Traffic lights, smart grid, … Honeypots in ICS Environments (PowerPoint PPT presentation)


  1. Honeypots in ICS Environments (traffic lights, smart grid, space station, steel mill, power plant, supertanker, death star, gas pipeline, sewage plant, wind turbine)

  2. Cypherpunk, chaotic neutral, privacy activist, researcher: DI Daniel Haslinger, BSc. Developer and IT Security Researcher, Institute of IT Security Research, St. Poelten University of Applied Sciences; member of The Honeynet Project, Norwegian “honeynor” chapter

  3. (Published) ICS vulnerabilities are on the rise. Timeline: 1999: Gazprom; 2000: Maroochy Shire; 2006: Browns Ferry; 2008: Lodz; 2010: Stuxnet; 2011: DUQU; 2012: Flame; 2013: Shamoon; 2014: HAVEX

  4. Chart: number of published vulnerabilities found on the web per year, 2009 to 2014 (y-axis 0 to 160)

  5. Intrusion Detection Systems, Data Loss Prevention Gateways, L7 Firewalls: signature-based detection mechanisms; fuzzy detection mechanisms

  6. HONEYPOTS: “gathering needles since 1998”

  7. Valuable Intelligence: WHO is attacking us? WHAT is the attacker trying to achieve? HOW is the actual attack carried out?

  8. “Who’s really attacking your ICS Equipment” (Trend Labs, published 2013). World map highlighting: laos, poland, japan, north korea, russia, china, united states, brazil, vietnam, great britain, chile

  9. Advantages of Honeypots (in general): Small data sets (you only need to analyze data that matters…); Reduced false positives (what you see is what you … got); Catching false negatives (to measure the performance of conventional security techniques)

  10. Pros & Cons of Honeypots (in general), pros: Crypto aware (the honeypot is the endpoint); IPv6 aware (the final frontier); Flexible & cheap (most solutions run on commodity hardware)

  11. Pros & Cons of Honeypots (in general), cons: Risk may be involved (especially if you use high-interaction honeypots); Limited field of view (you do not see the whole picture); Not a real security solution to count on (after all, you still need conventional security)

  12. Products & Solutions: CIAG SCADA Honeynet (scadahoneynet.sourceforge.net): telnet, ftp, modbus, http; very minimal interaction, but profits from honeyd (network and OS deception); ~2004-2005. SHaPe: C-based low-interaction module for Dionaea, IEC 61850

  13. Products & Solutions: Digital Bond SCADA Honeynet: Honeywall-based approach based on SNORT; works with emulated and real hardware; will not work properly with encrypted protocols. General-purpose honeypots (ENISA, 2012): Amun, Dionaea, KFsensor, Honeyd, Honeytrap, nepenthes, Tiny Honeypot, …

  14. Products & Solutions: Conpot: developed from scratch, based on Python; Modbus, HTTP, SNMP, S7comm, Kamstrup; hybrid interaction through request forwarding; central databus across all protocols; output to TAXII* (* DHS), HPfriends, SQL, Syslog; no OS deception stack (yet); still under heavy development

  15. Deployment Strategies, Thick Deployments: every entity contains the whole logic; a global high-interaction honeypot? (shipping, customs and hardware costs); individual maintenance involved; the entity operator has physical access to your data

  16. Deployment Strategies, Thin Deployments: a central server spawns instances of honeypots; each instance serves one “honey traffic reflector”; little to no hardware costs on the receiving site; traffic is forwarded without the loss of vital information; logs and logic always stay in your hands

  17. Deployment Strategies, Thin Deployments (one diagram, built up step by step over slides 17 to 26): public addresses 192.92.13.5 and 72.23.4.1; openVPN tunnel addresses 10.0.0.x (HP), 10.0.0.y, 10.0.0.z; POOH; BACKEND 10.0.0.1. Steps highlighted in the animation: DNAT (slide 21), LOG & RESPOND (slide 23), SNAT (slide 25)
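The thin deployment of slides 16 to 26 boils down to a reflector that DNATs inbound traffic through the OpenVPN tunnel to the backend honeypot, which logs and responds, with the reply path handled on the way back. As an added example, not code from the talk or from any project it names, the script below generates the iptables rules for such a reflector. The topology is constructed from the slides' addresses with assumptions filled in: public interface eth0, tunnel interface tun0, reflector tunnel address 10.0.0.5 (standing in for the slides' 10.0.0.x), backend 10.0.0.1, and the Conpot protocol ports from slide 14 as the reflected services.

```shell
#!/bin/sh
# Added example (not from the talk): iptables rules for a "honey traffic reflector".
# Assumed, constructed topology: public interface eth0, OpenVPN tunnel tun0,
# reflector tunnel address 10.0.0.5 (the slides' 10.0.0.x), backend honeypot 10.0.0.1.
# Reflected ports are the Conpot protocols from slide 14 (Modbus, S7comm, HTTP, SNMP).

PUB_IF="${PUB_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
REFLECTOR_VPN_IP="${REFLECTOR_VPN_IP:-10.0.0.5}"
BACKEND_IP="${BACKEND_IP:-10.0.0.1}"
# "proto:port" pairs to reflect (constructed list).
PORTS="${PORTS:-tcp:502 tcp:102 tcp:80 udp:161}"
# 1 = keep the attacker's source address (the backend must route replies back via the
#     tunnel, e.g. with a policy route per tunnel), which is what "forwarded without the
#     loss of vital information" needs.
# 0 = SNAT to the tunnel address so the backend needs no special routing; the backend then
#     sees only the reflector's address, so the original source is logged on the reflector.
PRESERVE_SOURCE="${PRESERVE_SOURCE:-1}"

# Emit the rule set, one command per line, without touching the running firewall.
reflector_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    for entry in $PORTS; do
        proto=${entry%%:*}
        port=${entry##*:}
        # Slide 21, DNAT: rewrite the destination to the backend honeypot over the tunnel.
        echo "iptables -t nat -A PREROUTING -i $PUB_IF -p $proto --dport $port -j DNAT --to-destination $BACKEND_IP:$port"
        # Record every new reflected connection locally, so the origin is known even with SNAT.
        echo "iptables -A FORWARD -i $PUB_IF -o $VPN_IF -d $BACKEND_IP -p $proto --dport $port -m conntrack --ctstate NEW -j LOG --log-prefix \"honey-reflect $proto/$port: \""
        echo "iptables -A FORWARD -i $PUB_IF -o $VPN_IF -d $BACKEND_IP -p $proto --dport $port -j ACCEPT"
    done
    # Slides 23 and 25: the backend logs and responds; conntrack reverses the NAT on the
    # reply. Only traffic belonging to a reflected connection may leave the tunnel.
    echo "iptables -A FORWARD -i $VPN_IF -o $PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ "$PRESERVE_SOURCE" != "1" ]; then
        echo "iptables -t nat -A POSTROUTING -o $VPN_IF -d $BACKEND_IP -j SNAT --to-source $REFLECTOR_VPN_IP"
    fi
    # The reflector forwards nothing else.
    echo "iptables -P FORWARD DROP"
}

# Number of generated commands; a cheap sanity check before applying.
rule_count() {
    reflector_rules | wc -l | tr -d ' '
}

# Apply only when APPLY=1 is set explicitly; the default is a dry run that prints the plan.
apply_reflector_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        reflector_rules | while IFS= read -r cmd; do
            sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        done
    else
        reflector_rules
    fi
}
```

Run it as `APPLY=0 sh reflector.sh` on the reflector host to review the rules first; the LOG target writes each new reflected connection to the kernel log, which is the copy of "who" that stays with you even if the backend only ever sees tunnel addresses.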

  27. Lessons learned: sifting through aggregated data is serious work; creating good templates is work for perfectionists; don’t be overly attached to your CC; OS deception is a MUST
