Honeypots have been around a long time. Nowadays, canaries are a standard component of a mature security program. This was highlighted recently by the NCSC guidance around mitigating SVR threat actors.
We’ve previously shared our thoughts on Honeypots for Intrusion Detection and our vision for Canary Infrastructure. We wanted to build on this vision, and have asked our friend Rami McCarthy to develop the industry’s first Maturity Model for Security Canaries.
The Why and How of a Maturity Model
What is the point of a maturity model?
I’m a big fan of maturity models. Security is a relatively immature industry, built on top of rapid technological change. As an industry, we are prolific in distributing information publicly, but often informally. In the forty-year history of honeypots, there have been books and blog posts, write-ups in newsgroups and email distros, conference talks and research papers.
A maturity model is a way of systematizing existing knowledge, and creating a centralized source to operationalize a program in this category.
How can I use this maturity model?
From an education perspective, this maturity model offers you a map of the landscape around canaries. Read through it, search everything you don’t know, and a hundred browser tabs later you’ll have a good baseline understanding of what a canary deployment looks like across various levels of sophistication.
On the corporate side, there are a few ways to apply a maturity model to your security program.
- Removing unknown-unknowns: The maturity model offers a cheat sheet across the universe of canary capabilities. At a minimum, it allows you to survey the landscape and ensure you’re aware of your options for reducing risk, whether or not you choose to align to the model overall.
- Benchmarking/Diagnostics: If you choose to align to the model, you can use it to assess your current maturity. This is an opportunity to consider whether your current use of canaries matches your desired level of security maturity.
- Roadmapping: When navigating the planning process, this model offers a view on “what could we do next,” in an iterative and compounding structure.
Overall, I’d encourage you to view this maturity model as a spider chart, not a checklist. You don’t need to be doing everything listed to crest into a maturity level, nor should you limit your investments to meeting all “Managed” criteria if spiking into “Optimized” across certain categories better suits you.
The Security Canary Maturity Model
In developing this model, I crystallized on four categories (Coverage, Management, Impact, and Program) that form a mutually exclusive, collectively exhaustive (MECE) set of relevant capabilities, controls, and practices. Maturity is then measured across these categories, rolling up into three maturity levels: Defined, Managed, and Optimized.
Coverage
Coverage considers the idea of detection coverage as applied to canaries. In our case, Coverage is a matter of Diversity and Distribution. Diverse canaries provide more opportunities for detecting a variety of attacks, avoiding honeypot identification by attackers, and introducing sludge.
Impact
Maturing your canary deployments means increasing impact, both of the deployment as a whole and of each canary asset. Generally, there are two vectors for canary impact. First, you generate signal on attackers, which in the base case is a simple alert. Second, you can impose additional cost on attackers. Your ceiling for impact is coupled to the interactivity of your canaries: the higher the interaction, the more data attackers generate from which you can discern useful signals.
Management
Low-maturity canary programs often fail due to a lack of ongoing management of the infrastructure. A honeytoken that has been in place for two years is challenging to investigate once leaked, because the exposure window is so long. The same is true of a piece of canary infrastructure with multiple attack paths that could compromise it. Management covers both the Deployment of canaries and their ongoing Maintenance.
Program
The final category of our security canary maturity model looks at the program and policies that surround the technical implementation. This involves elements of Discoverability, Publicity, and Response Planning. Discoverability is related to improving the odds attackers stumble on canaries in their normal process. Publicity dissects the approach you use in communicating your program internally and externally. Response planning ensures you’re prepared when a canary does go off.
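As an added example (not code from the original post), a minimal honeytoken inventory that records the placement date and known attack paths the Management section calls for, flags tokens that have outlived an assumed rotation window, and turns a fired token into a response scope of the kind Response Planning needs. All token ids, dates, locations and the 90-day policy are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

MAX_EXPOSURE_DAYS = 90            # assumed rotation policy; tune to your program
AS_OF = date(2024, 6, 1)          # constructed "today" for the sample run


@dataclass(frozen=True)
class Honeytoken:
    token_id: str
    kind: str             # e.g. "aws_key", "docx", "dns"
    placed_on: date
    location: str         # where it was planted: host, repo, share, bucket
    owner: str            # team that rotates it and answers the alert
    reachable_via: tuple  # known paths by which an attacker could reach it


# Constructed sample inventory; every value here is illustrative.
INVENTORY = {
    "tok-new": Honeytoken("tok-new", "aws_key", date(2024, 5, 1),
                          "repo:internal/billing-svc", "platform-sec",
                          ("git read access", "CI runner logs")),
    "tok-old": Honeytoken("tok-old", "docx", date(2023, 1, 1),
                          "share:finance/q4", "finance-it",
                          ("SMB share", "backup snapshots", "laptop sync")),
}


def exposure_days(token: Honeytoken, today: date = AS_OF) -> int:
    """Days the token has been sitting in place (its exposure window)."""
    return (today - token.placed_on).days


def stale_tokens(inventory: dict, today: date = AS_OF) -> list:
    """Ids of tokens whose exposure window exceeds the rotation policy."""
    return sorted(t.token_id for t in inventory.values()
                  if exposure_days(t, today) > MAX_EXPOSURE_DAYS)


def triage(inventory: dict, token_id: str, today: date = AS_OF) -> dict:
    """Turn 'token_id fired' into a response scope for the responder."""
    token = inventory.get(token_id)
    if token is None:
        # An unregistered token firing is itself a management failure.
        return {"known": False, "scope": "untracked", "check_paths": []}
    days = exposure_days(token, today)
    return {"known": True, "owner": token.owner, "location": token.location,
            "exposure_days": days,
            # A short window keeps the candidate leak set small; a long one does not.
            "scope": "narrow" if days <= MAX_EXPOSURE_DAYS else "wide",
            "check_paths": list(token.reachable_via)}
```

Running `stale_tokens(INVENTORY)` on this sample returns the two-year-old document token, and `triage(INVENTORY, "tok-old")` reports a wide scope with three paths to check.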
Adding Canaries to your Security Program
No matter the maturity level of your overall program, there is room for canaries.
If you’re just starting out, a Defined program can be an early, easy win, offering trip wires for high-impact compromise before you have a broader threat detection program in place. Once your program is established and scaling, maturing to a Managed state can paper over gaps in your other detection infrastructure at an affordable cost. Already at scale? At the Optimized level, your canaries can be customized to offer threat intelligence, defense in depth, and higher signal than other controls.