close banner

Over the last year, the number of cyber threat actors using hands-on-keyboard attack techniques surged. 

And security researchers say this is part of a pivot. 

Attackers are looking for new ways to evade detection. Personally directing an attack in real-time is one of the methods.

Research: Hands On Keyboard Attacks 

A hands-on keyboard attack occurs after a breach when attackers are already inside your environment. A cybercriminal sits at a keyboard on one end of the operation, and your compromised network sits on the other end of this technique.

The threat actor types keystrokes and commands to move laterally across your network, looking for critical data, jumping between accounts, and elevating privileges.

Crowdtrike’s 2022 Global Threat Report reveals the recent increase:

“CrowdStrike has observed that 62% of attacks comprise non-malware, hands-on-keyboard activity. As adversaries advance their tradecraft in this manner to bypass legacy security solutions, autonomous machine learning alone is not good enough to stop dedicated attackers.”

We can call this a motivated movement by attackers to evade detection because most tools cannot detect this activity.

Detecting On-Keyboard Attacks

Attackers are targeting more organizations in more industry verticals with this method. And this dramatically increases the risk of a successful cyberattack.

Dr. Andrew Fast, Chief Data Scientist at LiveAction, discussed the threat during a recent webinar.

“Keystroke detection is critical for detecting hands on a keyboard. Some of the latest ransomware attacks involve a human in the loop. This means a threat actor is somewhere, behind a keyboard, exploring the network, locking things down for ransomware and the exploitation there.” — Dr. Andrew Fast, Chief Data Scientist, LiveAction

During Detecting Advanced Threats with Encrypted Traffic Analysis, Fast explains how his team developed a Network Detection and Response platform to uncover this threat. As you see here, it combines long-term behavior baselines with streaming Machine Learning to correlate complex events.


“Our keystroke detection uses a unique combination of packet dynamics, looking at the keystroke. Especially if you’re using a shell or a terminal, those keystrokes might be echoed back so you might type a character, and then that character is reflected back on the screen,” says Fast.

“So you see that interaction, which is very characteristic of a keyboard. And this works in protocols like RDP, SSH, and HTTPS. You can look at the keystrokes and understand what’s going on.”

And he adds that with ThreatEye, enriched, high-fidelity alerts guide response so your SOC can disrupt a live attack on the network.

How do these cyberattacks start?

If attackers need access before they implement a hands-on keyboard strategy, how are they compromising networks in the first place? 

From the Global Threat Report: 

“Nearly 80% of cyberattacks leverage identity-based attacks to compromise legitimate credentials and use techniques like lateral movement to quickly evade detection.”

This popular attacker approach means you need a way to detect malicious activity. And detection must occur even within encryption, even if it is coming from a trusted device or end-user. Those trusted credentials may become compromised at any moment.

ThreatEye utilizes Encrypted Traffic Analysis to detect all of these things, even if a hacker sitting behind a keyboard personally directs the attack.