Network breaches happen: to mega-corps, to governments, to unsuspecting users, even to well-known security pros. What isn't excusable is finding out months or years later.
Most organizations invest heavily in expensive and sophisticated technology focused on one thing: keeping the bad guys out. We install firewalls and configure Intrusion Detection Systems, all the while hoping no one will notice us, and that if they do, our perimeter defenses will hold.
Africa is a soft target compared to the rest of the world because of the mistaken belief that our defenses are effective against determined attackers. Our level of investment in IT security is low compared to other countries. There are organizations worldwide whose investment in IT security is many times the total investment of the continent taken as a whole, and yet they still suffer network breaches.
In this age where data is the new oil, we are up against extremely sophisticated threats. Bugs in software are discovered every day, and the market for zero-day exploits has grown exponentially, with some bounties going for just under 2 million dollars. There are now well-funded groups active in security research, coming up with new ways of breaking into systems with the aim of stealing data or, more recently, of taking advantage of idle computing resources to surreptitiously mine virtual currency.
With all these constantly evolving threats, we need to find better ways of detecting when our networks have been breached.
IDSs use heuristics and complex machine learning algorithms based on behavioral modelling to make intelligent guesses. The problem is that these AI systems need to continuously analyze vast quantities of data and require a lot of time to be trained, since they only get better at detecting patterns over time.
Current IDS technologies are known to be ineffective against well-funded APT groups, zero-day attacks (exploits that are completely unknown to defenders) and insider threats, meaning employees or contractors with legitimate network access.
To make matters worse, the erratic behavior of humans (we're constantly on the move changing things: plugging machines in and out, reconfiguring stuff, hiring, retiring and firing, updating, redesigning, revamping) makes IDS systems prone to producing a lot of false positive alerts. This in turn increases administrative overhead and fatigue, and bad decisions follow, such as turning off features the security team feels may not be useful.
A honeypot is a technology well suited to serving as an extra line of defense: it essentially deters attackers from discovering mission-critical systems and buys time for the security team to contain a breach.
Attackers will usually lurk around networks undetected for weeks or months, learning about their victims and exfiltrating vast quantities of sensitive data. It is this "lateral movement" that a honeypot is designed to detect, by presenting hackers with a fake target that sounds an alarm whenever it is accessed.
Honeypots have existed for more than 15 years and are now a mature technology thanks to the Canary device. A Canary brings the cumbersome process of configuring a honeypot down to less than 5 minutes. It's a plug-and-go device that lets an administrator choose a fake personality from a list of pre-configured system images or services, or easily customize one. It can masquerade as, for example, a Windows 2012 Server, a Linux box, a NAS and much more. It can also be configured to run a host of services such as SSH, Telnet, any database or Windows file sharing. A fake server can, for example, publish shared volumes or folders and host enticing files such as "salaries.xls", "top-secret-project.docx", "keys.txt", "account-numbers.pdf" or whatever else is desired.
After the quick setup, the device is left unattended, masquerading as a mission-critical system or important service and waiting for an unsuspecting attacker to connect. On access, the device sends a high-quality alarm via SMS, email or voice call to the security and incident response teams, indicating the possibility of an attack, which could be a perimeter breach, a malware attack or a nefarious insider. It also provides useful information on the source, nature and level of sophistication of the attack.
The Canary carries no administrative overhead: there is no lead time before it becomes useful, no complex AI training process, no false positives, no heuristics, no updates or signatures to add periodically when new threats become known, no maintenance and so on.
Any access to it should be deemed suspicious. A Canary will alert when its ports are scanned, when anyone attempts to log into it, when files are viewed or copied, and much more.
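To make that "any access is an alert" rule concrete, here is a minimal TCP decoy written for this article (it is not Canary's software, and its port numbers and payload heuristics are assumptions chosen so it runs unprivileged on a workstation). Every completed connection becomes an alert record; the first bytes the peer sends only refine whether it looked like a bare port scan, an SSH or SMB client, or a typed login:

```python
import socket
import threading
import time

# Assumed decoy ports (unprivileged so this runs without root; real decoys use 22/23/445).
DECOY_PORTS = {2222: "ssh", 2323: "telnet", 4445: "smb"}

def classify_access(src_ip, port, data):
    """Turn one observed connection into an alert record. Nothing legitimate ever
    talks to a decoy, so every connection is an alert; bytes only refine its kind."""
    service = DECOY_PORTS.get(port, "unknown")
    if not data:
        kind = "port-scan-or-probe"          # connect, then close silently
    elif service == "ssh" and data.startswith(b"SSH-"):
        kind = "ssh-client-handshake"        # SSH client identification string
    elif service == "telnet" and b"\r\n" in data:
        kind = "login-attempt"               # a line was typed, e.g. a username
    elif service == "smb" and data[4:8] in (b"\xffSMB", b"\xfeSMB"):
        kind = "smb-session-attempt"         # SMB1/SMB2 header after NetBIOS length
    else:
        kind = "unexpected-payload"
    return {"time": time.time(), "src": src_ip, "port": port,
            "service": service, "kind": kind, "evidence": repr(data[:64])}

def handle_peer(conn, addr, port, alerts):  # one thread per connecting peer
    conn.settimeout(2.0)
    try:
        data = conn.recv(1024)               # b"" means the peer already closed
    except OSError:                          # timeout or reset: treat as a probe
        data = b""
    finally:
        conn.close()
    alerts.append(classify_access(addr[0], port, data))
    print("ALERT", alerts[-1])               # real deployment: SMS/email/pager

def serve(port, alerts, host="127.0.0.1"):  # accept forever on one decoy port
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port)); srv.listen(5)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle_peer, args=(conn, addr, port, alerts), daemon=True).start()

if __name__ == "__main__":
    alerts = []
    for p in DECOY_PORTS:
        threading.Thread(target=serve, args=(p, alerts), daemon=True).start()
    threading.Event().wait()                 # run until interrupted
```

Because the decoy never answers, a legitimate client has no reason to reach it, so the alert list needs no tuning, signatures or training; the classification only helps the responder triage source and intent.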
Aside from ease of setup and configuration, a Canary enables network and security admins to easily adopt dynamic network architectures with the aim of fooling would-be attackers or insiders as to where critical systems lie. Admins can change the device's personality easily and at will, in a matter of minutes.
Attackers usually employ IDS detection and evasion techniques for fear of tripping alarms, but they will almost certainly access systems and services that either are, or lead to, repositories of useful and sensitive information, such as web servers, file servers, network shares, databases, remote backup and storage devices and so on, all of which can be configured on a Canary.
A cost-effective, quick and hassle-free way to help network defenders discover when there's a problem (a breach)
-- by having attackers announce themselves.