towards high interaction virtual ics honeypots in a box
play

Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A - PowerPoint PPT Presentation

Jul 22, 2023 •658 likes •922 views

CPS-SPC 16 @ Vienna AU Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O. T IPPENHAUER daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box 1 Overview In this

  1. CPS-SPC 16 @ Vienna AU Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O. T IPPENHAUER daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box 1

  2. Overview In this work we: • Present the design of a realistic ICS honeypot ◮ Satisfying traditional, and ICS requirements ◮ That is high-interaction, virtualized and low-cost • Show an implementation of such a design ◮ Targeting ICS based on Ethernet/IP ◮ High-interaction without full virtualization ◮ Compatible with Software-Defined Networking • Discuss its evaluation ◮ S3’s Capture-The-Flag (CTF) for ICS daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Abstract 2

  3. Industrial Control Systems (ICS) • Industrial Control Systems (ICS) ◮ Connected devices, managing an industrial process ◮ Control and monitor: PLC, SCADA, HMI ◮ Physical: sensors, actuators ◮ Cyber: switches, routers, gateways • ICS security is a major challenge ◮ Internet-facing control networks ◮ Cyber and physical attacker surface ◮ Legacy-code, uncertified devices daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Motivation 3

  4. Real Water Treatment ICS SCADA Historian VPN/Gateway HMI HMI HMI Internet Switch L1 Network Process 1 Process 2 Process n PLC PLC PLC PLC PLC PLC ... PLC1a PLC1b PLC2a PLC2b PLCna PLCnb L0 Network L0 Network L0 Network Remote IO Remote IO Remote IO ... RIO RIO RIO Sensor Sensor Sensor 42.42 42.42 42.42 Actuators Sensors Actuators Sensors Actuators Sensors daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Motivation 4

  5. Real Water Treatment ICS SCADA Historian Attacker VPN/Gateway HMI HMI HMI Internet Switch L1 Network Process 1 Process 2 Process n PLC PLC PLC PLC PLC PLC ... PLC1a PLC1b PLC2a PLC2b PLCna PLCnb L0 Network L0 Network L0 Network Remote IO Remote IO Remote IO ... RIO RIO RIO Sensor Sensor Sensor 42.42 42.42 42.42 Actuators Sensors Actuators Sensors Actuators Sensors daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Motivation 4

  6. Our Idea: ICS Honeypots Attacker Internet SCADA Historian VPN/Gateway HMI HMI HMI Switch L1 Network Process 1 Process 2 Process n PLC PLC PLC PLC PLC PLC ... PLC2a PLC2b PLCna PLCnb PLC1a PLC1b L0 Network L0 Network Remote IO L0 Network Remote IO Remote IO ... RIO RIO RIO Sensor Sensor Sensor 42.42 42.42 42.42 Actuators Sensors Actuators Sensors Actuators Sensors daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Motivation 5

  7. ICS Honeypots: Introduction • Systems intended be probed, attacked, and compromised ◮ Lures the attacker impersonating an ICS ◮ Stop, or slow-down the attack ◮ Study attacker’s behaviours • Classifications ◮ Infrastructure: real vs. virtual (vs. hybrid) ◮ Realism: low-interaction vs. high-interaction ◮ Role: client vs. server ◮ Usage: research vs. production daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Motivation 6

  8. Our Honeypot: Attacker Model • Assumptions ◮ Honeypot reached over the Internet ◮ Vulnerable interface determines the attacker surface • Capabilities ◮ Fingerprinting: addresses, ports, protocol ◮ Protocols: knowledge of all protocols used in system ◮ Physical system: limited knowledge of process and devices • Interactions ◮ Denial-of-Service: flood the network ◮ Man-in-the-Middle: passive and active ◮ Device impersonation: valid and malformed packets ◮ Sabotage: trigger actions through malicious commands daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Motivation 7

  9. Our Honeypot: Requirements • High-interaction ICS honeypot ◮ Simulate the physical process ◮ Simulate the ICS devices: control logic, services ◮ Emulate the network infrastructure • Low-cost ◮ Reconfigurable ◮ Scales • ICS requirements ◮ Time : completion of tasks, and delivery of packets ◮ Determinism : schedule of tasks, and order of packets daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Motivation 8

