Learn Cyber Deception!
Key Takeaways
The video covers cyber deception techniques and tools, including the use of canary tokens, decoy files, and AI-generated traps to detect and deceive attackers. It also discusses the importance of early detection and the role of cyber deception in cybersecurity.
Full Transcript
Learn cyber security and focus technical training with just hacking.com, where all-star instructors and industry experts provide hands-on, affordable, and practical learning across courses, free upskill challenges, hackalong training videos, and capture the flag competitions. There's always something to hack with new content twice a month all throughout the year. plus bimonthly live streams. You can sharpen your skills in our ondemand and interactive lab environments. Advance your career and level up regardless of your experience or budget. Forget all the noise and get to just hacking. Sign up now at just hacking.com. Hello everybody. Welcome, welcome back. Welcome to another just hacking training live stream. Hey, super sweet to be hanging out with you all. Happy Friday, happy weekend coming up quick and goodness gracious, happy holidays. Merry Christmas, happy new year everybody tuning in. I really hope that you're taking some time to wind down, get a chance to relax, take it easy. I'm hoping that all the obligations and deadlines and deliverables are at least starting to slow down. Uh they are for me and I'm super grateful for that. But look, we have quite a show for you today. Uh super special guest, Adrien Sinabria. Uh, we'll be diving into some cyber deception. I think he's got some sweet demos, a couple little magic tricks, some fireworks to set off. So, we'll have some fun with that. But, if you don't mind, please do bear with me for the usual run of show. Uh, where I get just a little bit of time, like I 10 minutes, I don't know, maybe 15 if I keep rambling and yapping like I tend to. Um, but let me go through all of the announcements. The spiel, you know, the voice in the back of my head. uh backstage production in my ear that tells me, John, these are the things that you got to say. Don't forget, these are our notes, the stuff that we want to spread the word for. But honestly, it's a cool celebration of all the awesome stuff that we have been up to. You know, one of the wildest things is that this is our last like just hacking training live stream for this year for 2025 because we're cruising into 2026, but my goodness, this has been a pretty awesome year. We got just hacking training up and running. Uh we got some rocket fuel poured onto this thing. We got a jetpack cruising and I think that we're having a lot of fun. We've done 27 of these live streams, almost 30 where it's just us hanging out, bantering, sharing some sweet education, some cyber security education material, lessons, courseware, curriculum, training. I hope it has been some really sweet accessible, approachable, hands-on and practical stuff. But with that, just hacking training itself, you know, like the platform has 80 items on the shelf. We we have 80 things in the catalog between the courses, between the hackalong trainings, between all of our upscale challenges that are totally free. Anyone can dive in. They're small bite-sized digestible things and some of the sweet capture the flag archives. Um, there's actually been a really cool little uh new improvements, new uh developments for the CTF efforts. So, when we pull in what was Huntress CTF 2025, I think we'll get a lot more awesome capability and I'm hoping we're going to do maybe a little bit more CTF for 2026. Uh, so 2026 is going to be great is all I'm saying. It's going to be a wild ride. So, I hope you hang with us. I hope you continue the journey with all the things that we're up to. But, let me get to the real stuff. Let me go ahead and screen share and then I can cruise through this. I promise I'll do my darnest so I'm not rambling for too long because you're not here for me. You're here for Adrian and some cyberdeception stuff. Let me go through the spiel super quick. Here I am online atjustthacking.com. But we've got some super cool stuff for you. It is the holiday season after all. We didn't want to do just Cyber Monday after Black Friday and those kind of discount deals. We thought it would be sweet to let it ride, let it keep cruising, and do an awesome Cyber December. So, there is a cool little discount code for you. Cyber25 gets 25% all of our courses until the very end of the year, midnight Eastern time, December 31. That does exclude bundles and the name your price items. Granted, the name your price items, you name your price, you pay what you can, you pay what you want. Hopefully, that's still relatively accessible for you. And uh the bundles are oftentimes already pretty well discounted because you can get more with that. But with that, I do want to note some of the cool stuff that we are cooking up because I wanted to give you a gift, a present, real Christmas spirit and cheer. Hey, we've been able to share, scream and shout about this in the newsletter and it's actually been a really awesome sweet success. I think we've seen about 500 folks dive in to Michelle Khan and his course for OPSSEAC or operational security privacy for you privacy for security professionals. And gosh darn it, we made it free. Free till the end of the year. It expires uh midnight December 31st again. But uh I do hope that you dive in. I do hope that you play with that cuz that is some super cool practical stuff to protect you to protect yourself and when you're doing operational security opsec then you can do a little bit more of the sweet investigation some stuff with OSENT or open source intelligence and you all know Michelle he's phenomenal he's incredible he's a wizard he's been here with us for a lot of these different live streams we see him all the time at events and conferences but I am stoked to help spread the holiday cheer and uh give you all a gift to make that course free I hope you dive I think there'll be some links flying around in chat. But with that, I am already 6 minutes in. Burned my time of our sweet little celebrations and announcements here. So, let me keep us cruising. I also wanted to highlight some of the other cool things that are accessible here for us. The courses and paths