Tourists supply Themselves Away by Looking Up. So Do Most Network Intruders.

In large metropolitan areas, tourists are often easy to spot because they’re far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like data theft and ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.

In a blog post published last month, Cisco Talos said it was seeing a worrisome “increase in the rate of high-sophistication attacks on network infrastructure.” Cisco’s warning comes amid a flurry of successful data ransom and state-sponsored cyber espionage attacks targeting some of the most well-defended networks on the planet.

But despite their increasing complexity, a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly-arrived cybercriminals behaving like network tourists, Cisco says.

“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of ‘first steps’ that someone who wants to understand (and control) your environment would take,” Cisco’s Hazel Burton wrote. “Examples they have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor.’ All these actions supply the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.”

Cisco’s alert concerned espionage attacks from China and Russia that abused vulnerabilities in aging, end-of-life network routers. But at a very important level, it doesn’t matter how or why the attackers got that initial foothold on your network.

It might be zero-day vulnerabilities in your network firewall or file-transfer appliance. Your more immediate and primary concern has to be: How quickly can you detect and detach that initial foothold?

The same tourist behavior that Cisco described attackers exhibiting vis-a-vis older routers is also incredibly common early on in ransomware and data ransom attacks — which often unfurl in secret over days or weeks as attackers methodically identify and compromise a victim’s key network assets.

These virtual hostage situations usually begin with the intruders purchasing access to the target’s network from dark web brokers who resell access to stolen credentials and compromised computers. As a result, when those stolen resources first get used by would-be data thieves, almost invariably the attackers will run a series of basic commands asking the local system to confirm exactly who and where they are on the victim’s network.

This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time — forms the business model of an innovative security company called Thinkst, which gives away easy-to-use tripwires or “canaries” that can fire off an alert whenever all sorts of suspicious activity is witnessed.

“Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage),” the Thinkst website explains. “Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.”

These canaries — or “canary tokens” — are meant to be embedded inside regular files, acting much like a web beacon or web bug that tracks when someone opens an email.

The Canary Tokens website from Thinkst Canary lists nearly two-dozen free customizable canaries.

“Imagine doing that, but for file reads, database queries, process executions or patterns in log files,” the Canary Tokens documentation explains. “Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.”

Thinkst operates alongside a burgeoning industry offering so-called “deception” or “honeypot” services — those designed to confuse, disrupt and entangle network intruders. But in an interview with KrebsOnSecurity, Thinkst founder and CEO Haroon Meer said most deception techniques involve some degree of hubris.

“Meaning, you’ll have deception teams in your network playing spy versus spy with people trying to break in, and it becomes this whole counterintelligence thing,” Meer said. “Nobody really has time for that. Instead, they are saying literally the opposite: That you’ve probably got all these [security improvement] projects that are going to take forever. But while you’re doing all that, just drop these 10 canaries, because everything else is going to take a long time to do.”

The idea here is to lay traps in sensitive areas of your network or web applications where few authorized users should ever trod. Importantly, the canary tokens themselves are useless to an attacker. For example, that AWS canary token sure looks like the digital keys to your cloud, but the token itself offers no access. It’s just a lure for the bad guys, and you get an alert when and if it is ever touched.

One nice thing about canary tokens is that Thinkst gives them away for free. Head over to canarytokens.org, and choose from a drop-down menu of available tokens, including:

-a web bug / URL token, designed to alert when a particular URL is visited;-a DNS token, which alerts when a hostname is requested;-an AWS token, which alerts when a specific Amazon Web Services key is used;-a “custom exe” token, to alert when a specific Windows executable file or DLL is run;-a “sensitive command” token, to alert when a suspicious Windows command is run.-a Microsoft Excel/Word token, which alerts when a specific Excel or Word file is accessed.

Much like a “wet paint” sign often encourages people to touch a freshly painted surface anyway, attackers often can’t help themselves when they enter a foreign network and stumble upon what appear to be key digital assets, Meer says.