  10. Simple Design Approach • How about an OpenPLC 1 indexed on shodan.io ? ◮ Classification: real, low-interaction, server ◮ Pros: low-cost, configuration ◮ Cons: realism, scale Attacker Internet 1 http://www.openplcproject.com/ daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Design 9

  11. Our Honeypot: Design Choices • Virtual and high-interaction : ◮ Simulation of physical process and ICS devices ◮ Lightweight network emulation ◮ Runs in-a-Box (with SDN support) • ICS requirements ◮ Time: real-time emulation, and simulation ◮ Determinism: scriptable environment Attacker SCADA Historian HMI VPN/Gateway HMI HMI Internet Switch L1 Network Process 1 Process 2 Process n PLC PLC PLC PLC PLC PLC ... PLC1a PLC1b PLC2a PLC2b PLCna PLCnb L0 Network L0 Network Remote IO L0 Network Remote IO ... Remote IO RIO RIO RIO Sensor Sensor Sensor 42.42 42.42 42.42 Actuators Sensors Actuators Sensors Actuators Sensors daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Design 10

  12. Our Honeypot: Architecture High-Interaction virtual honeypot Simulated PLC VPN PLC SI S Physical Device Process Emulated SSH Simulation network T elnet Gateway Simulated HMI Internet Real ICS/SCADA system PLC Attacker VPN Gateway PLC Device Physical ICS Process network SSH T elnet Gateway HMI Proposed Honeypot (top) vs. Real ICS (bottom). daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Design 11

  13. MiniCPS Framework [CPS-SPC 15] Network Component Component Logic Logic Physical Layer API Physical Layer Simulation "MiniCPS: A toolkit for security research on CPS Networks." https://github.com/scy-phy/minicps (C)yber → Network Emulator (P)hysical → Physical Layer Simulation and API (S)ystem → Devices Simulation daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Implementation 12

  14. MiniCPS Framework [CPS-SPC 15] Network Component Component Logic Logic Physical Layer API Physical Layer Simulation "MiniCPS: A toolkit for security research on CPS Networks." https://github.com/scy-phy/minicps (C)yber → Network Emulator (P)hysical → Physical Layer Simulation and API (S)ystem → Devices Simulation daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Implementation 12

  15. Honeypot Implementation High-Interaction virtual honeypot EtherNet/IP HMI 192.168.1.100 VPN VPN PLC1 Device 192.168.1.10 192.168.1.76 Physical Physical PLC2 Switch Process 192.168.1.20 Layer Internet Internet Simulation API PLC3 192.168.1.30 Attacker Attacker SSH SSH T T elnet elnet PLC4 192.168.1.40 Gateway 192.168.1.77 SDN Controller Network Component Component Logic Logic Physical Layer API Physical Layer Simulation daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Implementation 13

  16. Honeypot Implementation High-Interaction virtual honeypot EtherNet/IP HMI 192.168.1.100 VPN VPN PLC1 Device 192.168.1.10 192.168.1.76 Physical Physical PLC2 Switch Process Layer 192.168.1.20 Internet Internet Simulation API PLC3 192.168.1.30 Attacker Attacker SSH SSH T T elnet elnet PLC4 192.168.1.40 Gateway 192.168.1.77 SDN Controller Component Logic Physical Layer Physical Layer Simulation Network API Component Logic daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Implementation 13

  17. Realistic Attack Propagation High-Interaction virtual honeypot EtherNet/IP HMI 192.168.1.100 VPN VPN PLC1 Device 192.168.1.10 192.168.1.76 Physical Physical Switch PLC2 Process Layer 192.168.1.20 Internet Internet Simulation API PLC3 192.168.1.30 Attacker Attacker PLC4 192.168.1.40 SDN Controller Attack propagates over the simulated components daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Implementation 14

  18. PLC Implementation • Allen-Bradley ControlLogix ◮ Same IP , MAC, and netmask ◮ Simulated control logic (modifiable in real-time) ◮ Ethernet/IP server on port 44818, and client ◮ Same monitoring Webserver daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Implementation 15

  19. Network Gateway Device Implementation • Moxa OnCell IP gateway ◮ Eg: provide IP over 3G connection ◮ SSH server with default credentials ◮ Telnet server with default credentials (plaintext authentication) • Virtual implementation ◮ Same IP , MAC, and netmask ◮ sshd on port 22 with default credentials ◮ telnetd on port 23 with default credentials ◮ Attacker gets a (chrooted) shell daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box Implementation 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Honeypot technologies 2006 First Conference / tutorial Junes 2006