just that page. You might know that I love our constructing defense course. Uh constructing defense is the giant ginormous behemoth massive course in curriculum that really makes the blue team aspect like cyber security defense cyber uh back and forth testing different attacks a little bit of purple teaming because then you can write your own detectors. You can check this out in a seam solution work through maybe alerts that you might see similar inside of a sock or security operation center environment. Uh, I would love if you would be willing to snag that at the low low price that it's available at right now because 2026 is coming around. And you might notice h this has a sly little title of cyber or constructing defense 2025. There will be a new release and a new update for 2026, but all of y'all that have it already will get a free upgrade to the 2026 edition. That will include some of the sweet new capability um that Anton, the genius uh developer and mastermind behind that course has been cooking up with some of the AI magic. I know he's been uh loving a lot of the MCP or model control model context protocol servers to make even more accessible stuff uh with all of the information that's available in constructing defense. So I hope you do give that some love and then then you'll be able to get upgraded for free to the 2026 edition that'll include that sort of AI teaching assistant for a lot of the material. Um hope you dive in. Links again flying around in the chat. Last one I did want to scream and shout about. Um, the most recent release that we've got out the door, we had our Windows threat hunting or Windows log analysis with seamless threat hunting where you don't have to use a seam security information event management platform because I know not everybody has that. I know you don't always have a Splunk or whatever elk stack. Sometimes you got to do not to say poor man practitioner work, but literally genuinely seriously rip up Windows event logs with open source tools and utilities like Chainsaw, etc. But anyway, that's not the screen that I'm on. I did want to give that some love. But we're also stoked that Davided Schllo, uh, his phenomenal and incredible style, his humor, his presentation approach uh, has kept things cruising for Windows malware development. WMD, you know that this uh has been a sweet saga. Already had kind of a beginner path for the introduction, but we're cruising and continuing onwards with the more intermediate and advanced stuff where we're building out beacons, crafting a C2 or command and control agent. So, super cool stuff. More on the offensive security red team side of the house. Look, I don't know if it's obvious to you. I don't know if it's clear, but one of the coolest things with just hacking training is that we're diving into all of these different parts and pieces of cyber security. There's blue team, there's purple team, there's OPSSEAC, there's OSENT, there's active directory, there's cryptography, there's a little bit of AI, there's quantum programming and coding, dark web thread intelligence stuff. More on that super duper soon. And of course, the free upskill challenges make these all super duper accessible. We do have one coming out for you super duper soon. I don't think we had it ready in time for the live stream, but we have one of the upscale challenges specifically for PowerShell coming out like checking both my watches cuz you know I weird too like a psychopath. um coming out today, coming out this week, coming out as soon as we can get it all bundled up, but super excited to help showcase a new developer, new instructor with us, Andrew Pla, and then give some love to PowerShell. You know, a lot of these are covering Golang and a little bit of Python and the real star of the show today, Deception with Adrian. Um, hope you give that some love and please do keep your eyes peeled for our PowerShell upskill challenge coming out super duper soon. Last one. Last one for me, I promise. I think I'm almost at the 10-minute mark. I don't know. [laughter] Look, it has been uh starting to slow down for the end of the year as to what we've been up to. All the different events that we've been able to attend, Defcon, Black Hat, RSA, Bides, Besides Chicago with our live and in-person training, that was a huge success. One other thing that we gave some love to and really wanted to spend some time with was uh Andrew Cra and his Ginger Hacker Initiative. uh got to dive in on a live stream with him this past weekend alongside Michelle and that was really really awesome. Genuinely, it's just a new mission, a new initiative, and a good cause. Thank you all so much for the folks that joined and helped support that worthy cause, and I appreciate you all letting me uh be part of the party. So, okay, I think I'm done rambling. I think I can tee up the real star of the show today, Adrien. Um, before I bring him in, let me help set the context. Let me help set the stage for you all. The upskill challenge for deception and detection via cyber deception is so cool. I am going to nerd out when we hang out with Adrian and I maybe I'm going to embarrass myself already before I jump in with him, but this is one of my favorite topics. This is the coolest thing because deception and cyber deception literally makes the highest fidelity indicator that there is a bad actor in your environment. They hit a canary. They trigger a trip wire. They touch your landmine that you've prepared so that you know there are hackers in there. Um, so so cool. Super sweet stuff. But let me stop rambling and let me bring in the real star of the show. So, I'm going to stop my screen share. Stop screen share. Not stop screen. Not sh I was almost going to click the stop streaming button and you know that's very real and very live in the moment when I do that. But I think we're ready. Adrian, if you if you're with us, I can't see you backstage. I I asked for this thumbs up when I still can't see you, but I don't know. Maybe it helps. Thank you again again for being willing to join us. Adrian, if you're ready, I'll bring you in with the sweet little countdown. Three, two, one. Adrien. Hey, how's it going? >> Hey, I'm phenomenal, my friend. How are you? >> I am great. Uh, as we were talking uh backstage before we went live, this is the last thing