Presented at
BSidesLV 2019,
Aug. 7, 2019, 5:30 p.m.
(25 minutes).
Canary tokens are not a new idea, but are woefully underused. In this talk I will outline particular use cases and techniques to get more mileage out of the base concept. Rather than just a simple tripwire with limited environments it can be set in, we'll cover how you can bait these canaries to provide additional context, such as the attackers IP or useragent, which victims visit a phishing page, or the accounts used in exfiltration. Depending on the context, you could even replace creds attackers are trying to phish for without the attackers attackers knowledge, or expand the beacon into something more C&C.
The implementations I will cover include a stealthy JS-based payload designed to trigger when ran outside it's normal domain, a G-suite payload, as well as PDF/DOCX bait files. Additionally, explanations of how you can use various communication channels such as DNS to expand the reliability and stealthiness. For the DNS channels, a quick coverage of the necessary constraints you need to be aware of will be included, such as allowable character sets, subdomain lengths, # of subdomains, and multipacket stitching for longer messages.
Presenters:
-
Gregory Caswell
Greg Caswell is an engineer at heart who enjoys helping make software systems slightly less terrible. For the past five years he has been building and managing an application security team at Indeed, responsible for teaching security concepts to developers, assessing the security of 1000's of applications, triaging bug bounty submissions, and automating as much as they can in the process. He holds degrees in electrical and computer engineering. Outside of security, he enjoys bee-keeping, aquaponics, and cooking.
Links:
Similar Presentations: