Do You Have a Canary on Your Network?

In the heyday of mining it was common practice to take up to three canaries into the mineshaft to test the purity of the air. If any one bird showed signs of distress, it likely indicated that something was amiss and dangerous levels of carbon monoxide existed.
So what does this have to do with computer security? Well, given our experience with companies that were directly impacted by Operation Aurora, it has become clear that companies that have adopted the modern day “canary” were significantly better able to detect and respond to Aurora as well as the daily barrage of malware they encounter.
So what it is this modern day canary? Essentially, the “canary” is a collection of dark network addresses within a company’s internal network. Savvy and security conscious companies typically run Internet proxies to control access and monitor Internet activity. Legitimate Internet traffic routes through a unique network address that serves as a gateway for the environment behind a proxy. As a by product of running a proxy, network routing tables can be configured with default routes that lead to a collection of dark addresses (unused addresses, much like empty houses in a neighborhood) that have no legitimate use other than to wait for illegitimate visitors.
While more sophisticated pieces of malware are proxy aware, injecting (continue reading...)