
Protection with deception: Deception Inception. Awesome, thanks so much. Thank you everyone for being here. I'm excited to give this talk. This is actually the fifth talk of 2022 I've been giving, with slight variation, so hopefully this is the best version. So I'm Justin Varner. The best way to describe what I do is philosophize about security, so I think about security problems and I try to propose solutions. I've been partnered with Thinkst Canary out of Cape Town, South Africa. They're a relatively new company and they work on breach detection. They provide a free service called canarytokens.org, and I'm going to talk to you about what we've been doing in breach detection that isn't working, why we need a paradigm shift, and
walk you through a ton of practical examples for how you can deploy deception technology right now so that you don't get pwned. So it would help to first talk about honeypots, honeytokens and honeytraps. A honeytrap can be a honeypot or a honeytoken. This is really part of the discipline known as deception technology, and the key with deception technology is trickery and being more slick than the adversary. If you can out-dupe your adversary, you're going to be effective at detecting breaches. The reason we need honeytraps, honeytokens, honey boxes is because we need a better level of high-fidelity, low-volume alerts. We have analysts that are looking
through SIEMs and SOARs and burning out; they're changing careers. We're already at a deficit of several million jobs, depending on which report you read, and we need a new solution, because I feel for the analysts and they need some help. And most importantly, what we're doing for breaches now isn't working. You know, it takes a long time (and I'll get into the statistics here shortly) to even detect the breach, let alone mitigate the breach. It's costing lots of money, and simple incidents should just stay incidents, but they're becoming catastrophes. We need a new way to lower our mean time to detection and mitigate the blast radius and, like I said, keep our security professionals happy and within the same industry.
So some of you may remember laundry room biking, and this is an analogy to people in the security analyst world. You know, the whole philosophy was you should just stay up all night triaging alerts, nothing wrong with a 100-hour week, but it's not sustainable, right? So this isn't going to work and you're going to be fighting an uphill battle. This is a metaphor for your inundation of alerts, when you're told, hey, go take a look at the Splunk SIEM and try to find a needle in the haystack. Good luck with that. But why, why do we need deception technology of all things for breach detection? Well, I'll tell you why we need
something else. Just look at the past 10 years. You can go back to Snowden in 2013. The most sophisticated spy surveillance agency in the world had no idea that he was rummaging around and exfiltrated all this data. You know, most people still have post-traumatic SolarWinds disorder, PTSD. If you go back to 2019, everything now is third-party risk, and how do we mitigate supply chain? We're still feeling the effects. There may be 18,000 or so departments that have been affected by SolarWinds, and the effects are still being felt. You know, if you look at last year, this affected this part of the world with the Colonial
Pipeline breach. This was an interesting case of physical and virtual worlds converging. You know, you had actual pipeline delays and oil shortages for about 10 days because of a ransomware attack. And anyone who has a credit score, which is anyone here over 18, which I think is everyone, you've been affected by Equifax, you know, in 2017. And this, you know, people were trying to tell Equifax, hey, for months, there's this problem, we have Apache Struts, we need to fix this issue. Nobody listened, or they didn't care, or they didn't know the extent of the problem. So deception technology is a new approach that gives you higher fidelity and lower volume. This is why we need it.
Anyone here remember Jimmy McMillan? He was a 2012 presidential candidate on the Republican ticket. His whole platform was about the price of rent being too damn high, and he was right, but cyber crime is even higher. If you look at some of the statistics, it was estimated to cost six trillion dollars to the global economy in 2021. Every 39 seconds, roughly, there's another breach. Last year there were 847,000 cyber complaints to the FBI. And up until now there was probably no hope of a solution, but let's talk about why there may be now. And so I kind of talked about earlier how long it takes to detect a breach: 212 days is the IBM report 2021, an estimate
of how long it takes to even detect a breach. That amount of time allows for a significant number of accounts to be dumped. If you look at some of the biggest breaches in history, you have Cam4. What's interesting here is you've got almost 11 billion accounts, and there's only seven and a half billion people on planet Earth, which means that there are some people doing naughty things who didn't want people to know that they were doing them. So that's a lot of accounts. You look at Yahoo: every vertical within Yahoo has been breached. You got fantasy sports, finance; they had multiple breaches, three billion accounts. You know, your information's been out there if you ever
had a Yahoo account. And then the one that was pretty devastating, it had some really real-world ramifications: Aadhaar. That was India's attempt to digitize their entire economy and link your driver's license to your 401k to your bank account and so on, except the identity system wasn't super secure, and the government advertised, hey, if anyone can breach my account... well, you give this an invitation to hackers, and less than a day later everyone in India's account has been compromised. So it's entirely too long. So I want to talk now about Thinkst Canary, and, you know, the canary in the coal line or the coal mine, however you want to say it.
So Thinkst Canary. I'm not actually an employee of theirs, I am a partner, and I believe so sincerely in what they're doing that I'm willing to go on these talks and discuss their stuff, because personally I have seen what would have been four headline-worthy breaches avoided. I've seen really sophisticated pen tests and arrogant red teamers (no offense to the Dell SecureWorks people), but they've come in thinking they were going to pwn the environment in eight minutes; they tripped over a token and then they tripped over another token. And, you know, there was a really funny story I tell: a couple years ago there was a report that was generated by X-Force on
a red team assessment that went on for three weeks, and they, you know, came in, they dropped the report, it was a 711-page report of all their findings. But while they were doing this I was also compiling a report of everything that they were tripping over. My report was 94 pages, and so when they came in acting all arrogant, throwing their stack of papers down, I met them with a larger stack and they felt pretty stupid. So let's talk about how you can use these canaries, right? So the idea of a canary could come in the form of a bird, which is a honeypot traditionally, and a token, which is a honeytoken. Birds are
anything that looks like a legitimate device, so you can have a SCADA system, a dumb coffee machine, a smart fridge, whatever you want to call it; it's gonna look just like the real thing. And the idea is to entice an adversary. An adversary is going to try to interrogate this system, and when they do, it's going to fire alerts and it's going to immediately tell you that something is amiss. That's the idea with these Canary birds. And then you've got Canary tokens. Like I mentioned at the beginning, there's a free site, canarytokens.org, where you can go and generate an unlimited number of tokens, and these tokens can be QR codes, so somebody scans a QR code and it automatically
fires an alert, and it might Rickroll them, or you can get creative there. It might be AWS keys; you know, you can drop them on every laptop in your company, and if somebody tries to access the keys, it's going to fire an alert. And over time, when you start to layer these tokens together, you end up creating such a detailed forensic trail that you have a pretty good idea of who this person may be, and if you don't, you can hire a third-party company or start to use an incident response tool, LimaCharlie for example, and you can start to really dig in and figure out with a high degree of certainty who this person may be. Yeah,
you can de-anonymize the pool of people pretty easily based off more and more information you gather from these tokens, and I'm going to walk you through that. But first let me show you what a bird looks like. We'll talk about... the bird is the word. So let's talk about the window to the walls. No. So Windows is used in pretty much any enterprise that's 10 years or older. They use Active Directory. Active Directory is a way to essentially manage users, passwords, devices, printers, and it's also, like, open to being compromised. There's like 20 years of research on how to attack Active Directory: you've got Kerberoasting, you've got, you know, DCSync, DCShadow,
Golden Ticket, you name it. So this is a very attractive target for an adversary. So what we can do is we can spin up a domain controller that looks just like a domain controller, and you'll see on the next slide, and it's so legitimate actually that I'm gonna have to show you another slide on another device, because the recommendation is, if you already have Windows, you may not want to deploy this, because it's so realistic it may start interacting with your environment, causing issues. So let me just show you. So for those that are familiar with nmap, it's a classic service and port enumeration tool. Might be a little hard to see from here, but I basically just
ran a detailed nmap scan against the IP of a bird, targeting ports common in Active Directory, and if you look at all the service information, starting at like 22, SSH, and notice that it's Microsoft Windows, you'd be hard-pressed to tell the difference. 80 is IIS, Internet Information Services; if you were to visit this IP on port 80 you'd actually hit an IIS splash screen and you wouldn't know, but I would know. And you also have Kerberos, port 88. It's even so customizable, down to the domain: if you see under Kerberos at the bottom it says tc-80.thinkst.com. You can customize this to be tc-80.bsidescharleston.org or whatever you want, to make it look as believable as possible. Even, and this is
a bad idea, but even SQL Server. Don't put it on with a domain controller, but people do it all the time. But it even tells you, like, the version, the patch number, all of that stuff. And so the moment a bad guy starts to fire off at that, this thing lights up like a Christmas tree. So what you can see on the left here, these are just a bunch of alerts, and so not only are you getting port scan alerts, you also get alerts if people try to run an FTP command. So maybe somebody's going to try to access FTP on this host; it says here "FTP login attempt". Or HTTP, like I mentioned, IIS: if you visit that
site and enter credentials, you'll see on the right side here (well, it's hard to read) but it says password and username not supplied. If they were to type in spaghetti and pizza or whatever, these both will pop up. It captures every bit of information, and in the process you get an IP. This is where you're going to start your investigation. And then you also get any number of alerting endpoints. I'm using Slack as an example; you can send it to SMS, email, PagerDuty, Jira, really anything. You can use this orchestration platform called Tines, that's free and awesome, to basically create any scenario you want and orchestrate. And so now we have an IP.
This is a great place to start with our forensic trail, but I also wanted to show you a non-Windows scenario. So a lot of people love Joomla; pen testers and red teamers just love Joomla because Joomla is vulnerable, and when it's on the Internet it's a target. It's a content management system, and a bird running Joomla looks pretty legit. I mean, if you didn't customize it and use a nice little flowery background... but, you know, you customize it, and again, like, we get the IP address, this is helpful. We also get the user agent, so we already know, this is our de-anonymization pool: they're on a Mac and they're running what
looks like Mozilla. And so I know the IP, I'm in Richmond, there's only so many Macs and there's only so many Windows or Mozilla browsers. This data is actually collected all the time: if you use Steam, the service for gaming, there's the Valve hardware index where they ask you to upload your information; all your hardware information is up there. So you can start to see where this might be helpful. I also wanted to mention, in the world of honeypots traditionally, so the way Thinkst looks at honeypots, they call them production honeypots; these are more focused on you as a person. And what's interesting, but if you look at
the research around honeypots for 20 years, all they used to do is sit on the internet and listen for intelligence. They used to say, well, this is a bad thing, there's an SSH worm, there's this and that. Well, you can actually use your honeypots in a similar way as an outside bird, and you can run it through this tool called GreyNoise. They're in DC, super neat tool. What they do is they look at the threat intel, they look at, like, Cloudflare and AWS and Shodan, and they say, we know these IPs are not important because they're deterministically scanning the internet; here's everything that you need to care about, and they give you what's left. So
as an example, I threw in about 5,000 IPs and it spit out like 800. The ones that were at fault were China (no big surprise there) and Russia. And you can see they have an API that's free, a website, super cool company, highly recommend it, free service. Also, there's another company here; it used to be called Rumble, now runZero. HD Moore, the creator of Metasploit, and Chris Wallace, two awesome dudes, they got together and they tried to figure out how to solve asset inventory, because they said, hey, this is a really hard problem. Most of the time people are trying to defend things and they don't even know what things they need to
defend. And so runZero is unique and it has a native integration with Canary, and what's cool about this is you can use alerts from Canary to send IPs automatically to assets. So why this would be helpful is, maybe you have a Log4j alert from an endpoint internally and you kind of want to know about this in your asset inventory, like if one of your machines is communicating to a Tor endpoint, you're like, what's going on? It's probably compromised. This is a great way to have context and enrichment of your alerts. And, you know, Canary and runZero go together like Shaq and broken backboards, and if you don't believe me, I mean,
this is just a couple of examples, right? You know, there's probably another 12 that he's broken in half. So yeah, just a match made in heaven. All right, so I talked about birds, let's talk about tokens. Tokens all the way down. I'm going to talk about recon, and there's a few examples of recon. Rest in peace, Chris Farley. So the first type of token you can use is called a "deceive nosy stranger" token, DNS token. And so the domain name system is a way to map names like bsidescharleston.org to an IP so you don't have to remember it. Most people don't like remembering numbers, unless... I mean, you know, you don't have to do that. So what we can do,
kind of reversing this paradigm, we can use a DNS token on a dark network segment. What's a dark segment? It's, you guessed it, a place where nothing exists or nothing should exist. And what we can do is we can use the DNS token and say this name maps to this IP in the dark segment. If there's a pen tester, an adversary, or a bad person that tries to resolve it, and reverse it, it fires an alert. Boom, Snoop Dogg's in the building. And you can see down here, well, you'll notice that there's a name here, dot canarytokens.com. It's worth mentioning that when you pay for their hosted service you get to
customize your domain, so it's not as evident, like, hey, I use deception technology. You know, you don't want people to know that you have this, so you can customize your vanity domain through your actual company domain. And yeah, they have better... it's so cheap, just look them up, very exciting. And so what's interesting about the DNS token, it doesn't tell me my IP, right? It tells me the IP of the resolver. But even then, it knew that I was in Richmond. So the first token of value: they use the Cloudflare 1.1.1.1 DNS server, and I knew I was in Richmond. That's already, like, de-anonymizing the pool of who this could be. So that's a good bit of information
to start off with. Now, probably my favorite enumeration token, though, is called the web redirect token. What's great about this is you can have, like, a CNAME, like any kind of endpoint that's attractive, like sso.bsidescharleston.org, portal.thinkst.io, and when they visit it they quickly get redirected to a canary token site and it grabs all this information in the user's browser. This is where you get a wealth of information that's useful for forensics. So you start to see here, you got the user agent again, that's a Mac, it even knows that it's a Mac M1, and there aren't that many Mac M1s because of the supply chain issues.
So I have a Mac M1, I'm in Richmond, I'm having to use Mozilla; it even knows JavaScript and the version, and this is just from hitting an endpoint. Tons of useful information. And it's worth noting that this information all the while should be sent to a SIEM. This isn't a replacement for your preventative controls or all of your, you know, endpoint detection and response, all that telemetry. This is merely a way to know when you've been breached in real time. If you still want to do forensics, you still want to collect and pull it and activate, and so you should still be sending these alerts, and you can easily send the JSON syslog directly from Thinkst, just
hit up their support team. There's also another really great enumeration token, or whatever: it is the clone website token. And even though imitation may be the sincerest form of flattery, it probably means you're about to be phished. And so what you can do here, you create a token, it gives you five lines of JavaScript. All you do is you embed that JavaScript, like, obfuscate it, put it in your HTML pages. If somebody takes your site, clones it, and then redeploys it (so bsidescharleston, maybe there's an extra s in there, dot org), if you visit it, it's going to fire an alert and it's going to tell you, whoa, somebody just took my site and they're...
maybe it's part of a larger threat campaign, and you can start to gather the metadata and figure out, all right, is this just some punk who's interested, or is it a developer that's cloning the site locally to test? You can add to it an allow list and ignore lists, but you start to learn a lot of stuff. And what you can do with this is get your legal team to send a cease-and-desist letter. I've seen this be effective in taking down doppelganger domains, or you can just scare them; either way, you'll let them know that you're on to them. Awesome. So we talked about enumeration tokens, let's talk about API tokens. Application programming
interface; ask Burt Macklin, he's on it. So my favorite token of all, I think, yeah, the Amazon Web Services token. These are so useful because if you're a pen tester, a bad guy, you want these. These are the keys to the kingdom. You get a set of keys, you'd be hard-pressed not to use them. You tell me any pen tester that's not going to try these AWS keys. Well, the moment they do, it fires an alert. It also creates a geo map, which is really nice. So why this is helpful is you can again start to build a forensic trail: is this part of a larger campaign? Are they accessing AWS keys in one particular
region? Is it distributed? The mistake that a lot of adversaries... see, I do, and I've seen in the wild, they will take these keys off of Susie Q's laptop and they'll use them on their machine. Well, when they do, we grab a bunch of metadata: we grab the IP, the city, country, we even know the command that they ran, list buckets, you know. And so, most of the time they're going to run aws sts get-caller-identity to figure out who you are, but, you know, you can learn a lot about a person by what commands they run, so, you know, consider that. And then here's the memo, "because on my laptop", here's the key,
and you can also token these keys and give them fake permissions, which I'll show you, because this will give you more bang for the bucket. The other type of token in AWS land: Simple Storage Service, S3, is just raw bucket storage. You can put stuff in it. Over the years people have accidentally put sensitive information there, and Amazon didn't really opt you into security until recently, and your buckets used to be accessible and writable by anyone on the internet. That's a problem, but we can use this to our advantage, knowing that a pen tester is going to look for buckets. So you can token an entire bucket, and you can have a token tied to the set of keys, so that if
somebody tries to access this bucket (looks great, like Aetna PII, great, there's probably something useful in there; not really), it tells you here the type of request, like a HEAD request, user agent again (this was run on the boto3 SDK and Linux, or Mac rather; it was, I think it was Python), it tells you all of this stuff, again more information for the trail. It even tells you the user, and couple that with the AWS API key and you're starting to build a pretty robust forensic trail. Okay, there's a lot going on in this slide, and so I'll just tell you this: so, heavy metal Slack. What you can do with Slack is they have Slack tokens, and the way that I
like to drop Slack tokens is similar to the way Xzibit likes to drop fish tanks inside of fish tanks inside of your car, if you ever watched Pimp My Ride; if not, you should. So what you can do is you can drop a Slack token inside of a Slack channel, so when somebody uses Slack, you know, they get stunned. And anyway, there's a lot going on here, but meta-layering of tokens is the way to go, because the more that you layer, the more likelihood you're going to have them trip over these tokens, and then they're going to continue to create a forensic trail and de-anonymize themselves. So I love it. There's also, in the API world, a new,
pretty new token that came out: it's Kubernetes, K8s. It's a nickname; if you see why it's K8s, letters, get it? Okay. Anyway, so it's a platform for orchestrating a large amount of containerized applications, and a container is just a self-contained application that's OS-agnostic. Well, these are also pretty attractive, similar to AWS keys. Drop these on every machine in your enterprise, put a memo. You don't want to put something like "test", because that doesn't tell you anything. You know, that's one mistake that people have: all these tokens, "test token", this, that. No, make a unique memo. You can automate this with, like, any kind of endpoint management system; on endpoints you can use SCCM or
Jamf; in the infrastructure world, probably LimaCharlie, you could use Ansible, Chef, Puppet, you name it. You can automate kind of distributing all this stuff. And then there's another one that just came out a few months ago that I really like. This is, if anyone remembers the "I accidentally 93 megabytes of .rar files" meme, that meme is just so good. But anyway, so you can tripwire an executable, and in Windows what it does is it creates a registry entry, so that anytime a command is run, like whoami or netstat or something that is used for situational awareness, similarly it fires an alert. And so you
know, you're going to know pretty quickly if, like, someone in marketing or human resources, or the people department, they shouldn't be running PowerShell, right? So if you want to wrap PowerShell in a token, or maybe you want to wrap netcat, or anything that you would not expect to be running on that particular machine. Cool. So those were API. Here's a couple of tokens for your phones, and you can put these on right now, and I recommend you do, starting with WireGuard. So WireGuard is a new VPN protocol that's kind of supplanting OpenVPN, and there's a token for this. And what you can do, and the idea here is, you want to be able to detect when an
adversary is on your device, and it's really hard to do that. If you look at the Pegasus files from last year and the NSO Group, nobody really knew, without doing detailed forensics, that this was even happening, and how would you know if your iPhone got pwned? Well, the idea here is, if you put a WireGuard VPN token, you can create an attractive name like "Enterprise VPN endpoint", and if somebody activates it (and it won't be you, because you know it's bogus), they're gonna trip this alarm and they're going to fire an alert. Again, you get a Slack memo. It's a pretty good indicator your phone's pwned, and then from there, again, you can use iMazing and do
some detailed forensics, or, you know, any number of forensic tools, and call your incident response team. Yeah, because so much flows through your mobile device now. I mean, there's more mobile traffic than computer traffic now, so, like, your phone is your target, and your phone runs a lot of the same software as your computer, so just protect it. You can create this token right now; highly recommend you do. Also, you can scan this QR code. It's not a trap, but don't do it if you don't want to. But the idea with these QR codes is you can do some really cool things, because people like scanning QR codes. They really legitimized them; they've been
around forever, but, you know, Toast and all these companies, they're like, wow, QR code, quick response, let's put some data in here. Well, what I like to do is drop these QR codes in mailboxes that are unread, and you say, like, "Okta enrollment code", "Duo device code", something people are going to trip on, and I've seen it happen a dozen times, and you're like, wait. Or you put the Wi-Fi password around the office; but maybe you don't have a Wi-Fi password, maybe you do things the right way and you push it out with Jamf, or you do it securely. Well, they're gonna scan it and be like, cool. Nope. All right, if you stare at this too long
you will hallucinate, but let's talk about the last category of tokens, associated with mind games. At this point, if an adversary has gotten this far, you are just playing psychological warfare with them, and if they don't know that you know, they're about to know, and this is how you know. So I could start with databases, right? Database, get it, data, basically... I'm pretty funny sometimes. Anyway, so what you can do is you can create a token database that looks like legitimate data. I don't know what this is, but it looks pretty good. So the moment they insert the data (just insert it, right) and then open it, it fires an alert. You know, you can make it sound like,
you know, FTA, oh sorry, FTX or whatever, like, make it something pertinent and topical, to where they're going to want to open it, and then when they do, okay, there's a ton of info, including, yeah, so you got your memo, you get your IP, pretty great way to start. You can even insert a database like that that has a bunch of tokens in it, why not, or just something in it that says "I know that you are in my network, you should leave". You know, for example, Conspiracy Keanu. I think he was on to something; he might have... his conspiracy theories, or conspiracy realities, right? Well, what you can do here with Google
Docs or Word docs or PDF files as tokens: you can create a file that says something like, you know, "FTX Financial Ledger" or whatever, or "2022 Compensation Plan". People are going to open it, and the moment they do, you can drop a truth bomb on them. So you can put in something there about Operation Northwoods or HAARP or some conspiracy theory, reality, whatever you want, and you might just blow their minds so much that they change careers and just decide to be legitimate. You don't know, right? But this is the point: you've got to be thinking like a bad guy, and what would you do if you opened this and all of a sudden you learned something?
I don't know, but I think it could be effective. And then lastly, kind of on that same line, you can spread some bullshit, and you can use financial documents as spreadsheets or Google Docs, and I don't know if there's any D.B. Cooper fans here; if there are, let's talk. But this is such a fun mystery that's now closed by the FBI, but it is intriguing still, and you can dump your whole spreadsheet full of info of what we think we know about D.B. Cooper: that he hopped on an airline on November 24th, 1971; it's the only person who successfully skyjacked an airplane, and he might be dead, but he might not,
but the reward's 100 million dollars. So maybe they change careers, right? Maybe they're done being petty scumbags that send phishing emails. Perhaps. Now let's talk about the final kind of, you know, wall-up here: how do we pull this all together and make it something useful that you can then package up nicely to your friend, the SIEM? Well, let's talk about Deception Inception to lead to better breach detection, a mouthful. So here's the scenario, and there's a zillion; this is what's fun, creativity is your only limit. You've got an adversary who pops your server; maybe it's like a legitimate bird or maybe it's just something with executables that are tokened. Well, once they're on there, they
run netstat. Well, that's tokened. You send it to your SIEM, and you get it, because Liam Neeson, S-I-E-M, is pretty funny. So they run netstat, and then they probably run nmap, because they want to figure out situational awareness and they want to say, what else do you have on your network? Oh, they happen to find a Windows file share, and that also happens to have a document on it with AWS keys that gives you access to an AWS bucket. By the time it's all said and done, you might not know who they are, but you're going to figure it out, because you have a pretty detailed forensic trail. And that's just one example. I mean, you can literally token
and layer, and the more the better. There's no limit to the tokens you can create, either for free or on the hosted console. It's a lot of fun. And so this is a new paradigm shift. Like I said, I believe in it wholeheartedly by what I've seen. I hope that this has been useful, and I wanted to open it up for questions. Thank you so much.
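Two practices from the talk, giving every deployed token a unique memo instead of "test" so an alert names the exact host and bait artifact, and layering several token types so one intruder trips them in sequence and builds a forensic trail (the netstat, nmap, file share, AWS keys, S3 bucket scenario), can be exercised with a small alert correlator. The following is an added example written for this transcript, not code from the talk, the speaker, or Thinkst. The JSON field names (`time`, `src_ip`, `memo`, `token_type`, `additional_data`), the memo registry and the sample alert lines are all constructed for illustration and are not the real Canarytokens webhook schema.

```python
"""Correlate honeytoken alerts into a per-source forensic trail (added example)."""
import json
from dataclasses import dataclass, field
from datetime import datetime

# One unique memo per deployed token (the talk warns against memos like "test"):
# the memo alone then says which host and which bait artifact was touched.
# CONSTRUCTED registry for illustration.
MEMO_REGISTRY = {
    "aws-key-laptop-0042-finance": {"host": "LAPTOP-0042", "asset": "~/.aws/credentials"},
    "k8s-config-laptop-0042":      {"host": "LAPTOP-0042", "asset": "~/.kube/config"},
    "s3-bucket-acme-pii-archive":  {"host": "cloud",       "asset": "s3://acme-pii-archive"},
    "dns-dark-segment-10.99":      {"host": "dark-segment", "asset": "fileserver-backup.corp.example"},
}

# CONSTRUCTED alert log, one JSON object per line, as a webhook receiver might store it.
# Field names are an assumption for this example, not the real Canarytokens webhook schema.
SAMPLE_ALERT_LOG = """\
{"time": "2022-11-12T14:02:10", "src_ip": "203.0.113.7", "memo": "dns-dark-segment-10.99", "token_type": "dns", "additional_data": {}}
{"time": "2022-11-12T14:05:41", "src_ip": "203.0.113.7", "memo": "aws-key-laptop-0042-finance", "token_type": "aws_keys", "additional_data": {"useragent": "aws-cli/2.7.0 Python/3.9.11 Darwin/21.6.0", "api_call": "sts:GetCallerIdentity"}}
{"time": "2022-11-12T14:06:03", "src_ip": "203.0.113.7", "memo": "s3-bucket-acme-pii-archive", "token_type": "s3_bucket", "additional_data": {"useragent": "Boto3/1.24.0 Python/3.9.11 Darwin/21.6.0", "request": "HEAD"}}
{"time": "2022-11-12T09:00:00", "src_ip": "10.20.30.40", "memo": "clone-site-marketing-www", "token_type": "clone_site", "additional_data": {"useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"}}
"""


@dataclass
class Trail:
    """Everything one source IP has tripped over, kept in time order."""
    src_ip: str
    hits: list = field(default_factory=list)


def parse_alert(line: str) -> dict:
    """Normalise one alert line into the fields the trail needs."""
    d = json.loads(line)
    extra = d.get("additional_data", {})
    return {
        "time": datetime.fromisoformat(d["time"]),
        "src_ip": d["src_ip"],
        "memo": d["memo"],
        "token_type": d["token_type"],
        "user_agent": extra.get("useragent"),
        # Remaining metadata (AWS API call, HTTP verb, ...) is kept for the analyst.
        "detail": {k: v for k, v in extra.items() if k != "useragent"},
    }


def build_trails(alert_log: str) -> dict:
    """Group alerts by source IP; each group is the forensic trail for that source."""
    trails = {}
    for line in alert_log.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        trails.setdefault(a["src_ip"], Trail(a["src_ip"])).hits.append(a)
    for t in trails.values():
        t.hits.sort(key=lambda h: h["time"])
    return trails


def summarize(trail: Trail) -> dict:
    """Resolve memos to hosts/assets and flag trails that crossed several token types."""
    token_types = sorted({h["token_type"] for h in trail.hits})
    hosts, assets = set(), set()
    for h in trail.hits:
        entry = MEMO_REGISTRY.get(h["memo"])
        if entry:
            hosts.add(entry["host"])
            assets.add(entry["asset"])
        else:
            # A memo nobody registered is itself a finding: someone deployed a token untracked.
            assets.add(f"unregistered memo: {h['memo']}")
    return {
        "src_ip": trail.src_ip,
        "token_types": token_types,
        "hosts": sorted(hosts),
        "assets": sorted(assets),
        "user_agents": sorted({h["user_agent"] for h in trail.hits if h["user_agent"]}),
        "first_seen": trail.hits[0]["time"],
        "last_seen": trail.hits[-1]["time"],
        # Layered = the same source tripped two or more different token types.
        "layered": len(token_types) >= 2,
    }


def triage(trails: dict, allowlist: set) -> list:
    """Rank trails: layered hits from unknown sources first, allow-listed sources last."""
    order = {"high": 0, "medium": 1, "info": 2}
    rows = []
    for t in trails.values():
        s = summarize(t)
        if t.src_ip in allowlist:       # e.g. a developer cloning the site to test
            s["severity"] = "info"
        elif s["layered"]:
            s["severity"] = "high"
        else:
            s["severity"] = "medium"
        rows.append(s)
    return sorted(rows, key=lambda s: (order[s["severity"]], s["first_seen"]))


if __name__ == "__main__":
    for row in triage(build_trails(SAMPLE_ALERT_LOG), allowlist={"10.20.30.40"}):
        print(f"{row['severity']:6} {row['src_ip']:14} types={row['token_types']} "
              f"hosts={row['hosts']} first={row['first_seen'].isoformat()}")
```

Fed the constructed log, the source 203.0.113.7 comes out as a single "high" trail spanning the dark-segment DNS name, the finance laptop's AWS keys and the PII bucket, with the user agents and the AWS API call attached, while the allow-listed workstation that tripped the clone-site token is ranked "info" and its unregistered memo is surfaced for cleanup.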
It's a good question: what's the difference between a honeypot and a wiretap? So a wiretap is essentially sitting inline on a communications channel, so, like, if the FBI needs to figure out where some deal's happening, they'll probably contact AT&T and they'll sit upstream and they'll listen and they'll make a copy of it. A honeypot is like, here's a trap, go this way, you know, like here's a sticky honeypot, like Winnie the Pooh. Yeah, exactly, there's lots of money here, real money, just kidding. You know, and then so you kind of entice them to make this mistake, and almost, a wiretap's like they've made a mistake and now you're
trying to prove it. I don't know, that's a good question though. How do they get over it? It's a good question: being very careful, right? And that's actually a good counterpoint. Some of the elite red teamers, like, what, have you run into environments like this, do you even know? See, that's the fun part, is like when you've seen the offensive security side of things, you can start to think, okay, how do I trip up an adversary? But if I'm an adversary, you know, it's a cat-and-mouse game, and the old saying is, you know, defenders think in graphs, or sorry, defenders think in lists, attackers think in graphs; until that changes, it'll never be like...
attackers win, right? And so attackers are going to find a way, right? They're gonna get more creative. There are people that deploy this haphazardly, not stealthily, and so they make it pretty obvious that they have honeypots. Or, like, I'm here and I'm not telling you who I represent, because I don't want to paint a target on my back and say I have an ADT sign, break into my house, right? Because it means I have valuable things here. So it is discretion, but also you need discretion with your teams internally, right? So, like, for example, if you want to push a code change to drop AWS keys in your Bitbucket or GitHub
repository you have to know let a few people know but not too many because if everybody knows then The Jig Is up so there isn't really a good answer it's a good question though I would open it up to any pen testers here for their take yes so um
So, Thinkst Canary, their honeypot is fully customizable, down to the banners, to the ports. So like, if you know... and they even have support now, I want to say, for like a smart fridge or something, but they also have SCADA systems, and they have templates for like, this is what a device looks like. But if you have an idea, like, let's say an Amazon Alexa listens on, what, 617? I forget the port. But you can actually customize the banners, the headers, make it look just like it, and then, they're super cool, so if you submit this template to them they'll add it to their catalog. Like, they're the coolest people ever, I can't say enough good things. Obviously they make these birds, and their whole pitch is in four minutes or less you can be online. It's true, you know, plug it in, and yep. And then you can templatize it, automate it with the API. Like, I love seeing how many birds I can configure in one fell swoop, you know, you can do hundreds literally once you get this automated. Super cool. Yeah, what's that? Oh yeah, Justin Varner, and I'll share this slide deck out. But yeah, I'll give it to you. I need business cards, I don't know why not. Please share them, yeah. Oh yeah, absolutely.
I have more so... stuff, but like on-prem, like with containers or something, or people use the cloud? Yeah, it's a good question. So they have OpenCanary, which is super cool. They actually just baked that into the latest version of Security Onion, so if you use Security Onion, it now has OpenCanary. I've used both. I'm lazy, so I like their hosted solution, but also when you pay for the hosted solution you get the custom vanity domain. Like, I don't know, if you have a team of people that can manage infrastructure, great, but most companies with small teams need a little help, and they have excellent uptime, you know. And I don't know, I feel like it's a pleasure dealing with their support team, because every time you do they just send you free swag. I don't know what it is about them, they're just great people. So I mean, but you can totally... like anything in the right security model, freemium is best: when you give enough to people where they can do it themselves if you have the time, but you pay for it if you don't and you want the support. You know, that's the right model. That's how GreyNoise and runZero and, you know, LimaCharlie, all those companies that have that right approach, you know, they're the ones that I really believe in. Anyone else?
The Google one, I was curious about that. Yeah, so you create like a copy of a Google Doc that has a Google Apps Script that runs transparently in the background, so the moment you share it... you share it to everyone, so somebody opens it, boom, you know. Yeah, it's great, it's one of the best. And there are people that are going to be snooping around, like, legitimately, yeah, but then you kind of see a trend. Like, this is great for insider threat. Like, I have seen this find several people that were up to no good, and it was part of a larger narrative, you know. So, okay.
...pen testers that have completely evaded this, and they have some boasting rights, because you're saying it's tripping... I'm inviting them. I have not, because a lot, like, I don't know what it is, and I've dealt with a lot of pen testers, companies, Praetorian, X-Force, stage, you name it. They always trip over something, and then it's cascading. But then again, it's like, how can you not, when you litter it with just garbage, right? It's like, even if you're the most careful pen tester, by the time you're done you're not going to do anything, right? And normally you're in a time-limited engagement and speed is of the essence, and so if they have to slow down for every little thing, well, you'll probably have enough time to figure this out. And that's the whole point: it's not necessarily even to detect them, it's to slow them down so they move on to an easier target. Yeah, just imagine they're all mines though, right.
Thank you so much.