Cybersecurity Mentors Podcast

Mastering the Art of Deception in Cybersecurity

Cybersecurity Mentors Season 3 Episode 1

In this episode, we dive deep into the world of cyber deception—from classic honeypots to canary tokens and more. Learn how deception isn't just a defense tactic, but a skill every aspiring cybersecurity analyst should master. 

We'll explore real-world stories, ethical considerations, and how strategic deception can give you the upper hand against attackers.

Episode Resources:

Check out our new merch shop! https://the-cybersecurity-mentors-pod.myspreadshop.com


Steve:

Could you teach me? First learn stand, then learn fly. Nature rule, Daniel-san, not mind. I know what you're trying to do.

John:

I'm trying to free your mind, Neo, but I can only show you the door. You're the one that has to walk through it.

Steve:

What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life. Welcome back to the Cybersecurity Mentors Podcast. This is season three. We appreciate all of you for being here again. This is a show where we help you break into the world of cybersecurity, help you build your career, and learn from experts who've been in the trenches. Today we're diving into one of the most fascinating and sometimes underestimated tools in cybersecurity: honeypots. John, what can you tell me about honeypots?

John:

Yeah, it's one of those things that have been around a long time. I'll start with a quote from Sun Tzu and The Art of War. I've got a few quotes I'll throw in here. Some people say The Art of War is played out, but it's still good. The first quote I've got is: all warfare is based on deception, right?

John:

So if you think about that, that means a lot, right? There's deception in everything. There's deception in what offensive people are doing, what adversaries are doing, and in what we're doing for defense, and if you aren't using deception, maybe you're missing out on something, right? So think about that as we think about how we defend our organizations. As a defender, how do you utilize deception? Honeypots are a key part of that strategy. It's not the only piece of defense, but it is a key part of the strategy for defending our networks, defending our systems.

Steve:

Absolutely. So, for someone who may not know or may be new to cybersecurity, what is a honeypot and how do they work?

John:

Yeah, so there's different types of honeypots. They're essentially just a bait, I guess you would say, right? Another quote, just because it has the word bait in it, is Sun Tzu's: hold out baits to entice the enemy, feign disorder and crush him. So it's a bait. It's something that's enticing, that an adversary may find, that looks interesting, that they want to connect to or interact with or try to hack in some way. Essentially it could be a program, it could be a file that looks interesting. So imagine you had a file called passwords.txt or passwords.xls, whatever, and it's sitting out there, and a bad guy is in your network looking for things to pillage, and all of a sudden they come across this juicy target.

John:

And they think, man, I found the mother lode, right? I'm ready to jump in. So, essentially, it's something that's out there, presented in a way that looks interesting, that you could then use to learn about the adversary, learn about what they're doing, and get an early warning sign that something bad is happening, that somebody's trying to access your stuff, and/or learn their techniques and tactics: how they get access, how they might try to escalate privileges, how they try to move laterally, all those things. Instead of waiting till you get hacked, you could use a honeypot to get some of that information, and that could then educate how you defend. Oh, I learned that when they hacked my honeypot, they were using this new rootkit, or they attempted to use this new rootkit and nobody's heard about it before. Let me go find out more and dig into that and find out how we can defend against it. Okay, there's a couple different ones too.

John:

So there's like a low-interaction honeypot, where there's very little going on when somebody hits it. There's not a lot behind it, right? Maybe it's an SSH session that they get into and they can't really interact, they can't do a lot of commands and things like that. A high-interaction honeypot is really more like a real service, where it looks like SSH: I'm in there, I'm typing commands, it looks like I have full access to do what I want to do. And then there's honey tokens, or tokens that are out there, that are really just those breadcrumbs that you can put out, more like the bait. That's like, oh, somebody touched my file, like the passwords.txt, and they opened it. So those are more sprinkled throughout, wherever you put those. So those are kind of the main categories of honeypots, and that's generally the summary of what they are.

Steve:

Okay, perfect. So it sounds like you have a lot of experience using said honeypots.

