
OPSEC for honeypots - luck87
http://xiphosresearch.com/2015/12/09/OPSEC-For-Honeypots.html
======
n-exploit
I know security by obscurity doesn't work in the real world, but what if some
of those honeypots are actual ICS systems made to look like a poorly
configured honeypot? One could host a mock service (representing a poorly
configured ICS) on the cloud that acts as a wall to turn away those who don't
dig deeper, but the required services are redirected to a legitimate ICS on
the ground.

~~~
gherkin0
In this case, I think the engineering effort required to proxy a real one to
make it look like a poorly-configured honeypot would be greater than actually
implementing some proper security measures, like a firewall plus a VPN for any
needed external access.

~~~
ilyanep
I had the same thought as GP as well. Could you not implement some of the
"disguise-as-honeypot" features (such as setting the name to "HoneyTrap" or
"Error: rand...") in addition to the normal security features?

~~~
gherkin0
In this case we're talking about embedded industrial control systems; I doubt
they're easy to modify in that way.

------
eponeponepon
Interesting stuff - I can't decide whether to read it as a useful reminder
about planning and analysis ('measure twice, cut once', if you will) or to
read it just as a collection of hilarious failures.

My Friday brain is steering me very much toward the latter, I must confess.

------
achillean
Here's a webapp I built that does a bunch of checks to determine whether an IP
is an ICS honeypot or not:
https://honeyscore.shodan.io

