获取基础设施指攻击者通过购买、租赁或非法手段获取用于网络攻击的各类资源,包括服务器、域名、云服务账户及僵尸网络节点等。传统防御手段依赖WHOIS数据库查询、SSL证书指纹比对及IP信誉库匹配等技术,通过分析基础设施注册信息、网络服务特征及历史威胁情报识别恶意资源。监测重点包括异常端口开放模式、已知C2框架特征及集中式基础设施集群的拓扑关联。
为规避传统检测机制对固定基础设施的识别能力,攻击者发展出动态化、寄生化及去中心化的资源获取策略。通过匿名身份体系、合法服务滥用及算法驱动的基础设施变更,构建出具备弹性与隐蔽性的攻击资源网络,显著提高基础设施与攻击行为的解耦程度。
当前匿迹技术的核心演进方向集中于基础设施的"合法化伪装"与"动态化重构"。攻击者通过深度融入商业服务生态(如CDN托管)、利用去中心化技术(如区块链域名)及构建算法驱动的资源池(如DGA域名),实现三个层面的匿迹:首先,将恶意基础设施的特征属性与合法服务的技术参数对齐,例如匹配CDN节点的SSL证书链与IP地理分布;其次,通过短周期资源置换机制(如云实例按小时租赁)破坏基础设施的持久可追溯性;最后,利用暗网经济体系构建匿名资源获取渠道,切断支付链路与身份关联。这些技术使得攻击基础设施呈现出"表面合规、动态漂移、身份匿名"的三重特性,传统基于静态特征匹配或注册信息分析的检测方法面临根本性挑战。
匿迹技术的发展迫使防御体系从被动指标收集转向主动行为预测,需构建基础设施生命周期监控模型,结合注册模式分析、资源使用异常检测及暗网交易情报挖掘,形成对动态化攻击基础设施的早期预警能力。同时应推动云服务商、域名注册商与安全社区的威胁情报共享,建立跨平台的恶意资源协同处置机制。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ❌ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
攻击者通过深度仿冒合法服务特征实现基础设施伪装。例如在CDN寄生托管中精准复制目标网站的SSL证书与HTTP头部信息,使恶意节点与合法CDN边缘服务器具有相同的协议指纹。动态域名生成技术则通过注册与知名品牌相似的算法生成域名,模仿正常企业的域名命名规律。
加密货币支付与加密通信协议的应用构成双重数据遮蔽。攻击者在租赁云服务或注册域名时使用门罗币等隐私加密货币,切断资金流向溯源路径。基础设施间的通信采用DNS-over-TLS或自定义加密隧道,隐藏C2指令与数据渗透的元数据特征。
动态资源调度机制导致攻击基础设施呈现时空维度的高度碎片化。云实例按需创建与销毁策略使单点存在时间短于常规检测周期,DGA域名的每日批量轮换稀释了域名黑名单的有效性,僵尸网络节点的地理分散性则破坏基础设施集群的空间关联特征。
| ID | Name | Description |
|---|---|---|
| G1030 | Agrius |
Agrius typically uses commercial VPN services for anonymizing last-hop traffic to victim networks, such as ProtonVPN.[1] |
| G1003 | Ember Bear |
Ember Bear uses services such as IVPN, SurfShark, and Tor to add anonymization to operations.[2] |
| G0119 | Indrik Spider |
Indrik Spider has purchased access to victim VPNs to facilitate access to victim environments.[3] |
| G0094 | Kimsuky |
Kimsuky has used funds from stolen and laundered cryptocurrency to acquire operational infrastructure.[4] |
| G0034 | Sandworm Team |
Sandworm Team used various third-party email campaign management services to deliver phishing emails.[5] |
| G1033 | Star Blizzard |
Star Blizzard has used HubSpot and MailerLite marketing platform services to hide the true sender of phishing emails.[6] |
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0038 | Domain Name | Active DNS |
Monitor for queried domain name system (DNS) registry data that may buy, lease, or rent infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
| Domain Registration |
Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
||
| Passive DNS |
Monitor for logged domain name system (DNS) data that may buy, lease, or rent infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
||
| DS0035 | Internet Scan | Response Content |
Once adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[7][8][9] Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
| Response Metadata |
Monitor for contextual data about an Internet-facing resource gathered from a scan, such as running services or ports that may buy, lease, or rent infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |