I thought the same. Wouldn't it be trivial to just replace 'whoami' or 'sudo' with a script that silently fires some kind of alarm and still gives the expected output? Or am I missing something here?
I use security onion for this, sysmon generates events and they are shipped to security onion using winlogbeats. Stuff like whoami execution shows up on my alerts. I wouldn't mind making some canary tokens for files inside shares with sensitive information as a warning for me to be prepared to be fired.
Got to be honest as someone trying not to get caught it’s probably something I would look to check before I ran that command.
In that kind of environment making assumptions like that could often mean the difference between jail or not in some cases. If it were me… I’d certainly see what I could find out about the binary before I ran it.
However I do think trying to make the sha256sum and or strings binary to both work and log (ideally silently and externally) would be a neat idea.
Similar concept but before these tokens, I remember (I think in 2014) when someone uploaded a word file to dropbox and got notified that it was open, and if I’m not mistaken it was also when they had E2E encryption, but not sure about the last part.
But the concept is interesting and sounds reasonable, and is novel (to me anyway). I'm assuming Krebs deems this worthwhile to share and he has sufficient cred not to instantly assume this is content marketing.
Maybe it's me but I know how to set up FOSS based logging, web servers, databases data lakes and the kitchen sink. But intrusion detection systems seem to be something that passed me by or is not well known. I mean Inremeber setting up tripwire databases back in the day but Inwas wondering what is state of the art in IDS these days in the FOSS world?
The knife cuts both ways. Since most people don't look up, it's a good place to be when you're conducting surveillance.
The rest of this is security theater brought to you by Kevin McAllister. A trap needs to either contain or kill the prey to be effective. Canary objects do neither and are a waste of fucking time; if the predator isn't interested in your bait enough to trip anything, you're going to assume you're safe when in reality you just failed to anticipate their behavior and appetite. The competent ones already know to check for sandboxed environments.
There are only so many ways in and out of your environment. Anybody intruding got in somehow, and will attempt to exfiltrate something or call home for payloads or further instructions at some point. Be the apex predator-- look up. Position yourself to stalk them from above by getting your network logs in order and implementing DPI. Be able to account for where the intruder came from, where they went, and how they exited. Your CISO will ask you these questions when you report that there was an intrusion. Being able to identify which canaries were molested provides zero actionable intelligence.
I’ve never heard anyone talk about them this way and I say this as someone who is also a bit skeptical of them but things like your last sentence just don’t compute with me at all.
I’m kind of curious as to what you see their role as to begin with?
I was actually writing a post this weekend that was about setting these kinds of basic tripwires up in your web apps.
Here is an example of one in node where I set up an endpoint /admin to both redirect back to the homepage and set a cookie that says key: authz value: unset
That should be enough to turn up in any kind of automated scan looking for endpoints they could attack.
I then (not shown in the pic) set up a piece of middleware that looks for anyone coming in with a cookie that has the key of authz and the value of anything besides unset because that’s the moment I will know that this is no longer an automated scan and that I should probably look into this so it hooks up directly with my cloud providers security alerting system and that takes care of the rest like showing me all the activity associated with that IP address etc.
As a meteorologist, I don’t understand why people don’t spend more time looking up. Clouds are pretty. So are stars. Being aware of the weather means you aren’t caught unaware. Being able to orient yourself by the sun means you don’t get easily lost.
Forgetting to look up means missing out on the world around you.
Also you need to avoid the drop bears. They’re vicious.
I can tell you the exact moment when I stopped looking up with a childlike wonder.
I was on the beach in preschool, and just walking along the sand, enjoying my day, and gazing at the sky, because what obstacles could there be on a flat, sandy beach?
Well, apparently I stepped on a jellyfish or something. It was a big deal and everyone made a scene and I remember having no pain or ill effects from the thing at all. My foot was fine.
But I never heard the end of the incident because my mom shamed me for years about staring up at the sky and not watching where I was going. So I basically developed a downcast gaze where I scrutinized every inch of the sidewalk as I strolled along. Sad.
The security team at work implemented these policies. The first time we saw the alert it was exciting - they have fired enough that now everyone ignores them
Is it normal for the security team to be hated at a company?
Hah, fair. I guess my main gripe is that there doesn't seem to be any avenue for backpressure - the security team makes an edict about how things have to be in order to be secure, and after that there's no reasoning with them. No explaining why their argument doesn't apply in this case, etc. etc. Perhaps because they are so used to everyone hating them that they can't listen, since people will always argue with them.
Our security team also engages in social engineering - making practices deemed insecure gradually more and more difficult through artificial roadblocks (e.g., adding y/n dialogues to commands that previously had none). Doesn't do a whole lot to build goodwill
Yeah, that is actually a really common problem, and it genuinely is the fault of the security team.
