Source-tracing analysis in attack-defense exercises

Foreword

One of the things a defender must do in an attack-defense exercise is source tracing (traceability analysis): once an intruder has been discovered, the defender switches quickly from defense to offense and works backward toward the attacker. Below we look at how tracing is done in different scenarios, with the goal of finally building an identity portrait of the attacker.

Attack methods

In attack-defense exercises, attackers mainly come in through the following routes: web applications, service vulnerabilities, phishing, and, increasingly in recent years, near-source (physical proximity) attacks. None of these methods is invisible; each leaves traces on various devices, and source tracing means working backward from those traces to find the attacker.

Attack sources

First, the attack sources we can obtain: these are the raw data for the tracing analysis. The most common are IP addresses, domain names, malicious samples, social-media account IDs, and e-mail addresses/mobile phone numbers.

Tracing methods

As can be seen above, the attack sources we obtain fall into three types: IPs, domain names, and personal identifiers (mobile phone numbers, social-media names, e-mail addresses, etc.). Malicious samples are not a fourth type so much as a container for the other three: the domains, IPs and contact addresses embedded in them are what get traced.

IP traceability

Once the attacker's IP has been obtained, it can be traced as follows:

1) First determine the type of IP: is it a proxy IP, an IDC (data center)/cloud host, a compromised host used as a jump box (a "broiler" in Chinese security slang), or a CDN IP? The type can be checked on threat-intelligence sites or on sites such as ipip.net.

2) Proxy IP/CDN: if the attacking IP is a proxy or a CDN address, there is generally no effective way to trace it to its origin, so set it aside for now. A quick sanity check: if the ASN or reverse DNS belongs to a CDN or VPN provider, or the same IP shows up against many unrelated targets, it is shared infrastructure and not worth more effort at this stage.

3) Compromised host ("broiler") IP: this kind of IP usually belongs to a machine the attacker took over through a vulnerability and is now using as a springboard. Tracing through it is only possible after obtaining (authorised) access to that host and then digging through its connection records for the attacker's real IP, which makes this route considerably harder.

4) IDC/cloud host: this may be the attacker's own server. Check the IP's historical domain-name resolution records (passive DNS), then run a whois query on any domains found to see whether registrant information such as a name, e-mail address or phone number can be obtained. With that information, search breach ("social-engineering") databases and various forums to fill in the attacker's portrait. Bear in mind that whois privacy services hide most registrant details on current records, so historical whois data is often the more useful source.

5) Real IP: if it is the attacker's real IP, the geolocation sites below give a rough location, which is then judged together with the other information.
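The five steps above, written out as a small triage script. This is an added example, not code from the original post: the network ranges, the bot list, the passive-DNS history, the WHOIS records and the access-log lines are all constructed for illustration (in practice the classification comes from ipip.net or threat-intelligence portals, and the history and registrant data from passive-DNS and WHOIS lookups). The Triage class and the functions are hypothetical names chosen here.

```python
"""IP triage for source tracing, following the five-step procedure above.

Added example, not code from the original post. The network ranges, the bot
list, the passive-DNS history and the WHOIS records are constructed for
illustration; the access-log excerpt at the bottom is made up as well.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed classification data. RFC 5737 documentation ranges are used
# so that no real network is named.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROXY_OR_CDN = [ipaddress.ip_network(n) for n in ("203.0.113.0/25", "198.51.100.0/24")]
IDC_OR_CLOUD = [ipaddress.ip_network(n) for n in ("203.0.113.128/25",)]
KNOWN_BOTS = {ipaddress.ip_address("192.0.2.77")}  # compromised jump hosts seen in intel

# Constructed passive-DNS history (IP -> domains that resolved to it) and
# WHOIS registrant records for those domains.
PDNS_HISTORY = {"203.0.113.200": ["update-cdn.example", "c2.example"]}
WHOIS = {
    "c2.example": {"registrant": "demo-registrant", "email": "registrant@c2.example",
                   "phone": "+1-555-0100"},
}

@dataclass
class Triage:
    ip: str
    kind: str
    action: str
    pivots: dict = field(default_factory=dict)   # domain -> WHOIS record

def classify(ip_str):
    """Step 1: decide what kind of address this is. Order matters: a shared
    proxy/CDN range must win over a cloud range it may sit inside."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in n for n in INTERNAL):
        return "internal"
    if any(ip in n for n in PROXY_OR_CDN):
        return "proxy/cdn"
    if ip in KNOWN_BOTS:
        return "bot"
    if any(ip in n for n in IDC_OR_CLOUD):
        return "idc/cloud"
    return "real"

def triage(ip_str):
    """Steps 2-5: map the IP type to the next tracing action and collect
    any pivots (domains and registrant data) that the type allows."""
    kind = classify(ip_str)
    t = Triage(ip=ip_str, kind=kind, action="")
    if kind == "internal":
        t.action = "internal address, not an external source"
    elif kind == "proxy/cdn":
        t.action = "set aside: proxy/CDN hides the real origin"
    elif kind == "bot":
        t.action = "compromised jump host: needs (authorised) access to its connection logs"
    elif kind == "idc/cloud":
        t.action = "pivot through historical DNS and WHOIS"
        for domain in PDNS_HISTORY.get(ip_str, []):
            record = WHOIS.get(domain)
            if record:                  # privacy-protected domains yield nothing
                t.pivots[domain] = record
    else:
        t.action = "geolocate and correlate with the other evidence"
    return t

LOG_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")

def triage_log(lines):
    """Triage every distinct source IP in access-log lines (client IP first)."""
    results = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m.group(1) not in results:
            results[m.group(1)] = triage(m.group(1))
    return results

# Constructed access-log excerpt from the drill.
SAMPLE_LOG = [
    '203.0.113.9 - - [12/Aug/2024:10:01:02 +0800] "GET /login HTTP/1.1" 200 512',
    '192.0.2.77 - - [12/Aug/2024:10:01:05 +0800] "POST /api/upload HTTP/1.1" 500 0',
    '203.0.113.200 - - [12/Aug/2024:10:02:11 +0800] "GET /.git/config HTTP/1.1" 404 0',
    '192.0.2.10 - - [12/Aug/2024:10:03:40 +0800] "GET /admin HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, t in triage_log(SAMPLE_LOG).items():
        print(f"{ip:15} {t.kind:10} {t.action}")
        for domain, rec in t.pivots.items():
            print(f"{'':15} pivot {domain}: {rec['email']} {rec['phone']}")
```

The point of keeping the pivots next to the action is that every registrant detail in the final portrait can be traced back to the IP and domain it came from; a domain without a WHOIS record (here update-cdn.example) simply produces no pivot rather than a guess.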

Common websites for querying IP information:

https://www.cz88.net/iplab

https://www.ipip.net/

https://www.ipuu.net/query/ip?search=

https://tool.lu/ip/

https://x.threatbook.com/

Domain name tracing

Domain names can be extracted from malicious samples or phishing e-mails. From a domain, look up its whois registrant details and its current and historical resolution records: the IPs found feed back into the IP tracing above, and any registrant e-mail address or phone number feeds into the ID tracing below.

ID traceability

Query as follows:

1) If an e-mail address, mobile phone number or similar identifier is available, search breach ("social-engineering") databases for records associated with it.

2) Search for the same ID (username) on various social networking sites, such as Taobao, QQ, etc.; people often reuse one handle everywhere.

3) If the ID is a mobile phone number, search for information tied to the number, including the name of its registered user.
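The domain tracing and ID tracing sections above are really one loop: each indicator is queried, the indicators it returns are queried in turn, and the result is the attacker's portrait. The script below shows that loop. It is an added example, not code from the original post; the phishing e-mail, the lookup table and every name, address and number in it are constructed, and the LOOKUPS table stands in for the WHOIS, passive-DNS, breach-database and social-network searches the text describes.

```python
"""Pivoting from a domain or personal ID to an attacker portrait.

Added example, not code from the original post. The phishing e-mail and
every lookup result below are constructed; LOOKUPS stands in for WHOIS,
passive-DNS, breach-database and social-network queries.
"""
import re
from collections import deque

# Constructed phishing e-mail captured during the drill.
PHISHING_MAIL = """From: HR Portal <hr@corp-login.example>
Subject: Salary adjustment notice
Please sign in at https://corp-login.example/auth to confirm your details.
Questions: contact recruit2024@mail.example"""

# Constructed lookup results keyed by (indicator type, value). Each entry
# lists the indicators that one query on the key would return.
LOOKUPS = {
    ("domain", "corp-login.example"): [("email", "recruit2024@mail.example"),  # WHOIS registrant
                                       ("ip", "203.0.113.200")],               # resolution record
    ("email", "recruit2024@mail.example"): [("phone", "+1-555-0100"),          # breach database
                                            ("handle", "recruit2024")],        # local part reused as ID
    ("phone", "+1-555-0100"): [("name", "J. Doe (demo)")],                     # phone -> registered user
    ("handle", "recruit2024"): [("social", "forum.example/user/recruit2024")],  # social-network search
    ("ip", "203.0.113.200"): [("domain", "c2.example")],                       # historical DNS
    ("domain", "c2.example"): [("email", "recruit2024@mail.example")],         # same registrant e-mail
}

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def extract_indicators(text):
    """Pull e-mail addresses and domain names out of a sample or mail."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    domains = sorted(set(DOMAIN_RE.findall(text)))
    return [("email", e) for e in emails] + [("domain", d) for d in domains]

def build_portrait(seeds, lookups=LOOKUPS):
    """Breadth-first pivot: every indicator found is itself queried until no
    new indicator appears (the seen-set also stops cycles such as
    domain -> email -> ... -> domain). Returns the portrait (type -> values)
    and the evidence edges linking them, so each claim can be traced back."""
    seen = set(seeds)
    queue = deque(seeds)
    edges = []
    while queue:
        node = queue.popleft()
        for nxt in lookups.get(node, []):
            edges.append((node, nxt))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    portrait = {}
    for kind, value in seen:
        portrait.setdefault(kind, set()).add(value)
    return portrait, edges

def format_portrait(portrait):
    order = ("name", "phone", "email", "handle", "social", "domain", "ip")
    return "\n".join(f"{k:7}: {', '.join(sorted(portrait[k]))}" for k in order if k in portrait)

if __name__ == "__main__":
    seeds = extract_indicators(PHISHING_MAIL)
    portrait, edges = build_portrait(seeds)
    print(format_portrait(portrait))
    print(f"{len(edges)} evidence links")
```

Keeping the edge list alongside the portrait matters in practice: a name that reaches the report only because a handle was reused on one forum is much weaker evidence than one confirmed from two independent pivots, and the edges are what let a reviewer tell the two apart.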

Summary

The key to source tracing is how much information you can obtain. Use technologies such as honeypots to capture as many of the attacker's characteristics as possible, then conduct the reverse investigation.

Due to my limited level, there may be some mistakes in this article. Everyone is welcome to correct me, thank you very much. If you have any good ideas, you are welcome to share them, thanks~~

Source: blog.csdn.net/Hacker0830/article/details/132483396