Visible to the public Biblio

Filters: Author is Nikiforakis, Nick  [Clear All Filters]
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 
Barron, Timothy, Nikiforakis, Nick.  2017.  Picky Attackers: Quantifying the Role of System Properties on Intruder Behavior. Proceedings of the 33rd Annual Computer Security Applications Conference. :387–398.

Honeypots constitute an invaluable piece of technology that allows researchers and security practitioners to track the evolution of break-in techniques by attackers and discover new malicious IP addresses, hosts, and victims. Even though there has been a wealth of research where researchers deploy honeypots for a period of time and report on their findings, there is little work that attempts to understand how the underlying properties of a compromised system affect the actions of attackers. In this paper, we report on a four-month long study involving 102 medium-interaction honeypots where we vary a honeypot's location, difficulty of break-in, and population of files, observing how these differences elicit different behaviors from attackers. Moreover, we purposefully leak the credentials of dedicated, hard-to-brute-force, honeypots to hacking forums and paste-sites and monitor the actions of the incoming attackers. Among others, we find that, even though bots perform specific environment-agnostic actions, human attackers are affected by the underlying environment, e.g., executing more commands on honeypots with realistic files and folder structures. Based on our findings, we provide guidance for future honeypot deployments and motivate the need for having multiple intrusion-detection systems.

Kintis, Panagiotis, Miramirkhani, Najmeh, Lever, Charles, Chen, Yizheng, Romero-Gómez, Rosa, Pitropakis, Nikolaos, Nikiforakis, Nick, Antonakakis, Manos.  2017.  Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. :569–586.
Domain squatting is a common adversarial practice where attackers register domain names that are purposefully similar to popular domains. In this work, we study a specific type of domain squatting called "combosquatting," in which attackers register domains that combine a popular trademark with one or more phrases (e.g., betterfacebook[.]com, youtube-live[.]com). We perform the first large-scale, empirical study of combosquatting by analyzing more than 468 billion DNS records - collected from passive and active DNS data sources over almost six years. We find that almost 60% of abusive combosquatting domains live for more than 1,000 days, and even worse, we observe increased activity associated with combosquatting year over year. Moreover, we show that combosquatting is used to perform a spectrum of different types of abuse including phishing, social engineering, affiliate abuse, trademark abuse, and even advanced persistent threats. Our results suggest that combosquatting is a real problem that requires increased scrutiny by the security community.