[Updates to this story appear on page two.]
On Tuesday, Bloomberg published a story based on honeypot scans, which was a follow-up to a previously published piece that explored the nature of attacks against industrial-control systems.
Bloomberg's stories were made possible by ThreatStream, the providers of Optic, a next generation, threat intelligence platform.
At first glance, after a reader shared Bloomberg's story with Salted Hash, they seemed to have a great article looking at attacks against ICS and the assets they control. However, something didn't add up. The Bloomberg author briefly discussed the honeypot that ThreatStream configured for them, and then dived into the attack figures.
Briefly, honeypots are traps. They are designed to mimic vulnerable systems or networks, which are used to gather intelligence on an attacker, such as tactics and motives, as well as an understanding of their workflow.
The raw data from the ThreatStream honeypot used in Bloomberg's stories showed the U.S. as the top source of attacks, followed by China, Russia, and the Netherlands (oddly enough). In the follow-up story, Bloomberg said that ThreatStream "went deeper" and offered additional insight into the data that was originally collected.
From the article:
"Hidden in the larger dataset, which catalogued thousands of reconnaissance probes against our honeypots, was a subset of attacks that revealed the location of computers used to not only find Internet-connected control systems, but to manipulate them as well with specialized software and communications protocols. In other words, these were recon missions sent by machines that also had some level of ability to do damage."
When comes to reconnaissance, ThreatStream told Bloomberg that Turkey, followed by the U.S. and China were the top countries where control-system commands were detected. When this data was sorted by city, Beijing remained the top source, followed by Chattanooga, TN.
Greg Martin, the founder and chief technical officer of ThreatStream, told Bloomberg in an interview for the original story that it was possible some of the probes could be from security companies and academia.
But, he added, "the dataset is large and diverse enough that it probably includes a large amount of military organizations, if not all of them (proxied or not)."
And that's where things fall to pieces.
The scans from Chattanooga were not nation-state actors. The scans likely came Stephen Hilt, a researcher for Digital Bond, Inc., who was performing tests for a talk that was given last weekend at DerbyCon.
Hilt's talk was centered on Redpoint, a Digital Bond research project to enumerate ICS applications and devices.
"The Redpoint tools use legitimate protocol or application commands to discover and enumerate devices and applications. There is no effort to exploit or crash anything," the project's documentation explains.
A new Redpoint script was released publicly after the DerbyCon presentation. Redpoint scripts include the ability to identify and enumerate BACnet devices, EtherNet/IP devices from Rockwell Automation and other vendors, Siemens SIMATIC S7 PLCs, and Modicon PLC's made by Schneider Electric. It's important to note that Modicon was the newly released script, the others have been available since April.
When asked if his research was the likely source of the data collected by ThreatStream, Hilt confirmed that it was possible, as their honeypots were some of those discussed during his talk.
When questioned by Salted Hash, ThreatStream said the honeypots that were scanned for the Bloomberg story did not advertise any legitimate services.
"The scans were on tcp port 102 and the requests were mostly protocol compliant. Siemens utilizes port 102 to administer their products, mostly the SIMATIC Series 7 PLCs (SCADA). We are not familiar with other services that use this port. We are not sure what the intent of the scans are; however we are not finished analyzing this data set," ThreatStream's statement explained.
Given the nature of the Redpoint tools, and Hilt's slide deck (which includes the scans on the S7 PLC); at this point ThreatSim confirmed that they detected the researcher's scans.
But how is it that the researcher's probes didn't stand out, given that all of them were from the same location and were fingerprinting ICS assets. How was an anomaly of this size overlooked?
"We filtered out all the known researcher servers that we know of for this story. The Chattanooga IP in particular did not show up in DShield or any other security feeds or security mailing lists we reviewed – both public and private," ThreatStream said.
A lack of intelligence on known researcher's IP addresses isn't surprising, neither is a lack of intelligence on open source tools used to protect critical infrastructure, but it is disappointing, given that the data was used in a nationally syndicated article on the topic.
The point being, while ICS security is a very serious topic, something that isn't to be taken lightly, addressing the risks associated with those infrastructures requires more than a honeypot and a best guess.
Bloomberg's story is pure FUD, and there is no clear answer as to why ThreatStream didn't try and inject some clarity into the dataset while working with the story's author during development. However, they stand by their results.
When questioned about the Chattanooga IP, after being told that the scans were from a researcher working on a talk for DerbyCon, ThreatStream said that the intent of the scans was unclear to them, adding that they couldn't say "whether or not they are harmless yet."
"They are definitely suspicious and we are continuing to investigate."
If anything, this incident proves two things; Redpoint scans will be detected by a honeypot, and when it comes to threat intelligence - sometimes it's not all that smart.
For most organizations, threat intelligence offerings or honeypot usage becomes another collection of logs and rules that may or may not offer actionable information.
When it comes to reporting on the data collected by honeypots or threat intelligence products, Bloomberg's story proves why caution is needed.
Thirty-five probes from Chattanooga, TN doesn't come close to the number of actual attacks that critical infrastructure is faced with daily. It isn't news, but now that story can be used for marketing, and executives are going to needlessly worry about the southern states, when they should be worrying about the fact that their ICS assets are public facing and exposed.