Using Honeynets and the Diamond Model for ICS Threat Analysis
May 2016 • Technical Report
John Kotheimer, Kyle O'Meara, Deana Shick
This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an industrial control system honeynet—a network of seemingly vulnerable machines designed to lure attackers.
Software Engineering Institute
CMU/SEI Report Number
The use of a honeynet—a network of seemingly vulnerable machines designed to lure attackers—is an established technique for collecting threat intelligence across various network environments. As a result, organizations have begun to use this approach to protect networked industrial control systems (ICS). Organizations hope to observe attempts to compromise their systems in an isolated environment, enabling them to deploy mitigations and harden their networks against emerging threats.
This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an ICS honeynet. The data is analyzed in the context of other open source information about known threats to ICS to understand how adversaries interacted with the network and the types of attacks they attempted. To provide a more rigorous approach to characterizing these threat actors, the study employed the well-known Diamond Model of Intrusion Analysis. It applied this model to define and categorize several groups of potential threat actors observed within the data. The study also evaluated the effectiveness of honeynets as a tool for ICS threat intelligence. This report includes several recommendations for their deployment and emphasizes active interaction with external hosts to generate higher quality data.