8.15. Traceability Analysis¶
8.15.1. Attack aircraft source tracing technology¶
8.15.1.1. Log-based provenance¶
Use routers, hosts and other devices to record key information (time, source address, destination address) in the data stream transmitted by the network, and perform reverse tracking based on log query during tracking.
The advantages of this method are that it has strong compatibility, supports retrospect after the event, and has less network overhead. But at the same time, this method is also limited by performance, space and privacy protection. Considering the above factors, the data characteristics and data quantity recorded can be limited. In addition, technologies such as traffic mirroring can be used to reduce the impact on network performance.
8.15.1.2. Routing Input Debugging Techniques¶
In the scenario where the attack continues to send data and the characteristics are relatively stable, the router’s input debugging technology can be used to dynamically trace upward when the attack traffic is matched. This method is more effective in DDoS attack tracing, and has less network overhead.
8.15.1.3. Controlled flooding techniques¶
Flood attacks to potential upstream routers during tracing. If the received attack traffic is found to be less, the attack traffic will flow through the corresponding route. The advantage of this method is that it does not require pre-deployment and requires less collaboration. But this method itself is an attack that will affect the network.
8.15.1.4. Package-based data modification traceability techniques¶
This source tracing method directly modifies the data packet, adds coding or marking information, and reconstructs the transmission path at the receiving end. This method is less labor-intensive and supports post-mortem analysis, but it is not very supportive for some protocols.
Based on this method, the random marking technology is derived. Each route identifies the data packets with a certain probability, and the receiving end collects multiple packets and reconstructs them.
8.15.2. Traceability based on honeypot¶
Social network jsonp API
Get attacker IP
Get burp information
8.15.3. Analysis models¶
8.15.3.1. Kill Kain Model¶
The concept of the kill chain originated in the military domain, and it is a model that describes the link of an attack. The general kill chain includes Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objective, etc. several stages.
The earlier an attack is blocked in the kill chain, the better the protection, so the concept of the kill chain can also be used to counter attacks.
During the tracking phase, attackers typically use scans and searches to find possible target information and evaluate attack costs. At this stage, it can be found through log analysis, email analysis, etc., and threat intelligence can also be used to obtain attack information at this stage.
In the weapon construction stage, attackers usually have ready attack tools and conduct tentative attacks. At this stage, there may be attack records in the IDS, and accounts such as external network applications and mailboxes may have records of password blasting. Some attackers use public attack tools with certain known characteristics.
During the payload delivery stage, attackers usually deliver malicious code by means of network vulnerabilities, harpoons, watering holes, network hijacking, and USB flash drives. At this stage, some personnel have already received attack payloads in the corresponding channels, and sufficient security training for personnel can achieve a certain degree of defense.
In the penetration stage, the attacker will execute malicious code to obtain system control rights. At this time, the Trojan program has been executed. In this stage, antivirus software and abnormal behavior alarms can be used to find the corresponding attack.
During the installation and implantation stage, attackers usually install Webshell or implant backdoors, rootkits, etc. on the web server to achieve persistent control over the server. These implants can be found by reverse engineering the sample.
In the communication control stage, the attacker has realized remote communication control, and the Trojan will communicate with the control server through three-party websites, DNS tunnels, and emails. At this point, traces of the Trojan can be found by analyzing the logs.
When the target stage is reached, the attacker starts to complete his own purpose, which may be to disrupt the normal operation of the system, steal target data, extort extortion, lateral movement, etc. At this time, there may already be attack exploit tools uploaded by the attacker in the controlled machine, which can be discovered by means of honeypots at this stage.
8.15.3.2. The Diamond Model¶
The diamond model was proposed in 2013 by Sergio Catagirone et al. of The Center for Cyber Intelligence Anaysis and Threat Research (CCIATR).
The model divides all security events into four core elements, namely Adversary, Capability, Infrastructure and Victim, and the relationship between them is represented by a diamond-shaped connection , hence the name “Diamond Model”.
The characteristics of the kill chain model is that it can explain the attack line and the process of the attack, and the characteristic of the diamond model is that it can explain the attack purpose and the attack method used by the attacker in a single event.
When using the diamond model analysis, the pivot point analysis method is usually used. Pivoting refers to an analytical technique that extracts an element and combines it with a data source to discover relevant elements. The fulcrum can be changed at any time in the analysis, and the four core features and the two extended features (socio-political, technological) may become the fulcrum of the analysis at that time.
8.15.4. Correlation analysis methods¶
Correlation analysis is used to combine multiple different attack samples.
8.15.4.1. Document classes¶
hash
ssdeep
Version Information (Company/Author/Last Modified Author/Created Time/Last Modified Time)
8.15.4.2. Behavior Analysis¶
- based on network behavior
similar interaction
8.15.4.3. Executable similarity analysis¶
special port
special string/key
- PDB file path
similar folders
- code reuse
Similar code snippet
8.15.5. Clear log mode¶
kill <bash process ID>
won’t storeset +o history
Do not write historyunset HISTFILE
environment variables to clear history