Deception in Depth for ICS
This talk demonstrates how to implement a deception-based defense strategy within Industrial Control Systems (ICS) environments to detect and monitor adversary activity. It details the use of lures, personas, and honey-tokens to map adversary behavior against the MITRE Engage framework. The presentation provides practical guidance on deploying ICS-specific honeypots that emulate common protocols like Modbus, DNP3, and S7 to increase situational awareness and reduce false positives in a Security Operations Center (SOC).
Turning the Tables: Using Deception to Catch Attackers in ICS Environments
TLDR: Industrial Control Systems (ICS) are increasingly targeted by sophisticated actors who exploit the lack of visibility in OT networks. By deploying high-fidelity deception tactics like fake credentials and emulated services, defenders can force attackers to reveal their presence early in the kill chain. This approach shifts the advantage back to the blue team by turning the attacker's reconnaissance into a high-confidence alert.
Industrial Control Systems (ICS) and Operational Technology (OT) environments are notoriously difficult to secure. Unlike standard IT infrastructure, where you can deploy EDR or run aggressive vulnerability scans, OT networks are fragile: a single malformed packet can crash a legacy PLC or disrupt a critical process. Because of this, many organizations rely on passive network monitoring alone, which often leaves them blind to an attacker who has already established a foothold and whose reconnaissance looks much like ordinary engineering traffic. The reality is that if an adversary is inside your OT network, they are likely moving laterally, hunting for credentials, and mapping your environment.
Instead of waiting for an alert from a traditional security tool, you can use deception to force the attacker to reveal themselves. By planting "tripwires" that look like legitimate assets, you create a scenario where any interaction with them is inherently suspicious.
Mapping Deception to the MITRE Engage Framework
The MITRE Engage framework provides a structured way to think about adversary engagement. Rather than just focusing on detection, you are actively managing the adversary's experience. In an ICS context, this means creating a high-fidelity environment that mimics your actual production setup.
The goal is to move beyond simple "honey-tokens" and build out a believable ecosystem. If you are running a Siemens S7 environment, your deception strategy should include emulated S7 services. If you are using Modbus or DNP3, those protocols must be present in your decoy network. The key is to ensure that the deception is indistinguishable from the real thing to an attacker who is performing reconnaissance.
Practical Seeding: In-Memory Credentials
One of the most effective ways to catch an attacker is to plant fake credentials in memory. Attackers frequently dump memory using tools like Mimikatz or by accessing the LSASS process to harvest credentials for lateral movement.
You can seed your environment with fake domain accounts that look highly privileged but are never used by legitimate users or services. The accounts should exist in the directory, so that every authentication attempt is logged by the domain controllers and attributable, but they must hold no real rights, and their actual password should differ from the one you plant so that the planted credential always fails. If these credentials appear in a memory dump or are used to authenticate against a service, you have an alert with essentially no false-positive rate. You can automate the seeding with simple scripts that inject the credentials on startup.
For example, you can use the cmdkey command to cache fake credentials in the Windows Credential Manager:
cmdkey /add:TargetServer /user:FakeAdmin /pass:Password123
A credential added with cmdkey lives in Credential Manager rather than in LSASS memory: it is visible to cmdkey /list and to vault-dumping tooling, and Windows presents it automatically whenever a process connects to TargetServer, so a connection made with it is itself the tripwire. If you also want the decoy to show up in an LSASS dump (for example from Mimikatz's sekurlsa module), start a process under the fake account with runas /netonly, which creates a logon session that holds the credential. Either way, any attempt to authenticate as the account produces domain controller and host events (4768/4771 for Kerberos, 4776 for NTLM, 4624/4625 for logons, 4648 for explicit credential use) that your SIEM should match against the honey-account list and alert on immediately. Because no legitimate user or service should ever touch these credentials, you effectively eliminate the noise that plagues traditional SOC operations.
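The detection side of this, as an added example that is not code from the talk: a small Python routine that scans Windows Security events for any authentication naming a honey account. The account names, the key=value export format and the sample events are all constructed for illustration; the event ID meanings are standard Windows ones. A successful logon (4624) is escalated above the normal severity because it means the decoy itself is misconfigured (the planted password works or the account has real rights).

```python
"""Honey-account detection over Windows Security events: any authentication naming a decoy account is an alert."""
import re
from dataclasses import dataclass

# Hypothetical decoy accounts, seeded with cmdkey or runas /netonly and never used legitimately.
HONEY_ACCOUNTS = {"fakeadmin", "svc_backup_admin"}

# Security event IDs whose TargetUserName is the account being authenticated or used.
AUTH_EVENTS = {
    4624: "logon succeeded",
    4625: "logon failed",
    4648: "logon attempted with explicit credentials (runas, cached credential)",
    4768: "Kerberos TGT requested",
    4771: "Kerberos pre-authentication failed",
    4776: "NTLM credential validation",
}

@dataclass
class Alert:
    severity: str
    account: str
    event_id: int
    source: str
    reason: str

def normalize_account(name):
    """Map CORP\\FakeAdmin, FakeAdmin@corp.local and FAKEADMIN to the same key, 'fakeadmin'."""
    return name.rsplit("\\", 1)[-1].split("@", 1)[0].strip().lower()

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one key=value line (the shape of a simple SIEM export) into a dict; EventID becomes an int."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if "EventID" in fields:
        fields["EventID"] = int(fields["EventID"])
    return fields

def detect_honey_use(lines, honey_accounts=HONEY_ACCOUNTS):
    """Return one Alert per authentication event that names a honey account, in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        event_id = ev.get("EventID")
        if event_id not in AUTH_EVENTS:
            continue
        account = normalize_account(ev.get("TargetUserName", ""))
        if account not in honey_accounts:
            continue
        source = ev.get("IpAddress", "-")
        if source in ("-", "::1", "127.0.0.1"):  # local events carry the host name instead of an address
            source = ev.get("Computer") or ev.get("Workstation") or "unknown"
        # A successful logon means the planted password is real or the account has rights it should not:
        # the decoy itself is misconfigured, so escalate above the normal "high".
        severity = "critical" if event_id == 4624 else "high"
        alerts.append(Alert(severity, account, event_id, source, AUTH_EVENTS[event_id]))
    return alerts

# Constructed sample events, not real log data.
SAMPLE_LOG = [
    "EventID=4624 TargetUserName=jsmith IpAddress=10.10.5.23 LogonType=3",
    "EventID=4768 TargetUserName=FakeAdmin IpAddress=10.10.5.77 Status=0x18",
    'EventID=4648 TargetUserName="CORP\\FakeAdmin" Computer=ENG-WS-04 IpAddress=-',
    "EventID=4625 TargetUserName=svc_backup_admin@corp.local IpAddress=10.10.5.77 Status=0xC000006D",
    "EventID=4776 TargetUserName=operator1 Workstation=HMI-01 Status=0x0",
    "EventID=4624 TargetUserName=FakeAdmin IpAddress=10.10.5.77 LogonType=3",
]

if __name__ == "__main__":
    for a in detect_honey_use(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.account} event {a.event_id} from {a.source}: {a.reason}")
```

The normalization step matters in practice: the same account shows up as a bare name in 4768, domain-qualified in 4648 and sometimes as a UPN in NTLM events, and a rule that compares raw strings will miss two of the three.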
Emulating ICS Services
When building out your honeypot, you need to emulate the services that an attacker would actually look for. Tools like OpenCanary or Honeyd are useful for generic decoy services, and Conpot is built specifically for ICS protocols. You don't need to run a full-blown, expensive PLC to catch an attacker; you just need a listener that speaks enough Modbus or DNP3 to survive a scan and a fingerprinting probe, responds plausibly, and logs every interaction. Keep the decoy on a segment that cannot reach real controllers, so that a compromised decoy does not become a pivot point.
If an attacker scans your network and finds a device responding to Modbus, they will likely fingerprint it, read registers and coils, and eventually attempt writes. (Modbus itself carries no ladder logic; logic downloads happen over vendor protocols such as S7comm, which is one more reason to emulate the protocols you actually run.) By monitoring these interactions, you gain visibility into their specific TTPs. Are they trying to change the state of a valve? Are they looking for specific memory addresses? This information is gold for your incident response team.
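As an added example (not code from the talk or from any of the tools it names), here is a minimal Modbus/TCP decoy in Python that shows what such a listener has to do: parse the MBAP header and PDU, answer reads from a fake register table, accept writes so the attacker believes they took effect while flagging them as tampering, answer the Report Server ID fingerprinting request with a made-up identity, and return a proper Modbus exception for anything else. The register values, the PumpStation-PLC identity string and port 5020 are assumptions for illustration.

```python
"""Minimal Modbus/TCP decoy: parse requests, classify intent, answer plausibly, log everything."""
import socket
import struct
from dataclasses import dataclass

READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS = 0x03, 0x06, 0x10
REPORT_SERVER_ID = 0x11  # sent by fingerprinting tools such as nmap's modbus-discover script
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS, ILLEGAL_DATA_VALUE = 0x01, 0x02, 0x03
FAKE_SERVER_ID = b"\x01PumpStation-PLC fw2.1"  # hypothetical identity; pick one matching what you really run

@dataclass
class DecoyEvent:
    severity: str  # "recon" for reads, probes and fingerprinting; "tamper" for any write
    unit_id: int
    function: int
    detail: str

def _mbap(tid, unit_id, pdu):
    # MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu

def handle_request(frame, registers):
    """Return (DecoyEvent, response bytes) for one request; raise ValueError for non-Modbus input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    function, data = frame[7], frame[8:]

    def reply(severity, detail, pdu=None, exc=None):
        # exc set: Modbus exception response (function | 0x80, exception code); otherwise the normal PDU
        pdu = struct.pack(">BB", function | 0x80, exc) if exc else pdu
        return DecoyEvent(severity, unit_id, function, detail), _mbap(tid, unit_id, pdu)

    if function == READ_HOLDING_REGISTERS and len(data) >= 4:
        start, qty = struct.unpack(">HH", data[:4])
        if not 1 <= qty <= 125 or start + qty > len(registers):
            return reply("recon", f"read out of range start={start} qty={qty}", exc=ILLEGAL_DATA_ADDRESS)
        values = struct.pack(f">{qty}H", *registers[start:start + qty])
        return reply("recon", f"read {qty} holding registers from {start}", struct.pack(">BB", function, 2 * qty) + values)
    if function == WRITE_SINGLE_REGISTER and len(data) >= 4:
        addr, value = struct.unpack(">HH", data[:4])
        if addr >= len(registers):
            return reply("tamper", f"write to invalid register {addr}", exc=ILLEGAL_DATA_ADDRESS)
        registers[addr] = value  # accept the write so the attacker believes it took effect
        return reply("tamper", f"write register {addr} := {value}", frame[7:])  # the normal reply echoes the request
    if function == WRITE_MULTIPLE_REGISTERS and len(data) >= 5:
        start, qty, count = struct.unpack(">HHB", data[:5])
        if not 1 <= qty <= 123 or count != 2 * qty or len(data) < 5 + count:
            return reply("tamper", f"malformed multi-write start={start} qty={qty}", exc=ILLEGAL_DATA_VALUE)
        if start + qty > len(registers):
            return reply("tamper", f"multi-write out of range start={start} qty={qty}", exc=ILLEGAL_DATA_ADDRESS)
        registers[start:start + qty] = struct.unpack(f">{qty}H", data[5:5 + count])
        return reply("tamper", f"write {qty} registers from {start}", struct.pack(">BHH", function, start, qty))
    if function == REPORT_SERVER_ID:
        pdu = struct.pack(">BB", function, len(FAKE_SERVER_ID) + 1) + FAKE_SERVER_ID + b"\xff"  # 0xFF: run indicator on
        return reply("recon", "device fingerprint request (Report Server ID)", pdu)
    return reply("recon", f"unsupported or malformed function 0x{function:02x}", exc=ILLEGAL_FUNCTION)

def read_frame(conn):
    """Reassemble one ADU using the MBAP length field, since a request may straddle TCP segments."""
    buf, need = b"", 6
    while len(buf) < need:
        chunk = conn.recv(need - len(buf))
        if not chunk:
            return None
        buf += chunk
        if len(buf) == 6:
            need += struct.unpack(">H", buf[4:6])[0]
    return buf

def serve(host="0.0.0.0", port=502, registers=None):
    """Accept clients and print one line per interaction; in a deployment these lines feed the SIEM."""
    registers = registers if registers is not None else [0] * 100
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, (peer, _) = srv.accept()
            with conn:
                while (frame := read_frame(conn)) is not None:
                    try:
                        ev, resp = handle_request(frame, registers)
                    except ValueError as exc:
                        print(f"{peer} sent non-Modbus data to port {port}: {exc}")  # a bare probe is worth logging too
                        break
                    print(f"{peer} [{ev.severity}] unit={ev.unit_id} fc=0x{ev.function:02x} {ev.detail}")
                    conn.sendall(resp)

if __name__ == "__main__":
    # Constructed register table (a few plausible process values, then zeros); port 5020 avoids needing root.
    serve(port=5020, registers=[1200, 35, 7] + [0] * 97)
```

Two design points carry over to any real decoy: every write is classified as tampering regardless of whether it succeeded, because on a device nobody should be writing to, the attempt is the signal; and unsupported functions get a real Modbus exception rather than a dropped connection, because a scanner that sees a TCP reset where a PLC would answer "illegal function" has just learned it found a honeypot.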
The "Theory of 99"
A core principle in securing OT is the "Theory of 99," which posits that 99% of attacks against ICS will originate in the IT-production environment. Attackers rarely jump straight into the OT network; they compromise an IT workstation, move to a jump host, and then pivot into the OT environment.
Your deception strategy should reflect this. Place your most attractive decoys in the IT-production subnets where the pivot occurs. If you can catch the attacker at the jump host level, you stop them before they ever touch a PLC or an HMI.
Moving Forward
Deception is not a "set it and forget it" solution. It requires constant tuning. If your decoys are too obvious, a smart attacker will ignore them. If they are too noisy, your SOC will stop paying attention. The key is to integrate your deception alerts directly into your existing incident response workflows. When a decoy triggers, it should be treated with the same urgency as a confirmed breach of a production asset.
Stop treating your network as a static perimeter. Start treating it as a battlefield where you control the terrain. By placing high-fidelity decoys in the path of least resistance, you force the adversary to play by your rules, making their job significantly harder and your detection capabilities significantly stronger. The next time you are on an engagement, look for the gaps in the network where an attacker would naturally pivot. That is exactly where your next trap should be.