“If an attacker lands on your server and finds a key to your cloud environment, it’s really hard for them not to try it once,” Meer said. “Also, when these sorts of actors do land in a network, they have to orient themselves, and while doing that they are going to trip canaries.”

Meer says canary tokens are as likely to trip up attackers as they are “red teams,” security experts hired or employed by companies seeking to continuously probe their own computer systems and networks for security weaknesses.

“The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal,” wrote Shubham Shah, a penetration tester and co-founder of the security firm Assetnote. “If the aim is to increase the time taken for attackers, canary tokens work well.”

Thinkst makes money by selling Canary Tools, which are honeypots that emulate full blown systems like Windows servers or IBM mainframes. They deploy in minutes and include a personalized, private Canarytoken server.

“If you’ve got a sophisticated defense team, you can start putting these things in really interesting places,” Meer said. “Everyone says their stuff is simple, but they obsess over it. It’s really got to be so simple that people can’t mess it up. And if it works, it’s the best bang for your security buck you’re going to get.”

Further reading:

Dark Reading: Credential Canaries Create Minefield for AttackersNCC Group: Extending a Thinkst Canary to Become an Interactive HoneypotCruise Automation’s experience deploying canary tokens

Industrial IoT Gateways and Routers Market Expands Rapidly

According to new ARC Advisory Group research, the Industrial IoT Gateways and Routers landscape is evolving as edge technologies refine, potential use cases expand and pilot projects begin to scale.

Aug. 16, 2023 - According to new ARC Advisory Group research, the Industrial IoT Gateways and Routers landscape is evolving as edge technologies refine, potential use cases expand and pilot projects begin to scale. Intensive edge compute applications such as AI as well as growing connectivity and security standards are renewing the emphasis on hardware capability. The continued buildout of 5G and private wireless networks will contribute to the diversity of edge networking devices, along with an increased demand for remote access and autonomous networking solutions. The widespread adoption of container environments will make deploying and managing edge applications simpler and more scalable. "Industrial IoT gateways and routers are critical enablers of digital transformation, empowering industries to leverage the potential of edge computing, software innovation and advanced connectivity for increased efficiency, productivity, and operational excellence. Intensive edge compute applications such as AI powered by dedicated graphics processors are renewing the emphasis on hardware capability," according to Chantal Polsonetti, vice president of Research and key author of ARC's Industrial IoT Gateways and Routers Market Research. 

In addition to providing detailed competitive market share data, the research also addresses key market trends as follows:

In addition to providing specific market data and industry trends, this ARC market research also identifies and positions the leading suppliers to this market and provides and summarizes their relevant offerings. An alphabetical list of key suppliers covered in this analysis includes: Advantech, Cisco, Moxa, Siemens, Sierra Wireless. 

The Industrial IoT Gateways and Routers research explores the current and future market performance and related technology and business trends and identifies leading technology suppliers. This new research is based on ARC’s industry-leading market research database, extensive primary and secondary research, and proprietary economic modelling techniques. The research includes competitive analysis, five-year market forecasts, and 5 years of historical analysis. The report segmentation includes Revenue Category, Sales Channel, World Region, Industry, Customer Type, Installation Type, Hardware by Network Type, Hardware by CPU Type, Hardware by Operating System, Hardware by Edge Computing Use, Hardware by Form Factor, Hardware by Environmental Rating, Overall Scope, Hardware by Execution Environment, Hardware by IEC 61850-3, Hardware by EN 50155, Hardware by Class 1 Division 2, Hardware by ATEX. This new research is available in a variety of formats to meet the specific research and budgetary requirements of a wide variety of organizations. These include:

For more information on this and other available ARC market research, please visit their Market Analysis Services.

ARC Advisory Group is the leading market research and advisory firm for industry, infrastructure, and cities.  ARC analysts have the industry knowledge and firsthand experience to help clients find the best answers.

Check out their free e-newsletters to read more great articles..