Picky Attackers: Quantifying the Role of System Properties on Intruder Behavior

Honeypots constitute an invaluable piece of technology that allows researchers and security practitioners to track the evolution of break-in techniques by attackers and discover new malicious IP addresses, hosts, and victims. Even though there has been a wealth of research in which researchers deploy honeypots for a period of time and report on their findings, there is little work that attempts to understand how the underlying properties of a compromised system affect the actions of attackers. In this paper, we report on a four-month-long study involving 102 medium-interaction honeypots in which we vary a honeypot's location, difficulty of break-in, and population of files, observing how these differences elicit different behaviors from attackers. Moreover, we purposefully leak the credentials of dedicated, hard-to-brute-force honeypots to hacking forums and paste sites and monitor the actions of the incoming attackers. Among other findings, we observe that, even though bots perform specific environment-agnostic actions, human attackers are affected by the underlying environment, e.g., executing more commands on honeypots with realistic files and folder structures. Based on our findings, we provide guidance for future honeypot deployments and motivate the need for having multiple intrusion-detection systems.
