The Attacker’s Dictionary


Uploaded by sshblacklisting, 05.03.2016

04 EVENT FREQUENCY AND TRAFFIC ANALYSIS

Some days are busier than others for the Heisenberg honeypots. While we cannot say what causes the particular spikes in credential scanning traffic, we can plot when there is increased attention to RDP across all sources. For example, it appears that the spring and summer of 2015 saw much more scanning activity across the board than the following autumn and winter (Figure 2).

[Figure 2: Events Per Day, 2015-2016]

However, if we break out our event statistics by source country, we can see that scanning sourced from China is responsible for the vast majority of the RDP activity, with distinct spikes in April, June, and July (Figure 3). Of course, some fraction of these “sources” are in fact proxies, or artifacts of the limitations inherent in GeoIP databases, so the source country records where the last hop of a scan came from, not necessarily where its operator sits. Even so, the observation that endpoints in networks associated with China are responsible for so much of the traffic is not particularly surprising: China also happens to be the most populous country on Earth, and the most recent data indicates that the Chinese account for nearly 20% of humanity as well as 20% of all Internet users [9].

[Figure 3: Events Per Day by Country, 2015-2016]

However, the dominance of endpoints in China-based networks in our scan data does make it difficult to see more granular activity reports for other regions, so Figure 4 shows the top five countries’ activity after endpoints in China-based networks are removed. Here, we can see that endpoints in U.S.-based networks were the source of much more consistent scanning through the spring and summer of 2015, with a spike from endpoints in networks associated with the Republic of Korea (South Korea) in mid-June. Traffic analysis like this can help investigators get a sense of the overall level of opportunistic compromise activity against RDP-enabled systems, so they can look for clues accordingly.

[Figure 4: Events Per Day by Country, Excluding Endpoints in China-based Networks]

[9] Internetlivestats.com. (n.d.). Internet Users by Country (2014). Retrieved February 19, 2016, from http://www.internetlivestats.com/internet-users-by-country/

Rapid7.com | The Attacker’s Dictionary: Auditing Criminal Credential Attacks, p. 8
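The per-day, per-country breakdown that the Figure 2 to Figure 4 discussion describes, written out as an added example; this is not Rapid7's Heisenberg tooling or any code from the report. The tab-separated log format, the tiny CIDR table standing in for a GeoIP database (GEOIP_TABLE) and the sample events are all constructed here for illustration. The script parses the log, attributes each source address to a country, counts RDP events per day by country (the data behind a Figure 3 style plot), and ranks the top N countries with a dominant source excluded (the Figure 4 view).

```python
"""Per-day event counts by source country for honeypot credential-scanning logs.

Added example, not Rapid7 code. Log format, GeoIP table and events are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP database: CIDR prefix -> ISO country code.
# A real analysis would query a full GeoIP database; the attribution caveat in
# the text (proxies, stale or coarse GeoIP records) applies just the same.
GEOIP_TABLE = [
    (ip_network("203.0.113.0/24"), "CN"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("192.0.2.0/25"), "KR"),
    (ip_network("192.0.2.128/25"), "DE"),
]

# Constructed honeypot events: "<ISO-8601 UTC timestamp>\t<source IP>\t<protocol>".
# Includes one non-RDP line, one malformed line and one bad timestamp on purpose.
SAMPLE_LOG = """\
2015-06-12T01:02:03Z\t203.0.113.5\trdp
2015-06-12T01:02:09Z\t203.0.113.5\trdp
2015-06-12T04:40:00Z\t203.0.113.77\trdp
2015-06-12T05:00:00Z\t198.51.100.9\trdp
2015-06-12T07:30:00Z\t192.0.2.10\trdp
2015-06-12T08:00:00Z\t203.0.113.5\tssh
2015-06-13T00:00:01Z\t203.0.113.5\trdp
2015-06-13T02:00:00Z\t192.0.2.10\trdp
2015-06-13T02:00:05Z\t192.0.2.11\trdp
2015-06-13T09:00:00Z\t198.51.100.9\trdp
2015-06-13T10:00:00Z\t192.0.2.200\trdp
2015-06-13T11:00:00Z\t10.1.2.3\trdp
not-a-time\t203.0.113.5\trdp
truncated line without tabs
"""


def lookup_country(ip: str) -> str:
    """Return the country code for an address, or '??' when unattributed.

    Keeping an explicit '??' bucket makes GeoIP gaps visible in the totals
    instead of silently dropping those events."""
    addr = ip_address(ip)
    for net, cc in GEOIP_TABLE:
        if addr in net:
            return cc
    return "??"


def parse_events(text: str, protocol: str = "rdp"):
    """Yield (ISO date, country) for each well-formed event of the given protocol.

    Malformed lines are skipped rather than aborting the whole run."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        ts, ip, proto = parts
        if proto != protocol:
            continue
        try:
            day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
            cc = lookup_country(ip)
        except ValueError:  # bad timestamp or unparsable address
            continue
        yield day.isoformat(), cc


def events_per_day_by_country(text: str) -> dict:
    """{ISO date: Counter({country: event count})} (Figure 3 style data)."""
    per_day = defaultdict(Counter)
    for day, cc in parse_events(text):
        per_day[day][cc] += 1
    return dict(per_day)


def top_countries(per_day: dict, n: int = 5, exclude=()) -> list:
    """Top-n countries by total events, with dominant sources optionally
    removed so that smaller sources become visible (Figure 4 style view)."""
    totals = Counter()
    for counts in per_day.values():
        for cc, k in counts.items():
            if cc not in exclude:
                totals[cc] += k
    return totals.most_common(n)


if __name__ == "__main__":
    per_day = events_per_day_by_country(SAMPLE_LOG)
    for day in sorted(per_day):
        print(day, dict(per_day[day]))
    print("top 5, all sources:     ", top_countries(per_day))
    print("top 5, excluding CN:    ", top_countries(per_day, exclude=("CN",)))
```

Run on the constructed log, the dominant "CN" bucket hides the rest of the ranking until it is passed in `exclude`, which is exactly the step the report takes between Figure 3 and Figure 4. Unattributed sources land in the "??" bucket; in a real dataset the size of that bucket, together with the share of addresses that are known proxies or VPN exits, bounds how much weight the per-country picture can bear.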

