Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/100123

| Title: | 進階持續性威脅網路攻擊之重建模擬實作與大型語言模型代理之自主式攻擊 Advanced Persistence Threat (APT) Attack Campaign Reconstruction and LLM Agent Automated Attack |
| Author: | 施瑋翔 Wei-Hsiang Shih |
| Advisor: | 孫雅麗 Yea-Li Sun |
| Keywords: | Advanced Persistent Threats, Attack Life Cycle, Red Team Simulation, MITRE ATT&CK, CALDERA, Large Language Model Agent |
| Publication Year: | 2025 |
| Degree: | Master's |
| Abstract: | With the rapid advancement of information technology and the increasing complexity of cybersecurity threats, Advanced Persistent Threats (APTs) have become a critical challenge faced by enterprises and government organizations. APT campaigns are often characterized by their staged execution, long-term persistence, and evasion of detection. Threat actors design intricate, multi-phase operations tailored to their targets, including initial compromise, lateral movement, credential theft, and data exfiltration. This study aims to support defenders in understanding and simulating real-world APT behaviors through the reconstruction of three documented attack campaigns: Lazarus Attack Campaign, Taiwan Critical Infrastructure Attack, and Islamic Organization Espionage Campaign. Each campaign's attack life cycle is reconstructed and analyzed using the MITRE ATT&CK framework to classify tactics and techniques used in each attack phase.
The study first reconstructs the Mandiant Target Attack Life Cycle based on publicly available Cyber Threat Intelligence (CTI) reports, filling in technical gaps and implementing corresponding attack scripts (Abilities) to contribute to the CALDERA red teaming platform, thereby enhancing and diversifying its arsenal. Next, the study records system event logs generated during the execution of complete attack simulations to expand the TTP (Tactics, Techniques, and Procedures) knowledge base, providing more diverse training data for deep learning-based threat detection models.
Furthermore, this research explores the application of Large Language Model (LLM) Agents in autonomous attack simulation, demonstrating their planning and reasoning capabilities. By designing and implementing a variety of tools, the study enables LLM Agents to autonomously conduct multi-stage APT style attacks using existing tools. Through the combination of real-world attack reconstruction and autonomous LLM Agent driven attacks, this study provides red teams with enriched offensive techniques and improves the automation of red team exercises. Ultimately, it aims to enhance defenders’ situational awareness and response capabilities against APT threats. |
| URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/100123 |
| DOI: | 10.6342/NTU202503062 |
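| Full-text authorization: | Not authorized |
| Electronic full-text release date: | N/A |
| Appears in collections: | Department of Information Management |

Files in this item:

| File | Size | Format | |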
|---|---|---|---|
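| ntu-113-2.pdf (not authorized for public access) | 3.35 MB | Adobe PDF |

Except where copyright terms are specifically indicated, all documents in the system are protected by copyright, with all rights reserved.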
