Baited Canaries - Monitoring attackers with active beacons

BSidesLV 2019

Presented by: Gregory Caswell
Date: Wednesday August 07, 2019
Time: 17:30 - 17:55
Location: Proving Ground

Canary tokens are not a new idea, but are woefully underused. In this talk I will outline particular use cases and techniques to get more mileage out of the base concept. Rather than just a simple tripwire with limited environments it can be set in, we’ll cover how you can bait these canaries to provide additional context, such as the attackers IP or useragent, which victims visit a phishing page, or the accounts used in exfiltration. Depending on the context, you could even replace creds attackers are trying to phish for without the attackers attackers knowledge, or expand the beacon into something more C&C.

The implementations I will cover include a stealthy JS-based payload designed to trigger when ran outside it’s normal domain, a G-suite payload, as well as PDF/DOCX bait files. Additionally, explanations of how you can use various communication channels such as DNS to expand the reliability and stealthiness. For the DNS channels, a quick coverage of the necessary constraints you need to be aware of will be included, such as allowable character sets, subdomain lengths, # of subdomains, and multipacket stitching for longer messages.

Gregory Caswell

Greg Caswell is an engineer at heart who enjoys helping make software systems slightly less terrible. For the past five years he has been building and managing an application security team at Indeed, responsible for teaching security concepts to developers, assessing the security of 1000’s of applications, triaging bug bounty submissions, and automating as much as they can in the process. He holds degrees in electrical and computer engineering. Outside of security, he enjoys bee-keeping, aquaponics, and cooking.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats