Hello everyone, this is Tom Uren and I'm here with another Risky Business News sponsor interview. Today I have with me Marco Slaviero of Thinkst. G'day Marco, how are you? I'm well Tom, how are you? I'm good. So for people who are totally unaware of Thinkst, you make honeypot-like tokens of all different sorts that you can just scatter around a network and will warn you if someone runs into them or triggers them.
And one of the things you mentioned to me is that Thinkst goes through the DFIR report. So that's an annual forensics report about different incidents. And you go through and you look at how you could use canaries effectively in those incidents and how they would trip up attackers. So that's a regular process you go through to try and keep up with what attackers are doing. Is that the way to think about that? Yes. So that's pretty much how we think about it. So the folks at the DFIR Report put out these pretty regular reports. And what they basically do is it's incident response folks who
catalog incidents that they have been involved with, sort of from start to finish. And one of the dangers on the security vendor side is that you sort of get used to trying to detect or improve the lives of red teamers. So either if you're on the blue team, you find yourself trying to detect red teamers. If you're writing tools for the red team, you're trying to defeat blue teamers. But when we actually, as a security vendor, are trying to say we're going to detect attackers, it's not sufficient for us to just say, look, we need to watch what red teamers are doing. We actually need to see what real-life attackers are doing. And the DFIR reports are fantastic for that. And so they sort of give you the snapshot of what current attack tooling and current attack approaches look like. And so for us, it's a pretty regular event that when the next report comes out, one of our folks is going to go through it and try and pull out what are the points that we could help if we were deployed in that environment. Are we missing opportunities, or are we making sure that we would be in the path of that attacker?
And so what kind of things are you finding? I mean, I guess if you were doing it in a really structured way, you'd say, you know, we've got X percent coverage of what people are doing or something like that.
Yeah. So the reports don't come out that frequently. You know, this is one incident. This is not aggregate data of several incidents. And so I think if you were just following one report, you wouldn't have a good overview of what attackers in general are doing. The thing from this particular one that is very striking is...
Organizations tend to get blinded by the threat of zero-day and sort of nation-state attackers and that sort of thing. And this example is really like a bucket of cold water on that idea, because this organization was phished. The threat actor basically deployed a Cobalt Strike beacon. On day two, they started browsing network shares inside the organization. They spent another 27 days basically just running around the network, running off-the-shelf tools. And on day 29, they deployed ransomware. And that situation is much more likely for most organizations than nation-state zero-day.
And so the report just gives you this very clear view of what happened almost on every day. This company obviously had good telemetry to be able to let them rebuild what the attackers were doing. But really, it is not zero-day. It is off-the-shelf tools, and it is browsing network shares. That was the attacker behavior here. Yeah, yeah. I think in terms of business continuity, unless you're a Ukrainian organization, there's almost nothing to fear from nation-state attackers. And so, you know, most of them should be concerned about ransomware first.
A nation state is like a national security threat, like a serious national security threat, but in terms of business operations, business as usual. I mean, RSA, so this is going to be coming out in the week of RSA. And I'm pretty sure if you do the rounds at RSA at the booths, you're going to see advanced persistent threat mentioned. You're going to see stop zero day as a bullet point on a lot of folks' signage.
And again, that's just not the threat that most organizations are facing. Now, I do think we provide something for those organizations who are concerned about zero-day, but by and large, actually, the DFIR report shows what most organizations would be up against these days.
Well, I guess your positioning is all about assuming compromise, right? So whether it's zero-day or it's phishing or whatever, the whole point of a canary is that you can say, well, they got in. I don't care how they got in. Exactly. But we've detected them. So in that DFIR report, has it actually made you think of doing something differently?
