Thinkst, a South African security firm, looks to breathe life into an idea – a honeypot – that will assist organizations in the uncovering of intruders and security breaches within their private networks.
What is Canary? It’s a simple network appliance that has a corresponding online monitoring service, which allows for easy set upon a corporate LAN that sounds an alarm when someone tries to access it.
How hackers get ahold of company information
One of the commonly seen aspects of large hacks, like the one in 2013 on Target, is that the hackers was able to get out the company’s networks and exploit systems that had important information on it without so much as a detection of it happening.
When there is a web server that’s been compromised, it allows the hackers to do a lateral movement, enabling them to get into other computers and systems located on that network. They find out new sets of user credentials to attain additional access to their victims and locate important information they want to steal.
Since it’s done so stealthily, the attackers can get information for weeks or months, learning all about their victims and getting ahold of tons of sensitive information. Canary has been developed to detect the lateral movement by giving hackers a juicy target that sounds an alarm whenever it’s been accessed.
Security honeypots are actually traps, and is a highly recognizable method to detect invasions. The systems appear to have valuable information, ripe for the taking but, lo and behold, it’s all a trap. Hackers will find these honeypot systems, unsuspectingly alerting their victims to the intrusion.
The only issue is that honeypots are not widely used. The creation and maintenance of honeypots to look real and be reliable to detect intrusions isn’t that easy, which is why the majority of them don’t even try.
Yes, they still look for intrusions. They do employ intrusion detection systems that monitor the network traffic and use large information mining methods to find any anomalies. These also tend to be quite costly, noisy and alert administrators with false or incorrect alarms.
It appears Target falls in this category. Yes, it had intrusion and malware detection systems from FireEye. However, according to a Bloomberg report, some alerts that could have warned them of the hacks were disabled… and that’s because they were noisy.
The goal of a honeypot system is to be less vulnerable to false alarms, since any access that hits the honeypot system needs to be regarded as apprehensive.
How Canary can address this problem
The goal behind the Canary is to address the issue, providing reliable information on a honeypot without all the complicated configuration. Thinkst says Canary configuration should take mere minutes. A hardware button puts into the configuration mode. The administrator will connect Canary to Bluetooth and picks the personality it needs to be used. For instance, it can hide itself as Linux, ReadyNAS or Windows Server 2008 and their offered services. The fraudulent Windows server can hot an array of enticing files like top-secret project.docx or salaries.xls.
After Canary has been configured, that’s all there is to it. The Canary box will provide you information on the attempts using the online management console. If someone tries to scan and connect to the network services or even opens files, an alert is immediately sent out.
Canary isn’t perfect. After all, if a person knows exactly what they’re after, they’re less likely to be tempted by the honeypot. However, it does give companies an easy way to locate the unauthorized network access that doesn’t give false positives.
Affordability of Canary
When it comes to the affordability of Canary, it costs $5,000 per year for the online management console and two Canary devices.
Haroon Meer, from Thinkst, said Canary boxes have been set up on numerous places during the development stage. During this stage, the device noted all kinds of intrusions at the company testing it. It wasn’t an actual hacker, but rather an InfoSec team that was checking out the Canary. The “intruders” checked the Canary our while looking at the business’ network, which set off its alarm – similar to what would happen during an actual hack.