Use Canary Tokens For Threat Hunting

Image by digital designer from Pixabay

What is a Canary token?

A Canary token is a file, URL, API key, or other resource that is monitored for access. Once the resource has been accessed, an alert is triggered notifying the object owner of said access.

In other words, it’s a trap for the bad guys. If a bad guy opens the file, you will get an email notification about it.

It’s pretty simple. You place your canary token (a file you generate) on your computer, server, NAS, or cloud storage. You put the file in a location that no one should be accessing and if someone opens it, you will get an email about it. It’s a cool way of detecting unauthorized access.

Create a Canary token

  1. Go to https://canarytokens.org/ to generate a token.
    1. Select the type of token you want to create (I am using an Excel document in this example)
    2. Enter your email address (this is where you will get the notification)
    3. Enter a note describing the token (this will be included in the email notification)
    4. Click the green button “Create my Canary token”
  2. After you have the downloaded file, rename it to something tempting to open, such as “passwords.xlsx” or “private.xlsx”.
  3. Copy or move this file into a folder that no one should be accessing.

Types of Canary tokens

There are many types of tokens you can create. Below are the currently available types:

  • Web bug / URL token – Alert when a URL is visited
  • DNS Token – Alert when a hostname is requested
  • Unique email address – Alert when an email is sent to a unique address
  • Custom Image Web bug – Alert when an image you uploaded is viewed
  • Microsoft Word Document – Get alerted when a document is opened in Microsoft Word
  • Microsoft Excel Document – Get alerted when a document is opened in Microsoft Excel
  • Acrobat Reader PDF Document – Get alerted when a PDF document is opened in Acrobat Reader
  • Windows Folder – Be notified when a Windows Folder is browsed in Windows Explorer
  • Custom exe / binary – Fire an alert when an EXE or DLL is executed
  • Cloned Website – Trigger an alert when your website is cloned
  • SQL Server – Get alerted when MS SQL Server databases are accessed
  • QR Code – Generate a QR code for physical tokens
  • SVN – Alert when someone checks out an SVN repository
  • AWS keys – Alert when an AWS key is used
  • Fast Redirect – Alert when a URL is visited; the user is redirected
  • Slow Redirect – Alert when a URL is visited; the user is redirected (more info is grabbed!)
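To make the mechanism behind the “Web bug / URL” and “Custom Image Web bug” token types concrete, here is a minimal self-hosted web-bug canary in Python. This is added example code, not code from the original post or from the Thinkst Canarytokens project: it mints an unguessable token URL, serves a 1×1 GIF for it, and raises an alert (printed as JSON, where a real deployment would send the email) the moment the URL is fetched. The hostname canary.example.invalid, the port, and the notification address are placeholder assumptions.

```python
"""Minimal self-hosted web-bug canary token: mint, serve, alert (example code)."""
import json
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed in-memory registry: token id -> metadata. A real deployment
# would persist this; the public Canarytokens service keeps it server-side.
TOKENS = {}
HITS = []

# Standard 1x1 transparent GIF, returned for every request so the token
# looks like an ordinary image whether or not the id is known.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!"
             b"\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")


def create_token(note, notify_email, base_url="https://canary.example.invalid"):
    """Mint an unguessable token id and return the URL to plant (base_url is a placeholder)."""
    token_id = secrets.token_urlsafe(16)  # 128 bits of entropy; guessing it is infeasible
    TOKENS[token_id] = {
        "note": note,
        "email": notify_email,
        "created": datetime.now(timezone.utc).isoformat(),
    }
    return f"{base_url}/t/{token_id}.gif"


def token_id_from_path(path):
    """Extract the token id from a request path such as /t/<id>.gif or /t/<id>."""
    clean = urlparse(path).path  # drop any query string
    if not clean.startswith("/t/"):
        return None
    tid = clean[3:]
    if tid.endswith(".gif"):
        tid = tid[:-4]
    return tid or None


def record_hit(path, remote_ip, headers):
    """Return an alert dict if the path hits a known token, else None.

    Unknown ids are ignored silently: a scanner probing the server learns nothing
    about which ids exist. `headers` is any mapping with a .get() method.
    """
    tid = token_id_from_path(path)
    if tid is None or tid not in TOKENS:
        return None
    alert = {
        "token": tid,
        "note": TOKENS[tid]["note"],            # the reminder text, as in the email
        "notify": TOKENS[tid]["email"],
        "time": datetime.now(timezone.utc).isoformat(),
        "remote_ip": remote_ip,
        "user_agent": headers.get("User-Agent", ""),
        "referer": headers.get("Referer", ""),
    }
    HITS.append(alert)
    return alert


def send_alert(alert):
    """Stand-in for the email notification: print as JSON. Swap in SMTP or a webhook."""
    print("CANARY TRIGGERED:", json.dumps(alert))


class CanaryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        alert = record_hit(self.path, self.client_address[0], self.headers)
        if alert:
            send_alert(alert)
        # Identical response for known and unknown ids.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.send_header("Cache-Control", "no-store")  # a cached image never fires again
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, *args):
        pass  # keep stdout for alerts only


if __name__ == "__main__":
    # Placeholder note and address; in practice these match what you typed at canarytokens.org.
    url = create_token("passwords.xlsx on the fileserver share",
                       "soc@example.invalid", "http://127.0.0.1:8080")
    print("Plant this URL (for example as a linked image inside a document):", url)
    HTTPServer(("127.0.0.1", 8080), CanaryHandler).serve_forever()
```

The two properties worth noting are that the id comes from a CSPRNG, so nobody fires a token by guessing, and that the server answers unknown ids exactly like known ones, so it cannot be used as an oracle for which tokens you have planted. The `Cache-Control: no-store` header matters too: if a proxy or mail client caches the pixel, a second open of the same document will not reach your server.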

Are Canary tokens Safe?

Canary tokens were developed by Thinkst, a cyber security company. From base architectural choices to individual feature implementations, defensive thinking has been baked into Canary at multiple layers.

They’ve also had a crystal-box assessment performed of both the Canaries and the Console by one of the leading app-sec teams in the business. A copy of their report is available on request, but their pertinent, summarising snippet is:

The device platform and its software stack (outside of the base OS) has been designed and implemented by a team at Thinkst with a history in code product assessments and penetration testing (a worthy opponent one might argue), and this shows in the positive results from our evaluation. Overall, Thinkst have done a good job and shown they are invested in producing not only a security product but also a secure product.

How Much Do Canary tokens Cost

The Canarytokens project is open source. Canarytokens is available for free at http://canarytokens.org, or you can download and run your own installation (source and Docker images are available).

For a cost, you can also purchase a subscription where Thinkst Canary will host a management console, canary server, and provide updates, support, and maintenance.

Conclusion

Data breaches, hacks, and cyberattacks are on the rise. Most breaches happen weeks or months before we realize something bad has happened. A tool like this is a great addition to your threat detection.

Canary tokens are a free, quick, painless way to help defenders discover they’ve been breached (by having attackers announce themselves).
