DEFENICA ICS HONEYPOT in action - "SPOT the Honeypot(s)" at CS3STHLM
During this year’s CS3STHLM, the Stockholm international summit on SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control Systems), we deployed a number of DEFENICA SecuriOT HoneyPot units in the ICS Lab. For the first time ever, we built the competition “Spot the Honeypot(s)”, where delegates could scan the ICS/SCADA equipment deployed on the four lab networks in order to spot the honeypots.
During the conference, many delegates asked me for further information and had a number of questions, both on DEFENICA and on honeypot deception in general, which inspired me to write this blog post. So let’s get started. First, what is a honeypot? To sum up: it is a system or device built for the sole purpose of alerting defenders that someone is communicating with it. To put things into perspective:
“Knowing that someone is actively exploiting and hacking your internal industrial systems right now can reduce the overall impact, damage and potential loss from the incident. What if you could have an early warning of such an attack? Even better: what if the attacker was wasting precious time attacking a believable decoy rather than the real infrastructure, while you get the time required to respond and stop the attack!”
A honeypot can be low, medium or high interaction. Low-interaction honeypots are too easy to spot; one can say that the more interaction the honeypot can provide, the better the deception and the longer the attacker will spend on it, allowing the blue team defense cavalry to scramble and respond to the threat.
To live up to the “defense in depth” mantra, I personally believe that deception technology (honeypots) is an important part of our overall ICS defense toolbox.
Meet DEFENICA (DEFENd Industrial Control Assets), the ICS/SCADA honeypot
As part of my contribution to the ICS Lab team, I had prepared and deployed the DEFENICA SecuriOT HoneyPot NET units borrowed from SecuriOT.
It is a small physical unit with a number of different ‘templates’; each template can be deployed on one (or several) ‘virtual’ IP addresses, making it possible for a single DEFENICA to simulate a number of different industrial and IT devices across the industrial network.
During the whole “Spot the Honeypot(s)” competition we kept the environment very dynamic, both to showcase the options and to research how the delegates approached and attacked the different templates. We deployed, for example:
Several IT/industrial firewalls, like:
Various PLCs, like:
Lots of different Windows and Linux systems
and, last but not least, the ever-present Moxa serial-to-Ethernet devices
The day before the conference we needed to change a lot of the templates, diluting and degrading them so they would not be as effective as in a real deployment.
We had three levels of challenge complexity:
The Easy level was intended to get the crowd engaged with the task: scanning some ‘selected’ IP addresses with nmap -O (OS detection, i.e. “tell me the operating system of the scanned device”) would inform the ‘attacker’ that the device was a “Sony PlayStation 3”, surely something you (hopefully!) would never see in a real industrial environment, but it gave some good laughs when people reached that network segment.
The Medium level was meant to encourage the use of tools other than nmap. One case was a high-interaction device that acted like a real PLC; however, querying the ‘selected’ IP addresses with e.g. PLCscan would return a result like “ICS LAB Honeypot BEER Factory”, proving beyond doubt that it was indeed a honeypot.
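What a scanner like PLCscan sends to get that vendor string from a Modbus/TCP device is a Read Device Identification request (function 0x2B, MEI type 0x0E). The Python below is an added example written for this post; it is not code from DEFENICA, SecuriOT or PLCscan. It builds the request, parses the reply with length checks, and decodes a constructed reply that carries the same kind of give-away string as the honeypot did. The product code and revision values in the sample are made up, and the object names follow the Modbus spec's basic identification set.

```python
import struct

FC_ENCAPSULATED = 0x2B      # Modbus "Encapsulated Interface Transport" function code
MEI_READ_DEVICE_ID = 0x0E   # MEI type: Read Device Identification
READ_BASIC = 0x01           # basic identification: objects 0x00..0x02
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_read_device_id_request(transaction_id=1, unit_id=1, object_id=0x00):
    """MBAP header + PDU for a basic Read Device Identification request."""
    pdu = bytes([FC_ENCAPSULATED, MEI_READ_DEVICE_ID, READ_BASIC, object_id])
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def build_read_device_id_response(objects, transaction_id=1, unit_id=1):
    """Encode a basic Read Device Identification reply (used here to construct a sample)."""
    body = b"".join(bytes([oid, len(value)]) + value for oid, value in objects.items())
    # conformity level 0x01 (basic, stream access), more-follows 0x00, next object id 0x00
    pdu = bytes([FC_ENCAPSULATED, MEI_READ_DEVICE_ID, READ_BASIC, 0x01, 0x00, 0x00,
                 len(objects)]) + body
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_device_id_response(frame):
    """Return {object name: text} from a Read Device Identification reply, validating lengths."""
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    _tid, protocol_id, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if protocol_id != 0 or len(pdu) != length - 1 or len(pdu) < 2:
        raise ValueError("bad MBAP length/protocol")
    if pdu[0] == FC_ENCAPSULATED | 0x80:
        raise ValueError("Modbus exception 0x%02x" % pdu[1])
    if len(pdu) < 7 or pdu[0] != FC_ENCAPSULATED or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification reply")
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated object value")
        objects[OBJECT_NAMES.get(oid, "Object%02x" % oid)] = value.decode("ascii", "replace")
        pos += 2 + olen
    return objects


def looks_like_honeypot(objects):
    """The Medium-level tell: an identification string that says what the device is."""
    return any("honeypot" in text.lower() for text in objects.values())


# Constructed sample reply modelled on the string quoted in the post; not a capture from the lab.
SAMPLE_HONEYPOT_REPLY = build_read_device_id_response({
    0x00: b"ICS LAB Honeypot BEER Factory",
    0x01: b"BEER-PLC-01",
    0x02: b"v1.0",
})

if __name__ == "__main__":
    print(build_read_device_id_request().hex())
    ident = parse_read_device_id_response(SAMPLE_HONEYPOT_REPLY)
    print(ident, "honeypot" if looks_like_honeypot(ident) else "no tell")
```

Sending the request bytes to port 502 of a real device and feeding the reply to the parser gives the same three fields a scanner prints; on a production honeypot the vendor and product strings should of course be the ones the emulated PLC family really returns.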
The Hard level was to showcase that a well-planned honeypot can be rather effective in an ICS environment. It was deployed via a proxy: when the attacker hit the virtual IP assigned by the physical DEFENICA device, DEFENICA would proxy the traffic to a real ICS device located on the same network. The technical term would be “man-in-the-middle” (MITM), or, in this case, it would be more appropriate to call it “honeypot-in-the-middle”.
In such a deployment the attacker is, from their point of view, interacting with the real device, and it is very hard to establish that it is actually a honeypot. That is very good from the defender's point of view, as the alerts flowing in will tell us that the enemy is in our network.
The flags were, for example, that when using telnet to .114 the real device would announce that it ‘had’ .115: hard to spot, even when you know there are honeypots on the network.
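The honeypot-in-the-middle in miniature, as an added Python example written for this post (not DEFENICA's implementation): a TCP relay that accepts connections on the decoy address, forwards them to the real device, raises an alert for every connection and every byte the attacker sends, and, as a fix for the .114/.115 flag above, rewrites the device's own address in what it sends back. The addresses 192.0.2.115/192.0.2.114 stand in for the lab's .115 and .114, the "PLC-7" telnet greeting is a constructed stand-in for the real device's banner, and the alert list stands in for syslog or SIEM forwarding.

```python
import asyncio
import datetime

REAL_IP, DECOY_IP = "192.0.2.115", "192.0.2.114"   # constructed stand-ins for the lab's .115/.114


def _now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")


async def _pump(reader, writer, rewrite, on_data):
    """Copy bytes reader -> writer until EOF, optionally rewriting and reporting each chunk."""
    try:
        while True:
            data = await reader.read(4096)
            if not data:
                break
            if rewrite:
                # Per-chunk substitution: a string split across two reads would slip through,
                # acceptable for a short greeting banner, not a general content filter.
                data = data.replace(rewrite[0], rewrite[1])
            on_data(data)
            writer.write(data)
            await writer.drain()
    except OSError:
        pass
    finally:
        writer.close()


class HoneypotInTheMiddle:
    """Accepts connections on a decoy address, relays them to a real device, alerts on each."""

    def __init__(self, target_host, target_port, alerts, hide_target=None):
        self.target = (target_host, target_port)
        self.alerts = alerts            # list of dicts; stands in for syslog/SIEM forwarding
        self.hide_target = hide_target  # (real_ip, decoy_ip): mask the device's own IP in replies

    def _alert(self, event, src, **extra):
        self.alerts.append({"ts": _now(), "event": event, "src": src,
                            "target": "%s:%d" % self.target, **extra})

    async def handle(self, client_reader, client_writer):
        host, port = client_writer.get_extra_info("peername")[:2]
        src = "%s:%d" % (host, port)
        self._alert("connect", src)     # nobody has business talking to the decoy: alert at once
        try:
            dev_reader, dev_writer = await asyncio.open_connection(*self.target)
        except OSError as exc:
            self._alert("target_unreachable", src, error=str(exc))
            client_writer.close()
            return
        rewrite = None
        if self.hide_target:
            rewrite = (self.hide_target[0].encode(), self.hide_target[1].encode())

        def log_client(data):   # every attacker-originated chunk becomes an alert with a preview
            self._alert("client_data", src, length=len(data), preview=data[:32].hex())

        await asyncio.gather(
            _pump(client_reader, dev_writer, None, log_client),
            _pump(dev_reader, client_writer, rewrite, lambda _data: None),
            return_exceptions=True,
        )
        self._alert("disconnect", src)


async def _fake_device(reader, writer):
    """Constructed stand-in for the real PLC: greets with its own address, like the telnet banner."""
    writer.write(("Welcome to PLC-7 at %s\r\nlogin: " % REAL_IP).encode())
    await writer.drain()
    await reader.read(100)      # wait for the attacker's first input, then hang up
    writer.close()


async def _demo():
    alerts = []
    device = await asyncio.start_server(_fake_device, "127.0.0.1", 0)
    dev_port = device.sockets[0].getsockname()[1]
    hitm = HoneypotInTheMiddle("127.0.0.1", dev_port, alerts, hide_target=(REAL_IP, DECOY_IP))
    decoy = await asyncio.start_server(hitm.handle, "127.0.0.1", 0)
    decoy_port = decoy.sockets[0].getsockname()[1]
    # the "attacker" connects to the decoy and sees what looks like the real device
    reader, writer = await asyncio.open_connection("127.0.0.1", decoy_port)
    banner = (await reader.readuntil(b"login: ")).decode()
    writer.write(b"admin\r\n")
    await writer.drain()
    await reader.read()         # EOF once the device hangs up
    writer.close()
    await writer.wait_closed()
    decoy.close()
    device.close()
    return banner, alerts


def demo():
    """Run the loopback scenario; returns the banner the attacker saw and the alerts raised."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    seen, raised = demo()
    print(repr(seen))
    for alert in raised:
        print(alert)
```

Two practical points follow from the design. The attacker's commands really do reach the device behind the relay, so this only belongs in front of equipment (or a lab rig) that can tolerate whatever is sent, or behind a filter that drops write operations. And the banner rewrite covers only the leak the flag exploited; any other place a device reports its own address (SNMP, web pages, protocol identification replies) needs the same treatment before the decoy is convincing.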
A picture says more than a thousand words, and Anton Shipulin (Twitter: @shipulin_anton) from Kaspersky ICS sent this tweet during my presentation. It’s the true spirit of honeypots :-)
Many thanks to my fellow ICS Lab rats - you are awesome!
Lars-Erik Smevold of KraftCERT
Erik Hjelmvik of NETRESEC
Many thanks to SecuriOT for providing the DEFENICA Units.
Well done to our winner, Matan!
and, last but not least, to the whole CS3STHLM team, Cissi Thorell, Erik Johansson and Robert Malmgren, for a 5th anniversary “ICS family reunion”, and to the Norwegian National Security Authority and KraftCERT for providing new, interesting equipment to the ICS Lab.
Personally, I hope the blue teams/defenders can change the mantra from
“Hackers only need to get it right once; we need to get it right every time...”
to
“Hackers only need to hit our honeypot once; then we will know and can respond!”
Feel free to reach out for further information
Kind regards, Mikael Vingaard