Advanced Threat Detection in ICS – SCADA Environments

Advanced Threat Detection in ICS – SCADA Environments
Section 1
In computer terminology, a honeypot is a purposely designed trap set to detect, deflect, or, in
some manner, counteract attempts at unauthorized use of networks and systems - in this case,
SCADA systems.
A honeypot typically consists of data, or a network site that appears to be part of the
organization’s network, but is actually isolated and monitored, and which seems to contain
information or a resource of value to attackers.
Think of a honeypot in the same way the police would bait a criminal and then conduct under-
cover surveillance.
1.0 Introducing Honeypots!

Section 1
1.1 The Myriad of Honeypots
There are, essentially, 5 types of Honeypots:
Production Honeypots
Production honeypots are easy to use, but capture only limited information.
Research Honeypots
Research honeypots gather information about the motives and tactics of hackers targeting different networks.
Pure Honeypots
Pure honeypots are fully-fledged production systems. The activities of the attacker are monitored by using a trap that has been
installed on the honeypot’s network link.
High-Interaction Honeypots
High-interaction honeypots imitate the activities of the production systems that host a variety of services and, therefore,
attackers may be allowed access to services in order to waste his or her time.
Low-Interaction Honeypots
Low-interaction honeypots simulate only the services frequently requested by attackers. Since they consume relatively few
resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time,
and less code is required, reducing the complexity of the virtual system’s security.
1
2
3
4
5

Section 1
1.2 What do Honeypots Discover?
• Malware
• Illegal scans & probes
• Illicit behaviors & bad actors
• Misconfigurations & inadvertent exposures
• Noisy components, polling & unexpected protocols
• Poking around in file shares & data repositories
1.3 Honeypots Summary
Conceptually, almost all honeypots work the same.
They are resources that have no authorized activity and do not have any production value. Theoretically, a honeypot should see
no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or
malicious activity.
Any connection attempts to a honeypot are most likely a probe, attack, or compromise. While this concept sounds very simple
(and it is), it is this very simplicity that give honeypots their tremendous advantages.

Section 2
2.0 Honeypot Pros
2.0 Honeypot Cons
• Low noise, high value data
• May create additional time for defense
• Easy, passive visibility in difficult networks
• No choke point or fail state issues for ICS & SCADA
• Can be creatively used to establish deep, nuanced detection capability through
#FAIL modeling
• Limited view, NOT a complete detection solution
• Increase risk if vulnerabilities exist in the software
• Add complexity, more to patch & manage
• High interaction requires extensive forensics skills & data analysis
• Monitoring is still required & many tools only log locally
PRO’s
CON’s

Section 2
2.2 Low Interaction vs High Interaction (Honeypots)
If you are researching security solutions for a SCADA/ ICS system then you will likely come across these statements:
- A high-interaction honeypot simulates all aspects of an operating system.
- A low-interaction honeypot simulates only some parts, for example the network stack.
2.3 Low Interaction Honeypots For Detection
Low Interaction Honeypots are favored by many due to their ability to:
• Emulate basic services & deployments
• Capture attacker interaction and frequency
• Give insight into the attackers capability
• Be easily maintained
• Collect and analyze attack data
Low-interaction honeypots simulate only services that cannot be exploited to get complete access to the honeypot.
Low-interaction honeypots are more limited, but they are useful to gather information at a higher level, e.g., learn about network
probes against your SCADA system.

Section 3
3.0 Honeypot Maturity Model
Working effectively with Honeypots requires understanding the following steps:
Exploration, admin personnel use, planning, fail state analysis, strategy development, tool selection, prototyping and lab deployments,
scoping and permission analysis.
Simple honeypots deployments, document and socialize processes, demonstrate ROI, basic detections and data flow profiling.
Expanded honeypot presence, exploration of other formats, projection into partner and business networks, growing focus on nuance detec-
tions, sting operations, DNS blackholing and threat encounter reduction techniques.
Integration with risk assessment, pro-active studies and intelligence gathering, deeper fail-state monitoring, risk and threat modeling for
better decision making, metrics development techniques.
Step 1: Proof of concept phase
Step 2: Basic visibility phase
Step 3: Advanced visibility phase
Step 4: Intelligence and Analytics Phase

Section 4
4.0 Honeypots as Intelligence and Analytics Tools
Once the basics of honeypots are understood and the management teams are comfortable with honeypot
techniques, then organizations can use honeypots as intelligence gathering tools (exposing them to the
Internet to determine threat sources, establish blacklists, understand potential network changes, etc.).
Honeypots can also be quickly deployed during incidents to grab better intelligence and analytics around
attacker intent, capabilities and focus. “What If” scenarios can be empowered to gather real world metrics
for risk assessments, initiatives and funding choices — essentially they can be key in providing data for met-
rics-based decision making.
4.1 Socializing Honeypot Data
Advanced users of honeypots should have a methodology for socializing data gathered via honeypot mechanisms. This should in-
clude delivering raw data for indicator of compromise analysis to their incident response teams, trend data to their risk assessment
teams and summary of threat actives to management and the board.
By using threat data gathered from honeypots judiciously and effectively, organizations can begin to reduce decision making at all
critical levels where decisions are focused on FUD, emotional feelings and non-metrics focused data. By bringing real-world data
gathered from honeypots to the decision makers, decision accuracy and rational approaches should begin to prevail, leading to or-
ganic maturity and process improvements throughout the information security program.

