We deployed a large collection of high-interaction deception servers in multiple cloud environments worldwide. Each deception machine is capable of capturing and recording attacks on various services. This infrastructure provides us with a tremendous amount of data: we get to see where attacks originate, which machines they connect back to, the ports and services attackers attempt to breach, the processes they initiate, and much more. Using this unique and comprehensive dataset, we explore attack patterns and model the behavior of the attackers.
In this talk, we will guide the audience through our analysis and present some interesting findings. For example, do attackers really change behavior after new vulnerabilities are disclosed? What is the lifetime of an attack machine or a command-and-control server? Do attackers bother staying persistent on victim machines? Using our results, we will provide a clearer picture of today’s data-center-oriented cyber attacks.