I'm doing this year. Uh, that's on camera in my studio. Uh, so, uh, uh, I I think it's a perfect thing to end the year with because like you, I just I nerd out like crazy, uh, when we get into deception. It's it's it's one of the most funs I one of the most fun things I think you can do as a defender. >> Well, thank you again. >> You don't get a lot of fun stuff. >> No, I know it. But thank you so much, seriously, for being willing to do all of this. Thank you for your help and contributions with this whole just hacking training endeavor. Thank you for jumping on the live stream. I know I'm going to say it all too often. I'm going to sound like a broken record, but it's always just gratitude from me. Uh, and especially thank you for helping share some of the sweet education with this. Uh, before we dive in though, would you be willing just to, I don't know, kickstart the party with some intros, who you are, what you're up to, and how did you get to doing what you're doing these days? >> Yeah, sure. So, uh, I I've been in cyber security since 2001. Uh, before that I was doing IT stuff also. uh have a background doing tech support for dialup uh internet and broadband internet right when it came out. Uh two of the toughest jobs I've ever had uh patience-wise. Um yeah, imagine trying to fix somebody's internet, but they can't try anything because they're talking to you on the device that they need to connect to the internet. So you're you're just looking for stuff wrong, you know, and you can't see their screen. So, you know, think of the most non-technical person you know and imagine walking them through something uh on a Mac, on a PC without being able to see what they're seeing. [laughter] >> So, that that that prepared me uh for a career in information security where you have to have a lot of patience. But I was on the enterprise side for a decade. Uh wore pretty much every hat. chief incident handler for five years of my career at uh large payment processor was a great place to learn cyber security. They didn't want to hire extra people so I was young. Uh I put in 80our weeks. They would let me wear every hat, do everything. So I I built everything from security awareness to uh you know building security into the uh uh developer life cycle, setting up our first SIM, building secops, uh doing investigations. Um, so many investigations. Uh, never never hacking stuff either. Like you don't hear that a lot, but uh people dealing drugs internally, embezzling money, uh, espionage, uh, you know, foreign agents inside the the company, uh, working as, uh, as uh, contractors, all kinds of crazy stuff. Um, I was a pen tester for many years. Um, and a PCI QSA at the same time, which was sometimes interesting. Um, generally I don't think you're supposed to be the pen tester for the company that you're auditing for PCI at the same time in the same week, but that happened a few times. And um then I got I became an industry analyst and I wrote about the industry for a long time. So I learned what uh you know all about VC, all about funding, all about uh startups and founders and and talked to tons and tons of companies in the industry. Started my own consulting firm uh which got acquired by uh a vendor and and we were mostly focused on enterprise services uh you know pentesting and things like that. I actually tried to rebuild the pentest from the ground up. Uh you can still find a it's time to kill the pentest titled talk that I gave at RSA back in 2018. Um, that's a different discussion though. And uh, and yeah, now I'm independent and I worked for a bunch of startups. I got tired doing that and I'm mostly in front of the camera now. I do a couple of podcasts. Uh, I do a lot of advisory work through Ians. I'm faculty over at Ions and and do a lot of work for enterprises there. So I I get visibility into what problems people have. And then on the other side, I'm doing a bunch of webcasts and podcast for Cyber Risk Alliance. Uh, so I interact with vendors a lot too. Uh, so it's always interesting to see how, you know, what people are selling kind of match up with the problems that people have or or don't match up as as is often the case. Well, I'll admit I had known you and I think gotten to know you a little bit through Security Weekly, one of those shows that you are always out and about with. Um, and I think that's been a huge success. I think a lot of folks maybe tuning in are already familiar with that one and maybe listening already. Um, but I remember when we get to catch up at person, maybe this is silly, but I have this memory that sticks out in my mind and I don't know why I remember it, but at RSA, you and I got a chance to catch up uh amongst the like crazy zoo vendor floor trade show and we're just kind of sitting on the couch chilling out talking about content creation, talking about, you know, education, talking about the work that we do. I don't know why it sticks in my mind. Yeah. But that was such a sweet experience because I just remember the chaos surrounding us and we're just kicking back, chilling on the couch. [laughter] >> Yeah. So I I wasn't sure if this is going to work. Uh so training is new for me. People have been asking me to do training for a while and uh you know the tough thing is I I spend the majority of my time on vulnerability management. I do a lot of research into it. I have a lot of strong opinions on it. >> But everybody who does training already has vulnerability management. So, I had to find something else and that led me to deception. Heck yeah. Well, I think if you're willing, unless there's anything more we'd like to banter about, it would be really cool to do some sweet showand tell. If you've got a demo or anything you'd like to light some fireworks for, I think we'll also be keeping an eye on the chat in case anyone has any questions, any thoughts, anything that we'd like to uh dig into. Uh the the floor and the show is yours. >> All right. Well, I'm going to share my screen. I did put put together a couple of slides uh nothing bullet point heavy but I I feel like uh this requires some context uh and understanding of the philosophy behind cyber deception. So, usually you hear about honeypotss uh uh with uh when we talk about cyber deception and I I generally dislike the term deception uh because really what