Posts

RDP, cmdkey, Canary (and thee)

Last month Florian Roth (cyb3rops) reacted to the news of Mimikatz dumping RDP credentials by asking how we could easily inject fake credentials into machines. https://twitter.com/cyb3rops/status/1397440903476883458 Markus Neis pointed out that on Windows, cmdkey allows you to do this: https://twitter.com/markus_neis/status/1397472760859856897 This is pretty awesome. Mimikatz is used by attackers the world over, and having control of the data a Mimikatzer will see is a powerful tool to have. One route to looking for Mimikatz usage is injecting false credentials into lsass and watching for their usage in Active Directory, but tracking that credential usage will require some work on your domain controllers (or your SIEM). With the RDP service back on version 3 Canaries, we can use cmdkey to point attackers at our Canaries, and not have to worry about Active Directory integration. Let’s start by setting up a Canary as a Windows Server (called \\02-FINANCE-02 ). This will take all of 1 minut

Would you know if your phone was hacked?

Would you know if your phone was hacked? Even the most powerful people in the world (if you use wealth as a proxy for power) don’t. The problem is that, much like your networks, there are an almost unlimited number of ways for attackers to break into them, so this problem seems intractable at first blush. But (just like when they break into your networks) attackers who break into your phones are looking to achieve certain objectives, and you can use these objectives to reliably detect them. Today we released our new version of Canary, and with it, customers also get the shiny new WireGuard Canarytoken appearing on their consoles. What’s a WireGuard? WireGuard is the incredible VPN built by Jason Donenfeld. We love it. We use it. People smarter than us think you should too. What’s a WireGuard Canarytoken? Once a serious attacker gets onto your device, they have a certain set of objectives. Grab salacious data; Grab access to other services; Ensure repeat access or spread their compro

We bootstrapped to $11 million in ARR

This year Thinkst Canary crossed the line to $11M in ARR. That number is reasonably significant in the startup world, where Lemkin refers to it as “initial scale”. For us, it’s a happy reminder of Canary's spread into the market. $11M ARR certainly isn’t our end goal, but it provides the fuel for us to keep building the company we want to work at. We got here without raising a dime in capital, shipping a hardware/SaaS hybrid, sitting way outside Silicon Valley. That’s different enough from many startups that we figured it was worth a post with some thoughts on how we got here¹. Bootstrapping To be clear, we’re not anti-VC. From the beginning though, we wanted to try bootstrapping. In the past we’ve spoken on how founder ego can nudge you towards building VC-backed companies (and why you might not need to), but that’s less focused on VCs and more aimed at founders. (Bootstrapping, ego, and the path less travelled: 13m48s) Launch Canary launched in mid-2015, after we worked on i

On SolarWinds, Supply Chains and Enterprise Networks

The recent SolarWinds incident has managed to grab headlines outside of our security ecosystem. The many (many) headlines and column inches dedicated to the event are testament to the security worries that continue to reverberate around the globe. But we think that most of these articles have buried the lede. Most discussions take the position that our enterprises are horribly exposed because of supply chain issues and that any network running SolarWinds should consider itself compromised. We think it's actually more dire than that (and suspect it's going to get worse). Let us lay out the case for why SolarWinds should concern you even if their tools are nowhere near your networks. It’s easy to whip up a think-piece in the wake of a public security incident, especially as a vendor. The multitude of vendor mails riding the SolarWinds incident are overflowing our inboxes. But even a stopped clock is right twice a day, and this is one of those times. An abstracted, low res

Hackweek 2020

Because we can One of our great pleasures and privileges at Thinkst is that every year we set aside a full week for pure hacking/building. The goals for our "Hackweek" are straightforward: build stuff while learning new things. Last week was the 2020 Hackweek work-from-home edition, and this post is a report on how it went. Now in its fourth year, our Hackweek has come to serve as a kind of capstone to our year, and folks start thinking about their projects months in advance. The previous editions produced some truly awesome projects, and topping them was a serious challenge. Without question, this has been our finest so far. We run Hackweek for multiple reasons. We're a company of tinkerers and builders, and dedicating time towards scratching that itch just feels right to us. Of course, there are sometimes downstream benefits to Thinkst, either in terms of the projects folks worked on, or skills they've picked up. (Replacing our Redmine with Phab