There is a long list of security products that aim to help secure your organization against cyber-attacks. These products may use a slew of buzzwords and industry terms such as cloud, AI, encryption, zero-day, ransomware, firewall, botnet, and next-generation to capture your attention and persuade you that these products will solve your problems. The endless list of available options can make navigating the cyber-security product market overwhelming and misleading which reduces efficiency, effectiveness and ultimately negatively impacts overall security.
Preventing breaches and intrusions is a top priority of many security programs, however; what happens once an intrusion occurs? On average, it takes organizations six months to detect a breach, the longer it takes to identify the breach, the higher the cost of remediation and the greater the loss of business. One product, that significantly increases the detection of malicious actors inside an environment, is the Thinkst Canary.
What is a Canary?
Canaries in IT Security often allude to the concept of the canary in a coal mine where the birds were an early warning sign that danger was near. If the canaries in the mine died, it served as an indication that the miners need to immediately exit because the canaries were more sensitive to dangerous gases than humans. This concept of early detection mirrors that of a Thinkst Canary.
A Canary is a physical or virtual device that is capable of mimicking nearly any type of device in any configuration. It acts very similarly to a honey pot. Canaries are designed to alert the admin user(s) of intruders and reduce the time required to identify a breach. Canaries can pose as Windows file servers, a cisco switch, Linux web servers, mainframes, workstations, and many more. Canaries sit in your network much like a canary in a coal mine; if a mine were filled with poisonous gases miners would have an early warning system. If an intruder is on your network, once the attacker interacts with the Canary, it will generate alerts through email, text messages, slack notifications, or integrate through other systems.
In addition to Canary devices, there are also Canary Tokens. These tokens serve as tripwires that take on many forms such as PDF and Office documents, email addresses/accounts, credentials, API keys, AWS keys, URLs and more that can be strategically placed throughout a network or organization. If an attacker opens a Canary Token document, uses token credentials, API keys or visit the Canary URL, alerts will fire just like the Canary honeypot devices. Admins, analysts and incident responders can investigate alerts with little worry for false positives.
Insight from the Founder
One of the things we love about Canary is how accessible their founder is. Haroon Meer frequently jumps into customer discussions and sheds light on their products. We asked Haroon how his experience in penetration testing helped in the development of the Canary. His response is included below:
Our pen-testing background is deeply tied to Canary on several levels:
1) Lots and lots of our design and architecture choices are rooted in our red-team backgrounds. We won’t span VLANS. We run in managed languages and use a sandbox to limit the possible blast radius of attacks. We make sure that our security device is a pretty secure device too.
2) We built Canary because with years and years of breaking into networks, it was only a rare handful of times that we were discovered before handing in the report. Something had to change that.
3) We have worked really hard to simplify Canary because one of the un-mentioned problems we saw pen-testing, was that defenders often had plans to deploy detection, plans to maximize SIEM usage, plans to… that were never completed and were always ongoing. Canaries deploy in 4 minutes and are immediately useful.
Haroon Meer, Founder, Thinkst
How does a Canary help me?
Canaries are easy to deploy, require no maintenance and take less than 5 minutes from unboxing to initial configuration and deployment. Pre-configured profiles allow for rapid deployment. Fine-grained options allow for specific tuning in order to blend into your network and appear as a legitimate system. Once deployed, the device is at work protecting your network and will provide an early warning of suspicious activity. Attackers will prowl around a network looking for systems that may have vulnerabilities, misconfigurations or contain high-value information. When an attacker performs a port scan, a brute force attack, downloads files from the file share, accesses a fake website or interacts with the device, it will generate alerts.
Alerts generated are high-value because of the simplistic nature of the Canary. With a Canary, there is no need for fancy machine learning, Artificial Intelligence, anomaly detection or other buzzwords. It has no real purpose for users or devices to interact with it. Alerts can be fine-tuned to avoid alerts from VA scanners, asset management tools, or other network services and agents. If there is an interaction with a Canary, alerts will be generated, and an investigation is required. A centralized console allows for viewing, monitoring of alerts, device status and configuration.
The Thinkst Canary is a rare security product that seeks to achieve its purpose of identifying intruders and reducing detection time by requiring the least monitoring, maintenance, configuration and overhead by IT and security staff. Many products and tools require on-going monitoring, constant configuration, tuning and investigation. The Canary is doing its job well if you don’t think it’s working or forget it’s even there. While Canaries are a great option for detecting intruders, it is always ideal to prevent an intrusion in the first place.
Preventing a Breach
At Packetlabs, we specialize in preventing attackers from successfully breaching client systems. Our experience team of ethical-hackers are highly skilled in the discovery, identification and exploitation of vulnerabilities in your organization’s networks, web applications and mobile applications. Once vulnerabilities are identified, an organization can then use this information to remediate vulnerabilities, reduce attack surface and mitigate risk.