Have criminals developed a 9 to 5 mentality?
Five years ago, we were ready again. Sitting in SOC’s watching the 3d earth spinning around and eyeballing the incident feeds for red lines, something interesting happened: nothing. Some yellow threat feed lines. Nothing seemed bad. At Christmas Eve, we grew increasingly anxious. “For sure this year there’s a late Christmas rally, and we’re going to miss out on dinner!” Nothing continued to happen though. In the second week of January, fraud returned. Slowly but surely new campaigns started up. It was almost as if all the criminals had gone on a skiing holiday.
With the mainstream criminals becoming more “corporate” in their operations, could it be they adopted some counterproductive corporate traits too, like 9 to 5 mentalities? Today, we are looking at our CDC data to search for clues.
About the data
We are looking at anonymized alert data from a dozen of medium and large sized companies. These generate tens of thousands of “events” per day. Our CDC platform condenses those to alerts, which are then handled by analysts. We are looking at this alert data on a daily basis.
What we’re looking for
We are looking to answer three questions today:
- Do criminals enjoy downtime on the weekends?
- Does criminal activity decline during holiday seasons?
- Do criminals have a 9 to 5 mentality?
Criminal weekday activity
Consider a graph of aggregated alerts over the June 2017 period and let’s overlay the weekends to see if these spikes and dips coincide.
They seem to correlate but what about the nature of the data. Couldn’t it be said that since people don’t work on the weekends, they click less bad links, and visit less watering holes? Let’s remove threats which need victim interaction, and look solely at threats like network and application anomalies.
The correlation seems a bit less strong, but for sure we can see the spikes are on the weekdays and the dips are on the weekends. We checked it with the May numbers for the sample batch too. Here, we can see one interesting deviation:
The dips and the spikes correlate, except for a spike on the weekend of May 13th and 14th. I think you can guess what we’re looking at here: it’s, of course, the Wannacry worm. Worms, for sure, do not need human interaction to propagate. Looking across other months, there seems to be less threat activity on the weekends, and weekend spikes can explain it can be attributed to the events.
Criminal holiday activity
Let’s consider a graph of all alerts over a year for this data set. We are taking all event types into account again since we don’t discern between weekdays and weekend for these purposes.
Out of this graph, the mint green is representing malware incidents. The majority of malware is spread in criminal campaigns, so let’s zoom in on the malware incidents over the past ten months.
- After a leisurely July / August, September malware is on the rise again.
- A definite dip in winter / Christmas holidays for most of Europe and a bit farther east.
- This ransomware spike is caused by Wannacry.
- And in June 2017, the data shows another decline, even not taking Wannacry into account.
Attacks and office hours
As we can see, the majority of incidents take place during office hours. In fact, in this data set, it’s 59%. Early mornings and evenings there’s activity too. It’s safe to say there are fewer incidents at night.
- Our data supports criminal activity much less on the weekends. Furthermore, activity over the year declines in holiday months. Attacks happen mostly within business hours, and criminals don’t like to work at night; but, they do like to work in the evenings and early mornings. As the Myth Busters would say it, as it is circumstantial evidence, and we would call it plausible, for reasons of the chicken and egg nature in attack data (see 3).
- Furthermore, as of June of 2017, it is already showing a decline in activity, extrapolating and taking a wild stab in the dark. This might evolve to a quiet summer from a cyber-crime perspective. Bear in mind that the criminals are not the only ones causing misery on the internet; there are activists, spies, and nation states too. Some of those might up their ante over summer.
- This said, even when victim interactions are excluded from the data, criminals will have scripted their e-mail campaigns, and their infections to align with victim hours. It might not necessarily mean attackers don’t work on weekends or holidays. However, in attacks like the hybrid attack (which requires a criminal operator to take over hijacked sessions manually), there are criminal functions that need to adapt to victim time windows.As we see criminal organisations grow and become more organised, their proven 9 to 5 mentality with attack data seem to be a chicken and egg problem. The detectable events we see mostly during business hours. Historical trends suggest their organisations follow corporate timings. We’ll update this space if we can find more info.
- And on a final note, the people behind Wannacry don’t seem to exhibit the weekend mentality. If that makes them a nation state, it is up for debate…