基础设施妥协指攻击者通过非法控制第三方网络资源构建攻击基础设施,包括服务器、域名、云服务等,用以支持网络攻击的各个阶段。传统防御手段通过监控域名注册信息异常、扫描暴露服务特征(如特定端口响应)以及分析SSL/TLS证书指纹等方式进行检测。缓解措施包括实施DNSSEC验证、监控证书透明化日志以及分析C2通信模式等。
随着防御体系对基础设施特征的识别能力提升,攻击者发展出深度隐蔽的匿迹技术,通过基础设施的合法化伪装、动态化调度与信任链污染,将恶意资源深度嵌入互联网正常服务体系,形成"形神皆似"的隐蔽攻击阵地。
当前基础设施妥协匿迹技术的核心在于重构攻击资源的身份属性与存在形态。攻击者通过多维度的身份冒用与动态伪装,突破传统基于静态特征匹配的检测范式:合法云服务寄生利用云平台的信誉背书,将恶意节点混入海量合规业务资源中;可信域名劫持通过污染DNS解析链,赋予攻击基础设施合法数字身份;僵尸网络动态调度技术构建弹性基础设施网络,实现攻击资源的按需分配与快速迭代;数字证书滥用则从密码学信任层面对恶意节点进行合法化包装。这些技术的共性在于深度利用互联网服务体系的结构性漏洞,通过身份嫁接、资源融合与动态演化三大策略,使得攻击基础设施在协议合规性、业务合理性和数字可信性三个维度均达到高度隐蔽。
匿迹技术的演进导致传统基于IP信誉、证书指纹的检测方法面临失效风险,防御方需构建跨域信任验证体系,实施持续性的证书链监控与DNS审计,并引入基于行为链分析的动态威胁评估模型,才能有效识别深度伪装的基础设施威胁。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ❌ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
攻击者通过SSL/TLS证书冒用、云服务协议模拟等手段,使恶意基础设施在数字证书、通信协议等层面与合法服务保持高度一致。例如劫持高信誉域名的HTTPS证书构建钓鱼站点,或利用云存储服务的标准API接口隐藏恶意负载,使得防御方难以通过表面特征识别基础设施的恶意属性。
在僵尸网络动态调度等子技术中,攻击者采用Tor-over-HTTPS、DNS-over-HTTPS等加密通信协议,将基础设施间的控制指令与数据回传流量封装在加密通道中。加密不仅保护通信内容,更关键的是隐藏了基础设施节点的拓扑关系与交互模式,阻断防御方的流量关联分析。
通过动态基础设施调度机制,攻击者实现恶意节点的快速创建与销毁。利用云服务的弹性扩展特性,攻击基础设施可呈现"按需出现、完成任务即消失"的瞬时存在特征。结合全球分布式节点池和智能调度算法,使得攻击痕迹分散在不同时间片段与地理区域,传统基于单一时空维度的检测方法难以捕捉完整攻击链。
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0038 | Domain Name | Active DNS |
Monitor for queried domain name system (DNS) registry data that may compromise third-party infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
| Domain Registration |
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet. |
||
| Passive DNS |
Monitor for logged domain name system (DNS) data that may compromise third-party infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
||
| DS0035 | Internet Scan | Response Content |
Once adversaries have provisioned compromised infrastructure (ex: a server for use in command and control), internet scans may help proactively discover compromised infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[1][2][3] |
| Response Metadata |
Monitor for contextual data about an Internet-facing resource gathered from a scan, such as running services or ports that may compromise third-party infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |