TY - GEN
T1 - Picky attackers
T2 - 33rd Annual Computer Security Applications Conference, ACSAC 2017
AU - Barron, Timothy
AU - Nikiforakis, Nick
N1 - Publisher Copyright: © 2017 Copyright held by the owner/author(s). Publication rights licensed to ACM.
PY - 2017/12/4
Y1 - 2017/12/4
N2 - Honeypots constitute an invaluable piece of technology that allows researchers and security practitioners to track the evolution of break-in techniques by attackers and discover new malicious IP addresses, hosts, and victims. Even though there has been a wealth of research where researchers deploy honeypots for a period of time and report on their findings, there is little work that attempts to understand how the underlying properties of a compromised system affect the actions of attackers. In this paper, we report on a four-month long study involving 102 medium-interaction honeypots where we vary a honeypot's location, difficulty of break-in, and population of files, observing how these differences elicit different behaviors from attackers. Moreover, we purposefully leak the credentials of dedicated, hard-to-brute-force, honeypots to hacking forums and paste-sites and monitor the actions of the incoming attackers. Among others, we find that, even though bots perform specific environment-agnostic actions, human attackers are affected by the underlying environment, e.g., executing more commands on honeypots with realistic files and folder structures. Based on our findings, we provide guidance for future honeypot deployments and motivate the need for having multiple intrusion-detection systems.
AB - Honeypots constitute an invaluable piece of technology that allows researchers and security practitioners to track the evolution of break-in techniques by attackers and discover new malicious IP addresses, hosts, and victims. Even though there has been a wealth of research where researchers deploy honeypots for a period of time and report on their findings, there is little work that attempts to understand how the underlying properties of a compromised system affect the actions of attackers. In this paper, we report on a four-month long study involving 102 medium-interaction honeypots where we vary a honeypot's location, difficulty of break-in, and population of files, observing how these differences elicit different behaviors from attackers. Moreover, we purposefully leak the credentials of dedicated, hard-to-brute-force, honeypots to hacking forums and paste-sites and monitor the actions of the incoming attackers. Among others, we find that, even though bots perform specific environment-agnostic actions, human attackers are affected by the underlying environment, e.g., executing more commands on honeypots with realistic files and folder structures. Based on our findings, we provide guidance for future honeypot deployments and motivate the need for having multiple intrusion-detection systems.
UR - https://www.scopus.com/pages/publications/85038952341
U2 - 10.1145/3134600.3134614
DO - 10.1145/3134600.3134614
M3 - Conference contribution
T3 - ACM International Conference Proceeding Series
SP - 387
EP - 398
BT - Proceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017
PB - Association for Computing Machinery
Y2 - 4 December 2017 through 8 December 2017
ER -