I run a honeypot software company, with our customers being mid-large enterprises. While the case presented here is certainly interesting, it's actually fairly uncommon for companies to run internet-facing honeypots, mostly due to it being a huge resource sink, and it's fairly difficult to learn anything truly useful from observing attacks coming from (mostly) bots.
The more interesting use case for most is planting these in your network internals, which gives an added benefit of early, high-fidelity threat detection in addition to the "threat intelligence" bonuses. It's not completely trivial to set up, but can be a reasonably quick way to build good detection capability into even very disparate environments.
A vast majority of organizations still lack good situational awareness of their infrastructures and this is one way of improving on that.
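As an added illustration of what "high-fidelity" means for an internal decoy (this is example code written for this page, not the commenter's product or anything from the original thread): a listener on a port that no legitimate client in the environment should ever touch, so a single connection is an alert worth paging on rather than a log line to correlate. The NetBackup-style banner, the loopback deployment and the simulated attacker payload are constructed for the demo.

```python
"""Internal canary listener: a decoy service on a port that no legitimate
client should ever touch, so any connection is a high-fidelity alert.
Added example; the fake NetBackup-style banner and the attacker payload are
constructed for the demo, not taken from any real product."""
import json
import queue
import socket
import socketserver
import threading
import time

BANNER = b"220 backup01 NetBackup service ready\r\n"  # constructed decoy banner


class CanaryHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        self.request.settimeout(2.0)
        self.request.sendall(BANNER)          # look alive, keep the attacker typing
        try:
            first = self.request.recv(256)   # capture whatever they send first
        except socket.timeout:
            first = b""
        # Every connection is an event: nothing legitimate knows this port.
        self.server.events.put({
            "ts": time.time(),
            "src_ip": self.client_address[0],
            "src_port": self.client_address[1],
            "decoy_port": self.server.server_address[1],
            "first_bytes": first.decode("latin-1"),
            "severity": "high",
        })


class CanaryServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, CanaryHandler)
        self.events: "queue.Queue[dict]" = queue.Queue()


def run_demo(payload: bytes = b"USER admin\r\n") -> dict:
    """Start a canary on an ephemeral loopback port, connect to it once as a
    simulated attacker, and return the alert the canary produced."""
    srv = CanaryServer(("127.0.0.1", 0))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(srv.server_address, timeout=2.0) as s:
            banner = s.recv(256)
            s.sendall(payload)
        event = srv.events.get(timeout=5.0)
    finally:
        srv.shutdown()
        srv.server_close()
    event["banner_seen_by_client"] = banner.decode("latin-1")
    return event


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In a real deployment the event would be shipped straight to the SIEM as a high-severity alert, and the decoy host would be made discoverable the way an attacker moving laterally would find it (a DNS record, a stale share, a service account), which is what turns a fake server into a detection rather than an ornament.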
A fun example of a honeypot was the one placed by Cliff Stoll in 1986 on a computer system at Lawrence Berkeley when trying to get a repeated attacker to stay on the line long enough to be traced, as described in The Cuckoo's Egg and portrayed in this PBS NOVA recreation: https://www.youtube.com/watch?v=hTx9h3Sm29I
Did you plant internally to detect malicious actors from within the organization or as a way to definitively detect external actors who have presumably entered the network through an exploit?
Nice, your software looks pretty polished! Have you published any kind of best practices guides for using decoys, or alternatively are you aware of any other good guides?
I've seen decoys mentioned in infosec Twitter quite a few times recently (I think more about OSS ones), and I'd like to learn more about how they are generally actually used, what the expectations are etc.
There was a WSJ article I submitted recently that details how companies such as Land O' Lakes are doing just that -- honeypots on internal networks.
Hopefully one of your honeypots simulates NetBackup, e.g. the Veritas (was Symantec) software.
That should be reasonably easy to simulate, and (I'm guessing) Netbackup infrastructure would be significantly interesting to any hacker once they've popped an org.
This is interesting, but like most honeypot discussion kinda melodramatic. They got scanned by a bunch of known internet scanners, and a few mysteries including a "store that sells weaponry" (which turns out to just be scopes and red dots -_-). It's always good to see people reporting that they discovered nothing, but it is a bit boring.
Almost every power plant is effectively internet connected, even if it has old control equipment that predates IP, as the vast majority of SCADA systems have IP-connected HMIs or other core components.
There may be steps involved in getting your RDP exploit to send commands over vendor-proprietary RS-485 protocols, and there are certain nuclear plants that are truly air gapped, but there are fewer of those than you'd sleep soundly knowing about.
I once had a network admin at a major US transmission utility tell me with a straight face that all of their SCADA was pure serial as I was telnetting into the Zhone mux doing those serial channels via a WiFi connection.
Stuxnet[0] for example. A highly sophisticated attack using several Windows 0-day exploits and infecting USB flash drives to get to an air-gapped notebook that is used to program PLCs.
The book Sandworm by Andy Greenberg also goes a little into depth about attacking powerplants and other industrial control systems. Can highly recommend!
I learned to my displeasure that thick manuals are sometimes distributed with products as USB sticks these days. I immediately thought of this when I opened up an inverter box and saw a USB stick sitting there.
Digital systems are just not mature and hardened enough for security. Seems like we need to harden them on the software and hardware level before they can be trusted for driving cars and other machinery.
FWIW I interned at a US nuclear plant. They intentionally don't upgrade to digital systems for fear of being hacked, everything in the plant was analog when I was there 6 years ago.
Good for them!
> These vary from simple "smart" light switches, to machinery used in industrial plants
This line makes me cringe. Current IT infrastructure is just NOT secure. Until the major IT tech companies and nation states can prove otherwise, important machinery, especially nuclear, ought to be kept off the internet and digital systems.
Would be interested in a follow up article, especially if it baited more activity. The conclusion is woefully short, and I could speculate on some of the results, particularly the activity from the .tw domain. More investigation welcome.
For anyone looking to experiment with honeypots, T-Pot is awesome. They've really done a great job of building a simple, well-presented and fairly stable tool that pulls together a lot of honeypots into the one place. A sophisticated attacker can usually detect it, but it's very good and easy to set up all the same. You really need to run it on 16 GB RAM if you are using the full thing.
It's very interesting the results you see depending on where you put it (internal/external etc). Pretty quickly you get a decent sense of the pulse of the internet - XYZ is spreading, ABC range is compromised etc. Though you also get heaps of data so you need to find ways to really drill down also.
Scanning the whole IPv4 Internet goes pretty fast (I think you can do it on a private subscriber line in a few days). What about IPv6? If I "hide" my service in my public /64 network, can I feel safe against IP scanning? That would be some security by obscurity based on the huge address space (similar to changing default TCP ports)
I think that you'll be safe from outside scans. But IPv6 devices usually talk via ICMPv6 inside their subnet, so if there are other guys on your subnet, they might find out your address. That was the case with some VPS hosters that I used; with tcpdump I was able to see addresses of other nodes.
Given that a fair few devices will fill-in the "interface" bits of the IPv6 address with their MAC (SLAAC), it might be possible to reduce the number of addresses to scan in an IPv6 /64 prefix assuming you know what devices are likely to be used on that network.
It's also very likely your device will be syncing its clock with an NTP server such as pool.ntp.org, which can be scraped by running your own stratum 2/3 server and adding yourself to the pool.
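An added example, not from the thread, of the SLAAC point made above: with modified EUI-64 interface identifiers the 64 host bits are derived mechanically from the 48-bit MAC, so for one known vendor OUI there are only 2^24 candidate hosts in a /64 instead of 2^64, and an observed EUI-64 address hands back the MAC. Privacy addresses (RFC 4941) randomise the identifier and defeat this, which the inverse function reports as None. The 2001:db8::/64 prefix, the MAC and the OUI are constructed sample values.

```python
"""SLAAC / modified EUI-64: derive IPv6 addresses from MACs and back.
Added example; prefix 2001:db8::/64 and the MACs are constructed samples."""
import ipaddress
from typing import Iterator, Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 App. A): split the MAC,
    insert 0xFFFE in the middle and flip the universal/local bit (0x02)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host with MAC `mac` would autoconfigure in the given /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Inverse: recover the MAC if the interface ID is EUI-64-shaped, else
    None (RFC 4941 privacy addresses, hand-assigned ::1-style addresses)."""
    low64 = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    iid = bytearray(low64.to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def candidate_addresses(prefix: str, oui: str) -> Iterator[ipaddress.IPv6Address]:
    """All 2**24 SLAAC addresses one vendor OUI can produce in a /64: the
    target list a scanner who knows the hardware would actually use."""
    oui_bytes = bytes.fromhex(oui.replace(":", "").replace("-", ""))
    if len(oui_bytes) != 3:
        raise ValueError("OUI must be 24 bits")
    for low in range(1 << 24):
        yield slaac_address(prefix, (oui_bytes + low.to_bytes(3, "big")).hex())


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"
    addr = slaac_address("2001:db8::/64", mac)
    print(addr, "->", mac_from_address(str(addr)))
    print(mac_from_address("2001:db8::1"))        # None: not EUI-64 shaped
    print(next(candidate_addresses("2001:db8::/64", "00:1a:2b")))
```

The defensive reading is the same as the attacker's: if a host's address decodes to a MAC, that host is enumerable by anyone who can guess its vendor, so enable privacy or stable-opaque identifiers (RFC 7217) rather than relying on the size of the /64.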
While at uni a colleague discovered zmap and scanned 0/0 from the 1Gbps line for the port of the Intel AMT management a day after a remote code exec bug was found there. He was just curious, but watching the fallout and the angry forwarded mails those days was quite fun...
Any time you connect to a website, you reveal your IPv6 address. I can bet there is a market for making lists of valid IPv6 addresses from web logs and selling those lists to people who want to port scan those hosts.
You might even find big carriers mine IP packets to find IP addresses they can sell.
Several power plants in the UK have their control systems entirely open on the net. No authentication or encryption, you just need to know the IP address.
There are plenty of real power plants connected to the internet today in the form of virtual aggregations of large batteries. In a decade there will be gigawatts of them online, so let's hope those companies take security seriously because it'd be simple to break things with the instant availability of several gigawatts on some circuit.
At work I have access to servers controlling dozens of manufacturing plants around the world. All the PLCs and the control equipment are behind a local firewall with very strictly controlled inbound addresses; that means I cannot interact with it from my computer, only from the server that is collecting and archiving data. This setup is approximately the standard in the industry, there are a small number of solutions everyone is using and the implementation guidelines are very clear and easy to follow. That makes any honeypot an obvious honeypot because there is no such thing as a PLC accessible from Internet in a real production site.
> there is no such thing as a PLC accessible from Internet in a real production site.
That is so massively optimistic. I don't doubt you know your stuff, but manufacturing is a huge field, widely distributed, it is done by small companies as well as large ones, and specifying and purchasing a PLC system can be done to satisfy operational needs without necessarily having suitable network infrastructure and security expertise. The number of PLCs "accessible from Internet in a real production site" is probably in the thousands.
That will just move the target of those attacks to these servers (or now yourself, who stated they have access to these), with apparently a lot more rewarding outcomes too.
> "One of the concerns .. was the lack of insight into malicious digital (state sponsored) activity towards vital infrastructure."
Have these people ever given consideration to not connecting their vital infrastructure to the Internet? Instead using VPNs running on embedded hardware providing a .. virtual private network.
This seems like a really really obvious honeypot. I mean a nuclear power plant with an internet-facing PLC??? I mean probably even haX0r bois aren't that stupid? Maybe they are, but it didn't seem like he got any real hits from a malevolent hacker.
Instead of using reverse DNS to see where traffic is from (e.g. the optisan.com.tw FQDN) you might be better off doing a whois lookup on the source IP addresses. Reverse DNS can point anywhere, but you can't fake IP addresses in TCP connections.
So all the traffic is various indexing companies and none of them made an effort to contact the author? What if, you know, the guys pretending to be good are actually just baddies selling out?
Yes, because a nuclear power plant would have a PLC NAT'd to the internet. Multi-million dollar budget, we'll just NAT the PLC so Joe can work from home.
If you run a fake host (honeypot) to waste their resources, won’t they run a fake attack to waste your resources? Unless it is a substantial asset, all a honeypot will do is detect a honeypot detector?
When the attack comes from dhcp-XX-XX-XX-XX.rotation5.pool7.isptelecoms.co.abc, you can now determine to block all further attacks from that IP address, but to what positive effect? The next probe will come from somewhere else and just skip over your detector?
The point of honeypots is not to block malicious IPs, but to become aware of places in your security concept where more hardening is needed, be it exploits, misconfigured firewalls, etc.
That can be a lot of things, blocking IP ranges can be one of those things if you e.g. only want to allow access to your assets from your building, but that's a general step and not reactionary to attacks.
waihtis | 5 years ago
TazeTSchnitzel | 5 years ago
SCHiM | 5 years ago
I don't imagine you're catching many serious attackers just by exposing fake servers vulnerable to MS17 for example.
Could you explain more about your strategies and which types of attackers you can say you'd catch with surety?
wwv25 | 5 years ago
GordonS | 5 years ago
hcrisp | 5 years ago
https://news.ycombinator.com/item?id=25741589
justinclift | 5 years ago
varispeed | 5 years ago
some_random | 5 years ago
butwhywhyoh | 5 years ago
papaf | 5 years ago
Edit: There is also a more in-depth Scientific American article. Search for "Hacking the Lights Out".
netflixandkill | 5 years ago
hutzlibu | 5 years ago
There are more interesting ways to do it:
https://hackaday.com/2017/02/02/hacking-the-aether/
zwog | 5 years ago
0: https://en.wikipedia.org/wiki/Stuxnet
merlinscholz | 5 years ago
cmrx64 | 5 years ago
deepstack | 5 years ago
jakespracher | 5 years ago
deepstack | 5 years ago
beckingz | 5 years ago
binarysneaker | 5 years ago
secfirstmd | 5 years ago
https://github.com/telekom-security/tpotce
ktpsns | 5 years ago
vbezhenar | 5 years ago
e2le | 5 years ago
https://www.ntppool.org/en/
nisa | 5 years ago
be careful :)
londons_explore | 5 years ago
ourlordcaffeine | 5 years ago
mercora | 5 years ago
eli | 5 years ago
hyper_reality | 5 years ago
lambda_obrien | 5 years ago
AdrianB1 | 5 years ago
rm445 | 5 years ago
acct776 | 5 years ago
mercora | 5 years ago
Stierlitz | 5 years ago
stjohnswarts | 5 years ago
Moody_10001 | 5 years ago
stefan_ | 5 years ago
throwawaysea | 5 years ago
unknown | 5 years ago
[deleted]
SMAAART | 5 years ago
alisausaaa | 5 years ago
[deleted]
collsni | 5 years ago
gorgoiler | 5 years ago
meibo | 5 years ago