Detect. Halt | Breaches. Insider Threats. Zero-Days
One of the consistent features of recent global hacks is that attackers are able to move around victims' networks, finding systems with interesting or valuable data, without being detected. From one point of entry (a compromised web server or user endpoint), attackers perform what is termed lateral movement: accessing other systems on the same network and discovering new sets of user credentials to pivot further inside, looking for valuable information to steal.
This behavior usually goes undetected, giving attackers weeks or months to learn about their victims and exfiltrate vast quantities of sensitive data. It is this lateral movement that a honeypot is designed to detect, by presenting the attackers with a fake target that sounds an alarm whenever it is accessed.
CFC was registered in early 2004, inspired by our founder Gilbert Mwambu's application of honeypots in his final-year engineering project at university. Even now, however, honeypots are not commonly used, since creating and maintaining one that looks authentic and reliably reports intrusion attempts is quite difficult, so most organizations just don't bother.
Intrusion detection systems, on the other hand, which heuristically monitor network traffic and use big-data mining techniques to discover anomalies, are common and typically expensive. They are, however, fairly ineffective at detecting insider threats, zero-day exploit based attacks, and sophisticated, evolving threats such as crypto-malware and well-funded APT-style attacks. They also tend to be noisy, inundating administrators with alerts, many of which are spurious false positives.
A honeypot system is much less susceptible to false alerts, since any access to it is, by definition, suspicious. Honeypots are among the most cost-effective techniques for detecting intrusions, since attackers exploring a network will inevitably touch the honeypot and unknowingly alert their victims.
Introducing the Canary
Developed by our partners Thinkst, the Canary device eliminates ALL of the above problems by offering the reliable reporting of a honeypot while removing the complex setup, configuration and maintenance steps. A Canary is a high-quality, mixed-interaction honeypot: a small device that you plug into your network, which can then imitate a large range of machines (a printer, your CEO's laptop, a file server, and so on).
Configuring a Canary takes only a few minutes (less than 5). An administrator simply connects to the device and chooses a preconfigured personality: it can masquerade as, for example, a Windows 2012 Server, a Linux box, a NAS and much more. It can also be configured to run a host of services such as SSH, telnet, a database or Windows file sharing. A fake file server can, for example, publish shared volumes or folders and host enticing files such as "salaries.xls", "top-secret-project.docx", "keys.txt", "account-numbers.pdf" or whatever else is desired.
After setup the device is left unattended and will thereafter immediately report any attempt to access it. When anyone interacts with these fake hosts and fake services, you get an alert and a high-quality signal that you should cancel your weekend plans 🙂. If someone port-scans it, tries to connect to its network services, attempts to log in, or opens or copies files from it, it immediately sends an alert via email, SMS or voice call, depending on the configured reporting mechanism, with details such as the operation, the source IP and the login credentials used, for further investigation.
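To make the alerting behaviour described above concrete, here is a small added example of a fake login service written for this page. It is not Canary code, nor anything from Thinkst; it simply shows the defender's side of the idea: a listener with no real function behind it, where every connection and every credential offered is recorded as an alert with the operation, source IP and port, and the username and password tried. The `self_test` helper, the banner strings and the alert field names are all assumptions made for this illustration; the self-test drives the service from a loopback client so the whole thing runs offline.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed example: a minimal fake login service in the spirit of the
# honeypot behaviour described above. It is not Canary code. Any connection
# to it is suspicious by definition, so every interaction yields an alert
# record carrying the operation, source IP/port and any credentials offered.

BANNER = b"login: "
PASSWORD_PROMPT = b"password: "
REJECT = b"Login incorrect\r\n"


def make_alert(operation, source_ip, source_port, username=None, password=None):
    """Build the alert record that would be forwarded by email, SMS or to a SIEM."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "operation": operation,
        "source_ip": source_ip,
        "source_port": source_port,
        "username": username,
        "password": password,
    }


def read_line(conn, limit=256):
    """Read one newline-terminated line (bounded); None if the peer disconnects first."""
    data = b""
    while len(data) < limit:
        chunk = conn.recv(1)
        if not chunk:
            return None if not data else data
        if chunk == b"\n":
            break
        data += chunk
    return data.rstrip(b"\r")


def handle_client(conn, addr):
    """Emulate a login prompt. Credentials are always rejected: nothing real sits
    behind the prompt; the only purpose is to record who showed up and what they tried."""
    ip, port = addr[0], addr[1]
    alerts = [make_alert("connect", ip, port)]
    try:
        conn.settimeout(5)
        conn.sendall(BANNER)
        user = read_line(conn)
        if user is None:            # peer closed without typing: scan or banner grab
            return alerts
        conn.sendall(PASSWORD_PROMPT)
        pwd = read_line(conn)
        alerts.append(make_alert("login_attempt", ip, port,
                                 user.decode(errors="replace"),
                                 (pwd or b"").decode(errors="replace")))
        conn.sendall(REJECT)
    except OSError:
        pass                        # timeout or reset: the connect alert is already recorded
    finally:
        conn.close()
    return alerts


def start_listener(host="127.0.0.1", port=0):
    """Bind the fake service; port 0 lets the OS pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def serve_one(listener):
    """Accept a single connection and return the alerts it produced."""
    conn, addr = listener.accept()
    return handle_client(conn, addr)


def self_test(username=None, password=None):
    """Drive the service from a local client on loopback so the alert path can be
    checked offline. Returns the alerts the service generated for that session."""
    listener = start_listener()
    result = {}
    server = threading.Thread(target=lambda: result.update(alerts=serve_one(listener)))
    server.start()
    client = socket.create_connection(listener.getsockname())
    client.recv(64)                                  # banner
    if username is not None:
        client.sendall(username.encode() + b"\n")
        client.recv(64)                              # password prompt
        client.sendall((password or "").encode() + b"\n")
        client.recv(64)                              # rejection
    client.close()
    server.join(timeout=10)
    listener.close()
    return result.get("alerts", [])


if __name__ == "__main__":
    # A login attempt produces two alerts (connect, login_attempt);
    # a connect-and-close produces only the connect alert.
    for alert in self_test("alice", "hunter2") + self_test():
        print(alert)
```

The design point worth noticing is that the service never tries to decide whether a connection is malicious: the absence of a legitimate reason to touch the host is what makes the signal clean, which is why a bare connect (a scan or banner grab) is reported just as a full login attempt is. In a real deployment the `make_alert` record would be shipped to whatever channel the administrators watch, and the listener would run continuously rather than accepting a single connection.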
This simple device provides an extremely effective early warning system for detecting unauthorized network access, insider threats and perimeter breaches that would otherwise have gone undetected. And best of all, it comes with ZERO maintenance cost, as it isn't prone to false positives.