this is is a detection mechanism. Like people hear deception, they're like I don't know if legal is going to let us do that, right? [laughter] It's like it's it's it's just would they not let you put in a a burglar alarm, right? would they not let you put in a, you know, alarms on your building on the locks on your doors and stuff like that or on your windows? Uh, and that's effectively what it is. So, I I think of it more as like um early detection, an early detection mechanism. Um, [clears throat] so I, you know, I think that helps some people get past it. Uh, you'll notice a lot of the commercial vendors out there that do deception, uh, have different terms for it. uh they they don't use the terms honeypotss often. They don't use uh the term um uh honey tokens and things like that. They they've breadcrumbs. There's all these different terms that they use. Uh but it's really it's really the same thing. And you know, I I I think what's so exciting about this is security operations and detection engineering is really hard, right? like uh you know later on in here I I have a slide that's the attack matrix and there's so many things that attackers can do uh but the thing the attack matrix doesn't show you is how many of those actually get used which is a tiny tiny subset right the the minor attack frameworks is an encyclopedia of everything that's possible and as a defender you don't really need the whole encyclopedia you just need what you need to worry about today which is maybe like 5% of it right a lot of credentials theft, a lot of lateral movement with credentials. You know, I think uh exploitation is way overplayed. Uh but if you have one of these five devices from these uh five manufacturers, absolutely you're going to get owned as soon as there's uh remote code execution in that. And you know, for whatever reason, you have the management port of your firewall exposed to the public internet, which is never a good idea. So, [clears throat and cough] the nice thing here, yeah, I you've all probably heard the the terrible saying that that just gets me fired up every time. An attacker only needs to be right once and a defender has to be right every time. And that really only holds weight for that initial foothold. So, sure, from the public internet, they get to hammer you w with as much stuff, as much as they want. But the moment they're in your environment, uh, that flips. All of a sudden, they have to be sneaky. They don't want to set off alarms. They don't want to get caught. Uh, now they have to be right every single time. And you only have to catch them once. And the the math of the thing flips. So, and the reason that is is because they don't know what to expect in your environment. And we might actually see this change with AI agents. Uh with AI agents, if if your enterprise had uh you know the the poor uh foresight to give an AI agent too much uh you know too much access to your environment, too much knowledge, uh some of these AI agents that run on your endpoint. We've already seen attacks uh where malware uh incorporates a uh a prompt and says uh I don't know where the good stuff is. You show me where where are the SSH keys. Find them for me. Uh zip them up. Upload them to this GitHub repo where I'll pick them up later. And uh so this kind of fog of war that the attackers have forces them to do certain things. They have to scan your environment. They have to search around for things. They've got to go find some file servers, plunder them for documents for, you know, the the passwords.xlsx that always exists. Uh even in 2025, will continue into 2026. There are organizations that require their employees to put clear text credentials for services that are shared into spreadsheets. And uh and that's going to continue. And you can use that against them. Uh because generally we know what they're going to be looking for. we know what's going to get them excited. Uh if they find credentials, if they find a document that looks like it has juicy intel in it, uh you know, we can name something uh that that we know is going to get uh attackers, whether they're attackers or pentesters, you know, and I think that's one of the keys here in uh rolling out deception is you should be catching your pentesters every time, just all day, every day. And if you're not, you've used it incorrectly because it should be super easy to do. Um, and and yeah, passwords.xlsx sounds like, oh, that's way too obvious. I can't name it that. They'll know uh that it's a ruse. But that is literally what these documents are are called. I spent a lot of my time investigating doing postmortems uh when there's public info for stuff. And I comb through some of these leaks that come out of enterprises. There's passwords.xls. XLSX in every one of them or passwords.docex. People people are still doing that. Um, so there's a couple different ways of approaching this and one of those is uh what I'm going to talk about today and what I kind of subscribe to. So this is like a a becomes like a personal religion philosophy in deception is I like the simple approach uh like there's just a token or a a system or a service or something like that that if you touch it an alert fires off we get it uh we go into action do whatever you need to do to contain eradicate kick out the the threat. Um, but there's this other, you know, so I've got uh two bridges here, right? One very simple, probably cheap to build, probably didn't take a ton of time, and then a very complex one was probably very expensive, uh, took a lot of time to construct. And uh the other side of it is building these kind of like cyber rangers ranges that mirror your environment. This kind of uh pocket dimension for the attacker that you trap them in and uh they still think they're hacking you and you can study their behavior and stuff like that. But when I actually talk to people, nobody's got time to build that. Nobody's got time to monitor attacker behavior. They just don't want them in their environment, right? They just like if you think back to Fire Eye, Fire Eyee's big thing was uh oh, we're going to catch the really sophisticated uh malware and analyze it for you, right? Nobody I've ever met has time to dig into that analysis. They're five people too short. Uh you know, it would be lovely if we had the time, but we