Please, Come and Hack my SCADA System!
0 likes1,141 views
Mikael Vingaard, an IT security consultant at Energinet.dk, discusses the benefits and methodologies for deploying honeypots to enhance cybersecurity within the energy sector. Honeypots serve as deceptive systems to study potential attackers and their techniques, offering real-time threat intelligence while requiring careful planning to address legal and media concerns. Vingaard emphasizes the effectiveness and cost-efficiency of honeypots in gathering threat data and suggests future research into automated threat feeds and the development of more sophisticated honeypot types.
Please, Come and Hack my SCADA System!
- 1. ”Please, Come and Hack my SCADA System!” Mikael Vingaard, IT-Security Consultant – EnergiNet.dk CISSP - GICSP l11th Annual EnergySec Security & Compliance Summit | Sept. 14-16 | Washington D.C. 1
- 2. Introduction, WHOAMI and takeaway EnergyNet.dk (Danish National TSO) are responsible for the national infrastructure, which supplies Denmark with electrical power and natural gas. We are a non-profit enterprise fully owned by the Danish government. $whoami After this presentation, a non-technical overview combined with real-life cases will highlight the possible advantages a honey-pot network may provide to the sector. 2
- 3. What is a Honeypot? The goal of having a Honeypot (a fake ‘vulnerable’ IT-system/ service) is to learn more about your attackers and the methods they will use to breach your systems. 3 different deployment “modes” (Internal, DMZ and external). The research concentrates on the last – external honeypots. A great cost effective way to gather (close to) real time threat intelligence, if done right. 3
- 4. Con Honeypots Deployment must be careful planned – especial in DMZ and external mode. PR/ Media and potential legal questions must be considered. “To be breached or not to be breached”- an ongoing process to prevent your assets from becoming a liability. A word on Geo-location. Intelligence gathering is a process – not a destination. 4
- 5. Pro Honeypot Cost effective, real time threat intelligence compare to some external vendors threat feeds. As generic (or custom made) information as you want it to be. Depending on the different deployment scenarios, you can establish if a specific attack is directed at your organization or “everyone”. Deployment methods and options have matured much the last years. Last but not least, FUN! 5
- 6. 4 types of attackers (external only) 6 Y = Dedication to harm YOUR organization X = Technical Knowledge & ressources . Y X
- 7. Technical setup – 4 types of Honeypots Type 1: “Crash and burn” Red Storm Rising, Ultimate level: "Life can be brutal and short.“ Type 2: “To fake to be true” Run - if you have any understanding of I.T/O.T systems. lType 3: “Regular Honeypots” I am right here… Type 4: “Hidden Honeypots” Breach me – if you can find me 7
- 8. Case ”Human or automated attack” Type 1: “crash and burn” From ”boot” to ”oh-no – Houston, we do have a problem” – shortest time was 26 min. 192.168.1.141:22 192.168.1.5:44586 ESTABLISHED 192.168.1.141:22 101.227.241.251:57705 ESTABLISHED 192.168.1.141:22 115.239.248.238:35325 ESTABLISHED 192.168.1.141:22 1.85.44.222:44587 ESTABLISHED ….. MOTD Banner fun: “You are currently breaching my honeypot, ABUSE report with PCAP evidence will be mailed to your ISP” 8
- 9. Case ”The Internet are NOT your oyster” Type 2: “To fake to be true” Reply to an abuse report (honeypots on public cloud providers). “These connections are part of an Internet-wide research study being conducted by computer scientists at the University of Michigan. The research involves making benign connection attempts to every public IP address. By measuring the entire public address space, we are able to analyze global patterns and trends in protocol deployment and security. If our scans are causing problems, we would be happy to exclude your host or network from future research scans from the University of Michigan. Simply send us your IP address or CIDR prefix.” 9
- 10. Case ”Smile - you are on camera” Type 3: “Regular Honeypots” The attacker first tries the following combination of password and user name: username: PlcmSpIp password: PlcmSpIp Above combination are the factory default access for many Polycom.com's products e.g. the SoundPoint SIP (VOIP) phones. Immediately afterwards the attacker tries the combination of root:TANDBERG This happens to be the default password/user name on Tandberg/Cisco boardroom videoconferencing systems . - Surveillance on camera/voice 10
- 11. Case ”The day before Zero” Huawei Wimax CPE bm632w (undocumented backdoor). Reversed binary configuration (router firmware) < UserInfoInstance InstanceID="1" Username="admin" Userpassword="admin" UserLevel="2"> < UserInfo NumberOfInstances="1"> < UserInfoInstance InstanceID="1" Username="wimax" Userpassword="wimax820" Userlevel="0"/> < /UserInfo> Date : 30 May 2015 | Exploit Author : Koorosh Ghorbani | Site : http://8thbit.net/ 11
- 12. Honeypots, SCADA & open source Open Source can get you a long way – even on a tight budget. • Tools and deployment methods are available to make your life (more) easy as Honeypot asset owner. • Possible to Proxy/mix Honeypot with real (e.g. older / decommissioned ) SCADA devices. • DefCon/Blackhat observations. 12
- 13. Closing remarks Yes, it is possible! • 50+ reports send to various organizations, like ISP's, CERT's, universities, corporations and governmental agencies. “The more you give, the more you get” • 800+ Indication Of Compromise (IOC) detected • 25.000+ password/ user names combination collected. Future areas of research: More “type 4” honeypots - automated threat feeds in various formats: STIX/taxii and IDS signatures. 13
- 14. Questions Deal of the day: “Ask me two good questions, and the third question are free” :-) Thank you for your attention Contact details: Mikael Vingaard | [email protected], 14