Ghost Trains in the Network: A very British Rant About Catching Hackers Before They Derail You


If you’ve ever queued on a windswept platform at Clapham Junction at half past seven on a February morning, you already understand pain. Now imagine you’re the poor soul in charge of the digital bits that keep Britain’s railways moving, the signalling servers, the smart-ticketing APIs, the timetable database some consultant knocked together in 2003 and then vanished to Marbella. Your network is an ageing patchwork of Windows boxes, embedded Linux gizmos and a mystery Sun workstation humming in a cupboard marked Do Not Switch Off (so naturally someone did during the Christmas party, and the East Coast Main Line was fifteen minutes late for a week).

Welcome to UK rail IT security, where you’re expected to defend a critical-national-infrastructure behemoth with the budget of a village cricket club’s tea rota. And here you are, proudly piping every last firewall log into the SIEM you bought on a three-year instalment plan, drowning in red alerts that scream Brute-force attempt detected while you’re still trying to get the coffee machine to stop leaking. Lovely.

Why “Threat Intelligence” Often Isn’t

The Brits are fond of collecting stamps, antique teapots and, apparently, IOC feeds. Every morning your nosey SIEM ingests yet another file of “high confidence” malicious IP addresses compiled by someone in Kansas who scraped Shodan after lunch. You dutifully block them all in your firewall, congratulate yourself on “being proactive,” then go home to watch Taskmaster. Alas, half those IPs are already retired, a quarter belong to a university lab in Germany studying honeypot traffic, and the rest are Tor exit nodes that rotate faster than a Blackpool roller-coaster. When real trouble comes clattering down the line, your dashboard is too busy flashing Warning in neon red to notice.

The depressing truth is that anything already on a public threat feed is yesterday’s fish-and-chip paper. Attackers worth their salt treat blacklists the way we treat the service update board at Waterloo: an inconvenience, but hardly a reason to cancel the trip. If your entire defensive strategy relies on someone else’s stale list, you’ll find out you’ve been compromised the same way you discover the 16:47 to Portsmouth has been cancelled, via an apologetic announcement after you’re stuck on the platform.

Enter the Honeypot: Marmite for Miscreants

It’s time to embrace a simpler, more entertaining hobby: building honeypots. Think of them as unattended late-night kebab shops for cyber thugs, tantalising, greasy and very likely to make the customer ill. Pop one on a spare IP address that “just so happens” to expose an SSH banner reading Debian GNU/Linux 7.0 (a version so antique it probably voted in the Brexit referendum). Or better, stand up a bogus RailSys API endpoint returning plausibly dull JSON about train formations. Advertise it on port 443 with a self-signed cert bearing the name “prod-rail-core.internal” for that authentic corporate aftertaste.

The second your honeypot goes live, the usual rabble appears: Mirai descendants banging on Telnet, cryptominers prodding at the Docker API, some Russian script-kiddy trying every default password known to humanity. It’s like opening the pub doors at 11 p.m.: the regulars storm in first. Fascinating for a moment, then unbearably repetitive. Fortunately you’re British; endurance in the face of dreary repetition is practically a national sport.

Tea Strainer for the Soul: Filtering Out the Obvious

Here’s where you channel your inner railway signalman, flick the levers and route the rubbish straight to /dev/null. You take those feeds, AbuseIPDB, Spamhaus, AlienVault OTX, GreyNoise, the lot, and you filter your honeypot logs against them. Every source IP that’s already famous? Bin it. Every user-agent string tied to mass scanners? Off you pop. Every ASN so notorious it may as well have its own Crimewatch segment? Ta-ra.

What remains is the quiet tapping you can hear when the train announcer’s fallen silent and the pigeons have finally shut up. A single IP address here, an IPv6 range there, almost no history, never once mentioned in public chatter. Yet it just asked your fake API for getTimetableBySignalBox, a method name buried on page 117 of an internal spec only Network Rail staff usually see. Either you’ve stumbled onto a curious rail enthusiast with a gift for packet crafting or, more likely, someone is mapping out your infrastructure for reasons that won’t end with a polite “mind the gap”.

A Spot of British Context: Why Rail Makes a Brilliant Victim

Ask any commuter: Britain’s railways run on equal parts caffeine, tradition and IT systems older than half the passengers. There are signalling boxes in Yorkshire whose logic dates back to the 1970s, now duct-taped to cloud analytics platforms to keep the Department for Transport happy. Franchise boundaries shift, subcontractors multiply, and every vendor insists on remote access “for maintenance” from assorted offices in Bangalore and Warsaw.

Unlike a Silicon Valley start-up pivoting every six weeks, rail infrastructure can’t just migrate to shiny new servers; shutting down the West Coast Main Line for a firmware upgrade is frowned upon. Attackers know this, so they test bespoke exploits slowly, quietly, slipping between franchised operators, TOCs and rolling-stock maintenance depots until they find a configuration no one patched because the service desk labelled it “heritage”.

If you unearth a host trying credentials tailored to the naming scheme of a particular depot in Crewe, that’s not spray-and-pray. That’s a saboteur walking the network like a seasoned commuter who already knows where the trolley service hides the decent biscuits.

Celebrating the Ghost Train

When the ghost appears, traffic hitting only your decoy nodes, using commands no public scanner ever bothers with, you feel a thrill no amount of vendor marketing can replicate. You’ve uncovered evidence of reconnaissance before the wider world even suspects someone is plotting. You’ve spotted the train moving through a red signal while everyone else is still reading yesterday’s timetable. You have something the feed vendors will beg to list next quarter, before the attacker swaps locomotives and changes the livery.

Now comes the peculiarly British bit: you kettle that suspect IP, you replay its payloads in a sandbox, you pour a cup of tea, perhaps grumble about Southern Rail for good measure, and you start hunting. Did the same address pop up in your real logs? Do you see mirrored traffic against your actual booking-engine backend? Was a developer’s laptop phoning out at 03:12 after the pub quiz? Suddenly threat intelligence is personal, vivid, yours.

Sharing Is Caring (Even South of Watford Gap)

British reserve is marvellous for queueing, but naff for security. If you’ve found a ghost probing rail systems, chances are another operator, ScotRail, say, will be next. The attacker already knows the layout of one franchise; hopping to another is as simple as mis-printing a ticket. So you do the decent thing: pass the IOCs to the Railway ISAC, ring a mate inside the Department for Transport, maybe drop an anonymous tip to someone at the National Cyber Security Centre who owes you a pint. They’ll mutter something about “trusted circles” and you’ll both pretend GCHQ didn’t know already, but at least you tried.

By sharing, you gain allies. More honeypots spring up across the network, more filters strip away the noise, and suddenly the once-invisible attacker sees his reconnaissance reflected back at him via blocks and resets on every route from Penzance to Inverness. It’s the cyber equivalent of closing ticket barriers at all stations simultaneously: the fare-dodger can run, but he can’t ride.

Practically Speaking, Without a Bullet List

Achieving all this doesn’t require an MI5 budget. An old Raspberry Pi will cheerfully pose as a vulnerable SSH endpoint all week. A bit of Python glued to AbuseIPDB’s API can sponge off their blacklist faster than you can say “another rail fare rise”. Pipe your logs into whatever log aggregator you fancy, Elastic, Loki, even syslog-ng writing to a text file, and run a cron job that diff-filters new IPs against your blacklist dump every hour. Store the leftovers in a separate index labelled spooky. Review spooky every morning between the first coffee and the second sigh about delays into London Bridge. When you find something odd, pivot through your real network logs, look for matching payload shapes, user-agent fingerprints, or odd bursts of traffic at silly o’clock. It’s unglamorous work, but so is cleaning the loos on the Caledonian Sleeper, and people still do that.
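The hourly sift the last two sections describe, as an added example that is not code from the original post: honeypot events are dropped if the source IP or user-agent is already on a feed, and whatever survives goes to the spooky pile, with requests for internal-only method names flagged for first look. The log lines, the feed stand-ins (documentation-range addresses) and the function names are all constructed for this illustration.

```python
import ipaddress
import json
import re

# Constructed sample: four events as the decoy API might record them (JSON lines).
HONEYPOT_LOG = """\
{"ts":"2024-02-12T03:12:41Z","src":"203.0.113.9","ua":"masscan/1.3","path":"/api/health"}
{"ts":"2024-02-12T03:14:02Z","src":"198.51.100.77","ua":"python-requests/2.31","path":"/api/getTimetableBySignalBox?box=CRW"}
{"ts":"2024-02-12T03:15:10Z","src":"192.0.2.5","ua":"curl/8.4","path":"/api/getTimetableBySignalBox?box=CRW"}
{"ts":"2024-02-12T03:16:00Z","src":"2001:db8:1::7","ua":"Mozilla/5.0","path":"/api/trains/formation"}
"""

# Constructed stand-ins for the blacklist dump (AbuseIPDB et al.) and the
# mass-scanner fingerprints you would refresh from the feeds each hour.
KNOWN_BAD_IPS = {"203.0.113.9"}
KNOWN_BAD_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SCANNER_UA = re.compile(r"^(masscan|zgrab|nmap|nuclei)", re.I)
# Method names that only an internal spec would tell you about (hypothetical).
INTERNAL_ONLY_PATHS = ("/api/getTimetableBySignalBox",)


def is_known_noise(src, ua):
    """True if the feeds already know this source: on a list, in a listed range, or a scanner UA."""
    addr = ipaddress.ip_address(src)
    # An IPv6 address is never 'in' an IPv4 network, so mixed feeds are safe here.
    if src in KNOWN_BAD_IPS or any(addr in net for net in KNOWN_BAD_NETS):
        return True
    return bool(SCANNER_UA.match(ua))


def sift(log_text):
    """Split events into (spooky, noise); spooky events carry an internal_method flag."""
    spooky, noise = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_known_noise(ev["src"], ev["ua"]):
            noise.append(ev)
            continue
        ev["internal_method"] = ev["path"].startswith(INTERNAL_ONLY_PATHS)
        spooky.append(ev)
    return spooky, noise


if __name__ == "__main__":
    spooky, noise = sift(HONEYPOT_LOG)
    for ev in spooky:
        print("SPOOKY" + (" [internal method]" if ev["internal_method"] else ""), ev["src"], ev["path"])
```

Run from cron, the spooky list is what you write to the separate index; the internal_method flag is the line to read first over the morning coffee.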

Why the Method Works for Blighty

Britain’s digital rail estate is big enough to interest capable adversaries yet small enough for patterns to emerge quickly. A single attacker can test code against a Southeastern Railway ticketing API on Monday, tweak it on Tuesday against West Midlands Trains, and by Wednesday hit the national Rail Delivery Group clearing-house. If your honeypot stands anywhere along that little jaunt and you’re weeding out the global background, you’ll see the pattern before a continent-spanning ISP even wakes up. That’s the strategic edge of local focus: you spot the oddity because you know how British Rail IDs its carriages, you recognise that EMU_Class377 in a GET request isn’t normal for a public endpoint, and the Yank maintaining a generic feed doesn’t.

Mind the Gap and Watch the Signals

At some stage management will ask why you’re sinking time into luring hackers instead of “closing vulnerabilities”. Explain it like this: patching is locking the carriage doors; honeypots are CCTV on the platform. One deters, the other tells you who’s lingering in the shadows. If they still don’t get it, remind them what happens to a network that never looks for new threats: ask any operator still recovering from WannaCry, which hammered the NHS so badly every tabloid splashed ransomware across its front page for a fortnight. That was 2017 and people still whisper about “the virus that cancelled operations”. Rail’s moment will come unless you’re watching.

Final Whistle

Threat intelligence isn’t about who can collect the most feeds or colour the fanciest heat map. It’s about seeing the one thing everyone else missed, the signal sliding past the red light while the guard dozes. Honeypots give you the eyesight; filtering gives you spectacles polished free of grime. Put them together on British rails, and you’ll spot the ghost train before it rattles the sleepers loose.

So brew yourself a proper cup of builder’s, spin up that decoy signalling server, and keep an ear out. The next knock you hear on port 22 might not come from a teenage script-kiddy in Minsk; it might be an engineer-turned-marauder who knows exactly how many seconds to wait for a points change. Catch him while the network still belongs to you, not the evening news.

Now, if only Southern could do the same for their timetables, we’d all be laughing.
