Executive summary - The Honeypot concept in a nutshell
A honeypot system is a passive monitoring system designed with "early warning" capabilities, especially for production environments and critical infrastructure. The honeypot appears to be a legitimate part of the customer's core infrastructure. The core function of the solution is to raise alerts and warnings if the infrastructure has been breached by attackers or by malware activity.
To describe the key concept, we can think of the honeypot as a digital version of the caged canaries used in the mining industry in the 1900s.
Mine workers carried caged canaries (birds) into the mining tunnels. If dangerous gases such as carbon monoxide appeared in the mine, the gas would kill the canary before killing the miners, thus providing a warning that something was out of the ordinary and that action was required to minimize the loss. This meant the miners had time to take the proper actions and save the day before disaster struck.
The "digital" canaries are a honeypot solution deployed on the core network of the production site or plant: it will warn your security team at an early stage of an attack. The attacker is fooled into believing that they are interacting with a real ICS unit, e.g. a Programmable Logic Controller (PLC), an Ethernet-to-serial converter or a Human-Machine Interface (HMI), while each interaction with the honeypot raises an alert to the company's cybersecurity team.
The core benefit of a honeypot solution is the "early warning" of such an attack. Knowing that someone or something is actively exploiting and hacking your business-critical systems right now can reduce the overall impact, damage and potential loss from the incident. Another great benefit is that the attacker wastes precious time attacking a believable honeypot rather than the real infrastructure, and your security team gets more time to respond and stop the attack.
A honeypot deployment is different from all other OT security equipment: there is no valid reason for any communication to or from this device, since its only purpose is to alert. Any traffic that reaches it is therefore suspicious by definition, so your company will not waste time on "false positives" (events and alerts that consume many internal resources).
Our honeypot is a high-interaction honeypot, providing the best deception to keep the attacker busy while you initiate your countermeasures.
The technology behind a high-interaction honeypot:
Our unique service lets the honeypot:
Fool Nmap into reporting "Yes, it's a Moxa device, Windows XP or a Siemens PLC"
Give PLCscan the reply it expects from a real device
Expose readable and writable Modbus registers, just like a real device
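To make the last two points concrete, here is an added illustration of the core idea (this is example code written for this summary, not the vendor's product code): a minimal Modbus/TCP honeypot that answers Read Holding Registers (function 0x03) and Write Single Register (function 0x06) the way a real unit would, returns proper Modbus exception responses otherwise, and emits one JSON alert line for every connection and every request, since no legitimate traffic should ever reach the device. The 16-register map, the severity labels and the listening port 5020 are constructed assumptions for the example.

```python
import datetime
import json
import socket
import struct

# Constructed register map for the fake unit: 16 holding registers, all zero.
# A real PLC exposes far more; this size is an assumption for the example.
REGISTERS = {addr: 0 for addr in range(16)}

ILLEGAL_FUNCTION = 0x01
ILLEGAL_ADDRESS = 0x02


def _mbap(transaction_id, unit_id, pdu):
    """Prefix a PDU with the Modbus/TCP MBAP header (length counts unit id + PDU)."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def _exception(function_code, exception_code):
    """Modbus exception response: function code with the high bit set, then the reason."""
    return bytes([function_code | 0x80, exception_code])


def handle_frame(frame, registers):
    """Answer one Modbus/TCP request like a real unit would and return an alert record.

    Every frame deserves an alert: nothing legitimate ever talks to the honeypot.
    Returns (response_bytes_or_None, alert_dict).
    """
    alert = {"ts": datetime.datetime.now(datetime.timezone.utc).isoformat()}
    if len(frame) < 8:
        alert.update(event="malformed_frame", raw=frame.hex())
        return None, alert
    tid, _proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if not pdu:
        alert.update(event="malformed_frame", raw=frame.hex())
        return None, alert
    fc = pdu[0]
    alert.update(event="modbus_request", unit=unit, function=fc)

    if fc == 0x03 and len(pdu) == 5:  # Read Holding Registers
        start, qty = struct.unpack(">HH", pdu[1:5])
        alert.update(op="read_holding_registers", start=start, quantity=qty, severity="medium")
        wanted = range(start, start + qty)
        if not 1 <= qty <= 125 or any(a not in registers for a in wanted):
            resp = _exception(fc, ILLEGAL_ADDRESS)
        else:
            values = [registers[a] for a in wanted]
            resp = bytes([fc, 2 * qty]) + struct.pack(">%dH" % qty, *values)
    elif fc == 0x06 and len(pdu) == 5:  # Write Single Register
        addr, value = struct.unpack(">HH", pdu[1:5])
        # A write attempt is someone trying to change process state: highest severity.
        alert.update(op="write_single_register", address=addr, value=value, severity="high")
        if addr not in registers:
            resp = _exception(fc, ILLEGAL_ADDRESS)
        else:
            registers[addr] = value
            resp = pdu  # a real unit echoes the write request as its response
    else:
        alert.update(op="unsupported", severity="medium")
        resp = _exception(fc, ILLEGAL_FUNCTION)
    return _mbap(tid, unit, resp), alert


def serve(host="0.0.0.0", port=5020):
    """Listen for Modbus/TCP and print one JSON alert line per connection and per request."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, (peer_ip, peer_port) = srv.accept()
            with conn:
                print(json.dumps({"event": "connection", "peer": peer_ip, "port": peer_port}))
                while True:
                    data = conn.recv(260)  # the maximum Modbus/TCP ADU is 260 bytes
                    if not data:
                        break
                    resp, alert = handle_frame(data, REGISTERS)
                    alert["peer"] = peer_ip
                    print(json.dumps(alert))
                    if resp:
                        conn.sendall(resp)


if __name__ == "__main__":
    serve()  # port 5020 needs no root; a deployed unit would sit on the standard port 502
```

The alert lines are meant to be shipped to the SIEM as-is; because the device has no legitimate peers, a simple rule such as "any event from the honeypot" is already a high-fidelity detection, and the "write_single_register" events are the ones to page on first.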