Impact
- Improved understanding of low-visibility attacker paths in IoT-like environments.
- Produced realistic telemetry for tuning detections and investigation procedures.
- Created a reusable lab for adversary simulation and analyst training.
Deliverables
- Segmented lab environment with representative device services and monitoring.
- Protocol-aware detection and observation workflows for IoT traffic.
- Research outputs that translate lab findings into training and detection value.
References
Artifacts
- Lab topology diagram (placeholder: slot reserved, diagram to be added).
Problem
IoT ecosystems create a different visibility problem than traditional endpoints, especially when protocols, embedded constraints, and weak defaults combine to produce inconsistent telemetry.
Approach
- Build a segmented lab with representative device services, simulated controllers, and protocol-aware monitoring.
- Recreate attack behaviors such as credential abuse, insecure command channels, and lateral movement through management surfaces.
- Capture packet, process, and event artifacts that can be converted into rules, dashboards, and training content.
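As an added example (not code from the project itself), the credential-abuse scenario above turned into a detection over Zeek's mqtt_connect.log: a source that accumulates repeated failed CONNECT attempts against one broker within a time window is flagged, with the number of distinct client IDs it rotated through. The log lines are constructed, and the field names are assumed to follow Zeek's default mqtt_connect.log layout (the optional will_* columns are omitted).

```python
from collections import defaultdict

# Constructed sample in Zeek's TSV layout; field names are assumed to match
# Zeek's default mqtt_connect.log (optional will_* columns omitted).
SAMPLE_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto_name\tproto_version\tclient_id\tconnect_status
1700000000.00\tC1\t10.10.20.5\t51000\t10.10.10.2\t1883\tMQTT\t3.1.1\tsensor-01\tok
1700000005.00\tC2\t10.10.20.6\t51001\t10.10.10.2\t1883\tMQTT\t3.1.1\tsensor-02\tBad user name or password
1700000010.00\tC3\t10.10.30.9\t40001\t10.10.10.2\t1883\tMQTT\t3.1.1\tprobe-1\tBad user name or password
1700000015.00\tC4\t10.10.30.9\t40002\t10.10.10.2\t1883\tMQTT\t3.1.1\tprobe-2\tBad user name or password
1700000020.00\tC5\t10.10.30.9\t40003\t10.10.10.2\t1883\tMQTT\t3.1.1\tprobe-3\tNot authorized
1700000025.00\tC6\t10.10.30.9\t40004\t10.10.10.2\t1883\tMQTT\t3.1.1\tprobe-4\tBad user name or password
1700000030.00\tC7\t10.10.30.9\t40005\t10.10.10.2\t1883\tMQTT\t3.1.1\tprobe-5\tBad user name or password
"""
# CONNACK outcomes that mean the broker rejected the credentials or client.
FAILURE_STATUSES = {"Bad user name or password", "Not authorized", "Identifier rejected"}

def parse_zeek_tsv(text):
    """Turn a Zeek TSV log into dicts keyed by the names in its #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):  # skip #separator, #close, ...
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def detect_credential_abuse(rows, threshold=5, window=60.0):
    """Map orig_h -> detail for sources with >= threshold failed CONNECTs to one
    broker inside any window-second span (sliding over time-sorted failures)."""
    failures = defaultdict(list)
    for r in rows:
        if r.get("connect_status") in FAILURE_STATUSES:
            failures[(r["id.orig_h"], r["id.resp_h"])].append((float(r["ts"]), r["client_id"]))
    alerts = {}
    for (src, broker), events in failures.items():
        events.sort()
        for i in range(len(events)):
            j = i  # widen [i, j) while the span still fits in the window
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[src] = {"broker": broker, "failures": j - i,
                               "client_ids": len({c for _, c in events[i:j]})}
                break  # one alert per source is enough for triage
    return alerts

if __name__ == "__main__":
    for src, detail in detect_credential_abuse(parse_zeek_tsv(SAMPLE_LOG)).items():
        print(f"ALERT: repeated MQTT CONNECT failures from {src}: {detail}")
```

The same sliding-window logic ports directly to a Zeek script or a Suricata threshold rule once the lab has confirmed the threshold and window that separate scripted guessing from a misconfigured sensor.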
Architecture / Workflow
- Lab services simulate constrained devices, broker traffic, and insecure administration workflows.
- Monitoring stack records protocol activity and suspicious behavior across network zones.
- Analysis outputs feed detections, scenario documentation, and repeatable training exercises.
Tools and Technologies Used
Python, Zeek, Suricata, Docker, MQTT
Results / Impact
- Improved understanding of low-visibility attack paths in IoT environments.
- Produced realistic data for tuning detection logic and investigation procedures.
- Created a reusable environment for adversary simulation and analyst training.
Key Technical Takeaways
- Lab realism matters more than raw service count.
- Protocol-aware monitoring is essential for meaningful visibility.
- Simulations are most useful when tied directly to detection outcomes.