But basically they would embed a remote image inside the file so it would call out to a web server upon loading the image. It also had the added benefit from a LEO perspective that if the user's main defence was running TOR browser, it would bypass that and provide the user's true IP address.
However, as I mentioned in another comment here, I actually think those particular kinds of honeypots are kind of dumb in that they only catch stupid adversaries.
Opening those files on your own machine as an attacker while connected to the net is one of those "do not pass Go, do not collect $200, go directly to jail" moves.
It's enough to catch one guy, one time. Then you follow his physical or digital traces.
If you embed a URL in emails then a lot of corporate email gateways will blindly follow the link, trying to check it for malware.
This may or may not be a useful security measure but it has many issues. One of which is that it could look like spying.
If someone receives an email coming from your employer's domain with a virus or a child porn video attached, your employer had better be able to identify the sender account through logs & audit trails.
For example, an application-specific HTTP proxy for your GITHUB_TOKEN. You can use a canary token for the internal user-facing auth. https://github.com/legobeat/git-auth-proxy [0].
That piece is being used here[1] in order to make it transparent for the user and I intend to add more features there for credentials- and secrets compartmentalization. Been keeping it fairly structured so you could also use it as a reference if you ever do similar stuff and want some inspiration or copypasta for your personal hacking.
[0]: Caveat: The proxy repo is a fork and the documentation is still more reflective of the previous owner's intentions. I ripped out all the Azure/k8s integrations.
As opposed to something which can be smuggled out and reused offsite.
I'm also thinking that by centralizing (still locally) the configuration, we can get better key rotation hygiene habits without needing to compromise on credential granularity.
Just like there are security benefits in using a secured HSM instead of a world-readable private-key file stored in your unencrypted home directory, even if, yes, the HSM can be abused by a locally privileged attacker.
(I'm definitely not saying I have a silver bullet though, and I don't think one exists. Like any realistic solution, it should be part of a defense-in-depth strategy. Things like hardware keys make for incremental gains, etc)
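The kind of application-specific proxy described above (a local process that holds the real GITHUB_TOKEN while the tools on the box only ever see a canary value), as an added example that is not code from git-auth-proxy or from the commenter. It assumes, hypothetically, that the real token arrives in the GITHUB_TOKEN environment variable, the canary in GITHUB_CANARY_TOKEN, and that local tools are pointed at http://127.0.0.1:8080 with the canary as their credential; the allowed path prefixes are likewise an assumption:

```python
"""Local credential-compartmentalizing proxy for the GitHub API.

Added example, not code from legobeat/git-auth-proxy. Assumptions (all
hypothetical): tools on this workstation are configured with a canary
value (GITHUB_CANARY_TOKEN) and pointed at http://127.0.0.1:8080; only
this process holds the real GITHUB_TOKEN, read from the environment.
"""
import http.server
import os
import sys
import urllib.error
import urllib.request

UPSTREAM = "https://api.github.com"
# Least privilege: forward only the API paths the local workflow needs (assumed list).
ALLOWED_PATH_PREFIXES = ("/repos/", "/user", "/orgs/")
# Headers that must never be copied from the inbound request to upstream.
_DROP_HEADERS = {"authorization", "host", "proxy-authorization", "proxy-connection",
                 "connection", "content-length", "transfer-encoding"}


def path_allowed(path: str) -> bool:
    """Allow only the listed prefixes; everything else is refused locally."""
    return any(path.startswith(p) for p in ALLOWED_PATH_PREFIXES)


def check_and_swap(headers, canary: str, real: str) -> dict:
    """Validate the locally presented canary; return upstream headers carrying the real token.

    Raises PermissionError when the presented value is not the canary. The
    message distinguishes a leaked real token (compartment breached) from
    any other wrong value, so the alert can say which it was.
    """
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if presented == real:
        raise PermissionError("real token presented on the local side: it has escaped the proxy")
    if scheme.lower() not in ("bearer", "token") or presented != canary:
        raise PermissionError("presented credential is not the local canary")
    out = {k: v for k, v in headers.items() if k.lower() not in _DROP_HEADERS}
    out["Authorization"] = f"Bearer {real}"
    return out


class _Handler(http.server.BaseHTTPRequestHandler):
    canary = ""
    real = ""

    def _proxy(self):
        if not path_allowed(self.path):
            self.send_error(403, "path not allowed by local policy")
            return
        try:
            out_headers = check_and_swap(self.headers, self.canary, self.real)
        except PermissionError as exc:
            # A canary mismatch is the signal: log it to stderr and refuse.
            sys.stderr.write(f"ALERT {self.client_address[0]} {self.command} {self.path}: {exc}\n")
            self.send_error(401)
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(UPSTREAM + self.path, data=body,
                                     headers=out_headers, method=self.command)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                status, hdrs, data = resp.status, resp.getheaders(), resp.read()
        except urllib.error.HTTPError as exc:
            status, hdrs, data = exc.code, exc.headers.items(), exc.read()
        self.send_response(status)
        for k, v in hdrs:
            if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _proxy


def serve(host="127.0.0.1", port=8080):
    _Handler.canary = os.environ["GITHUB_CANARY_TOKEN"]
    _Handler.real = os.environ["GITHUB_TOKEN"]
    http.server.ThreadingHTTPServer((host, port), _Handler).serve_forever()


if __name__ == "__main__":
    serve()
```

The real token never leaves this process, so a tool's config file, shell history or environment dump only yields the canary, which is worthless against api.github.com directly; if the canary value is itself one that alerts when used against the real API, lifting it and reusing it offsite trips an alarm instead of granting access. Rotating the real token then means updating one place rather than every tool on the machine.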
https://learn.microsoft.com/en-us/defender-xdr/deception-ove...
But in my opinion, deception tech is best implemented in-house. Nothing wrong with using externally developed tools, especially for high signal-to-noise things like honeypots, but the actual monitoring and alerting data flow should ideally be environment-specific.
If your company is making deception software, then you already know that Microsoft, Google and similar companies are your competition if your strategy is to do what they do, but I'm sure you've already strategized around all this.
I also have a lot of security knowledge (mostly from books rather than practical experience) from non-infosec case studies like intel agency operations, insurgent groups, law enforcement, military, organised crime and other scenarios where the consequences of making bad decisions are incredibly high and probably involve some level of violence at a minimum.
I always thought that this XKCD comic (https://xkcd.com/538/) summed up nicely precisely how that factor can actually change your threat model fairly significantly, in a way that I don't generally see turn up in the field of cyber security specifically.
But more than that, I just generally found that to be an invaluable resource when it comes to how to think about what actually makes these things work in the real world and what you can actually do in order to really make life very miserable for an adversary long before they even realise what's going on.
It’s probably been the most fun thing I’ve built in 20 years.
They get your foot in the door, and (particularly techniques) eyeballs looking at ads for their hardware. Looking at their site[0], the minimum you can buy is 2, at a price of $5k total
`-p rxwa` causes logging of any read, exec, write or attributes change on that file. More in `man auditctl`.
Among others, this has the benefit that, in principle, such a honeypot triggers immediately and not only after someone decides to try using some actual credentials/data.
Obviously needs some work to make this robust (logs monitoring plus alerting), but it's a nice building block worth knowing and, if you care, then you probably already have those additional pieces in place anyway.
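The "logs monitoring" building block the comment above says is still needed, as an added example (not the commenter's code): it reads raw auditd records, groups them by event serial, and pulls out who touched the honeypot file for each event tagged with the rule's key. It assumes a watch rule of the form `auditctl -w /home/alice/.aws/credentials -p rwxa -k honeyfile` and the raw /var/log/audit/audit.log line format; the sample records below are constructed, not captured from a real host, and the path, key and uids are made up.

```python
"""Parse raw auditd records for watch-rule hits on a honeypot file.

Added example, not from the original comment. Assumes a rule like
  auditctl -w /home/alice/.aws/credentials -p rwxa -k honeyfile
and the raw /var/log/audit/audit.log format. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

_EVENT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# auditd hex-encodes these string fields when they contain spaces or control characters.
_HEX_FIELDS = {"comm", "exe", "name", "cwd", "proctitle"}


def _decode(name, value):
    """Strip auditd's quotes, or hex-decode the fields it encodes that way."""
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if name in _HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_events(lines):
    """Group records by audit serial: {serial: {"ts": float, "records": [(type, fields)]}}."""
    events = defaultdict(lambda: {"ts": None, "records": []})
    for line in lines:
        m = _EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: _decode(k, v) for k, v in _FIELD_RE.findall(rest)}
        events[serial]["ts"] = float(ts)
        events[serial]["records"].append((rtype, fields))
    return events


def honeyfile_hits(lines, key):
    """One dict per event whose SYSCALL record carries the given audit key, oldest first."""
    hits = []
    for serial, ev in sorted(parse_events(lines).items(), key=lambda kv: int(kv[0])):
        syscall = next((f for t, f in ev["records"] if t == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        hits.append({
            "serial": int(serial),
            "ts": ev["ts"],
            "auid": syscall.get("auid"),   # login uid survives su/sudo
            "uid": syscall.get("uid"),
            "pid": syscall.get("pid"),
            "ppid": syscall.get("ppid"),
            "comm": syscall.get("comm"),
            "exe": syscall.get("exe"),
            "success": syscall.get("success"),  # a denied open is still a hit
            "paths": [f["name"] for t, f in ev["records"] if t == "PATH" and "name" in f],
        })
    return hits


def alert_line(hit):
    """Single-line summary suitable for shipping to a SIEM or alerting hook."""
    return (f"HONEYFILE key hit serial={hit['serial']} ts={hit['ts']} auid={hit['auid']} "
            f"uid={hit['uid']} pid={hit['pid']} comm={hit['comm']!r} exe={hit['exe']!r} "
            f"success={hit['success']} paths={','.join(hit['paths'])}")


# Constructed sample: one hit by an interactive user, one unrelated event, and
# one failed open by a hex-encoded "my tool" run as www-data with no login session.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c9a2b2a0 a2=0 a3=0 items=1 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="honeyfile"
type=CWD msg=audit(1700000000.101:4567): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:4567): item=0 name="/home/alice/.aws/credentials" inode=262401 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:4568): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd12345678 a2=0 a3=0 items=1 ppid=900 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="vim" exe="/usr/bin/vim" subj=unconfined key=(null)
type=PATH msg=audit(1700000000.250:4568): item=0 name="/home/alice/notes.txt" inode=262402 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000042.900:4610): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5629a0b1c2d0 a2=0 a3=0 items=1 ppid=2 pid=4242 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm=6d7920746f6f6c exe=2f746d702f2e782f6d7920746f6f6c subj=unconfined key="honeyfile"
type=PATH msg=audit(1700000042.900:4610): item=0 name="/home/alice/.aws/credentials" inode=262401 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

if __name__ == "__main__":
    for h in honeyfile_hits(SAMPLE_LOG.splitlines(), "honeyfile"):
        print(alert_line(h))
```

Two details matter for a honeypot specifically: a failed open (`success=no`) is still an attempt and should alert, and `auid` rather than `uid` tells you which login session the access came from even after `sudo`. The decoder handles the hex-encoded `comm`/`exe` that auditd emits for names with spaces, which is exactly the kind of name a dropped tool tends to have.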
Super easy to configure via webhooks into a SIEM or any kind of alerting platform.