Here’s another quick overview graphic of how HoneyPoint Trojans work. We have been using these techniques since around 2008 and they are very powerful.
We have incorporated them into phishing exercises, piracy studies, incident response, intrusion detection, intelligence gathering, marketing analysis and even privacy research. To hear more about HoneyPoint Trojans, give us a call.
If the graphic below is blurry on your device, you can download a PDF version here.
Today, I just wanted to provide a quick update on the ProtoPredator family of products. As you may recall, we have released ProtoPredator for Smart Meters (PP4SM) as a commercial product. It became available over one year ago and continues to be a strongly performing tool for validating the optical security of smart meters.
I have gotten several questions from clients and the community about the ProtoPredator family and what was next. I am pleased to say that we are continuing to develop and enhance ProtoPredator for Raw Serial (PP4RS). This is currently a private, in lab tool for our testing. But, we do plan to release it eventually as a commercial tool. The tool is designed to discover serial communications, explore them, adaptively identify protocols and patterns and introduce the ability to fuzz those protocols on demand. The tool has been a long time coming and we are continuing to develop its capabilities. We want to make sure we have it fully functional prior to release.
Additionally, we are working on ProtoPredator tools for ModBus, DNP3 and other ICS protocols. Those versions are behind PP4RS in development and testing, simply due to the “scratch your own itch” workload we are using for testing. Though, DNP3 is quickly rising to the front burner.
If you have any questions about ProtoPredator, or any of the products we are working on, please let us know. We are always happy to discuss our work under NDA with folks in the ICS security field. As always, rest assured that just like PP4SM, while the products are commercially available with support and upgrades, WE DO NOT RELEASE THEM TO UNVETTED PARTIES. We think smart meter testing belongs in the hands of the professionals, as does testing other ICS protocols, so we don’t release our tools to folks not involved with utilities, manufacturing of the devices or other testing groups. If you are such a stakeholder and have an interest in the tools, please get in touch.
Thanks for reading and as always, stay safe out there!
For quite some time now, we have been using HoneyPoint Agent and Console to do some passive inventory and mapping exercises for clients, particularly those involved in ICS and SCADA deployments where active scanning to get inventories is often strongly discouraged. We had particular success with a specific client in this space a couple of weeks ago, and I wanted to discuss it here, since it has proven itself to be a useful tool and is on the top of my mind at the moment.
To get an inventory of the Windows systems on a collision domain, you simply install the Agent on a Linux box (or I suggest using the virtual appliance we already have built for your ease) and implement it and the Console. Once HoneyPoint is operational, you configure a UDP listener on port 138. From there, all of the NETBios speaking Windows systems will begin to send traffic to the host, as per the usual behavior of those systems. In this case, however, HoneyPoint will capture each source IP and log it to the Console. It will also capture the UDP datagrams from that conversation and place them as event data in the logs. By reviewing the source IPs, you can quickly and easily take stock of the Windows systems on the collision domain without sending any traffic at all to the systems. As a bonus, if you dig into the datagram data, you will also see the names of the hosts and other information.
Most of the time, this technique captures only Windows boxes, but if you have other devices out there running NETBios, they will likely get detected as well. This can include embedded systems, Unix systems running SAMBA, printers and copiers, Windows CE systems (often seen in many field equipment deployments), etc. You might be surprised what you can find.
Try this with a laptop, and move the laptop around your environment. You can pretty quickly and easily get an inventory by collision domain. You can also try dialing other NETBios ports and see if you get traffic that is routed across your switching fabric. Depending on your configuration, you might be able to gather a great deal of inventory data from a single location (especially if your network is flat and switches are poorly configured).
Give this a shot or get in touch if you would like us to come onsite and perform the inventory for you. We think it is a pretty useful technique and one that many folks are enjoying the benefits of. Let us know what you think when you give it a run in your network!
As always, thanks for reading, and until next time, stay safe out there!
PS – You can also do this with HoneyPoint Personal Edition on a Linux system, which makes it very easy and cheap to do if you don’t want to invest in a full blown HoneyPoint Security Server implementation. (You should invest though, it is a FANTASTIC detection tool!)
**(The link above is for HPPE on Windows, but if you purchase a license and contact us, we will send you the Linux build right away. You can’t easily capture port 138/UDP traffic in Windows HPPE because Windows has those ports in use…)
Don’t forget, Brent will be presenting on the SANS webinar today to discuss ICS/SCADA honeypots. Check it out and register here.