And so when we go through it, we're basically just trying to understand the attacker's flow and see if there are places that we are missing. And so for us, like one of the actions that kind of brings a smile to our lips is, you know, often when we speak to folks, one of the demos we do with the canaries will show them an open file share on the canary, and you can put in a file that looks tempting, like passwords.doc. And folks would go, why would I click on that? The reality is you absolutely, as a red team, would click. And what the DFIR report shows is also this is what those attackers did. Like they literally pulled files from a file share that had open clear-text passwords in it, because the attackers expect to find that stuff. Like that's what the real world is. What was it called? Was it called passwords? They didn't give the file name. They didn't actually give the name of the file, but they mentioned that files were pulled that had clear-text passwords in them. And so for example, they're running SharpHound inside this network. They're running off-the-shelf network scanning tools. And so those are absolutely things that we would help you pick up on your network. That's already built in. I mean, we'd also consider the ideas for Canarytokens. So if you drop certain Canarytokens on your public-facing machines or on your end-user workstations, that would help you detect the breaches when the initial beachhead is formed, but the canaries by themselves, the honeypots, would detect that share enumeration, they'd detect SharpHound being run across the organization. So in reading this, our view is this attack path is one that we've thought about before, and in reading the report, for us it's more of a validation that yes, we would detect several points of that attack chain. Okay, how often do you learn about something that's happened
and it makes you take a step back and really think about how canaries would be useful? Is it every single time you hear about something, and do you go to yourself, if only they'd had our canaries? I mean, I'm guessing most vendors are going to have that thought. Look, I've been on Risky Biz in the past and said very clearly, we're not going to help you with your ransomware, which is almost the worst thing to say on a podcast, to say where you can't help people. My view has softened a little bit in recent times, mostly because of the behaviors of those sorts of ransomware actors. Previously, they'd compromise a machine and then immediately just start ransomware and stuff. Now, for several years, they've been trying to exfil data. And so in that situation, actually, I think we do help in that regard. Most large breaches that we hear about, we're going to pause and go, is there an opportunity for us to learn something here about what the attackers are doing? And if we were deployed in that environment, would we have gotten in the path of the attackers or not? And so generally, we will try and apply our minds when there is some large breach.
Now, let's talk about a different kind of, well, potential breach. The XZ, or for the Americans in the audience, the XZ supply chain attack, where an open source project was compromised. The attackers, which seemed like a state group because of the time and the effort they put into it, basically earned the trust of the sole maintainer over a couple of years. Yep.
So have you thought about that kind of attack in terms of how canaries would fit into responding to that? For sure. XZ seems like a bit of a watershed moment, at least internally. That's how we see it. So we did an internal talk on our thoughts on this, actually. The short version here is, and you mentioned it, which is we're not there to prevent breaches. We're there to help you detect them. And in this case, the way that a breach happens, however they establish a beachhead, it could be via phishing, it could be via zero-day, it could be via a backdoor like this, it could be via credentials that are misused or misplaced or brute-forced. At some point, if an attacker winds up inside the network, their actions after that start to look very similar. And it's that lateral movement, it's the reconnaissance that they're trying to do inside the network as they're trying to understand it. That's the point at which canaries help. And so with XZ, we're not going to prevent that backdoor from happening or being exploited or from that vulnerability being introduced at all. Our view there is we help you once that thing has been exploited and once the attacker is already inside the network. I actually like trying to detect attackers after initial compromise because
I think it's part of a holistic approach, right? You want to make yourself as resilient as possible in the first place, as hard to compromise, but there are no guarantees. Things like zero-days exist. Things like the XZ supply chain attack exist. And one day, one of them will be successful for an organization. So the question is, I mean, you can make your honeypots attractive products by putting, calling them password.txt or whatever. But do you think there are other approaches that would make them, I don't know, shine a spotlight on them or make them more visible or make it even more likely that an attacker will stumble across them? So yes is the answer. So we've been playing with the notion of breadcrumbs, where breadcrumbs are files or other artifacts that would lead you towards your honeypots, and so it could be things like
SSH config file entries, could be like an FTP profile for various client software, or HTTP or HTTPS links, or even file share links. And so that's the thing that we've currently got internally, and we're sort of playing with it. Our view on the breadcrumbs is we think they are kind of a nice-to-have for customers who want to do more. We don't think that they are necessary. What I mean here is we think you get, like, I'm going to make up a number here, but the vast majority of your benefit comes in deploying the honeypot. You know, maybe that's 80% of the benefit. And then deploying a breadcrumb is going to give you a small improvement in the discoverability of that honeypot.
So we think it adds to the product, but we don't think it's central to it. And so it's the thing that we've currently got internally. We'll be taking it to beta shortly. And so customers can keep an eye out for that. Right, right. And so would you get the sort of feedback from deployments of, you know, an attacker actually stumbled across a breadcrumb and then went directly to a honeypot? Do you have that kind of telemetry or will you know whether they work? Yeah.
Look, our general approach is to try and limit telemetry as much as possible, because we get deployed in pretty sensitive environments. And so folks generally don't want us exporting data out of their environment. And that's a commitment we make. So we actually try not to collect that sort of telemetry, to be honest. And so we wouldn't have that. I mean, you'd know that the breadcrumb was deployed on some particular host. And if you saw a connection from that host to one of the honeypots, you might draw an inference to say they probably came across the breadcrumb, but that would be the limit of the inference that we could draw there. So that seems like an interesting idea. I'm wondering, how can people get in touch with you? Will you be at RSA this week? Yep. So we're at RSA this week. So we're in the North Expo Hall. We're at booth 6445. A bunch of us will be there. We've got a bunch of swag. We're doing demos and all the rest of that stuff. So feel free to stop past and have a chat with us. Marco Slaviero, CTO, Thinkst. Thanks a lot, Tom. Thank you very much.