A Large-Scale Analysis of Attacker Activity in Compromised Enterprise Accounts

Authors: Neil Shah, Grant Ho, Marco Schweighauser, M. Afifi, Asaf Cidon, David A. Wagner
We present a large-scale characterization of attacker activity across 111 real-world enterprise organizations. We develop a novel forensic technique for distinguishing between attacker activity and benign activity in compromised enterprise accounts that yields few false positives and enables us to perform fine-grained analysis of attacker behavior. Applying our methods to a set of 159 compromised enterprise accounts, we quantify the duration of time attackers are active in accounts and examine…
1 Citations
What Clinical Trials Can Teach Us about the Development of More Resilient AI for Cybersecurity
A model that is informed by the experience, urged forward by massive scale cyberattacks, and inspired by parallel developments in the biomedical field and the unprecedentedly fast development of new vaccines to combat global pathogens is proposed.


High Precision Detection of Business Email Compromise
BEC-Guard is presented, a detector used at Barracuda Networks that prevents business email compromise attacks in real-time using supervised learning and achieves a precision of 98.2% and a false positive rate of less than one in five million emails.
What Happens After You Are Pwnd: Understanding the Use of Leaked Webmail Credentials in the Wild
A taxonomy of malicious activity performed on stolen Gmail accounts is devised to identify differences in the behavior of cybercriminals that get access to stolen accounts through different means, and to identify systematic attempts to evade the protection systems in place at Gmail and blend in with the legitimate user activity.
Consequences of Connectivity: Characterizing Account Hijacking on Twitter
It is argued that early outbreak detection that stems the spread of compromise in 24 hours can spare 70% of victims, and developed a system for detecting large-scale attacks on Twitter that identifies 14 million victims of compromise.
Detecting and Characterizing Lateral Phishing at Scale
The first large-scale characterization of lateral phishing attacks is presented, based on a dataset of 113 million employee-sent emails from 92 enterprise organizations, and several thematic content and recipient targeting strategies that attackers follow are identified.
Evaluating Login Challenges as a Defense Against Account Takeover
It is illustrated that login challenges act as an important barrier to hijacking, but that friction in the process leads to 52% of legitimate users failing to sign in, though 97% of users eventually access their account in a short period.
COMPA: Detecting Compromised Accounts on Social Networks
This work has extensively studied the use of fake (Sybil) accounts that attackers set up to distribute spam messages, which typically exhibit highly anomalous behavior, and hence, are relatively easy to detect.
Detecting Credential Spearphishing Attacks in Enterprise Settings
We present a new approach for detecting credential spearphishing attacks in enterprise settings. Our method uses features derived from an analysis of fundamental characteristics of spearphishing
Safeguarding academic accounts and resources with the University Credential Abuse Auditing System
The design, implementation, and evaluation of a system for safeguarding academic accounts and resources called the University Credential Abuse Auditing System (UCAAS) are described and shown to be useful in reducing the burden of credential theft.
Data Breaches, Phishing, or Malware?: Understanding the Risks of Stolen Credentials
The first longitudinal measurement study of the underground ecosystem fueling credential theft and the risk it poses to millions of users is presented and a remarkable lack of external pressure on bad actors is observed, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.
Reading Between the Lines: Content-Agnostic Detection of Spear-Phishing Emails
It is shown that a sender leaves content-agnostic traits in the structure of an email, and a method capable of learning profiles for a large set of senders and identifying spoofed emails as deviations thereof is developed.