Thinkst Canary's Deception Feature Not Deployed Due to Risks
Thinkst Canary explores a potential deception feature that ultimately didn’t make the cut. The article discusses a research effort to create a “Ghost Server” in Active Directory that would attract attackers by appearing to have Unconstrained Kerberos Delegation, while actually redirecting them to a Canary honeypot. Although this approach could enhance security by misleading attackers, it posed risks, particularly in complex environments where permissions could be mismanaged. Ultimately, the feature was deemed too risky for general deployment, a decision that underscores the importance of careful consideration in product design. The authors encourage blue teams to explore the technique cautiously and provide an open-source script for those interested in implementing it safely.
