收集受害者身份信息是指攻击者通过主动或被动手段获取目标个人或组织敏感身份数据的过程,包括但不限于用户凭证、联系方式、安全配置等信息。传统防御手段主要依赖监控异常认证请求、检测大规模数据爬取行为,以及分析网络流量中的敏感字段模式。通过部署Web应用防火墙(WAF)识别暴力破解特征,或使用数据泄露防护(DLP)系统监控敏感信息外传。
为规避传统检测机制对集中式、高频率信息收集行为的识别能力,攻击者发展出分布式采集、协议伪装、关联推理等新型匿迹技术,将信息收集行为解构为低强度、多维度、长周期的数据交互过程,使单次操作特征低于检测阈值,同时通过跨平台数据聚合提升信息获取效率。
当前匿迹技术的核心逻辑在于信息收集行为的场景融合与特征稀释。社交工程伪装技术通过构建高仿真业务交互界面,将恶意数据收集嵌入合法业务流程;凭证爬虫伪装利用搜索引擎协议特征实现流量匿名化;多源聚合技术通过暗网数据关联规避直接信息查询;碎片化采集则依赖长期微量数据积累与智能推理。这些技术的共性在于突破传统单点数据获取模式,通过合法协议滥用、分布式架构设计、密码学隐私保护等手段,将攻击行为分解为多个表面合规的操作单元,同时利用现代数据处理技术实现信息价值的隐蔽提取。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ❌ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
攻击者通过精确模拟合法业务交互协议(如HTTP爬虫规范、OAuth认证流程),使信息收集流量在协议特征、数据格式、交互时序等维度与正常业务流量高度一致。例如伪装成搜索引擎爬虫的数据采集行为,其User-Agent、请求间隔等参数完全符合行业标准,实现恶意流量的表面合法化。
在信息传输与存储环节采用分层加密策略,对收集的原始数据实施内存加密传输、分布式碎片化存储,并利用可信执行环境(TEE)进行数据处理。在跨平台采集场景中,通过同态加密技术实现数据关联计算,确保原始敏感信息始终处于加密状态,规避内容检测系统的识别。
通过将集中式信息收集任务拆解为跨平台、长周期的微量数据采集,单次操作的时间间隔和空间分布均符合正常用户行为模式。例如社交工程攻击中长达数周的渐进式信息诱导,或跨年度的碎片化数据积累,使得攻击特征被稀释在长期网络活动中,难以通过短期流量分析发现。
| ID | Name | Description |
|---|---|---|
| G0050 | APT32 |
APT32 has conducted targeted surveillance against activists and bloggers.[1] |
| G1016 | FIN13 |
FIN13 has researched employees to target for social engineering attacks.[2] |
| G1001 | HEXANE |
HEXANE has identified specific potential victims at targeted organizations.[3] |
| G1004 | LAPSUS$ |
LAPSUS$ has gathered detailed information of target employees to enhance their social engineering lures.[4] |
| G0059 | Magic Hound |
Magic Hound has acquired mobile phone numbers of potential targets, possibly for mobile malware or additional phishing operations.[5] |
| C0022 | Operation Dream Job |
For Operation Dream Job, Lazarus Group conducted extensive reconnaissance research on potential targets.[6] |
| C0014 | Operation Wocao |
During Operation Wocao, threat actors targeted people based on their organizational roles and privileges.[7] |
| G1033 | Star Blizzard |
Star Blizzard has identified ways to engage targets by researching potential victims' interests and social or professional contacts.[8] |
| G1017 | Volt Typhoon |
Volt Typhoon has gathered victim identify information during pre-compromise reconnaissance. [9] |
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0029 | Network Traffic | Network Traffic Content |
Monitor for suspicious network traffic that could be indicative of probing for user information, such as large/iterative quantities of authentication requests originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. |