Skip to main content

Mirage — OT Deception

Mirage deploys intelligent honeypots across your OT network to detect adversaries who have bypassed perimeter defenses. It creates convincing decoy PLCs, HMIs, switches, and field instruments that attract attacker reconnaissance while generating high-fidelity alerts.

How It Works

  1. Environment Setup — Define a deception environment for each site or network zone
  2. Decoy Deployment — Mirage deploys protocol-accurate decoys that emulate real OT devices (EtherNet/IP, Modbus TCP, S7comm, PROFINET, OPC UA)
  3. Interaction Monitoring — Any interaction with a decoy is suspicious by definition — no legitimate traffic should reach them
  4. Alert Generation — Interactions trigger high-confidence alerts with full session details, source IP, protocol used, and MITRE ATT&CK mapping

Key Features

  • Protocol-Accurate Emulation — Decoys respond to industrial protocols exactly like real devices (Rockwell, Siemens, ABB, Schneider, Emerson)
  • Purdue-Level Placement — Deploy decoys at every Purdue level (0–3) for defense in depth
  • Moving Target Defense — Automatic decoy rotation on configurable schedules to defeat fingerprinting
  • MITRE ATT&CK for ICS Mapping — Every interaction mapped to relevant tactics and techniques
  • Zero False Positives — Decoys have no legitimate function; any contact is an indicator of compromise
  • Tiered Decoy Types — Network responders (Tier 1), full protocol emulators (Tier 2), and high-interaction honeypots (Tier 3)

Dashboard

The Mirage dashboard shows:

  • Active deception environments and decoy counts
  • Recent interactions with severity and source attribution
  • Threat actor session timelines
  • IOC extraction (IPs, ports, protocol fingerprints)
  • TTP mapping to MITRE ATT&CK for ICS framework

Alert Codes

CodeSeverityDescription
7001CriticalActive exploitation attempt on decoy
7002WarningNetwork scan touching decoy IPs
7003WarningProtocol enumeration on decoy
7004InfoPassive reconnaissance detected

Configuration

Navigate to Settings → Mirage to configure:

  • Deception environments per site
  • Decoy density and placement strategy
  • Emulated vendors and protocol versions
  • Moving target defense schedule
  • Alert routing (email, Slack, Teams, webhook)