don't. We would just rather kill the malware, right? And and go back to whatever other thing that that we're trying to get done. So, I kind of subscribe to the simple side of this rather than the complex. And John, feel free to jump in. You know, I've noticed you you kind of pop back and forth. >> No, I'm keeping some visuals, you know, making a all the attention span, retention stuff, but I think I'm right there with you. I I think the simple stuff tends to work. And I sometimes I feel like we forget what we maybe even belittle as like, oh, the barebone baby basics. But like the reason a lot of us keep screaming and shouting about that is because it's the right answer. And I know even, you know, for my day job, I'm over at Huntress, we work with a lot of folks in the channel like managed service providers, small mid-market businesses, but we're moving up to get a little bit more enterprise, all companies support. But yeah, the truth of the matter is, hey, we saw this wild infection. We see this threat actor. We see this hacker doing all this elite stuff. Oh, here are these commands. Here are this implant. Here's this DLL hijacking. At the end of the day, end customer does not care. They don't care about the attribution. They just want the malware gone. They don't want that intrusion. They don't want the compromise. So, I I agree. Sorry. I think that just rings true. And I I'll give you the plus one. >> They they you know, uh December 19th, 5:00 p.m. on a Friday, they want to go home and wrap some presents and drink some eggnog. Uh you know, or some boozy eggnog or something like that. They don't want to be there the whole weekend because, you know, some some incident went down. And uh and yeah, you're you're absolutely right. And you know, again, like just getting past this like like why would we make it easy on attackers? What if we thought of malware as fragile? What if we thought about attacks that uh assume the environment that they're going into as fragile? Uh like in a lot of cases, even if you install Windows on a D drive instead of a C drive, all of a sudden a lot of malware just breaks. It doesn't know what to do. like they could have written the malware using environment variables to see like where the app data directory is and things like that, but no, they don't. They hardcode it, right? Like they could have been smarter about it, but uh yeah, I don't know if they were smarter about it. They might not be criminals. They, you know, they might be doing some legitimate gigs if they're available where they live. Um but uh but yeah, why why not have a bunch of booby traps? And so I I am going to hold some things back today because there's so much you can go into in this training course and I'll get to some details on that later. But one of those like immediately some of the questions start popping up. Well, I don't want to catch my own employees. You know what about false positives stuff like that. So there there's a whole uh you know system of thinking that you go through for that. But a lot of the work that you do, John, a lot of these details do help you figure out uh you know what deception techniques am I going to use? where am I going to put them? Uh because they help you spot those patterns that are common. Like every single time malware has to do this, you know, you know, if somebody runs Mimi Cats, why not have a fake account in there, right? You know, make it look really juicy, you know, let them dump the creds and and use the fake creds. And the moment they use those fake creds, we know that they're there. Uh so, you know, that's a great place to get that uh like DFIR report I'm a big fan of because they they go into tons of detail. they share it publicly. Um, yeah. Yeah, there's lots of sources of of good information. Go back and watch Home Alone and Goonies uh to get ideas if you need to. And yeah, like I like I said before, you know, you can you can flip this script, right? you know, like this uh this moment in Watchmen stands out in my mind where [laughter] Yeah, it's it's um you know, maybe you shouldn't be excited to get into uh somebody's environment, to hack into some somebody's environment. If you know that it's a a mindfield of stuff, you can kind of move away from this victim mindset and say, "Yeah, you know what? You're in danger. You're you're in you're in my house now." How can we scare the hackers? [laughter] >> I hear the uh you know, I know you were alluding to it earlier, the attackers only need to be right once. And some thing that I've likened to when we do flip the script um and treat it so that oh, you're on our turf now. You're in the defenders home playground. The defenders only need to be right once. And that acronym is very funny to me because it's don't, bro. [laughter] So, I always use that as the backend response to attackers only need to be right once. Hey, hey, hey, that's goes both ways. Defenders can be right once when we lay these right traps and canaries. >> Yeah, exactly. And uh and yeah, so what happens when it So, this is one of the questions that often comes up like uh could the attacker figure out that it's a trap without triggering the trap? And the answer is sure. Uh but how is your behavior as a pentester uh thinking with an attacker mindset going to change the the moment you notice that there's traps? The moment you notice you're standing in the middle of a minefield, how is your behavior going to change? You're going to slow way down. You're going to be much more careful. Or maybe you go after a different target altogether. Uh you know, with so many targets out there, you know, this is something we we hear often. You know, like, yeah, an attacker got in. We can see they got to this point and then they just pieced out. All right. Um, so this is going to be hurting cats, but I have ADHD, so all the cats are right here. They are in my own head. So let's see how this goes. Uh, so first I I want to talk about just some of the basic uh tokens here and how they work. Uh, a lot of these tokens work by reaching out to a web server somewhere and just touching it, right? you know, the fact that you loaded a page on a website is enough. Uh, you know, if if we uh so we'll jump in here. We'll create some uh or pinging a DNS uh address because you can create like infinite CNAMES and and things like