A Large-Scale Analysis of Attacker Activity in Compromised Enterprise Accounts

Neil Shah, Grant Ho, Marco Schweighauser, M.H. Afifi, Asaf Cidon and David A. Wagner

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2020-80
May 28, 2020

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2020/EECS-2020-80.pdf

We present the first large-scale characterization of attacker activity in compromised enterprise accounts based on our dataset of 989 enterprise accounts spanning 120 real-world enterprise organizations. Given the wealth of confidential and sensitive information that enterprises have access to, malicious access to enterprise accounts can incur major damage. We develop a novel forensic technique for distinguishing between attacker activity and benign activity in compromised enterprise accounts that yields few false positives and enables us to perform fine-grained analysis. Applying our forensic methods to these accounts, we quantify the length of time attackers spend in enterprise accounts, surface clues about the economy of enterprise accounts, explore a potential attack vector of compromise, and identify what these accounts are used for by attackers. We find that attackers dwell a long time in accounts and there appears to be a specialized market for these accounts in which one set of attackers compromise the accounts and another set of attackers utilize the accounts, possibly for extracting monetary value. Taken together, our findings illuminate differences in how attackers exploit enterprise accounts compared to personal accounts and inform organizations of new defense strategies that can address the state of threats today.

Advisor: David A. Wagner
BibTeX citation:

@mastersthesis{Shah:EECS-2020-80,
    Author = {Shah, Neil and Ho, Grant and Schweighauser, Marco and Afifi, M.H. and Cidon, Asaf and Wagner, David A.},
    Title = {A Large-Scale Analysis of Attacker Activity in Compromised Enterprise Accounts},
    School = {EECS Department, University of California, Berkeley},
    Year = {2020},
    Month = {May},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2020/EECS-2020-80.html},
    Number = {UCB/EECS-2020-80},
    Abstract = {We present the first large-scale characterization of attacker activity in compromised enterprise accounts based on our dataset of 989 enterprise accounts spanning 120 real-world enterprise organizations. Given the wealth of confidential and sensitive information that enterprises have access to, malicious access to enterprise accounts can incur major damage. We develop a novel forensic technique for distinguishing between attacker activity and benign activity in compromised enterprise accounts that yields few false positives and enables us to perform fine-grained analysis. Applying our forensic methods to these accounts, we quantify the length of time attackers spend in enterprise accounts, surface clues about the economy of enterprise accounts, explore a potential attack vector of compromise, and identify what these accounts are used for by attackers. We find that attackers dwell a long time in accounts and there appears to be a specialized market for these accounts in which one set of attackers compromise the accounts and another set of attackers utilize the accounts, possibly for extracting monetary value. Taken together, our findings illuminate differences in how attackers exploit enterprise accounts compared to personal accounts and inform organizations of new defense strategies that can address the state of threats today.}
}

EndNote citation:

%0 Thesis
%A Shah, Neil
%A Ho, Grant
%A Schweighauser, Marco
%A Afifi, M.H.
%A Cidon, Asaf
%A Wagner, David A.
%T A Large-Scale Analysis of Attacker Activity in Compromised Enterprise Accounts
%I EECS Department, University of California, Berkeley
%D 2020
%8 May 28
%@ UCB/EECS-2020-80
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2020/EECS-2020-80.html
%F Shah:EECS-2020-80