John:

Yes, I do, and I love it. I love being able to get tipped off early on something that could be happening that we maybe would never get an alert for, right? You get so many alerts all the time, and you're filtering all those alerts down to something that's actionable. You get so much log data, just tons of information. But if somebody touches this passwords.txt or this service that's not a real service, it is a true positive right away. Now, generally you might have somebody that's enterprising, that's on your network, and just accidentally hits that file or accidentally hits that service. But normally that's unusual. Normally, when something hits it, it is worth investigating immediately, and it tips you off that somebody is doing something unauthorized.

John:

So there's not many alert systems that you can bake in, that you can rely on like that. Most systems are like, OK, well, this system administrator ran this command that they don't normally run, or this other false positive. Those happen all the time, and you kind of get worn down by the false positives. So this is more what I would call active defense or proactive defense, where you have this thing out there sitting and waiting, and when you get that alert, you better go look at it right now. So yeah, I really think this is awesome.

Steve:

Yeah, no, that's great. So then, and you kind of just answered my question because I was going to ask: would having a honeypot be more of an offensive or a defensive move?

John:

Yeah, generally I would say it is defensive, and you could use it to inform offensive moves if you were able to. Depends on what you're doing. If you're doing like a king-of-the-hill, capture-the-flag thing, then it's all hands on; you can go offensive. In a real-world scenario, you're generally not authorized, and it's illegal to hack back, as it would be called. But that doesn't mean you couldn't use this to frustrate an adversary or slow them down or bog them down, or, like I mentioned before, to glean as much information as you can. That's more passive for sure. So I would say it categorizes as active defense, where maybe you're able to kind of sidetrack them or frustrate them, where they may go, okay, I'm gonna go do something else, I'm gonna go after somebody else, I'm gonna go somewhere else.

Steve:

So, just to recap, why are they important? You mentioned early threat detection, being able to identify them or new attack patterns, or whatever it may be, earlier than you normally would, because, you mentioned, normally you may not get any sort of alert for the type of activity that they're doing. You mentioned threat intelligence gathering, so learning about the attacker, their methods, their tools, their behaviors. Obviously, it's a distraction and deception, so we're having them focus elsewhere. I feel like at that point you're kind of controlling the scenario. You're controlling them, having them focus where you want them to look and not where they should. And then, would you say that this could also help you understand weaknesses in your organization?

John:

A good example would be if you had a honeypot and it's on the border, the internet-facing border, of your network, right? Well, one thing to note about that is that you are putting something out there that is going to be attacked. So in some ways you're kind of drawing some attention, but honestly, everything's attacked all the time, right? If there's some open service, somebody is going to probe that service. I mean, it's going to happen all the time.

John:

I don't know if it helps you determine what your weaknesses are per se, but it would help you detect: are people paying attention to my internet-facing services? How quickly is it happening? How often is it happening? What does that look like? So it's more intelligence gathering versus identifying weaknesses. If you have this happen internally, say you have things internally, then yeah, if people are hitting that, then you have a bigger problem, because now you've got a weakness where people are inside your network. That's a big weakness. Hopefully that's very rare.

Steve:

Yeah, absolutely. All right, perfect. Now I've heard that you've actually written a honeypot.

John:

Yep, that's true. It's been a while. I don't remember when I first got the idea to write one. I had been inspired by others that had written Linux versions of little honey services, honey ports you could call them, where it emulates a port on a server, usually a Linux box, because it's easier to do. Imagine you're running a fake FTP service, and somebody touches that service, and it could notify you or block them at the firewall, write an iptables rule that would block them. And so I was thinking, well, that's cool, but there's not a lot of that for Windows without having to install Python, which most Windows boxes don't come with. So I thought it would be cool to write a PowerShell version. This is also tied to, like, ec and kind of king-of-the-hill, attack-and-defend scenarios, where you're trying to keep bad guys out, and if somebody probes a port on your box that looks like it's open, you could auto-shun them, block them. And so I thought it would be neat to write a PowerShell script that would do that, which was actually really fun and really helped me; it gave me a reason to play with PowerShell and learn PowerShell. I'm still not an expert at it, but it was something that was really useful to give me a reason to learn a scripting language. But yeah, so I wrote that a while back. It's on GitHub. We'll link to it. I need to update it. I've been playing with updating it and messing with it. I need to modernize it to the latest and greatest ways with PowerShell and new things to do with PowerShell.

