In a previous blogpost,  we briefly introduced the concept of Moving Target Defense (MTD), mentioning also the property of time as a parameter than defines the moving aspect of a MTD cybersecurity solution. In addition, we discussed a way to configure effectively the honeypots in order to mimic vulnerable nodes. In this one we aim to elaborate on the notion of the MTD Honeypots and further elaborate on the design and implementation aspects of the cybersecurity solution that we develop in the context of the IoT-NGIN project.

Starting from the Moving Target Defense (MTD) aspect of our solution, it is worth mentioning that MTD characteristics target to alleviate or reduce the possibility of an attacker identifying a service or a node as not genuine. The attack risk is lowered by decreasing attacker motivation and the knowledge of the system. MTD is a good defense tool for decreasing attacker knowledge by constantly changing various system properties. In this way, the attack surface exposed to attackers appears chaotic and changes over time. Therefore, significantly reducing the probability of a successful attack and increasing its effectiveness on safeguarding the authentic part of the network. 

MTD techniques accomplish defensive deception through randomization and reconfiguration of networks, assets, and defense tools. The categories of Moving Target Defense strategies include software transformation techniques focusing on the software/application as the moving parameter, dynamic platform techniques focusing on hardware and OS attributes of a platform, and Network address shuffling activities. 

Honeypots are security resources which help attract, detect, and gather attack information. In principle, honeypot is a security tool that aims to imitate some real system’s functionality and thus lure attackers. In such scenario, we target to deceive the attacker by offering to them a vulnerable node that is not part of the real IoT infrastructure instead of a genuine one. Utilizing honeypots as a defense mechanism we achieve two main goals. The first one concerns the protection of the IoT system against cyberattacks, whilst the second one pertains to the exploitation of the attack information that can be captured once an attacker enters a honeypot and subsequently delivers a malicious payload. The latter also allows us to capture and monitor sophisticated attack methodologies, attack trends and strategies, that could even potentially expose a previously unknown zero-day attack.

Honeypots are a suitable candidate to realize an MTD mechanism tailored for protecting sensitive IoT networks. The combination of these two cybersecurity strategies result to an adaptive and configurable honeypot solution known as MTD honeypot Framework.

Within IoT-NGIN we develop an MTD Honeypot Framework that aims to provide a method to enhance the protection of all the vulnerable devices found in a network from possible security breaches and attacks. The MTD aspect that has been decided to be incorporated into our solution is IP randomization. Effectively, the IPs of the honeypots will randomly change at periodic intervals and as a result the attacker will become unable to easily map them. In addition, the IoT-NGIN MTD Honeypot Framework derives as an input the vulnerability reports that an additional IoT-NGIN cybersecurity-oriented component (the Vulnerability Scanner) provides. This vulnerability report details all the vulnerabilities identified in particular (vulnerable) IoT node. Then, the IoT-NGIN Honeypot Framework decides which are the required honeypots that mimic the detected vulnerabilities and deploys the necessary honeypots to the network. 

The IoT-NGIN MTD Honeypot Framework is already developed and at the time of writing the development team is finalizing the latest technical updates that will result to the production of the final version of the component. Then, the tool will be demonstrated within the IoT-NGIN Living Labs and get tested and validated based on various Use Cases.