Recently, our Blue Team has been heavily engaged with a client that focuses on preventing breaches and possible intrusions. But the question that came up time and time again was:
What if you have already been breached and don't know it yet? Should we not devote some resources to detection? Should we not take the “assume breach” approach?
The client was a bit taken aback, as this departs from their usual CISSP/CISM approach, and asked us to clarify what we meant. Netscylla will start a series of blog posts describing different approaches an organisation can take.
Our first is canaries.
On average an organisation takes 276 days to detect a breach. The longer a breach takes to identify, the higher the cost of response and remediation, on top of the economic loss to the business and the possible greater loss of customers. It's a lose-lose situation.
By putting in advanced detection capability we hope to shorten detection time from days to hours, or possibly minutes!
What are Canaries?
The idea or principle is not unique. Basically, we want to embed an object, or a link to an object, that can cross network boundaries, so that when the file is opened, said object triggers an alert in our alerting dashboard. Of course, the method varies with file type and application, so a fundamental knowledge of the inner workings of many file types is a good place to start.
Note: There are several specialist firms that make the management of canaries extremely easy. Sometimes it is easier for an organisation to use a third party because of the extra administration and support that managing canaries demands. These firms may also offer a free tier; once you start using their product, administering and supporting tens or hundreds of canaries through their own interface is much easier.
Why use Canaries?
Once you have the support (either in-house or via a third party), canaries are incredibly easy to set up and manage. Tag your documents and other intellectual property, or make honey-documents and honey-media, and sprinkle these files into various folders, file shares and web folders within your organisation.
We normally advise not to put canaries in marketing or popular public-facing documents/images, as this is not necessary!
It's always wise to do an initial dry run to test the canaries and your detection and alerting system, and to debug any networking or reporting issues, before relaxing and eagerly awaiting the first legitimate canary alert.
Assuming you're up and running:
If an attacker successfully breaches your organisation, or a rather suspicious/curious user starts mining and opening these honey-documents or canaried intellectual property files, you should receive an alert in your SIEM or mailbox.
The canary callback process is approximately:
- When the user/attacker opens said document on their system, the application parses the contents of the binary or text-based file before rendering a marvellously beautiful file in an office application, web browser or PDF reader.
- The application hits upon our canary token and, through its normal document/image parsing procedures, executes our canary code.
- The application then issues a network request to, or attempts to link to, our externally referenced token.
The destination of this network request is a server and/or service that we can access and manage, which monitors for these specific incoming connections. As such we can glean the following information from the opening of a honey-document or canaried intellectual property file:
- User's/attacker's IP address
- Approximate geo-location from the IP
- Application version
- Operating system type and version
- Time and date the token was triggered
Such information can be useful to pinpoint an attacker, a suspicious user, or possibly even an entity conducting espionage.
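As an added example that is not part of the original post: a small Python parser for the server side of the callback, which turns constructed access-log lines (combined log format, a made-up token path of the form /feedback/<token>/contact.php, and RFC 5737 test addresses) into the alert fields listed above. Geo-location is left out because it needs an external IP database, and the OS guess is a simple User-Agent string match.

```python
import re
from datetime import datetime, timezone

# Constructed sample: three combined-log-format lines from the web server that
# hosts the canary callback URL. Token, IPs and User-Agents are made up.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Mar/2020:09:14:02 +0000] "GET /feedback/EXAMPLETOKEN/contact.php HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
198.51.100.7 - - [12/Mar/2020:09:20:41 +0000] "GET /feedback/EXAMPLETOKEN/contact.php HTTP/1.1" 200 12 "-" "Microsoft Office Word 2014"
192.0.2.10 - - [12/Mar/2020:09:21:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Assumed layout of canary callback paths on this server: /feedback/<token>/contact.php
TOKEN_RE = re.compile(r'^/feedback/(?P<token>[A-Za-z0-9]+)/contact\.php$')

def os_from_ua(ua):
    """Best-effort OS guess from the User-Agent; 'unknown' when nothing matches."""
    for needle, name in (("Windows NT 10.0", "Windows 10"), ("Windows", "Windows"),
                         ("Mac OS X", "macOS"), ("Android", "Android"), ("Linux", "Linux")):
        if needle in ua:
            return name
    return "unknown"

def parse_canary_hits(log_text):
    """Return one alert dict per request that hit a canary token path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        t = TOKEN_RE.match(m.group("path"))
        if not t:
            continue  # ordinary traffic, not a canary trigger
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append({
            "token": t.group("token"),
            "source_ip": m.group("ip"),
            "application": m.group("ua"),  # application/version as reported by the client
            "os": os_from_ua(m.group("ua")),
            "triggered_at": ts.astimezone(timezone.utc).isoformat(),
        })
    return hits

if __name__ == "__main__":
    for h in parse_canary_hits(SAMPLE_LOG):
        print(h)
```

Feeding the real callback server's access log through parse_canary_hits gives you the per-token records to forward to a SIEM or mailbox.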
Of course, from the red team perspective, we do not want to be triggering canaries on a customer site; the principle is to remain undetected for as long as possible. Then, with the go-ahead and authorisation, we will start triggering canaries if the client's blue team are struggling to keep up with our activities.
So as a red team, how do we detect canaries? As we mentioned at the start of this post, it comes down to understanding file types, their metadata and how their applications function. We can easily disable canaries if we know where to find them, but usually we prefer to make a record of them so that we can start triggering canaries in later scenarios.
After downloading a folder/repository belonging to a client, we can use this simple script to check for canaries.
E.g. quickly scanning for documents with canaries:
python ./canary_checker.py -d exfiltrated_docs
python ./check.py -d exfiltrated_docs
exfiltrated_docs/Notes.docx: Clean!
exfiltrated_docs/Marketing.docx: Canary Found!
exfiltrated_docs/0pp8n4ud6j6c3uatu8rrfj2ig.xlsx: Canary Found!
exfiltrated_docs/Customer solutions.pdf: Canary Found!

python ./check.py -v -d exfiltrated_docs
exfiltrated_docs/Notes.docx: Clean!
exfiltrated_docs/Marketing.docx: Canary Found! http://******.com/feedback/89vrmxgym7v1c0hkan7rx35pv/contact.php" \
exfiltrated_docs/Marketing.docx: Canary Found! http://******.com/feedback/89vrmxgym7v1c0hkan7rx35pv/contact.php" TargetMode="External"/></Relationships>\
exfiltrated_docs/0pp8n4ud6j6c3uatu8rrfj2ig.xlsx: Canary Found! http://******.com/traffic/static/0pp8n4ud6j6c3uatu8rrfj2ig/contact.php"
exfiltrated_docs/Customer solutions.pdf: Canary Found! http://8042pfcilm14yig4mrzc4rryc.******.net/DSRGQWENUCBEMWGACCTWGPMPXEVGDTWVAL
Using the above proof-of-concept script, we can easily navigate around canary documents and store the canary URLs for a later time, should the need arise to purposefully trigger them.