OPSEC for honeypots
xiphosresearch.com

I know security by obscurity doesn't work in the real world, but what if some of those honeypots are actual ICS systems made to look like a poorly configured honeypot? One could host a mock service (representing a poorly configured ICS) on the cloud that acts as a wall to turn away those who don't dig deeper, but the required services are redirected to a legitimate ICS on the ground.
In this case, I think the engineering effort required to proxy a real one to make it look like a poorly-configured honeypot would be greater than actually implementing some proper security measures, like a firewall plus a VPN for any needed external access.
There was an article somewhere which recommended installing VMware Tools on a non-VM OS, just because viruses/malicious payloads will detect it, think it's a honeypot VM and shred themselves so as not to get discovered. It's a nice way to protect yourself from payloads that may otherwise have executed and been invisible in honeypots.
It's better for everyone if honeypots and normal systems look as similar as possible.
I had the same thought as GP as well. Could you not implement some of the "disguise-as-honeypot" features (such as setting the name to "HoneyTrap" or "Error: rand...") in addition to the normal security features?
In this case we're talking about embedded industrial control systems, I doubt they're easy to modify in that way.
You're probably right.
Interesting stuff - I can't decide whether to read it as a useful reminder about planning and analysis ('measure twice, cut once', if you will) or to read it just as a collection of hilarious failures.
My Friday brain is steering me very much toward the latter, I must confess.
Here's a webapp I built that does a bunch of checks to determine whether an IP is an ICS honeypot or not: https://honeyscore.shodan.io