OPSEC for honeypots (opens in new tab)

(xiphosresearch.com)

75 pointsluck8710y ago8 comments

8 comments

I know security by obscurity doesn't work in the real world, but what if some of those honeypots are actual ICS systems made to look like a poorly configured honeypot? One could host a mock service (representing a poorly configured ICS) on the cloud that acts as a wall to turn away those who don't dig deeper, but the required services are redirected to a legitimate ICS on the ground.

gherkin010y ago

In this case, I think the engineering effort required to proxy a real one to make it look like a poorly-configured honeypot would be greater than actually implementing some proper security measures, like a firewall plus a VPN for any needed external access.

Pharaoh210y ago

There was an article somewhere, which recommended installing vmware tools on a non-vm OS, just because virus/malicious payloads will detect it, think it's a honeypot vm and shred itself so as not to get discovered. It's a nice way to protect yourself from payloads that may otherwise have executed and be invisible in honeypots.

It better for everyone if honeypots and normal systems looks as similar as possible.

ilyanep10y ago

I had the same thought as GP as well. Could you not implement some of the "disguise-as-honeypot" features (such as setting the name to "HoneyTrap" or "Error: rand...") in addition to the normal security features?

1 more reply

n-exploit10y ago

You're probably right.

eponeponepon10y ago

Interesting stuff - I can't decide whether to read it as an useful reminder about planning and analysis ('measure twice, cut once', if you will) or to read it just as a collection of hilarious failures.

My Friday brain is steering me very much toward the latter, I must confess.

achillean10y ago

Here's a webapp I built that does a bunch of checks to determine whether an IP is an ICS honeypot or not: https://honeyscore.shodan.io

j / k navigate · click thread line to collapse

8 comments

n-exploit10y ago

gherkin010y ago

Pharaoh210y ago

It better for everyone if honeypots and normal systems looks as similar as possible.

ilyanep10y ago

1 more reply

n-exploit10y ago

You're probably right.

eponeponepon10y ago

My Friday brain is steering me very much toward the latter, I must confess.

achillean10y ago

Here's a webapp I built that does a bunch of checks to determine whether an IP is an ICS honeypot or not: https://honeyscore.shodan.io

j / k navigate · click thread line to collapse