Cybereason researchers have been analysing a complex network honeypot operation, and the results should make every CISO pause for thought
Establishing fake servers to attract attackers is nothing new, and while the results can be useful from a threat-intelligence perspective, they don’t tend to reveal anything particularly new either. Where the attackers come from is of less value than what they do once they arrive, and that is where the fake financial company created by Cybereason really delivered the goods: it was discovered and breached by automated bots almost instantly. “These tools will drop the average dwell time of an attacker from a couple of hours to a couple of minutes,” the researchers warn.

The Cybereason researchers saw a lot of rudimentary activity across all services, but what really caught their eye was the botnet that struck within two hours of the team deliberately weakening additional RDP ports. It did the grunt work for the attackers, who did not take part manually until after the bots had exploited known vulnerabilities, scanned the network, dumped credentials from the compromised machines and created new user accounts so the perpetrators could easily return even if the legitimate users changed their passwords in the meantime. That sounds like a lot of work, yet the botnet took just 15 seconds to achieve it from start to finish.
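The last step of that chain, a remote logon followed within seconds by new local accounts, is one a defender can look for directly. The Python below is an added illustration, not code from Cybereason’s research or from this article: it runs over a handful of constructed, simplified Windows Security log records (event 4624 with logon type 10 for an RDP logon, event 4720 for account creation; the field names and the host, user and IP values are invented for the example) and flags account creation that follows an RDP logon by the same account on the same host within a short window. The 60-second window is an assumed threshold, chosen to match the speed of the automated activity described above rather than the hours a human administrator would take.

```python
"""Flag account creation that follows an RDP logon within seconds.

Added example: constructed, simplified Windows Security log records.
Field names mirror the real log loosely; values are invented.
"""
from datetime import datetime

RDP_LOGON_TYPE = 10   # 4624 logon type 10 = RemoteInteractive (RDP)
EVENT_LOGON = 4624    # "An account was successfully logged on"
EVENT_USER_CREATED = 4720  # "A user account was created"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2019-05-01T10:00:00", "host": "FIN-DC01", "event_id": 4624,
     "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"ts": "2019-05-01T10:00:04", "host": "FIN-DC01", "event_id": 4720,
     "user": "administrator", "target_user": "svc_backup2"},
    {"ts": "2019-05-01T10:00:09", "host": "FIN-DC01", "event_id": 4720,
     "user": "administrator", "target_user": "helpdesk_tmp"},
    # A legitimate admin creating an account hours after logging in: no alert.
    {"ts": "2019-05-01T11:30:00", "host": "FIN-WS07", "event_id": 4624,
     "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.15"},
    {"ts": "2019-05-01T13:45:00", "host": "FIN-WS07", "event_id": 4720,
     "user": "jsmith", "target_user": "intern01"},
    # Console logon (type 2), not RDP: outside the scope of this check.
    {"ts": "2019-05-01T14:00:00", "host": "FIN-WS03", "event_id": 4624,
     "logon_type": 2, "user": "admin", "src_ip": "-"},
    {"ts": "2019-05-01T14:00:02", "host": "FIN-WS03", "event_id": 4720,
     "user": "admin", "target_user": "localsvc"},
]


def find_fast_persistence(events, window_seconds=60):
    """Return alerts for 4720 events that occur within `window_seconds`
    of an RDP (type 10) 4624 by the same account on the same host.

    `window_seconds` is an assumed threshold, tuned for automated activity.
    """
    ordered = sorted(events, key=lambda e: e["ts"])
    last_rdp_logon = {}   # (host, user) -> (logon time, source IP)
    alerts = []
    for e in ordered:
        when = datetime.fromisoformat(e["ts"])
        key = (e["host"], e["user"])
        if e["event_id"] == EVENT_LOGON and e.get("logon_type") == RDP_LOGON_TYPE:
            last_rdp_logon[key] = (when, e.get("src_ip", "-"))
        elif e["event_id"] == EVENT_USER_CREATED and key in last_rdp_logon:
            logon_time, src_ip = last_rdp_logon[key]
            delta = (when - logon_time).total_seconds()
            if 0 <= delta <= window_seconds:
                alerts.append({
                    "host": e["host"],
                    "actor": e["user"],
                    "new_account": e["target_user"],
                    "seconds_after_logon": delta,
                    "logon_src_ip": src_ip,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_fast_persistence(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['actor']} created {alert['new_account']} "
              f"{alert['seconds_after_logon']:.0f}s after RDP logon from {alert['logon_src_ip']}")
```

On the constructed sample the check fires twice, both for the host where two accounts appear within ten seconds of a remote logon, and stays quiet for the administrator who created an account hours later and for the console logon. In a real deployment the same logic belongs in the SIEM or EDR rule engine, keyed on the real event fields, and would reasonably also watch event 4732 (member added to a local group) for the same window.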