Print Email Facebook Twitter Fingerprinting tooling used for SSH compromisation attempts Title Fingerprinting tooling used for SSH compromisation attempts Author Ghiette, V.D.H. (TU Delft Cyber Security) Griffioen, H.J. (TU Delft Cyber Security) Dörr, C. (TU Delft Cyber Security) Date 2019 Abstract In SSH brute forcing attacks, adversaries try a lot of different username and password combinations in order to compromise a system. As such activities are easily recognizable in log files, sophisticated adversaries distribute brute forcing attacks over a large number of origins. Effectively finding such distributed campaigns proves however to be a difficult problem. In practice, when adversaries would spread out brute-forcing over multiple sources, they would likely reuse the same kind of software across all of these origins to simplify their operation and reduce cost. This means if we are able to identify the tooling used in these attempts, we could cluster similar tool usage into likely collaborating hosts and thus campaigns. In this paper, we demonstrate that it is possible to utilize cipher suites and SSH version strings to generate a unique fingerprint for a brute-forcing tool used by the attacker. Based on a study using a large honeynet with over 4,500 hosts, which received approximately 35 million compromisation attempts over the period of one month, we are able to identify 49 tools from the collected data, which correspond to off-the-shelf tools, as well as custom implementations. The method is also able to fingerprint individual versions of tools, and by revealing mismatches between advertised and actually implemented features detect hosts that spoof identifying information. Based on the generated fingerprints, we are able to correlate login credentials to distinguish distributed campaigns. We uncovered specific adversarial behaviors, tactics and procedures, frequently exhibiting clear timing patterns and tight coordination. To reference this document use: http://resolver.tudelft.nl/uuid:1835b205-ccf9-4047-bbb8-0d88d347cd0e Publisher USENIX Association ISBN 978-193913307-6 Source RAID 2019 Proceedings: 22nd International Symposium on Research in Attacks, Intrusions and Defenses Event 22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2019, 2019-09-23 → 2019-09-25, Beijing, China Part of collection Institutional Repository Document type conference paper Rights © 2019 V.D.H. Ghiette, H.J. Griffioen, C. Dörr Files PDF raid2019_ghiette.pdf 900.16 KB Close viewer /islandora/object/uuid:1835b205-ccf9-4047-bbb8-0d88d347cd0e/datastream/OBJ/view