) tra ffi c lights smart grid Honeypots in ICS Environments space station steel mill ( power plant supertanker death star gas pipeline sewage plant wind turbine
) cypherpunk chaotic neutral privacy activist researcher DI Daniel Haslinger, BSc. developer IT Security Researcher honeynet ( project Institute of IT Security Research St. Poelten University of Applied Sciences member The Honeynet Project Norwegian “honeynor” chapter
2014: HAVEX 1999: Gazprom 2012: Flame 2008: Lodz 2006: Browns Ferry (published) ICS vulnerabilities are on the rise 2010: Stuxnet 2011: DUQU 2013: Shamoon 2000: Maroochy Shire
No of published vulnerabilities found on the web 160 120 80 40 2009 2010 2011 2012 2013 2014
Intrusion Detection Systems Data Loss Prevention Gateways L7 Firewalls Signature Based Detection Mechanisms ( Fuzzy Detection Mechanisms
HONEY POTS “gathering needles since 1998”
Valuable Intelligence: WHO is attacking us? WHAT is the attacker trying to achieve? HOW is the actual attack carried out?
) laos poland japan north korea russia “Who’s really attacking your ICS Equipment” china united states published 2013, trend labs brazil vietnam ( great britain chile
Advantages of Honeypots (in general) Small Data Sets you only need to analyze data that matters… Reduced False Positives what you see is what you … got Catching False Negatives to measure the performance of conventional security techniques
Pros & Cons of Honeypots (in general) Crypto aware the honeypot is the endpoint IPv6 aware the final frontier Flexible & cheap most solutions run on commodity hardware
Pros & Cons of Honeypots (in general) Risk may be involved especially if you use high interaction honeypots Limited field of view you do not see the whole picture Not a real security solution to count on after all, you still need conventional security
Products & Solutions CIAG SCADA Honeynet scadahoneynet.sourceforge.net telnet, ftp, modbus, http very minimal interaction, but profits from honeyd (network, os decept.) ~ 2004 - 2005 SHaPe C-based low interaction module for Dionaea IEC61850
Products & Solutions Digital Bond SCADA Honeynet Honeywall based approach based on SNORT works with emulated and real hardware will not work properly with encrypted protocols General Purpose Honeypots (ENISA, 2012) Amun, Dionaea, KFsensor, Honeyd, Honeytrap, nepenthes, Tiny Honeypot, …
Products & Solutions Conpot developed from scratch based on python Modbus, HTTP, SNMP, S7comm, Kamstrup Hybrid Interaction through request forwarding Central Databus all across the protocols TAXII*, HPfriends, SQL, Syslog No OS deception stack (yet) Still under heavy development * DHS
Deployment Strategies Thick Deployments Every entity contains the whole logic Global high interaction honeypot? - shipping, customs and hardware costs Individual maintenance involved Entity operator has physical access to your data
Deployment Strategies Thin Deployments A central server spawns instances of honeypots Each instance serves one “honey tra ffi c reflector” Little to no hardware costs on the receiving site Tra ffi c is forwarded without the loss of vital information Logs and logic always stay in your hands
Deployment Strategies Thin Deployments 192.92.13.5 72.23.4.1 10.0.0.z 10.0.0.y openVPN HP 10.0.0.x 10.0.0.1 BACKEND
Deployment Strategies Thin Deployments 192.92.13.5 72.23.4.1 10.0.0.z 10.0.0.y POOH openVPN HP 10.0.0.x 10.0.0.1 BACKEND
Deployment Strategies Thin Deployments 192.92.13.5 72.23.4.1 10.0.0.z 10.0.0.y POOH openVPN HP 10.0.0.x 10.0.0.1 BACKEND
Deployment Strategies Thin Deployments 192.92.13.5 72.23.4.1 10.0.0.z 10.0.0.y POOH openVPN HP 10.0.0.x 10.0.0.1 BACKEND
Deployment Strategies Thin Deployments 192.92.13.5 72.23.4.1 10.0.0.z 10.0.0.y POOH openVPN HP 10.0.0.x 10.0.0.1 BACKEND DNAT
Deployment Strategies Thin Deployments 192.92.13.5 72.23.4.1 10.0.0.z 10.0.0.y POOH openVPN HP 10.0.0.x 10.0.0.1 BACKEND
Deployment Strategies Thin Deployments 192.92.13.5 72.23.4.1 10.0.0.z 10.0.0.y POOH openVPN HP 10.0.0.x 10.0.0.1 BACKEND LOG & RESPOND
Deployment Strategies Thin Deployments 192.92.13.5 72.23.4.1 10.0.0.z 10.0.0.y POOH openVPN HP 10.0.0.x 10.0.0.1 BACKEND
Deployment Strategies Thin Deployments 192.92.13.5 72.23.4.1 10.0.0.z 10.0.0.y POOH openVPN HP 10.0.0.x 10.0.0.1 BACKEND SNAT
Deployment Strategies Thin Deployments 192.92.13.5 72.23.4.1 10.0.0.z 10.0.0.y POOH openVPN HP 10.0.0.x 10.0.0.1 BACKEND
Lessons learned Sifting through aggregated data is serious work Creating good templates is a work for perfectionists Don’t be overly attached to your CC OS deception is a MUST
Recommend
More recommend