Amidst AI, disinformation, and bots... can you spot the human?
Some attackers are sentient, some are not. None of the humans above exist. They are all AI generated. Separating the signal from the noise is hard.
There are critical parts of your systems/apps that no external entities should have access to. Tripped honeytokens reveal not just the presence of attackers but also their intent.
By using honeytokens per pull request (on a deploy branch), you get a high-fidelity, high-cardinality breach signal.
7 months of dwell time is far too long, especially for the last five years. https://t.co/wEt5N9rB8H — Richard Bejtlich (@taosecurity) January 31, 2020
A year ago, VPN giant Citrix said hackers had broken into its corporate network, but details about the breach remained sparse. Now, Citrix says the intrusion lasted 5 months, and exposed personal/financial data on current/former employees and dependents. https://t.co/1EzfR4sYut pic.twitter.com/0OJK6mrDPf — briankrebs (@briankrebs) February 19, 2020
Deloitte : compromised for months & didn't know; — haroon meer (@haroonmeer) September 25, 2017
SEC : ditto;
Equifax : ditto
Canarytokens are free
Oh heck yah. Reducing dwell time is a major way to reduce financial business impact. If we can’t stop the breach, we can stop the loss! — Jeremiah Grossman (@jeremiahg) September 20, 2019
PanSift installs as a GitHub App on a chosen repository. It honeytokens with Thinkst canarytokens out of the box!
It is inevitable that attackers will exploit a vulnerability and get some level of initial access to your infrastructure, systems, or apps. They don't sit still: they continue to penetrate deeper, move laterally, and attempt to escalate privileges to gather data. They harvest access credentials, API keys, and hostnames related to key accounts or systems.
A honeytoken is a digital lure or tripwire: a pseudo-valid username/password, an API key, a hostname, a PDF file, or another digital asset. Honeytokens are designed so that once they are accessed or used, they alert your security team (like a canary in a coal mine!). A good example is a set of AWS client/secret keys left in a configuration file that no one but trusted staff should have access to. Once used or accessed, the honeytoken is tripped, and it's time to react to this high-fidelity signal of intrusion.
PanSift empowers your defenders and developers to gain the upper hand by amplifying their situational awareness, enabling rapid incident response, and increasing peace of mind! Embrace a new form of continuous deterministic security and don't leave your organisation or customer data exposed for months!
PanSift neither needs nor requests access to your code. PanSift automatically honeytokens a specific file per Pull Request. You can leave a honeytoken there or move it to other parts of your build during deploys (dress them up as you see fit)! Use PanSift across private repositories/branches that are deployed anywhere there is a risk of exploit, attack, or compromise, such as Internet-facing SaaS, cloud infrastructure, or restricted internal systems or apps.
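The detection side of the AWS-key example, combined with the one-token-per-pull-request idea, shown as an added illustration (not PanSift or Thinkst code). The registry, key IDs and log lines are constructed, and the field names assume CloudTrail's record layout.

```python
import json

# Hypothetical registry: one decoy access key ID per pull request (constructed values).
DECOY_KEYS = {
    "AKIAEXAMPLEDECOY0041": {"pr": 41, "branch": "deploy"},
    "AKIAEXAMPLEDECOY0042": {"pr": 42, "branch": "deploy"},
}

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_LOG = """\
{"eventTime": "2024-01-10T09:00:00Z", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLEREALKEY01"}}
{"eventTime": "2024-01-10T09:05:12Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.50", "userIdentity": {"accessKeyId": "AKIAEXAMPLEDECOY0042"}}
not-json debris line
{"eventTime": "2024-01-10T09:05:40Z", "eventName": "ListUsers", "sourceIPAddress": "203.0.113.50", "userIdentity": {"accessKeyId": "AKIAEXAMPLEDECOY0042"}}
{"eventTime": "2024-01-10T09:06:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": {}}
"""

def tripped_tokens(log_text, registry):
    """Return one alert per decoy key seen, tagged with the pull request it was planted in."""
    alerts = {}
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if not isinstance(event, dict):
            continue
        key_id = (event.get("userIdentity") or {}).get("accessKeyId")
        origin = registry.get(key_id)
        if origin is None:
            continue  # legitimate key, or no key at all: not a honeytoken hit
        when = event.get("eventTime", "")
        alert = alerts.setdefault(key_id, {**origin, "key_id": key_id,
                                           "first_seen": when,
                                           "source_ips": [], "actions": []})
        alert["first_seen"] = min(alert["first_seen"], when)  # ISO 8601 sorts as text
        ip = event.get("sourceIPAddress")
        if ip and ip not in alert["source_ips"]:
            alert["source_ips"].append(ip)
        alert["actions"].append(event.get("eventName"))
    return sorted(alerts.values(), key=lambda a: a["first_seen"])

if __name__ == "__main__":
    for alert in tripped_tokens(SAMPLE_LOG, DECOY_KEYS):
        print(json.dumps(alert))
```

Because each decoy key maps to exactly one pull request, a hit identifies which build's contents were read, not only that something was.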
Read more about Deception Tech