What is Canary?
The name Canary originates from the 20th century coal miner’s practice of bringing a canary in a cage down the mines with them. The canary would act as an early-warning signal for toxic gases, notifying the miners of danger and allowing them to react before any harm befalls them.
Similarly to this practice, a Canary will warn of malicious activity detected in your network. Like the toxic gases encountered by miners, network attacks and compromises are often hard to detect. According to this 2015 Threat Report by FireEye’s Mandiant Forensic Services, the median amount of time that threat groups were present on a victim’s network before detection is 205 days, with the breach being detected internally 31% of the time, and by an external entity 69% of the time.
By presenting itself as an apparently benign and legitimate service(s), the canary draws the attention of unwanted activity. When someone trips one of the Canary’s triggers, an alert is sent to notify the responsible parties so that action can be taken before valuable systems in your network are compromised.
How it Works
Order, configure and deploy your Canaries throughout your network. Make one a Windows file server, another a router, throw in a few Linux webservers while you’re at it. Each one hosts realistic services and look and acts like its namesake. Then you wait. Your Canaries run in the background, waiting for intruders.
Attackers prowling a target network look for juicy content. They browse Active Directory for file servers and explore file shares looking for documents, try default passwords against network devices and web services, and scan for open services across the network. When they encounter a Canary, the services on offer are designed to solicit further investigation, at which point your Canary notifies you of the incident. Each customer gets their own management console, on which alerts can be reviewed, notifications configured and Canaries managed. Your Canaries constantly report in, and provide an up to the minute report on their status.
Isn’t this just a Honeypot?
Honeypots are a great idea. Everyone knows this, so why is almost nobody running them on internal networks? Simple: because with all the network problems we have, nobody needs one more machine to administer and worry about. We know the benefits that honeypots can bring but the cost and effort of deployment always drops honeypots to the bottom of the list of things to do.
Canary changes this. Canaries can be deployed in minutes (even on complex networks), giving you all of the benefits without the admin downsides.
Ask us for a fast, customised quotation for some tweeting goodness…we’ll even set them up for you and monitor them for/with you;
Canary Tokens – Quick, Free Detection for the Masses
Head over to https://canarytokens.org/generate to see a marvellous free service offered by our partner Thinkst (makers of Canary Tools). You’ll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page’s image tag, and monitoring incoming GET requests. Imagine doing that, but for file reads, database queries, process executions, patterns in log files, Bitcoin transactions or even Linkedin Profile views. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots. Canarytokens is available for free at http://canarytokens.org, or you can download and run your own installation (source and Docker images are available.)