Section 5
5.0 How To Use Honeypots Inside SCADA/ ICS Environments
Over the past 14 years, honeypots have moved into the mainstream and are now part of the detective and “defence in depth”
capability for ICS and SCADA networks.
Typically, organizations have adopted one of two strategies: either an “enclaved” honeypot strategy, i.e. where the SCADA network
has been separated from the business network. In this scenario, organizations create fake SCADA components and expose them to
the business network.
Or, deploying honeypots inside the ICS and SCADA (for example, in control units, inside operational segments, and even all the way
to the pole).

Section 6
6.0 The Maturity Stack
In developing this course, we asked SCADA honeypot expert, Brent Huston (CEO at Microsolved), how organizations can determine
where they are in the maturity stack. Microsolved’s “Honeypot Maturity Model” breaks the maturity stack into 4 bands.
“You’ve got the folks that are still… stuck back in the 90’s and 2000’s. Either they’re not using honeypots, or they’re still in the proof
of concept phase. These folks might be playing with honeypot data, but they haven’t systemically started to deploy the tool set.
They’re using it maybe “ad hoc” as a result of an incident”, says Brent.
Phase 1 organizations typically depend on log monitoring and traditional NIDS, (Network Intrusion Detection Systems), i.e. in high
noise, low signal environments.
Phase 2 of the “Honeypot Maturity Model” is called the “Basic Visibility Phase’” Organizations use simple honeypot deployment,
including fake web servers and/ or applications in the business network. And in some cases, organizations have exposed a degree of
simulated SCADA to the business network.
Phase 2 organizations will most likely start to realize the benefits of honeypot deployment, including the ease with which they can
be dropped and managed.
Phase 1 of 4
Phase 2 of 4

Section 6
Phase 3 is the “Advanced Visibility Phase”. Organizations start to be creative with their honeypot deployment. Organizations move
away from ONLY using honeypots for business network monitoring.
As Brent Huston explains, Phase 3 organizations say, ‘Okay I have this problem, I lacked visibility in this phase of the network. So they
start to deploy honeypots where they don’t have visibility and begin using different honeypot formats in order to launch sting operations
and/ or black holing, i.e. discarding packets in a network based on some criterion.’
About 20% of organizations that use and leverage honeypot techniques in ICS and SCADA go on to the fourth phase of
Microsolved’s model, the “Intelligence And Analytics Phase”. Organizations start to leverage their Phase 3 exploratory capability, and
begin launching proactive studies.
For example, if an organization has a risk assessment finding that shows potential exposure to the Internet (via Shodan), then they
pull those systems down, replace them with fake systems, and now instead of interacting with an actual ICS component, they’re
using the honeypot to gather intelligence, including getting answers to questions such as: “Who was looking at our network?”. And
“What were they intending to do?”
Phase 4 organizations feed that data back into their threat modelling processes and start to move those processes away from gut
feeling, to more data focused, data centric information. Microsolved call it “real-world or rational data threat modelling and rational
risk assessment”.
Phase 3 of 4
Phase 4 of 4

Section 7
7.0 Communication Challenges
The first challenge to SCADA honeypot deployment is understanding the
data, and communicating the issues effectively. Simply put, the source of
the data that comes from a honeypot is ‘all suspicious at best, and all
malicious at worst’!
Now, this varies and has an entirely different context than the data points
that organizations receive from log aggregation or network intrusion
detection, for example, where the huge possibility of false positives exist.
If organizations risk assessment and threat modelling processes don’t in-
clude tools that can effectively translate honeypot data quality, then their
risk assessment and threat modelling processes will be impacted.
So it’s critical to understand that if organizations are going to take honeypot data and roll it into data focused modelling, then they
must have a data maturity, data quality model to help them achieve that goal because honeypot data is extremely high quality (i.e.
high believability).
As Microsolved CEO, Brent Huston states, “So we really want to tackle that and make sure that when we’re communicating this into
threat modelling and to risk assessment folks, or the auditor folks when they come in, that we’re talking specifically about tools that
are high data quality and that need to be balanced with some sort of reduction mechanism, and normalize that against what is normally
noisy data”.

