Search Open Websites/Domains is a reconnaissance technique in which an adversary gathers intelligence about a target organization from publicly available web resources, systematically collecting from sources such as social media, corporate information platforms and technical forums. Traditional defenses rely mainly on anomalous-access detection and keyword filtering at the website itself, but because the data is legitimately accessible and the collection is buried in a large volume of ordinary user traffic, they rarely identify information gathering that has a clear attack purpose. Defensive focus therefore usually shifts to later stages of the attack chain, such as monitoring for phishing or initial access.
To evade such detection, adversaries have developed covert search techniques that exploit the characteristics of the public-data ecosystem: identity masquerading, behavioral mimicry and intent decomposition dissolve malicious collection into legitimate data-access flows. The evolution runs along three axes: from explicit retrieval to implicit inference, from centralized collection to distributed aggregation, and from direct queries to semantic detours. The result is a "hiding in plain sight" model of open-source intelligence gathering.
What current concealment techniques have in common is deep coupling between the attack chain and the data ecosystem. Coordinated searching across distributed accounts exploits the natural cover of a platform's user base, building a network of synthetic users to dilute the attack traffic. Emulation of legitimate crawlers parasitizes search-engine infrastructure directly, lending malicious scanning the protocol-level legitimacy of an official crawler. Long-horizon task planning spreads the attack signature over time until it disappears into the target organization's normal business fluctuations. All of these techniques defeat detection based on analysis of a single request and require defenders to correlate behavior across accounts, sessions and platforms.
As a result, defenses built on keyword filtering or access-frequency thresholds gradually lose effectiveness. Defenders need a threat-awareness capability aimed at the open-data ecosystem, combining user-behavior modeling, semantic intent analysis and cross-platform intelligence correlation to recognize the coordinated signature of a distributed collection network. They also need threat-intelligence sharing arrangements with third-party data service platforms so that anomalous API call patterns are discovered promptly, forming a layered defense against covert searching.
| Effect type | Present |
|---|---|
| Signature masquerading | ✅ |
| Behavioral transparency | ❌ |
| Data obscuring | ❌ |
| Spatiotemporal trace dispersal | ✅ |
Adversaries precisely emulate the network-level characteristics of legitimate users and official crawlers so that malicious search requests are indistinguishable from normal traffic at the protocol and behavioral layers, for example by replicating a search-engine crawler's TLS fingerprint and request-header order, or by building synthetic accounts whose profile matches the social platform's typical user. This gives the attack traffic a surface of legitimacy. One check survives this mimicry: a crawler's headers and TLS fingerprint can be copied, but its source addresses cannot. The major search engines publish their crawler IP ranges and support reverse-then-forward DNS verification, so a request claiming to be an official crawler from an address outside those ranges is an impostor.
Through a distributed account system, a centralized collection task is decomposed into long-period, low-frequency discrete queries, so that each individual account's behavior falls entirely within the platform's normal user-activity range. Combined with dynamic rotation through globally distributed proxy nodes, this breaks the spatial and temporal correlation of the search behavior, and a defensive system observing any single point cannot recognize the systematic collection.
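The cross-account correlation that the passages above call for, as an added example that is not code from the original page: a per-account frequency threshold is compared with a per-target view that groups queries by account and source network. The log format, the thresholds and the sample entries are constructed for illustration; a real deployment would feed it the platform's own query or API logs.

```python
"""Cross-account correlation of low-frequency open-source lookups.

Added example, not code from the original page. It assumes a constructed
query log in which each line is: ISO timestamp, account id, source IP and
the queried target (for example a company name or registry identifier).
Per-account rate thresholds miss a distributed collector because every
account stays under the limit; grouping by target across accounts and
source networks is what exposes the coordination.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: six accounts each query the same registry target
# once or twice over two days from three different networks, while a
# legitimate heavy user (acct_z) queries many different targets from one
# address. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z acct_a 203.0.113.5 target=ACME-Corp
2024-03-01T11:45:02Z acct_b 198.51.100.9 target=ACME-Corp
2024-03-01T13:10:44Z acct_c 192.0.2.77 target=ACME-Corp
2024-03-01T14:00:00Z acct_z 203.0.113.200 target=Foo-Ltd
2024-03-01T14:00:05Z acct_z 203.0.113.200 target=Bar-Inc
2024-03-01T14:00:09Z acct_z 203.0.113.200 target=Baz-LLC
2024-03-01T14:00:15Z acct_z 203.0.113.200 target=ACME-Corp
2024-03-02T02:20:31Z acct_d 203.0.113.180 target=ACME-Corp
2024-03-02T09:05:12Z acct_e 198.51.100.44 target=ACME-Corp
2024-03-02T16:30:00Z acct_f 192.0.2.130 target=ACME-Corp
2024-03-02T17:00:00Z acct_a 203.0.113.5 target=ACME-Corp
"""


def parse_log(text):
    """Parse the constructed log format into (ts, account, ip, target) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, target = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     account, ip, target.split("=", 1)[1]))
    return rows


def per_account_alerts(rows, max_per_account_per_day=10):
    """The traditional detector: queries per account per calendar day.
    Returns the accounts that exceed the threshold (sorted)."""
    counts = defaultdict(int)
    for ts, account, _, _ in rows:
        counts[(account, ts.date())] += 1
    return sorted({a for (a, _), n in counts.items() if n > max_per_account_per_day})


def correlated_targets(rows, window=timedelta(hours=48),
                       min_accounts=4, min_networks=3):
    """The cross-account detector: for every target, look for a window in
    which it was queried by many distinct accounts from many distinct /24
    source networks. Few queries per account combined with many accounts
    and networks is the signature of a distributed collector."""
    by_target = defaultdict(list)
    for row in rows:
        by_target[row[3]].append(row)
    findings = {}
    for target, events in by_target.items():
        events.sort()  # chronological; tuples sort on the timestamp first
        for i, (start, _, _, _) in enumerate(events):
            window_events = [e for e in events[i:] if e[0] - start <= window]
            accounts = {e[1] for e in window_events}
            networks = {str(ipaddress.ip_network(e[2] + "/24", strict=False))
                        for e in window_events}
            if len(accounts) >= min_accounts and len(networks) >= min_networks:
                findings[target] = {
                    "accounts": sorted(accounts),
                    "networks": sorted(networks),
                    "queries_per_account": round(len(window_events) / len(accounts), 2),
                }
                break  # one finding per target is enough
    return findings


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("per-account alerts:", per_account_alerts(rows))
    for target, detail in correlated_targets(rows).items():
        print(f"correlated collection against {target}: {detail}")
```

On the sample log the per-account threshold fires on nobody at its default and, when tightened, fires only on the legitimate power user, while the per-target view flags ACME-Corp with seven accounts across three networks at roughly one query each. The /24 grouping is a stand-in for the ASN or proxy-provider lookup a production pipeline would use, since proxy rotation is designed to spread exactly this kind of grouping.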
| ID | Name | Description |
|---|---|---|
| G0034 | Sandworm Team | Sandworm Team researched Ukraine's unique legal entity identifier (called an "EDRPOU" number), including running queries on the EDRPOU website, in preparation for the NotPetya attack. Sandworm Team has also researched third-party websites to help it craft credible spearphishing emails.[1] |
| G1033 | Star Blizzard | Star Blizzard has used open-source research to identify information about victims to use in targeting.[2][3] |
| G1017 | Volt Typhoon | Volt Typhoon has conducted pre-compromise web searches for victim information.[4] |
| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance | Application developers uploading to public code repositories should be careful to avoid publishing sensitive information such as credentials and API keys. |
| M1047 | Audit | Scan public code repositories for exposed credentials or other sensitive information before making commits. Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code. |
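The pre-commit scan that M1047 describes, as an added example rather than ATT&CK's or any project's own tooling: it walks the added lines of a unified diff and reports lines matching a small set of secret patterns. The patterns, the sample diff and the documented AWS example credentials inside it are assumptions constructed for illustration; a real hook would carry a maintained rule set.

```python
"""Scan the added lines of a unified diff for leaked secrets.

Added example, not the page's or ATT&CK's own tooling. The three patterns
are assumptions chosen for illustration: an AWS access key ID prefix, a PEM
private-key header, and a quoted token of 16+ characters assigned to a name
containing key, token, secret or password. Use it as a pre-commit hook over
`git diff --cached`; when auditing history, run it over `git log -p --all`,
because deleting a secret from HEAD leaves it in every earlier commit.
"""
import re
import sys

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b[\w.]*(?:key|token|secret|password)[\w.]*\s*[:=]\s*"
        r"['\"]([A-Za-z0-9_\-/+=]{16,})['\"]"),
}

# Constructed diff: one file hard-codes the AWS documentation example key
# pair (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,
# which are published placeholders, not live credentials); a second file
# adds a private key.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 DEBUG = False
+API_TIMEOUT = 30
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAexample
+-----END RSA PRIVATE KEY-----
"""


def added_lines(diff_text):
    """Yield (path, new_line_number, content) for every line the diff adds.

    Only '+' lines are scanned: a deleted secret is already a finding for
    the history audit, not for the commit being prepared."""
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            new_line = int(re.search(r"\+(\d+)", raw).group(1))
        elif raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith(" "):  # unchanged context advances the new-file line counter
            new_line += 1


def scan_diff(diff_text):
    """Return findings as (path, line, rule); the first matching rule wins so
    each added line is reported once. Secret values are never echoed."""
    findings = []
    for path, line_no, content in added_lines(diff_text):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append((path, line_no, rule))
                break
    return findings


if __name__ == "__main__":
    # Hook usage: git diff --cached | python scan_secrets.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(text)
    for path, line_no, rule in hits:
        print(f"{path}:{line_no}: possible secret ({rule})")
    sys.exit(1 if hits else 0)
```

A non-zero exit from the hook blocks the commit. Because the scanner reads a diff rather than a working tree, the same function covers the history audit M1047 asks for: piping `git log -p --all` through it surfaces secrets that were added and later removed, which is the case that rewriting only the current file misses.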
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.