Guardado en:
Detalles Bibliográficos
Autores principales: Williams, Jacob, Edwards, Matthew, Gardiner, Joseph
Formato: Preprint
Publicado: 2024
Materias:
Acceso en línea:https://arxiv.org/abs/2410.17731
Etiquetas: Agregar Etiqueta
Sin Etiquetas, Sea el primero en etiquetar este registro!
_version_ 1866909360345579520
author Williams, Jacob
Edwards, Matthew
Gardiner, Joseph
author_facet Williams, Jacob
Edwards, Matthew
Gardiner, Joseph
contents The convergence of information and operational technology networks has created previously unforeseen security issues. To address these issues, both researchers and practitioners have integrated threat intelligence methods into the security operations of converged networks, with some of the most valuable tools being honeypots that imitate industrial control systems (ICS). However, the development and deployment of such honeypots is a process rich with pitfalls, which can lead to undiagnosed weaknesses in the threat intelligence being gathered. This paper presents a side-channel method of covertly identifying ICS honeypots using the time-to-live (TTL) values of target devices. We show that many ICS honeypots can be readily identified, via minimal interactions, using only basic networking tools. In a study of over 8,000 devices presenting as ICS systems, we detail how our method compares to an existing honeypot detection approach, and outline what our methodology reveals about the current population of live ICS honeypots. In demonstrating our method, this study aims to raise awareness of the viability of the TTL heuristic and the prevalence of its misconfiguration despite its presence in literature.
format Preprint
id arxiv_https___arxiv_org_abs_2410_17731
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Time-to-Lie: Identifying Industrial Control System Honeypots Using the Internet Control Message Protocol
Williams, Jacob
Edwards, Matthew
Gardiner, Joseph
Cryptography and Security
Systems and Control
The convergence of information and operational technology networks has created previously unforeseen security issues. To address these issues, both researchers and practitioners have integrated threat intelligence methods into the security operations of converged networks, with some of the most valuable tools being honeypots that imitate industrial control systems (ICS). However, the development and deployment of such honeypots is a process rich with pitfalls, which can lead to undiagnosed weaknesses in the threat intelligence being gathered. This paper presents a side-channel method of covertly identifying ICS honeypots using the time-to-live (TTL) values of target devices. We show that many ICS honeypots can be readily identified, via minimal interactions, using only basic networking tools. In a study of over 8,000 devices presenting as ICS systems, we detail how our method compares to an existing honeypot detection approach, and outline what our methodology reveals about the current population of live ICS honeypots. In demonstrating our method, this study aims to raise awareness of the viability of the TTL heuristic and the prevalence of its misconfiguration despite its presence in literature.
title Time-to-Lie: Identifying Industrial Control System Honeypots Using the Internet Control Message Protocol
topic Cryptography and Security
Systems and Control
url https://arxiv.org/abs/2410.17731