Date post: 12-Mar-2020

Secure Identity Research Group
http://www.inf.fu-berlin.de/groups/ag-si/

Towards Highly Interactive Honeypots for Industrial Control Systems

Stephan Lau, Johannes Klick, Stephan Arndt and Volker Roth
<firstname>.<surname>@fu-berlin.de

Internet-facing Siemens PLCs

About 3700 Siemens S7 PLCs are connected to the Internet; at least 230 honeypots can be trivially identified. Adversaries are likely aware of their existence and may perform thorough inspections to avoid them. We should improve ICS honeypots regarding their interactivity in order to use them effectively.

Honeypot Classification in the ICS World

Unlike usual honeypots, which only emulate specific software, Industrial Control Systems are general computing devices. They allow interaction with the system and its loaded program separately. We extended the traditional honeypot classification to account for that:

Low-interactive: The adversary can interact with the host only.

Medium-interactive: The adversary can interact with the host and the program.

High-interactive: The adversary can additionally read and write programs.

The First High-interactive ICS Honeypot

XPOT is the first high-interactive PLC honeypot and can be used to distract and analyze advanced adversaries. Since it is software-based, it is very scalable and enables large decoy or sensor networks. XPOT can be connected to a simulated industrial process in order to make adversaries’ experiences comprehensive.

XPOT – A Programmable PLC Honeypot

We developed XPOT, a software-based high-interactive PLC honeypot which can run programs. It simulates a Siemens S7-314C-2 PN/DP.

• modifiable memory areas
• debuggable with monitor mode
• programmable with common IDEs
• executes program, supports compilation and interpretation
• spoofed TCP/IP stack, mimics OS fingerprint and quirks

[Figure: TCP/IP stack spoofing path. Labels: Kernel Space, User Space, Hardware NIC, Netfilter, Packet Queue, Stack Modifikator, XPOT]

• execution time is close to a genuine PLC

[Figure: execution time, PLC and XPOT]

• most instructions are supported (100 out of 146)

[Figure: supported instructions by category: flow, jumps, logical, memory, word, count, time, DB, float, fixed, comp, accu, cast, shift/rotate]

Features and Classification of ICS Honeypots

Classes: less-interactive, medium-interactive, high-interactive

Features (columns): TCP/IP stack spoofing | read System State List | HTTP | SNMP | list blocks | read memory | write memory | start/stop CPU | up-/download blocks | execute program

Conpot – – – – – – – –

Snap7 – – ( ) ( ) ( ) ( ) – –

CryPLH2 ( ) –

XPOT SNMP
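The classification above can be used to triage honeypot sessions: for each source, which class of honeypot would have been needed to answer every request, and at which request a lower-class decoy stops being convincing. The following is an added example, not code from the poster or from XPOT; the log format, the operation names and the assignment of features to classes are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: assignment of the poster's feature names to its three classes,
# read off the class definitions (host / host + program / read-write programs).
TIER_OF = {
    "read_ssl": 1, "http": 1, "snmp": 1,
    "list_blocks": 2, "read_memory": 2, "write_memory": 2, "start_stop_cpu": 2,
    "upload_block": 3, "download_block": 3, "execute_program": 3,
}
TIER_NAME = {0: "none", 1: "low-interactive", 2: "medium-interactive",
             3: "high-interactive"}

# Constructed sample log (hypothetical format; addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
2020-03-01T10:00:01Z src=192.0.2.10 op=read_ssl
2020-03-01T10:00:02Z src=192.0.2.10 op=snmp
2020-03-01T10:03:10Z src=198.51.100.7 op=read_ssl
2020-03-01T10:03:12Z src=198.51.100.7 op=list_blocks
2020-03-01T10:03:15Z src=198.51.100.7 op=read_memory
2020-03-01T10:07:40Z src=203.0.113.5 op=list_blocks
2020-03-01T10:07:44Z src=203.0.113.5 op=upload_block
2020-03-01T10:07:51Z src=203.0.113.5 op=download_block
2020-03-01T10:07:52Z src=203.0.113.5 op=start_stop_cpu
garbage line that should be ignored
"""
LINE_RE = re.compile(r"^\S+ src=(\S+) op=(\w+)$")

def required_tier(log_text):
    """Per source: highest class of honeypot needed to answer every request."""
    ops = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) in TIER_OF:
            ops[m.group(1)].append(m.group(2))
    return {src: (max(TIER_OF[o] for o in seq), seq) for src, seq in ops.items()}

def first_unanswered(seq, honeypot_tier):
    """First request a honeypot of the given class cannot serve, or None.
    That request is where a careful visitor would notice the decoy."""
    return next((o for o in seq if TIER_OF[o] > honeypot_tier), None)

if __name__ == "__main__":
    for src, (tier, seq) in required_tier(SAMPLE_LOG).items():
        print(src, TIER_NAME[tier], "| low-interactive decoy fails at:",
              first_unanswered(seq, 1))
```
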
