"Please, Come and Hack my SCADA System!"

Mikael Vingaard, IT-Security Consultant, Energinet.dk (CISSP, GICSP)

11th Annual EnergySec Security & Compliance Summit | Sept. 14-16 | Washington D.C.


Introduction, WHOAMI and takeaway

Energinet.dk (the Danish national TSO) is responsible for the national infrastructure that supplies Denmark with electrical power and natural gas. We are a non-profit enterprise fully owned by the Danish government.

$whoami

Takeaway: this presentation gives a non-technical overview, combined with real-life cases, of the advantages a honeypot network may provide to the sector.

What is a Honeypot?

A honeypot is a fake, deliberately "vulnerable" IT system or service. The goal of running one is to learn more about your attackers and the methods they will use to breach your systems.

There are three deployment "modes": internal, DMZ and external. This research concentrates on the last one, external honeypots.

Done right, a honeypot is a cost-effective way to gather (close to) real-time threat intelligence.

Con Honeypots

Deployment must be carefully planned, especially in DMZ and external mode.

PR/media and potential legal questions must be considered.

"To be breached or not to be breached": an ongoing process to prevent your assets from becoming a liability.

A word on geo-location.

Intelligence gathering is a process, not a destination.

Pro Honeypot

Cost-effective, real-time threat intelligence compared with some external vendors' threat feeds.

The information is as generic (or as custom-made) as you want it to be.

Depending on the deployment scenario, you can establish whether a specific attack is directed at your organization or at "everyone".

Deployment methods and options have matured a lot over the last few years.

Last but not least: FUN!

4 types of attackers (external only)

[Figure: attackers plotted on two axes. Y = dedication to harm YOUR organization; X = technical knowledge & resources.]

Technical setup – 4 types of Honeypots

Type 1: "Crash and burn"
Red Storm Rising, ultimate level: "Life can be brutal and short."

Type 2: "Too fake to be true"
Run, if you have any understanding of IT/OT systems.

Type 3: "Regular Honeypots"
I am right here...

Type 4: "Hidden Honeypots"
Breach me, if you can find me.

Case "Human or automated attack"

Type 1: "Crash and burn"

From "boot" to "oh no, Houston, we do have a problem": the shortest time was 26 minutes.

192.168.1.141:22   192.168.1.5:44586       ESTABLISHED
192.168.1.141:22   101.227.241.251:57705   ESTABLISHED
192.168.1.141:22   115.239.248.238:35325   ESTABLISHED
192.168.1.141:22   1.85.44.222:44587       ESTABLISHED
.....

(Only the first session comes from the local network, an RFC 1918 address; the other three SSH sessions are from public addresses and are already established on the honeypot.)

MOTD banner fun:

"You are currently breaching my honeypot,
ABUSE report with PCAP evidence will be mailed
to your ISP"

Case "The Internet is NOT your oyster"

Type 2: "Too fake to be true"

Reply to an abuse report (honeypots on public cloud providers):

"These connections are part of an Internet-wide research study being conducted by computer scientists at the University of Michigan. The research involves making benign connection attempts to every public IP address. By measuring the entire public address space, we are able to analyze global patterns and trends in protocol deployment and security.

If our scans are causing problems, we would be happy to exclude your host or network from future research scans from the University of Michigan. Simply send us your IP address or CIDR prefix."

Case "Smile - you are on camera"

Type 3: "Regular Honeypots"

The attacker first tries the following user name and password combination: username: PlcmSpIp, password: PlcmSpIp.

This combination is the factory default for many Polycom products, e.g. the SoundPoint SIP (VoIP) phones.

Immediately afterwards the attacker tries root:TANDBERG, which happens to be the default user name/password on Tandberg/Cisco boardroom videoconferencing systems.

Both targets are camera/voice systems: the goal is surveillance via camera and microphone.
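The credential sequence above tells you what the attacker is hunting for, regardless of what the honeypot pretends to be. The following is an added example (not code from the presentation) that reads a honeypot's login-attempt log and maps each tried pair to the device family it is a factory default for. The log format and the default-credential table are constructed for illustration; a real honeypot such as Cowrie logs in its own format, and the table should be grown from your own data.

```python
"""Fingerprint the device an SSH brute-forcer is really after from the
credential pairs it tries. Added example, not from the presentation: the
default-credential table and the log lines are constructed for illustration."""
import re
from collections import Counter

# Vendor factory defaults: the two pairs named in the talk plus generic ones
# (assumed list; extend it from your own honeypot data).
DEFAULT_CREDENTIALS = {
    ("PlcmSpIp", "PlcmSpIp"): "Polycom SoundPoint SIP phone",
    ("root", "TANDBERG"): "Tandberg/Cisco videoconferencing system",
    ("admin", "admin"): "generic router/CPE default",
    ("root", "root"): "generic embedded Linux default",
}

# Constructed honeypot log: "<ts> login attempt [user/pass] <result> from <ip>".
SAMPLE_LOG = """
2015-06-01T10:00:01Z login attempt [PlcmSpIp/PlcmSpIp] failed from 203.0.113.7
2015-06-01T10:00:02Z login attempt [root/TANDBERG] failed from 203.0.113.7
2015-06-01T10:00:03Z login attempt [root/password] failed from 203.0.113.7
2015-06-01T10:05:40Z login attempt [admin/admin] failed from 198.51.100.23
2015-06-01T10:05:41Z login attempt [admin/1234] failed from 198.51.100.23
this line is not a login record and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] "
    r"(?P<result>succeeded|failed) from (?P<src>\S+)$"
)


def parse_attempts(lines):
    """Turn log lines into dicts (ts, user, pw, result, src); non-matching lines are skipped."""
    attempts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            attempts.append(m.groupdict())
    return attempts


def classify_attempt(user, password):
    """Device family whose factory default this pair is, or None if unknown."""
    return DEFAULT_CREDENTIALS.get((user, password))


def fingerprint_sources(attempts):
    """Per source IP, the device families its guesses target, in first-seen order.
    The sequence is the attacker's shopping list: PlcmSpIp followed by root/TANDBERG
    says 'I am hunting conferencing gear', whatever the honeypot looks like."""
    targets = {}
    for a in attempts:
        device = classify_attempt(a["user"], a["pw"])
        if device is None:
            continue
        seen = targets.setdefault(a["src"], [])
        if device not in seen:
            seen.append(device)
    return targets


def attempts_per_source(attempts):
    """Volume per source, useful to separate one curious human from a bot run."""
    return Counter(a["src"] for a in attempts)


if __name__ == "__main__":
    parsed = parse_attempts(SAMPLE_LOG.strip().splitlines())
    counts = attempts_per_source(parsed)
    for src, devices in fingerprint_sources(parsed).items():
        print(f"{src}: {counts[src]} attempts -> {', '.join(devices)}")
```

Unknown pairs are deliberately not discarded: keep them, they are the raw material for the "25,000+ combinations" kind of dataset and for growing the table.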

Case "The day before Zero"

Huawei WiMAX CPE BM632w (undocumented backdoor).

Reversed binary configuration (router firmware):

<UserInfoInstance InstanceID="1" Username="admin" Userpassword="admin" UserLevel="2"/>
<UserInfo NumberOfInstances="1">
  <UserInfoInstance InstanceID="1" Username="wimax" Userpassword="wimax820" Userlevel="0"/>
</UserInfo>

The documented admin account sits next to a second, undocumented "wimax" account in the same configuration.

Date: 30 May 2015 | Exploit Author: Koorosh Ghorbani | Site: http://8thbit.net/
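Finding that second account is a matter of reading every credential-bearing entry in the dump and comparing it against what the vendor documents. The following is an added example, not code from the talk or from the cited exploit write-up: it parses a constructed XML sample in the shape of the configuration shown above (wrapped in a root element so it parses as one document), lists all UserInfoInstance accounts, flags the ones not in an assumed "documented" set, and sweeps the rest of the tree for other secret-looking attributes. Note that the dump mixes `UserLevel` and `Userlevel`, so attribute lookup is case-insensitive.

```python
"""Triage a reversed router/CPE configuration dump for accounts the vendor
did not document. Added example, not from the presentation or the original
exploit: SAMPLE_CONFIG is constructed in the shape of the BM632w dump, and the
'documented' account set passed by the caller is an assumption."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<Config>
  <UserInfo NumberOfInstances="1">
    <UserInfoInstance InstanceID="1" Username="admin" Userpassword="admin" UserLevel="2"/>
  </UserInfo>
  <UserInfo NumberOfInstances="1">
    <UserInfoInstance InstanceID="1" Username="wimax" Userpassword="wimax820" Userlevel="0"/>
  </UserInfo>
  <Wlan Ssid="office" WpaPassphrase="s3cret-wifi"/>
</Config>"""


def _attr(elem, name):
    """Case-insensitive attribute lookup: the dump mixes 'UserLevel' and 'Userlevel'."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return None


def extract_accounts(xml_text):
    """All UserInfoInstance entries as dicts, in document order."""
    root = ET.fromstring(xml_text)
    return [
        {
            "username": _attr(inst, "Username"),
            "password": _attr(inst, "Userpassword"),
            "level": _attr(inst, "UserLevel"),
        }
        for inst in root.iter("UserInfoInstance")
    ]


def find_undocumented(accounts, documented):
    """Accounts whose user name is not in the vendor-documented set: backdoor candidates."""
    return [a for a in accounts if a["username"] not in documented]


def find_secret_attributes(xml_text):
    """Sweep every element for attributes that look like secrets, so credentials stored
    outside the UserInfo tree (Wi-Fi keys, PPPoE, TR-069 accounts) are not missed."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        for key, value in elem.attrib.items():
            if any(word in key.lower() for word in ("password", "passphrase", "secret", "key")):
                hits.append((elem.tag, key, value))
    return hits


if __name__ == "__main__":
    accounts = extract_accounts(SAMPLE_CONFIG)
    for acct in find_undocumented(accounts, documented={"admin"}):
        print("undocumented account:", acct)
    for tag, key, value in find_secret_attributes(SAMPLE_CONFIG):
        print(f"{tag}.{key} = {value}")
```

On a real dump the configuration is usually not clean XML until it has been decrypted or decompressed from the firmware; the parsing step is the same once that is done.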

Honeypots, SCADA & open source

Open source can get you a long way, even on a tight budget.

• Tools and deployment methods are available to make your life (more) easy as a honeypot asset owner.

• It is possible to proxy/mix a honeypot with real (e.g. older / decommissioned) SCADA devices.

• DefCon/Blackhat observations.
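Mixing a real, decommissioned device into a honeypot makes the responses convincing, but the proxy in front of it must decide which requests may reach the real hardware. The following is an added example, not code from the presentation or any particular honeypot project: a Modbus/TCP request handler that logs every request, forwards read-only function codes to the real unit and answers writes (and anything unknown) with a Modbus exception, so an attacker can read the device but never actuate it. The frames are constructed and the read-only policy is an assumption to tune for the device you expose.

```python
"""Front a real (older / decommissioned) SCADA device with a honeypot proxy:
log every Modbus/TCP request, forward read-only function codes to the real
unit, answer writes locally with a Modbus exception. Added example, not from
the presentation; frames are constructed and the policy is an assumption."""
import struct

# Modbus/TCP application header (MBAP): transaction id, protocol id (always 0),
# length of what follows (unit id + PDU), unit id. The function code comes next.
MBAP = struct.Struct(">HHHB")

# Function codes that only read state; everything else is treated as a write.
READ_ONLY = {0x01, 0x02, 0x03, 0x04, 0x07, 0x11, 0x2B}


def parse_request(frame):
    """Decode one Modbus/TCP request; raise ValueError on anything malformed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(frame)
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    func, data = frame[7], frame[8:]
    req = {"tid": tid, "unit": unit, "function": func, "data": data}
    if func in (0x01, 0x02, 0x03, 0x04) and len(data) == 4:
        req["address"], req["quantity"] = struct.unpack(">HH", data)
    elif func in (0x05, 0x06) and len(data) == 4:
        req["address"], req["value"] = struct.unpack(">HH", data)
    return req


def decide(req):
    """'forward' for reads, 'deny' for writes and unknown/vendor-specific codes."""
    return "forward" if req["function"] in READ_ONLY else "deny"


def exception_response(req, code=0x01):
    """Modbus exception reply (default 0x01, illegal function) for denied requests."""
    pdu = bytes([req["function"] | 0x80, code])
    return MBAP.pack(req["tid"], 0, len(pdu) + 1, req["unit"]) + pdu


def handle_frame(frame, send_to_device, log):
    """Log the request, then forward it via send_to_device (a callable returning the
    real device's raw reply) or answer with an exception. Returns the reply bytes
    for the attacker, or None for a malformed frame (which is logged, not forwarded)."""
    try:
        req = parse_request(frame)
    except ValueError as err:
        log.append(("malformed", str(err)))
        return None
    decision = decide(req)
    log.append((decision, req["unit"], req["function"], req.get("address")))
    if decision == "forward":
        return send_to_device(frame)
    return exception_response(req)


def fake_real_device(frame):
    """Stand-in for the real device (constructed): answers register reads with zeros."""
    req = parse_request(frame)
    qty = req.get("quantity", 0)
    pdu = bytes([req["function"], 2 * qty]) + bytes(2 * qty)
    return MBAP.pack(req["tid"], 0, len(pdu) + 1, req["unit"]) + pdu


# Constructed frames: read 10 holding registers from 0, and write single coil 0x0010 ON.
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
WRITE_FRAME = bytes.fromhex("0002 0000 0006 01 05 0010 ff00")

if __name__ == "__main__":
    audit = []
    for frame in (READ_FRAME, WRITE_FRAME, b"\x00\x01"):
        reply = handle_frame(frame, fake_real_device, audit)
        print(audit[-1], "->", reply.hex() if reply else None)
```

In a deployment, `send_to_device` is the function that talks to the real unit over its own isolated network segment, and the audit log is what feeds your IOC collection; the exception reply keeps the attacker engaged without the write ever leaving the proxy.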

Closing remarks

Yes, it is possible!

• 50+ reports sent to various organizations: ISPs, CERTs, universities, corporations and governmental agencies.

"The more you give, the more you get"

• 800+ Indicators of Compromise (IOCs) detected.

• 25,000+ user name/password combinations collected.

Future areas of research:

More "type 4" honeypots, and automated threat feeds in various formats: STIX/TAXII and IDS signatures.
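Turning honeypot observations into the STIX and IDS-signature feeds mentioned above starts from something as simple as the connection listing in the "Human or automated attack" case. The following is an added example (not code from the presentation) that serves both passages: it picks the external peers out of netstat-style lines, then emits one Suricata rule per source/port and one STIX 2.1 indicator per source IP. The listing is constructed with RFC 5737 documentation addresses, the local-network list and the sid range are assumptions, and the STIX object carries only the required fields.

```python
"""From a honeypot's connection table to a shareable feed: external peers out
of netstat-style lines, then Suricata rules and STIX 2.1 indicators. Added
example, not from the presentation; the listing is constructed (RFC 5737
ranges) and the local-network list and sid base are assumptions."""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

NETSTAT_RE = re.compile(
    r"^(?P<laddr>[\d.]+):(?P<lport>\d+)\s+(?P<raddr>[\d.]+):(?P<rport>\d+)\s+ESTABLISHED$"
)

# Address space that is "us", not an attacker. Checked explicitly rather than with
# ipaddress.is_private / is_global, which also classify the RFC 5737 documentation
# ranges used in the sample as non-global.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed listing in the shape of the slide's netstat output.
SAMPLE_NETSTAT = """
192.168.1.141:22    192.168.1.5:44586     ESTABLISHED
192.168.1.141:22    203.0.113.7:57705     ESTABLISHED
192.168.1.141:22    198.51.100.23:35325   ESTABLISHED
192.168.1.141:22    203.0.113.7:44587     ESTABLISHED
192.168.1.141:2323  203.0.113.9:40001     ESTABLISHED
127.0.0.1:22        127.0.0.1:50000       ESTABLISHED
"""


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def external_peers(lines):
    """Sorted, de-duplicated (remote_ip, local_port) pairs for ESTABLISHED sessions
    from outside the local ranges; your own management logins are dropped."""
    peers = set()
    for line in lines:
        m = NETSTAT_RE.match(line.strip())
        if m is None:
            continue
        ip = ipaddress.ip_address(m["raddr"])
        if not is_local(ip):
            peers.add((str(ip), int(m["lport"])))
    return sorted(peers)


def suricata_rule(ip, port, sid):
    """One alert rule for traffic from a honeypot-observed source to that service port."""
    return (f'alert tcp {ip} any -> $HOME_NET {port} '
            f'(msg:"Honeypot IOC: {ip} seen on port {port}"; flow:to_server; '
            f'classtype:attempted-recon; sid:{sid}; rev:1;)')


def stix_indicator(ip, now):
    """Minimal STIX 2.1 indicator with an ipv4-addr pattern."""
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"Honeypot-observed source {ip}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{ip}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }


def build_feed(lines, sid_base=1000001, now=None):
    """Rules (one per IP/port pair) and a STIX bundle (one indicator per IP)."""
    now = now or datetime.now(timezone.utc)
    peers = external_peers(lines)
    rules = [suricata_rule(ip, port, sid_base + i) for i, (ip, port) in enumerate(peers)]
    indicators = [stix_indicator(ip, now) for ip in sorted({ip for ip, _ in peers})]
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": indicators}
    return {"rules": rules, "bundle": bundle}


if __name__ == "__main__":
    feed = build_feed(SAMPLE_NETSTAT.strip().splitlines())
    print("\n".join(feed["rules"]))
    print(json.dumps(feed["bundle"], indent=2))
```

Two caveats before anything leaves the organization: the 26-minute "crash and burn" box also shows research scanners and your own management sessions, so filter by what the peer actually did, not only by address; and sids must come from a range reserved for local rules so the feed never collides with upstream rule sets.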

Questions

Deal of the day: "Ask me two good questions, and the third question is free" :-)

Thank you for your attention

Contact details:

Mikael Vingaard | [email protected]