OpenCanary attack detection

Canary in a Coal Mine

Article from ADMIN 75/2023
The canary in a coal mine has made its way metaphorically into IT security with the OpenCanary honeypot for detecting attacks.

The idea of using honeypots to let attackers penetrate specially prepared systems in an effort to learn more about the attackers themselves and the methods they use is long established. The aim is to uncloak the perpetrators' actions and, in particular, how they move around the network (lateral movement) or what information they access.

Honeypots are also deployed to capture email spam. Email accounts created especially for this purpose are published in non-visible areas of websites. The assumption is that bots collect these addresses and use them to spread spam. The incoming email is bound to be spam and can therefore help improve the filter.

OpenCanary [1] lets you set up network services quickly, and it notifies you when they are accessed. You have many deployment options. One is to run OpenCanary on public addresses that are not used for other purposes. IP addresses adjacent to publicly available services, as well as adjacent or unused ports on those machines, are often a good choice. If you are running a web server, it usually responds to requests on ports 80 and 443. Nowadays these requests are often forwarded to internal services, with the web server acting as a proxy. Attackers try to access poorly secured or vulnerable servers or internal information over ports 8001, 8080, 8443, or 9000, for example.

If you run a honeypot with a public IP address, you will quickly notice that it receives an enormous number of requests. Most are probably just scans, often triggered by (mostly) legitimate systems, such as vulnerability scanners like Shodan [2] or security researchers around the world. If you generate an alert for each event, the actual attacks will be lost in the flood of data.
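An added example (not from the article or the OpenCanary project) of the triage the previous paragraph calls for: instead of alerting on every event, it alerts only on internal sources or submitted credentials and counts the rest per source. The field names `src_host`, `dst_port` and `logdata` assume OpenCanary's JSON event layout; the sample events, the internal ranges and the alert policy are constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

# Assumed site policy: address space that counts as "inside" for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample events; field names assume OpenCanary's JSON log layout.
SAMPLE_LOG = """\
{"src_host": "", "dst_port": -1, "logdata": {"msg": "Canary running"}}
{"src_host": "198.51.100.7", "dst_port": 8080, "logdata": {"PATH": "/"}}
{"src_host": "198.51.100.7", "dst_port": 8443, "logdata": {"PATH": "/"}}
{"src_host": "203.0.113.9", "dst_port": 22, "logdata": {"USERNAME": "root", "PASSWORD": "x"}}
{"src_host": "10.0.4.23", "dst_port": 9000, "logdata": {"PATH": "/"}}
not json at all
"""


def triage(lines, known_scanners=frozenset()):
    """Split events into alerts worth acting on and per-source noise counts."""
    alerts, noise = [], Counter()
    for line in lines:
        try:
            event = json.loads(line)
            src = ipaddress.ip_address(event["src_host"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed line or service message without a source
        port = event.get("dst_port")
        logdata = event.get("logdata") or {}
        if any(src in net for net in INTERNAL_NETS):
            # An internal host has no business touching the canary at all.
            alerts.append((str(src), port, "internal source"))
        elif str(src) in known_scanners:
            noise[str(src)] += 1  # allowlisted scanner: count, do not alert
        elif "USERNAME" in logdata or "PASSWORD" in logdata:
            alerts.append((str(src), port, "credentials submitted"))
        else:
            noise[str(src)] += 1  # bare connection or request: scan noise
    return alerts, noise


if __name__ == "__main__":
    alerts, noise = triage(SAMPLE_LOG.splitlines())
    for src, port, reason in alerts:
        print(f"ALERT {src} -> port {port}: {reason}")
    print("suppressed:", dict(noise))
```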

OpenCanary offers genuine added value if you run it on your internal network. Once an attacker has penetrated a corporate network, they will

...