The document discusses honeypot systems which are decoy network resources designed to be attractive targets for cyber attackers. Honeypots record attacker activity and data to analyze attack methods and motives. They consist of modules to induce attacks, deceive attackers with simulated data, and analyze the attacker behavior. Both low interaction honeypots with limited functionality and high interaction honeypots simulating full systems are described. The document outlines a methodology used to design an industrial control system honeypot, including defining the system scope, implementing security monitoring, and exposing the simulated system online to attract attacks. The benefits of honeypots for active network defense and data collection are balanced with their risks

1. Honeypot: Defense through the
deception

2. Presented by:
Karthik Bharadwaj A R
bharadwajkarthik4@gmail.com
Manoj M
manoj09633@gmail.com
Department of Electronics and Communications
Jawaharalal Nehru National college of engineering, Shivamogga

3. Background
 Industrial control systems (ICS) are typically defined as the systems which govern an
industrial process.
 Business processes relying upon ICS Operational Technology (OT) have high operational
demands, often having safety-related functionality and specific system performance criteria.
Introduction
 For computer network, its own characteristics such as the diversity of linking forms, the
openness, and interconnectivity make the network vulnerable to hackers, malicious software
and other forms of attack.
 The information security mechanisms in traditional sense are generally passive defense, such
as firewalls, intrusion detections systems, and encryption, and so on.
KARTHIK BHARADWAJ A R MANOJ M

4.  However, with the continuous development of attack technology, the existing protection
technology often does not recognize the new attack, always in a passive position.
 Honeypot uses beguiled technology, is a voluntary means to protect the network, and the
research on it mainly is to study how to design a strict deception environment.
 It can detect unknown attacks and collect invasion information at the same time to observe
the behavior of the invader, record their activates so that analyzing the level, purpose, tools
and means of the invader
KARTHIK BHARADWAJ A R MANOJ M

5. Honeypot System Principle
₾ Honeypot system is a network resource; it is created to be a host which actually exist and has
attraction to hackers; but it’s main purpose is to be used for being attacked and explored.
₾ Honeypot records the network communicating data between the hackers and honeypot host,
and then using analytic tools to interpret and analyses these data, thus the methods and
motives of the attackers entering the system will be found.
KARTHIK BHARADWAJ A R MANOJ M

6. ₰ Honeypot system is generally composed by induced, deceived and analysis modules.
₰ The induced modules is used to attract the attackers to attack on the honeypot system; thus
deceived module calls the simulating information from the database.
₰ The analysis module is used for adjusting the induction and deception strategy momentarily.
KARTHIK BHARADWAJ A R MANOJ M

7. Honeypot defense system design idea
ꙃ The existing trap networks are laid with low interaction and high interaction.
ꙃ Pure honeypots are full-fledged systems where an attacker’s activity is monitored by a bug
tap installed on the honeypot’s link to the network. Being a full OS based honeypot made
them difficult to scale and open to compromise.
ꙃ Low interaction needs fewer resources but has a great limitation. It can only interact with the
hackers for one or two times, which makes it easy for hackers to find that this a trap.
ꙃ The high interactive trap network make use of the actual vulnerable service or software. They
are usually complex solutions as they involve real operating systems and applications.

8. ◊ Control Center is a host which configures and manages the agents in the segment, and its main
function is to complete alarm receiving and display, alarm analysis and results show, and other
function.
◊ Low interaction and high interaction of honeypot simulates the host operation system and
some basic services in it to construct virtual Honeypot, generate the second level of agent
nodes and then redirect the hacker attack part of the second level agent nodes to the first level
of agent node.
◊ Because Honeypot does not simulate every aspect of the operation system, but only simulates
network services, thus the behavior of the hackers will be limited to network level
Defense system mechanism
KARTHIK BHARADWAJ A R MANOJ M

9. Making Honeypot attractive
‫ﻡ‬ Google tools were therefore used to ensure the system appeared in Google searches and were
searchable using Google search terms known as ‘dorks,’ for the specific internet facing control
system components.
‫ﻡ‬ The findings indicated that the Shodan (www.shodan.io) search engine used industrial
protocols to obtain specific information from automation devices. Normally search engines
such as Shodan would identify the processor type from standard HTTP requests.
An engineering approach to Honeypot design
 Control system honeypots have been widely deployed as virtualized systems, which tend to
have a low level of fidelity.
 The research developed a methodology which can be applied to multiple sectors for active
defense. The research intent was to implement and operate an industrial control system
honeypot.
 In the initial stages the project scope was defined to inform the design and ultimately the
development and operation of the system. The areas addressed at this stage were the type of
system to be modeled, and the situational awareness requirements.
KARTHIK BHARADWAJ A R MANOJ M

10. Methodology overview
 Facilitate Industry/stakeholder workshop to define industry needs and desired outcomes;
 Methodology report/system specification; x Control system and process build;
 Data capture and analysis
 Infrastructure design and implementation;
 ICS System deployment;
 Ongoing campaign and analysis;
 Final report and presentation with collated findings.
Honeypot implementation was undertaken in six stages:
1. Industrial sector and control process selection;
2. Construction of the control system. This included the selection of components, PLC
programming, HMI and SCADA development, plant process simulation and system modeling;
3. Implementation of security monitoring infrastructure, including selection of software and
systems.
4. Integration of control system and security monitoring infrastructure;
5. System testing;
6. Exposure to the Internet.
KARTHIK BHARADWAJ A R MANOJ M

11. The OT honeypot consists of four major components:
1. Control systems and process simulation;
2. Situational Awareness and Forensics (SAF) platform;
3. The attacker’s infrastructure;
4. Remote monitoring infrastructure for the honeypot
This was implemented in a standalone environment. The aim being to explore the feasibility of
different implementations, whilst making the system attractive, and maintain separation from
actual operational systems.
KARTHIK BHARADWAJ A R MANOJ M

12. KARTHIK BHARADWAJ A R MANOJ M

13. Advantages
 Data Collections
o Only captures relevant data
o Small data sets
o High value
 Minimize recourse usage
o Less bandwidth or activity than other security
implementation
 Simplicity
o Less complex than other security mechanism
such as intrusion detection systems
o Less chance of misconfiguration
 Cost
o No need for high resource usage
o Depends on the application
Disadvantages
 Single point of attack
o Useless if it is not attacked
 Risk
o Have a risk of being exploited - depends on
the type of honeypot
 Limited view
o Limited data – only captures what interacts
with it and not the whole scope of the
system
 Costs
o Development costs, analysis costs
o Depends on the applications
KARTHIK BHARADWAJ A R MANOJ M

14. Questions
KARTHIK BHARADWAJ A R MANOJ M