Birds at (Tail)scale

This week we are super excited to release the latest addition to our lineup of Thinkst Canary platforms: Tailscale.

Background

We’ve always made sure that deploying Canaries is absurdly quick and painless. It’s why you can add a hardware Canary to your network just by plugging it in and why most customers end up re-thinking their detection roadmaps: https://twitter.com/bigendiansmalls/status/970342360923033601

We adore Tailscale: They have a first-rate team and their product is also widely loved for being startlingly simple to deploy.

3rd-party API-Key Leaks (and the Broker)

INTRODUCTION

Continually refining our security operations is part and parcel of what we do at Thinkst Canary to stay current with attacker behaviours. We’ve previously written about how we think about product security (where we referenced earlier pieces on custom nginx allow-listing, sandboxing, or our fleet-wide auditd monitoring). Recently we examined our exposure to API key leakage, and the results were unexpected.

THIRD PARTY API KEYs

Like most companies, we use a handful of third-party providers for ancillary services. And,

Why control matters

In March we moved from Groove to Zendesk, and our Knowledge Base (KB) moved with it. The challenge we faced was namespacing: KB articles hosted on Groove were in the namespace http://help.canary.tools/knowledge_base/topics/, but the namespace /knowledge* is reserved on Zendesk and is not available for our use. This forced us to migrate all KB pages to new URLs and update the cross-references between articles. This addressed the user experience when one lands at our KB portal by

Canarytokens: Token Anything, Anywhere

InfoSec superstar (and long-time Canary fan) theGrugq recently mused on Twitter about generating alerts when certain binaries are run on your hosts. We definitely think it has its uses, and we figured it would be worth discussing a quick way to make this happen (using the existing http://canarytokens.org).

TL;DR: You can pass arbitrary data to a web-token, allowing you to use it as a reliable, generic alerter of sorts.

We often refer to our Web and DNS Canarytokens as our

Canary Alerts, Part 2 – Bonus Flavours

Canaries and Canarytokens are tripwires that can alert you to intrusions. When alerts trigger, we want to make sure you get them where you need them. While our Slack integration is cool, you might prefer to send alerts through your SIEM. Or to a security automation tool. Maybe you want to leverage our API to integrate Canary alerts into a custom SOC tool. Want to turn a smart light bulb red and play the Imperial March? You could do that

Alerts Come in Many Flavours

If you force people to jump through hoops to handle alerts, they’ll soon stop doing it 🤯 Canary optimizes for fewer alerts but we also ensure that you can handle alerts easily without us. So it takes just 4 minutes to set up a Canary but far less to pull our alerts into Slack.

By default, your console will send you alerts via email or SMS, but there are a few other tricks up its sleeve. It is trivial to also

I'm Running Canaries, but…

…what if someone finds out? Do attackers care if there are canaries in my network? People wonder if they need to hide the defensive tech used on their networks. Like all interesting dilemmas, the answer is nuanced.

In defense of obscurity

In any discussion about obscurity you will almost certainly have someone shout about “security through obscurity” being bad. As a security strategy, obscurity is a terrible plan. As an opportunity to slow down or confuse attackers, it’s an easy

Introducing Rapsheet

We’ve got hundreds of servers and thousands of Canaries deployed in the world. Keeping them healthy is a large part of what we do, and why customers sign up for Canary. Monitoring plays a big role in supporting our flocks and keeping the infrastructure humming along. A pretty common sight in operations are dashboards covered with graphs, charts, widgets, and gizmos, all designed to give you insight into the status of your systems. We are generally against doing things “just

Introducing the Office 365 Mail Token

Shared passwords, sensitive documents: mailboxes are great targets for attackers. Would you know they were targeted? We’ve got your back! Our Office 365 token deploys to thousands of mailboxes in minutes and alerts you when someone is snooping around.

Why an Office 365 Mail token?

Enterprises have been flocking (ha) to Office 365 for years now and a large number of Thinkst customers are using it. The Canaries will detect attackers on their networks, but nothing lets them know if

One Month with Thinkst

Recently, I was faced with a career dilemma.

- Go back to the enterprise and be a CISO
- Take a gig that would be part research, part bizdev
- A research and writing gig
- Consulting/Advisory work
- Join another vendor

SPOILER: I chose the last one… but why?

Why Thinkst?

Thinkst Applied Research is the company behind the popular Canary product. Though they started off as more of a research firm that would build various products, the Canary product took off and has

Authored with 💚 by Thinkst