Biz & IT —

Canary box aims to lure hackers into honeypots before they make headlines

Developers hope that new gizmo will bring an old idea back into fashion.

The Canary box. The red light means that it's currently offline, because it doesn't have its Ethernet cable attached.
The Canary box. The red light means that it's currently offline, because it doesn't have its Ethernet cable attached.

South African security firm Thinkst is hoping to give new life to an old idea—the honeypot—in a bid to help organizations detect security breaches and intruders in their private networks. Thinkst's Canary is a simple network appliance and corresponding online monitoring service that makes it easy to set up juicy-looking targets on the corporate LAN that will sound the alarm if any attempt is made to access them.

One of the consistent features of large hacks, such as the late 2013 Target breach, is that attackers have been able to move around their victims' networks to find systems with interesting or valuable data without being detected. From one point of entry—a compromised Web server, say—the hackers perform what's called "lateral movement;" accessing other systems and computers on the same network, discovering new sets of user credentials to gain further access to their victims, and finding valuable information to steal.

This behavior appears to go undetected, giving the attackers weeks or months to learn about their victims and steal vast quantities of sensitive data. It's this lateral movement that Canary is designed to detect by presenting the hackers with a juicy target that will ring the alarm bell whenever they access it.

Security honeypots—systems that look like they contain valuable data and are ripe targets for attack, but which are really traps—are a well-known technique for detecting intrusions. Hackers will inevitably discover and explore the honeypot systems, unwittingly alerting their victims to their intrusion. However, they're not commonly used. Creating and maintaining a honeypot that looks authentic, but is reliably able to report intrusion attempts, isn't easy, and most organizations don't bother.

Which is not to say that they do not look for intrusions at all; intrusion detection systems that heuristically monitor network traffic and use big data mining techniques to discover anomalies are common, and typically expensive. But these systems tend to be noisy, inundating administrators with alerts, many of which are spurious or incorrect.

Target appears to fall into this very category: it had malware and intrusion detection systems from FireEye, but according to a report by Bloomberg some alerts that would have detected the hack were disabled. Reuters reported that these alerts were often disabled, because they produced so much noise.

A honeypot system should be much less susceptible to false alerts, since almost any access to a honeypot system should, by definition, be suspicious.

The Canary box aims to tackle this problem, offering the reliable reporting of a honeypot, but without the complex configuration. In fact, Thinkst says that configuring Canary should only take a few minutes. A hardware button is used to put the Canary into "configuration" mode. An administrator then connects to the Canary with Bluetooth and chooses the personality it should use: it can masquerade as, for example, Windows Server 2008, Linux, and ReadyNAS—and the services it offers. A fake Windows server can offer Windows shares, host some exciting looking files such as "salaries.xls," or "top-secret-project.docx," or whatever else is chosen.

After that initial configuration, the device can then be left alone. The Canary will report attempts to access it through an online management console; if someone port scans it, tries to connect to its network services, or opens files from it, it'll immediately send an alert.

Canary won't catch every intruder—one that knows exactly what they're looking for probably won't be tempted to look for the tempting treats on the honeypot—but it should nonetheless provide an easy way of finding unauthorized network access that isn't prone to false positives. Compared to many enterprise-oriented security offerings, it's also affordable: $5,000 a year for two Canary devices and management through the online console.

Haroon Meer at Thinkst told us that Canary boxes were deployed at a number of sites during their development. During this time, a Canary did detect an intrusion of sorts at a media company that was testing it. It turns out that it wasn't actually a hacker: unknown to the InfoSec team that was evaluating the Canary, a penetration test had been scheduled. The pentesters scanned the Canary during their examination of the company's network, triggering its alerts—just as would happen with a real hack.

Channel Ars Technica