Honeypot technologies 2006 First Conference / tutorial Junes 2006

Honeypot technologies 2006 First Conference / tutorial Junes 2006 {Franck.Veysset,Laurent.Butti}@orange-ft.com D1 -June 2006 Agenda s Origins and background s Different kinds of honeypot Q High interaction honeypots Q Low interaction honeypots

1.5k views • 112 slides
Bitter Harvest: S ystematically Fingerprinting Low- and Medium- interaction Honeypots at

Bitter Harvest: S ystematically Fingerprinting Low- and Medium- interaction Honeypots at

Bitter Harvest: S ystematically Fingerprinting Low- and Medium- interaction Honeypots at Internet S cale Alexander Vet t erl and Richard Clayt on University of Cambridge 12th USENIX Workshop on Offensive Technologies August 13-14, 2018

481 views • 21 slides
We know where you live Systematically Fingerprinting Low- and Medium-interaction Honeypots at

We know where you live Systematically Fingerprinting Low- and Medium-interaction Honeypots at

We know where you live Systematically Fingerprinting Low- and Medium-interaction Honeypots at Internet Scale Alexander Vetterl University of Cambridge alexander.vetterl@cl.cam.ac.uk Introduction Honeypot s: A resource whose value is

477 views • 19 slides
A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande

A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande

Honeypots architecture Security Properties Statistical results Conclusion A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande C. Toinard LIFO Universit dOrlans ENSI de Bourges SHPCS08,

401 views • 19 slides
Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Overview Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots What can you do with them? Claire OShea Problems with honeypots COMP 290 Spring 2005 Overview Motivation Examples of

645 views • 15 slides
Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin Neumann University of Connecticut The role of the honeypot The limitations Low-interaction honeypots: "Artificial" attack surface

846 views • 13 slides
Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and Collin Mulliner Security in Telecommunications Technische Universit at Berlin, Germany { steffen,mlange } @sec.t-labs.tu-berlin.de Northeastern

713 views • 11 slides
Visualization and Interaction Visualization and Interaction 4.1 Introduction and motivation 4.2

Visualization and Interaction Visualization and Interaction 4.1 Introduction and motivation 4.2

Visualization and Interaction Visualization and Interaction 4.1 Introduction and motivation 4.2 Fundamentals interactive computer graphics viewing in 3D virtual reality (VR) augmented reality (AR) haptic feedback 4.3 Application Virtual

676 views • 46 slides
VR/AR research Mark Miller, Virtual Human Interaction Lab, Stanford For CS 11SI: How to Make VR

VR/AR research Mark Miller, Virtual Human Interaction Lab, Stanford For CS 11SI: How to Make VR

VR/AR research Mark Miller, Virtual Human Interaction Lab, Stanford For CS 11SI: How to Make VR Quick background on me, AR/VR, & this talk Currently a third-year PhD student in the Virtual Human Interaction Lab led by Jeremy Bailenson

347 views • 33 slides
Collaborative Virtual Environments M2R Interaction / Universit Paris-Sud / 2015-2016 Cdric

Collaborative Virtual Environments M2R Interaction / Universit Paris-Sud / 2015-2016 Cdric

Groupware and Collaborative Interaction Collaborative Virtual Environments M2R Interaction / Universit Paris-Sud / 2015-2016 Cdric Fleury (cedric.fleury@lri.fr) Outline Virtual Reality Collaboration in Virtual Reality Awareness

798 views • 62 slides
Bimanual Haptic Interaction with Virtual Environments Anthony Talvas INSA, IRISA and Inria Rennes

Bimanual Haptic Interaction with Virtual Environments Anthony Talvas INSA, IRISA and Inria Rennes

Bimanual Haptic Interaction with Virtual Environments Anthony Talvas INSA, IRISA and Inria Rennes Hybrid Team Advisors: Maud Marchal Anatole Lcuyer Virtual Reality and Haptics Virtual Reality (VR) : Immersion of a user in a Virtual

706 views • 45 slides
INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS JOSH PYORRE Security Researcher Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre HONEYPOTS CURRENTLY IN USE

1.25k views • 96 slides
Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha vardhan Rajendran () Honeypots April 22, 2012 1 / 28 Outline Introduction 1 History 2 Types of honeypots 3 Deception techniques using Honeypots

632 views • 61 slides
Outline Virtual Reality Collaboration in Virtual Reality Groupware and Collaborative

Outline Virtual Reality Collaboration in Virtual Reality Groupware and Collaborative

05/12/2013 Outline Virtual Reality Collaboration in Virtual Reality Groupware and Collaborative Interaction Awareness Collaborative Virtual Environments Communication Collaborative Interaction Navigation

340 views • 11 slides
Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project & Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers & Co- author, Know Your Enemy ! Work

676 views • 52 slides
Specimen Box: A Tangible Interaction Technique for World-Fixed Virtual Reality Displays Regis

Specimen Box: A Tangible Interaction Technique for World-Fixed Virtual Reality Displays Regis

Specimen Box: A Tangible Interaction Technique for World-Fixed Virtual Reality Displays Regis Kopper David J. Zielinski Derek Nankivil Dept. of Mechanical Engineering Duke immersive Virtual Environment Dept. of Biomedical Engineering and

596 views • 25 slides
Using Honeypots for Security Operations Jim Barlow <jbarlow@ncsa.uiuc.edu> Head of

Using Honeypots for Security Operations Jim Barlow <jbarlow@ncsa.uiuc.edu> Head of

Using Honeypots for Security Operations Jim Barlow <jbarlow@ncsa.uiuc.edu> Head of Security Operations and Incident Response National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign National

229 views • 20 slides
HoneySAP Who really wants your money? M ARTIN G ALLO M ARCH 2015 P A G E AGENDA SAP SAP

HoneySAP Who really wants your money? M ARTIN G ALLO M ARCH 2015 P A G E AGENDA SAP SAP

HoneySAP Who really wants your money? M ARTIN G ALLO M ARCH 2015 P A G E AGENDA SAP SAP security Threat landscape Have Needs Honeypots HoneySAP Approach Goal Design Architecture Services Integration Example profiles Demo

748 views • 45 slides
Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of

Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of

Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Joint work with: Tanja Lange Technische Universiteit Eindhoven Memories of graduate school Early 1990s,

768 views • 40 slides
Counting Outdated Honeypots: Legal and Useful Alexander Vetterl * , Richard Clayton * and Ian

Counting Outdated Honeypots: Legal and Useful Alexander Vetterl * , Richard Clayton * and Ian

Counting Outdated Honeypots: Legal and Useful Alexander Vetterl * , Richard Clayton * and Ian Walden *University of Cambridge, Queen Mary University of London 4th International Workshop on Traffic Measurements for Cybersecurity May 23,

423 views • 17 slides
Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by

Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by

Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by Nunzio Cicone and Hans-Peter Hllwirth Setting Password Attacks Passwords are a notoriously weak authentication mechanism One significant

422 views • 20 slides
Honey, There is a Python in My Android Phone Ing Wei, Tang (James) About the Title: It was

Honey, There is a Python in My Android Phone Ing Wei, Tang (James) About the Title: It was

Honey, There is a Python in My Android Phone Ing Wei, Tang (James) About the Title: It was taken from: Honey, I have shrunk the kids! (1989) Source: https://en.wikipedia.org/wiki/Honey,_I_Shrunk _the_Kids Android Phone vs 486-DX4

539 views • 31 slides
321 Section, Week 2 Natalie Linnell All lions are fierce Discussion Some lions do not drink

321 Section, Week 2 Natalie Linnell All lions are fierce Discussion Some lions do not drink

321 Section, Week 2 Natalie Linnell All lions are fierce Discussion Some lions do not drink coffee Some fierce creatures do not drink coffee Translate into logic (provide defs for predicates) All lions are fierce All lions are fierce

300 views • 3 slides
Copies of the OSBA Profit and Loss Report and Balance Sheet are provided at the OSBA Table, as

Copies of the OSBA Profit and Loss Report and Balance Sheet are provided at the OSBA Table, as

Slide 1 OSBA Income- Jan.-Oct. 21, 2018 Research 11% Education 37% Operations 39% Member Services 14% Income Income- EDUCATION Income- MEMBER SERVICES Income- OPERATIONS Income- RESEARCH Copies of the OSBA Profit and Loss Report and

506 views • 14 slides

More recommend