See you online and we hope you enjoy the event!
Our Founder and CEO, Brent Huston (@lbhuston) will be leading a SANS webinar on ICS/SCADA honeypots. The webinar is scheduled for November, 25th, 2013 and you can find more information and register by visiting this page.
The webinar will cover when honeypots are and are not useful, basic deployment strategies and insights into using them for detection in field deployments and control environments.
Check it out, tune in and give Brent a shout out on Twitter. Thanks for reading and we hope you enjoy the webinar.
Thanks to the attendees and speakers who participated yesterday in the 3rd Annual ICS/SCADA Security Symposium. It was another great event and once again, the center of the value was in the interactions of the audience with the speakers and each other. It’s great to hear asset owners discuss what is working, what is challenging and what is critical in their minds.
Thanks again to those who attended and contributed to making this event such a wonderful thing again this year. We appreciate it and we can’t wait until next year to do it all again.
Thank YOU!
SANS Asia Pacific ICS Summit and Training 2013 – Singapore
If you have any responsibility for security of control systems – policy, engineering, governance or operations you won’t want to miss the Asia Pacific ICS Security Summit taking place 2-8 December 2013 where you will:
Learn all about the new Global ICS Professional Security Certification
Gain the most current information regarding Industrial Control System threats and learn how to best prepare to defend against them
Hear what works and what does not from peer organizations.
Network with top individuals in the field of Industrial Control Systems security and return from the Summit with solutions you can immediately put to use in your organization.
Listen to 15+ speakers from a variety of companies who will cover exceptional content throughout the two-day Summit.
Earn CPE credits for the summit and course you attend
ICS410: ICS Cyber Security Essentials, (Brand New course) – 4-8 December taught by SANS Faculty Fellow Dr. Eric Cole will provide a standardized foundational set of skills, knowledge and abilities for Industrial Cyber Security professionals. This course is designed to ensure that the workforce involved in supporting and defending Industrial Control Systems is trained to perform work in a manner that will keep the operational environment safe, secure and resilient against current and emerging cyber threats.
Agenda highlights for the summit include:
A Community Approach to Securing the Cyberspace to Enhance National Resilience
The Good, Bad and the Ugly: Certification of People, Processes and Devices
SCADA Security Assessment Methodology: The Malaysia Experience
The State of Critical Control System Security in Japan
Smart Security : Strengthening Information Protection in Your ICS
To learn more about the Summit and Training, or register now and save 5% on your registration with code SANSICS_MSI5, please visit: http://www.sans.org/info/142537
Just a quick announcement that the 3rd annual Midwest ICS/SCADA Security Symposium date has been announced. We will be holding the event on November 14th, 2013 in Columbus, Ohio.
It is a single track, single day event which is highly focused on peer to peer interaction between asset owners, utilities, manufacturers and other interested parties. The attendees usually span the various types of ICS asset holders from water, power, natural gas, chemical, automated manufacturing and other critical infrastructures. The focus is on real world threats, changing regulatory guidance, what controls work and work less, scenarios and tactics that have helped improve security and overall changes in protection strategies in the last 12 months.
The conversations are often candid, to the point and the open forum leads to passionate and real world discussions.
All attendees are vetted to ensure confidentiality and maintain focus on real content minus vendor sales pitches. The cost to attend is FREE and coffee, snacks and lunch is provided.
To learn more about the event or to qualify for an invitation, please drop us a line via email (info A T microsolved D O T com) or via aTwitter (@lbhuston or @microsolved). If you have attended or qualified in the past for the event, your invitation will be forthcoming shortly.
Speaker selection is now underway, so watch this blog for the agenda in the near future.
I often get asked about how utility companies deploy HoneyPoint in an average implementation. To help folks with that, I whipped up this quick graphic that shows a sample high level deployment.
Thanks for reading! Let me know what you think, or if you have an interest in discussing an implementation in your environment.
Next Monday, June 17th, I’ll be presenting at the EPRI conference in Chicago. My topic is a threat update on what attackers are targeting and what kind of value future state designs and other research/planning data has on the attacker market. If you’re going to be at the event, please join me for my presentation. If you’d like to grab a coffee or the like, let me know. I’ll be around all day.
Thanks for reading and I hope to see you there!