John:

But essentially what it would do, which was cool, is you would tell it what ports you want to emulate. So, say you want to put 21 and 25, right? It'll ask you what ports you want to emulate. You hit enter. It creates a couple of background jobs that listen and just wait for something to connect. And if somebody connects to those ports, say they do an nmap of your system, then it will add a firewall rule on the Windows Firewall and block those hosts. But then it will also write a Windows event log entry, that I call like Blue Kit or something, that says, hey, this IP tried to connect to this port, and we blocked them, right?

John:

So imagine you had this running on a bunch of Windows servers throughout your network. This is kind of the idea. Normally nobody should really be nmapping your ports on a regular basis. You might be doing that with vulnerability scanning, but you could whitelist things. So that was the other thing that it does: it has a whitelist so that you don't block your important services or important servers, like DNS and DHCP and things like that, which normally wouldn't connect to those ports. But anyway, just to be safe, so you don't denial-of-service yourself.

John:

But I call it Blue Kit because I was thinking about this whole kit of tools that I could build out that were like active defense for Windows servers, that would kind of make it self-aware, almost like, hey, somebody's trying to mess with me, turn this thing on. I actually got the idea because in a collegiate cyber defense environment, you've got a Windows server and it's super vulnerable, everything's exposed, it's got all these backdoors. Wouldn't it be cool to have a script kit that you just download and deploy, and it would lock everything down and then start doing active defense, like watching for the red team to start attacking you and start blocking them actively? So just in that scenario anyway. So yeah, it was cool. It was picked up in a book or two.

John:

It's actually been picked up in two books, which is pretty cool, I thought. One of those is John Strand's book, what's it called, Offensive Countermeasures, the Art of Active Defense. So he talks about all these different honeypots and ways you can use them to do active defense. Shout out to John Strand at Black Hills Security. And then it's also in, I think, the second edition of, I've got one over here, the Blue Team Handbook.

John:

So I think it's the second edition of that where they talk about honeypots and things like that. They just found the script out there on GitHub and liked it, which is cool, and referenced it in both of those books.

Steve:

Very nice. So we'll also put a link, you said, in the description of this video, so people can go check it out. And you mentioned you are updating it, so definitely be on the lookout. So what are some real-world honeypot applications?

John:

So, really, I think you can play with the different interactive ones, low-interaction or high-interaction. And I mentioned putting something on your border and your DMZ, where it's out there on the internet. You know it's going to get probed. Here's a real application. You have this honeypot out there, and say you have SSH running, maybe FTP, maybe RDP, and you're emulating these services. They're not real necessarily, but when somebody hits you with that, you have that data piped back into a firewall block rule that just says, all right, listen, if you can't play nice on my network, you can't play, right? I used to call this the machine shunner, instead of machine gunner, because you're shunning all the time, you're blocking on the firewall all the time, so it's a lot. But look, maybe it's just noise that you're stopping, but it's somebody that is actively probing you, and what else could they find? Maybe there's a weakness that you don't know about, and you're looking for this kind of activity, and all of a sudden they're starting to probe you a lot. Then you just block them: okay, go away. Now they could switch IPs and do things, but still, you've made yourself less of a target, or a more annoying target to attack. Say you don't know that there's a new zero-day or a very new vulnerability in a service, and all of a sudden you're getting really pounded by attackers trying to enumerate that service or get into that service, and you don't know that there's something up. They know, right, because they're ahead of the game. But now you're getting some intelligence: wait a minute, maybe there's something going on here. We see this spike in activity in this web service. Is there something going on that we don't know about? It's just kind of the early warning sign of things that could be happening.

John:

As I mentioned, using those tokens throughout the network. I think this one, and I'll shout out Canary Tokens, because I think it is the easiest and most applicable real-world use case that's out there. Number one, you can go play with them right now. You can go to the Canary Tokens website, and they're awesome. I really like playing with them. I've used them often, and you don't have to have a service, you don't have to have a server.

