arXiv: Ghost Without Shell: Measuring Non-Interactive SSH Attacks on Honeypots

This paper, published on arXiv, presents a novel measurement study of non-interactive SSH attacks against honeypots, which are decoy systems used to detect cyber threats. The research reveals that a significant volume of attacks do not involve interactive shell commands but instead rely on automated scripts to exploit vulnerabilities, steal credentials, or deploy malware without leaving typical interactive logs. This challenges existing detection methods that focus on interactive behavior, highlighting a blind spot in current cybersecurity monitoring.

Organizations across all sectors that rely on SSH for remote system administration are affected, particularly those in critical infrastructure, finance, healthcare, and cloud service providers. Compliance teams in these sectors must recognize that standard security controls, such as intrusion detection systems and log analysis tuned for interactive sessions, may miss these non-interactive threats. This gap could lead to undetected breaches and non-compliance with data protection and cybersecurity regulations like NIS2, DORA, or GDPR.

Compliance teams should immediately review their SSH monitoring and logging configurations to ensure they capture and analyze non-interactive session data, including automated key-based logins and scripted command execution. They should update their risk assessments to account for this attack vector and verify that incident response plans include procedures for detecting and responding to non-interactive threats. Finally, teams should engage with their security operations to test current detection capabilities against the attack patterns described in the paper.