Using Log Auditing to Track APT Attacks

This TT安全 article describes how Google's security staff used DNS logs to track the Aurora attack.
Aurora was a typical APT attack. Google's security manager Adkins said: "The methods Google found most useful were systematic digital forensics, event logs and malware analysis." Once Google discovered the network attack, the security team became highly alert, examining everything carefully and not letting even a simple anomalous event pass unnoticed.

[Appendix] What is an APT attack? It is currently the hottest term in network security.
There is a Chinese explanation here, which should be the first Chinese-language translation of the concept I have seen. Frankly, though, the explanation is rather mediocre; it only covers the surface of the surface. I recommend reading the explanation on Wikipedia instead: The "Advanced Persistent Threat" (APT) refers to advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals such as a foreign nation state government.
The explanation on SANS is more detailed still.
Simply put, an APT attack is a particular class of attack: the whole process of a targeted series of attack actions carried out to obtain important information from a specific organization or even a nation. An APT attack uses many attack techniques, including the most advanced methods and social engineering, to gain access inside the organization step by step. APTs often use people inside the organization as a stepping stone. Sometimes the attacker writes a dedicated attack program for the chosen target rather than using generic attack code. In addition, APT attacks are persistent, sometimes lasting as long as a year; this persistence shows in the attacker continually trying different attack techniques and, once inside the network, lying dormant for a long time while gathering information until the important intelligence has been collected. In short, APT attacks are highly targeted: the term refers specifically to attacks with a clear objective, not indiscriminate ones. For that reason, APT attacks are also a key concern of cyberwar and cybersecurity.
The steps of an APT attack, shown in the figure below, are taken from this SANS blog.

DarkReading also has a description of the steps, much like the one above:

1. Reconnaissance: Attackers research and identify individuals they will target in the attacks, using public search or other methods, and get their email addresses or instant messaging handles.

2. Intrusion into the network: It all typically starts with spear-phishing emails, where the attacker targets specific users within the target company with spoofed emails that include malicious links or malicious PDF or Microsoft Office document attachments. That infects the employee's machine and gives the attacker a foot in the door.

3. Establishing a backdoor: The attackers try to get domain administrative credentials and extract them from the network. Since these credentials are typically encrypted, they then decrypt them using pass-the-hash or other tools and gain elevated user privileges. From here, they move "laterally" within the victim's network, installing backdoors here and there. They typically install malware via process injection, registry modification, or scheduled services, according to Mandiant.

4. Obtaining user credentials: Attackers get most of their access using valid user credentials, and they access an average of 40 systems on the victim's network using the stolen credentials, according to Mandiant. The most common type: domain-administrator credentials.

5. Installing multiple utilities (installing various attack tools): Utility programs are installed on the victim's network to conduct system administration, including installing backdoors, grabbing passwords, getting email, and listing running processes, for instance.

6. Privilege escalation, lateral movement, and data exfiltration (privilege escalation, data leakage): Now the attackers start grabbing emails, attachments, and files from servers via the attacker's C&C infrastructure. They typically funnel the stolen data to staging servers, where they encrypt and compress it, and then delete the compressed files from the staging server.

7. Maintaining persistence (sustained attack): If the attackers find they are being detected or remediated, then they use other methods to ensure they don't lose their presence in the victim's network, including revamping their malware.
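To make the DNS-log approach from the opening paragraph concrete, here is an added Python example (not code from the article, Google or DarkReading) that hunts for two signs of steps 6 and 7 in a DNS query log: a host resolving one name at a fixed interval (a backdoor checking in with its C&C infrastructure) and names that only a single host ever queries. The log format and all hosts and domain names are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS query log (not real data): "<epoch> <client_ip> <queried_name>".
# Host 10.0.0.9 resolves one name every 300 s, a regular check-in; the others browse normally.
SAMPLE_LOG = """\
1000 10.0.0.5 www.example-corp.test
1001 10.0.0.7 www.example-corp.test
1002 10.0.0.5 mail.example-corp.test
1000 10.0.0.9 update.cdn-example.test
1300 10.0.0.9 update.cdn-example.test
1600 10.0.0.9 update.cdn-example.test
1900 10.0.0.9 update.cdn-example.test
2200 10.0.0.9 update.cdn-example.test
"""

def parse_dns_log(text):
    """Parse log lines into (timestamp, client, name) tuples, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        ts, client, name = parts
        records.append((int(ts), client, name.lower().rstrip(".")))
    return records

def find_beacons(records, min_queries=4, max_jitter=0.1):
    """Return (client, name, mean_gap) for client/name pairs queried at least
    min_queries times with near-constant spacing (relative deviation <= max_jitter)."""
    series = defaultdict(list)
    for ts, client, name in records:
        series[(client, name)].append(ts)
    hits = []
    for (client, name), times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, name, avg))
    return hits

def rare_domains(records, max_clients=1):
    """Names queried by at most max_clients hosts: the kind of simple anomaly an audit should not let pass."""
    clients = defaultdict(set)
    for _, client, name in records:
        clients[name].add(client)
    return sorted(n for n, c in clients.items() if len(c) <= max_clients)
```

In a real audit the thresholds would be tuned against a baseline of normal traffic, and hits are leads for the forensics and malware analysis the article mentions, not verdicts on their own.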

FYI.
