[SCADASEC] SCADA, control systems and forensics
Mark Fabro
fabro at loftyperch.com
Thu Feb 7 16:00:31 CST 2008
Hiya Ken,
We have been running some honeypots for a while and they can provide some (but limited) intel. Our work lately has also had us doing kernel snapshots and hashing certain builds of applications to watch for changes. Using hashes of whatever we can get our hands on works fairly well.
Matt Franz is lurking (I know he must be!) so he better chime in here as he knows a lot about honeypots from his DB days...and if we are lucky maybe hear from Dale and the DB crew.
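An added example, not code from Mark's post or from Lofty Perch, of the application-hashing approach he describes: take a golden baseline of SHA-256 digests over an install tree, re-hash the same tree later, and diff the two. The directory layout, file names and contents below are constructed for the demo and stand for no real product.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so that a planted link cannot make a foreign file
    look like part of the build.
    """
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            out[p.relative_to(root).as_posix()] = sha256_file(p)
    return out


def compare(golden, current):
    """Diff two baselines; any non-empty list is something to investigate."""
    return {
        "added": sorted(set(current) - set(golden)),
        "removed": sorted(set(golden) - set(current)),
        "changed": sorted(k for k in golden.keys() & current.keys()
                          if golden[k] != current[k]),
    }


def demo():
    """Constructed scenario: baseline a small install tree, then patch one
    binary and drop a new file, and report what the diff catches."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "hmi.exe").write_bytes(b"hypothetical build 1.0")
        (root / "cfg.ini").write_text("poll_ms=500\n")
        golden = baseline(root)

        # what we are watching for: a modified binary and a dropped library
        (root / "bin" / "hmi.exe").write_bytes(b"hypothetical build 1.0\x90\x90")
        (root / "bin" / "extra.dll").write_bytes(b"not part of the build")
        return compare(golden, baseline(root))


if __name__ == "__main__":
    print(demo())
```

The golden baseline is only as trustworthy as where it is kept: store it (and the tool that computes it) off the monitored host, and check the first baseline against hashes computed from known-good installation media, since anyone who can rewrite the application can usually rewrite a baseline stored next to it.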
-----Original Message-----
From: scadasec-bounces at news.infracritical.com [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Ken Møller
Sent: Thursday, February 07, 2008 4:52 PM
To: scadasec at news.infracritical.com
Subject: Re: [SCADASEC] SCADA, control systems and forensics
I'm tempted to install a 'standalone' honeypot with a tempting systemname to have log/audit files probably not tampered with.
Been thinking of a backdoor zone where snapshots of system logfiles are constantly mirrored and kept for a suitable time.
-ken..(norway)
-----Original Message-----
From: scadasec-bounces at news.infracritical.com [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Bob Radvanovsky
Sent: 7 February 2008 21:01
To: scadasec at news.infracritical.com
Subject: [SCADASEC] SCADA, control systems and forensics
One of the issues that I have raised within the 'CIP' community has been *how* to identify threats (and their attempts) post-facto; meaning, how do I perform a forensics analysis on something that is, for want of a better term, 'dumber than a door knob'? It's one thing to conduct post-facto forensics best practices on a server, or within an IT environment, but this isn't 'IT'. Older protocols don't include date and/or time stamps within the communications packets, and oftentimes comm packets are terse (if that). So...how do *we*, as SCADA professionals, define and establish methods for performing post-facto forensics analysis and management of a given control system environment?
I'd like to get some feedback from the list. The entire premise here is to encourage discussion. OK -- here's your opportunity... ;)
-rad
P.S. This message will self-destruct in 5 seconds...
_______________________________________________
To unsubscribe from this mailing list, please visit:
http://news.infracritical.com/mailman/listinfo/scadasec
To review our privacy statement, please visit:
http://www.infracritical.com/privacy.html
scadasec at news.infracritical.com
http://news.infracritical.com/mailman/listinfo/scadasec
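An added example, not code from Bob's or Ken's posts, of one way to get a forensic record out of terse frames that carry no time of their own, and to keep that record hard to tamper with in the way Ken wants: a capture-side logger stamps each frame with the capture host's clock and hash-chains the records, so that editing, reordering or inserting a record is detectable when the log is examined later. The frame bytes and timestamps are constructed for the demo and stand for no particular protocol.

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # chain anchor for the first record

# Constructed sample traffic: short poll/response style frames, arbitrary
# bytes rather than any real protocol's encoding. Note that nothing in the
# bytes says when they were sent.
FRAMES = [
    b"\x01\x03\x00\x00\x00\x0a\xc5\xcd",
    b"\x01\x03\x14" + bytes(range(20)) + b"\x7f\x10",
    b"\x01\x06\x00\x05\x00\x01\x58\x0b",
    b"\x01\x06\x00\x05\x00\x01\x58\x0b",
]


def _digest(prev, seq, ts_ns, frame):
    """Bind sequence number, capture time and frame bytes to the previous hash."""
    h = hashlib.sha256()
    h.update(prev.encode("ascii"))
    h.update(seq.to_bytes(8, "big"))
    h.update(ts_ns.to_bytes(8, "big"))
    h.update(frame)
    return h.hexdigest()


class CaptureLog:
    """Append-only, hash-chained record of captured frames."""

    def __init__(self):
        self.records = []

    def append(self, frame, ts_ns=None):
        # The timestamp comes from the capture host, since the frame has none.
        ts_ns = time.time_ns() if ts_ns is None else ts_ns
        seq = len(self.records)
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {
            "seq": seq,
            "ts_ns": ts_ns,
            "frame": frame.hex(),
            "prev": prev,
            "hash": _digest(prev, seq, ts_ns, frame),
        }
        self.records.append(rec)
        return rec

    def dump(self):
        """One JSON record per line, suitable for mirroring off-box."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def verify(text):
    """Recompute the chain over a dumped log.

    Returns (True, None) if every record checks, else (False, seq) for the
    first record whose content, position or link to its predecessor is wrong.
    """
    prev = GENESIS
    for i, line in enumerate(text.splitlines()):
        r = json.loads(line)
        if r["seq"] != i or r["prev"] != prev:
            return False, i
        if _digest(prev, r["seq"], r["ts_ns"], bytes.fromhex(r["frame"])) != r["hash"]:
            return False, i
        prev = r["hash"]
    return True, None


def demo():
    """Log the constructed frames, then alter one record in the dumped copy."""
    log = CaptureLog()
    base = 1_202_420_000_000_000_000  # constructed capture time, ns since epoch
    for i, f in enumerate(FRAMES):
        log.append(f, ts_ns=base + i * 500_000_000)
    good = log.dump()

    lines = good.splitlines()
    edited = json.loads(lines[1])
    edited["frame"] = edited["frame"][:-4] + "0000"  # rewrite the last two bytes
    tampered = "\n".join(lines[:1] + [json.dumps(edited, sort_keys=True)] + lines[2:])
    return verify(good), verify(tampered)


if __name__ == "__main__":
    print(demo())
```

The chain proves that a record was altered after it was written, not that the capture host's clock was right or that the tail of the log was not simply cut off; the capture host's time source and the most recent chain hash therefore both need to be anchored somewhere the control network cannot reach, which is exactly the role of the mirrored, time-limited snapshots Ken describes.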