One good way to communicate and discuss security requirements is using threat models. A nice data flow diagram or architecture diagram showing the threat actor and attack vector helps a lot, along with any controls that exist.
Unfortunately, security often doesn't seem to feel the need to explain themselves or discuss anything if they have a magic edict to wave about. I think that's a mistake, we should try to bring people along with us. And even find out we were wrong occasionally!
Y/n dialogues don't generally do a lot to stop social engineering attacks. People get used to clicking through them. A better strategy for really sensitive things is to require a separate approver, but that does slow things down.
Sounds familiar. If you are a developer and quietly forsee a future problem with the code base and fix it, are you rewarded for that? Nope, the code will quietly continue working, and that's what it's supposed to do. Rarely do people recognize the ability to avoid problems. In most cases you would benefit more personally by letting things get screwed up (but not too bad) and then be the hero fixing the mess.
Sounds like better PR might be in order. If you're quietly averting disaster that's not enough, you have to make sure people are aware of that. Easier said than done, I know.
26 comments
[ 4.3 ms ] story [ 70.7 ms ] threadIn that kind of environment making assumptions like that could often mean the difference between jail or not in some cases. If it were me… I’d certainly see what I could find out about the binary before I ran it.
However I do think trying to make the sha256sum and or strings binary to both work and log (ideally silently and externally) would be a neat idea.
TLDR: Ransomware does reconnaissance on infected computers, invest in canary tokens!
But the concept is interesting and sounds reasonable, and is novel (to me anyway). I'm assuming Krebs deems this worthwhile to share and he has sufficient cred not to instantly assume this is content marketing.
One of the reasons are discussed here: https://news.ycombinator.com/item?id=29911195
The rest of this is security theater brought to you by Kevin McAllister. A trap needs to either contain or kill the prey to be effective. Canary objects do neither and are a waste of fucking time; if the predator isn't interested in your bait enough to trip anything, you're going to assume you're safe when in reality you just failed to anticipate their behavior and appetite. The competent ones already know to check for sandboxed environments.
There are only so many ways in and out of your environment. Anybody intruding got in somehow, and will attempt to exfiltrate something or call home for payloads or further instructions at some point. Be the apex predator-- look up. Position yourself to stalk them from above by getting your network logs in order and implementing DPI. Be able to account for where the intruder came from, where they went, and how they exited. Your CISO will ask you these questions when you report that there was an intrusion. Being able to identify which canaries were molested provides zero actionable intelligence.
I’ve never heard anyone talk about them this way and I say this as someone who is also a bit skeptical of them but things like your last sentence just don’t compute with me at all.
I’m kind of curious as to what you see their role as to begin with?
Here is an example of one in node where I set up an endpoint /admin to both redirect back to the homepage and set a cookie that says key: authz value: unset
That should be enough to turn up in any kind of automated scan looking for endpoints they could attack.
I then (not shown in the pic) set up a piece of middleware that looks for anyone coming in with a cookie that has the key of authz and the value of anything besides unset because that’s the moment I will know that this is no longer an automated scan and that I should probably look into this so it hooks up directly with my cloud providers security alerting system and that takes care of the rest like showing me all the activity associated with that IP address etc.
Here’s the code if anyone is interested. It’s a super high signal to noise ratio and easy to build. https://media.infosec.exchange/infosecmediaeu/media_attachme...
To top it off, we should have the phone's UI around this photo (so clock and 2% battery on the top left, network name on the top right...).
Forgetting to look up means missing out on the world around you.
Also you need to avoid the drop bears. They’re vicious.
I was on the beach in preschool, and just walking along the sand, enjoying my day, and gazing at the sky, because what obstacles could there be on a flat, sandy beach?
Well, apparently I stepped on a jellyfish or something. It was a big deal and everyone made a scene and I remember having no pain or ill effects from the thing at all. My foot was fine.
But I never heard the end of the incident because my mom shamed me for years about staring up at the sky and not watching where I was going. So I basically developed a downcast gaze where I scrutinized every inch of the sidewalk as I strolled along. Sad.
Is it normal for the security team to be hated at a company?
If you don't get hacked, everything we asked you to do was a waste of time and resource. If you do get hacked, we were incompetent.
Our security team also engages in social engineering - making practices deemed insecure gradually more and more difficult through artificial roadblocks (e.g., adding y/n dialogues to commands that previously had none). Doesn't do a whole lot to build goodwill
One good way to communicate and discuss security requirements is using threat models. A nice data flow diagram or architecture diagram showing the threat actor and attack vector helps a lot, along with any controls that exist.
Unfortunately, security often doesn't seem to feel the need to explain themselves or discuss anything if they have a magic edict to wave about. I think that's a mistake, we should try to bring people along with us. And even find out we were wrong occasionally!
Sounds like better PR might be in order. If you're quietly averting disaster that's not enough, you have to make sure people are aware of that. Easier said than done, I know.