A Large-Scale Analysis of Attacker Activity in Compromised Enterprise Accounts

We present a large-scale characterization of attacker activity across 111 real-world enterprise organizations. We develop a novel forensic technique for distinguishing attacker activity from benign activity in compromised enterprise accounts; it yields few false positives and enables fine-grained analysis of attacker behavior. Applying our methods to a set of 159 compromised enterprise accounts, we quantify how long attackers remain active in accounts and examine thematic patterns in how attackers access and leverage these hijacked accounts. We find that attackers frequently dwell in accounts for multiple days to weeks, which suggests that delayed (non-real-time) detection can still provide significant value. Based on an analysis of the attackers' timing patterns, we observe two distinct modalities in how attackers access compromised accounts. This is consistent with a specialized market for hijacked enterprise accounts, in which one class of attackers compromises accounts and sells access to a second class of attackers who exploit the access those accounts provide. Ultimately, our analysis sheds light on the state of enterprise account hijacking and highlights fruitful directions for a broader space of detection methods: new features that home in on malicious account behavior, and non-real-time detection methods that use the malicious activity occurring after an attack's initial point of compromise to identify attacks more accurately.
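The abstract's two measurement points, how long an attacker dwells in an account and whether that activity arrives in one burst or spread over days, can be computed from a labelled sign-in log. The following is an added example, not the paper's code, and it does not implement the paper's forensic labelling technique (which the abstract does not describe); it assumes each event already carries an attacker/benign label produced by some upstream step, and the log format and the `alice`/`bob` sample records are constructed for illustration.

```python
"""Dwell time and access-timing summary for labelled sign-in events.

Added example (not the paper's code). The attacker/benign label on each
event is assumed to come from an upstream forensic step; this script only
measures what that labelled data says about dwell and timing.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    ts: datetime
    attacker: bool  # assumed: supplied by an upstream labelling step


# Constructed sample log: account, ISO timestamp, label. Not real data.
SAMPLE_LOG = """
# account,timestamp,label
alice@example.com,2020-03-01T09:00:00,benign
alice@example.com,2020-03-01T22:14:00,attacker
alice@example.com,2020-03-02T03:40:00,attacker
alice@example.com,2020-03-09T11:05:00,attacker
alice@example.com,2020-03-15T08:30:00,attacker
alice@example.com,2020-03-15T09:00:00,benign
bob@example.com,2020-03-04T13:00:00,benign
bob@example.com,2020-03-05T02:10:00,attacker
bob@example.com,2020-03-05T02:25:00,attacker
bob@example.com,2020-03-05T02:50:00,attacker
bob@example.com,2020-03-06T10:00:00,benign
"""


def parse_events(lines: list[str]) -> list[Event]:
    """Parse 'account,timestamp,label' records (constructed format), sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        account, ts, label = (f.strip() for f in line.split(","))
        events.append(Event(account, datetime.fromisoformat(ts), label == "attacker"))
    return sorted(events, key=lambda e: e.ts)


def attacker_times(events: list[Event], account: str) -> list[datetime]:
    return sorted(e.ts for e in events if e.account == account and e.attacker)


def dwell_time(events: list[Event], account: str) -> timedelta:
    """Span from the first to the last attacker-labelled event in the account."""
    ts = attacker_times(events, account)
    return (ts[-1] - ts[0]) if ts else timedelta(0)


def active_days(events: list[Event], account: str) -> int:
    """Number of distinct calendar days with attacker-labelled activity."""
    return len({t.date() for t in attacker_times(events, account)})


def burstiness(events: list[Event], account: str,
               window: timedelta = timedelta(hours=24)) -> float:
    """Fraction of attacker events that fall inside the densest `window`-long
    interval. 1.0 means every access happened in one burst; a lower value
    means the attacker kept coming back over the dwell period."""
    ts = attacker_times(events, account)
    if not ts:
        return 0.0
    best, j = 0, 0  # two-pointer sliding window over sorted timestamps
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] <= window:
            j += 1
        best = max(best, j - i)
    return best / len(ts)


def summarize(events: list[Event]) -> dict[str, dict]:
    """Per-account dwell and timing features for accounts with attacker activity."""
    out = {}
    for acct in sorted({e.account for e in events if e.attacker}):
        out[acct] = {
            "attacker_events": len(attacker_times(events, acct)),
            "dwell_days": dwell_time(events, acct) / timedelta(days=1),
            "active_days": active_days(events, acct),
            "burstiness": burstiness(events, acct),
        }
    return out


def long_dwell_accounts(summary: dict[str, dict], min_days: float = 1.0) -> list[str]:
    """Accounts where the attacker stayed at least `min_days`: the cases where a
    detector that runs hours or days after the initial compromise still has a
    chance to act before the attacker is done."""
    return [a for a, s in summary.items() if s["dwell_days"] >= min_days]


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG.splitlines()))
    for acct, s in summary.items():
        print(acct, s)
    print("long-dwell accounts:", long_dwell_accounts(summary))
```

In the constructed sample, `alice` shows the multi-day pattern (four attacker events over two weeks, only half of them within any single 24-hour window), while `bob` shows the single-burst pattern (three events within 40 minutes). Which of these corresponds to which class of attacker in the paper's data is not stated in the abstract; the script only separates the two timing shapes so that an analyst can count them.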
