Outsiders ran rampant.
The 2013 Target breach cost hundreds of millions of dollars, and the CEO his job. But this wasn't a grab-and-run heist: the intruders spent weeks on the Target network, carefully plotting their moves.
Target didn't know when it mattered.
Attackers remained in the shadows.
GCHQ had accomplished its objective. The agency had severely compromised Belgacom’s systems and could intercept encrypted and unencrypted private data passing through its networks. The hack would remain undetected for two years, until the spring of 2013.
Belgacom didn't know when it mattered.
Insider threats went undetected.
Edward Snowden traversed the length and breadth of the NSA's network in search of documents, each one an opportunity for an alert which never materialised.
The NSA didn't know when it mattered.
Long term reconnaissance paid off.
Prior to the very public defacement and destruction of Sony Pictures systems, attackers were present for months collecting passwords, exploring the network and remaining in a position of power.
Sony Pictures didn't know when it mattered.
Would you know when it mattered?
Anti-virus, IDS, and intelligence feeds generate so much data that the signal is lost.
Canary lets you know when it matters.
What Others are Saying
Awesome product and customer service to match! Thanks :)— Random Guy (@rndmguy) July 20, 2017
I have to give a shout out to @ThinkstCanary for being awesome. They not only have a great product but also great people behind it. 🦅— Joe Parker @ ISSW 2018 (@joesparker) May 15, 2017
Like ❤ and Retweet 🔄 are insufficient! Rock on guys!— Nate (@heyandy889) January 7, 2017
The only thing more awesome than our Canaries: Our Customers 💕 pic.twitter.com/Yj0dkLfNUP— Thinkst Canary (@ThinkstCanary) November 16, 2016
Big fan of this tech. High signal, low noise. https://t.co/8ehznGLs8A— Asylas (@AsylasSecurity) March 6, 2017
Canary is great.— Mikko Hypponen (@mikko) June 12, 2016
Our customers are the best! pic.twitter.com/MCOB9JqdHX— Thinkst Canary (@ThinkstCanary) March 20, 2017
overall awesome product, though. Highly useful, and covers huge blindspots with minimal effort. A++ would recommend— Tim McG (@NotMedic) November 27, 2016
Just did quick and dirty Canary Token demo for a coworker. @haroonmeer the simplicity, flexibility, and power of this tool is inspiring.— Ean Meyer (@EanMeyer) August 22, 2016
The devices are great to use to ensure that firewalls/vlan isolation is configured properly. That alone has paid for the deployment.— Jim Schwar (@jimiDFIR) June 27, 2017
These are brilliant. If I were running an IT shop again, no question I'd have these. https://t.co/qhT2DgZx4t— it's chris plummer (@chrisplummer) November 30, 2016
Even if you don’t have budget get over to https://t.co/G1gCVjJBXh and use their amazing free service.— Joe Parker @ ISSW 2018 (@joesparker) May 15, 2017
https://t.co/BlDfDoeWe6 <-- This I like! Low friction honeypot devices.— Phil Huggins (orac) (@oracuk) June 18, 2015
I had some broken @ThinkstCanary's after a power outage and they RMA'ed new ones from South Africa in under 4 days. Amazing support!— Jerry Gamblin (@JGamblin) June 23, 2017
Traps, tarpits, and honey tokens just plain work - now available for free at https://t.co/eHXJt2dAD5— Robr (@sweepthatleg) May 14, 2017
Just realized the magic of https://t.co/ZzKm4tSn8W. Splendid work. Thanks for the info mate— Muhammad Ather (@MuhammadAther88) March 15, 2017
1. BeyondCorp: Not easy, or for everyone, but I love the idea.
2. Canaries https://t.co/SD023OF9y3— Adrian Sanabria (@sawaba) August 11, 2017
The @ThinkstCanary device is a thing of beautiful uncomplicated simplicity. Thoroughly enjoying putting it through its paces— Roshan Harneker (@roogle) August 2, 2017
Set aside an hour to setup my new @ThinkstCanary ... not sure what I'm going to do with the other 55 minutes.— 𝕭𝖎𝖌𝖌𝖎𝖊 𝕾𝖒𝖆𝖑𝖑𝖘 (@bigendiansmalls) March 4, 2018
I'm not sure. Never really thought about or tried this angle as a larger industry initiative. I mostly just recommend https://t.co/dsnqFvwAvi— Jeremiah Grossman (@jeremiahg) September 19, 2017
CanaryTokens FTW!— Steve Lodin (@stevelodin) March 4, 2018
Just watched the whole 19mins webinar. Give us a call on +44 1224 516181. We are interested. Thank you.— TheTechForce (@TheTechForceUK) October 28, 2017
Super excited about deploying a few Canaries around the network next year. @ThinkstCanary— Evan Wathington (@ewathington) December 22, 2016
There's a good reason that smart security-folk rate Thinkst Canary highly. If you are in Vegas for BH/DC & want to know more, drop us a note pic.twitter.com/ojiTy25o9I— Thinkst Canary (@ThinkstCanary) July 23, 2017
I’ve seen it and use it, it’s fantastic. The canary, though, as a drop in hardware device for corp/other networks is pretty fantastic, one of the best/easiest configurations I’ve ever seen.— 𝕭𝖎𝖌𝖌𝖎𝖊 𝕾𝖒𝖆𝖑𝖑𝖘 (@bigendiansmalls) March 4, 2018
Great feature.— Sakhi Louw (@sakhi_louw) January 29, 2018
Oh, of course @ThinkstCanary for exactly the same reason.— Jeremiah Grossman (@jeremiahg) September 29, 2017
Love them too. And tokens! Tons of tokens is key.— John Woods (@zenbanjoman) September 26, 2017
someone who makes solving hard problems easy for the end-user— caseyjohnellis (@caseyjohnellis) September 29, 2017
wow @ThinkstCanary tokens are cool, especially signed binaries. very sneaky technique :D— InfoSec Spy ❆ (@InfoSecSpy) February 27, 2017
As a current customer I highly recommend the @ThinkstCanary. You won’t initially think it’s doing much of anything until it does and uncovers a quagmire of a situation you didn’t know you had (speaking from experience here)— Roshan Harneker (@roogle) February 18, 2018
Really enjoy @ThinkstCanary - they work hard to do a lot with very little!— BuildItBenjamin (@liddy_io) October 18, 2017
Hearing a lot about @ThinkstCanary lately. Have been considering giving them a call for a couple of our projects. We already work with Duo, strong reco to see them side by side from @thegrugq. https://t.co/rPdRGLqlbF— Jenn Shaw (@JenniferVShaw) February 14, 2018
btw, @ThinkstCanary support is as awesome as their product. unfortunately i had to test it, and have been extremely impressed.
and i sure sleep better at night with a bird on the wire.— randy bush (@enoclue) March 3, 2018
Canary is one of the most useful tools ever— Shane (@Shane_in_SC) January 8, 2018
Their product is not only beautiful in its simplicity/use - but they treat customers and do things as a business with the utmost integrity— nj (@sec_nj) September 30, 2017
It’s tough to beat Authentic feedback.
Even during PoC’s, Canaries wreck Intruders. pic.twitter.com/GnZZajD8fN— Thinkst Canary (@ThinkstCanary) December 7, 2017
Check out the free Canary Tokens too, we probably all have ways of using these: https://t.co/e0ZFC4LV7N— Troy Hunt (@troyhunt) April 21, 2016
IMHO, Thinkst is the hottest little security company and technology you’ve never heard of. https://t.co/DdkCZcUtoM— Jeremiah Grossman (@jeremiahg) September 25, 2017
Someone asked me what sports team the @ThinkstCanary beanie I was wearing represented. I replied, "Not exactly a sports team, but they kick ass at defensive strategies all the same."— Thoave (@Hogosec) December 2, 2017
Also, early detection as a huge plus, but yeah, canary tokens are pretty good for defence.— shubs (@infosec_au) January 4, 2018
Canary - a honeypot service for your company, that's actually pretty cool! https://t.co/GvsafwFE7V— David Wong (@cryptodavidw) November 8, 2017
Upgrading from @ThinkstCanary V1 to V2 is almost the easiest upgrade you will ever have to do.— Joey Pistone (@daguy666) September 12, 2017
I love what @ThinkstCanary is doing. Such a simple and inexpensive tool that’s surprisingly disruptive.— Chad Loder (@chadloder) February 22, 2018
There is so much truth in that post, And I couldn't agree more.— Joey Pistone (@daguy666) July 27, 2017
Not everything is APT and not every APT is sophisticated. Focus on practicing basic IT governance — asset management, patching, network segmentation, least privilege, 2FA, logging... drop in some @ThinkstCanary. Make them work to earn their pay https://t.co/jyh03VNNqY— the grugq (@thegrugq) January 8, 2018
It’s time to start accepting that your NSM infrastructure is incomplete if you aren’t leveraging honeypots for detection. #DFIR— Chris Sanders (@chrissanders88) August 17, 2016
Yeah those canaries are great. I talk about them a little too much. It’s because this kind of stuff works.— ./tmp/RENEGADE (@mosesrenegade) September 26, 2017
How many other "security products" are positively evaluated when anyone with a clue looks at them? https://t.co/eswEUT4KG6— halvarflake (@halvarflake) March 28, 2018
For those in China using Apple iCloud, i highly recommend using some canary tokens in icloud documents now that GCBD is operating the storage and maintaining of your data.— Bʀʏᴀɴ (@bry_campbell) March 16, 2018
The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal. If the aim is to increase the time taken for attackers, canary tokens work well.— shubs (@infosec_au) January 4, 2018
Don’t think, just get them ;). I was a former customer (changed roles). What will you get from them?
The best support, easy interface, great price and the most accurate alert in your environment. #canarylove— Mickey P (@MickeyPerre) February 15, 2018
I actually used canary tokens to determine that someone was snooping on a private email exchange between lovers. Wasn't able to figure out who, but did get their geolocation. #TrueStory Thanks, CanaryTokens! https://t.co/VuhDuOKIZb— David Holmes (@dholmesf5) March 27, 2018
The two spends I’d do to increase resilience for less than one blinkenlights magic bullet cybersecurity solution?
- @duosec 2FA all the things
- @ThinkstCanary gain visibility on when you get penetrated
Lots more I’d do w/ Canary Tokens, but that’s custom work email@example.com 😄— the grugq (@thegrugq) February 13, 2018
https://t.co/dVe2CEG07k is a really cool product. Simple and straightforward. Get to know first when your line of defense fails.— Matt Suiche (@msuiche) October 3, 2017
If you haven't discovered canary tokens yet, why not start today? And then spend the rest of the day planting tripwires all over your network. https://t.co/SLhVtxUQrK— Robert Pritchard (@TheCyberSecExp) December 19, 2017
Similar to a honeypot, but easier to setup and virtually zero false positives, get Canary for your office network: https://t.co/eOWIqTa5uv— 0lmy (@custodietipsos) November 22, 2017
Come for the product, stay for the customer service— mimeframe (@mimeframe) August 18, 2017
+1. We ❤️ our Canaries. https://t.co/Qde8vF9W2v— (((Jonathan Levine))) (@JonMLevine) September 25, 2017
Part of the problem here is that Canary is run by smart, forward thinking people who want to build demonstrable long term customer value. Thankfully this madness is rare in our industry.— I didnt choose the bug life, the bug life chose me (@stevelord) March 28, 2018
How does it work?
Order, configure and deploy your Canaries throughout your network. Make one a Windows file server, another a router, throw in a few Linux webservers while you're at it. Each one hosts realistic services and looks and acts like its namesake.
Then you wait. Your Canaries run in the background, waiting for intruders.
Attackers prowling a target network look for juicy content. They browse Active Directory for file servers and explore file shares looking for documents, try default passwords against network devices and web services, and scan for open services across the network.
When they encounter a Canary, the services on offer are designed to solicit further investigation, at which point your Canary notifies you of the incident.
Each customer gets their own management console, on which alerts can be reviewed, notifications configured and Canaries managed.
Your Canaries constantly report in, and provide an up to the minute report on their status.
Canary Incident: Shared File Opened. Source: 22.214.171.124 Target: dc 104 (10.122.34.5) File: “2016-Tender-Summary.pdf” User: Guest
When an incident occurs, we alert you via email or text message as you prefer.
Manage your alerts in the console, where you can get more information on what triggered the incident.
Canary pricing allows you to start immediately, with tiny upfront costs. For under $10k, you get 5 Canaries, a dedicated console, and 5 licences for alerts, support and maintenance.
Got different requirements? Get in touch and we can help with additional Canaries.
Canary is simple, brilliant & effective
Yes and No.
Honeypots are a great idea. Everyone knows this, so why is almost nobody running them on internal networks? Simple: because with all the network problems we have, nobody needs one more machine to administer and worry about. We know the benefits that honeypots can bring but the cost and effort of deployment always drops honeypots to the bottom of the list of things to do.
Canary changes this. Canaries can be deployed in minutes (even on complex networks), giving you all of the benefits without the admin downsides.
It usually takes less than 5 minutes from unboxing your Canary to having it ready for action on your network. With just a few clicks, you'll have a high interaction honeypot, and be able to track who’s browsing shares for PDF documents, trying to log into a NAS, or portscanning your network.
Canaries are deployed inside your network and communicate with the hosted console through DNS. This means the only network access your Canary needs is to a DNS server that's capable of external queries, which is much less work than configuring border firewall rules for each device.
Simply choose a profile for the Canary device (such as a Windows box, brand-name router, or Linux server). If you want, you can further tweak the services your Canary runs. Perhaps you need a specific IIS server version or OpenSSH, or a Windows file share with real files constructed according to your own naming scheme (say, 2016-tenders.xls). Lastly, register your Canary with our hosted console for monitoring and notifications.
Then you wait. Attackers who have breached your network, malicious insiders and other adversaries make themselves known by accessing your Canary. There's little room for doubt. If someone browses a file share and opens a sensitive-looking document on your Canary (\\fin_srv_02\Planning\2016_forecasts.xls), you'll immediately be alerted to the problem.
You possibly already do have a problem, you might just not know it. Canary changes that.
No. Canary doesn't do anomaly detection (with machine learning or otherwise) by learning to detect malicious behaviour in day-to-day activity. The Canary triggers are incontrovertibly simple: if someone is accessing your lure-files, or brute-forcing your fake internal ssh server, then you have a problem. Canary uses deceptively simple, but high quality markers of trouble on your network.
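The trigger logic described above, sketched as an added example (it is not Thinkst's code and not part of the original page): any touch of a decoy is an incident, with no baseline or scoring. The key=value log format, field names and non-decoy hosts are constructed for illustration; the lure path and decoy address reuse the page's own examples.

```python
import ntpath
import re
from collections import Counter

# Constructed decoy inventory: no legitimate workflow touches these.
LURE_FILES = [r"\\fin_srv_02\Planning\2016_forecasts.xls"]
DECOY_SSH_HOSTS = {"10.122.34.5"}

# Constructed log lines in a hypothetical "key=value" audit format.
SAMPLE_LOG = r"""
type=file_open src=10.0.8.14 user=jsmith path=\\files01\HR\leave_form.docx
type=file_open src=10.0.8.77 user=Guest path=//FIN_SRV_02/planning/tmp/../2016_Forecasts.xls
type=ssh_auth src=10.0.8.77 user=root dst=10.122.34.5 result=fail
type=ssh_auth src=10.0.8.77 user=admin dst=10.122.34.5 result=fail
type=ssh_auth src=10.0.8.14 user=jsmith dst=10.0.1.20 result=ok
""".strip().splitlines()

def canon_unc(path):
    """Fold case, slash style and '..' so path variants still hit the lure."""
    return ntpath.normpath(path.replace("/", "\\")).lower()

def parse(line):
    """Split 'k=v k=v' into a dict; values in this format contain no spaces."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def incidents(lines):
    """Return {(rule, source): hit_count}. Any hit is an incident: there is
    no baseline, score or threshold, because decoys have no legitimate use."""
    lures = {canon_unc(p) for p in LURE_FILES}
    hits = Counter()
    for ev in map(parse, lines):
        if ev.get("type") == "file_open" and canon_unc(ev.get("path", "")) in lures:
            hits[("lure_file_opened", ev["src"])] += 1
        elif ev.get("type") == "ssh_auth" and ev.get("dst") in DECOY_SSH_HOSTS:
            # The result field is ignored: one attempt on a decoy is a finding.
            hits[("decoy_ssh_login_attempt", ev["src"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (rule, src), n in incidents(SAMPLE_LOG).items():
        print(f"ALERT {rule} source={src} events={n}")
```

The ordinary file open and the successful login to a real host produce nothing, while the single source that touched both decoys is reported once per rule with its event count.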
You could certainly set up honeypots but, the truth is, most haven't. Why? Two reasons as far as we can tell: most projects have limited protocol support, meaning you have to run multiple honeypots to cover a range of common protocols, and monitoring and notifications across multiple honeypots quickly becomes tricky, especially if you want to have many honeypots scattered around your network.
Canary makes this easy; we have multiple protocols supported out-of-the-box, and our hosted console gives you effortless monitoring and notifications.
We have a console, and we think it's pretty, but we really don't want you to spend much time on it. After you set up your Canaries you forget about the whole thing completely. When one of your Canaries chirps, only then do you attend to the problem.
If your Canary can get off just one alert (and it really should) then your console far away is going to log and alert on this. Whatever happens to the Canary after that won't matter since it stores nothing of value.
Identification will require active interrogation of the devices, and we detect common fingerprinting methods and then alert. After that, even if the attacker correctly identifies a Canary, you know they're looking and can investigate further.
Thinkst Canary is a unique product. Our name, however, is not related to any of the following trademarks: