Know. When it matters
Why Canary
#CanaryDetecting
You can detect attackers long before they dig in
#CanaryEasyToDeploy
It takes less than 5 minutes from unboxing to get it ready for action on your network.
#CanaryAffordable
No additional costs for administrative and support staff, infrastructure
#CanaryCorrect
Nearly 0 false positives
#CanaryInTime
One alert. When it matters.
#КанаркаScalable
Фізичне, хмарне та віртуальне розгортання
How it works
It's quite simple
Step 1
Order, configure and deploy your Canaries throughout your network. These can be hardware, virtual or cloud-based "birds." Make one a Windows file server, another a router, throw in a few Linux webservers while you're at it. Each one hosts realistic services and looks and acts like its namesake.
Step 2
Just wait. Your Canaries run in the background, waiting for intruders.
Step 3
When attackers start raving after your network, they encounter a Canary. Trying to obtain information from them, intruders will betray themselves (their IP address or even the the user's password stolen before.) Canary will immediately notify you of the incident.
Console
Each customer gets their own hosted management console which allows you to configure settings, manage your Canaries and handle events..
Your Canaries constantly report in, and provide an up-to-the-minute report on their status, but you don't need to constantly monitor them. Even customers with hundreds of Canaries receive just a handful of events per year. When an incident occurs, we alert you via email, text message, slack notification, webhook or old-fashioned syslog.
Canary + messengers
Many customers rarely visit their consoles after setup. You can be notified in a convenient way and on time. And this is important. More and more users prefer to get notifications on Slack, Microsoft Teams or Telegram.
Integration with Slack, Hipchat or Microsoft Teams is as easy as a few clicks via user's console. There is a special Telegram bot, which can help you with integration to receive instant messages.
FAQ
Isn't this just a honeypot?
Yes and No.
Honeypots are a great idea. Everyone knows this, so why is almost nobody running them on internal networks? Simple: because with all the network problems we have, nobody needs one more machine to administer and worry about. We know the benefits that honeypots can bring but the cost and effort of deployment always drops honeypots to the bottom of the list of things to do.
Canary changes this. Canaries can be deployed in minutes (even on complex networks), giving you all of the benefits without the admin downsides.How easily can they be deployed?
It usually takes less than 5 minutes from unboxing your Canary, to have it ready for action on your network. With just a few clicks, you'll have a high interaction honeypot, and be able to track who’s browsing shares for PDF documents, trying to log into a NAS, or port scanning your network.
How do they communicate with the console?
Canaries are deployed inside your network and communicate with the hosted console through DNS. This means the only network access your Canary needs is to a DNS server that's capable of external queries, which is much less work than configuring border firewall rules for each device.
So Canaries are sensors. Do you use them to do machine learning for anomaly detection?
No. Canary doesn't do anomaly detection (with machine learning or otherwise) by learning to detect malicious behavior in day-to-day activity. The Canary triggers are incontrovertibly simple: if someone is accessing your lure-files, or brute-forcing your fake internal ssh server, then you have a problem. Canary uses deceptively simple, but high-quality markers of trouble on your network.
Can I do this on my own using open source projects?
You can certainly setup honeypots but, the truth is, most people don't need. Why? Two reasons as far as we can tell: most projects have limited protocol support meaning you have to run multiple honeypots to cover a range of common protocols, and monitoring and notifications across multiple honeypots quickly becomes tricky especially if you want to have many honeypots scattered around your network.
Canary makes this easy; we have multiple protocols supported out-of-the-box, and our hosted console gives you effortless monitoring and notifications.What if an attacker DoS'es the device or compromises it?
If your Canary can get off just one alert (and it really should) then your console far away is going to log and alert on this. Whatever happens to the Canary after that won't matter since it stores nothing of value.
What if an attacker identifies the device as a Canary? Won't they simply avoid it?
Identification will require active interrogation of the devices, and we detect common methods for fingerprinting then alert. After that, even if the attacker correctly identifies a Canary, you know they're looking and can investigate further.
How to prevent the device from disrupting the network and is there any possibility that it can be used for misdeeds? What about warrantee on hardware devices?
Canary is delivered as SaaS. The company providing the service is liable under the law. For Ukrainian clients 10Guards is a party to the agreement. The hardware device got certified in Ukraine and registered by the National Commission for the State Regulation of electronic communications. Defective devices are replaced with new ones without extra payments.
What are Canarytokens?
Last month an attacker compromised one of your users, and has been reading the company chat. Since then, she’s been searching for keywords and embarrassing data. Would you know?
Your lead developer was targeted and compromised at the local Starbucks. Would you notice?
You could, with Canary tokens. Drop our fake AWS-API keys on every enterprise laptop. Attackers compromising your users _have_ to use them, and when they do, they tip their hand…
Canary tokens are tiny tripwires that you can drop into hundreds of places.
Canary geography
Up until the late 20th century, canaries were used by miners to detect dangerously high levels of toxic gases like carbon monoxide to protect them from inhaling dangerous substances. In cybersecurity, a Canary refers to a virtual or physical device, developed by the cybersecurity company Thinkst.
Thinkst released a complete palette of Canary products, services and tools to effectively use honeypots in a network. The difference between the miner’s canary and a honeypot: While the miner’s bird just dies, your canary honeypot will actively alert you while it’s being triggered/hacked.
Hardware, VM and Cloud-based Canaries are deployed and loved on all 7 continents from the networks of billion dollar Silicon Valley darlings to the networks of Nuclear Research Agencies.
In Ukraine Canary is represented by 10Guards.
Customers' love
I have to give a shout out to
@ThinkstCanary
for being awesome. They not only have a great product but also great people behind it. 🦅
Joe Parker
@joesparker
Their on-prem canary is one of the only things that caught me right away in post-exploitation without my knowing I was burned. Solid concept and product.
Vlad Ionescu
@ucsenoi
IMHO, Thinkst is the hottest little security company and technology you’ve never heard of.
Jeremiah Grossman
@jeremiahg
If you have networks, and you care about protecting them, go give @haroonmeer some coins for a bag of @ThinkstCanary. They’re ace.
Bea Hughes
@beajammingh
btw, @ThinkstCanary support is as awesome as their product. unfortunately i had to test it, and have been extremely impressed. and i sure sleep better at night with a bird on the wire.
randy bush
@enoclue
Don’t think, just get them ;). I was a former customer (changed roles). What will you get from them?
The best support, easy interface, great price and the most accurate alert in your environment. #canarylove
Mickey P
@MickeyPerre