John:

Some of these honeypots are a headache to get stood up and get going. You don't have to have any of that stuff. You really could just have a file or an image or a PDF, all these different breadcrumbs, even a website token that you have inside of a website. If somebody clones that website or copies that website, you will get an early warning that somebody has cloned it.

John:

Now, what's a good use case for that? Maybe it's your login page that phishers are going to use: capture your page, download your whole page, and then host it on a site that they've compromised, and they're going to now phish you with that site, and you wouldn't have known that. But you could embed a hidden canary token in that page that starts pinging you and saying, hey, your login page is now hosted here, and it's not hosted at your domain, it's hosted somewhere else. Something's up, right? What could you do with that? Well, you could go ahead and block that whole domain, that whole URL, and say, look, if somebody sends a phishing email with that link in it, don't let anybody click on it. And you would never know that until you got that email with the link in it, and now you're reactive versus proactive, with the alert letting you know that somebody's trying to stage for that phishing attack. So that one is awesome and super legit.

John:

Other things, like I said, sprinkling files that are interesting throughout your network. Maybe somebody just happens to come across it. But really, how about people that are in there that maybe you don't know about, and they're starting to enumerate and look for those really interesting files that could give them more access or escalate their privileges? Canary Tokens is awesome. The website is awesome.

John:

They updated it recently to add different things. They keep updating it, and this company is a really, really cool company. They have all kinds of cloud versions. They even have, I saw this recently, a fake app that you could put on a phone, and if somebody were to play with it or try to access that application, and you can even pick the icon of what the app looks like, if somebody were to mess with it... A good example: say your phone was stolen, they got into it somehow, and you had a fake password manager app on your phone, and somebody tries to get into it. Well, it will call back and let you know the location and the IP address and more information about who and where it is, if that were to happen. Now, that's a bad deal, but it's still cool.

Steve:

That's pretty cool.

John:

Yeah, it's still cool. So yeah, those are some real-world examples of how you can use honeypots.

Steve:

That's awesome. Those are awesome stories because, yes, we do use honeypots at our organization, and they have been very, very, very useful to us and helped us tremendously. So we're definitely gonna promote those for sure. So, how... tell us a...

John:

...couple. I got a couple of stories.

Steve:

I was going to say tell us a story.

John:

Okay, well, I'll kind of combine it, because this is a very similar story that I recently... this happened last week, this week. This really happened recently. We get people that will send us phishing or scam emails all the time. Specifically at a university, students are targeted a lot, and they're scamming people and trying to get money from them. So how is this happening? Someone will send out an email to a bunch of students and say, hey, I've got a research opportunity for you, work remote. I'm going to pay you 300 bucks a week, and you're going to make a lot of money, and you really don't have to do a lot of work. So it sounds too good to be true. Usually it is. And they pick a real professor. They will pick somebody that's not just some random professor. They pick a real one, and then they'll send these emails.

Steve:

So students aren't paying attention. They'll impersonate the professor, right?

John:

Yeah, sorry. They'll impersonate, and the students will get this email and they don't look at the sender, they just see the display name. They don't actually look at the real sending email address. And they'll say, hey, all you got to do is reply to this message if you're interested. Well, a lot of them now, they're trying to get out of our system so we can't detect the conversation or see the whole conversation. They'll want you to get to texting as soon as possible. Well, let me keep going on how this works.

John:

They'll ask you to fill out an application, maybe, or they'll just say send us your resume. And then they will say, all right, great, do you have mobile checking? Do you have a mobile app on your phone, and can you deposit checks through that? And most people say, yeah, I think so. I'd never done it before. And they will send you a check. It's essentially kind of like your first paycheck, but also to buy some equipment. But in order to buy that equipment, we're going to send you the money, and then you have to send that money to somebody else to buy your laptop and your printer and things like that. It doesn't make a lot of sense, but they're very pushy about getting you to deposit this check.

