gosecure.ai (141.193.213.11)
Submitted URL: https://security.gosecure.net/NDgzLURKVC00NjgAAAGS89S196JN7efBvXNdmPr37c9YVDaQNeTrVlGLgMYlxBBIs3Ah7PFovLpYoKVy8UGpm-pljKU=
Effective URL: https://gosecure.ai/blog/2024/02/07/beyond-the-script-attackers-sleep-schedule-and-strategies-behind-automated-attac...
Submission: On May 08 via api from CA — Scanned from CA
Form analysis
4 forms found in the DOM
Text Content
Beyond the Script: Attacker's Sleep Schedule and Strategies Behind Automated Attacks
by Andréanne Bergeron | Feb 7, 2024

Examining the brute-forcing attack patterns on our Remote Desktop Protocol (RDP) honeypot systems reveals the discernible behavior of automated scripts. Yet, upon closer inspection of the temporal patterns associated with these attacks, subtle nuances indicative of human behavior begin to emerge.

We've accumulated a wealth of data from attempted logins on our exposed RDP honeypot over time. In a previous blog, we delved into the human presence revealed by these login attempts. Now, turning our focus to the temporal attack patterns proves highly insightful, as they unveil valuable information crucial for understanding the tactics employed by attackers.

To visually depict attack patterns, we generated calendar-style heatmaps. Each heatmap provides a comprehensive view of one IP address' activities throughout a month (July 2022). The Y-axis (vertical) corresponds to the day of the month, while the X-axis (horizontal) represents the hour of the day. Colors signify the attack frequency, with a unique legend for each attacker located on the right side of the graphic.

In the first scenario (see Graph 1), the activities exemplify the profile of a persistent attacker engaged in continuous, fully automated login attempts on our system. The attacks are persistent, rapid, and relentless. One can envision a compromised computer tirelessly executing tentative logins on the target. Interestingly, this pattern was somewhat rare within our dataset (0.8%), which brought other noteworthy attack behaviors to light.

Human Strategies in Attack Patterns

In the second scenario (see Graph 2), the attacks no longer arrive as a constant onslaught but instead present themselves in discernible blocks. Our working hypothesis suggests a distinctive approach by these attackers, involving the use of lists containing around 6,300 credentials. This strategy entails systematically testing each set of credentials for potential system entry. Upon completion of an automated attack list, the intervention of a human operator is necessary to initiate a new attack block, introducing a new set of credentials into the equation. Also, the irregular pauses observed, seemingly arbitrary in duration and sporadically dispersed throughout different periods of the day, point to the human operator's intermittent presence at the computer. These pauses, characterized by their randomness, introduce an additional layer of complexity to the attack pattern and represent approximately 14% of the behavior observed in our dataset.

Avoiding Detection and Weekend Patterns

Attackers often employ a strategic approach involving the deliberate insertion of delays between successive attacks. The purpose of this calculated tactic is to mitigate the risk of detection by security systems. This third scenario is exemplified below (see Graph 3), showcasing a pattern where each attack is strategically spaced apart by a couple of seconds. This pattern strongly suggests the implementation of an automated attack specifically programmed to incorporate intentional delays between each tentative login, enhancing its ability to evade security measures and operate with a deceptive resemblance to human interaction. The number of attackers imposing delays between login attempts represents 32% of our dataset.

What adds a compelling layer of intrigue to this example is the strategic placement of pauses during entire days. When scrutinizing the calendar for July 2022, it becomes evident that the pauses align with weekends. Two hypotheses emerge to elucidate this distinct attack pattern.

The first hypothesis concerns the "office-like" hours of attacks. There have been documented instances and allegations of state-sponsored cyber activities involving China. The Chinese government has been accused of engaging in cyber espionage and hacking campaigns targeting various entities, including other countries' government systems and organizations. These activities are believed to be carried out by different Chinese state-sponsored hacking groups. One prominent example is the involvement of groups like APT1, also known as Unit 61398, which has been linked to the Chinese military. Reports and analyses by cybersecurity firms and government agencies have detailed their alleged involvement in cyber espionage operations targeting a range of sectors and industries. Therefore, should the attackers indeed be federal employees adhering to regular office hours, their schedule would probably exhibit days off, mirroring typical weekends.

The second hypothesis posits that a computer has been infiltrated and is being utilized as a proxy for attacking the target. The owner of the compromised computer may be unaware of its compromise, unwittingly facilitating the hacker's activities. This scenario could involve an office computer systematically powered down on weekends.

Nighttime Patterns

There is a fourth scenario (see Graph 4 below) unveiling another intriguing pattern: an 8-hour block during which no attacks are initiated. Login attempts that were already under way might still be running, but there is a hole of 8 hours in which none are started. This observation is noted among 15% of attackers. Several hypotheses can be explored here. First, when a human intervention is required to initiate the block of attacks, a natural period of dormancy occurs. For instance, adherence to sleep cycles renders individuals unavailable during specific hours, resulting in an observable 8-hour hiatus. Beyond the sleep cycle, the 8-hour gap may also be indicative of a work cycle. Therefore, a second hypothesis suggests a scenario where the hacker initiates attacks while at home but abstains during legitimate employment hours, when they are away from home. A third and final hypothesis is that the hacker is using a compromised computer that is shut down at a specific time, beyond their control. However, this hypothesis is less compelling, as the 8-hour blocks are not constant every night.

Conclusion

The human touch in automated attacks is strikingly apparent. Even within the realm of heavy attackers, distinctly human behaviors emerge. The observed sample of attackers on the RDP honeypot reveals that their diverse strategies, from continuous assaults to deliberate pauses, reflect a nuanced understanding of the target. Notably, the alignment of attacks with weekends and sleep cycles hints at the attackers' daily lives. The deliberate imposition of delays between attacks serves to mimic human behavior, aiding in evading detection. It's essential to bear in mind that our adversary is human, not a machine.

Researchers: Here is the Code!

As a courtesy to the cybersecurity research community, we shared the code for the calendar heatmaps on our GitHub. We would like to thank Olivier Bilodeau for his help in generating the calendar heatmaps.
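The day-by-hour count matrix behind the calendar heatmaps, plus the signals the post reads off them (weekend pauses, the nightly 8-hour gap, a steady few-second delay between attempts), as an added Python example; this is not the GoSecure code shared on GitHub, the login-attempt timestamps are constructed for the example, and all function names are mine.

```python
"""Temporal profiling of RDP honeypot login attempts from one source IP.

Added example, not the GoSecure heatmap code. It builds the
day-of-month x hour-of-day matrix that a calendar heatmap plots, then
derives the patterns described in the post from that matrix.
"""
import calendar
from datetime import datetime, timedelta

YEAR, MONTH = 2022, 7  # the month shown in the post's heatmaps


def synth_attempts():
    """Constructed sample for one attacker IP: attempts every 5 seconds,
    08:00 to 23:59 UTC, Monday to Friday only (no weekend activity)."""
    attempts = []
    for day in range(1, calendar.monthrange(YEAR, MONTH)[1] + 1):
        if calendar.weekday(YEAR, MONTH, day) >= 5:  # 5 = Sat, 6 = Sun
            continue
        t = datetime(YEAR, MONTH, day, 8, 0, 0)
        end = datetime(YEAR, MONTH, day, 23, 59, 59)
        while t <= end:
            attempts.append(t)
            t += timedelta(seconds=5)
    return attempts


def heatmap(attempts):
    """day-of-month -> 24 hourly attempt counts (one calendar heatmap)."""
    grid = {d: [0] * 24 for d in range(1, calendar.monthrange(YEAR, MONTH)[1] + 1)}
    for t in attempts:
        grid[t.day][t.hour] += 1
    return grid


def render(grid):
    """Text rendering of the heatmap: one row per day, one char per hour."""
    return "\n".join(f"{d:02d} " + "".join("#" if n else "." for n in grid[d])
                     for d in sorted(grid))


def idle_days(grid):
    """Days of the month with no attempt at all."""
    return [d for d in sorted(grid) if not any(grid[d])]


def weekend_only_idle(grid):
    """True when every fully idle day is a Saturday or Sunday: the post's
    third scenario, where pauses align with weekends."""
    idle = idle_days(grid)
    return bool(idle) and all(calendar.weekday(YEAR, MONTH, d) >= 5 for d in idle)


def nightly_gaps(grid):
    """Idle hours between the last active hour of one day and the first
    active hour of the next, for consecutive active days only. A value
    that stays near 8 is the post's fourth scenario (sleep or work cycle)."""
    active = [d for d in sorted(grid) if any(grid[d])]
    gaps = []
    for a, b in zip(active, active[1:]):
        if b != a + 1:
            continue  # weekend or other multi-day pause, not a nightly gap
        last = max(h for h in range(24) if grid[a][h])
        first = min(h for h in range(24) if grid[b][h])
        gaps.append((23 - last) + first)
    return gaps


def median_delay_seconds(attempts):
    """Typical spacing between consecutive attempts. A steady value of a
    few seconds indicates scripted throttling rather than a burst."""
    deltas = sorted((b - a).total_seconds() for a, b in zip(attempts, attempts[1:]))
    return deltas[len(deltas) // 2] if deltas else None


def profile(attempts):
    """Summary of the signals discussed in the post for one attacker IP."""
    grid = heatmap(attempts)
    gaps = sorted(nightly_gaps(grid))
    return {
        "attempts": len(attempts),
        "idle_days": idle_days(grid),
        "weekend_pauses": weekend_only_idle(grid),
        "median_nightly_gap_h": gaps[len(gaps) // 2] if gaps else None,
        "median_delay_s": median_delay_seconds(attempts),
    }


if __name__ == "__main__":
    sample = synth_attempts()
    print(render(heatmap(sample)))
    print(profile(sample))
```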