Honeypot 4.0: We presented our ongoing work on the Cyber CNI experimentation platform at the ECW/C&ESAR!
Today we presented our ongoing work on the Cyber CNI experimentation platform at the European Cyber Week (ECW) / Computer & Electronics Security Applications Rendez-vous (C&ESAR)! The presentation was very well received, which was reflected in the excellent questions. You can find the corresponding paper here. The recording of our presentation is available here.
What is the ECW / C&ESAR?
Based in the heart of France’s cybersecurity region, Rennes, Brittany, the European Cyber Week (ECW) presents the cutting edge of cyberdefense and cybersecurity. This year’s edition features scientific and technical conferences on the topic “Artificial Intelligence and Cybersecurity”. The focus of this year’s C&ESAR is on “digital decoys”.
Our presentation is about
Operational Technology (OT) plays an essential role in modern societies. It is pivotal for applications such as water or power supply, healthcare, or transportation. At the same time, OT is often connected to the Internet to enable remote control and collaboration. Its societal impact makes OT an attractive attack target, and its connectivity to the Internet significantly increases the probability of an attack.
To protect against attacks, it is important to identify and study them. Honeypots enable such studies. However, realistic honeypots are difficult and expensive to set up. They are also inflexible, as their configuration is typically static.
In collaboration with Airbus Cybersecurity, the Chaire Cyber CNI is currently developing a mixed-interaction honeypot for critical infrastructures. The targeted setup combines physical and virtualized elements that can be flexibly reconfigured. This allows running diverse settings distributed in time or space, and the virtualized part allows scaling the experiments. The goal of the Cyber CNI honeypot is to enable closer study of attacks on Information Technology and Operational Technology (IT and OT).
The discussion with the audience revolved around the following topics:
What is the progress of the project in relation to its goals: Training? Immersion in a real environment?
The goals of the project are:
1) Experimenting: testing algorithms, ours and those of others.
2) Examining real attacks in this experimentation lab.
3) Teaching. In the end, the platform will have three parts:
- a) in the demo space of the SRCD department in Rennes, where you are welcome!
- b) in our area in the new Censyble building.
- c) in our Restricted Regime Zone (ZRR, zone à régime restrictif) for critical security experiments, and for the data from our industrial partners.
This allows us to use parts of the platform in cybersecurity education, which is very important to us.
Concerning progress: all parts have been installed and used separately for some time. The current challenge is to integrate everything and to add management functionality that allows:
- reproducible experimentation
- dynamic reconfiguration, to conduct several experiments in parallel, distributed in time and space
How is the attack traffic defined: is it based on a particular dataset or on the actions of a red team?
In our research we naturally take the position of a red team from time to time. So yes, of course, we will do that.
In addition, we are going to replay data acquired by our partners: industrial companies and other researchers.
Of course, with a honeypot we want to attract and observe attackers. Since we have real miniaturized factories, I think we have a good chance of catching them.
Also important for me: we want to open up a part of the platform to other researchers. This will allow the observation of even more attacks and, most importantly, it will enable collaboration!
I expect this new infrastructure to enable us to conduct unique experiments. In addition, the visualization part will give us unique insights. Great research opportunities are coming up!
On the Airbus CyberRange, both are feasible: pre-recorded scenarios (described in JSON and delivered to VMs and Docker containers by various means: ssh, vmtools, agents, ...) as well as real human actions performed by a red team.
As an example, the CICAT framework, based on MITRE’s ATT&CK framework, makes it possible to ‘simulate’ attacks on cyber-physical systems.
Does it make sense to consider mixed reality for the behavior of attackers?
The visualization has two major goals:
1) It provides a novel way of accessing what happens in the environment.
As humans we cannot perceive what happens inside computer systems. Visualization gives us access to this information. Our goal is to develop an intuitive view of what is happening in the system, so that humans can understand it and experiment with countermeasures while seeing the effects in real time.
The visualization will use headsets, but also “looking glasses” such as your smartphone. You know the principle from games such as Pokémon GO.
2) Mixed Reality systems will gain importance in the upcoming years and therefore constitute a new attack surface. The Cyber CNI experimentation platform will thus enable us to assess and improve the security of Mixed Reality systems, and to investigate attacks against them.