John:

You take a picture with your phone. I don't know why this is a good idea, but anyway, you take a picture with your phone, you deposit this money, it might be two thousand dollars, and now you need to send that money to somebody else, that's also them. You will send maybe 1500 bucks or something, maybe all of it, and then that check will eventually bounce, and now the student, or whoever, is out that money, and your bank is really pounding on your door because you've deposited a fake check. Students are poor anyway, right? They don't have a lot of money, and now their bank might close their checking account. So this is happening. And I noticed this happening, and one day I was just like, look, okay, I'm going to mess with these people. I want to find out more about these people and know where to mess with them. So I submitted and said, hey, I'm a student, I'm interested in this position. Please let me know, I'm very interested. And so they said, oh, great, great. They've got a live one, right? And so they reply back and they say, send us your resume.

John:

So I essentially mostly use Canary Tokens for this. So I created a resume, a Word document that had a hidden embedded canary token, which would essentially email me and notify me when somebody opens it. And I called it resume. It was empty. There wasn't anything even in it, and I was like, here's my resume. I didn't even take the time to make a fake one. I could have, but I didn't. But what I learned was they didn't even look at it, because I sent it to them and I got no responses back. I was like, shoot, they didn't.

John:

Okay, I've got to keep going here, because I thought this was going to help me catch them or at least notify me where they were. So that didn't work. And then they said, okay, great, do the research on this: your computer, the printer and some other office equipment. It's like, Google this, right, get a price for these things to get an estimate. So I did that, put it in a spreadsheet, an Excel spreadsheet, created another canary token with this data in it, had a hidden thing in it, and said, oh, here's the spreadsheet.

John:

And I had to kind of get tricky with it, because Google doesn't like it when you send documents with scripts in them, and it will actually stop you from sending it. So I had to zip it. I don't know if I even had it encrypted, I may have had to encrypt it, but I zipped it and I said, hey, here's the email, here's the thing, unzip it. And they didn't open that either. They didn't even look at that. So I was like, oh my gosh, that's not working.

Steve:

But you didn't give up.

John:

I didn't give up. Right, I didn't give up. So then they're interacting: great, great, we got this check and we want you to deposit it. Do you have mobile checking, mobile deposit? I said yes. What's your bank and what's your maximum amount? I just looked up something, I Googled a bank and what their maximum amount was. It was like $2,000, something like that. So I told them that, and they're excited by this point, and so they send me a check, a picture of a check, and it looked okay.

John:

Since then, I've seen some that look really legit. There's actually services out there to make these checks. They're legit checks, but still not for legit purposes. You've got to have the money behind it. But they sent me this picture of a check, and they said, take a picture of this, deposit this into your mobile app, and let us know as soon as you do that. And I was like, shoot, what am I going to do here to keep them on the line? I kind of gave it a day to think about this. And, like I said earlier, I was interacting with them actually two different ways: one through Gmail and one through texts, and I was using a fake text number.

Steve:

Sorry, Greg. And it was the same group, or the same people, we believe?

John:

Yeah, same people. So I was connecting back and forth. They would interactively message me through text messages, but at the same time I was sending them stuff through email, through an offline email. They wanted me to get out of my university email. They wanted me to stick with the Google email, whatever it was I was using. So it hit me. I was like, you know what? It's easier to impersonate where you're coming from through email, right? You could go use a VPN, use maybe a pivot point, use Tor or whatever makes it harder to track you down. But it's not so easy to do that if you're doing this through text messages, right? So if I'm on my phone and you're sending me a text message and I open up something...

John:

Most people aren't spoofing that or emulating that somewhere that's going to pop up somewhere else, right? So I thought, hmm, what if I could get them to open something through the text messages that will then ping back their location and details about their device and stuff? And that's one of the things that the canary token does. So, knowing how interested they were in getting the money, I said, hey, I tried to deposit the money but I got this error message, right, and here's the error message. And so in text I gave them a PDF, a document that was just fake, whatever, but in there was a canary token that would ping back, just like the other ones, but they didn't open those. So when I said I have tried to deposit the money, I knew that was going to be... I'm social engineering the hackers, right? They're like, man, I gotta figure out why I can't get this money. They opened it within seconds in the text messaging. Now I say they because I got two pings right away: one ping from a location in Chicago, and another ping from a location in Europe, like back to back. Boom, boom, two different IP addresses popped up.

