Would your rather observe an eclipse through a pair of new Ray-Bans, or a used Shade 12 welding helmet? Undoubtably the Aviators are more fashionable, but the permanent retinal damage sucks. Fetch the trusty welding helmet. We’ve made a number of security choices when building Canary that have held us in pretty good stead. These choices are interesting in that they don’t involve the purchase of security products, they don’t get lots of discussion in security engineering threads, and they …
Year: 2024
Refreshing Canarytokens.org: a new interface, new functionality, and our security assessment results
Today, we’re excited to announce the launch of the revamped Canarytokens.org, our free Canarytokens service. When you visit the updated site, you’ll notice several key enhancements. First, the user interface has undergone a significant refresh. At Thinkst, we view code as a craft, and this philosophy guided us as we meticulously rebuilt the interface piece by piece. The result is an experience that is not only more intuitive but also more enjoyable to use. Second, we’ve expanded the management functionality …
At Thinkst Canary, we make the world’s easiest to deploy and manage honeypots. The high-level architecture for each customer is a web-based management dashboard (called the Console), plus the honeypots that the customer has deployed into their networks. We run the dashboard, customers run the honeypots. Our Console fleet is thousands of machines at this time, and this blogpost describes how we recently upgraded our fleet without any customer-noticeable downtime. Background: Canary Consoles Customers manage their honeypots, configure alerting, and …
This is the second post in an ongoing series that examines documented/public breaches with a special focus on Canary and Canarytoken deployment. The posts do not intend to imply that we would have been a silver bullet and prevented the breach; rather, our approach has been to help detect breaches. These posts are primarily intended to give our customers and users ideas for possible deployment options. In this 2nd blog post, we’ll look at: Why do attackers like file shares? …
Any Thinksters who have been in physical or virtual proximity to me over the last year have likely suffered at least one whinge session about “the Glorifier”. The especially fortunate have suffered several. I’m relieved to say that, at long last, the whinges are over. In this post, I’m going to walk through the travails of producing the Glorifier mostly as a cathartic exercise but extracting a few lessons from the experience. Our story is told in seven parts: Let’s …
This is the first post in an ongoing series that aims to examine documented/public breaches with a special focus on Canary and Canarytoken deployment. The posts do not intend to imply that we would have been a silver bullet and prevented the breach; rather, our approach has been to help detect breaches. These posts are primarily intended to give our customers and users ideas for possible deployment options. We love the work done by the team at the DFIR report …
Front matter In a previous post, Casey talked about our Cloned Website Canarytoken and how it fares against modern phishing attacks. Today, we are releasing two new versions of the token which alert you when an attacker is using an Adversary-in-the-Middle (AitM) attack against one of your sites. An added bonus is that the new tokens can be deployed on properties you only have limited administrative access to (like your Azure tenant login portal or hosted blog). In this post …
Recently friend-of-Thinkst (and CTO of NCSC) Ollie Whitehouse tweeted this interesting tidbit: We’re always looking for new types of Canarytokens, so it would be cool if we used this method to create video file Canarytokens. Quick background explainer We build Canaries that act as entire machines, require almost no configuration and boot as various Operating Systems. The logic is that it takes you less than a minute to set it up, and when an attacker lands on your network, they …
You can do complex things with Canaries but you don’t need to. Even though Canaries will happily pose as SCADA equipment or Mainframes, a Windows personality, with a well-named fileshare, has caught attackers all over the world. Can it be that easy? Won’t really good attackers be suspicious? The answer is slightly counter-intuitive: Attackers who land on your network have to situate themselves. They have to poke around. But won’t they ignore a server that looks suspiciously unguarded? Almost never. …
tl;dr: You can now create breadcrumbs to lure attackers to your Canaries with just a few clicks. Canaries and (their) Discoverability Our thesis with Canary has always been simple: Attackers who land in your infrastructure need to situate themselves and they do this by looking around. They run commands and touch systems that regular users never need to. By being selective about which services Canaries offer we can find the sweet-spot of services that are super-trivial to deploy, super likely …