Canary Honeypot – What is it?

In concept, Canary is simple.  It sits on your network imitating an interesting device with interesting information and then we wait for attackers or insiders to strike.

When attackers have breached your network, one of the first actions they will take is to passively fingerprint the network to see what might be good to exfiltrate or encrypt.  When we detect any activity with the Canary or it’s associated files, we will be alerted therefore enabling further investigation by our analysts and, if we find it to be a true positive, we will let you know.

Canary is also an effective counter-measure for insider threat activity.  A common disgruntled-employee or insider threat tactic is to search around for business-critical documents such as HR/ payroll details or customer databases and either take and sell them to competitors or threat actors or delete crucial information.  If deployed, we can detect this by presenting seemingly important documents that are actually fully audited and monitored files which, when opened, will instantly alert our Security Operations Centre(SOC).

We can also provision up to 5 ‘tokens’.  These are custom-generated files which you can deploy around your network.  You don’t even have to host these on the Canary; you can put them on your live fileserver or even the desktop of interesting workstations!  The concept is the same whereby, if the files are interacted with, our SOC will be alerted to enable further investigation.

How does it work?

We preconfigure then Canary to imitate something interesting that you might have deployed on your network, whether it’s a Windows File Server, Apache Web Server or even a brand-name router.  We then open specific ports, turn on specific services such as SSH or SMB, give it a custom hostname and MAC address and even generate dummy files that fit in with your own name scheme.  You then receive the preconfigured device, plug it in and that’s it!

We then monitor for any reconnaissance activity or active interrogation of the Canary or the dummy files and, when something is detected, the Invinsec SOC will be alerted to enable further investigation.

Can’t I do this with open source tools?

Technically, yes you can – but why haven’t you already?

Many open source honeypot projects have limited support in both the protocol and device type as well as from a monitoring perspective.  Customers are responsible for the building, maintaining and alerting of their own honeypots and, even then, most are easily identifiable for attackers.

We make it simple by asking a few questions and then configuring it for you and then monitoring it 24/7/365 through our SOC.

No configuration.  No Fuss.  We can deliver them as physical, virtual or cloud devices too.

Leave a Reply