
Thinkst unveils honeypot tool

By Jon Tullett, Editor: News analysis
Johannesburg, 27 May 2015
Thinkst's concept is based on the principle of detecting the first signs of lateral movement an attacker might take, says founder Haroon Meer.

Thinkst Applied Research has released an intrusion detection sensor intended to provide quick and effective detection of malicious activity on a network.

The Canary product is a customised honeypot that can mimic a genuine network resource, like a fileserver or router, waiting for signs that an intruder is looking for vulnerable targets. It then alerts operators, thus avoiding the need to filter logs looking for warning signs.

The concept is based on the principle of detecting the first signs of lateral movement an attacker might take, Thinkst founder Haroon Meer told ITWeb.

After establishing an initial foothold, frequently through social engineering or phishing, an attacker must move through the network, seeking valuable information and additional vulnerable systems. Honeypots are often deployed to detect external attackers, but rarely internal ones, because they simply add to the volume of security log data the IT team must filter and process.

Meer wanted to short-circuit that problem, offering a self-contained, automated unit that would do nothing more than sound the alarm at the first sign of trouble. The result is Thinkst's Canary, a customised Linux stack, initially available as a compact Raspberry Pi-based unit deployable in just two-and-a-half minutes. "We spent months nailing down every obstacle to getting the Canary up and running with the minimum of configuration and effort," Meer said.

Out-of-the-box bird

Out of the box, the system can be configured to mimic several permutations of hardware, operating system and service, from network routers or fileservers to Web servers and storage devices. "In the future, we'd like to make an open source version which allows the community to contribute new profiles," Meer said.

Although the device is as thoroughly camouflaged as possible, an attacker could conceivably unmask its true nature, or even attack it directly. But "all it needs to do is get off a single alert to do its job", Meer noted.

Deploying several sensors in various configurations allows the customer to detect patterns of behaviour too, Meer said. "If a user looks at a potentially sensitive document on a Canary pretending to be a fileserver, that's interesting, but he might just be curious. But, if the same user scans a Canary pretending to be a Web server, he definitely deserves investigation."
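The multi-sensor correlation Meer describes, as an added illustration that is not Thinkst's code: a short triage routine that groups alerts from several decoys by source host and escalates when one source touches more than one decoy profile or scans a decoy. The event fields and the sample alerts are constructed for this example.

```python
from collections import defaultdict

# Constructed sample events from two hypothetical Canary sensors:
# (source_host, canary_id, decoy_profile, event_type)
SAMPLE_EVENTS = [
    ("10.0.5.23", "canary-01", "fileserver", "file_open"),
    ("10.0.5.23", "canary-02", "webserver", "port_scan"),
    ("10.0.7.8", "canary-01", "fileserver", "file_open"),
]

# Assumed event name for reconnaissance against a decoy.
RECON_EVENTS = {"port_scan"}


def triage(events):
    """Group decoy events by source host and assign a severity.

    Every touch of a decoy produces an alert ("interesting"); a source that
    touches more than one decoy profile, or scans any decoy, is escalated
    to "investigate". Returns {source_host: (severity, reason)}.
    """
    by_source = defaultdict(list)
    for src, canary, profile, event in events:
        by_source[src].append((canary, profile, event))

    verdicts = {}
    for src, hits in by_source.items():
        profiles = sorted({profile for _, profile, _ in hits})
        recon = sorted({e for _, _, e in hits if e in RECON_EVENTS})
        if len(profiles) > 1 or recon:
            severity = "investigate"
        else:
            severity = "interesting"
        reason = f"{len(hits)} decoy event(s) on profiles {profiles}"
        if recon:
            reason += f"; reconnaissance: {recon}"
        verdicts[src] = (severity, reason)
    return verdicts


if __name__ == "__main__":
    for src, (severity, reason) in triage(SAMPLE_EVENTS).items():
        print(f"{severity.upper():12} {src}: {reason}")
```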

The Canary package offers a management console to set up devices and manage alerts, but it is deliberately simple, Meer said.

"We have a simple console, but we don't want customers to look at it. When something happens, you'll get an SMS or e-mail. Until then, you should be able to safely ignore it." The console may look simple, but it is also a key part of the product: to conceal its real nature, the Canary hides its telemetry within normal-looking network behaviour.

The initial Canary package will be priced at $5 000, including two sensors, the management console, and two annual licences for updates, support and maintenance. More information will be available at www.thinkst.com shortly.
