Canary in the security coalmine

A local security specialist is making waves with a new take on an old concept: the humble honeypot.

Paul Furber
By Paul Furber, ITWeb contributor
Johannesburg, 11 Dec 2015
High-profile breach In 2013, hackers used phishing attacks to gain access to the network of US retail giant Target.
High-profile breach In 2013, hackers used phishing attacks to gain access to the network of US retail giant Target.

It's a truism that the defender has to monitor the entire perimeter for flaws to be secure, while the attacker needs only one to get inside. In retail giant Target's high-profile breach in 2013, attackers went after a business partner first and used phishing attacks to gain access to Target's network, bypassing several hundred infosec employees and millions of dollars' worth of prevention. Instead of grabbing the gold and running, the intruders took their time, trawling around inside Target for weeks before leaving with the loot. The attack was hugely damaging both financially and in terms of reputation.

"If you look at the Target breach, the hackers got in and hung around for two months before pillaging and leaving," says Haroon Meer, founder of Thinkst. "So Target was unaware for two months that they had been compromised. Take almost every big breach and you'll see the same thing. In Edward Snowden's case, he, a trusted insider, spent six months taking data from the NSA."

This pattern is all too common. RSA, Ashley Madison, the NSA and Belgacom were all breached by attackers, internal and external, who took their time before striking. Verizon's Data Breach Investigations Report says that a worrying 92 percent of holes in enterprises are reported by third parties: internal staff members don't know. Meer says he has the answer for these breaches: a new twist on the old idea of a honeypot.

"Our product is so deceptively simple that your initial reaction is, 'Surely it exists already'. The idea is an old throwback: the honeypot. You drop a box on your network in the HR department and call it HR-2. And on it are enticing files called something like financial-projections.xls and salaries.doc. You don't tell anyone in the organisation about it, and you just watch if anyone goes to it. Honeypots have been talked about for a very long time, but why doesn't anyone use them? For the millions that Target spent on their security, why didn't they know? Their problem is maintaining 1 000 servers. You don't want to give them an extra server to manage - everyone's job is hard enough without giving them another thing to worry about. And unfortunately, honeypots are great ideas that fail because the administration overhead always puts them at the bottom of the list of things to prioritise."

Early warning

Thinkst's product, the Canary, is an unobtrusive device not much bigger than a credit card. On the network, it looks like a legitimate target, but will send e-mail or SMS notifications if accessed by anyone.

"You can deploy your Canaries throughout your network," says Meer. "Make one a Windows file server, another a router, throw in a few Linux webservers while you're at it. Each one hosts realistic services and looks and acts like its namesake. We've done some kernel development to make sure the deception works properly. You plug it into your network and press a button. You can configure it to be a Windows 2000 server, a Cisco router or whatever else you want. And in a dropdown, you say it should have these three files - salaries, projections or bonuses - and then you walk away. You can forget about it until someone logs in and accesses one of those files. We simply wait until someone lands on it and then we tell you that bad things are happening. The main thing we're going for is that you find out that you've been breached."

Hear more from Haroon Meer, Thinkst Applied Research about how you can avoid cyber threats and secure your organisation from within, at the eleventh Security Summit May 2016.

Early versions of the Canary used Ethernet to configure, but the shipping device now uses Bluetooth. Meer says the configuration process literally takes a couple of minutes. "We did a lot of work to make sure that the configuration was as easy and painless as possible," he says. The Canary also doesn't need to compromise existing network controls: it reports skulduggery over DNS.

"It's not necessary to punch holes in your firewalls just to use Canary. All you need to do is make sure it can talk to a DNS server inside your network. All of its communications thereafter are via encrypted DNS."

Meer says the Canary has had considerable interest both locally and internationally.

"We were fortunate to get some good coverage during our launch, and many of our early beta-testers gave us good word-of-mouth marketing. This means that we have Canaries running in most of the big South African banks, and, internationally, are installed on networks from Iceland to Australia. At least one billiondollar Silicon Valley company has reported that their Canaries have already caught an internal attack."

Honeypots have been talked about for a very long time, but why doesn't anyone use them?

Haroon Meer, Thinkst

It's theoretically possible that an attacker could recognise the Canary for what it really is and knock it out, but "all it needs to do is get off a single alert and you are better off for having it," concludes Meer.

This article was first published in Brainstorm magazine. Click here to read the complete article at the Brainstorm website.