搜索受害者拥有的网站是指攻击者通过访问和分析目标组织公开的Web资产获取情报的侦察手段,通常涉及网站结构分析、敏感信息抓取和隐藏内容探测。攻击者可能利用自动化工具扫描sitemap.xml、robots.txt等文件发现隐蔽目录,或通过解析网页元数据提取人员架构、业务关系等情报。传统防御措施主要依赖监控异常访问模式(如高频次请求、非常规时段访问)和分析HTTP头字段(如异常User-Agent)来识别潜在恶意爬取行为。
为规避传统检测机制对集中式、高频率爬取行为的识别能力,攻击者发展出深度伪装的新型信息采集技术,通过身份虚拟化、行为分散化和协议合规化等手段,将恶意情报收集活动解构为大量低风险的合法网络交互,在维持侦察效能的同时实现攻击链的全面隐匿。
现有匿迹技术的核心创新在于突破传统爬虫对抗的协议层博弈,转向身份层与环境层的深度隐匿。攻击者构建多维度的动态伪装体系:合法爬虫行为模拟技术通过精确复制搜索引擎的通信特征,使恶意流量获得协议层面的"白名单"豁免权;分布式低频采集技术利用全球节点资源将攻击行为稀释为地理分散的合法访问,破坏防御系统的空间关联分析能力;动态身份伪装技术则通过虚拟身份工厂持续切换网络指纹,使得单次访问行为与真实用户无异。三类技术的共性在于将传统攻击链拆解为大量低置信度事件,利用防御方在跨实体关联分析、长周期行为建模方面的技术短板,实现"化整为零、聚零为整"的隐匿效果。攻击者通过精确控制单个行为的合法性和离散性,确保每个微操作均低于检测阈值,而防御方由于缺乏全局视角的威胁拼图能力,难以从海量正常事件中识别出协同攻击行为。
匿迹技术的演进导致传统基于规则匹配和单维度阈值告警的防御体系逐渐失效,防御方需构建基于身份图谱分析、跨会话行为关联的智能检测系统,结合UEBA(用户实体行为分析)技术识别异常信息聚合模式,并强化对虚拟身份生成基础设施的监控与阻断能力。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ❌ |
| 数据遮蔽 | ❌ |
| 时空释痕 | ✅ |
攻击者通过深度复制合法爬虫的通信特征(包括User-Agent字符串、请求间隔、访问路径等),使恶意数据采集流量在协议层面与搜索引擎行为完全一致。同时利用动态身份伪装技术生成具有地域特征的网络指纹(如本地化语言设置、时区适配),使得单次访问行为难以与真实用户区分,实现攻击流量的"白名单化"隐匿。
通过将集中式情报收集任务拆解为持续数周甚至数月的低频访问事件,并利用全球分布的代理节点动态切换访问源,使得攻击行为特征被稀释在长周期、广域度的正常网站访问流量中。这种时空维度上的行为稀释导致传统基于短期日志分析的检测系统难以建立有效的威胁关联模型。
| ID | Name | Description |
|---|---|---|
| C0040 | APT41 DUST |
APT41 DUST involved access of external victim websites for target development.[1] |
| C0029 | Cutting Edge |
During Cutting Edge, threat actors peformed reconnaissance of victims' internal websites via proxied connections.[2] |
| G1011 | EXOTIC LILY |
EXOTIC LILY has used contact forms on victim websites to generate phishing e-mails.[3] |
| G0094 | Kimsuky |
Kimsuky has searched for information on the target company's website.[4] |
| G0034 | Sandworm Team |
Sandworm Team has conducted research against potential victim websites as part of its operational planning.[5] |
| G0122 | Silent Librarian |
Silent Librarian has searched victim's websites to identify the interests and academic areas of targeted individuals and to scrape source code, branding, and organizational contact information for phishing pages.[6][7][8] |
| G1038 | TA578 |
TA578 has filled out contact forms on victims' websites to direct them to adversary-controlled URLs.[9] |
| G1017 | Volt Typhoon |
Volt Typhoon has conducted pre-compromise reconnaissance on victim-owned sites.[10] |
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content |
Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. |