Implementation of Security Information and Event Management Software in a Honeypot
Abstract
Many industrial control systems (ICS) were originally designed as standalone systems, unconnected to the Internet, that provided little cybersecurity to maximize reliability and response time. Increasingly, these systems have been exposed to the Internet for better control and management, making them vulnerable to cyberattacks. We explored the use of security information and event management (SIEM) technology to improve an ICS honeypot (decoy) system's ability to detect and respond to attacks against electrical-power grids. We integrated commercial SIEM software into the honeypot architecture and deployed a SIEM-enabled instance in a commercial cloud environment. Our experiments showed that SIEM's real-time alerts, data collection and aggregation, and threat analysis helped speed up the discovery of several living-off-the-land and botnet cyberattacks on the honeypot. This work provides a framework for ICS defenders in the Department of Defense and private sectors to use SIEM and honeypot technology to protect critical assets.
Document Details
- Document Type: Technical Report
- Publication Date: Dec 01, 2023
- Accession Number: AD1225530
Entities
People
- Jesse Sciuto
Organizations
- Naval Postgraduate School