The Security Canary Maturity Model | Tracebit


Honeypots have been around a long time [1]. Nowadays, canaries are a standard component of a mature security program. This was highlighted recently by the NCSC guidance around mitigating SVR threat actors.

We’ve previously shared our thoughts on Honeypots for Intrusion Detection and our vision for Canary Infrastructure. We wanted to build on this vision, and have asked our friend Rami McCarthy to develop the industry’s first Maturity Model for Security Canaries.

The Why and How of a Maturity Model

What is the point of a maturity model?

I’m a big fan of maturity models. Security is a relatively immature industry, built on top of rapid technological change. As an industry, we are prolific in distributing information publicly, but often informally. In the forty-year history of honeypots, there have been books and blog posts, write-ups in newsgroups and email distribution lists, conference talks and research papers.

A maturity model is a way of systematizing existing knowledge, and creating a centralized source to operationalize a program in this category.

How can I use this maturity model?

From an education perspective, this maturity model offers you a map of the landscape around canaries. Read through it, search everything you don’t know, and a hundred browser tabs later you’ll have a good baseline understanding of what a canary deployment looks like across various levels of sophistication.

On the corporate side, there are a few ways to apply a maturity model to your security program.

  1. Removing unknown-unknowns: The maturity model offers a cheat sheet across the universe of canary capabilities. At a minimum, it allows you to survey the landscape and ensure you’re aware of your options for reducing risk, whether or not you choose to align to the model overall.
  2. Benchmarking/Diagnostics: If you choose to align to the model, you can use it to assess your current maturity. This is an opportunity to consider whether your current use of canaries matches your desired level of security maturity.
  3. Roadmapping: When navigating the planning process, this model offers a view on “what could we do next,” in an iterative and compounding structure.

Overall, I’d encourage you to view this maturity model as a spider chart, and not a checklist. You don’t need to be doing everything listed to crest into a maturity level, nor should you limit your investments to meeting all of the “Managed” criteria if it better suits you to spike into “Optimized” across certain categories.

In developing this model, I settled on four categories (Coverage, Management, Impact, and Program) that form a mutually exclusive, collectively exhaustive (MECE) set of relevant capabilities, controls, and practices. Maturity is then measured across these categories, rolling up into three maturity levels: Defined, Managed, and Optimized.

Coverage

Coverage considers the idea of detection coverage as applied to canaries. In our case, Coverage is a matter of Diversity and Distribution. Diverse canaries provide more opportunities for detecting a variety of attacks, avoiding honeypot identification by attackers, and introducing sludge (friction that slows an attacker down).

Defined
  • A few static honeytokens (a.k.a. canary credentials) are present

Managed
  • Many unique honeytokens are distributed, with meaningful correlation of their locations with attack paths
  • Initial non-honeytoken canary infrastructure is in place
  • Canaries cover a majority of the CDM Technologies (Devices, Applications, Networks, Data, Users) in production
  • Canaries have realistic metadata (i.e., believable names, tags, resource types)

Optimized
  • Broad and diverse canary infrastructure is deployed
  • Environmental architecture and nudges lead attackers towards interacting with canary infrastructure
  • Canary data is introduced to new resources by default
  • Canaries are present not only in production, but across other high leverage areas like Source Code, CI/CD, and Staging
  • Canaries have environment-specific, camouflaging metadata

Impact

Maturing your canary deployments means increasing their impact, both overall and for each individual canary asset. Generally, there are two vectors for canary impact. First, you generate signal on attackers, which may be a simple alert in the base case. Second, you can impose additional cost on attackers. Your ceiling for impact is coupled to the interactivity of your canaries: the higher the interaction, the more data attackers generate from which you can discern useful signals.

Defined
  • Low interactivity
  • A basic log of interaction (such as an alert) is generated

Managed
  • High interactivity, designed to generate additional useful intelligence on attackers
  • Canaries designed to waste attacker time, such as through tarpitting [2]

Optimized
  • Canaries leverage backstopping for detection - such as the use of the IAM Credential Report
  • An automated process is in place to reduce false positives caused by security and other internal scanning tools

Management

Low maturity canary programs often fail due to a lack of ongoing management of the infrastructure. A honeytoken that has been in place for two years is challenging to investigate once leaked, because the exposure window a responder must reconstruct is so long. The same is true of a piece of canary infrastructure that has multiple attack paths that could compromise it. Management is focused on both the deployment of canaries and their ongoing maintenance.

Defined
  • Manual deployment
  • No rotation

Managed
  • Automated deployment
  • Periodic manual rotation

Optimized
  • Short lived and/or frequently rotated canaries
  • Simulated traffic and burn-in to ensure canaries remain indistinguishable from authentic infrastructure
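The two Optimized practices above that are easiest to show in code are backstopping (the Impact category's "use of the IAM Credential Report") and rotation on an exposure-window budget (this Management category). The script below is an added example, not Tracebit's code or a Tracebit product feature: it parses a credential report in the column layout AWS uses (only a subset of the real columns is included in the constructed sample), flags any canary access key the report shows as used, reports how long that token had been exposed before it was touched, and lists canaries that have outlived their rotation policy. The inventory, user names, account id, timestamps and rotation periods are all constructed.

```python
"""Backstop detection and rotation checks for canary IAM credentials (added example)."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Canary:
    """One planted canary credential and the rotation policy it is held to."""
    user: str               # IAM user that owns the honeytoken access key
    location: str           # where the key was planted (shown to the responder)
    deployed_at: datetime   # when it was planted; start of the exposure window
    max_age: timedelta      # rotate once the canary is older than this


# Constructed inventory; a real program reads this from its canary registry.
CANARIES = [
    Canary("svc-backup-reader", "README in an internal git repo",
           datetime(2024, 3, 1, tzinfo=timezone.utc), timedelta(days=90)),
    Canary("ci-deploy-legacy", "CI secrets store",
           datetime(2024, 5, 15, tzinfo=timezone.utc), timedelta(days=90)),
    Canary("analytics-export", "config file on a bastion host",
           datetime(2023, 1, 10, tzinfo=timezone.utc), timedelta(days=365)),
]

# Constructed "now" for the rotation check (the evaluation time).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed report using a subset of the IAM credential report's real column
# names. Unused keys show "N/A"; the real report also emits "no_information".
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-31T09:30:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A
svc-backup-reader,arn:aws:iam::111122223333:user/svc-backup-reader,true,2024-05-28T14:12:00+00:00,us-east-1,sts,false,N/A,N/A,N/A
ci-deploy-legacy,arn:aws:iam::111122223333:user/ci-deploy-legacy,true,N/A,N/A,N/A,false,N/A,N/A,N/A
analytics-export,arn:aws:iam::111122223333:user/analytics-export,false,N/A,N/A,N/A,true,2024-05-30T08:00:00+00:00,us-east-1,s3
"""

_NOT_A_DATE = {"N/A", "no_information", "not_supported", ""}


def parse_timestamp(value):
    """Return a datetime for a report timestamp, or None for the sentinel strings."""
    if value is None or value.strip() in _NOT_A_DATE:
        return None
    return datetime.fromisoformat(value.strip())


def detect_backstop_hits(report_csv, canaries):
    """Find canary credentials that the report shows as used at least once.

    Polling the credential report is the backstop: it catches key use that the
    primary alerting path missed, was delayed on, or had suppressed.
    """
    by_user = {c.user: c for c in canaries}
    hits = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        canary = by_user.get(row["user"])
        if canary is None:
            continue  # a real principal, not one of ours
        for key in ("access_key_1", "access_key_2"):
            last_used = parse_timestamp(row.get(f"{key}_last_used_date"))
            if last_used is None:
                continue
            hits.append({
                "user": canary.user,
                "location": canary.location,
                "key": key,
                "last_used": last_used,
                "service": row.get(f"{key}_last_used_service"),
                "region": row.get(f"{key}_last_used_region"),
                # How long the token sat in place before it was touched: the
                # window the responder has to reconstruct.
                "exposure_window": last_used - canary.deployed_at,
            })
    return hits


def canaries_due_for_rotation(canaries, now):
    """Names of canaries that are older than their rotation policy allows."""
    return [c.user for c in canaries if now - c.deployed_at >= c.max_age]


if __name__ == "__main__":
    for hit in detect_backstop_hits(SAMPLE_REPORT, CANARIES):
        print(f"CANARY USED: {hit['user']} ({hit['location']}) via {hit['service']} "
              f"in {hit['region']} at {hit['last_used'].isoformat()}; "
              f"exposure window {hit['exposure_window'].days} days")
    print("due for rotation:", canaries_due_for_rotation(CANARIES, NOW))
```

Because the parser keys on column names rather than positions, it runs unchanged against a full report; the point of the design is that the backstop check and the rotation check share one inventory, so a hit can be reported with both where the token lived and how long it had been exposed, which is exactly what makes a two-year-old honeytoken so hard to investigate.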

Program

The final category of our security canary maturity model looks at the program and policies that surround the technical implementation. This involves elements of Discoverability, Publicity, and Response Planning. Discoverability is about improving the odds that attackers stumble on canaries in the course of their normal process. Publicity covers the approach you take to communicating your program internally and externally. Response planning ensures you’re prepared when a canary does go off.

Defined
  • Security team aware of canaries
  • Basic response playbook in place

Managed
  • Internal awareness of canaries and procedure
  • Canaries are periodically tested
  • Response playbook has been tested, and supporting tooling is established

Optimized
  • External awareness of use of canaries
  • Canaries are tested automatically on an ongoing basis
  • Tabletop response is conducted periodically, under a variety of scenarios
  • Response process includes attempts to out tools and attackers, imposing cost by burning infrastructure
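"Canaries are tested automatically on an ongoing basis" only pays off if someone reconciles the scheduled test touches against what the alert pipeline actually produced. The script below is an added example, not Tracebit's code: it takes a list of scheduled self-tests (each one touched a given canary at a given time) and a JSON-lines alert log, then classifies every tested canary as ok, late (alert arrived but outside the delay budget) or silent (no alert at all), and separates out the alerts that no test explains, since those are the ones that deserve a responder. The canary ids, timestamps, addresses, the five-minute delay budget and the one-minute duplicate window are all constructed assumptions.

```python
"""Reconcile automated canary self-tests with the alert stream (added example)."""
import json
from datetime import datetime, timedelta

MAX_ALERT_DELAY = timedelta(minutes=5)    # assumed test-to-alert budget
DUPLICATE_WINDOW = timedelta(seconds=60)  # assumed window for repeat alerts from one touch

# Constructed: each scheduled self-test touched one canary at this time.
TEST_RUNS = [
    {"canary_id": "ct-aws-key-01", "triggered_at": "2024-06-01T02:00:05+00:00"},
    {"canary_id": "ct-url-docs-07", "triggered_at": "2024-06-01T02:00:06+00:00"},
    {"canary_id": "ct-db-table-03", "triggered_at": "2024-06-01T02:00:08+00:00"},
]

# Constructed alert log, one JSON record per line, as an alerting pipeline might emit.
ALERT_LOG = """\
{"ts": "2024-06-01T01:30:12+00:00", "canary_id": "ct-aws-key-01", "source_ip": "203.0.113.9", "action": "sts:GetCallerIdentity"}
{"ts": "2024-06-01T02:00:40+00:00", "canary_id": "ct-aws-key-01", "source_ip": "10.0.5.20", "action": "sts:GetCallerIdentity"}
{"ts": "2024-06-01T02:00:41+00:00", "canary_id": "ct-aws-key-01", "source_ip": "10.0.5.20", "action": "sts:GetCallerIdentity"}
{"ts": "2024-06-01T02:12:00+00:00", "canary_id": "ct-url-docs-07", "source_ip": "10.0.5.20", "action": "GET /internal/docs/offboarding.pdf"}
"""


def load_alerts(log_text):
    """Parse JSON-lines alerts, converting the timestamp to a datetime."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        record["ts"] = datetime.fromisoformat(record["ts"])
        alerts.append(record)
    return alerts


def evaluate_canary_tests(test_runs, alerts, max_delay=MAX_ALERT_DELAY):
    """Return (results, unexplained).

    results maps canary_id -> {"status": ok|late|silent, "latency_s": float|None}.
    unexplained holds alerts that no scheduled test accounts for.
    """
    explained = set()  # indices of alerts attributed to a scheduled test
    results = {}
    for run in test_runs:
        cid = run["canary_id"]
        fired = datetime.fromisoformat(run["triggered_at"])
        # Only alerts at or after the touch can be the test's own alert;
        # anything earlier for the same canary is left unexplained on purpose.
        candidates = [i for i, a in enumerate(alerts)
                      if a["canary_id"] == cid and a["ts"] >= fired]
        if not candidates:
            results[cid] = {"status": "silent", "latency_s": None}
            continue
        first = min(candidates, key=lambda i: alerts[i]["ts"])
        latency = alerts[first]["ts"] - fired
        results[cid] = {
            "status": "ok" if latency <= max_delay else "late",
            "latency_s": latency.total_seconds(),
        }
        # The first alert plus any repeats shortly after it belong to this test.
        for i in candidates:
            if alerts[i]["ts"] - alerts[first]["ts"] <= DUPLICATE_WINDOW:
                explained.add(i)
    unexplained = [a for i, a in enumerate(alerts) if i not in explained]
    return results, unexplained


if __name__ == "__main__":
    results, unexplained = evaluate_canary_tests(TEST_RUNS, load_alerts(ALERT_LOG))
    for cid, r in results.items():
        print(f"{cid}: {r['status']} (latency {r['latency_s']} s)")
    for a in unexplained:
        print(f"UNEXPLAINED: {a['canary_id']} from {a['source_ip']} at {a['ts'].isoformat()}")
```

A silent canary is a detection gap (the canary, the alert path, or the test harness is broken), a late one is a latency regression worth tracking as a metric, and the unexplained alert is the case the response playbook exists for; running this after every scheduled test cycle turns "tested automatically" into a health signal rather than a box on the roadmap.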

Adding Canaries to your Security Program

No matter the maturity level of your overall program, there is room for canaries.


Ready to invest in your canary infrastructure?

Book a demo with our founders, and we’d be happy to talk with you about your current maturity and how you can easily Optimize your program using Tracebit


If you’re just starting out, a Defined program can be an early, easy win - offering trip wires for high impact compromise before you have a broader threat detection program in place. Once your program is established and scaling, maturing to a Managed state can paper over gaps in your other detection infrastructure, at an affordable cost. Already at scale? Once Optimized, your canaries can be customized to offer threat intelligence, defense in depth, and higher signal than other controls.