Showing posts from September, 2021

Good attacks make good detections make good attacks make..

(The making of a MySQL Canarytoken)

tl;dr

Consider this scenario: An industrious attacker lands on one of your servers and finds a 5MB MySQL dump file (say, called prod_primary.dump). What do they do next? Typically, they would load this dump-file into a temporary database to rummage through the data. As soon as they do, you get an email/SMS/alert letting you know:

Eds note: You can create and deploy these by visiting (completely free; no registration needed)

There are obvious benefits to these sorts of booby-traps, but some rise above the rest:

They can be deployed in seconds;
They aren't prone to high false-positives;
An attacker who suspects you are using these is no better off for knowing this (if nothing else, they now have to second-guess everything they touch);
It's such a pure illustration of attack-minded defense.

In this post I'm going to write about the process of discovering and building our new MySQL dump-file token.

It Begins...

While working