Using Honeynets and the Diamond Model for ICS Threat Analysis

Abstract

The use of a honeynet, a network of seemingly vulnerable machines designed to lure attackers, is an established technique for collecting threat intelligence across various network environments. As a result, organizations have begun to use this approach to protect networked industrial control systems (ICS). Organizations hope to observe attempts to compromise their systems in an isolated environment, enabling them to deploy mitigations and harden their networks against emerging threats. This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an ICS honeynet. The data is analyzed in the context of other open source information about known threats to ICS to understand how adversaries interacted with the network and the types of attacks they attempted. To provide a more rigorous approach to characterizing these threat actors, the study employed the well-known Diamond Model of Intrusion Analysis. It applied this model to define and categorize several groups of potential threat actors observed within the data. The study also evaluated the effectiveness of honeynets as a tool for ICS threat intelligence. This report includes several recommendations for their deployment and emphasizes active interaction with external hosts to generate higher quality data.

Document Details

Document Type
Technical Report
Publication Date
May 11, 2016
Accession Number
AD1044935

Entities

People

  • Deana Shick
  • John Kotheimer
  • Kyle Omeara

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • C4I
  • Cyber
  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • Command And Control
  • Computer Network Security
  • Control Systems
  • Data Analysis
  • Databases
  • Emerging Threats
  • Governments
  • Industrial Control Systems
  • Intrusion
  • Network Computing
  • Network Protocols
  • Operating Systems
  • Port Scanners
  • Scada
  • Shell Scripts
  • Software Development
  • Transport Protocols

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Distributed Systems and Data Platform Development
  • Systems Analysis and Design