John:

So that told me one thing. One, there's multiple people involved. Two, there's people in the US involved and people in other countries, which is kind of typical for what we see. But they're all connected, they're working together to try to scheme and scam people. And it gave me information about their devices, what the user agents were, things like that, what kind of device they were. Now that's really kind of where that one ended.

John:

But I did talk to the FBI, and I said, hey, I don't know if you guys track this. This is a big problem, because all universities are getting hit with the same attack. There's a lot of money being lost by this, if you add it all up across... I don't know how much it would be, but it's a lot.

John:

And so I just gave them this information. I said, hey, here's some information. Here's the location, here's all that Canary Tokens gave me about their devices. Here's the IP addresses, here's the phone numbers, or the phone number, right, and just passed that on. Now what do they do with it? You don't know, right? They're kind of the black hole when you give them that kind of information. They don't tell you, oh yeah, we used this and we busted in the door, we got them. You can envision, you hope that's what happens, but that's not always what happens.

John:

But recently I had a very similar thing happen, I'll make this one shorter, where somebody hit me up on an account that I use sometimes for fake, kind of messing with these, almost like canary tokens or honey tokens, where I fake-logged into a phishing form with this account and with a fake password, and they hit me. They sent me a message on my Google Voice number that I use sometimes for this stuff, and it said, hey, did you submit this form that said you wanted to make sure your account did not get deactivated? And I knew this was a scam, and so I said, yeah, of course. I said yes, please. And then they replied back and said, oh, okay, good. Well, we just want to make sure your account doesn't get deactivated.

John:

And I was like, okay, well, I don't have that link anymore. Can you share with me the link that I used to submit it? And they didn't have that. But they did have the user and password that I used, which was a fake email and a password that was just a bogus password. And I was like, oh, okay, well, that password's old now. I didn't want them to think that they had a real account or to try it. I said, oh, no, no, that's old now. I need to submit a new one. And they wanted me to put this in the chat. They didn't want me to have to resubmit it through a link. Again I said, no, no, no, I feel more secure if I submit this to the form you gave me last time.

John:

So they made up some form, or it's like one of those sites that you can create forms for, and it's actually a terrible-looking form, looks fishy, but, um, so I submitted. Well, no, I didn't submit. I said, oh, um, I tried to submit but I kept getting this error message, kind of similar to the, I tried to deposit this check, I got an error message and here's the link. Here's the image of what it looked like. Now, again, with Canary Tokens, I could use this to submit something that has a callback in it, um, if they visited it and tried to view it. Now, let me give you some practical information. I don't recommend just using the link that Canary Token gives you, because it says in there

John:

canarytokens.org, right, and it tells you the whole URL. So if you're looking at the URL, you'd be like, I'm not clicking on that, right? So I'm trying to get them to open it or click it, and I just use like a URL shortener, like, OK, you know, and these people are not that smart. They seem smart, that's another thing. This is intelligence gathering. They seem very smart because of what they're doing and how they're scamming people, but they're not really that technically savvy.

Steve:

Would you say that most of the time they're just following a playbook? Like people have instructions of what to do next like steps.

John:

Okay, do this first, and then do that, and then do that. Yeah, and I'm not gonna say they're not intelligent, they're just not technically savvy, right, but they're fishing, they're just trying. They're just trying for people that are the low-hanging fruit. They're trying to go after your grandma. Yes, they're not, they don't realize when they've got a shark on the other end of the line, right? They're just thinking, I got grandma.

John:

I'm like, okay, you're about to get eaten. So yeah, so, um, I send them that link and at first they wouldn't click on it. I was like, come on, this is why you gotta use the social engineering skills. I was like, listen, um, they use this word. This is what's interesting too, and you'll see these in phishing emails. They'll say kindly open this thing, kindly open it, would you kindly? And this is like a reference in my head back to the video game BioShock, where this whole thing about "would you kindly" was like a mind, uh, you know, manipulation keyword.

