A Qualitative Empirical Analysis of Human Post-Exploitation Behavior
Daniel Schneider, Daniel Fraunholz, Daniel Krohmer

TL;DR
This paper presents a low-cost honeypot framework that analyzes attacker behavior post-exploitation, revealing varied attacker reactions to defensive tactics through empirical deployment and qualitative analysis.
Contribution
It introduces a novel, easy-to-deploy honeypot framework and models attacker-defender interactions as a Bayesian game for qualitative analysis.
Findings
Attackers react differently to insults and blocked commands.
Some attackers ignore them, while others retaliate with insults.
Over 200 sessions provided insights into post-exploitation behavior.
Abstract
Honeypots are a well-studied defensive measure in network security. This work proposes an effective low-cost honeypot that is easy to deploy and maintain. The honeypot introduced in this work is able to handle commands in a non-standard way by blocking them or replying with an insult to the attacker. To determine the most efficient defense strategy, the interaction between attacker and defender is modeled as a Bayesian two-player game. For the empirical analysis, three honeypot instances were deployed, each with a slight variation in its configuration. In total, over 200 distinct sessions were captured, which allows for qualitative evaluation of post-exploitation behavior. The findings show that attackers react to insults and blocked commands in different ways, ranging from ignoring to sending insults themselves. The main contribution of this work lies in the proposed framework, which…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Information and Cyber Security
