CANARIES & HONEYPOTS
In the 19th century, miners brought canaries into coal mines as an early-warning signal for toxic gases. The birds, being more sensitive to carbon monoxide, would become sick before the miners, who would then have a chance to escape.
Fast forward a hundred years and the concept of early warning signals is one of the fundamental aspects of defence in depth. Canaries and honeypots on a computer network are like the canary birds in a mine - an early warning of danger; an isolated and monitored object that detects, deflects and alerts network defenders when targeted.
Canary tokens, honey accounts, honey pots, honey hashes and honey nets appear to store the important data or services that an attacker would look for. When setting up these beacons, however, remember that their primary purpose is to defend your systems and gather intel, not to encourage entrapment, which is ethically suspect.
You should also take the time to read and understand the documentation that comes with these software downloads. Misconfiguring a honeypot can actually expose your system to online attackers rather than protect it!
A CANARY FILE
Create a Microsoft Word document and fill it with fake usernames and passwords. Save the file with a name like ‘password.doc’ and visit this site to create the alert. As soon as the file is opened, you will be sent an email telling you that something is afoot.
A HONEY ACCOUNT
If an attacker is already in your network, they may attempt to log into other people's accounts, using a few common passwords. This technique (known as password spraying) avoids triggering an account lockout, but can yield valid credentials. To detect these malicious hacking attempts, create an account that will immediately alert the security team if a logon is attempted.
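The check described above, sketched as an added example that is not part of the original page: it raises an alert on any logon attempt against the honey account and also flags a source that tries several different accounts in a short window, the pattern password spraying leaves behind. The account name, thresholds, log layout and sample records are assumptions constructed for illustration; 4624 and 4625 are the Windows Security event IDs for a successful and a failed logon.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HONEY_ACCOUNTS = {"svc-backup-admin"}   # hypothetical decoy account name
LOGON_EVENTS = {"4624", "4625"}         # Windows Security: logon success / failure
SPRAY_WINDOW = timedelta(minutes=10)    # assumed correlation window
SPRAY_MIN_ACCOUNTS = 3                  # assumed threshold, tune per environment

# Constructed sample records: time,event_id,account,source_ip
SAMPLE_LOG = """\
2024-05-01T09:00:05,4625,alice,10.0.5.23
2024-05-01T09:00:09,4625,bob,10.0.5.23
2024-05-01T09:00:14,4625,svc-backup-admin,10.0.5.23
2024-05-01T09:00:20,4624,carol,10.0.5.23
2024-05-01T09:03:00,4624,dave,10.0.7.40
2024-05-01T11:30:00,4625,dave,10.0.7.40
"""

def parse(log_text):
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.strip().split(",")
        if event_id in LOGON_EVENTS:
            yield datetime.fromisoformat(ts), event_id, account.lower(), src

def analyse(log_text):
    """Return (honey_hits, spray_sources) for the supplied log text."""
    honey_hits, attempts = [], defaultdict(list)
    for ts, event_id, account, src in parse(log_text):
        attempts[src].append((ts, account))
        if account in HONEY_ACCOUNTS:
            # Nobody legitimately uses the decoy, so success or failure both alert.
            honey_hits.append({"time": ts.isoformat(), "source": src,
                               "account": account, "event_id": event_id})
    spray_sources = {}
    for src, events in attempts.items():
        events.sort()
        best = set()  # largest set of distinct accounts tried inside one window
        for i, (start, _) in enumerate(events):
            seen = {acct for t, acct in events[i:] if t - start <= SPRAY_WINDOW}
            if len(seen) > len(best):
                best = seen
        if len(best) >= SPRAY_MIN_ACCOUNTS:
            spray_sources[src] = sorted(best)
    return honey_hits, spray_sources

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The honey-account hit is the high-confidence signal because it needs no threshold; the spraying correlation adds context about which real accounts the same source also tried.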
A HONEY POT
This is a computer that offers a legitimate-looking service for users. For example, you could create a fake file server with a realistic name that suggests it stores sensitive data. As soon as an attacker attempts to access this computer, an alert is generated. For further information see Binary Defense, Cowrie and WebLabyrinth.
A HONEY HASH
This is a username and password inserted into the memory of a running system, usually an entry-point computer exposed to the internet. Attackers use specialised tools to tap into this memory and steal these passwords. As soon as the attacker tries to use this, however, an alert is sent to the administrator, see here for further guidance.
A HONEY NETWORK
A honey network consists of multiple honey pots set up to study an attacker's activities and methods. The Modern Honey Network (MHN) is an easy way to deploy, manage and monitor multiple beacons on your network and is definitely worth a peekie-boo.