John:

When somebody would say "would you kindly," you would, like, follow whatever command they said. Yeah, well, I don't know if that's what they use it for. I don't have, I think it's a translation thing. I think they learn this in school, because they don't speak English as their first language, of, like, using kindly as, oh, that's the way you are very polite, and they'll see. I see this all the time. Now it stands out a lot.

John:

So they said it twice, and they were like, kindly, they wanted me to put the password that I had in the text message. I was like no, no, I'm not doing that. I told them back. I said, would you kindly look at my error message, right? I'm trying to trick them back, right, and it worked. It worked. So I thought they were going to not do it because they were getting fed up with me and stressed with me. But, um, but then I got a ping on the second image I sent them, and it showed me where they were, they were in California, showed me their IP address, showed me that they had an iPhone, showed me the user agent.

John:

Now, if I was a bad guy, I could do a lot more and do things differently. I'm not, but at least now I know more information. And the other thing that I learned in this was the URLs they were using. We could take that information and block those domains, right. They were not legit domains, so I wouldn't have known that if I hadn't done that, right, if I hadn't had the interaction, and it's also, it's also fun, it's also interesting. But I'm going to make sure to put a warning there: beware, be careful, right. You know, trained professionals only, but you really do, you got to be careful because you never know who, who you could be interacting with, that are technically savvy, that could pick up on this and escalate things, and you want to make sure you're doing good operational security. You don't want to use your real phone. You don't want to use your real email.

John:

You know you don't want to use anything real that they could potentially track back to you or to your organization. So that caveat there.

Steve:

So basically, you heard it here first, John says create an alter ego, have someone, have a second version of yourself that you use specifically for this type of work. So that's right, there you go, I do it.

Steve:

All right, awesome. So, you know, this has been a lot of awesome information. You know you and I, John, we are familiar with honeypots. We use it in the day to day. You definitely are, I would consider, an expert, just with the back and forth and your experiences that you've had. But for those listening and those trying to get into the world of cyber, why should they set up their own honeypot? What do they get out of that? What will they get if they follow and set up their own honeypot? Like, what will they get if they kind of follow and set up their own honeypot?

John:

Yeah, I think one of the biggest things is, and I think about this all the time, is offense informs defense and understanding what that means. Understanding that deception is part of the game and part of the skill set that you need to have. But also, like, even when I built the one that I wrote, I learned a lot. I learned a ton. I learned how to use PowerShell. I had help from others to help me update it and make it better, but I learned a ton about how would I work with something that I'm trying to write that interacts on the network and it has something that's probing it, and things like that.

John:

So I think it's an awesome opportunity to pick something right there. This is a space that I think needs more attention, right? This is a way to set yourself apart from others. I love, and John Strand, I mean, like this book, he's written two of these, you know, editions. He, he's a believer and I'm a believer with him, and I think that this, if you came in and this is something you had done and you'd written something or put together something on your resume, it's going to, I'm going to ask you questions about it, right? I want to know, what do you know about this, and why did you do this, and what did you learn from this? So I think it is a thing that there should be more of. I think that there's not that many that are out there that are enterprise ready, right, because there's some headaches with setting these up, but I'm hopeful, and there's actually some of the future, of what the future looks like, but I'm hopeful that this is going to be a thing that gives you better detection, better response because of the true positives that you normally get, right.

John:

I love it when we get a hit, that's a true hit, that somebody hit one of these, because they don't know that we know. That's the other thing. They don't know that we know, right, and so I think it's, it is a, I mean, think about, there's probably not many classes out there or courses that teach honeypots. There are, there are some out there, but there's not many.

John:

But I think this kind of active deception, it really stands apart as a skill, as something you can play with. Again, take my example: write a script that does this, just to learn how it works. You can start super small with, like, one little program. It runs. It just says, hey, if something touches this, I'm gonna write a log, I'm gonna write an error, I'm gonna write something, right, um, and then just kind of play with it more and more. So I think it's just something that, um, will set you apart more than anything, because a lot of people aren't and have not really played with it, because I think the reason why is because people think this is one of those things that they're nice to have and they're fun, but they're not real. And I would say, well, let me tell you, you know, this, this is real, is...

