Detecting, fingerprinting and tracking reconnaissance campaigns targeting industrial control systems

Abstract

Industrial Control Systems (ICS) are attractive targets to attackers because of the significant cyber-physical damage they can inflict. As such, they are often subjected to reconnaissance campaigns aiming at discovering vulnerabilities that can be exploited online. As these campaigns scan large netblocks of the Internet, some of the IP packets are directed to the darknet, routable, allocated and unused IP space. In this paper, we propose a new technique to detect, fingerprint, and track probing campaigns targeting ICS systems by leveraging a /13 darknet traffic. Our proposed technique detects, automatically, and in near-real time such ICS probing campaigns and generates relevant and timely cyber threat intelligence using graph-theoretic methods to compare and aggregate packets into campaigns. Besides, it ascribes to each observed campaign a fingerprint that uniquely characterizes it and allows its tracking over time. Our technique has been tested over 12.85 TB of data, which represents 330 days of darknet network traffic received. The result of our analysis allows for the discovery of not only known legitimate recurrent probing campaigns such as those performed by Shodan and Censys but also uncovers coordinated campaigns launched by other organizations. Furthermore, we give details on a campaign linked to botnet activity targeting the EtherNet/IP protocol.