Towards Data-Driven Characterization of Brute-Force Attackers

Brute-force login attempts are common for every host on the public Internet. While most of them can be discarded as low-threat attacks, targeted attack campaigns often use a dictionary-based brute-force attack to establish a foothold in the network. Therefore, it is important to characterize the attackers' behavior to prioritize defensive measures and react to new threats quickly. In this paper we present a set of metrics that can support threat hunters in characterizing brute-force login attempts. Based on connection metadata, timing information, and the attacker's dictionary these metrics can help to differentiate scans and to find common behavior across distinct IP addresses. We evaluated our novel metrics on a real-world data set of malicious login attempts collected by our honeypot Honeygrove. We highlight interesting metrics, show how clustering can be leveraged to reveal common behavior across IP addresses, and describe how selected metrics help to assess the threat level of attackers. Amongst others, we for example found strong indicators for collusion between ten otherwise unrelated IP addresses confirming that a clustering of the right metrics can help to reveal coordinated attacks.