Software Engineering Institute | Carnegie Mellon University

Technical Report

Using Honeynets and the Diamond Model for ICS Threat Analysis

  • May 2016
  • By John Kotheimer, Kyle O'Meara, Deana Shick
  • This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an industrial control system honeynet—a network of seemingly vulnerable machines designed to lure attackers.
  • Vulnerability Analysis
  • Publisher: Software Engineering Institute
    CMU/SEI Report Number: CMU/SEI-2016-TR-006
  • Abstract

    The use of a honeynet—a network of seemingly vulnerable machines designed to lure attackers—is an established technique for collecting threat intelligence across various network environments. As a result, organizations have begun to use this approach to protect networked industrial control systems (ICS). Organizations hope to observe attempts to compromise their systems in an isolated environment, enabling them to deploy mitigations and harden their networks against emerging threats.

    This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an ICS honeynet. The data is analyzed in the context of other open source information about known threats to ICS to understand how adversaries interacted with the network and the types of attacks they attempted. To provide a more rigorous approach to characterizing these threat actors, the study employed the well-known Diamond Model of Intrusion Analysis. It applied this model to define and categorize several groups of potential threat actors observed within the data. The study also evaluated the effectiveness of honeynets as a tool for ICS threat intelligence. This report includes several recommendations for their deployment and emphasizes active interaction with external hosts to generate higher quality data.

Cite This Report

SEI

Kotheimer, John; O'Meara, Kyle; & Shick, Deana. Using Honeynets and the Diamond Model for ICS Threat Analysis. CMU/SEI-2016-TR-006. Software Engineering Institute, Carnegie Mellon University. 2016. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=454233

IEEE

Kotheimer, John, O'Meara, Kyle, and Shick, Deana, "Using Honeynets and the Diamond Model for ICS Threat Analysis," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Report CMU/SEI-2016-TR-006, 2016. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=454233

APA

Kotheimer, John, O'Meara, Kyle, & Shick, Deana. (2016). Using Honeynets and the Diamond Model for ICS Threat Analysis (CMU/SEI-2016-TR-006). Retrieved September 21, 2017, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=454233

CHI

John Kotheimer, Kyle O'Meara, & Deana Shick. Using Honeynets and the Diamond Model for ICS Threat Analysis (CMU/SEI-2016-TR-006). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2016. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=454233

MLA

Kotheimer, John, O'Meara, Kyle, & Shick, Deana. 2016. Using Honeynets and the Diamond Model for ICS Threat Analysis (Technical Report CMU/SEI-2016-TR-006). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=454233

BibTex

@techreport{KotheimerUsingHoneynets2016,
  title       = {Using Honeynets and the Diamond Model for ICS Threat Analysis},
  author      = {John Kotheimer and Kyle O'Meara and Deana Shick},
  year        = {2016},
  number      = {CMU/SEI-2016-TR-006},
  institution = {Software Engineering Institute, Carnegie Mellon University},
  address     = {Pittsburgh, PA},
  url         = {http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=454233}
}