
Secure Identity Research Group

http://www.inf.fu-berlin.de/groups/ag-si/

Towards Highly Interactive Honeypots for Industrial Control Systems

Stephan Lau, Johannes Klick, Stephan Arndt and Volker Roth

<firstname>.<surname>@fu-berlin.de

Internet-facing Siemens PLCs

About 3700 Siemens S7 PLCs are connected to the Internet, and at least 230 honeypots can be trivially identified. Adversaries are likely aware of their existence and may perform thorough inspections to avoid them. We should improve the interactivity of ICS honeypots in order to use them effectively.

Honeypot Classification in the ICS World

Unlike usual honeypots, which only emulate a specific piece of software, Industrial Control Systems are general computing devices. They allow interaction with the system and its loaded program separately. We extended the traditional honeypot classification to account for that:

Low-interactive

The adversary can interact with the host only.

Medium-interactive

The adversary can interact with the host and the program.

High-interactive

The adversary can additionally read and write programs.

The First High-interactive ICS Honeypot

XPOT is the first high-interactive PLC honeypot and can be used to distract and analyze advanced adversaries. Since it is software-based, it is very scalable and enables large decoy or sensor networks. XPOT can be connected to a simulated industrial process in order to make adversaries’ experiences comprehensive.

XPOT – A Programmable PLC Honeypot

We developed XPOT, a software-based high-interactive PLC honeypot which can run programs. It simulates a Siemens S7-314C-2 PN/DP.

• modifiable memory areas

• debuggable with monitor mode

• programmable with common IDEs

• executes program, supports compilation and interpretation

• spoofed TCP/IP stack, mimics OS fingerprint and quirks

[Figure: components labelled Kernel Space, User Space, Hardware NIC, Netfilter, Packet Queue, Stack Modifier, XPOT]

• execution time is close to a genuine PLC

[Figure: execution time, PLC vs. XPOT]

• most instructions are supported (100 out of 146)

[Figure: supported instructions by category: flow, jumps, logical, memory, word, count, time, DB, float, fixed, comp, accu, cast, shift/rotate]

Features and Classification of ICS Honeypots

Interaction classes (column groups): less-interactive, medium-interactive, high-interactive

Features (columns): TCP/IP stack spoofing, read System State List, HTTP, SNMP, list blocks, read memory, write memory, start/stop CPU, up-/download blocks, execute program

Conpot – – – – – – – –

Snap7 – – ( ) ( ) ( ) ( ) – –

CryPLH2 ( ) –

XPOT SNMP
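As an added example (not XPOT code and not part of the poster), the sketch below shows how a honeypot operator could tag logged S7comm requests with the interaction class from the classification above. The function codes are standard S7comm values as named by the Wireshark dissector; which class each feature falls into is an assumption derived from the poster's three definitions, and the sample frames are constructed.

```python
import struct

# Job function codes (names follow the Wireshark s7comm dissector). The class
# given to each feature is this example's assumption, not the poster's table.
JOB = {
    0xF0: ("setup communication", "low"),
    0x04: ("read memory", "medium"), 0x05: ("write memory", "medium"),
    0x28: ("PI service (e.g. start CPU)", "medium"), 0x29: ("stop CPU", "medium"),
    **{code: ("download blocks", "high") for code in (0x1A, 0x1B, 0x1C)},
    **{code: ("upload blocks", "high") for code in (0x1D, 0x1E, 0x1F)},
}
# Userdata function groups: 3 = block functions, 4 = CPU functions (SZL reads).
USERDATA = {3: ("list blocks", "medium"), 4: ("read System State List", "low")}
RANK = {"low": 0, "medium": 1, "high": 2}

def classify(frame: bytes):
    """Map one TPKT/COTP/S7comm request to (feature, class); None if unknown."""
    if len(frame) < 7 or frame[0] != 0x03:
        return None                                  # not TPKT version 3
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        return None                                  # truncated or merged frames
    if frame[5] != 0xF0:
        return None                                  # only COTP DT carries S7comm
    s7 = frame[5 + frame[4]:]                        # skip COTP length byte + header
    if len(s7) < 11 or s7[0] != 0x32:
        return None                                  # S7comm protocol id is 0x32
    if s7[1] == 0x01:                                # ROSCTR 1: job request
        return JOB.get(s7[10])
    if s7[1] == 0x07 and len(s7) >= 16 and s7[10:13] == b"\x00\x01\x12":
        return USERDATA.get(s7[15] & 0x0F)           # ROSCTR 7: userdata
    return None

def required_class(frames):
    """Highest interaction class a honeypot needs to answer this session."""
    hits = [c for c in map(classify, frames) if c]
    return max((cls for _, cls in hits), key=RANK.get, default=None)

def _frame(rosctr: int, param: bytes, data: bytes = b"") -> bytes:
    """Build a constructed sample frame (not captured traffic)."""
    s7 = struct.pack(">BBHHHH", 0x32, rosctr, 0, 1, len(param), len(data)) + param + data
    return b"\x03\x00" + struct.pack(">H", 7 + len(s7)) + b"\x02\xf0\x80" + s7

SAMPLES = {  # constructed requests, one per feature of interest
    "szl": _frame(7, bytes.fromhex("0001120411440100"), bytes.fromhex("ff09000400110000")),
    "read": _frame(1, bytes.fromhex("0401120a10020001000083000000")),
    "stop": _frame(1, b"\x29" + bytes(5) + b"\x09P_PROGRAM"),
    "upload": _frame(1, bytes.fromhex("1d00000000000000") + b"\x09_0A00001A"),
}
```

A session whose `required_class` is "high" is one that a low- or medium-interactive honeypot cannot answer convincingly.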
