Testing out OpenCanary

For fun and excitement over my staycation I’m testing out OpenCanary. Like many people, I’ve been instructed to find ways to cut costs while maintaining or improving the level of security at work. One of the tools in my toolkit has been our Thinkst Canary device. I wanted to roll more of them out, and probably will in the future, but for now there’s no budget for that. The Canary devices are essentially just listening devices. They act as one or more legitimate services that no one should ever attempt to contact. If someone does contact them, you know something is up. It’s a nice addition to your blue team tool bag.

Ideally I’ll be putting one of these at each of our locations. I found a useful video here which I’m following to get this thing up and running. I have several Pis lying around, so I’ll set this up on a Raspberry Pi 3 B+ and see how it works.

Ideally, I’d like to set this thing up to catch SMB, NFS, RDP, SSH, and Telnet. If it gets a hit, it should open a ticket with our service desk and send an alert to the cyber security Teams channel.
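OpenCanary itself writes one JSON object per line to its log file, so the ticket-and-Teams step comes down to reading those lines, deciding which events matter, and shaping an alert. The script below is an added example (mine, not from the original post or the OpenCanary project) of that triage step: it drops the periodic heartbeat events, collapses a burst of hits from one source against one service into a single alert so a password-guessing run produces one ticket instead of hundreds, and builds a Teams MessageCard payload that deliberately leaves captured passwords in the log rather than forwarding them to a chat channel. The sample log lines are constructed, and the `logtype` codes are taken from my reading of the OpenCanary source, so check them against the version you install; posting the card to the channel's incoming-webhook URL is left to the caller because that URL is specific to your tenant.

```python
"""Triage OpenCanary JSON log events into alert payloads (added example)."""
import json
from datetime import datetime, timedelta

# logtype -> label. Assumed from the OpenCanary source; verify for your version.
LOGTYPES = {
    4002: "SSH login attempt",
    6001: "Telnet login attempt",
    5000: "SMB file open",
    14001: "RDP connection",
}
HEARTBEAT = 1004  # periodic "Canary running" ping, not an intrusion signal

# Constructed sample lines in the shape OpenCanary writes. Field names follow
# OpenCanary's log format; hosts, ports, times and credentials are invented.
SAMPLE_LOG = """\
{"dst_host": "10.0.5.20", "dst_port": -1, "local_time": "2020-08-01 09:00:00.000000", "logdata": {"msg": "Canary running!!!"}, "logtype": 1004, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "10.0.5.20", "dst_port": 22, "local_time": "2020-08-01 09:01:10.000000", "logdata": {"USERNAME": "root", "PASSWORD": "toor"}, "logtype": 4002, "node_id": "opencanary-1", "src_host": "10.0.9.77", "src_port": 51002}
{"dst_host": "10.0.5.20", "dst_port": 22, "local_time": "2020-08-01 09:01:12.000000", "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}, "logtype": 4002, "node_id": "opencanary-1", "src_host": "10.0.9.77", "src_port": 51003}
{"dst_host": "10.0.5.20", "dst_port": 23, "local_time": "2020-08-01 09:02:00.000000", "logdata": {"USERNAME": "pi", "PASSWORD": "raspberry"}, "logtype": 6001, "node_id": "opencanary-1", "src_host": "10.0.9.78", "src_port": 40000}
{"dst_host": "10.0.5.20", "dst_port": 22, "local_time": "2020-08-01 09:20:00.000000", "logdata": {"USERNAME": "root", "PASSWORD": "123456"}, "logtype": 4002, "node_id": "opencanary-1", "src_host": "10.0.9.77", "src_port": 51100}
"""


def parse_events(text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a torn line from a log rotation should not stop triage
    return events


def triage(events, window=timedelta(minutes=10)):
    """Return one alert per (src_host, logtype) per time window.

    Heartbeats and unknown logtypes are dropped. Further hits from the same
    source against the same service within `window` of the first hit are
    folded into that alert's count instead of producing a new alert.
    """
    alerts = []
    open_alerts = {}  # (src_host, logtype) -> (alert dict, time of first hit)
    for ev in events:
        lt = ev.get("logtype")
        if lt == HEARTBEAT or lt not in LOGTYPES:
            continue
        ts = datetime.strptime(ev["local_time"], "%Y-%m-%d %H:%M:%S.%f")
        key = (ev["src_host"], lt)
        if key in open_alerts and ts - open_alerts[key][1] <= window:
            open_alerts[key][0]["count"] += 1
            continue
        alert = {
            "node_id": ev["node_id"],
            "service": LOGTYPES[lt],
            "src_host": ev["src_host"],
            "dst": f'{ev["dst_host"]}:{ev["dst_port"]}',
            "first_seen": ev["local_time"],
            # Forward the username only; captured passwords stay in the log.
            "username": ev.get("logdata", {}).get("USERNAME"),
            "count": 1,
        }
        open_alerts[key] = (alert, ts)
        alerts.append(alert)
    return alerts


def teams_card(alert):
    """Build a legacy Office 365 connector MessageCard for one alert."""
    return {
        "@type": "MessageCard",
        "@context": "https://schema.org/extensions",
        "themeColor": "FF0000",
        "summary": f"OpenCanary hit on {alert['node_id']}",
        "title": f"Canary triggered: {alert['service']}",
        "text": (f"{alert['count']} attempt(s) from {alert['src_host']} against "
                 f"{alert['dst']} on {alert['node_id']} starting "
                 f"{alert['first_seen']} (username: {alert['username']})"),
    }


if __name__ == "__main__":
    for a in triage(parse_events(SAMPLE_LOG)):
        print(json.dumps(teams_card(a), indent=2))
```

Run against the constructed log the script yields three alerts: the two SSH attempts from 10.0.9.77 two seconds apart fold into one alert with a count of 2, the Telnet attempt from 10.0.9.78 is its own alert, and the SSH attempt at 09:20 falls outside the ten-minute window and opens a fresh alert. The same dedup key is what you would use to avoid opening duplicate service desk tickets.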

Here’s a direct link to the GitHub page with the instructions. Apt couldn’t find python-pip or python-virtualenv; I had to use python3-pip and python3-virtualenv instead. This happened several more times with different commands. Basically, if you try something and it doesn’t work, remember that you probably need the python3 version. After running through the instructions I was able to get it running without much effort, though a bit of experience with Linux will be very helpful here. I would not say this is a beginner project.

Right off the rip I can see one pretty significant difference between the paid service and the open source project. It doesn’t appear the open source project has a GUI. At all. I can work with that, but it does make me appreciate the white glove treatment we get from the paid implementation.

Once I’m done testing out OpenCanary I’ll post a follow-up and report back on how it works.