Detecting the bad guys through deception
Recently, I've been digging into honeypots after finishing Chris Sanders' new book Intrusion Detection Honeypots: Detection through Deception (a book which I HIGHLY recommend, by the way), and I thought I'd post a quick how-to guide on deploying one of my favorite open source honeypots from the founders of Thinkst Canary. I am a huge fan of these as they are free, provide high fidelity detection of malicious activity, and are dead simple to deploy.
What are Honeypots?
I find Wikipedia sums it up fairly well:
In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site that seems to contain information or a resource of value to attackers, but actually, is isolated and monitored and enables blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as "baiting" a suspect.
In English - it's something that is meant to trick cyber criminals into interacting with it. Once they interact with it, an alert is generated.
With this in mind, we'll want to try and deploy our honeypots in a way that will be attractive to attackers.
Step 0: Planning
As with all things security, you should have a use case or reason for what it is that you're doing. My specific use case was to identify if an unauthorized user was attempting to view/access sensitive data contained in a folder on a Windows server.
One way I could do this for free, and in a way that only takes a few minutes to set up, was through the use of a honeypot. Canarytokens offers a free and easy-to-deploy fake Windows folder that, should someone open it, will trigger an email alert.
Step 1: Creating the Token
Navigate to https://canarytokens.org/generate and fill out the form as seen below. Be sure to put a helpful note so that you can remember where the token was deployed, especially if deploying multiple tokens.
Step 2: Download and Unzip the .zip File
Next, press Download your Zip file and extract it into your existing folder. This will drop a folder entitled My Documents which contains the file desktop.ini.
This .ini file is what triggers the alert in question. How does this work? From the documentation:
Dropping a desktop.ini file in a folder allows Explorer to set a custom icon for a file. Since this icon can reside on a remote server (via a UNC path), using DNS we can effectively make use of a token as our iconfile.
If you're concerned about what data is sent to Thinkst Canary (canarytokens.org), here are the contents of the .ini file:
[.ShellClassInfo]
IconResource=\\%USERNAME%.%COMPUTERNAME%.%USERDOMAIN%.INI.randomly-generated-token-id.canarytokens.com\resource.dll
In English this means the following is sent:
- The username of the user opening the directory containing the desktop.ini file
- The hostname of the system opening the directory containing the desktop.ini file
- The name of your organization's domain
- The source IP of the referring DNS server, and typically NOT of the user that has opened the directory containing the desktop.ini file. (Because this token utilizes DNS to trigger, it is only able to gather the source IP of the system querying the nameserver for canarytokens.org. This should be kept in mind when looking at the source IP included in the canary alert.)
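To make the mapping from the IconResource UNC path to the alert fields concrete, here is an added Python example (my own illustration, not code from Canarytokens or Thinkst) that renders the desktop.ini body for a token id and then parses constructed DNS query log lines the way the token's nameserver would, keeping the source IP labelled as the resolver's rather than the user's. The token id, hostnames, IPs and log line format are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
TOKEN_ID = "randomly-generated-token-id"  # constructed placeholder, not a real token id
TOKEN_ZONE = "canarytokens.com"

def build_desktop_ini(token_id: str, zone: str = TOKEN_ZONE) -> str:
    """Render the desktop.ini body from the post; Explorer expands the %VARS% into DNS labels."""
    host = f"%USERNAME%.%COMPUTERNAME%.%USERDOMAIN%.INI.{token_id}.{zone}"
    return f"[.ShellClassInfo]\r\nIconResource=\\\\{host}\\resource.dll\r\n"

@dataclass
class TokenHit:
    username: str
    hostname: str
    domain: str
    token_id: str
    resolver_ip: str  # the DNS server that asked us, NOT the user's workstation

# Label order in the query name: <user>.<host>.<domain>.INI.<token>.<zone>
QNAME_RE = re.compile(
    r"^(?P<user>[^.]+)\.(?P<host>[^.]+)\.(?P<domain>[^.]+)\.INI\.(?P<token>[^.]+)\."
    + re.escape(TOKEN_ZONE) + r"\.?$",
    re.IGNORECASE,
)

def parse_token_query(qname: str, source_ip: str) -> Optional[TokenHit]:
    """Map one query name to alert fields; None when it is not a token lookup."""
    m = QNAME_RE.match(qname)
    if not m:
        return None
    return TokenHit(m["user"], m["host"], m["domain"], m["token"], source_ip)

def hits_from_log(lines: List[str]) -> List[TokenHit]:
    """Constructed log format: '<timestamp> <source_ip> <qname> <qtype>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        hit = parse_token_query(parts[2], parts[1])
        if hit:
            hits.append(hit)
    return hits

# Constructed sample nameserver log: one token hit (seen via a resolver), one unrelated query.
SAMPLE_LOG = [
    "2024-05-01T09:14:02Z 203.0.113.53 alice.WKS01.CORP.INI.randomly-generated-token-id.canarytokens.com A",
    "2024-05-01T09:14:05Z 198.51.100.9 www.canarytokens.com A",
]
```

Running hits_from_log(SAMPLE_LOG) yields a single hit for alice on WKS01 in CORP, with 203.0.113.53 as the resolver address, which is exactly why the IP in a real alert should be treated as the DNS server's rather than the opener's.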
Step 3: Deploy the Honeypot!
Place the desktop.ini file in any folder that you wish to be alerted on and that's it! Anytime any user opens the folder that contains the desktop.ini file, you'll receive an email alert for you to start your investigation, as seen below:
And if you click through to More info on this token, it'll take you to a dashboard that will show you a history of activity for the token in question:
Conclusion
Honeypots are great and are definitely something that organizations should work to incorporate within their environment as an easy, high fidelity way to detect even the most advanced attackers.
Find a technical error in a blog post?
Contact me on Twitter @signalblur