that uh on a on a domain and uh if those can be unique, you can use those to know that hey, this was this token in this place uh at this time. >> Can I help uh color the picture here? I think Yeah, go for because you you jumped over to Canary tokens, canary tokens.org, which is described. >> Awesome. No, I mean it comes from thinks Canary, which we know and love. Uh, super smart folks over there. But one of the best things about this, and I know some of the other resources that you're going to show are that these are free. They're they're totally accessible. Like anyone can go to this resource, go to this website online and get one of these things up and running, right? >> You don't even have to create an account. You can just start creating tokens. Um, yeah, feel feel free to pull up canary tokens.org while I'm doing this and and create some and play with them yourself. Uh, but yeah, let me um I'm going to have to now that I'm doing a demo reconfigure my sharing so that I also have uh a terminal up as well. >> Cool. If you need to drop the screen share anything, I can help cover uh any air coverage. But, uh, look, these are some of the sweet resources that I know are in, uh, Adrian's upskill challenge. Again, free re, totally accessible, uh, all online. We'll have some links flying around, but I love the fact that anyone can play with this. Um, I love the things, canaries, and we've showcased these in a couple YouTube videos on my own channel. Um, and I know there's a lot more to dive into. Yeah. So, uh, pretty pretty easy to to jump in here. So email is kind of the default here. Um you can also add a web hook. So if you want to use uh you know one of the things I used to talk about is uh if if you don't even have a SIM uh you could use Trello as a simple SIM and you could set up uh in Trello it's like a conbon board and uh you can use a web hook uh so that every time one of your uh one of your canary tokens alerts it creates a card in your investigate uh tab and as you go through your flow you can move uh or or alert uh you can have an alert column, move it over to the investigate column, move it over to the uh, you know, completed, however many columns in your investigation workflow you need. Uh, you know, just an example, you could have it come into Slack, into Teams, anything else that uh that supports web hooks. But uh, today I'm just going to use a an email address. Uh, we all have funny domains. This is one I just I just have uh for moments like this. >> [clears throat and cough] >> All right. So, this URL and you can see it's kind of obvious, canary tokens.com. So, there are ways to do this where you can hide that. You can use different domains. Um, and uh you can make it look more sneaky, but honestly, in my experience, you generally don't need to do that. There are a lot of ways to use these base building blocks for uh tokens that uh where the attacker is never going to see it, right? You know, they're gonna they're going to click a link uh you know, with the words highlighted uh or you know, they're they're going to trigger. I I'll show you a little bit later how how I use this in more advanced tokens where uh there's no way the attacker is going to see it or at least they wouldn't have an opportunity to see it until it's too late and they've already triggered it. But just to demonstrate this basic one, we can just uh w get this, we can come over to manage canary token. We see it's been triggered one time. We can check the history and there we go. [clears throat] We can click this and we can see it was a web bug token over HTTP. Uh I use wget. Even shows you the version. So, uh, pretty much any kind of browser, anything, uh, will send over some kind of user agent. Even if it's like an AI bot crawling website, stuff like that, they all have a user agent field, and generally that tells you some information about it. You can totally spoof this. Uh, and again, uh, my more advanced example, I'll show you how you can actually smuggle information into this, and you can put information into this user agent field to tell you more about who the attacker is and what they've done. But this is the most basic example of what a deception token can do. Uh you get the source IP. Uh this is coming from my home network. So [laughter] spare me please. I I didn't have time. It it will tell you if it's tour or not. Um I didn't know how that would work with Riverside being on being on the same box. So I didn't connect my my ProtonVPN. But um but yeah. Yeah, that's the basic one. and and now I know uh you know if I put this in my password database for example or something like that now I know somebody's in there because that's the only way that you could have triggered this is you know because I wrote it down on a piece of paper and put it in a safe or I put it in my password database and that's kind of the idea with these tokens. Obviously with a web bug that's not quite the right form for putting in a safe or something like that but you know what here's a QR code. All that QR code does is translate to a web bug, right? Uh so most of these have either the DNS uh functionality, which we can create a DNS token real quick, too. Cyber Chainsaw go burr. >> I do love that email. >> It's an old meme. [laughter] I do love the variety of all these different kinds of tokens that thinkst and canary tokens.org offers because you can get super clever. You can get crafty. It could be execution when a command is ran on a Windows host. You could have something listening, sitting, waiting in registry. You could have it a favicon on a website or anything. Tons of options. I >> I'm so old. John, how how do you what were so nsookup was replaced by dig? What replaced dig? Help. >> Uh, I don't know if a lot did, truth be told. Um, >> why is Digg not here? >> It might not be pre-installed in the Ubuntu instance. You could pull it down if you really wanted to. Uh, but or we could just keep cruising if if the DNS one isn't a quick, you know, one and done [laughter] rabbit out of the hat. I am also surprised that the dig client is not uh already there. Uh, NS lookup isn't either. Well, anyway, not to not to fall down the rabbit hole, but [laughter] now I know you have Canary tokens up and running. I know you also have a tab open for Tracebit, who are some good friends. They