Security researchers will try almost anything to find out who is attacking their clients and how. One of their best-loved and most effective techniques is a honeypot. First developed about a decade ago, a honeypot is a decoy system or network – a tempting target for attackers that is not really a target at all, but a trap. The objective is to lure attackers into the honeypot and then watch how they work. Attackers’ methods are almost like fingerprints; researchers who are familiar with a number of attackers can often identify them simply by watching their step-by-step process of discovery through the honeypot. Researchers have other methods as well, such as tracing IP addresses or even fingerprinting the attackers’ browser – delivering code to the attackers’ browser that reveals more about their identity.
Attackers are, of course, aware that honeypots exist, so preparation of an effective honeypot must be extremely detailed. To set up a honeypot requires a fair bit of planning to make the target look as realistic as possible. Eventually, the attackers will realize that they’ve been had, so the objective is to keep them in the honeypot as long as possible to gather as much information as possible about their methods and their identity.
One security researcher described one of his honeypots in a talk at the SANS 9th Annual ICS Security Summit. Kyle Wilhoit of Trend Micro described a scenario in which he set up juicy but fake targets on five continents and then watched them be attacked. Each was a model of a control system for a small municipality water pump. Connected directly to the Internet and with insufficient protection, this water pump looked like easy pickings, and it was attacked nearly 100 times. Again, the attackers were not attacking an actual water pump but were instead sending commands to a simulation of a water pump – the honeypot.
Perhaps most disturbing to me is that most of the attacks that Wilhoit reported were attempted sabotage, not data exfiltration. Nearly all of my recent research indicates that large-scale persistent attacks against control networks have been data exfiltration for competitive advantage. In this case, however, data exfiltration attempts were a minority of all attacks. Even some well-known attack teams supported by hostile nation-states attempted to disable the water pump, not simply exfiltrate its data. For me, this requires a rethink: Is all that data exfiltration really just for competitive advantage or are attack plans being prepared? As ever, only the attackers know, but this one project suggests that there may be more attack planning than has been assumed.
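The distinction the talk draws, between attackers who only read data from the decoy and attackers who try to change its state, is exactly what a honeypot's interaction log has to capture. The sketch below is an added illustration of that idea, not Wilhoit's or Trend Micro's code: a simulated pump controller that accepts commands, applies them only to an in-memory model, records every interaction with its source, and tallies read versus control attempts per source. The command grammar (READ/STATUS, WRITE, START, STOP), the field names and the sample addresses are constructed for this example; a real decoy would speak whatever protocol the mimicked device uses.

```python
"""Minimal decoy "water pump" controller (added example, not the page's own code).

Writes land in a dictionary and in the interaction log, never on a real pump, which
is the whole point of a honeypot. The command set and field names are constructed
for this illustration.
"""
import json
import time
from dataclasses import dataclass, field

# Simulated process state; the values are constructed and stand in for whatever
# a real controller would expose.
DEFAULT_STATE = {"pump_running": True, "setpoint_rpm": 1450, "tank_level_pct": 62.0}

READ_CMDS = {"READ", "STATUS"}          # look-but-don't-touch: exfiltration-like
CONTROL_CMDS = {"WRITE", "START", "STOP"}  # state changes: sabotage-like


@dataclass
class Interaction:
    """One logged exchange with the decoy."""
    source: str          # who sent it (IP address or session id)
    raw: str             # the command exactly as received
    category: str        # "read", "control" or "unknown"
    state_after: dict    # snapshot of the simulated state after handling
    ts: float = field(default_factory=time.time)


class PumpHoneypot:
    def __init__(self):
        self.state = dict(DEFAULT_STATE)
        self.log = []  # list[Interaction]

    def handle(self, source, line):
        """Process one command line from `source`; return the reply the decoy sends."""
        parts = line.strip().split()
        verb = parts[0].upper() if parts else ""
        if verb in READ_CMDS:
            category = "read"
            reply = json.dumps(self.state)
        elif verb in CONTROL_CMDS:
            category = "control"
            reply = self._apply_control(verb, parts[1:])
        else:
            category = "unknown"
            reply = "ERR unknown command"
        # Log everything, including malformed input: probing is itself a signal.
        self.log.append(Interaction(source, line.strip(), category, dict(self.state)))
        return reply

    def _apply_control(self, verb, args):
        """Apply a control verb to the simulated state only."""
        if verb == "STOP":
            self.state["pump_running"] = False
            return "OK pump stopped"
        if verb == "START":
            self.state["pump_running"] = True
            return "OK pump started"
        # WRITE <field> <value>: only numeric fields are writable this way
        if len(args) != 2 or args[0] not in self.state:
            return "ERR bad write"
        current = self.state[args[0]]
        if isinstance(current, bool):
            return "ERR use START/STOP"
        try:
            self.state[args[0]] = type(current)(args[1])
        except ValueError:
            return "ERR bad value"
        return f"OK {args[0]}={self.state[args[0]]}"

    def summary(self):
        """Per-source counts of read vs control vs unknown attempts."""
        out = {}
        for i in self.log:
            bucket = out.setdefault(i.source, {"read": 0, "control": 0, "unknown": 0})
            bucket[i.category] += 1
        return out


if __name__ == "__main__":
    # Constructed session: one source reads, then tries to drive the setpoint to
    # zero and stop the pump; a second source sends garbage.
    hp = PumpHoneypot()
    for src, cmd in [("203.0.113.5", "STATUS"),
                     ("203.0.113.5", "WRITE setpoint_rpm 0"),
                     ("203.0.113.5", "STOP"),
                     ("198.51.100.7", "FOO bar")]:
        print(src, cmd, "->", hp.handle(src, cmd))
    print(json.dumps(hp.summary(), indent=2))
```

Run as-is, the session prints one reply per command and then a per-source tally showing one read and two control attempts from the first address. In a deployment the `handle` call would sit behind a network listener and the log would be shipped off the decoy host, so that an attacker who later recognises the trap cannot erase the record of what they tried.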
You might think that attackers seeing a control device connected directly to the Internet would say, “Nah, this is too good to be true.” And then seeing a control device directly connected to the Internet with little or no security – “It just has to be fake, right?” Sadly, no. Attackers are accustomed to discovering real systems like this all day long – directly connected to the world and with no protection.
My conclusion is mixed. Honeypots are an effective tool for learning about our adversaries. Yet, honeypots work because the unprotected systems that they mimic are commonplace in our industry.