Hide Infrastructure is a tactic by which adversaries conceal the true network attributes of critical resources such as command and control (C2) nodes and malicious service endpoints through technical means. Traditional methods include proxy servers, VPN tunnels and domain generation algorithms (DGA); defenders typically counter them with IP reputation matching, certificate fingerprint analysis and traffic signature detection. With the spread of cloud services and advances in encryption, however, defenses based on simple signature matching face serious challenges.
| Effect type | Present |
|---|---|
| Signature masquerading | ✅ |
| Behavioral transparency | ❌ |
| Data obscuring | ✅ |
| Spatio-temporal dilution | ✅ |
Adversaries hide infrastructure by closely imitating the characteristics of legitimate services: trusted domain certificates, RFC-compliant protocol exchanges and legitimate cloud service interfaces. For example, a C2 server disguised as a CDN node or a cloud storage endpoint produces traffic that is indistinguishable from normal business traffic in protocol characteristics, certificate fingerprints and domain reputation, effectively evading signature-based detection.
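A crude but useful defender-side check for the masquerading described above is to compare the provider a hostname *claims* to be (a CDN or cloud brand embedded in the name, as in the DarkGate entry in the procedure table) with where it actually resolves: a name that borrows a provider's brand but resolves outside that provider's published address space deserves a look. The script below is an added example, not code from the original page or from ATT&CK; the provider address ranges and the resolver answers are constructed placeholders (RFC 5737 test networks), and in practice they would be loaded from the providers' published range files and from resolver logs.

```python
"""Flag hostnames that borrow a CDN/cloud provider's name but resolve outside
that provider's published address space (added example; data is constructed)."""
import ipaddress
import re

# Constructed: provider keyword -> address ranges assumed to be published by it.
# RFC 5737 test networks stand in for real provider ranges.
PROVIDER_RANGES = {
    "akamai":     [ipaddress.ip_network("192.0.2.0/24")],
    "amazonaws":  [ipaddress.ip_network("198.51.100.0/24")],
    "cloudfront": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed resolver log: (hostname, answer IP)
DNS_ANSWERS = [
    ("cdn-akamai-update.example",   "192.0.2.17"),    # name and range agree
    ("akamai-edge-sync.example",    "203.0.113.5"),   # name says Akamai, IP elsewhere
    ("s3.amazonaws-backup.example", "203.0.113.9"),   # name says AWS, IP elsewhere
    ("intranet.example",            "203.0.113.20"),  # no provider keyword
]

_KEYWORD_RE = re.compile("|".join(re.escape(k) for k in PROVIDER_RANGES), re.I)


def claimed_provider(hostname):
    """Return the provider keyword a hostname hints at, or None."""
    m = _KEYWORD_RE.search(hostname)
    return m.group(0).lower() if m else None


def in_provider_space(provider, ip):
    """True when ip falls inside any range recorded for the provider."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_RANGES[provider])


def find_name_range_mismatches(answers):
    """Return (hostname, ip, provider) for answers whose name implies a provider
    but whose address lies outside that provider's ranges."""
    hits = []
    for host, ip in answers:
        provider = claimed_provider(host)
        if provider is not None and not in_provider_space(provider, ip):
            hits.append((host, ip, provider))
    return hits


if __name__ == "__main__":
    for hit in find_name_range_mismatches(DNS_ANSWERS):
        print("name/range mismatch:", hit)
```

This only catches the case where the lookalike name points at infrastructure the adversary controls directly; a C2 endpoint that genuinely sits behind a real CDN or cloud storage service passes this check, which is exactly why the page pairs it with certificate and traffic correlation.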
Strong encryption such as TLS 1.3 is commonly used to encrypt communications end to end, combined with privacy-enhancing technologies such as Oblivious DNS-over-HTTPS to fully hide the key metadata of DNS queries and payload transfers. Some advanced variants also apply transport-layer fragmentation, spreading encrypted data across multiple sessions to further hamper content reassembly.
Dynamic IP proxy pools and distributed cloud nodes dilute the infrastructure across time and space. Automated IP address rotation keeps the activity of any single node below detection thresholds, while a globally distributed node network breaks the geographic correlation of attack traffic. Combined with long-period, low-rate communication, malicious interactions are diluted within normal business traffic, and traditional detection models based on time windows struggle to identify them.
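The dilution described above defeats per-IP thresholds, but it rarely defeats a long-window view keyed on something the operator keeps stable. The script below is an added example, not code from the original page or from ATT&CK: it groups sessions by (source host, TLS server certificate fingerprint) instead of destination IP, then looks for long, regular inter-session intervals over a multi-day window. The flow records and certificate fingerprints are constructed placeholders, not real indicators; the assumption is that a network sensor logs the server certificate hash per TLS session.

```python
"""Detect low-rate periodic beaconing that survives destination IP rotation
(added example; flow records and fingerprints are constructed)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed flow log: (epoch seconds, src, dst_ip, server cert SHA-256 placeholder)
FLOWS = [
    # host A: one session roughly every 4 hours, a different IP each time
    (0,     "10.0.0.5", "203.0.113.10", "cert-A"),
    (14400, "10.0.0.5", "203.0.113.11", "cert-A"),
    (28830, "10.0.0.5", "203.0.113.12", "cert-A"),
    (43170, "10.0.0.5", "203.0.113.13", "cert-A"),
    (57600, "10.0.0.5", "203.0.113.14", "cert-A"),
    (72020, "10.0.0.5", "203.0.113.15", "cert-A"),
    # host B: bursty, irregular browsing to one CDN certificate
    (100,   "10.0.0.9", "198.51.100.7", "cert-B"),
    (160,   "10.0.0.9", "198.51.100.7", "cert-B"),
    (5000,  "10.0.0.9", "198.51.100.7", "cert-B"),
    (5010,  "10.0.0.9", "198.51.100.7", "cert-B"),
    (40000, "10.0.0.9", "198.51.100.7", "cert-B"),
    (70000, "10.0.0.9", "198.51.100.7", "cert-B"),
]


def max_sessions_per_dst_ip(flows, src):
    """Busiest destination IP for one source host: the number an IP-keyed
    threshold would see. Rotation keeps this at 1 for the beaconing host."""
    counts = Counter(dst for _, s, dst, _ in flows if s == src)
    return max(counts.values()) if counts else 0


def find_slow_beacons(flows, min_sessions=5, max_cv=0.10, min_period=3600):
    """Return {(src, cert): (mean_period_seconds, distinct_dst_ips)} for pairs whose
    inter-session gaps are long (>= min_period) and regular (coefficient of
    variation <= max_cv), regardless of how many destination IPs were used."""
    by_key = defaultdict(list)
    for ts, src, dst, cert in flows:
        by_key[(src, cert)].append((ts, dst))

    found = {}
    for key, sessions in by_key.items():
        if len(sessions) < min_sessions:
            continue
        sessions.sort()
        times = [ts for ts, _ in sessions]
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        if period >= min_period and cv <= max_cv:
            found[key] = (round(period), len({dst for _, dst in sessions}))
    return found


if __name__ == "__main__":
    print("busiest dst IP for 10.0.0.5 sees", max_sessions_per_dst_ip(FLOWS, "10.0.0.5"), "session(s)")
    for (src, cert), (period, n_ips) in find_slow_beacons(FLOWS).items():
        print(f"{src} -> {cert}: period ~{period}s across {n_ips} IPs")
```

The grouping key is the design decision: a certificate hash, JA3S/JA4S-style server fingerprint, SNI, or HTTP Host header all work as long as the sensor records it; the threshold on the coefficient of variation should be tuned against the jitter the environment's legitimate schedulers (update checks, telemetry) produce, since those are the main false-positive source.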
| ID | Name | Description |
|---|---|---|
| G0016 | APT29 | APT29 uses compromised residential endpoints, typically within the same ISP IP address range, as proxies to hide the true source of C2 traffic.[1] |
| S1111 | DarkGate | DarkGate command and control includes hard-coded domains in the malware masquerading as legitimate services such as Akamai CDN or Amazon Web Services.[2] |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 set the hostnames of their C2 infrastructure to match legitimate hostnames in the victim environment. They also used IP addresses originating from the same country as the victim for their VPN infrastructure.[3] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0038 | Domain Name | Domain Registration | Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information, and in monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. |
| DS0035 | Internet Scan | Response Content | Once adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. If requests are filtered or blocked, the specifics of this action, such as the response sent, can be used to gain further insight into the resource's nature or creation. |
| DS0035 | Internet Scan | Response Metadata | Internet scanners may be used to look for artifacts associated with malicious C2 infrastructure. Correlate data and patterns from Internet-facing resources gathered from scans with network traffic to gain further insight into potential adversary C2 networks. |
| DS0029 | Network Traffic | Network Traffic Content | Network detection systems may be able to identify traffic for specific adversary command and control infrastructure. Correlate network traffic with data and patterns from Internet-facing resources gathered from scans to gain further insight into potential adversary C2 networks. |
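The Internet Scan and Network Traffic rows above both come down to one join: artifacts observed on Internet-facing hosts (certificate fingerprint, response headers, response body hash) on one side, connections from the monitored network on the other. The script below is an added example, not code from the original page or from ATT&CK, showing that correlation in both directions: tagging internal connections whose destination carries a watch-listed artifact, reporting destinations the scan never covered, and pivoting from one artifact to sibling hosts that share it. All scan records, connection records and artifact values are constructed placeholders.

```python
"""Correlate Internet-scan artifacts with observed network connections
(added example; all records and artifact values are constructed placeholders)."""
from collections import defaultdict

ARTIFACT_FIELDS = ("cert_sha256", "server", "body_sha256")

# Constructed scan dataset: one record per scanned ip:port
SCAN_RESULTS = [
    {"ip": "203.0.113.10", "port": 443, "cert_sha256": "cert-X",   "server": "nginx",       "body_sha256": "body-1"},
    {"ip": "203.0.113.11", "port": 443, "cert_sha256": "cert-X",   "server": "nginx",       "body_sha256": "body-1"},
    {"ip": "198.51.100.7", "port": 443, "cert_sha256": "cert-CDN", "server": "AkamaiGHost", "body_sha256": "body-2"},
]

# Constructed watchlist: artifacts analysts have tied to suspected C2 (placeholders)
SUSPECT_ARTIFACTS = {("cert_sha256", "cert-X"), ("body_sha256", "body-1")}

# Constructed connection log from the monitored network: (src, dst_ip, dst_port)
CONNECTIONS = [
    ("10.0.0.5", "203.0.113.10", 443),
    ("10.0.0.5", "203.0.113.11", 443),
    ("10.0.0.9", "198.51.100.7", 443),
    ("10.0.0.9", "192.0.2.50",   443),  # never scanned
]


def index_scan(scan_results):
    """Map (ip, port) -> set of (artifact_name, value) pairs seen in the scan."""
    idx = defaultdict(set)
    for rec in scan_results:
        for field in ARTIFACT_FIELDS:
            idx[(rec["ip"], rec["port"])].add((field, rec[field]))
    return idx


def correlate(connections, scan_results, suspect):
    """Return (hits, unscanned): hits are (src, dst, port, matched_artifacts) for
    connections to endpoints whose scan artifacts intersect the watchlist;
    unscanned lists (dst, port) endpoints the scan data says nothing about."""
    idx = index_scan(scan_results)
    hits, unscanned = [], []
    for src, dst, port in connections:
        artifacts = idx.get((dst, port))
        if artifacts is None:
            unscanned.append((dst, port))
            continue
        matched = sorted(artifacts & suspect)
        if matched:
            hits.append((src, dst, port, matched))
    return hits, unscanned


def pivot_siblings(scan_results, artifact, value):
    """Scan-side pivot: other Internet-facing hosts sharing one artifact, e.g. the
    same certificate reused across a rotating IP pool."""
    return sorted(rec["ip"] for rec in scan_results if rec[artifact] == value)


if __name__ == "__main__":
    hits, unscanned = correlate(CONNECTIONS, SCAN_RESULTS, SUSPECT_ARTIFACTS)
    for src, dst, port, matched in hits:
        print(f"{src} -> {dst}:{port} matches {matched}")
    print("unscanned destinations:", unscanned)
    print("hosts sharing cert-X:", pivot_siblings(SCAN_RESULTS, "cert_sha256", "cert-X"))
```

The `unscanned` list matters as much as the hits: the Response Content row notes that filtered or blocked scan requests are themselves informative, so endpoints with no scan record should be queued for a targeted re-scan rather than treated as clean.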