1

This work investigates how interaction level, network type, and geographic location affect the attractiveness of ICS honeypots. We deploy both low-and high-interaction honeypots, alongside a physical device, across corporate and cloud networks in various geographic regions. We collect and analyze network interactions involving HTTP, S7Comm, and Modbus protocols from 16 honeypots with diverse configurations over a three-month period. Our results show that network type has the largest impact on ICS honeypot traffic, while interaction level and geographic location play a minor role. We also find that low-interaction honeypots capture traffic comparable to high-interaction setups, supporting their use for general threat intelligence.

We propose the SuriCap measurement platform and organize Jeopardy-style workshops in which participants compete to engineer Suricata rules. We collect a rich dataset consisting of over 364 rules from 28 participants. Preliminary results suggest our experimental design is viable and, together with the SuriCap measurement platform, can enable us to answer several research questions surrounding the engineering process of network intrusion detection rules.

In this paper, we characterize the rules in use at a collaborating commercial (managed) SOC serving customers in sectors including education and IT management. During this process, we discover six relevant design principles, which we consolidate through interviews with experienced rule designers at the SOC.We then validate our design principles by quantitatively assessing their effect on rule specificity. We find that several of these design considerations significantly impact unnecessary workload caused by rules. We show that these design principles can be applied successfully at a SOC to reduce workload whilst maintaining coverage despite the prevalence of violations of the principles.

In this work, we evaluate the effect of label imbalance on the classification of network intrusion alerts. As our use-case we employ DeepCASE, the state-of-the-art method for automated alert classification. We show that label imbalance impacts both classification performance and correctness of the classification explanations offered by DeepCASE. We conclude tuning the detection rules used in SOCs can significantly reduce imbalance and may benefit the performance and explainability offered by alert post-processing methods such as DeepCASE. Our findings suggest that traditional methods to improve the quality of input data can benefit automation.

In this work, we collaborate with a commercial SOC to develop an alert investigation support tool to help inexperienced analysts identify and collect all the information relevant to the investigation of an alert. We evaluate the prototype tool with two qualitative studies. Our findings suggest that employing the tool helps inexperienced analysts form a more accurate understanding of attacks, at no time cost.

In this paper, we perform the first in-depth study of the operation of a large (500 KV) real-world substation automation network. Our work provides a deep-dive discussion of these critical networks in a real-world system and sheds light on their operation, configuration and security.

In this paper, we first define a notion of attack “cost” focusing on the required CPS-specific attacker knowledge. We then identify several context factors that may influence this cost and, finally, provide a methodology to analyze the relation between attack cost and CPS-context factors using past cyberattacks. To validate the methodology in a reproducible way, we apply it to publicly reported CPS incidents with physical impact. Though this constitutes only a small set of attacks, our methodology is able to find correlations between context factors and the attack cost, as well as significant differences in context factors between CPS domains.

In this paper, we profile a new threat actor, referred to as the unspecialized OT attacker, who performs targeted, OT-related cyber-attacks with at most basic generic knowledge. We show the relevance of this threat actor by identifying past OT-related cyber-attacks that match this threat actor profile’s capabilities; we do so by mapping the types of tools used during these cyber-attacks and the knowledge required to use them. To further substantiate our analysis, we investigate readily-available tools that can assist threat actors in performing OT-related cyber-attacks. The combination of our findings highlights the present-day lowered entry level requirements to attack OT environments while limiting the scope of current assumptions.

In this paper, we study two pieces of malware that attempted to create blackouts in Ukraine. Our findings include new malware behavior not previously documented (such as the detailed algorithm for the MMS protocol payload) and an illustration of how attacking different targets will produce different effects.

This paper dissects operational SCADA networks of three essential services: power grids, gas distribution, and water treatment systems. Our analysis reveals some distinct and shared behaviors of these networks, shedding light on their operation and network configuration.