SESSION ID: SPO3-W12
#RSAC
HONEYPOTS 2.0: DEFENDING INDUSTRIAL SYSTEMS WITH DYNAMIC DECEPTION
Lane Thames, PhD
Senior Security Researcher, Tripwire, Inc.
@Lane_Thames
Motivation
Who has the upper hand in cybersecurity? The good guys or the bad guys? Why?
Agenda
Industrial Internet of Things
Cybersecurity challenges for the Industrial Internet of Things
Deception Technologies for Cybersecurity
  Honeypots
Dynamic Deception
  Next generation Honeypots
  Scale
INDUSTRIAL INTERNET OF THINGS AND ITS CYBERSECURITY CHALLENGES
Industrial Internet of Things
Smart Power Grids, Smart Logistics, Smart Inventory, Smart Machine Diagnostics
Self-monitoring, Group-monitoring
Self-configuration, Group-configuration
Self-healing, Group-healing
Provides:
Operational Efficiencies
Outcome-driven Processes
Machine-to-Human Collaboration
Countless Value Creation Opportunities
What is a “Digital Twin”?
Wikipedia:
Digital twin refers to a digital replica of physical assets, processes and systems that can be used for various purposes. The digital representation provides both the elements and the dynamics of how an Internet of Things device operates and lives throughout its life cycle.
Digital Twins integrate artificial intelligence, machine learning and software analytics with data to create living digital simulation models that update and change as their physical counterparts change.
Industrial Internet of Things: What will prevent us from achieving its full potential?
Our Approximate Cybersecurity Solution
Time is always against us. How can we change that?
DECEPTION TECHNOLOGIES FOR CYBERSECURITY AND DYNAMIC DECEPTION
Deception Technologies
Deception-based Cyberattacks - General
Social Engineering
Phishing
Spam
Deception-based Cyberattacks – IIoT Specific
Spoofed Signals
  Sensor measurements
  Control inputs
  Timestamps
  Identity information
Deception-based Cybersecurity
Honeypots
  A computing asset used for detecting, deflecting, or counteracting unauthorized use of information systems (Wikipedia)
  Can be used to create “Confusion”
    — Confusion induces a time delay on the attack source
    — Gives us more time to counteract appropriately
  Can be used to increase the cost of attack, thereby reducing attack motivation
  Scale was once upon a time an issue
Honeypots & Dynamic Deception
  IP-based dynamics
    — DevOps Tool Chains
  Port-based dynamics
    — Software-based implementation
    — Managed/Deployed via DevOps Tool Chains
Goals:
  Primary: Create significant confusion via scale for attackers in such a way as to cause delays for their activities
  Secondary: Use dynamic deception at scale to detect real-time attacks, to generate threat intelligence, and to implement real-time controls
Dynamic Deception: Port-based Dynamics
Problems with the aforementioned approach?
  Code complexity
  Light-weight honeypot interaction
We can solve these problems with ‘Twisted’!
What is Twisted?
  An event-driven networking engine written in Python
    — Based on a reactive programming model
    — Essentially lets you work with highly asynchronous applications
  Comes “with batteries”
    — Web servers, Mail Servers, SSH servers, Chat servers and many more
  Lets the programmer focus on the Application Protocol
  Many projects available based on Twisted that fit well with creating honeypots
    — IoT based projects
    — OT (Operational Technology) based projects
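
Port-based dynamics in an event-driven style, as an added example that is not from the talk or the DDT repository: decoy listeners move to a fresh set of ports on each rotation, and every connection is logged as a detection event. It uses Python's standard-library asyncio in place of Twisted so it runs without extra packages; the class name, banner and rotation scheme are assumptions.

```python
import asyncio
import time
from collections import defaultdict


class RotatingDecoy:
    """Low-interaction decoy that listens on a changing set of TCP ports."""

    def __init__(self, host="127.0.0.1", banner=b"220 service ready\r\n"):
        self.host = host
        self.banner = banner      # constructed banner, not a real product's
        self.servers = {}         # bound port -> asyncio server
        self.events = []          # (timestamp, source_ip, decoy_port)

    async def _handle(self, reader, writer):
        src = writer.get_extra_info("peername")[0]
        port = writer.get_extra_info("sockname")[1]
        # Nothing legitimate uses a decoy port, so every connection is a signal.
        self.events.append((time.time(), src, port))
        writer.write(self.banner)
        await writer.drain()
        writer.close()
        await writer.wait_closed()

    async def rotate(self, ports):
        """Open listeners on `ports`, then retire the previous set."""
        old, self.servers = self.servers, {}
        for p in ports:           # port 0 lets the OS pick a free port
            srv = await asyncio.start_server(self._handle, self.host, p)
            self.servers[srv.sockets[0].getsockname()[1]] = srv
        for srv in old.values():  # closed only after the new set is bound
            srv.close()
        return sorted(self.servers)

    def sources_by_ports(self):
        """Threat-intelligence view: source IP -> decoy ports it touched."""
        seen = defaultdict(set)
        for _, src, port in self.events:
            seen[src].add(port)
        return dict(seen)


async def demo():
    decoy = RotatingDecoy()
    first = await decoy.rotate([0, 0])
    r, w = await asyncio.open_connection(decoy.host, first[0])  # simulated probe
    banner = await r.readline()
    w.close()
    await w.wait_closed()
    second = await decoy.rotate([0, 0])   # listeners move to new ports
    await decoy.rotate([])                # shut everything down
    return first, second, banner, decoy.sources_by_ports()
```

A source that shows up against several decoy ports in `sources_by_ports()` is a candidate for a threat-intelligence feed or a real-time block rule.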
Dynamic Deception: Scale
Summary
Industrial Internet of Things
Dynamic Deception
  Dynamic & Static Honeypots
    — Port Based Dynamics
    — IP Based Dynamics
    — Scale
Python Twisted Networking Framework
Code available at GitHub: https://github.com/jlthames2/ddt
Apply What You Have Learned Today
Next week you should:
  Consult with your IT/IS teams. Consider taking advantage of Honeypots and scalability with DevOps Tool Chains
In the first three months following this presentation you should:
  Deploy honeypots within your networks using unused IP space.
  Consider using the DDT as a guide to have your IT/IS staff implement honeypots with a mixture of static (traditional) and dynamic instances
Within six months you should:
  Integrate data collected by your new honeypots into your threat intelligence feeds, and possibly create real-time security controls based on this intelligence
  Consider sharing your threat intelligence with the larger community, at least in terms of IP sources and other indicators of compromise
THANKS FOR ATTENDING!
QUESTIONS?