One of the characteristics of system security is that attackers do not need any special and/or expensive tools to perform the most powerful attacks. Brute force authentication attacks on Remote Desktop Protocol (RDP) can be automated and shared between malicious actors. However, when a human or an organization behind an automated attack shows more motivation, the danger increases as it is no longer an opportunistic “spraying and praying” strategy but rather a strategy that is closer to a targeted attack.
The objective of this study is to measure the level of human engagement behind the attacks targeting Remote Desktop Protocol (RDP). To do so, we launched high-interaction honeypots on the Internet. We collected and analyzed over 3.4 million connection attempts that supplied hashed credentials over a period of 3 months. With a success rate of over 95% in cracking these hashes, our team was able to identify different attack strategies.
The indicators of human intervention in the attacks will be presented and include (1) the number of attacks; (2) the use of credential leak lists; (3) the constant presence of the machine over the observation period; and (4) the use of several attacks per second. The indicators of machine-like behavior will also be presented and include (1) the presence of a pause before launching an attack; (2) an attack customized for its target; (3) a slowing down of the attack rhythm by imposing a delay between login attempts. An engagement score is given based on those indicators to visualize the level of human engagement behind attacks. Then, a Pearson correlation coefficient was computed to assess the linear relationship between automated attacks and the other variables associated with human and machine behaviors.
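The per-source indicators and the Pearson correlation described above, as an added example that is not code from the study: it assumes a constructed record format of (source IP, UTC timestamp, username), uses a username containing the honeypot's hostname as the stand-in for the "customized for its target" indicator, and leaves the engagement-score weighting out because the abstract does not give it.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of honeypot login records (source IP, UTC timestamp, username).
# Illustrative values only, not data from the study.
RECORDS = [
    ("203.0.113.5", "2020-01-01T10:00:00", "administrator"),
    ("203.0.113.5", "2020-01-01T10:00:00", "admin"),
    ("203.0.113.5", "2020-01-01T10:00:00", "user"),
    ("203.0.113.5", "2020-01-01T10:00:01", "test"),
    ("203.0.113.5", "2020-01-02T10:00:00", "admin"),
    ("203.0.113.5", "2020-01-03T10:00:00", "admin"),
    ("198.51.100.7", "2020-01-01T12:00:00", "administrator"),
    ("198.51.100.7", "2020-01-01T12:00:30", "honeypot-host"),
    ("198.51.100.7", "2020-01-01T12:01:00", "honeypot-host"),
    ("192.0.2.9", "2020-01-02T08:00:00", "admin"),
    ("192.0.2.9", "2020-01-02T08:00:00", "admin"),
]
OBSERVATION_DAYS = 3            # assumed length of the observation window
HOSTNAME = "honeypot-host"      # assumed honeypot machine name

def indicators(records=RECORDS, observation_days=OBSERVATION_DAYS, hostname=HOSTNAME):
    """Per-source indicators mirroring those listed in the abstract."""
    by_src = defaultdict(list)
    for src, ts, user in records:
        by_src[src].append((datetime.fromisoformat(ts), user))
    out = {}
    for src, events in by_src.items():
        events.sort()
        times = [t for t, _ in events]
        per_second = Counter(t.replace(microsecond=0) for t in times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[src] = {
            "attempts": len(times),                                   # number of attacks
            "max_per_second": max(per_second.values()),               # several attacks per second
            "presence": len({t.date() for t in times}) / observation_days,  # constant presence
            "median_delay": median(gaps) if gaps else 0.0,            # delay between attempts
            "customised": any(hostname.lower() in u.lower() for _, u in events),
        }
    return out

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs) ** 0.5
    sy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (sx * sy) if sx and sy else 0.0

def attempt_rate_correlation(ind=None):
    """Correlation between attack volume and burst rate across sources."""
    ind = ind or indicators()
    return pearson([i["attempts"] for i in ind.values()],
                   [i["max_per_second"] for i in ind.values()])
```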
Showing the series of actions conducted on exposed RDP systems gives us an eye-opening understanding of threat actors' strategies. Characterizing attackers brings us closer to revealing their identity. This will hopefully contribute to giving them cold feet, as they will have to change their practices. The ultimate objective of our work is to increase the cost for attackers, and knowing who they are and how they proceed is one step further in this direction.