Gather Victim Org Information

Gathering victim organization information is a reconnaissance activity in which an adversary systematically obtains a target enterprise's operational data, personnel structure and business relationships through public or semi-public channels, usually to support later targeted phishing, supply chain attacks or social engineering. Traditional defenses rely mainly on monitoring anomalous data downloads and detecting the exfiltration of sensitive information, but because this activity mostly uses legitimate network services and takes place outside the target's network perimeter, defenders often lack any effective means of monitoring it.

What current trace-concealment techniques for organizational information gathering have in common is that they recast the attack scenario as legitimate activity and obtain data indirectly. Parasitic collection through enterprise information platforms rides entirely on the business processes of commercial data services, giving malicious queries a legitimate business shell; social network metadata analysis exploits the public nature of personnel information, turning the mining of sensitive data into correlation inference at the data-science level; supply chain impersonation probing hides attack behavior inside normal inter-organizational business interaction through identity misuse and path redirection; dark web data subscription leaves the clear-web monitoring regime altogether and builds a fully anonymous acquisition channel. The essential advance of these techniques is that they no longer depend on directly penetrating the target's systems and instead accumulate intelligence from the natural data flows of the information ecosystem, which renders conventional defense models built on network intrusion detection or data loss prevention entirely ineffective.

ID: T1591
Sub-techniques:  T1591.001, T1591.002, T1591.003
Tactic: Reconnaissance
Platforms: PRE
Version: 1.1
Created: 02 October 2020
Last Modified: 27 August 2021

Trace-Concealment Effects

Effect type                     | Present
Signature disguise              |
Behavioral transparency         |
Data obscuring                  |
Spatio-temporal trace dilution  |

Signature disguise

Adversaries disguise their behavior by fully reproducing the legitimate data-interaction patterns of a commercial scenario. In collection through information aggregation platforms, malicious query requests match genuine commercial research in parameter structure, access frequency and similar attributes; supply chain impersonation probing uses document templates and communication protocols that conform to industry standards. Defenders therefore cannot distinguish normal business activity from malicious intelligence gathering at the level of interaction characteristics.

Data obscuring

Dark web data subscription achieves end-to-end data obscuring through Tor's encrypted communication channels and cryptocurrency payment. Both the metadata of the transfer (such as the download source and data size) and its content are protected by encryption, so defenders cannot obtain useful threat intelligence through traffic analysis.

Spatio-temporal trace dilution

Social network metadata correlation analysis spreads collection over months of sustained low-frequency gathering, diluting each individual acquisition within normal user social activity. Adversaries exploit the time-delay effect of cross-platform data aggregation so that the collection process cannot be detected by short-term behavioral analysis.

Procedure Examples

ID    | Name                | Description
G0094 | Kimsuky             | Kimsuky has collected victim organization information including but not limited to organization hierarchy, functions, press releases, and others.[1]
G0032 | Lazarus Group       | Lazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals.[2]
G1036 | Moonstone Sleet     | Moonstone Sleet has gathered information on victim organizations through email and social media interaction.[3]
C0022 | Operation Dream Job | For Operation Dream Job, Lazarus Group gathered victim organization information to identify specific targets.[4]
G1017 | Volt Typhoon        | Volt Typhoon has conducted extensive reconnaissance pre-compromise to gain information about the targeted organization.[5]

Mitigations

ID    | Mitigation     | Description
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Detection

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

References