search menu icon-carat-right cmu-wordmark

Using Honeynets and the Diamond Model for ICS Threat Analysis

Technical Report
This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an industrial control system honeynet—a network of seemingly vulnerable machines designed to lure attackers.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2016-TR-006

Abstract

The use of a honeynet—a network of seemingly vulnerable machines designed to lure attackers—is an established technique for collecting threat intelligence across various network environments.  As a result, organizations have begun to use this approach to protect networked industrial control systems (ICS). Organizations hope to observe attempts to compromise their systems in an isolated environment, enabling them to deploy mitigations and harden their networks against emerging threats.

This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an ICS honeynet. The data is analyzed in the context of other open source information about known threats to ICS to understand how adversaries interacted with the network and the types of attacks they attempted. To provide a more rigorous approach to characterizing these threat actors, the study employed the well-known Diamond Model of Intrusion Analysis. It applied this model to define and categorize several groups of potential threat actors observed within the data. The study also evaluated the effectiveness of honeynets as a tool for ICS threat intelligence. This report includes several recommendations for their deployment and emphasizes active interaction with external hosts to generate higher quality data.

Cite This Technical Report

Kotheimer, J., O'Meara, K., & Shick, D. (2016, May 6). Using Honeynets and the Diamond Model for ICS Threat Analysis. (Technical Report CMU/SEI-2016-TR-006). Retrieved May 24, 2024, from https://insights.sei.cmu.edu/library/using-honeynets-and-the-diamond-model-for-ics-threat-analysis/.

@techreport{kotheimer_2016,
author={Kotheimer, John and O'Meara, Kyle and Shick, Deana},
title={Using Honeynets and the Diamond Model for ICS Threat Analysis},
month={May},
year={2016},
number={CMU/SEI-2016-TR-006},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://insights.sei.cmu.edu/library/using-honeynets-and-the-diamond-model-for-ics-threat-analysis/},
note={Accessed: 2024-May-24}
}

Kotheimer, John, Kyle O'Meara, and Deana Shick. "Using Honeynets and the Diamond Model for ICS Threat Analysis." (CMU/SEI-2016-TR-006). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, May 6, 2016. https://insights.sei.cmu.edu/library/using-honeynets-and-the-diamond-model-for-ics-threat-analysis/.

J. Kotheimer, K. O'Meara, and D. Shick, "Using Honeynets and the Diamond Model for ICS Threat Analysis," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Report CMU/SEI-2016-TR-006, 6-May-2016 [Online]. Available: https://insights.sei.cmu.edu/library/using-honeynets-and-the-diamond-model-for-ics-threat-analysis/. [Accessed: 24-May-2024].

Kotheimer, John, Kyle O'Meara, and Deana Shick. "Using Honeynets and the Diamond Model for ICS Threat Analysis." (Technical Report CMU/SEI-2016-TR-006). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 6 May. 2016. https://insights.sei.cmu.edu/library/using-honeynets-and-the-diamond-model-for-ics-threat-analysis/. Accessed 24 May. 2024.

Kotheimer, John; O'Meara, Kyle; & Shick, Deana. Using Honeynets and the Diamond Model for ICS Threat Analysis. CMU/SEI-2016-TR-006. Software Engineering Institute. 2016. https://insights.sei.cmu.edu/library/using-honeynets-and-the-diamond-model-for-ics-threat-analysis/