This course focuses on SCADA/ICS systems. Its title is: Advanced Threat Detection in ICS – SCADA Environments.
In this course we look at the effectiveness of honeypots within a SCADA/ICS context. A honeypot typically consists of data, or a network site, that appears to be part of the organization's network but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
How To Protect Your Website From Bot Attacks is a one-hour continuing education course. After successfully completing the course and final exam, you will be awarded a certificate of completion that you can use towards fulfilling your continuing education requirements.
We are delighted to have Gary Miliefsky on our second Hacker Hotshot of 2013! Gary is the Editor of Cyber Defense Magazine, which he recently founded after years of being a cover story author and regular contributor to Hakin9 Magazine. In partnership with UMASS, he started the Cyber Defense Test Labs to perform independent lab reviews of next generation information security products. Gary is also the founder of NetClarity, Inc., which is the world's first next generation agentless, non-inline network access control (NAC) and bring your own device (BYOD) management appliances vendor based on a patented technology which he invented.
"How To Defeat Advanced Malware: New Tools for Protection and Forensics" is a FREE continuing education class that has been designed specifically for CIO's, CTO's, CISO's and senior executives who work within the financial industry and are responsible for their company's endpoint protection.
How to tell if that pop-up window is offering you a rogue anti-malware product – GFI Software
Rogue anti-malware products are a bane for every Internet user, especially those who have little or no technical know-how. There are hundreds of scareware ‘products’ on the Internet. This white paper examines this type of scam, explains how they work, what to look out for, and how to prevent your computer from being infected.
Welcome to the Threatsploit Report, covering some of the important cybersecurity events, incidents and exploits that occurred this month across Application Security, Mobile App Security, Network Security, Website Security, API Security, Cloud Security, Host Level Security, Cyber Intelligence, Thick Client Security, Threat Vulnerability, Database Security, IoT Security and Wireless Security.
Bitdefender - Solution Paper - Active Threat Control – Jose Lopez
This Solution Paper describes how Bitdefender's Active Threat Control can protect Windows endpoints, both desktops and servers, from advanced and 0-day threats such as cryptomalware, thanks to a proactive-by-design, dynamic detection technology based on monitoring process behavior and on tagging and correlating suspect activities with a minimal footprint.
Cyber Security: User Access Pitfalls, A Case Study Approach Aviva Spectrum™
Worried your passwords are not strong enough for today’s sophisticated hackers? Cyber security breaches happen every day, as evidenced in recent headlines. Presentation covers key User Access threats both internal and external and ways to protect yourself and your company from malicious hackers. Learn from key case studies.
In a confusing web world of "Like" buttons, tweets, Instagram'ing, and files being stored in clouds like Dropbox, organizations are challenged with how to protect the network, while not hindering business. To make matters worse, vendors are confusing the deployment methods by introducing On Premise Web Security Gateways, Cloud Web Security Gateways and Next Generation Firewalls.
1. Cyber Ethics and Cyber Crime
2. Security in Social Media & Risk of Child Internet
3. Social media in Schools and photo privacy
4. Risk of OSNs and Security, Privacy of Facebook
5. Risk and Security of Social Networking site Facebook and Twitter
6. Risk analysis of Government and Online Transaction
IBM MobileFirst Protect - Curing CISOs' Mobilephobia – AGILLY
Mobilephobia: a set of fears that generally affects CISOs and other security professionals regarding the adoption and deployment of a mobile security strategy that enables access across the enterprise, sharing of corporate data, or interactions with partners, customers and other third parties via mobile devices and applications.
Defending Your Base of Operations: How Industrial Control Systems are Being T... – AFCEA International
Mike Assante
Lead for Training for ICS and SCADA
SANS Industrial Control
We are used to taking the fight to the enemy, but we are entering into an age where it is expected that the enemy will be doing the same.
Андрей Аваданей - How to protect a company's critical assets using honeypots – HackIT Ukraine
When you deal with critically important information, wealth or complex infrastructures, or you are the supplier of some product for ordinary users, you must be prepared for the worst and take proactive measures to protect against and prevent incidents that damage your network, assets or reputation, or that leak confidential information. In any kind of attack there is a short window of time during which the attackers are most vulnerable. The talk will present several points of view, as well as examples of how we can identify, misinform or counter-attack an attacker. It will also cover IoT, honeypots, offensive approaches, APTs, malware, counter-attacks and the minimum requirements for protecting devices from "cyber slavery".
"Honeypot 101"
Computing Society, Royal Holloway, University of London
March, 2015
Abstract: How many times have you come across the term “honeypot” in your lectures and textbooks, or in security talks? How much do you know about them? Is a “honeypot” a security tool or a concept? In this presentation, I’ll walk you through the basics of honeypots, discuss their applications, and demonstrate some honeypots used by researchers.
Presenter: Mikael Vingaard, EnergiNet.dk
The goal of having a honeypot (a fake ‘vulnerable’ IT system or service) is to learn more about your attackers and the methods they will use to breach your ICS/SCADA systems – but how can the energy sector actually benefit from using a honeypot?
The Danish information security researcher Mikael Vingaard has used various free open source software packages to deploy ICS/SCADA honeypot systems, and will share his experiences from the research and present interesting findings from the collected information.
The talk will discuss the pros and cons of honeypots, how to use honeypots as an early-warning system, and add some points of interest, seen from the energy sector's perspective, on using honeypot systems.
The presentation will show that gaining access to actual ICS threat intelligence can be done – even in budget-constrained organizations.
Your SCADA system has a vulnerability, now what? I briefly summarize the DNP3 vulnerabilities (and those of other ICS protocols too). Then I focus on the different mitigations that an ICS owner can apply to these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.
Day by day the internet is becoming an essential part of everyone’s life. In India, from 2015 to 2020, the number of internet users increased by 400 million. As technology and innovation advance rapidly, security is the key to keeping things in order. Security and privacy are the biggest concern in the world, whatever the field or domain. Cyber security is no different: security is the biggest concern, with the worry that attacks could happen at any time. So, in this paper, we discuss honeypots comprehensively. The aim is to track hackers in order to analyze and understand attacker behavior and to create a secure system that is sustainable and efficient.
Anoop V Kanavi | Feon Jaison, "Honeypot Methods and Applications", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5, Issue-1, December 2020. URL: https://www.ijtsrd.com/papers/ijtsrd38045.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/38045/honeypot-methods-and-applications/anoop-v-kanavi
Security Onion includes best-of-breed free and open tools including Suricata, Zeek, Wazuh, the Elastic Stack and many others. We created and maintain Security
Learn the 6 practical steps every IT admin should take to ensure SIEM success in your environment. The promise of SIEM is clearly an essential one: better security visibility. Aggregate, correlate, and analyze all of the security-relevant information in your environment so that you can:
• Identify exposures
• Investigate incidents
• Manage compliance
• Measure your information security program
Unfortunately, going from installation to insight with a SIEM is a challenge. Join us for this 45-minute session to learn tricks for getting the most out of your SIEM solution in the shortest amount of time.
The paper covers honeypot (and honeynet) basics and definitions and then outlines important implementation and setup guidelines. It also describes some of the security lessons a company can derive from running a honeypot, based on the author's experience running a research honeypot. The article also provides insights into the techniques of attackers and concludes with considerations useful for answering the question “Should your organization deploy a honeynet?”
Everything you really need to know about IDS (Intrusion Detection Systems) combined with honeypots: deployment and usage techniques used in the past and today; how to set up and deploy onto any network, including the cloud; reasons why this should be used in all networks; and how to bring BIG DATA down to small data that is easy to understand and monitor.
It’s all over the news that data breaches occur daily! I asked WHY these hackers can download terabytes of data over timespans of months without being noticed. What are these companies paying their SOC team millions of dollars for? How come all the money is going to devices to prevent breaches and little to none to detecting when they occur? Don’t people know there are only two types of companies: “those that have been hacked, and those that don’t know they have been hacked”? What can I do to detect a breach within seconds on any network scale? I think I figured it out. In my talk you’ll learn how you and your clients can benefit by applying my exclusive techniques, which I’ve successfully deployed. So the next time you get hacked, the hacker will not be able to steal all those credit cards and photos of that Halloween party.
Slides on honeypots, a cyber security topic. They cover the defense mechanisms, the system principle and the engineering approach, and also include the advantages and disadvantages of honeypots.
ScenarioSummaryIn this lab, you will explore at least one IDS, IP.docx – ronnasleightholm
Scenario/Summary
In this lab, you will explore at least one IDS, IPS, or Honeypot currently offered by product vendors and cloud service providers. You will be making a security recommendation, related to the protection of a target network of your choice.
There are a few different paths you may take in this lab, so let's address some of the distinguishing features and definitions that are out there.
IDS and IPS Overview
· An intrusion detection system (IDS) generally detects and logs known intrusions or anomalous network activity. Generally, no real-time protection actually occurs, therefore false-positives create little or no damage. Optionally, suspicious network traffic can be routed to an alternate network, such as a honeypot.
· An intrusion protection system (IPS) generally detects, logs, and then blocks known intrusions or anomalous network activity. False-positives are an issue and will result in a self-inflicted denial of service condition. Optionally, suspicious network traffic can be routed to an alternate network, such as a honeypot.
Honeypot Overview
· Honeypots come in several broad categories. The most common labels we apply to them are research honeypots, active honeypots, and offensive honeypots. They are designed to do what their label suggests, and here is a brief summary.
Note: Seek qualified legal advice before deploying any type of honeypot.
· Research honeypots generally collect and analyze data about the attacks against a decoy-network. They can also route the attacker to new decoy-networks, to gather more details about the potential attacks. The data gathered are used to understand the attacks and strengthen the potential target networks.
· Active honeypots have many of the features found in a research honeypot, but they also hold special content that, once taken by the attackers, can be used as evidence by investigators and law enforcement. For example, active honeypots may have database servers containing a fake bank account or credit card information.
· Offensive honeypots are configured with many of the features of the active honeypots, with one interesting and dangerous addition: they are designed to damage the attacker. When used outside of your own network, this type of honeypot can result in vigilantism, attacks against false-targets, and may result in criminal charges against the honeypot operators. Offensive honeypots are not recommended for non-law-enforcement organizations. However, when used fully within your own network, this technique can detect and neutralize the attacker.
Any of the above services can be implemented on a privately managed network, or through a cloud service. The selection of one platform over another will generally determine where the specific protection occurs—on your network or in the cloud.
The reason for this lab is to give you an understanding of how special network technology can be used as a security research tool, while also providing varying degrees of protection.
Doc.
When we talk about intrusion, it is presumed either that the intrusion has happened or that it has been stopped by the intrusion detection system. This is all done through the collection of network traffic information at certain points of the network in the digital system; in this way the IDS performs its job of securing the network. There are two types of intrusion detection: the first is misuse-based detection and the second is anomaly-based detection. Detection that uses a data set of known, predefined attacks is called a misuse-based IDS, while anomaly-based IDSs are capable of detecting new attacks that are not in the previous data set of attacks and are based on new heuristic methods. In our hybrid IDS for computer network security we use the Min-Min algorithm together with a neural network in a hybrid method to improve the performance of the higher level of the IDS in the network. Data release is a problem from a privacy point of view, so we first evaluate the training error from the neural network regression state; after that we can obtain the outer sniffer by using the minimum length from the source, which is how we hybridize with Min-Min in the neural network in the hybrid system proposed in our research paper.
Learn all about this biggest leak of sensitive data - ever. And - learn how the hack happened...here's the link for more information: https://www.concise-courses.com/learn/panama-papers-hack/
Learn all about the ever-increasing influence of ISIS and Cyber Terrorism...Although the use of cyberspace by Jihad organizations is not new, ISIS uses the Internet, and primarily social media, more effectively than any other terrorist organization before it. Here's a link for more information: https://www.concise-courses.com/learn/isis-cyber-terror/
Learn how the Silk Road became a multi-million dollar Dark Web & Narcotics platform - that spawned a new industry using encryption within the Dark Web...here's the link to the full course: https://www.concise-courses.com/learn/silk-road/
In this course you'll learn how Brian Krebs, a well-known cyber blogger, first broke the story revealing that a group of hackers known as ’The Impact Team’ had published approx. 40 MB of sensitive internal data stolen from Avid Life Media, the organization that owns Ashley Madison and a number of other dating/hookup services. The data dump included customers’ credit cards and internal documents. From there the situation went ’from bad to worse’, with certain demands made by the hacker(s) ’not met’. For the video course please follow this link here: https://www.concise-courses.com/learn/ashley-madison-hack/
While phishing is an “old-fashioned” cyber security threat, attacks continue to increase. This course will better prepare you to defend against this threat.
What Everybody Ought to Know About PCI DSS and PA-DSS.
Learn how to comply with the training requirements of PCI DSS, protect cardholder data, avoid social engineering and malicious downloads, and update software and anti-virus programs.
Learning Objectives:
James gave us our overview of the following points:
1. Why security is dead and rugged is the new currency.
2. Why automating security tests and putting them in your deployment pipelines is where security can add business value.
3. And, learn more about Gauntlt, the open source framework that helps you accomplish the technical side of automating security tests.
More Hacker Hotshots: http://www.concise-courses.com/
In this Hacker Hotshot Hangout, Jason explains:
1. How web applications are one of the most common ways that business-critical data is made available to users, and as a result, they are also one of the most popular targets for security attacks.
2. How authentication weaknesses in web sites can be particularly disastrous, essentially allowing attackers to walk through your virtual front door to steal your critical information.
This session highlights key techniques that are used for attacking web site authentication, and will provide countermeasures to protect against such attacks.
More Hacker Hotshots: http://www.concise-courses.com/
Nadeem Douba, GWAPT, GPEN currently situated in the Ottawa (Ontario, Canada) valley, Nadeem provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved within the security community for over ten years and has frequently presented talks in his local ISSA chapter, and most recently at DEF CON 20 on the topics of Open Source Intelligence and mobile security. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.
Marcia Hofmann is a senior staff attorney at the Electronic Frontier Foundation, where she works on a broad range of digital civil liberties issues including computer security, electronic privacy, free expression, and copyright. She is also a non-residential fellow at the Stanford Law School Center for Internet and Society and an adjunct professor at the University of California Hastings College of the Law. She tweets about law and technology issues at @marciahofmann.
Adam Baldwin is the Team Lead at Lift Security, a web application security consultancy, and the Chief Security Officer at &yet (andyet.net). He at one time possessed a GCIA and CISSP. Adam is a highly knowledgeable information security expert who created the DVCS pillaging toolkit and helmet, the security header middleware for node.js, is a minor contributor to the W3AF project, and has previously spoken at DEF CON, Toorcon, Toorcamp, DjangoCon, and JSconf.
In this Hacker Hotshot Hangout John explains:
1. Key considerations when creating a risk aware and security conscious culture
2. How to use risk management as a concept and tool to remove the fear of security in organizations
3. The value and benefits of developing an information risk profile
4. Understanding the current behaviors of organizations and why they exist in regard to information security
5. Effective approaches to change behaviors and culture within organizations
6. How to leverage users effectively as a beneficial asset in supporting risk management and security activities
7. How to use threat and vulnerability analysis to identify and educate organizations on the highly probable and business-impacting threats that can affect them
8. Using control objectives as an approach to effectively manage information risk in a way that will be embraced by organizations.
For more Hacker Hotshots, please visit: http://www.concise-courses.com/
Advanced Threat Detection in ICS – SCADA Environments
Section 1
1.0 Introducing Honeypots!
In computer terminology, a honeypot is a purposely designed trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of networks and systems - in this case, SCADA systems.
A honeypot typically consists of data, or a network site, that appears to be part of the organization’s network but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
Think of a honeypot in the same way the police would bait a criminal and then conduct undercover surveillance.
1.1 The Myriad of Honeypots
There are, essentially, 5 types of honeypots:
1. Production Honeypots – Production honeypots are easy to use, but capture only limited information.
2. Research Honeypots – Research honeypots gather information about the motives and tactics of hackers targeting different networks.
3. Pure Honeypots – Pure honeypots are fully-fledged production systems. The activities of the attacker are monitored by using a trap that has been installed on the honeypot’s network link.
4. High-Interaction Honeypots – High-interaction honeypots imitate the activities of production systems that host a variety of services and, therefore, attackers may be allowed access to services in order to waste their time.
5. Low-Interaction Honeypots – Low-interaction honeypots simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, reducing the complexity of the virtual system’s security.
1.2 What do Honeypots Discover?
• Malware
• Illegal scans & probes
• Illicit behaviors & bad actors
• Misconfigurations & inadvertent exposures
• Noisy components, polling & unexpected protocols
• Poking around in file shares & data repositories
1.3 Honeypots Summary
Conceptually, almost all honeypots work the same.
They are resources that have no authorized activity and do not have any production value. Theoretically, a honeypot should see
no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or
malicious activity.
Any connection attempt to a honeypot is most likely a probe, attack, or compromise. While this concept sounds very simple (and it is), it is this very simplicity that gives honeypots their tremendous advantages.
Section 2
2.0 Honeypot Pros
• Low noise, high value data
• May create additional time for defense
• Easy, passive visibility in difficult networks
• No choke point or fail state issues for ICS & SCADA
• Can be creatively used to establish deep, nuanced detection capability through #FAIL modeling
2.1 Honeypot Cons
• Limited view, NOT a complete detection solution
• Increased risk if vulnerabilities exist in the honeypot software
• Added complexity, more to patch & manage
• High interaction requires extensive forensics skills & data analysis
• Monitoring is still required & many tools only log locally
2.2 Low Interaction vs High Interaction (Honeypots)
If you are researching security solutions for a SCADA/ ICS system then you will likely come across these statements:
- A high-interaction honeypot simulates all aspects of an operating system.
- A low-interaction honeypot simulates only some parts, for example the network stack.
2.3 Low Interaction Honeypots For Detection
Low Interaction Honeypots are favored by many due to their ability to:
• Emulate basic services & deployments
• Capture attacker interaction and frequency
• Give insight into the attacker’s capability
• Be easily maintained
• Collect and analyze attack data
Low-interaction honeypots simulate only services that cannot be exploited to get complete access to the honeypot.
Low-interaction honeypots are more limited, but they are useful to gather information at a higher level, e.g., learn about network
probes against your SCADA system.
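As an added illustration of sections 1.3 and 2.3 (this is example code, not part of the course and not MicroSolved's HoneyPoint), the block below is a minimal low-interaction honeypot: it answers a fake login banner on a port nobody should be using, records each contact as one JSON line, and then applies the reduction that makes honeypot data "low noise, high value": repeated contacts from one source to one port are collapsed into a single alert with a count, and sources outside the assumed internal ranges are flagged. The port numbers, the log format, the internal ranges and the sample log lines are constructed assumptions.

```python
# Added example, not code from the course or from MicroSolved's HoneyPoint.
# A minimal low-interaction TCP honeypot plus an analysis pass over its log.
# Port numbers, JSON log format, internal ranges and sample data are constructed.
import ipaddress
import json
import socket
import sys
import threading
import time
from collections import Counter
from dataclasses import asdict, dataclass

@dataclass(frozen=True)
class HoneypotEvent:
    ts: float         # unix time of the contact
    src_ip: str       # who connected
    dst_port: int     # which fake service they touched
    first_bytes: str  # hex of whatever the client sent first (may be empty)

def to_log_line(ev):
    return json.dumps(asdict(ev), sort_keys=True)

def parse_log_line(line):
    d = json.loads(line)
    return HoneypotEvent(float(d["ts"]), d["src_ip"], int(d["dst_port"]), d["first_bytes"])

def handle_client(conn, src_ip, dst_port, banner):
    """Send a fake banner, keep the client's first bytes, hang up: nothing real is behind the port."""
    with conn:
        conn.settimeout(2.0)
        try:
            conn.sendall(banner)
            data = conn.recv(64)
        except OSError:  # timeout or reset: still a contact worth recording
            data = b""
    return HoneypotEvent(time.time(), src_ip, dst_port, data.hex())

def run_listener(bind_ip, port, banner, sink, stop_event):
    """Accept connections until stop_event is set; one JSON line per contact goes to sink."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen(5)
        srv.settimeout(0.5)  # wake up periodically to check stop_event
        while not stop_event.is_set():
            try:
                conn, (src_ip, _) = srv.accept()
            except socket.timeout:
                continue
            sink.write(to_log_line(handle_client(conn, src_ip, port, banner)) + "\n")
            sink.flush()

# Assumption: the site's internal address ranges; any other source is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def collapse(events, window=300.0):
    """Reduction step: repeated contacts from one source to one port within `window` seconds
    become a single alert carrying a count, so a scan is one alert rather than hundreds."""
    alerts, latest = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src_ip, ev.dst_port)
        cur = latest.get(key)
        if cur is not None and ev.ts - cur["last_seen"] <= window:
            cur["count"] += 1
            cur["last_seen"] = ev.ts
            continue
        cur = {"src_ip": ev.src_ip, "dst_port": ev.dst_port, "first_seen": ev.ts,
               "last_seen": ev.ts, "count": 1, "external": not is_internal(ev.src_ip)}
        alerts.append(cur)
        latest[key] = cur
    return alerts

def summarize(alerts):
    """Who touched the honeypot, which fake services, and which sources were not ours."""
    return {
        "total_contacts": sum(a["count"] for a in alerts),
        "by_source": Counter(a["src_ip"] for a in alerts),
        "by_port": Counter(a["dst_port"] for a in alerts),
        "external_sources": sorted({a["src_ip"] for a in alerts if a["external"]}),
    }

def analyze(log_text, window=300.0):
    events = [parse_log_line(l) for l in log_text.splitlines() if l.strip()]
    return summarize(collapse(events, window))

# Constructed sample log: 203.0.113.7 (a documentation address standing in for an Internet host)
# probes the fake telnet port repeatedly; two internal hosts touch the honeypot once each.
SAMPLE_LOG = """
{"dst_port": 23, "first_bytes": "fffd01", "src_ip": "203.0.113.7", "ts": 1000.0}
{"dst_port": 23, "first_bytes": "", "src_ip": "203.0.113.7", "ts": 1030.0}
{"dst_port": 23, "first_bytes": "726f6f740d0a", "src_ip": "203.0.113.7", "ts": 1055.0}
{"dst_port": 502, "first_bytes": "000100000006", "src_ip": "10.0.0.5", "ts": 1200.0}
{"dst_port": 23, "first_bytes": "", "src_ip": "192.168.1.20", "ts": 1300.0}
{"dst_port": 23, "first_bytes": "", "src_ip": "203.0.113.7", "ts": 5000.0}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # `python honeypot.py 2323` listens on that port, logging to stdout
        run_listener("0.0.0.0", int(sys.argv[1]), b"login: ", sys.stdout, threading.Event())
    else:
        print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run it with a port argument to listen; with none it analyses the embedded sample log, which collapses six contacts into four alerts and flags the one non-internal source. The listener only serves a banner and reads at most 64 bytes, so there is no real service to reach through it, which is the low-interaction property section 2.3 describes; the internal-versus-external tag is what separates an Internet-sourced probe from a local misconfiguration or noisy component (section 1.2).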
Section 3
3.0 Honeypot Maturity Model
Working effectively with honeypots requires understanding the following steps:
Step 1: Proof of concept phase
Exploration, admin personnel use, planning, fail state analysis, strategy development, tool selection, prototyping and lab deployments, scoping and permission analysis.
Step 2: Basic visibility phase
Simple honeypot deployments, document and socialize processes, demonstrate ROI, basic detections and data flow profiling.
Step 3: Advanced visibility phase
Expanded honeypot presence, exploration of other formats, projection into partner and business networks, growing focus on nuance detections, sting operations, DNS blackholing and threat encounter reduction techniques.
Step 4: Intelligence and analytics phase
Integration with risk assessment, pro-active studies and intelligence gathering, deeper fail-state monitoring, risk and threat modeling for better decision making, metrics development techniques.
Section 4
4.0 Honeypots as Intelligence and Analytics Tools
Once the basics of honeypots are understood and the management teams are comfortable with honeypot
techniques, then organizations can use honeypots as intelligence gathering tools (exposing them to the
Internet to determine threat sources, establish blacklists, understand potential network changes, etc.).
Honeypots can also be quickly deployed during incidents to grab better intelligence and analytics around
attacker intent, capabilities and focus. “What If” scenarios can be empowered to gather real world metrics for risk assessments, initiatives and funding choices — essentially they can be key in providing data for metrics-based decision making.
4.1 Socializing Honeypot Data
Advanced users of honeypots should have a methodology for socializing data gathered via honeypot mechanisms. This should include delivering raw data for indicator of compromise analysis to their incident response teams, trend data to their risk assessment teams and a summary of threat activity to management and the board.
By using threat data gathered from honeypots judiciously and effectively, organizations can begin to reduce decision making at all critical levels that is driven by FUD, emotional feelings and non-metric data. By bringing real-world data gathered from honeypots to the decision makers, decision accuracy and rational approaches should begin to prevail, leading to organic maturity and process improvements throughout the information security program.
Section 5
5.0 How To Use Honeypots Inside SCADA/ ICS Environments
Over the past 14 years, honeypots have moved into the mainstream and are now part of the detective and “defence in depth”
capability for ICS and SCADA networks.
Typically, organizations have adopted one of two strategies. The first is an “enclaved” honeypot strategy, used where the SCADA network has been separated from the business network: organizations create fake SCADA components and expose them to the business network. The second is deploying honeypots inside the ICS and SCADA network itself (for example, in control units, inside operational segments, and even all the way to the pole).
Section 6
6.0 The Maturity Stack (Phase 1 of 4)
In developing this course, we asked SCADA honeypot expert, Brent Huston (CEO at Microsolved), how organizations can determine
where they are in the maturity stack. Microsolved’s “Honeypot Maturity Model” breaks the maturity stack into 4 bands.
“You’ve got the folks that are still… stuck back in the 90’s and 2000’s. Either they’re not using honeypots, or they’re still in the proof of concept phase. These folks might be playing with honeypot data, but they haven’t systemically started to deploy the tool set. They’re using it maybe ‘ad hoc’ as a result of an incident,” says Brent.
Phase 1 organizations typically depend on log monitoring and traditional NIDS (Network Intrusion Detection Systems), i.e. they operate in high noise, low signal environments.
6.1 The Maturity Stack (Phase 2 of 4)
Phase 2 of the “Honeypot Maturity Model” is called the “Basic Visibility Phase”. Organizations use simple honeypot deployments, including fake web servers and/ or applications in the business network. In some cases, organizations have exposed a degree of simulated SCADA to the business network.
Phase 2 organizations will most likely start to realize the benefits of honeypot deployment, including the ease with which honeypots can be dropped in and managed.
6.2 The Maturity Stack (Phase 3 of 4)
Phase 3 is the “Advanced Visibility Phase”. Organizations start to be creative with their honeypot deployment and move away from ONLY using honeypots for business network monitoring.
As Brent Huston explains, Phase 3 organizations say, “Okay, I have this problem: I lacked visibility in this phase of the network.” So they start to deploy honeypots where they don’t have visibility and begin using different honeypot formats in order to launch sting operations and/ or black holing, i.e. discarding packets in a network based on some criterion.
6.3 The Maturity Stack (Phase 4 of 4)
About 20% of organizations that use and leverage honeypot techniques in ICS and SCADA go on to the fourth phase of Microsolved’s model, the “Intelligence And Analytics Phase”. Organizations start to leverage their Phase 3 exploratory capability and begin launching proactive studies.
For example, if an organization has a risk assessment finding that shows potential exposure to the Internet (via Shodan), then they pull those systems down and replace them with fake systems. Now, instead of interacting with an actual ICS component, whoever comes looking interacts with the honeypot, which the organization uses to gather intelligence, including answers to questions such as “Who was looking at our network?” and “What were they intending to do?”
Phase 4 organizations feed that data back into their threat modelling processes and start to move those processes away from gut feeling towards data focused, data centric information. Microsolved calls it “real-world or rational data threat modelling and rational risk assessment”.
Section 7
7.0 Communication Challenges
The first challenge to SCADA honeypot deployment is understanding the data, and communicating the issues effectively. Simply put, the data that comes from a honeypot is ‘all suspicious at best, and all malicious at worst’!
This is an entirely different context from the data points that organizations receive from log aggregation or network intrusion detection, for example, where there is a large possibility of false positives.
If organizations’ risk assessment and threat modelling processes don’t include tools that can effectively translate honeypot data quality, then those processes will be impacted.
So it’s critical to understand that if organizations are going to take honeypot data and roll it into data focused modelling, then they must have a data maturity, data quality model to help them achieve that goal, because honeypot data is extremely high quality (i.e. high believability).
As Microsolved CEO, Brent Huston states, “So we really want to tackle that and make sure that when we’re communicating this into
threat modelling and to risk assessment folks, or the auditor folks when they come in, that we’re talking specifically about tools that
are high data quality and that need to be balanced with some sort of reduction mechanism, and normalize that against what is normally
noisy data”.
7.1 The Maturity Stack Challenges - Socializing Honeypot Data
The second big challenge that organizations face is socializing honeypot data, i.e. how to go to management and say, “I’m going to set up these fake systems and I’m going to let them be attacked. Their whole purpose in life will be to be attacked, so that I can grab the indicators of compromise and feed that back in order to make the incident response and risk assessment”.
Organizations that have succeeded with this challenge are able to
demonstrate that the indicators of compromise delivered by
honeypots speed up the incident response process.
In other words, demonstrate the ability to achieve better and
faster incident response. More effective and quicker incident
response are quantifiable metric-driven decision points that
professionals can back-up with data.
The second benefit honeypots yield is a data set, i.e. empirical information on what is actually happening, that professionals can use to cut right through FUD. So if an organization has a historic, non-metric focused data plan, if their security initiative is based on fear, uncertainty and doubt, and they want to move towards rational data focused decision-making, then honeypot data becomes an excellent knife to slice off all that fear, uncertainty and doubt and say, “okay, we always thought this was the case, and it is the case, because the data backs it up”. Or, “we always thought this was the case and we’re just not seeing that, so we should pull the resources off X and focus them on Y”.
Organizations that socialize that honeypot data properly are the ones that really succeed in taking their security posture to the next level.
Section 8
8.0 Honeypot Case Studies
You don’t have to look very far to see utility organizations that are not monitoring properly. Whether it’s ICS/ SCADA tampering, targeting, infiltration or removal of intellectual property, these attacks are in the headlines every day. With that said, Brent Huston, CEO at Microsolved, shares two case studies where honeypot technology has paid off.
The first case study Brent offered took place during an indirect threat. Brent told us: “So it had nothing to do with a bad guy sitting on the other end of the keyboard hammering away, trying to break in, but we were simply in the initial deployment phase when we started to see activity from the Internet on a telnet port to a number of honeypots that we’d just deployed”.
After the network admins confirmed that they did not route telnet traffic in the ICS environment, Microsolved decided to look at the firewall and router rules. What they found was one particular firewall rule: a temporary rule had been set up to allow company X to come in for 30 days and manage “2 IPs on port 23”, which reached the telnet port. But when they looked at that firewall rule, they found out that it was mis-keyed and the entire network was open to port 23 traffic, and it had been that way for several years!
In another example, Brent shares a case study with direct interaction with the attacker: “So during an incident response program we were working through a breach. The breach had occurred in the business network”. Microsolved quickly set up a couple of its honeypot appliances and essentially seeded them into one of the conversation streams.
“We quickly, within 24 hours, watched them move against that environment. Tracked what they were looking for. Offered up some fake (Trojanized) data, which they quickly took. Microsolved watched the data move out of the network and saw it opened in various parts of the world.”
“So we were able to identify their sources, shut them down, but also feed back into the intelligence process and discover what their intent and capabilities were”.
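The mis-keyed, never-expired rule in the first case study is the kind of defect a periodic rule audit catches before a honeypot has to. As an added example (not the course's or MicroSolved's code), the block below checks a simple rule table for the two things that went wrong there: an allow rule that exposes a remote-administration port to far more sources than an exception for "2 IPs" should, and a temporary exception that has outlived its 30-day window. The rule format, the admin port list, the host threshold and every sample rule are constructed assumptions.

```python
# Added example, not code from the course or from MicroSolved. Audits a constructed
# firewall rule table for (a) remote-admin ports reachable from overly broad source
# ranges and (b) temporary exceptions that have outlived their window.
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: remote-administration ports that should never be broadly reachable.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}
# Assumption: an admin exception covering more source hosts than this is suspect.
MAX_ADMIN_SRC_HOSTS = 16

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # source prefix in CIDR form
    dst_port: int
    action: str              # "allow" or "deny"
    created: date
    ttl_days: Optional[int]  # None means the rule is meant to be permanent

Finding = Tuple[str, str, str]  # (rule name, finding type, detail)

def rule_findings(rule: Rule, today: date) -> List[Finding]:
    """Findings for one rule; deny rules never expose anything, so they are skipped."""
    out: List[Finding] = []
    if rule.action != "allow":
        return out
    net = ipaddress.ip_network(rule.src, strict=False)
    svc = ADMIN_PORTS.get(rule.dst_port)
    if svc and net.num_addresses > MAX_ADMIN_SRC_HOSTS:
        out.append((rule.name, "broad-source",
                    f"{svc} (tcp/{rule.dst_port}) reachable from {net} ({net.num_addresses} addresses)"))
    if rule.ttl_days is not None:
        expires = rule.created + timedelta(days=rule.ttl_days)
        if today > expires:
            out.append((rule.name, "expired-exception",
                        f"temporary rule expired {(today - expires).days} days ago"))
    return out

def audit(rules: List[Rule], today: date) -> List[Finding]:
    findings: List[Finding] = []
    for r in rules:
        findings.extend(rule_findings(r, today))
    return findings

# Constructed rule table. "vendor-telnet-intended" is what the 30-day exception should
# have been (two vendor hosts); "vendor-telnet-miskeyed" is what was actually entered.
SAMPLE_RULES = [
    Rule("vendor-telnet-intended", "198.51.100.10/31", 23, "allow", date(2011, 3, 1), 30),
    Rule("vendor-telnet-miskeyed", "0.0.0.0/0", 23, "allow", date(2011, 3, 1), 30),
    Rule("historian-https", "10.20.0.0/24", 443, "allow", date(2012, 6, 15), None),
    Rule("default-deny-telnet", "0.0.0.0/0", 23, "deny", date(2010, 1, 1), None),
]

def audit_sample(today: date = date(2014, 1, 10)) -> List[Finding]:
    return audit(SAMPLE_RULES, today)

if __name__ == "__main__":
    for name, kind, detail in audit_sample():
        print(f"{name}: {kind}: {detail}")
```

On the sample table the mis-keyed rule produces both findings and the intended rule produces only the expiry finding; run the same audit again with a date inside the 30-day window and the intended rule is clean. Pairing a check like this with honeypot alerts is what the case study did by hand: the honeypot showed telnet arriving where none should, and the rule table explained why.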
Section 9
9.0 HoneyPoint Managed Services
Microsolved, a leader in effective Honeypot management, designed ‘HoneyPoint.’ The Honeypoint strategy is simple, yet effective.
The HoneyPoint Security Server Console includes three specific managed services that can help a SCADA/ ICS organization:
1. HoneyPoint Agents
2. HoneyPoint Wasp
3. HoneyPoint Web
9.1 HoneyPoint Agents
HoneyPoint Agent has HoneyPoints that are flexible pseudo-server applications, able to emulate thousands of real services such
as web, email, database systems and others. Since these pseudo-services are not real applications, there is no reason for anyone to
interact with them in any way. Thus, once deployed, any activity to a HoneyPoint is, by default, suspicious. Since attackers do their
work by scanning for and examining services looking for vulnerabilities, the HoneyPoints lie in wait, trapping the attacker in the act
of doing the exact thing that attackers seek to do — find vulnerable services.
9.2 HoneyPoint Wasp
HoneyPoint Wasp monitors Windows systems for new applications running that it has not seen before (white-listing detection), including new listening network ports, modification of selected files in the file system, DNS poisoning attacks, direct probes against the system from the network and changes in user accounts.
With HoneyPoint Wasp, the asset owner would receive an alert whenever a new piece of code runs. It is self-tuning: no updates, no
signatures. Finally, it has central visibility meaning there are no pop-up alerts for the end-user which mean no help desk calls.
HoneyPoint Wasp on Windows jump hosts works beautifully. It searches for changes to sensitive files, modifications of configuration, new processes running that are not known to you and even changes in user and admin populations, all of which are common signs of a successful attack. In other words, your team gets a level of visibility and defensive capability not commonly available to them in the past.
9.3 HoneyPoint Web
HoneyPoint Web is an immersive, adaptive, customizable web application with focused intelligence gathering and human detection. It is an entirely emulated web portal that emulates remote activity to the SCADA system. It can also emulate a fake human machine interface (HMI). It can be placed anywhere around the perimeter of the SCADA, on the Internet, or in the business network so you can tell when someone is poking or prodding and trying to get to the SCADA system when they shouldn’t be.
When an alert comes through HoneyPoint Web, there is a certainty that an attacker is attempting to breach the system. You will be
able to see the credentials they are using, what they know about the system, and take appropriate measures to stop them.
It is important to note that honeypots are not a solution in themselves. They are a tool. How much they can help you depends upon
what you are trying to achieve.
Section 10
10.0 Brent Huston, CEO and Founder, Explains HoneyPoint Managed Services
Our clients were the inspiration behind Managed HoneyPoint. Many have come to really love the simple, effective security that HoneyPoint brings, but were hesitant to take on another product to manage in their environments. Even with the “no noise approach” that HoneyPoint leverages, we found that they really wanted all of the benefits without needing to manage the product. Thus, that is exactly what Managed HoneyPoint provides.
It allows folks to work with our team of certified HoneyPoint administrators and engineers to deploy the software, virtual decoy hosts or soon, the HoneyPoint appliances in their networks, then have MSI completely manage the console portion of the product to provide real-time security event alerting and reporting to them on an ongoing basis.
The most obvious way HoneyPoint Managed Services helps an organization is to free them from the alerting avalanches they are likely getting today from traditional security monitoring tools.
As we have been discussing for years now, HoneyPoint doesn’t create false positives, requires no ongoing tuning and can become a powerful mechanism for allowing security teams to focus only on the most serious events that create risk in their environment.
10.0 Brent Huston, CEO and Founder, Explains HoneyPoint Managed Services continued
For smaller organizations who may have little technical expertise onsite or only a basic IT staff, it can give them security visibility
to identify malware outbreaks, scans and probes against the network and other dangerous behaviors without needing a full time
administrator to manage the tool. Customers routinely remark that they often forget that HoneyPoint is even deployed on their
network until the few times it alerts them to the presence of something truly bad going on. Users of HoneyPoint talk about just how
capable the tool is and how it has changed their security teams’ focus from analyzing several thousand network IDS alerts per day
to handling about four true HoneyPoint incidents per year. They claim they were getting much better security with a whole lot less
work — and that is exactly why we created HoneyPoint in the first place!
HoneyPoint Managed Services cuts through the noise and makes identifying true threats simpler and easier. That frees up your team’s resources so they can focus on other projects. A true “win-win” for all.
What is included in Managed HoneyPoint?
Customers who purchase Managed HoneyPoint receive phone support for the HoneyPoint installs and configurations, ongoing alerting via email and monthly event reporting via email.
Users can also take advantage of discounted rates for incident response, investigation, threat analysis and forensics, should they
ever require those services.
Is outsourcing expensive?
Actually, no. For small to mid-size organizations, they can likely get started for less than a
hundred dollars per month! Managed HoneyPoint is priced per host where HoneyPoint is
deployed.
You can deploy the product as software on your existing hosts, build a special physical host to house the HoneyPoints (as in ScatterSensing), use our virtual (VMWare) decoy host appliance or deploy our physical mini-appliance device. You can even mix and match these in any combination.
What is the difference between purchasing HoneyPoint Security Server and Managed
HoneyPoint Security Server is the software package that the Managed Services is based upon. Users who purchase the HoneyPoint
product get the full applications, the console application in addition to the capability to deploy and manage the devices as needed.
However, they will need to manage the console, create their own reports, etc.
The Managed Service model allows the customer to buy the capability as a service instead of as a software product and offload the management of the console to MSI. For a low monthly obligation/ fee/ assessment, users get all of the power of HoneyPoint, without the need to manage or interact with the console in any way.
Users receive alerts and reports over email and, instead of going to the console for more information, simply place a call to a HoneyPoint administrator. In addition, for both types of HoneyPoint users, MSI offers both phone and email support for incident response and threat handling, plus onsite incident response support and forensics, if needed, all at rates discounted from MicroSolved’s normal “street” rate for those services!