are a partner of ours over on the YouTube channel. So, I I love the stuff that they're up to. Um, and even more community edition stuff. But Oh, cool. Looks like you're getting a ton of hits here. Yeah, look at that. Yeah. So, uh just running dig uh somehow hit it six times. So, that's interesting. You know, sometimes uh you learn the behavior of different things. So, sometimes enterprises deploy uh these uh deception methods and they find that some security software was doing stuff that they they weren't aware of. Like a lot of AV uh agents will run port scans uh and a lot of people aren't aware of that, you know. So the moment they install like a honeypot on their network and starts getting scanned by other workstations, they think there's something going on. Uh, and this is something every time I've I've trained incident trainers, understanding the behavior environment in your environment is super important because if the first time you're looking at pcaps or you're looking at um, you know, uh, application software behavior, there's a lot of stuff that's going to look fishy, that's going to look really bad, but it's just totally normal, you know. So there are a lot of uh AV EDR agents out there that will just run port scans on stuff around them and uh and people get alerts and freak out but it's it's uh normal behavior. Maybe it's not behavior you want uh but it is normal behavior. Uh so yeah again we get some basic details there what IP address they came from [clears throat] and uh and yeah so so these are the basics and as John mentioned there's a ton of other uh uh different options out there uh and like I said most of them are just either that web bug or DNS uh uh functionality baked into something else you know a couple of them are different AWS uh you know thinkst actually manages an AWS enir environment uh that these keys come from and the moment they get used you get an alert. Um you know fake app you can put on your phone. I think this one is just a web bug. Uh you know I know the my SQL one is just a web bug. So so very simple in how they work. Uh but that makes them super flexible to use. You know like uh I I could have like an NFC tag or something like that and I could I could write Wi-Fi credentials on it or something like that and put one of these web bugs uh on that NFC tag. If you have an Android phone, super easy to modify, you know, just a a cheap little NFC tag, stick it on the wall somewhere, see if anybody scans it. So, right now, we're going to create uh a word token. And some of these do have limitations. And again, so the philosophy here, uh, you a lot of people get caught up in, oh, like I don't want to use the word token because if you opened it in a hex editor, you could see, you know, the the web bug embedded in it. Uh, or or you could, you know, it's a zip file. You could rename it to a zip file, open it up and inspect it. Sure. But, um, [clears throat] first of all, a lot of people aren't going to do that. Uh, because they're not expecting to get trapped again. like they're they're not expecting the trap. So, uh you know, it would super slow them down if they had to inspect every single word doc. Um I'm really bad about typing and talking at the same time. Um [clears throat] let's see. While you are getting this cooking, uh there was one question that came through. Granted, I think we might have already addressed it out loud, but maybe in case or refrain for folks that might have joined in a little bit later. Uh, Anthony was asking, "Look, defenders might be right or they must be right constantly, not always, just once. Does deception like these honeypotss, honey tokens, does that meaningly shift that balance in modern offensived driven environments?" >> I think you touched on it. >> Um, yeah. So, you know, again, uh, an attacker when they come into your environment, you know, maybe there's a million touch points that you could gather on everything that they did. And again, you can practice this if you have an internal pentesting team or every time you have a pentest. Uh, you should be noting this. You know, what were all the ways that you could detect them? Uh, very rarely in my pentest career, and again, this is kind of like time to kill the pentest. One one of my big points there is very rarely are people using it to improve their uh, detection engineering. you know, their their detect and respond uh capabilities, but um you don't have to detect everything they're doing. So, again, uh all you're looking for is just, you know, the notification that somebody is in the environment. You know, you only need one of these traps to trip uh to know that they're in there. And then you turn to your uh you know your EDR, your NDR, you know, all the other data that you have because uh that thing that triggered is going to give you an IP address. It's going to give you some idea of where they are in the environment because again uh the only place that that canary token lived was on that one web server, right? So now now you know where they are. You know somebody's in there doing something they shouldn't. Maybe it's an insider, maybe it's an outsider, but that's where you start the investigation. So the purpose of this is not to gather all the information on the attacker. Again, it's just early detection. Sweet. Okay. So, we produced a word doc here. I'm going to open it up. And by opening it up uh with Word. So again, like if I were to open this up with Google Docs uh and not with Microsoft Word, it probably wouldn't trigger, you know. So, it's it's good to understand the limitations of some of these. Um, and it's just a blank document. And I didn't name it anything really interesting. Uh, but what if I were to rename this? [clears throat] Let's see. Let me rename it real quick. Let me use the name that I I put in here. So, this memo is super important. The last thing you want to do is create a Word doc like this and put it on every employees laptop because then what happens? it triggers which laptop? I don't know. It could be any of the thousand laptops. So, actually what you want to do is you want to write a script that deploys these uh these tokens uh across all the laptops so that uh when it does trigger uh you know exactly uh where it happened and you can pinpoint that. All right. So again uh better name but still