Honeypots in ICS Environments - PowerPoint PPT Presentation


slide-1
SLIDE 1

Honeypots in ICS Environments

traffic lights

smart grid

space station

steel mill

power plant

supertanker

death star

gas pipeline

sewage plant

wind turbine

slide-2
SLIDE 2

DI Daniel Haslinger, BSc.

cypherpunk, chaotic neutral, privacy activist, researcher, developer, honeynet project member

IT Security Researcher, Institute of IT Security Research
  • St. Poelten University of Applied Sciences

The Honeynet Project
  • Norwegian “honeynor” chapter

slide-3
SLIDE 3

1999: Gazprom

2000: Maroochy Shire

2006: Browns Ferry

2008: Lodz

2010: Stuxnet

2011: DUQU

2012: Flame

2013: Shamoon

2014: HAVEX

(published) ICS vulnerabilities are on the rise

slide-4
SLIDE 4

[Chart: number of published vulnerabilities found on the web, per year 2009 to 2014; y-axis from 40 to 160]

slide-5
SLIDE 5

Signature Based Detection Mechanisms

Intrusion Detection Systems

Data Loss Prevention Gateways

L7 Firewalls

Fuzzy Detection Mechanisms


slide-6
SLIDE 6

HONEY POTS

“gathering needles since 1998”

slide-7
SLIDE 7

Valuable Intelligence: WHO is attacking us? WHAT is the attacker trying to achieve? HOW is the actual attack carried out?

slide-8
SLIDE 8

“Who’s really attacking your ICS Equipment”

published 2013, TrendLabs

Laos

Poland

Japan

North Korea

Russia

China

United States

Brazil

Vietnam

Great Britain

Chile

slide-9
SLIDE 9

Advantages of Honeypots (in general)

Small Data Sets
  • you only need to analyze data that matters…

Reduced False Positives
  • what you see is what you … got

Catching False Negatives
  • to measure the performance of conventional security techniques

slide-10
SLIDE 10

Pros & Cons of Honeypots (in general)

Crypto aware
  • the honeypot is the endpoint

IPv6 aware
  • the final frontier

Flexible & cheap
  • most solutions run on commodity hardware

slide-11
SLIDE 11

Pros & Cons of Honeypots (in general)

Risk may be involved
  • especially if you use high interaction honeypots

Limited field of view
  • you do not see the whole picture

Not a real security solution to count on
  • after all, you still need conventional security

slide-12
SLIDE 12

Products & Solutions

CIAG SCADA Honeynet
  • scadahoneynet.sourceforge.net
  • telnet, ftp, modbus, http
  • very minimal interaction, but profits from honeyd (network, OS deception)
  • ~ 2004 - 2005

SHaPe
  • C-based low interaction module for Dionaea
  • IEC 61850

slide-13
SLIDE 13

Products & Solutions

Digital Bond SCADA Honeynet
  • Honeywall based approach, based on SNORT
  • works with emulated and real hardware
  • will not work properly with encrypted protocols

General Purpose Honeypots (ENISA, 2012)
  • Amun, Dionaea, KFsensor, Honeyd, Honeytrap, nepenthes, Tiny Honeypot, …

slide-14
SLIDE 14

Products & Solutions

Conpot
  • developed from scratch, based on Python
  • Modbus, HTTP, SNMP, S7comm, Kamstrup
  • Hybrid Interaction through request forwarding
  • Central Databus all across the protocols
  • TAXII*, HPfriends, SQL, Syslog
  • No OS deception stack (yet)
  • Still under heavy development

* DHS

slide-15
SLIDE 15

Deployment Strategies

Thick Deployments
  • Every entity contains the whole logic
  • Global high interaction honeypot?
  • shipping, customs and hardware costs
  • Individual maintenance involved
  • Entity operator has physical access to your data

slide-16
SLIDE 16

Deployment Strategies

Thin Deployments
  • A central server spawns instances of honeypots
  • Each instance serves one “honey traffic reflector”
  • Little to no hardware costs on the receiving site
  • Traffic is forwarded without the loss of vital information
  • Logs and logic always stay in your hands

slide-17
SLIDE 17

Deployment Strategies

Thin Deployments

[Diagram: two external hosts (72.23.4.1, 192.92.13.5) reach the honey traffic reflectors 10.0.0.x, 10.0.0.y and 10.0.0.z, which are connected over OpenVPN to the HP BACKEND at 10.0.0.1. Slides 18 to 26 repeat this diagram and each add one step of the traffic flow.]

slide-18
SLIDE 18

Thin Deployments: POOH

slide-19
SLIDE 19

Thin Deployments: POOH

slide-20
SLIDE 20

Thin Deployments: POOH

slide-21
SLIDE 21

Thin Deployments: POOH, DNAT

slide-22
SLIDE 22

Thin Deployments: POOH

slide-23
SLIDE 23

Thin Deployments: POOH, LOG & RESPOND

slide-24
SLIDE 24

Thin Deployments: POOH

slide-25
SLIDE 25

Thin Deployments: POOH, SNAT

slide-26
SLIDE 26

Thin Deployments: POOH

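The thin deployment on slides 16 to 26 relies on a reflector that DNATs inbound honey traffic through the VPN to the central backend, lets the backend log and respond, and SNATs so the reply can find its way back. The following shell script is an added example, not code from the slides or from the presenter: it generates (and, as root, applies) an iptables ruleset for one such reflector. The interface names (eth0, tun0), the reflector tunnel address 10.0.0.2, the backend 10.0.0.1 and the honey ports 502 (Modbus/TCP) and 80 are assumptions chosen to match the diagram, and the LOG rule is a design choice of this example: because the SNAT rewrites the source to the reflector's tunnel address, the backend no longer sees the attacker's real address, so the reflector records it before translation.

```shell
#!/bin/sh
# Added example (not from the slides): iptables ruleset for a "honey traffic
# reflector" in a thin honeypot deployment.
# Assumed topology (not on the slides): public interface eth0, OpenVPN tunnel
# interface tun0, reflector tunnel address 10.0.0.2, honeypot backend 10.0.0.1,
# honey ports 502 (Modbus/TCP) and 80 (HTTP).

# Print the ruleset for one reflector.
# Arguments: public iface, tunnel iface, reflector tunnel IP, backend IP,
# then one or more TCP ports to reflect.
reflector_rules() {
    pub_if=$1; tun_if=$2; tun_ip=$3; backend=$4; shift 4
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default-deny forwarding: only honey traffic may cross the reflector.
    echo "iptables -P FORWARD DROP"
    # Replies from the backend flow back out of the public interface.
    echo "iptables -A FORWARD -i $tun_if -o $pub_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        # DNAT: redirect the honey port into the tunnel, towards the backend.
        echo "iptables -t nat -A PREROUTING -i $pub_if -p tcp --dport $port -j DNAT --to-destination $backend:$port"
        # In FORWARD the destination is already rewritten but the source is still
        # the original client, so log every new connection here; after the SNAT
        # below the backend only ever sees the reflector's tunnel address.
        echo "iptables -A FORWARD -i $pub_if -o $tun_if -p tcp -d $backend --dport $port -m conntrack --ctstate NEW -j LOG --log-prefix \"honey-reflect:$port \""
        echo "iptables -A FORWARD -i $pub_if -o $tun_if -p tcp -d $backend --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    # SNAT: the backend answers to this reflector's tunnel address, so it needs
    # no per-reflector return routes; conntrack then undoes both translations
    # and the client sees the reply coming from the reflector's public address.
    echo "iptables -t nat -A POSTROUTING -o $tun_if -d $backend -j SNAT --to-source $tun_ip"
}

# Apply the rules when run as root, otherwise just print them for review.
apply_reflector_rules() {
    if [ "$(id -u)" -eq 0 ]; then
        reflector_rules "$@" | sh -e
    else
        reflector_rules "$@"
    fi
}

# Sample invocation with the assumed addresses above (uncomment to use):
# apply_reflector_rules eth0 tun0 10.0.0.2 10.0.0.1 502 80
```

Run it once per reflector with that reflector's own tunnel address; the kernel LOG lines (prefix `honey-reflect:<port>`) on the reflector are the only place the client's real address survives, so ship them to the same place as the backend logs if the deployment is meant to lose no vital information.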
slide-27
SLIDE 27

Lessons learned
  • Creating good templates is a work for perfectionists
  • Don’t be overly attached to your CC
  • OS deception is a MUST
  • Sifting through aggregated data is serious work