ANALYZING INDUSTRIAL-CONTROL-SYSTEMS ATTACKS WITH INTEGRATED SECURITY-MONITORING TOOLS AND ADVERSARY EMULATION

Authors
Athaydes Fadanelli, Sergio Henrique
Advisors
Rowe, Neil C.
Nguyen, Thuy D.
Subjects
cybersecurity
Industrial Control Systems
ICS
honeypot
Security-Information and Event Management (SIEM)
Splunk
Zeek
MITRE ATT&CK
MITRE Caldera
Date of Issue
2025-03
Publisher
Monterey, CA; Naval Postgraduate School
Abstract
Cyberattacks on Internet-connected industrial control systems create risks to critical infrastructures. Mitigating these risks requires recognizing the attack patterns, methods, and behavior of attackers. This research investigated ways to gather intelligence on adversaries using honeypots (deceptive systems deployed specifically to collect information) combined with intrusion-detection and security-information-and-event-management technologies. We deployed a cloud-based set of honeypots situated in several countries to collect data on, and analyze, real-world attacks against simulated power grids and industrial (BACnet and Modbus) devices. Data collected by our honeypots was analyzed using Splunk, a commercial security-event-monitoring product, and Zeek, an open-source intrusion-detection system, to detect and characterize cyberattacks. We used the MITRE Caldera adversary-emulation toolset and the MITRE ATT&CK framework to simulate realistic attacks. Informed by the simulated attacks, we created Splunk queries and Zeek scripts to extract insights from the collected data and generate Splunk alerts. We observed many exploits of network protocols and legitimate services, remote code execution, brute-force credential cracking, and denial of service. Our results confirmed that honeypots with integrated security monitoring can offer defenders a richer set of real-time alerts and actionable information about malicious activities than single tools used alone.
Type
Thesis
Distribution Statement
Distribution Statement A. Approved for public release: Distribution is unlimited.
Rights
Copyright is reserved by the copyright owner.