Steve:

Real, right?

John:

We use this in the real world, and the real example, and maybe that's, you know, it can help detect and defend better than what you do traditionally. So, um, and it's just cool. So there you go, it's got the cool factor. You're right, you put this on your resume, you put this as a thing you've written about, put it on your GitHub. Then it's definitely a good topic for conversation.

Steve:

Absolutely, I agree, and you'd be surprised how many, potentially, how many organizations may have honeypots on their list as a would-like-to-have, but maybe the funding, maybe the manpower, the knowledge is not there for them to actually follow through. And if you come in with your resume and you already have some level of hands-on experience, even attempting to set up honeypots, that already can look really good on your resume. So, John mentioned some hands-on learning, practical experience, help understand cyber threat attack patterns, right, because you're seeing things in real time. Obviously a great resume builder, a job interview topic to discuss in job interviews, and even if they don't bring it up, you should, like, if you can actually set something up, test it, have it kind of work out, um, that would make a good story for you to share in your interview as well. All right, John. So what's the future of honeypots?

John:

What I've seen, there's some white papers out there that we can link to, that it looks like interesting, based off of combining LLMs, right, large language models and GPTs, to make honeypots more interactive, more deceptive. You know, kind of have, imagine you have, you know, those services, an SSH service, a terminal service that's running that somebody connects to, and the ones that are out there are good, but there's limitations to how interactive they can be, right. They may not.

John:

People are manipulating and trying to do things, like, this is not right, and they get out because now they're worried that they've been detected. But imagine that, but then there's ChatGPT on the back end, or a GPT, and it's working with you as if it's a real service and interacting and giving you results, because it's got all this data behind it, and you really can't tell that it's a fake service, that's a fake terminal service. How much more maybe you could get out of that interaction and deception to be able to learn even more than you could just by some initial access. So I think that is very interesting. Um, I was actually just asking around, asking ChatGPT things like, how would I build my own, um, honeypot LLM? What does that look like? And it gave me some good advice. I think it'd be worth playing with. There you go, if you want to. That's a good, I'm just giving you a free, a freebie right there, right? Go build.

John:

Go build something like this, put it on GitHub and, man, that's a cool topic, a cool talk topic too, um, but, um, yeah, so, like, I think that really is interesting. I don't know how much horsepower you have to have to run it and have it out there, but I am curious to see that more GPT-like interactivity that you could add to a honeypot. That makes it even better, absolutely.

Steve:

Awesome. Well, any other thoughts around honeypots? This has been very informative, for sure. Yeah.

John:

No, I'll just, I'll end with probably the most famous line from Sun Tzu that everybody's probably heard before, but it's still applicable: Know your enemy and know yourself, and you will not be imperiled in a hundred battles, right? So how do you know the enemy? How do you learn about the enemy? This is one way that you can learn more about their tactics and techniques. Awesome.

Steve:

Thank you, John. So again, just a quick recap. We learned today about honeypots, what they are, how they can be used, the different kinds. We learned about real-world honeypot applications. John shared some stories of ways he has used honeypots to go after the bad guys, fight back. We talked about why honeypots are important, not just in cybersecurity, but for you, someone starting or even someone already in cybersecurity, to get some experience with them and, you know, help you with your, your cybersecurity journey. We talked a little bit about the future. You know, it seems like there's a lot that can be done, especially with AI, tying all that in together. And John shared a book. Go check it out. Go check out his script on GitHub. But yes, sir, I think that is a wrap. Yeah, no, thank you.

John:

Hope it was useful for everybody. Um, go forth and deceive. Go forth and deceive. Another, another t-shirt right there. I know, I know, another t-shirt, write that one down. I like it. All right, thanks everybody.

Steve:

Thank you Until next time.

John:

See you.

Steve:

Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.

John:

Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.

Steve:

Do you have questions or topics you'd like us to cover, or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast and follow us on LinkedIn. We'd love to hear from you. Until next time, I'm John Hoyt and I'm Steve Higuretta.

John:

Thank you for listening.