Obtain Capabilities

Obtain Capabilities refers to the tactical stage in which an adversary acquires the resources needed for an attack (malware, exploit tooling, digital certificates and so on) by purchasing, stealing or renting them. Unlike the traditional model of developing capabilities in-house, this technique relies on third-party resource supply chains to reduce the adversary's own exposure, and involves dark-web trading, supply-chain infiltration, certificate forgery and other methods. Defenders can detect it by analyzing correlations between malicious code characteristics, monitoring anomalous certificate issuance and tracking patterns of cloud resource abuse, but because the activity is cross-platform and designed for anonymity, detection in practice faces serious challenges.

To overcome the weaknesses of traditional resource acquisition (identity exposure, transaction traceability and retained artifacts), adversaries have developed multi-layered, nested covert acquisition systems. By building anonymized trading networks, poisoning software supply chains, and abusing digital trust systems and the elastic architecture of cloud services, they embed resource acquisition deeply within legitimate commercial activity and technical ecosystems, forming a new operational paradigm of "acquisition as concealment".

The core characteristics of current stealth techniques for obtaining capabilities are the multi-dimensional restructuring of the resource supply chain and the systematic abuse of trust systems. Through dark-web trading, adversaries anonymize the topology of resource flows, and use cryptocurrency and privacy-enhancing protocols to cut the chain by which funds can be traced; through supply-chain poisoning they inject malicious code into legitimate software distribution channels, leveraging enterprises' existing trust relationships to "legitimize" payload delivery; certificate forgery defeats digital identity verification, giving malware the attributes of a legitimately signed binary; time-dispersed rental restructures the lifecycle of attack infrastructure, eliminating the artifacts left during the period in which resources are held. What these four classes of techniques share is that they cross traditional adversarial boundaries and embed attack-resource acquisition into the basic operating logic of the digital economy; through the dual disguise of technical legitimacy and business compliance, they make it difficult for defenders to establish effective anchors for detection and attribution.

The evolution of these stealth techniques puts traditional defenses based on signature matching and reputation scoring at risk of failure. Defenders need to build cross-platform digital certificate monitoring networks, implement software supply chain integrity verification, and establish models for identifying anomalous rental of cloud service resources, achieving dynamic awareness of covert resource acquisition chains through multi-dimensional data correlation analysis.

ID: T1588
Sub-techniques: T1588.001, T1588.002, T1588.003, T1588.004
Tactic: Attack Preparation
Platforms: PRE
Version: 1.1
Created: 01 October 2020
Last Modified: 16 September 2024

Stealth Effects

Effect type                      Present
Signature disguise
Behavioral transparency
Data obscuration
Spatiotemporal trace dispersion

Signature disguise

Adversaries forge digital certificates and poison legitimate software supply chains so that the malicious resources they obtain present trusted characteristics. For example, they wrap attack tools with stolen code-signing certificates to make them appear legitimate, or implant exploit tools into software update packages distributed through official channels, so that security systems cannot recognize the malicious nature of the resource from its surface characteristics.

Behavioral transparency

Adversaries obtain capabilities by exploiting zero-day vulnerabilities and undisclosed supply-chain flaws, for example injecting malicious code through an as-yet-undisclosed compiler vulnerability. Lacking signature rules and detection models for such flaws, defenders find it difficult to discover this kind of covert resource acquisition.

Data obscuration

Cryptocurrency and dark-web encrypted communication protocols protect transaction data; through multi-layer encryption over the Tor network, blockchain coin-mixing and similar means, the content of resource transactions, the identities of the participants and the flow of funds cannot be parsed by traditional monitoring systems.

Spatiotemporal trace dispersion

Through time-dispersed rental and globally distributed resource scheduling, resource acquisition is spread across different time windows and geographic regions. Short-term cloud instance rental, dark-web transactions spanning time zones and similar methods dilute attack indicators within long-running, large-scale normal commercial activity, undermining defenders' ability to perform temporal correlation analysis.

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component Detects
DS0037 Certificate Certificate Registration

Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.[1] Some server-side components of adversary tools may have default values set for SSL/TLS certificates.[2] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.

DS0035 Internet Scan Response Content

Monitor logged network traffic returned in response to a scan, looking at both protocol header and body values that may indicate capabilities the adversary has bought and/or stolen for use during targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.

DS0004 Malware Repository Malware Content

Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.[3] Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in Cobalt Strike payloads.[4]

Malware Metadata

Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
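The two Malware Repository components above (Malware Content and Malware Metadata) both come down to pulling build features out of samples and asking whether the same feature turns up in samples attributed to different adversaries, which is the "shared quartermaster" signal. The following is an added illustration, not code from the original page: it parses the compile timestamp and linker version directly from the PE headers, combines them with a per-sample watermark value, and reports every feature shared across more than one attributed group. The PE images, group names and watermark values are all constructed test data.

```python
import struct
from collections import defaultdict

def build_pe(timestamp, linker_major, linker_minor):
    """Build a minimal PE image (constructed test data, not a real sample):
    a DOS header whose e_lfanew points at the PE signature, a 20-byte COFF
    header carrying TimeDateStamp, and the first bytes of the optional header."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, 0x22)
    opt = struct.pack("<HBB", 0x20B, linker_major, linker_minor)  # PE32+ magic
    return dos + b"PE\x00\x00" + coff + opt

def pe_metadata(data):
    """Read compile timestamp and linker version straight from the headers."""
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    compile_ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]   # TimeDateStamp
    opt = e_lfanew + 24                                            # optional header
    major, minor = struct.unpack_from("<BB", data, opt + 2)        # linker version
    return {"compile_ts": compile_ts, "linker": f"{major}.{minor}"}

def shared_features(samples):
    """samples: iterable of (sample_id, attributed_group, pe_bytes, watermark).
    Returns each feature that appears in samples attributed to more than one
    group, mapped to the sorted list of those groups. Linker version alone is
    a weak signal (many legitimate builds share it); timestamp and watermark
    overlaps are the ones worth a closer look."""
    seen = defaultdict(set)
    for _sid, group, data, watermark in samples:
        meta = pe_metadata(data)
        for feat in (("compile_ts", meta["compile_ts"]),
                     ("linker", meta["linker"]),
                     ("watermark", watermark)):
            seen[feat].add(group)
    return {feat: sorted(groups) for feat, groups in seen.items() if len(groups) > 1}

# Constructed repository: the same build (timestamp + watermark) attributed to
# two different groups, plus an unrelated sample from a third group.
SAMPLES = [
    ("s1", "GroupA", build_pe(1700000000, 14, 29), 0x12345678),
    ("s2", "GroupB", build_pe(1700000000, 14, 29), 0x12345678),
    ("s3", "GroupC", build_pe(1690000000, 14, 0), 0x00000001),
]

if __name__ == "__main__":
    for feat, groups in shared_features(SAMPLES).items():
        print(f"{feat[0]}={feat[1]!r} shared by {', '.join(groups)}")
```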

References