True Analytics™ - Energy Savings, Comfort, and Operational Efficiency
Honeypots are one of the latest tools being used to lure in unsuspecting hackers into a trap. These systems are designed to mimic original data hubs, but instead, capture the methods being used to track better and block system attacks.
Chipkin Automation Systems Inc
Introduction: Hackers are always
looking for new ways to steal your information. Whether it be social
security numbers, credit cards, passwords, or other identifying data –
we are constantly under attack. But, just as hackers are growing in
stratagem, so are the people defending our data. Honeypots are one of
the latest tools being used to lure in unsuspecting hackers into a
trap. These systems are designed to mimic original data hubs, but
instead, capture the methods being used to track better and block
system attacks. Let’s take a more in-depth look at Honeypots, their
use, and their benefits to future cybersecurity threats.
the day to day growth of internet users in an information
revolution, how secure are we and our data?
From social media to banking, everything is over the internet!
How to protect our valuable data from hackers? What are HONEYPOTS? What
has that to do with the security of the data? Let’s check out.
Fig: Network diagram of a honeypot deployed on a DMZ to detect attacks
Well, what are honeypots?
is a decoy computer system that simulates the behavior of a real
system having data that seems to be a legitimate part of the
network/site, but it is actually isolated and closely monitored for
trapping hackers or tracking unconventional or new hacking methods,
which are then blocked/trapped.
The main purpose of a Honeypot is to detect and learn from the attacks
and further use the information to improve security.
The value/worth of the honeypots
depends on the information that could
be gathered from it. There are two popular reasons for setting up a
1. Gain Understanding
To understand how hackers probe and attempt to gain access to your systems. Since a record of the hacker activities is kept, one can gain an understanding of the attack methodologies incorporated and improve the security of the network/system by eliminating the loopholes.
2. Gather Information
Gather forensic information that is needed to aid in the prosecution of hackers. This is the sort of information which is often needed to provide law enforcement officials with the details needed to prosecute.
Honeypots can also protect an organization from insider threats. According to the 2016 Cyber Security Intelligence Survey, IBM found that 60% of all attacks were carried by insiders.
2. Types of honeypots:
are mainly two types of honeypots based on the use-case scenario:
2. Production Honeypots
Based on design criteria of the honeypots are further
2. High-interaction honeypots
3. Low-interaction honeypots
honeypots are full-fledged production systems. The activities of
the attacker are monitored by using a bug tap that has been installed
on the honeypot's link to the network. No other software needs to be
installed. Even though a pure honeypot is useful, stealthiness of the
defense mechanisms can be ensured by a more controlled mechanism.
honeypots imitate the activities of the production
systems that host a variety of services and, therefore, an attacker may
be allowed a lot of services to waste his time. By employing virtual
machines, multiple honeypots can be hosted on a single physical
machine. Therefore, even if the honeypot is compromised, it can be
restored more quickly. In general, high-interaction honeypots provide
more security by being difficult to detect, but they are expensive to
maintain. If virtual machines are not available, one physical computer
must be maintained for each honeypot, which can be exorbitantly
expensive. Example: Honeynet.
honeypots simulate only the services frequently
requested by attackers. Since they consume relatively few resources,
multiple virtual machines can easily be hosted on one physical system,
the virtual systems have a short response time, and less code is
required, reducing the complexity of the virtual system's security.
3. What are
Honeynets, how is it different than
or more honeypots on a network form a honeynet. In some cases, only
one honeypot will not be sufficient (example: databases, ATC) therefore
a honeynet plays a vital role in monitoring the entire network at a
and honeypots are usually implemented as parts of larger
network intrusion detection systems.
addition to the honeypots, a honeynet usually has real applications
and services so that it seems like a normal network and a worthwhile
target. However, because the honeynet doesn't actually serve any
authorized users, any attempt to contact the network from without is
likely an illicit attempt to breach its security, and any outbound
activity is likely evidence that a system has been compromised.
this reason, the suspect information is much more apparent than it
would be in an actual network, where it would have to be found amidst
all the legitimate network data. Applications within a honeynet are
often given names such as "Finances" or "Human Services" to make them
sound appealing to the attacker.
honey farm is a centralized collection of honeypots and analysis
tools. A virtual honeynet is one that, while appearing to be an entire
network, resides on a single server.
4. Could honeypots be set up wirelessly?
you can- With the exponentially increasing use of wireless
devices, the threat of wireless attacks is also growing. The goal of
deploying wireless honeypots is to capture behaviors of our system in a
wireless area and obtain some information and statistics.
Honeyspot is the well-known wireless honeypot project supported by Spanish Honeynet Project.
what are the typical steps in configuring a wireless honeypot?
Fig: Wireless Honeypot setup configuration
are different types of attack scenarios and based on which the
layers of the network are configured with the deployment of the
5. How to configure/Setup a simple Honeypot?
6. Honeypots securing SCADA network, how?
Control and Data Acquisition (SCADA) is an integrated part
of a process control network. SCADA has applications in many complex
and critical places like a nuclear power plant, electricity grid, air
traffic control, satellite launch center and lot more. The “Stuxnet
virus” and “Duqu” proved the need for process control network security
which caused substantial damage to Iran’s nuclear program.
typical process control network (PCN) is categorized by four levels,
starting at Level 0.
example as a temperature control in a factory floor-
0: Temperature sensor senses the temperature of a boiler and
sends the values to the controller- typically the signals are analog in
Based on the sensed value required actions are executed by the
controller, either regulate the temperature or turn it ON/OFF.
On the factory floor there might be several of these
controllers, these are connected to a centralized control system
(SCADA) that supervises the control to ensure synchronization between
Here advanced controllers are deployed to optimize the
processes, includes historians and optimization controllers.
Level 1 to Level 3 can use the Ethernet for connectivity. The
business network that is not part of the PCN is considered as Level 4,
and care is taken to control access between these two networks only on
a need basis. SCADA at Level 2, is one of the most important parts of
the PCN. It is used to monitor and record various process parameters
centrally. Here, the processes may be running at one physical location
and SCADA may be located at entirely different locations. As per the
requirement, WAN/LAN links are used for interconnection between them.
could be deployed at level2 mimicking SCADA
systems. An attacker may attack a SCADA honeypot perceiving it to be a
true SCADA system.
SCADA network of water pumping station attack
How to set up a honeypot on SCADA?
An open source honeypot
defined by honeyd.org, Honeyd is a small daemon that creates virtual
hosts on a network. These hosts can be configured to run arbitrary
services, and their personality can be adapted so that they appear to
be running certain operating systems.
enables a single host to claim multiple addresses (tested up to
65536) on a LAN for network simulation. Honeyd improves cyber security
by providing mechanisms for threat detection and assessment. It also
deters adversaries by hiding real systems in the middle of virtual
Honeyd configuration file defines how the configured honeypot will
respond to various types of requests such as ICMP Ping, requests on UDP
ports, TCP SYN, etc., thus, in a way, defining the status of various
ports and services. This reply is interpreted by the scanning tool as a
system running a corresponding service.
How Honeyd works
up Honeyd on Ubuntu:
7. Advantages and Disadvantages of setting up a honeypot.
concerns related to honeypots!
Every country has different laws regarding honeypot usage and information capturing. Earlier there were some confusions on honeypot for several reasons; one the concept was very new and different variants of it deployed. Based on the use case scenarios there are different legal issues that are concerned with the same scenario. There are no precedents for honeypots. Also, there were no legal cases recorded on the issues.
There are three issues that are commonly discussed on honeypots,
More detail study:
9. Firewall and Honeypots. How they inter-work together?
a firewall is designed to keep the attackers out of the
network whereas honeypots are designed to entice the hackers to attack
is done so that a security researcher can know how hackers operate
and can know which systems and ports the hackers are most interested
in. Also, firewalls log activities and logs also contain events related
to production systems.
on the application and size of networks honeypots are deployed
either inside the firewall or outside.
in the case of honeypot, the logs are only due to
non-productive systems, these are the systems that no one should be
interacting with. So a firewall log contains 1000 entries of all the
systems of the network whereas the honeypot’s log only contains 5-10
& automation, a bigger game!! -
Communication protocols - PLC, FTP,
infrastructures mostly comprise of two levels: operations (Master
stations and databases) and field networks (PLC, RTU). Various
communication protocols interoperate in the infrastructure. We’ll look
at Modbus honeypot which is deployed at a field network of SCADA system
acts as a PLC.
API module specifically implements the Modbus TCP protocol
variant which is widely used in ICS (Industrial Control Systems). Its
ease of operation and deployment makes its use widely.
Modbus Honeypot implementation on SCADA infrastructure
are typically four components,
Modbus Honeypot Software architecture
The information is processed at event monitor which is obtained from the front-end interface module. It has submodules:
architecture is very simple and could be implemented on a simple
SOC like Raspberry Pi; the implementation has two Python libraries to
manipulate the Modbus data (Modbus-tk-0.4.2 and pymodbus-0.9.0).
Raspberry Pi - SOC
Modbus messages are parsed by pymodbus library, SNMPD and
modules are composed by a complete service implementation and a script
to check its logs – they run NET-SNMP and VSFTPd
the scripts parse service logs, looking for activity and
port Scan module uses libpcap (C-module).
About the Author
Chipkin is the President of Chipkin Automation Systems Inc - a company
with a reputation for excellence in service and customer support. With
over 30 years of experience in automation, controls, and in
Communications and Automation software development, Peter still relies
on honesty and integrity to make sure each job is done right.
While originally from South Africa, Peter now resides in Vancouver with his family - including Jack the Husky.
[Click Banner To Learn More]
[Home Page] [The Automator] [About] [Subscribe ] [Contact Us]