The Attacker’s Dictionary

Recommendations

Info

04 EVENT FREQUENCY AND TRAFFIC ANALYSIS Some days are busier than others for the Heisenberg honeypots. While we cannot say what causes the particular spikes in credential scanning traffic, we can plot when there is increased attention to RDP across all sources. For example, it appears that the spring and summer of 2015 saw much more scanning activity across the board than the following autumn and winter (Figure 2). However, if we break out our event statistics by source country, we can see that scanning sourced from China is responsible for the vast majority of the RDP activity, with distinct spikes in April, June, and July (Figure3). Of course, while some fraction of these “sources” are in fact proxies and artifacts of the limitations inherent in GeoIP databases, the observation that endpoints in networks associated with China are responsible for so much of the traffic is not particularly surprising. China also happens to be the most populous country on Earth, and the most recent data indicates that the Chinese account for nearly 20% of humanity as well as 20% of all Internet users 9 . However, the dominance of endpoints in China-based networks in our scan Figure 2: Events Per Day, 2015-2016 9 Internetlivestats.com. (n.d.). Internet Users by Country (2014). Retrieved February 19, 2016, from http://www. internetlivestats.com/internet-users-by-country/ | Rapid7.com The Attacker’s Dictionary: Auditing Criminal Credential Attacks 8
Figure 3: Events Per Day by Country, 2015-2016 data does make it difficult to see more granular activity reports by other regions, so the plot below (Figure 4) shows the top five countries’ activity after endpoints in China-based networks are removed. Here, we can see that the endpoints in U.S.-based networks were the source of much more consistent scanning through the spring and summer of 2015, with a spike from endpoints in networks associated with the Republic of Korea (South Korea) in mid-June. Traffic analysis like this can help investigators get a sense of overall opportunistic compromise activity of RDP-enabled systems, so they can look for clues accordingly. Figure 4: Events Per Day by Country, Excluding Endpoints in China-based Networks | Rapid7.com The Attacker’s Dictionary: Auditing Criminal Credential Attacks 9
Page 1 and 2: The Attacker’s Dictionary Auditin
Page 3 and 4: 01 EXECUTIVE SUMMARY This paper is
Page 5 and 6: 03 HEISENBERG HONEYPOTS Heisenberg
Page 7: var td_2F = new td_0g(“4818a8896d
Page 11 and 12: Figure 6: Top 10 Country Network Or
Page 13 and 14: Figure 7: Top 10 Usernames administ
Page 15 and 16: Top Passwords for the Top Ten Usern
Page 17 and 18: Top Usernames Associated with the T
Page 19 and 20: Figure 12: Distinct Passwords per U
Page 21 and 22: 07 PASSWORD COMPLEXITY AND PROVENAN
Page 23 and 24: Figure 15: Password Lifetimes Compl
Page 25 and 26: would almost certainly run afoul of

The Attacker’s Dictionary

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?