Events

Miner’s Canary Revival in IT Security

canary_credit_to_javier_bano

What is a Miner’s Canary?

Well, it’s a canary (these cute yellow songbirds some people have as a pet), and its main feature is that it dies before you will.

What the hack [pun intended]? And by the way… what has this to do with IT Security? Well… let me first quote Wikipedia on the birds:

“Canaries were once regularly used in coal mining as an early warning system. Toxic gases such as carbon monoxide, methane or carbon dioxide in the mine would kill the bird before affecting the miners. Signs of distress from the bird indicated to the miners that conditions were unsafe.” Source: https://en.wikipedia.org/wiki/Domestic_canary#Miner.27s_canary

And now let me bridge the gap towards IT Security: Our friends from Thinkst released a complete palette of “canary” products, services and tools at this year’s BlackHat USA conference. Canary.tools is their take on how to effectively use honeypots in a network.

Think of a canary bird (= honeypot) in your network, which ideally will be hacked before you get completely owned. The difference between the miner’s canary and your honeypot: While the miner’s bird just dies, your canary honeypot will actively alert you (while it’s being triggered/hacked).

haroon_marco

With their typical brilliance Haroon Meer and Marco Slaviero ran the Vegas audience down a crazy amount of slides and demos. Instead of pitching their commercial product (which is Canary.tools), they explained their motivation behind the project (= “what’s wrong with existing honeypots?”) and focused on the free and open source version (which is OpenCanary) in a very detailed fashion. Classy and enjoyable to watch!

So what is the difference between Thinkst Canary and other honeypots?

3 words: EASE OF USE. Their main development target, to drive wide-spread adoption among IT Sec guys, was to make it so dead simple and painless (setup is said to take less than 3 minutes), that the better questions would be: Why wouldn’t you use it? Sounds cliché, right?

After seeing their presentation I still believe in it. You may have all those legitimate questions, like “How are countless of canaries managed without adding more pain to your workload?” [Answer: by a correlator and a slick console], “What kind of honeypots are preconfigured?” [Answer: Plenty, more to come!] or “Are there any smart triggers which go beyond the usual ‘let’s pretend to be a Windows Server’ capabilities?” [Answer: YES! You can even get alerted if somebody stalks for your faked network admin’s LinkedIn page!].

If further interested I would recommend to watch the full talk (luckily it got published publicly) or dive right into one of the many resources linked below:

Commercial Canary vs. OpenCanary?

One thing I personally like, is when great people not only do awesome technical work, but also understand the business necessities of it. So I was more than happy, when Haroon explicitly stated, that they don’t plan the Canary tool suite to be yet another discontinued honeypot project (at 52:00):

“[…] we’re making money out of our [AN: commercial] canary stuff. So we’re heavily incentivized to keep on development. OpenCanary is not going to go away anytime soon. We need it, it’s important to us. We’re giving it to you guys for free. You should use it.”

So, there’s free and open source for everybody (which actually acts as a test-range for early implementations of new plugins and honeypot styles). And a commercial version which will ensure continuous revenue streams to pay for the development. The main difference between paid and free is a more polished user experience with ready to go Carnarie boxes (see below), a hosted console, DNS-enabled communication (between your boxes and the remote backend) and the usual support service.

While the original miner’s canaries retired sometime around 1987 and got replaced by higher-tech measuring devices, I could see a revival of canaries in IT Security. How about you? Let us know what you think and whether or not you use honeypots in your environments.

Thanks for reading – Florian

PS: Credit where credit is due: Big hand of applause to Azhar Desai from Thinkst. Haroon & Marco told me at DEFCON that much of the heavy-lifting of the Canary tools were done by him. We hope to have you all back with us at an upcoming TROOPERS!

Additional Links:

OpenCanary: http://opencanary.org 
OpenCanary is a daemon that runs canary services, which trigger alerts when (ab)used. The alerts can be sent to a variety of sources, including syslog, emails and a companion daemon opencanary-correlator.

opencanary-correlator (part of OpenCanary): The Correlator coalesces multiple related events (eg. individual brute-force login attempts) into a single alert sent via email or SMS.

CanaryTokens: http://canarytokens.org
Webapp to generate custom canary tokens! To learn more about some really cool ways to implement additional honeypot traps go and checkout their blogpost: http://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html

Canary.tools:  https://canary.tools
Commercial version, which comes with preinstalled canary boxes. Plug, play and get them hacked 😉