DeepAI AI Chat
Log In Sign Up

A Large-Scale Analysis of Attacker Activity in Compromised Enterprise Accounts

by   Neil Shah, et al.

We present a large-scale characterization of attacker activity across 111 real-world enterprise organizations. We develop a novel forensic technique for distinguishing between attacker activity and benign activity in compromised enterprise accounts that yields few false positives and enables us to perform fine-grained analysis of attacker behavior. Applying our methods to a set of 159 compromised enterprise accounts, we quantify the duration of time attackers are active in accounts and examine thematic patterns in how attackers access and leverage these hijacked accounts. We find that attackers frequently dwell in accounts for multiple days to weeks, suggesting that delayed (non-real-time) detection can still provide significant value. Based on an analysis of the attackers' timing patterns, we observe two distinct modalities in how attackers access compromised accounts, which could be explained by the existence of a specialized market for hijacked enterprise accounts: where one class of attackers focuses on compromising and selling account access to another class of attackers who exploit the access such hijacked accounts provide. Ultimately, our analysis sheds light on the state of enterprise account hijacking and highlights fruitful directions for a broader space of detection methods, ranging from new features that home in on malicious account behavior to the development of non-real-time detection methods that leverage malicious activity after an attack's initial point of compromise to more accurately identify attacks.


page 1

page 2

page 3

page 4


Detecting and Characterizing Lateral Phishing at Scale

We present the first large-scale characterization of lateral phishing at...

Towards a First Step to Understand the Cryptocurrency Stealing Attack on Ethereum

We performed the first systematic study of a new attack on Ethereum to s...

Gotta catch 'em all: a Multistage Framework for honeypot fingerprinting

Honeypots are decoy systems that lure attackers by presenting them with ...

Simulation of Attacker Defender Interaction in a Noisy Security Game

In the cybersecurity setting, defenders are often at the mercy of their ...

Forecasting Suspicious Account Activity at Large-Scale Online Service Providers

In the face of large-scale automated social engineering attacks to large...

The GANfather: Controllable generation of malicious activity to improve defence systems

Machine learning methods to aid defence systems in detecting malicious a...

Analysis of Attacker Behavior in Compromised Hosts During Command and Control

Traditional reactive approach of blacklisting botnets fails to adapt to ...