blank. Uh but I have uh prepared another document. Yeah, because this is a functional word document. I mean it is triggering uh and I just had chat GPT uh produce something that looks like maybe what what a build document might look like in an organization. Maybe it's not what it looks like in your organization and and you definitely want to pull all the AI prompts out of it uh before you actually deploy it. But um but yeah like there's a lot of very specific information in here. You know I basically did a find replace for my for my use case. Uh AI was very useful for this for uh and in general is very useful for creating uh you know names that sound real and uh see which one of now I'm mixed up. [laughter] Which one of these is the is the trap? >> The trap is on the right I believe but >> okay. Yeah, that one is in the deception demos category. Okay, so we're gonna close that one. Uh this is our trap. And uh so we should already have some triggers from this. Looks like we do because [clears throat] I opened it with Microsoft Word. But then what else can we do with this? Uh we've got a credit card number in here. Uh you know, maybe they want to mess with that. Uh maybe they're not interested in a single credit card. May maybe they want uh you know a seven-digit ransom, right? Um you know, so they're going to look for something in here they can use to to pivot. Ah there's an AWS access key and secret key, you know. So uh you know, you guys could take those if anybody wants to. We'll put that in the chat [laughter] and you can mess with those if anybody's I didn't have time to to get set up to to trigger these, but again, they're going to trigger in the same way. uh the moment somebody uses that AWS access key and why would you not use it right any attacker's got to know what's behind that like they are not doing their job as an attacker if they don't uh jump at that and use it immediately uh and you can see it several times in here even says what region [clears throat] a lot of convincing details in here um or maybe they take this AMX card and I don't know they they want to order some coffee online. You can go you can SSH to and they're not paying me to say this. I I just think it's fun, but you can SSH to terminal.shop [clears throat] and you can buy some coffee over SSH. Terminal folks are great. [laughter] I do want to make sure we give you some time to dig into trace bit and some of the others. Uh but there were some really cool questions that were coming in and folks were asking for the word doc specifically. I don't know truthfully the implementation or how that is done for Microsoft Word and Office documents but does that use macros is is that macros does that fire in preview mode or anything protected mode? >> No. So, so generally um you know most of the places like the PDF one also uh you know in some of them you can attach a certificate to it and by validating that certificate it has to reach out to uh an HTTP website. Um you know so that's generally how these work is it's some piece of metadata something that when you open the document it validates that which is why it doesn't work with like Google Docs because they don't care about the validation. and they don't care about some of these features that you might use for for DLP or or something like that. Um, but uh yeah, the more fullfeatured, you know, like Adobe Reader and Microsoft Word have all these extra features in them, which is how you can put the the traps into them. So, yeah, [clears throat] enabling macros is not necessary for this to trigger, but opening it with Microsoft Word is. Uh, no, you can't do rce because uh you're not actually running any code. Uh, the most you can do is get them to reach out and and touch a website. Uh, so yeah. Yeah. No, no. I mean, that would be a vulnerability, right? You know, if if uh if things built one of these and they found they could do rce, I would think they would be obligated to disclose it as a vulnerability and Microsoft would fix it. >> That would definitely be a bigger problem. [laughter] >> Yeah. Uh, one little question that again I think leads us a little bit more to the creative uh, further imagination we could do. Uh, Bo is saying, "Hey, you know, the domain does seem pretty obvious. Would a bad actor really fall into that trap?" But we could decorate, right? You we could make that hidden or use whatever anything else we might like, right? >> Yeah. So, uh, they they do have documentation on how to roll with your own domain. Um I believe somewhere here uh these are more details about the different Canary tokens. Yeah, I know if you used a paid service, you can use what whatever domain that you want. That might be one of the differences from the free version and that uh but again in a lot of situations that you deploy these, they're never going to see the domain. Um yeah, I've I've got another I've got a few more examples here. Um yeah, and and maybe after that we talk about trace bit. [cough and clears throat] I uh I have so many environments here. I made some notes on where I actually put these, you know. So, for my Collie uh uh VM here, if we go to [clears throat] Okay, let let's say I stole some SSH keys, right? And I'm going to I'm going to try and use them. See if I'm able to log into a box. Um, okay. Maybe it's passwordbased authentication. Uh, stole creds. Not not a uh [clears throat] Oh, is that a different uh let's see. Ah, that's right. No. And that's a okay if we see a couple that don't come to fruition. I think we're maybe eight minutes to the top of the hour. So, totally want to be respective of your time and everyone else's. So, [laughter] if we got to showcase, that'd be cool. >> I just uh yeah, just uh typed in the wrong username. Okay, so P
Original Description
Just Hacking Training livestream with special guest Adrian Sanabria on Friday, December 19 at 10am Pacific, 1pm Eastern Time! https://justhacking.com
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
The best malware removal software of 2026: Expert tested and reviewed
ZDNet
Best Institute for Ethical Hacking Course in Delhi
Medium · Cybersecurity
GitHub and Google Sites lures distributing Remus Stealer
Medium · Cybersecurity
The Biggest Cybersecurity Mistake Businesses Still Make Isn’t Technical
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI