What do “canaries” have to do with cyber security?
Staying ahead of potential threats and breaches is a constant battle. One clever, low-cost way to detect intruders in your network is the use of “canaries”: decoy assets that exist only to reveal unauthorized access.
What are canaries?
For centuries, canaries – the bird – have been used in coal mining as a “sentinel species”. The idea is that a canary is sensitive to toxic gases, especially carbon monoxide. A canary becomes sick before human miners do, acting as an “early warning system” and allowing human beings to escape or put on protective gear.
In the context of information security, canaries are decoy systems, folders, databases, data values, or other assets strategically placed within a network or system. These are sometimes referred to as “honeypots” or “honeytokens”. These decoy systems are designed to mimic real assets, but are entirely fake or empty. The idea is simple: if a malicious actor gains unauthorized access to your network or system, they will encounter these canaries, triggering an alert.
What are the benefits of canaries?
By placing canaries strategically across your network, you can detect potential intrusions in their early stages. When an attacker interacts with a canary, it generates an alert, giving your security team a head start in responding before the intrusion causes significant damage. Because canaries contain fake or empty data that nobody ever has a legitimate need to access, any interaction is suspicious by definition, so they provide extremely high-fidelity alerts. This saves investigation time, especially for security teams with limited resources.
Canaries aren’t only effective against external threats; they can also identify insider threats, such as authorized users who try to open any data they can reach, whether or not they need it. An employee triggering a canary may prompt additional investigation and response.
How do we implement canaries?
To effectively implement canaries in your information security strategy, follow these key steps:
1. Identify Critical Assets: Determine which assets and systems are most critical to your organization’s operations and security. These are the areas where canaries can be most beneficial.
2. Create Realistic Decoys: Develop decoy assets that mimic other assets on your systems. They should be convincing enough to trick potential intruders.
3. Distribute Canaries Strategically: Place canaries across your network, focusing on areas with a higher risk of intrusion. This could include entry points, sensitive databases, or key servers.
4. Monitor and Alert: Set up robust monitoring systems to detect interactions with canaries. Since canary alerts are high fidelity, they should be investigated immediately.
5. Regularly Update and Maintain: Canaries are useful only as long as they are managed! Keep your canaries up to date, mirroring changes in your network and systems. This ensures that they remain effective and relevant over time.
Many organizations can use pre-existing security technologies to alert on canaries. For example, a canary can be included in a custom rule in an EDR, a web application firewall, a perimeter firewall, etc. Some security technologies even have canary features built in.
A canary is not a specific type of data; nearly any type of asset can be deployed, as long as it’s possible to alert on interaction with it. Here are some ideas for canaries:
| Canary asset | Alert on |
|---|---|
| User account | Successful and unsuccessful authentication attempts |
| Web server directory or URL | HTTP/S request to the target |
| File directory (e.g., on a share or in the drive root) | Access; new, deleted, or modified files |
| Open port or service on a server | Network requests to the port/service |
| Server (for example, in a guest wireless VLAN) | Interaction with any service on the server |
| Database value | Export; the value crossing network perimeters |
| Hidden values or metadata in documents | Document access; search engine alerts |
Even though canaries contain worthless values, they are still part of your network. An attacker could potentially use these assets to move laterally if they are carelessly deployed. When developing canary assets, carefully consider:
- Is it purposely vulnerable, like an unpatched server or a user account with a weak password? If so, isolate it from access to legitimate resources.
- How will your organization manage, patch, and move or offboard the canary asset?
- Where is the canary asset on the network, and what other resources does it have access to?
- What interaction should this canary alert on? It’s possible some automated processes may “touch” a canary. In this case, a monitor-only period may help minimize false positives across canary assets while giving analysts time to tune alerts.
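The table above lists what to alert on for a user-account canary and a web-URL canary, and the last bullet describes tuning out automated processes during a monitor-only period. The following script, an added example that is not from the original article, puts both together: it scans constructed web access log lines and constructed authentication log lines for interactions with canary identifiers, and marks hits from a known automated source as monitor-only rather than alert-worthy. The canary URL, the canary account name, the log formats, and the IP addresses are all constructed placeholders, not values from the article.

```python
"""Canary-hit detector over sample log lines (added example, not the article's code).

Assumptions (constructed for this example):
- web access logs in Apache/nginx "combined" style
- a simplified auth log: "<timestamp> auth user=<name> result=<success|failure> src=<ip>"
- the canary URL and canary account below are placeholders with no legitimate use
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed canary inventory: nobody should ever request this path or log in as this user.
CANARY_URLS = {"/backup/db-export.sql"}
CANARY_USERS = {"svc-legacy-backup"}

# Constructed allowlist built during a monitor-only period: an internal vulnerability
# scanner crawls every URL, so its canary hits are recorded but not alerted on.
KNOWN_AUTOMATION = {
    ("web", "10.0.0.5"),
}

ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTH_LOG_RE = re.compile(
    r'^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>success|failure) src=(?P<src>\S+)$'
)


@dataclass(frozen=True)
class CanaryHit:
    kind: str     # "web" or "auth"
    canary: str   # which decoy was touched
    src: str      # source address
    detail: str   # HTTP status or auth result
    alert: bool   # False when the source is known automation (monitor-only)


def parse_line(line: str) -> Optional[CanaryHit]:
    """Return a CanaryHit if the line touches a canary, otherwise None."""
    m = ACCESS_LOG_RE.match(line)
    if m:
        path = m.group("path").split("?", 1)[0]  # a query string does not change the target
        if path in CANARY_URLS:
            src = m.group("src")
            # Any status counts: a 404 still proves someone asked for the decoy path.
            return CanaryHit("web", path, src, m.group("status"),
                             alert=("web", src) not in KNOWN_AUTOMATION)
        return None
    m = AUTH_LOG_RE.match(line)
    if m and m.group("user") in CANARY_USERS:
        src = m.group("src")
        # Both failed and successful attempts matter; the account has no legitimate user.
        return CanaryHit("auth", m.group("user"), src, m.group("result"),
                         alert=("auth", src) not in KNOWN_AUTOMATION)
    return None


def scan(lines: List[str]) -> List[CanaryHit]:
    """Scan log lines in order and return every canary interaction found."""
    return [hit for hit in (parse_line(line) for line in lines) if hit is not None]


# Constructed sample log lines: one ordinary page view, one external probe of the canary
# URL, one scanner crawl of it, one normal login, and two attempts on the canary account.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /backup/db-export.sql HTTP/1.1" 404 169',
    '10.0.0.5 - - [10/Oct/2023:14:00:01 +0000] "GET /backup/db-export.sql?x=1 HTTP/1.1" 404 169',
    '2023-10-10T14:02:11Z auth user=alice result=success src=10.0.0.20',
    '2023-10-10T14:02:30Z auth user=svc-legacy-backup result=failure src=198.51.100.9',
    '2023-10-10T14:02:35Z auth user=svc-legacy-backup result=success src=198.51.100.9',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        label = "ALERT" if hit.alert else "monitor-only"
        print(f"{label:12} {hit.kind:4} {hit.canary} from {hit.src} ({hit.detail})")
```

Running the block yields four canary interactions, three of which alert; the scanner's crawl is kept as a record but suppressed. In a real deployment the `KNOWN_AUTOMATION` set is what the monitor-only period produces, and it should stay short: every entry on it is a source from which a canary touch will go unnoticed.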
In the ever-evolving landscape of information security, organizations must adapt to defend against emerging threats. Canaries offer early threat detection, enhancing overall security posture. By strategically placing decoy assets throughout your network, you can turn potential attackers into unwitting informants.