iT邦幫忙

2019 iT 邦幫忙鐵人賽

DAY 16
0

介紹一個好用的線上工具,叫做STIX Visualizer
https://ithelp.ithome.com.tw/upload/images/20181031/20112538E19QqFdaE1.png

STIX Visualizer 可以將STIX2.0的json結構,經過萃取parsing後,轉換成網絡圖,可以了解到一個threat所帶出來的完整profile。

例如下圖是一個資安威脅報告以poisonivy.json流通,並透過STIX Visualizer繪製成的網絡圖。

https://ithelp.ithome.com.tw/upload/images/20181031/20112538lnNnygQSYq.png

以下是SITX官網對於poisonivy報告範例的說明:
Fireeye's threat report on Poison Ivy covers how this remote access tool (RAT) was used by different campaigns and threat actors. In this converted report, there are several variants of PIVY malware represented by the Malware SDO, as well as Campaign, Threat Actor, Attack Pattern, and Vulnerability objects. Relationship SROs help link the malware variants to the campaigns and threat actors and demonstrate the vulnerabilities PIVY exploits. The JSON representation is available for download.

STIX架構如下,為一個獨立且可再使用的架構,可將各角色之間的關係加以定義。連結箭頭表示各角色間的關係;星號表示該段關係可能會出現0到多次。
https://ithelp.ithome.com.tw/upload/images/20181031/20112538MLr02b6fwv.png

參考來源
poisonivy
https://github.com/oasis-open/cti-stix2-json-schemas/blob/master/examples/threat-reports/poisonivy.json
STIX 2.0 Threat Reports
https://oasis-open.github.io/cti-documentation/stix/examples
STIX
http://newsletter.ascc.sinica.edu.tw/news/read_news.php?nid=3010


上一篇
STIX (1)
下一篇
CIRT
系列文
自然語言技術與AI/ML初探30

尚未有邦友留言

立即登入留言