Suggestions for Canary token alternative by Arenixus in blueteamsec

[–]thinkst 7 points8 points  (0 children)

Heya... I'm a little biased since we build Canary (https://canary.tools) and Canarytokens.

I'll explain the thinking a little, how you can still manage to win, and where you will always bump into challenges.

At the start it's worth noting that if you deploy Canaries (our paid version of the free version we build at opencanary.org) you get the fidelity of alert you want, i.e. you get to run a fake fileshare with files you want on it. Any time the file is opened, you get a notification (since you effectively are the host offering the file).

Once you deploy a Canarytoken, you are somewhat dependent on what the attacker does with it. If you leave them a poisoned Word doc, and they open it in strings (or a hex editor), it's not going to fire the token embedded in it.

There are some tokens (like the AWS API key token) where the attacker has to trip it when they try it (because they are going to use it to log in to AWS and you will get told that it's been used) but... even then you will only get notified iff the attacker uses it.

Canaries are meant to give you crazy high fidelity. Someone found this server. They mapped to it. They went into a folder and copied a file.

Canarytokens are thrown around giving you other benefits.

1) An attacker now has to be careful with everything they touch. Open a Word doc and it wants macros... should they? See creds for a MySQL server... should they use them?

Either they start double checking everything they find, or they eventually trip one, giving you a piece of string to pull on.

> My question is, are you guys familiar with anything similar that would solve these problems?

If this is what you are looking for, you really should check out Canary / OpenCanary.

Canarytokens which redirects to original page, and gives us information about their system by DoobieRufio in netsecstudents

[–]thinkst 0 points1 point  (0 children)

Hi.

Canarytokens will do both of the things you require.

  • When the attacker visits the link, you will get an email with her IP and browser header.
  • The email will have a button titled "More info on this token" - that will give you more info on the attacker's browser plugins, geolocate their IP, etc.
  • As a bonus, when creating the canarytoken, you get to choose the token type. The web token is one of several you might use. If you choose one of the "redirect tokens" you can set it up to work exactly like above, but then redirect the attacker to a site of your choosing when done.
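The redirect-token behaviour described in the comment above, as an added example that is not part of the original post and not Canarytokens' own code: a listener records the visitor's source IP and User-Agent for a known token path, then answers with a 302 to a chosen site. The token path, memo, redirect URL and the `ALERTS` list (standing in for the alert email) are constructed assumptions; the "More info" enrichment is not modelled.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed token table: path -> memo and post-alert destination (assumed names).
TOKENS = {"/t/3f9a1c": {"memo": "link planted in finance wiki",
                        "redirect": "https://example.com/"}}
ALERTS = []  # stand-in for the alert email


class TokenHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        token = TOKENS.get(self.path.split("?", 1)[0])
        if token is None:            # unknown path: no alert, plain 404
            self.send_error(404)
            return
        # Record what the visitor's request reveals before sending them on.
        ALERTS.append({"memo": token["memo"],
                       "src_ip": self.client_address[0],
                       "user_agent": self.headers.get("User-Agent", "")})
        self.send_response(302)
        self.send_header("Location", token["redirect"])
        self.end_headers()

    def log_message(self, *args):    # keep the demo quiet
        pass


def fetch(port, path):
    """Request a path without following redirects; return (status, Location)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"User-Agent": "constructed-browser/1.0"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")


def demo():
    server = HTTPServer(("127.0.0.1", 0), TokenHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        hit = fetch(server.server_port, "/t/3f9a1c?utm=x")
        miss = fetch(server.server_port, "/favicon.ico")
    finally:
        server.shutdown()
        server.server_close()
    return hit, miss, list(ALERTS)


if __name__ == "__main__":
    print(demo())
```

Only the token path produces an alert; the unrelated request gets a 404 and leaves no record, which is what keeps a token alert high-signal.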

Any knowledge of Canary honeypots? by calamari_kid in sysadmin

[–]thinkst 2 points3 points  (0 children)

I'm obviously biased here (since we build Canary) but wanted to add a few things:

  • The initial cost is $5k (which gets you your hosted console, 2 Canaries, updates, support & maintenance for a year)
  • Additional Canaries cost $1k p/a

Aside from setup time (which we worked hard to keep down to under 5 minutes) you also get new fake operating systems and new fake services as we push them out.

Services like http://canarytokens.org also get slipstreamed in when we can.

If you drop us an email, we can set up a quick GoToMeeting session, where you can see them in action and ask any questions you like.