Time to Compromise Exposed Services

November 26, 2021 - Researchers from Palo Alto Networks set up 320 honeypots of various cloud services, including remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB), and Postgres database services, to collect and evaluate data on the various attack patterns.

The term honeypot refers to a security structure or mechanism built to lure attackers away from an organization's valuable assets. Honeypots are servers configured to appear as if they are running various software, serving as bait so that threat actors' tactics can be monitored. The following are key summary details of what the researchers found:

  1. 80% of the honeypots were compromised in under 24 hours. Prior reports by other entities measured time to compromise in days; here the general time to compromise is under a day.

  2. 85% of attacker IP addresses were observed on only a single day, so threat actors are unlikely to reuse the same IP for subsequent attacks.

  3. SSH honeypots were the most targeted, with a mean time to compromise of three hours and an SSH attack interval (i.e., the time between two consecutive attacks) of two hours.

  4. The Postgres database service was the second most popular target and had the worst (shortest) time to compromise, at just under 30 seconds.

The researchers recommend that organizations implement the following actions to reduce their risk profile:

  • Prevent privileged ports from being open.

  • Monitor/Audit all the open ports and exposed services.

  • Identify and correct misconfigurations automatically.

  • Utilize next-generation firewalls in front of the applications.
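As an added illustration of the "monitor/audit all open ports and exposed services" recommendation (example code written for this summary, not from the Palo Alto Networks report), the script below reads the text format of Linux `ss -tunl` output, picks out listeners on the four service ports the study covered, and flags any bound to every interface rather than loopback. The sample `ss` output is constructed; the port-to-service mapping and the wildcard address forms are assumptions about a typical Linux host.

```python
import re
from dataclasses import dataclass

# Ports of the services the honeypot study covered: SSH, SMB, RDP, Postgres.
WATCHED_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5432: "postgres"}

# Address forms `ss` prints for a socket bound to all interfaces (assumed).
WILDCARD = {"0.0.0.0", "*", "::"}

# Constructed sample of `ss -tunl` output, not a real capture.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*
tcp   LISTEN 0      128    [::]:3389           [::]:*
tcp   LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*
"""

@dataclass(frozen=True)
class Finding:
    proto: str
    address: str
    port: int
    service: str
    exposed: bool  # True when bound to all interfaces, i.e. reachable remotely

def parse_local_addr(field: str):
    """Split an ss 'Local Address:Port' field such as '[::]:3389' into (host, port)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)

def audit_listeners(ss_output: str):
    """Return one Finding per LISTEN socket whose port is in WATCHED_PORTS."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[1] != "LISTEN":   # skips header and UDP rows
            continue
        host, port = parse_local_addr(cols[4])
        if port in WATCHED_PORTS:
            findings.append(Finding(cols[0], host, port, WATCHED_PORTS[port],
                                    host in WILDCARD))
    return findings

def exposed_services(ss_output: str):
    """Sorted names of watched services bound to every interface."""
    return sorted(f.service for f in audit_listeners(ss_output) if f.exposed)

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print(f"{f.service:8} {f.address}:{f.port}  exposed={f.exposed}")
```

On a live host, feed the script the real `ss -tunl` output and treat every `exposed=True` line as a candidate for firewalling or rebinding to loopback.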