Section 7
7.1 The Maturity Stack Challenges - Socializing Honeypot Data
The second big challenge that organizations face is socializing hon-
eypot data, i.e. how to go to management and say, “I’m going to set
up these fake systems and I’m going to let them be attacked. Their
whole purpose in life will be to be attacked, so that I can grab the
indicators of compromise and feed that back in order to make the
incident response and risk assessment”.
Organizations that have succeeded with this challenge are able to
demonstrate that the indicators of compromise delivered by
honeypots speed up the incident response process.
In other words, demonstrate the ability to achieve better and
faster incident response. More effective and quicker incident
response are quantifiable metric-driven decision points that
professionals can back-up with data.
The second benefit honeypots yield is a data set, i.e. empirical
information on what is actually happening, that professionals can
use to cut right through FUD. So if an organization has a historic,
non-metric focused data plan, if their security initiative is based on fear, uncertainty and doubt, and they want to move towards ra-
tional data focused decision-making, then honeypot data becomes an excellent knife to slice off all that fear, uncertainty and doubt
and say, “okay we always thought this was the case, and it is the case, because the data backs it up’. Or, ‘we always thought this was the
case and we’re just not seeing that, so we should pull the resources off X and focus them on Y”.
Organizations that socialize that honeypot data properly, are the ones that really succeed in taking their security posture to the next
level.

Section 8
8.0 Honeypot Case Studies
You don’t have to look very far to see utility organizations that are not monitoring properly.
Whether it’s ICS/ SCADA tampering, targeting, infiltration or removal of intellectual property,
there attacks are in the headlines every day. With that said, Brent Huston, CEO at Microsolved
shares two case studies where honeypot technology has paid off.
The first case study Brent offered took place during an indirect threat. Brent told us “So it had
nothing to do with a bad guy sitting on the other end the keyboard hammering away, trying to
break in, but we were simply in the initial deployment phase when we started to see activity from
the Internet on a telnet port to a number of honeypots that we’d just deployed”.
After the network admin’s confirmed that they did not route telnet traffic in the ICS environ-
ment, Microsolved decided to look at the firewall and router rules, and what they found was
one particular firewall rule, where a temporary rule had been set up to allow company X to
come in for 30 days and manage “2 IP’s on port 23”, which reached the telnet port. But when you
looked at that firewall rule, they found out that it was miss-keyed and the entire network was
open to port 23 traffic, and it had been that way for several years!
In another example, Brent shares a case study with direct interaction with the attacker: “So during an incident response program we
were working through a breach. The breach had occurred in the business network”. Microsolved quickly set up a couple of our honey-
pot appliances and essentially seeded into one of the conversation streams.
“We quickly, within 24 hours, watched them move against that environment. Tracked what they were looking for. Offered up some fake
(Trojanized) data, which they quickly took. Microsolved watched the date move out of the network and saw it opened in various parts of
the world.”
“So we were able to identify their sources, shut them down, but also feedback into the intelligence process and discover what their intent
and capabilities were”.

Section 9
9.0 HoneyPoint Managed Services
Microsolved, a leader in effective Honeypot management, designed ‘HoneyPoint.’ The Honeypoint strategy is simple, yet effective.
The HoneyPoint Security Server Console includes three specific managed services that can help a SCADA/ ICS organization:
1. HoneyPoint Agents
2. HoneyPoint Wasp
3. HoneyPoint Web

Section 9
9.1 HoneyPoint Agents
HoneyPoint Agent has HoneyPoints that are flexible pseudo-server applications, able to emulate thousands of real services such
as web, email, database systems and others. Since these pseudo-services are not real applications, there is no reason for anyone to
interact with them in any way. Thus, once deployed, any activity to a HoneyPoint is, by default, suspicious. Since attackers do their
work by scanning for and examining services looking for vulnerabilities, the HoneyPoints lie in wait, trapping the attacker in the act
of doing the exact thing that attackers seek to do — find vulnerable services.
9.2 HoneyPoint Wasp
HoneyPoint Wasp monitors Windows systems for new applications running that it has not seen before (white-listing detection),
includes new listening network ports, modification of selected files in the file system, DNS poisoning attacks, and direct probes
against the system from the network and changes in user accounts.
With HoneyPoint Wasp, the asset owner would receive an alert whenever a new piece of code runs. It is self-tuning: no updates, no
signatures. Finally, it has central visibility meaning there are no pop-up alerts for the end-user which mean no help desk calls.
HoneyPoint Wasp on Windows jump hosts works beautifully. It searches for changes to
sensitive files, modifications of configuration, new processes running that are not known to you
and even changes in user and admin populations, all of which are common signs of a successful attack. In other words, your team
gets a level of visibility and defensive capability not
commonly available to them in the past.

