We present the first large-scale characterization of attacker activity in compromised enterprise accounts, based on a dataset of 989 compromised accounts spanning 120 real-world enterprise organizations. Given the wealth of confidential and sensitive information that enterprise accounts can reach, malicious access to them can cause major damage. We develop a novel forensic technique for distinguishing attacker activity from benign activity in compromised enterprise accounts; it yields few false positives and enables fine-grained analysis. Applying this technique to the accounts in our dataset, we quantify how long attackers dwell in enterprise accounts, surface clues about the underground economy for such accounts, explore a potential vector of compromise, and identify what attackers use these accounts for. We find that attackers dwell in accounts for a long time, and that there appears to be a specialized market for these accounts in which one set of attackers compromises the accounts and another set uses them, possibly to extract monetary value. Taken together, our findings illuminate how attacker exploitation of enterprise accounts differs from that of personal accounts and suggest new defense strategies that organizations can adopt to address the current threat landscape.



