Honeypot: New threat detection functionality of InprOTech Guardian


In the current context, industrial networks are facing an increasing number of cyber-attacks, therefore, more proactive and specialized security solutions are required. InprOTech Guardian emerges as an advanced monitoring tool, designed to protect critical infrastructures without disrupting their operations.

With the addition of its new capability, Guardian can incorporate a honeypot that acts as a decoy, attracting and recording malicious activity. This functionality allows potential attacks to be identified at an early stage, providing plant operators with key information to mitigate risks quickly and effectively, which significantly strengthens network security and optimises the performance of our tool.

This article written by Samuel Pampillón, software developer at InprOTech, discusses the honeypot concept, the rationale behind our InprOTech Guardian tool and how the fusion of these technologies offers a considerable boost to the security of industrial environments.

Why InprOTech GUARDIAN?

InprOTech Guardian is a cybersecurity tool specifically designed and developed to protect industrial networks. Its main objective is to monitor the traffic generated in production environments and analyse it using a combination of static rules, an IDS and AI-powered rules. This approach makes it possible to identify threats effectively and issue alerts in real time, directly notifying plant managers and/or operators of possible attacks or operational failures, enabling them to anticipate and reduce the impact.

Particularly noteworthy is the incorporation of Machine Learning and Artificial Intelligence algorithms and technology, which let it adapt dynamically to complex behavioural patterns when analysing traffic, statistics and even process variables.

In addition, InprOTech GUARDIAN makes it possible to inventory wired and wireless industrial assets, manage plant vulnerabilities, analyse traffic and generate service reports.

What is a Honeypot?

A honeypot, commonly known as a “trap system” or “decoy”, is a highly effective security tool. Its purpose is to simulate a real device within the network, appearing vulnerable so as to lure potential attackers into believing that they have accessed a real system. However, this environment is completely isolated, allowing detailed monitoring and analysis of the techniques and vulnerabilities they are trying to exploit, making it a powerful solution for threat detection and analysis.

How is it used?

When a honeypot is installed, it is usually deployed on a machine that is not in production. This system acts as the target of the attack, making it possible to gather valuable information about the tactics employed by attackers and then apply protective measures to the company's critical devices.

To implement one correctly, it is essential to configure the infrastructure in such a way that any external attack entering the network is first directed towards the honeypot. In this way, attackers will focus their efforts on this trap system rather than on critical assets.

It is important to keep in mind that honeypots, like any other computer system, can have faults or vulnerabilities. Moreover, their capabilities are limited to detecting and logging attacks specifically targeted against them. They cannot prevent or stop threats that affect other devices on the network. They should therefore be seen as a complementary tool within a broader cyber security strategy.

When implementing a honeypot in an infrastructure of a company, there are two main options:

  • Physical honeypot: consists of a dedicated machine, integrated into the network with its own IP address. It presents itself as a legitimate server, but in reality it is highly protected and monitored, sending detailed information about the attackers to administrators for analysis.
  • Virtual honeypot: runs within a virtualization environment, sharing resources with other systems on a physical server. It is a more cost- and resource-efficient option, as it allows for threat detection without the need for dedicated hardware.

Honeypot types

We can classify honeypots into five main categories, according to their interaction level and purpose.

  • High-interaction honeypot: simulates a full operating system with real services and applications, allowing deep interaction with attackers. These are highly sophisticated and collect detailed data on intrusion tactics and vulnerability exploitation.
  • Low-interaction honeypot: simulates specific services, such as Modbus, OPC UA, TCP or web servers, with limited functionality. These are easier to implement and maintain than high-interaction ones, but still provide valuable information.
  • Honeynets: consist of a network of interconnected honeypots that simulate a real infrastructure, allowing attacks to be monitored from multiple points. They provide a broader view of attackers’ methods and behaviour in complex networks.
  • Hardware honeypots: a physical device designed to simulate services and vulnerabilities within a network. It is used in environments where virtualization is not feasible, such as industrial or IoT networks.
  • Malware honeypots: focus on attracting malware for analysis. They simulate known vulnerabilities and allow new variants to be studied, helping to develop more effective defence measures.

Combining technologies

The integration of the honeypot in InprOTech GUARDIAN represents a significant advance in the monitoring and protection of industrial networks. In this first implementation, we have incorporated a low interaction honeypot, specifically designed to simulate Modbus, one of the most widely used protocols in industrial infrastructures. Thanks to this capability, we can attract and log malicious access attempts without compromising the security of real systems.
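As an added illustration of what a low-interaction Modbus decoy does (example code written for this article, not the implementation inside InprOTech Guardian), the following Python script parses the Modbus/TCP MBAP header, answers Read Holding Registers from a constructed zero-filled register map so the device looks live, refuses every other function code with a Modbus exception, and emits one alert line per contact that a monitoring tool could ingest. The listening port 5020, the register map and the alert-line format are assumptions.

```python
import logging
import socketserver
import struct

# Hypothetical minimal low-interaction Modbus/TCP decoy (added example, not InprOTech
# Guardian's code). It answers like a small PLC but holds no real process data.
MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id
FAKE_REGISTERS = [0] * 100      # constructed decoy holding-register map
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS = 0x01, 0x02

def parse_request(frame):
    """Split MBAP header + PDU; return None if the frame is not valid Modbus/TCP."""
    if len(frame) < MBAP.size + 1:
        return None
    tid, pid, length, unit = MBAP.unpack_from(frame)
    if pid != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}

def build_response(req):
    """Serve Read Holding Registers (FC 3) from the decoy map; refuse everything else."""
    fc, data = req["fc"], req["data"]
    if fc == 3 and len(data) == 4:
        start, count = struct.unpack(">HH", data)
        if 1 <= count <= 125 and start + count <= len(FAKE_REGISTERS):
            regs = FAKE_REGISTERS[start:start + count]
            pdu = bytes([fc, 2 * count]) + struct.pack(">%dH" % count, *regs)
        else:
            pdu = bytes([fc | 0x80, ILLEGAL_DATA_ADDRESS])
    else:
        pdu = bytes([fc | 0x80, ILLEGAL_FUNCTION])  # the refusal a real device would send
    return MBAP.pack(req["tid"], 0, len(pdu) + 1, req["unit"]) + pdu

def handle_frame(frame, peer):
    # Returns the alert line a monitoring tool would ingest, plus the wire reply (or None).
    req = parse_request(frame)
    if req is None:
        return "honeypot modbus peer=%s event=malformed len=%d" % (peer, len(frame)), None
    line = "honeypot modbus peer=%s unit=%d fc=%d data=%s" % (peer, req["unit"], req["fc"], req["data"].hex())
    return line, build_response(req)

class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        frame = self.request.recv(260)           # largest legal Modbus/TCP ADU
        line, reply = handle_frame(frame, self.client_address[0])
        logging.warning(line)                    # any contact with the decoy is suspicious
        if reply:
            self.request.sendall(reply)

if __name__ == "__main__":
    socketserver.TCPServer(("0.0.0.0", 5020), Handler).serve_forever()  # 5020: unprivileged port
```

Because the decoy has no legitimate users, every alert line is worth forwarding to the monitoring platform; the unit id, function code and data bytes are what an analyst uses to tell a reconnaissance scan from a write attempt.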

By combining the threat detection capabilities present in InprOTech GUARDIAN with the power of honeypots as trap systems, we have achieved a synergy that takes cyber security to a new level.

This new functionality not only detects attacks in their early stages, but also collects and analyses data on intrusion attempts, providing key information to understand the tactics used by attackers and improve the company's cyber security strategies.

With this new implementation, InprOTech, following our philosophy of innovation and commitment to industrial security, reinforces our capacity for anticipation and response, offering our clients a more robust, adaptable and effective solution for the defence of their critical infrastructures.

Benefits

The use of trap systems such as honeypots can be key to improving cyber security planning and has multiple benefits:

  • Early identification of threats: they enable proactive detection of attacks by attracting attackers before they can compromise real systems. This early identification provides a significant advantage in incident response and mitigation of potential damage.
  • Threat intelligence gathering: by recording the activity of attackers, honeypots provide key information about their tactics, techniques and procedures, enabling a better understanding of threats and more effective reinforcement of defences.
  • Training and coaching: the implementation of honeypots provides an opportunity to train security personnel in threat detection and response, allowing them to improve their skills by analysing attacks in a controlled environment.
  • Attack diversion: by luring attackers into simulated environments, honeypots divert attention away from real systems, reducing the risk of compromise and damage to critical infrastructure.
  • Security system assessment: honeypots assess the effectiveness of existing defences by analysing how attackers attempt to evade them, providing key information to optimise and strengthen security measures.
  • Forensic investigation: honeypots provide valuable data for forensic investigations, allowing the flow of events to be reconstructed and the scope and impact of an attack to be assessed through captured activity logs.
  • Protection against unknown attacks: honeypots detect attacks that may go unnoticed by conventional security tools, providing an additional layer of protection against unknown threats and advanced attacks.

Summary

In an environment where cyber threats are constantly evolving, the security of industrial networks requires innovative and adaptive solutions. InprOTech GUARDIAN is an advanced threat detection and monitoring tool designed specifically for critical infrastructures.

Now, with the integration of a specialized low-interaction honeypot, GUARDIAN takes industrial cyber security a step further. This technology acts as a decoy that simulates a real device, attracting potential attackers and recording their intrusion attempts. With this fusion of advanced monitoring and deception techniques, we not only improve risk visibility, but also significantly strengthen incident response capabilities.

At InprOTech, we remain committed to developing solutions that not only detect threats, but transform knowledge into proactive strategies for protecting industrial environments.

Contact Us

If you found this new feature interesting and would like to learn more about it, please do not hesitate to contact us by clicking here. Our team will be ready to help you at any time.