Section 9
9.3 HoneyPoint Web
HoneyPoint Web are immersing, adaptive, customizable web applications with focused intelligence gathering and human detection.
It is an entirely emulated web portal that emulates remote activity to the SCADA system. It can also emulate a fake human machine
interface (HMI). It can be placed anywhere around the perimeter of the SCADA, on the Internet, or in the business network so you
can tell when someone is poking or prodding and trying to get to the SCADA system when they shouldn’t be.
When an alert comes through HoneyPoint Web, there is a certainty that an attacker is attempting to breach the system. You will be
able to see the credentials they are using, what they know about the system, and take appropriate measures to stop them.
It is important to note that honeypots are not a solution in themselves. They are a tool. How much they can help you depends upon
what you are trying to achieve.

Section 10
10.0 Brent Huston, CEO and Founder, Explains HoneyPoint Managed Services
Our clients were the inspiration behind Managed HoneyPoint. Many have come to really love the simple, effective security that Hon-
eyPoint brings, but were hesitant to take on another product to manage in their environ-
ments. Even with the “no noise approach” that HoneyPoint leverages, we found that they re-
ally wanted all of the benefits without needing to manage the product. Thus, that is exactly
what Managed HoneyPoint provides.
It allows folks to work with our team of certified Hon-
eyPoint administrators and engineers to deploy the
software, virtual decoy hosts or soon, the HoneyPoint
appliances in their networks, then have MSI complete-
ly manage the console portion of the product to pro-
vide real-time security event alerting and reporting to
them on an ongoing basis.
The most obvious way HoneyPoint Managed Services helps an organization is to free them
from the alerting avalanches they are likely getting today from traditional security monitoring
tools.
As we have been discussing for years now, HoneyPoint doesn’t create false positives, re-
quires no ongoing tuning and can become a powerful mechanism for allowing security teams
to focus only on the most serious events that create risk in their environment.

Section 10
10.0 Brent Huston, CEO and Founder, Explains HoneyPoint Managed Services continued
For smaller organizations who may have little technical expertise onsite or only a basic IT staff, it can give them security visibility
to identify malware outbreaks, scans and probes against the network and other dangerous behaviors without needing a full time
administrator to manage the tool. Customers routinely remark that they often forget that HoneyPoint is even deployed on their
network until the few times it alerts them to the presence of something truly bad going on. Users of HoneyPoint talk about just how
capable the tool is and how it has changed their security teams’ focus from analyzing several thousand network IDS alerts per day
to handling about four true HoneyPoint incidents per year. They claim they were getting much better security with a whole lot less
work — and that is exactly why we created HoneyPoint in the first place!
HoneyPoint Managed Services cut through the noise and makes identifying true threats simpler and easier. That frees up your team’s
resources so they can focus on other projects. A true “win-win” for all.

Section 10
What is included in Managed HoneyPoint?
Customers who purchase Managed HoneyPoint receive phone support for the HoneyPoint installs and configurations, ongoing alert-
ing via email and monthly event reporting via email.
Users can also take advantage of discounted rates for incident response, investigation, threat analysis and forensics, should they
ever require those services.

Section 10
Is outsourcing expensive?
Actually, no. For small to mid-size organizations, they can likely get started for less than a
hundred dollars per month! Managed HoneyPoint is priced per host where HoneyPoint is
deployed.
You can deploy the product as software on your existing hosts, build a special physical host to house the HoneyPoints (as in Scatter-
Sensing), use our virtual (VMWare) decoy host appliance or deploy our physical mini-appliance device. You can even mix and match
these in any combination.
What is the difference between purchasing HoneyPoint Security Server and Managed
HoneyPoint Security Server is the software package that the Managed Services is based upon. Users who purchase the HoneyPoint
product get the full applications, the console application in addition to the capability to deploy and manage the devices as needed.
However, they will need to manage the console, create their own reports, etc.
The Managed Service model allows the customer to buy the capability as a service instead of as a software product and offload the
management of the console to MSI. For a low monthly obligation/ fee/ assessment, users get all of the power of HoneyPoint, with-
out the need to manage or interact with the console in any way.
Users receive alerts and reports over email and instead of going to the console for more information, and simply place a call to a
HoneyPoint administrator. In addition, for both types of HoneyPoint users, MSI offers both phone and email support for incident
response and threat handling, plus onsite incident response support, forensics, if needed, all at rates discounted from MicroSolved’s
normal “street” rate for those services!

Advanced Threat Detection in ICS – SCADA Environments

More Related Content

What's hot

Viewers also liked

Similar to Advanced Threat Detection in ICS – SCADA Environments

More from London School of Cyber Security

Recently uploaded

Advanced Threat Detection in ICS – SCADA Environments