
Everyone, thanks for being here. This is my first version of this talk this year; last year I gave it six times, and this is an evolution. So I'm excited to talk to you all about deception technology and a new paradigm shift for real-time breach detection.

First, it helps to talk about what honey traps are. They can be honeytokens or they can be honeypots, and they're designed to be security mechanisms that will entice adversaries to make mistakes. We need these because we need a higher fidelity of low-volume alerts, so that we can mitigate the blast radius of events, reduce the mean time to detection, and save some of our security professionals that are burning out and leaving the industry. All of this is part of a larger discipline known as deception technology. Being a trickster is what will make you most successful, and you'll see over time, if you outdo your adversary, you'll increase the chances of being able to de-anonymize and figure out when a breach happens, as well as being able to reduce the amount of time it takes to actually remediate it.

So, to the point of the analyst burning out: this is the meme of the Linger Room Viking, and the relevance here is, the Pyramid of Pain is a known concept. I feel for the analysts, and what happens is you're working 100-hour weeks and you're triaging tickets, but you're not getting ahead, and you end up dead. So don't do that. Let's take care of our people.

Why specifically deception technology? It works, and also what we're doing doesn't work. Look at the headlines from 2013 on. Snowden stole from the NSA; the NSA is supposed to be the best at what they do, and they had no idea he walked out. Look at Equifax: every person who has a credit score has been forever affected. Codecov. Colonial Pipeline was an example of a digital and physical convergence where there was an impact to pipelines and fuel, so it's not just digital and physical, it's converging. Bruce Schneier talks about the Internet of Things, or the Internet of Smart Things, and it's all becoming one. And then if you look at SolarWinds, people are still suffering from post-traumatic SolarWinds disorder, right? Everything is third-party risk. I mean, this doesn't work; what we're doing isn't working.

If anyone remembers Jimmy McMillan, he had a platform specifically about the price of rent being too high. He was right, but he wasn't anywhere near talking about cybercrime. So $6 trillion in 2021 is what they estimated it will cost, then $10.5 trillion in 2025. About every 39 seconds a business is breached; 847,000 cyber complaints. And there didn't seem to be a solution, until now, I hope. Here's another interesting statistic: 212 days is the average, according to IBM's breach report, before anyone even knows that they've been breached. This results in dumps of massive record volumes. CAM4 is a naughty streaming site, almost 11 billion accounts; interestingly enough, there's 8 billion humans, so what was going on there? Yahoo got pwned across the board, Finance, Sports, multiple times. And then Aadhaar is an interesting study: it was India's attempt to use digital identity across the board, so driver's license, 401K, retirement. The mistake was the government said "this is secure, I invite you hackers to show it," so two hours later this results. It doesn't work, and so you don't do that.

Now specifically I want to talk about canaries and the relevance here. A few years ago I started researching and partnering with a company called Thinkst Canary. They are based out of Cape Town, South Africa; their CEO is Haroon. Great company, they bootstrapped themselves into a really successful company, and they use this concept of birds as honeypots in a new context, and Canarytokens, which are honeytokens. I'm going to walk you through each of these examples. Birds are meant to be devices that look real: dumb terminal, smart coffee machine, whatever you want to configure, it'll look just like the real thing. And then the Canarytokens are various types of tripwires that manifest as API keys, Kubernetes tokens, QR codes. The point is you want to litter them everywhere; you want to create a minefield of these things to force adversaries to trip over them and trip over them, all the while building forensics and giving ourselves an ability to de-anonymize this person and actually figure out what's happening while it's happening, 'cause we want an early-warning breach system.

So let's talk more about the bird itself. If you're a company that's over 10 years old, you probably run domain controllers. They serve Active Directory; that's a way to essentially manage machines, users, passwords and files. Problem is, there's 20 years of research on how to take over Active Directory: Kerberoasting, DCShadow, DCSync. It's really hard to secure it, and adversaries know if you can get it, you can pretty much take over the company. So the idea here is we make a bird that looks just like a domain controller, and this is what happens when you run nmap. nmap, for those not familiar, is a classic port and service enumeration tool. We can interrogate a bird on ports that are common for Active Directory, like 88 Kerberos, and you can make it so convincing that it looks like they're connecting to a real domain, ad.thinkst.com. Similarly with 389 LDAP. 80 is IIS, so if you hit that page you get an IIS splash screen, and it'll even capture your login; it looks just like the real thing. Even SQL Server: you shouldn't run that on a domain controller, but people do it all the time 'cause they're dumb, but SQL Server, the build, all the information; you'd be hard pressed to tell this apart from the real deal. The moment this happens, you don't need to light up your own Christmas tree, 'cause look at this: on the left side we've got not only port-scanning attempts but attempts to authenticate to the services like Microsoft SQL on 1433, FTP; we're capturing it. The incident stuff's on the top, and you can send it to any number of alerting endpoints: Slack, PagerDuty, email. It's rich data; you can then ship it to a SIEM, I'll talk more about it. But this is really helpful, and one thing I have to note, I have to show you another example, because the domain controller bird is so convincing that Thinkst doesn't recommend it, because it interacts with your environment, so it causes issues with Active Directory. That's how realistic it is.

Here's an example of Joomla. Joomla has been pwned all the time, so it's attractive on the internet, and if you stand it up with the generic flower site it looks real, and then you visit it, and in the process you're going to get a lot of useful information: the IP, the location, the user agent. Why this is helpful is you start to build a forensic trail. If any of you play video games and use Valve, they constantly gather data about hardware survey indexes. Why this is helpful is, like, I'm in Richmond; there's only so many Macs, and there's only so many people running Chrome on M1s. You start to see how you can shrink your pool, and this is just the start of things, right?

I wanted to also talk about the native integration that just happened with GreyNoise and how it's relevant to research honeypots. So traditionally, before Thinkst, a honeypot just sat on the internet listening for traffic, trying to figure out what the vibe of the day was. It wasn't particularly useful. You can configure a bird in that way, and it's a really helpful thing to use something like GreyNoise, because GreyNoise is a meta service: it looks at Shodan and RiskIQ and goes above and says, we know that's not important, we know Cloudflare is that, but what does matter? Targeted IPs, ones we don't know about. We want to filter it out, so you can take hundreds of thousands of IPs and deduplicate them and save so much time and get rich context. And then similarly you can use runZero; they go together like pretzel and beer cheese. So runZero is HD Moore's creation; he's the first person to figure out how to do asset discovery well, and the secret sauce is Go, it's fast. But what's cool with this integration, and I wrote a Tines story automation I'll tell you about, is you can take the Canarytoken IPs, map them to assets, and then you can figure out if these assets should be doing these things. If an asset's talking to Tor, that's probably not good, right? And so you can start to understand your assets, get context, and try to figure out what's happening. Now that's tasty.

All right, let's talk about tokens now. Let's start with recon (rest in peace, Chris Farley). So recon tokens, there's a few of them. One of them is a DNS token; that could be an external one or an internal one, and the idea here is we can create a token with a CNAME for something that sounds attractive, sso.bsidesmuni.org, whatever. And then internally this is great, because we can have a dark network segment, nothing on there, nobody should be poking around, so if they do a reverse lookup and they're trying to target it, it'll tell us that they're doing DNS enumeration. It's important to note you're going to get the IP not of your server but of the DNS server, but even from that it could determine I was using Cloudflare and Richmond, so right off the bat you have an idea just from this very simple token that can be deployed.

But there's an even better token, probably one of my favorites out there; it's called the slow redirect. The idea here is you have a site, right, and you can test this yourself, but you go to vpn.bsidesmuni.org; the CNAME actually redirects to your token, and it's so quick they don't realize it, and it sends them to the page. You gather so much information; this is just a snippet, but you'll get the JavaScript agent, the user agent, and it also builds a detailed profile of the geo activity. So this can help you understand: is this part of a larger threat context, is it sporadic; trying to understand what's the pattern here. And so it's really easy to deploy and it's fun. In fact, there's a lot of these QR codes that have been distributed; you probably found it's using a slow redirect. That was me. It says Wi-Fi blah blah blah; there's a lot of people that clicked on it, 'cause how can you not?

But anyway, there's another token that's really helpful: cloned websites. The idea here is you take a couple lines of JavaScript code, obfuscate it, put it on your pages. If somebody copies it and they redeploy it on a domain that isn't relevant, like thinkst.io (I bought that for them and transferred it, 'cause it was a highly valuable domain), when I do that it says, oh, someone's cloned it. Why this is valuable: well, it's probably a phishing campaign, and there's not a whole lot you can do in those cases, but what you can consider is your legal team sending a threatening letter to the registrar, cease and desist. But the important part is you know that it's even happening, 'cause how do you know otherwise that this is happening? You don't.

Let's talk about API. Bert Macklin's on it: Alert, Protect, Investigate. My favorite token of all: Amazon Web Services. Everyone wants the keys to the kingdom, and the reason being is 'cause if you get these keys you can take over AWS; everyone uses it. But we can en masse deploy fake keys in places that you wouldn't expect them. Susie in marketing has a set of keys, or Bob Jordan in finance, whatever. The point is, and adversaries make this mistake, they'll take the key off the machine, use it on their own machine, and de-anonymize themselves, because we're going to get information like the command they ran, their actual machine. It's not smart, but again, you're building a forensic trail. We can also continue along that path and get more bang for the bucket by using an AWS Simple Storage Service bucket. This is just a way to have raw storage; Amazon back in the day didn't actually care about security, so they just opted you into having your buckets exposed, so a lot of PII and sensitive data ended up on these. Why this token is great is it can blend in with everything, and just the mere fact of listing buckets will trigger this alert, and so it even tells you the command, the user agent; we know from this that it was the boto3 Linux CLI, the user, the IP. Again, building the forensic trail, starting to narrow down who this could be before they're even inside our network.

And then there's just a lot going on here. I like memes, so if you remember Pimp My Ride with Xzibit, he wanted to put a fish tank inside of a fish tank inside of his car. Similarly with Slack, you can drop a Slack token in a Slack space, and then you go back to MySpace. But the point here is, I see this all the time: there's Slack tokens in Slack or GitHub, and these tokens, legacy ones, had so many permissions; you could spoof messages from basically anyone to anyone, and they're not good, but they're all over the place. And so drop these in there: if a Slack account gets compromised and this is there, you're going to know pretty quickly someone's in your network.

And then there's a pretty recent token about k8s: K, eight letters, S, get it? Kubernetes. Kubernetes takes containers, which are a way to run applications agnostic of OS and so on, but you can do it with hundreds and thousands in an easy way, and so this is all enticing in a similar way to AWS, because you can use the kubeconfig file and put it on every machine, and so when they hit an endpoint it'll tell you the user agent, kubectl version, Linux arm64; again, more information just from a simple token. This is really great.

And then there's another one, if you guys remember the meme "I accidentally 93 lbs of mangoes"; I just think this is funny. So you can use an executable like whoami, netstat, something that wouldn't be executed on a Windows machine in a normal environment, like, again, Susie is running PowerShell or whatever, so you wrap the token in that and it fires an alert based off a registry key. So this is really helpful as well; you can do this to Linux binaries, it's really helpful.

Let's talk about your device itself, and here's some tokens that I recommend using on your mobile phone right now, 'cause they will help you. For example, there's a WireGuard VPN token. WireGuard is the new and improved OpenVPN; it's faster, uses Salsa, different algorithms, and you can drop a token on your phone with the idea that if your phone gets pwned, as has been done with Pegasus and other spyware, someone on that phone's going to try to interrogate your, enable your VPN. It's not actually valid, but doing so will trigger it. I've had like half a dozen people I know actually find out that their phone was pwned from this, 'cause otherwise how are you going to, unless you do detailed forensics, you just don't know. And so this is easy; you can do it now for free, canarytokens.org, I highly recommend it.

And this isn't a trap, but you can use QR codes. There's a lot of uses for this, not only just dropping fake Wi-Fi, because most people are going to push out Wi-Fi securely with Jamf or otherwise, but people snooping around are going to look for access. And so the best way to use these, though, that I came up with is you drop this in, like, a Duo enrollment code, MFA, whatever, in an email; you can do it with a Gmail token to every user and they don't even know, and so if an adversary is in there snooping around they're going to use it, and then boom, trigger, you capture this information. You can have it do whatever; you can Rickroll people, you can send them anywhere. This one in particular, I think, I don't remember what it does, but it's not a trap, I promise you that. If you look at this long enough you will hallucinate.

But let's talk about mind games. This is the point where adversaries are getting further along; they maybe know what they're doing, they may not know it, so time to mess with their head and get them to leave or consider a career choice. So database tokens, right, they're pretty new, and you can have them contain useless information but sound attractive, right? So just taking this SQL token and importing it, there's nothing there, a useless pile of nothing, but you could put tokens in here, so you could wrap tokens inside of tokens and build this layer of deception, which is really helpful, and as a result you also get an alert. There's a lot of potential there and I recommend it.

Then you can start to get into docs, and Conspiracy Keanu had a point: what if conspiracy theories are actually conspiracy realities? Some are, right? Operation MKUltra, Northwoods. The whole idea here is you make something sound compelling and then you drop a truth bomb on them, because at that point you're just messing with them, right? And maybe they make a career choice, maybe they learn about post-scarcity economics and the failure of the legacy banking system; maybe they stop being petty scumbags and leave. That's the hope, right? And you can also do this with Google Sheets. Any D.B. Cooper fans out there? The only successful skyjacking to this day; may be alive, may not, they closed the case in 2016. But why not use a spreadsheet that sounds good and drop a bunch of information; maybe this person learns about D.B. Cooper, becomes another D.B. Cooper, no, that's not going to be good, but maybe they want to follow up on this, this is their new passion, and they make the reward better than making money off exploiting people and companies. That's what I say.

Now, Tines: put it all together. Tines is a security orchestration, automation and response platform. They have a really good premium service, great team out of Dublin. I wrote this story to pull together a lot of different things like I talked about: getting Canary, creating runZero. All this is made really simple in Tines; you could do it yourself, but you're going to have to get it all janky and write your own Python. This allows you to put events together using their API and different triggers, and so this particular story is in their library, but it does all the stuff: runZero, GreyNoise, and it's only going to take stuff that matters. It's available and I have a link to it. So I love Tines.

And then there's another service called LimaCharlie. This is like a security automation platform that's really helpful, because you can send all these Canary alerts and build a forensic timeline. It's not quite a SIEM, but it does SIEM-like things, and it's really helpful. They have another generous tier here; their founder Christopher Luft is a great dude, and he created this token specifically because it's important to know Canary isn't just the panacea for everything; it's for real-time breach detection. You still need preventative controls, you still need forensics. A SIEM is really great at historical analysis; it's really terrible at real-time discovery, that's why we need this, right? But you need those in conjunction to actually do the analysis. I highly recommend it, it's great.

And now I want to just show you a way and scenario of looping this together, what I call Deception Inception, seven-layer dip, or seven layers. Here's a scenario: bad guy pops a server, a web server, right? Maybe it's a bird, maybe it's not, but on it you've got a bunch of tokens. You have netstat wrapped in a token; it fires an alert to the SIEM (get it? 'cause SIEM, I'm funny). Then maybe nmap is also wrapped, and they happen to find a Windows host on 445, that's convenient, with a document with AWS keys to an S3 bucket, so you hit all these tokens, and as a result you're going to have a pretty good idea of who this person is. This is what happens. I always tell the story about why I believe in this one: I've seen multiple companies not make headlines because some token saved the day. I've seen pen testers from various organizations come in and trip on a token after minutes and fail and continue. IBM's X-Force has an engagement that lasts three weeks; they write a report that's 70 pages. I'm writing a report on everything they're doing that's 94 pages, quite to their dismay. They felt pretty stupid, 'cause they thought they pwned the environment and it wasn't even a real environment. So you can have fun with this, and there is no limit to what you can do other than your creativity. I think that's why I love this so much: it allows us to be creative and technical in our approach when we want to figure out how do we protect our companies better, how do we in real time actually know when a breach is happening, not 212 days in the future when it's too late. We want to know then and now, so that we can get on top of it and stop the bleeding, 'cause we're not in a good place, so we need a new approach. This is my attempt to present something that I think is useful, and I believe a lot in it, and it's why I go and give these talks; I travel across the world 'cause I believe in it, 'cause it works, and it's awesome. So I flew through that, but I just wanted to now open up for questions. How am I doing on time? All right, cool, awesome. Questions? Awesome timing, I said 4:28, I did it, we're on pretty good. Any questions? Anybody want questions?

Audience: Test, test. Well, thank you for the great talk. I think this is the way to go and we need to do more of this, definitely. A question: is there any best practice or deployment patterns for honeytokens? Like, for example, is it easy to determine how to put enough of them to be able to build a timeline with the tool set, but not too many that they actually get in the way of doing actual work, because every second file is a...

Speaker: A great question. So Thinkst talks about some of their customers with hundreds of thousands of tokens, and the whole point is, in an ideal world you maybe get an alert a year. Early on you're going to get tons of alerts as you experiment, but you can never put enough high-fidelity signals in a place. You do have the concern of people tripping over them inadvertently, but maybe they're an insider threat, and so the whole point is you can look at the pattern of tokens: maybe it starts out that they hit a Google Doc, but then all of a sudden they look in AWS keys, right? So it's a balance of discretion; you can only tell certain people this exists, even within the environment, and that's also why I don't talk about who's using it, 'cause I don't want to paint a target on their back. But you also need to tell enough people, but not too many, 'cause then the jig is up. So I just have to say, deploy them where it makes sense. If you get a lot of noise early on, probably turn it off or use it as research. So I have a slow redirect token and the QR that I just used, used to see who hits it, and hundreds of people hit it all the time, but that's not what is important. And so they have this idea of flocks where you can segment important alerts versus noisy alerts; there's a lot of granularity. But good question. Any more questions?

Audience: Thank you so much for the talk. It does sound sometimes that these canaries, what you're putting in, is a bit of manual work. So how do you keep track of all these canaries, how do you keep everything in one place, so that you know, even if it takes years or months until someone trips into that canary? That does sound also a bit complicated.

Speaker: It's important, one, to have good memos with these tokens, but also to leverage IaC. So there's a lot of really useful things in canary-utils; I've contributed a few, like there's Terraform for deploying an EC2 bird or deploying AWS tokens. And they make the point: use a good memo. Don't say "test token"; say "this is a token at this particular time," so that you actually know, when it's tripped over, what its relevance is. So that's important, but leveraging your tools, your Ansible, trying to avoid menial work, like leveraging Tines, because it's always going to be the token years down the road that saves you, and you need to know its relevance. So know what the token is, give it a good description, and try to rely on your normal automation in the way that you should hopefully deploy things securely, in an automated workflow. So that's my recommendation.

Moderator: We're at time. Same question as before, any questions? We have time for one.

Audience: Yeah, thank you for the presentation. I think the active defense, or the deception technologies, are very important, especially if you consider alert fatigue. I have a question on the other side: so how can someone detect that something is a honeytoken, for example from a red team's perspective?

Speaker: That's a good social engineering attempt, no? Right, you tell me. No, so the thing is, Haroon and his team, they used to be red teamers, and so they understand this; they have to design something so compelling that it would force themselves. And the idea is you put something that's so valuable, like an AWS token, if recovered it has to be used; no one who's a good pentester is just going to look at it and not use it. So the idea is you've got to think from the adversary's perspective. And this is a good question; it's a cat-and-mouse game. If all of a sudden adversaries start to see a pattern and there's tokens, you have to shift gears, and that's what you do, nothing. The whole idea is, adversaries think in graphs, defenders think in lists, and until that changes, adversaries win. So you can't expect that this is going to work forever, and you have to adopt new methods and keep on top of it. But good question, and I would love to know red teamer experiences; I haven't heard too many successful attempts in a heavily tokened environment, but I'd like to be surprised. Good question.

Moderator: Cool, so for any further questions, I guess after the talk...

Speaker: Yeah, oh yep, I'll be around, speaker event, let's chat. I love this stuff. Cool, thank you very much again; thanks so much everyone.
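The talk's "Deception Inception" scenario (netstat wrapper, then nmap wrapper, then AWS key and S3 bucket tokens) and the Q&A point about reading the pattern of token hits rather than single noisy hits can be turned into triage logic. The following is an added example, not code from the talk, Thinkst, Tines or LimaCharlie; the alert feed, its field names (ts, src, token, memo) and the stage ladder are assumptions constructed for illustration.

```python
"""Build a per-source forensic timeline from canary-token alerts and flag
sources whose hits escalate across token kinds within a time window."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Assumed stage ladder: how far along an intruder is when a token kind fires.
# 1 = recon / noisy, 2 = code execution on a host, 3 = credential use.
STAGE = {
    "slow-redirect": 1, "dns": 1, "qr": 1,
    "exe-netstat": 2, "exe-nmap": 2,
    "aws-key": 3, "s3-bucket": 3, "kubeconfig": 3, "slack": 3,
}

# Constructed sample feed (not a real Canary alert schema). 10.0.5.23 walks the
# scenario from the talk; 203.0.113.9 is the noisy QR / slow-redirect traffic
# the Q&A mentions; 10.0.8.4 is a lone hit. Memos follow the "good memo" advice.
SAMPLE_FEED = json.dumps([
    {"ts": "2024-03-01T10:00:00", "src": "203.0.113.9", "token": "slow-redirect", "memo": "wifi QR poster, lobby, 2024-02"},
    {"ts": "2024-03-01T10:05:00", "src": "203.0.113.9", "token": "slow-redirect", "memo": "wifi QR poster, lobby, 2024-02"},
    {"ts": "2024-03-01T11:00:00", "src": "10.0.5.23", "token": "exe-netstat", "memo": "netstat wrapper on web01, 2024-02"},
    {"ts": "2024-03-01T11:07:00", "src": "10.0.5.23", "token": "exe-nmap", "memo": "nmap wrapper on web01, 2024-02"},
    {"ts": "2024-03-01T11:40:00", "src": "10.0.5.23", "token": "aws-key", "memo": "fake AWS key in finance share doc"},
    {"ts": "2024-03-01T11:41:00", "src": "10.0.5.23", "token": "s3-bucket", "memo": "fake S3 bucket, listed via boto3"},
    {"ts": "2024-03-02T09:00:00", "src": "10.0.8.4", "token": "slow-redirect", "memo": "vpn CNAME token, external"},
])


@dataclass(frozen=True)
class Hit:
    ts: datetime
    src: str
    token: str
    memo: str


def parse_feed(raw: str) -> list[Hit]:
    """Parse the assumed JSON alert feed into Hit records, oldest first."""
    hits = [Hit(datetime.fromisoformat(a["ts"]), a["src"], a["token"], a["memo"])
            for a in json.loads(raw)]
    return sorted(hits, key=lambda h: h.ts)


def timelines(hits: list[Hit]) -> dict[str, list[Hit]]:
    """Group hits by source so each intruder gets its own forensic trail."""
    by_src: dict[str, list[Hit]] = defaultdict(list)
    for h in hits:
        by_src[h.src].append(h)
    return dict(by_src)


def escalating_sources(hits: list[Hit], window_hours: float = 2.0) -> dict[str, list[str]]:
    """Return {src: [token kinds in order]} for sources that, within the window,
    touch distinct token kinds at two or more different stages. Repeated hits on
    one noisy token (the QR poster) never qualify, so alert volume stays low."""
    window = timedelta(hours=window_hours)
    flagged: dict[str, list[str]] = {}
    for src, trail in timelines(hits).items():
        for i, first in enumerate(trail):
            chain = [first.token]
            for later in trail[i + 1:]:
                if later.ts - first.ts > window:
                    break  # outside the correlation window; start a new chain
                # Only extend the chain with new token kinds at the same or a higher stage
                if later.token not in chain and STAGE.get(later.token, 0) >= STAGE.get(chain[-1], 0):
                    chain.append(later.token)
            if len({STAGE.get(t, 0) for t in chain}) >= 2:
                flagged[src] = chain
                break
    return flagged


if __name__ == "__main__":
    for src, chain in escalating_sources(parse_feed(SAMPLE_FEED)).items():
        print(f"escalation from {src}: {' -> '.join(chain)}")
```

Shrinking the window shows the trade-off from the Q&A: with a few minutes of correlation the same source no longer stands out, while a long window risks chaining unrelated inadvertent trips.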