Thinkst Canary

Thinkst Canary is a deception technology chosen by CYDERES to augment security programs with high fidelity detection points that can be spread across environments. Configure and deploy your Canaries throughout your network. (These can be hardware, virtual or cloud-based birds!)

Why Use a Thinkst Canary

Most companies discover they’ve been breached way too late. Thinkst Canary fixes this: just three minutes of setup; no ongoing overhead; nearly zero false positives, and you can detect attackers long before they dig in. Check out why our Physical, VM and Cloud Based Canaries are deployed and loved on all seven continents...

Scope and Sizing

Thinkst Canaries come in packs of five or more of either hardware, virtual or cloud-based deployments. There’s no limit on Canarytokens.

What Canaries Are

Canaries can be physical devices but they aren't just hardware devices. You can run virtualized Canaries inside your virtual infrastructure with the same features that a physical Canary brings.

Virtual Canary Requirements: All that's needed for a fully functioning bird:

  • A valid Canary license
  • Disk space larger than 10GB
  • 2GB memory
  • Single CPU core

What Canarytokens Are

As a Canary customer, Canarytokens is available to you completely free, and generated alerts will show up in your console like any other. Canarytokens are a simple way to tripwire things. An old concept, they can be super useful (and are trivial to use) but require some background infrastructure to get working. This infrastructure is provided so you can deploy tokens in seconds and get the benefit from them immediately.

You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests.

Imagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.
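The web-bug mechanism described above, as an added example (not Thinkst's code): each placement gets its own unguessable URL, and any GET for that URL in the web server's access log becomes an alert tied to where the token was planted. The host `tokens.example.invalid`, the `/t/<id>/pixel.gif` path layout, and the `TokenRegistry` class are assumptions made for illustration.

```python
import re
import secrets

# Hypothetical token host and path layout, used only for this illustration.
TOKEN_BASE = "https://tokens.example.invalid/t"
# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TOKEN_PATH_RE = re.compile(r"^/t/([0-9a-f]{32})/pixel\.gif(?:\?.*)?$")

class TokenRegistry:
    """Maps each unique token id to a memo saying where it was planted."""

    def __init__(self):
        self._memos = {}

    def mint(self, memo):
        token_id = secrets.token_hex(16)  # unguessable, one per placement
        self._memos[token_id] = memo
        url = f"{TOKEN_BASE}/{token_id}/pixel.gif"
        return token_id, f'<img src="{url}" width="1" height="1" alt="">'

    def scan(self, log_lines):
        """Return an alert for every GET that hits a registered token URL."""
        alerts = []
        for line in log_lines:
            m = LOG_RE.match(line)
            if not m or m["method"] != "GET":
                continue
            hit = TOKEN_PATH_RE.match(m["path"])
            if hit and hit[1] in self._memos:  # unknown ids are ignored
                alerts.append({"memo": self._memos[hit[1]], "src_ip": m["ip"],
                               "time": m["time"], "user_agent": m["ua"]})
        return alerts

def demo():
    reg = TokenRegistry()
    token_id, tag = reg.mint("wiki page: VPN setup notes")
    # Constructed sample access-log lines (not real traffic).
    logs = [
        '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"',
        f'203.0.113.9 - - [01/Jan/2024:10:05:12 +0000] "GET /t/{token_id}/pixel.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
        f'203.0.113.9 - - [01/Jan/2024:10:05:13 +0000] "GET /t/{"0" * 32}/pixel.gif HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    ]
    return tag, reg.scan(logs)
```

Because the token URL has no legitimate use, a single matching request is the whole detection; the memo is what tells the responder which document or system was touched.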

How Thinkst Canaries Work

Order, configure and deploy your Canaries throughout your network. (These can be hardware, virtual or cloud-based birds!) Make one a Windows file server, another a router, throw in a few Linux web servers while you're at it. Each one hosts realistic services and looks and acts like its namesake.

Then you wait. Your Thinkst Canaries run in the background, waiting for intruders. Attackers prowling a target network look for juicy content. They browse Active Directory for file servers and explore file shares looking for documents, try default passwords against network devices and web services, and scan for open services across the network. When they encounter a Thinkst Canary, the services on offer are designed to solicit further investigation, at which point they’ve betrayed themselves, and your Canary notifies you of the incident.

How Thinkst Canaries Communicate

Canaries are deployed inside your network and communicate with the hosted console through DNS. This means the only network access your Canary needs is to a DNS server that's capable of external queries, which is much less work than configuring border firewall rules for each device.

How Users Access the Canary Console

  • Log into CYDERES Okta using your email address and password.
  • Click on your Canary

Your Canary Console

Each customer gets their own hosted management console which allows you to configure settings, manage your Thinkst Canaries, and handle events.

Your Thinkst Canaries constantly report in, and provide an up-to-the-minute report on their status (but this is not another pane of glass that you need to constantly monitor). Even customers with hundreds of Canaries receive just a handful of events per year. When an incident occurs, we alert you via email, text message, Slack notification, webhook or old-fashioned syslog. These alerts are also sent over to CYDERES for our analysts to work as they are generated. The internal security team will be contacted about relevant alerts as well.

Canary Deployment

Thinkst Canaries can be deployed with a number of different "personalities" to emulate common services in an environment.

Connectivity Requirements

Destination    Port              Direction
*.cnr.io       TCP/53, UDP/53    External Outbound

Also validate connectivity to any services the Canary will be listening on.
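A pre-deployment check for the DNS requirement stated under "How Thinkst Canaries Communicate" and in the table above, as an added example (not Thinkst or CYDERES tooling): it sends one recursive query for a name under cnr.io to your internal resolver over UDP/53 and again over TCP/53 and reports the response code for each. The name `placeholder-console.cnr.io` is a placeholder, and the function names are assumptions.

```python
import secrets
import socket
import struct

# Placeholder name: substitute the console hostname you were issued under cnr.io.
TEST_NAME = "placeholder-console.cnr.io"

def build_query(name, qtype=1):
    """Encode a recursive DNS query (default type A); return (txid, packet)."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_reply(txid, data):
    """Return (rcode, answer_count, truncated); raise on a mismatched reply."""
    if len(data) < 12:
        raise ValueError("short DNS reply")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit not set
        raise ValueError("reply does not match query")
    return flags & 0x000F, ancount, bool(flags & 0x0200)

def probe(resolver, name=TEST_NAME, timeout=3.0):
    """Query the resolver over UDP/53 and TCP/53; map transport -> result."""
    results = {}
    for transport in ("udp", "tcp"):
        txid, pkt = build_query(name)
        try:
            if transport == "udp":
                with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                    s.settimeout(timeout)
                    s.sendto(pkt, (resolver, 53))
                    data = s.recvfrom(4096)[0]
            else:
                with socket.create_connection((resolver, 53), timeout) as s:
                    s.sendall(struct.pack("!H", len(pkt)) + pkt)  # 2-byte length prefix
                    reader = s.makefile("rb")
                    size = struct.unpack("!H", reader.read(2))[0]
                    data = reader.read(size)
            results[transport] = parse_reply(txid, data)
        except (OSError, ValueError, struct.error) as exc:
            results[transport] = f"FAILED: {exc}"
    return results
```

Run `probe("<resolver IP>")` from the segment where the Canary will sit. A SERVFAIL (2) or REFUSED (5) response code, or a timeout on either transport, points to a resolver or firewall that is not passing external lookups.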

Canary Use Cases

Here are some of our favorite deployments for your Canaries that can fit many situations:

Cisco 1921 Router

  • Canary type: Physical
  • Services: Telnet, SSH, Web Server
  • Location: DMZ, Data Center, Office Locations
  • Details: This canary can be placed on any network segment with other devices. Device name, description, and comments should resemble other devices in the segment.

Windows Server 2016 Web Server

  • Canary type: Virtual
  • Services: HTTP, IIS, VNC, Windows File Share
  • Location: DMZ, Data Center
  • Details: This canary should be placed alongside the existing public-facing website and be configured to match server settings as closely as possible.

Windows 10 Desktop Fileshare

  • Canary type: Physical
  • Services: Windows File Share
  • Location: Corporate or Remote Office
  • Details: The canary should be embedded within the client segment at a remote office.

Standard Linux Server

  • Canary type: Virtual
  • Services: SSH, Telnet, VNC
  • Location: Data Center
  • Details: This canary should be placed alongside existing servers with similar configurations and service availability.

NAS File Server

  • Canary type: Physical
  • Services: NFS (Unix), SMB (Windows)
  • Location: Other Storage Devices or Remote Office
  • Details: Device should be placed within the storage environment. Device name, share name, description, and comments should resemble other storage devices in the segment.

Windows Server 2012 Office Fileshare

  • Canary type: Virtual
  • Services: Windows File Share
  • Location: File Sharing Segment
  • Details: This canary should be placed within the file sharing segment. Computer name, share name, description and comments should resemble other file shares in the segment.

SCADA Device

  • Canary type: Physical
  • Services: Modbus
  • Location: Similar Devices
  • Details: This canary should be placed alongside SCADA devices with similar configurations and service availability.

Linux Database

  • Canary type: Virtual
  • Services: MySQL
  • Location: DMZ
  • Details: This canary should be placed alongside an existing database server driving the public-facing customer site. Alternative configurations should be considered if the platform is not currently running on MySQL.

Additional Resources

Canary Bird Guide

Thinkst Canary Knowledge Base

Virtual Canary Setup Guide

How to Reset a Canary