At Thinkst Canary, we make the world’s easiest to deploy and manage honeypots. The high-level architecture for each customer is a web-based management dashboard (called the Console), plus the honeypots that the customer has deployed into their networks. We run the dashboard, customers run the honeypots. Our Console fleet is thousands of machines at this time, and this blogpost describes how we recently upgraded our fleet without any customer-noticeable downtime. Background: Canary Consoles Customers manage their honeypots, configure alerting, and …
Blog Posts
A file share is pretty irresistible to an attacker. Check how Canaries can detect these attacks and alert you to them. …
Any Thinksters who have been in physical or virtual proximity to me over the last year have likely suffered at least one whinge session about “the Glorifier”. The especially fortunate have suffered several. I’m relieved to say that, at long last, the whinges are over. In this post, I’m going to walk through the travails of producing the Glorifier mostly as a cathartic exercise but extracting a few lessons from the experience. Our story is told in seven parts: Let’s …
This post focuses on the most recent DFIR Report, IcedID to Dagon Locker Ransomware in 29 Days. …
We are releasing two new versions of the token which alert you when an attacker is using an AitM attack against one of your sites. …
Recently friend-of-Thinkst (and CTO of NCSC) Ollie Whitehouse tweeted this interesting tidbit: We’re always looking for new types of Canarytokens, so it would be cool if we used this method to create video file Canarytokens. Quick background explainer We build Canaries that act as entire machines, require almost no configuration and boot as various Operating Systems. The logic is that it takes you less than a minute to set it up, and when an attacker lands on your network, they …
You can do complex things with Canaries but you don’t need to. Even basic configurations can catch attackers off guard. …
tl;dr: You can now create breadcrumbs to lure attackers to your Canaries with just a few clicks. Canaries and (their) Discoverability Our thesis with Canary has always been simple: Attackers who land in your infrastructure need to situate themselves and they do this by looking around. They run commands and touch systems that regular users never need to. By being selective about which services Canaries offer we can find the sweet-spot of services that are super-trivial to deploy, super likely …
Attackers on your network love finding stray credentials. They are an easy way to elevate privileges and are often one of the first things attackers look for during post-exploitation. There’s no shortage of places where these credentials can be found and, surprisingly, there’s very little downside to attackers trying them… …unless there’s a way to drop decoy credentials. This isn’t a new idea, but it usually requires heavy tooling and configuration. Our newest AD tokens allow you to create fake …
Our Cloned Website Token has been available for a long time now, both on our public Canarytokens.org site as well as for our Canary customers. It’s helped users all over the world detect attacks early in the process. We wanted to take a moment and go over some of the details of this token: how it works, how to create and use one, and critically, how it fares against the new “Adversary-in-the-Middle” (AitM) generation of phishing attacks. The cloned website token …
