Canarytokens are a simple way to tripwire things. An old concept, they can be super useful (and are trivial to use) but require some background infrastructure to get working. We provide this infrastructure for you, so you can deploy tokens in seconds and get the benefit from them immediately.
For example, you may be familiar with tracking pixels; transparent 1x1 images embedded in emails that track a user upon opening. These work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests.
Imagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens do all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.
As a Canary customer, Canarytokens are available to you completely free, and generated alerts will show up in your console like any other:
Why does this matter?
Network breaches happen. From mom and pop stores to mega-corps, and even governments. From unsuspecting grandmas to well known security pros. This sucks because it's commonly only found out about, months or years later.
Canarytokens are a free, quick, painless way to help defenders discover they've been breached (by having attackers announce themselves.)
How do Canarytokens work?
Go to your Console and select your Canarytoken; (supply a reminder that reminds you which Canarytoken this is and where you put it.)
Place the generated Canarytoken somewhere special. Refer to the tokens listed below for examples:
- Web Bug
- DNS
- AWS API Key
- Azure Login Certificate
- Microsoft Word, Excel and Macro enabled tokens
- Sensitive Command
- WireGuard VPN
- Cloned Website
- QR Code
- Acrobat PDF
- Slack API Key
- Windows Folder
- Custom Exe/Binary
- AWS S3 Bucket
- Custom Web Image
- Office 365 Mail Bug
- Slow/Fast Redirect
- Google Docs/Sheets
- Gmail
If an attacker ever trips over a Canarytoken somehow, you'll get an alert letting you know that it has happened.
How do attackers trip over a Canarytoken?
A typical token is a unique URL and/or hostname. The URL component is pretty flexible. This means that if your token is:
http://45e51129ec7e.o3n.io/images/o63277vnjf6nfobn3cbey69fh/spacer.gif
then someone visiting any of these:
http://45e51129ec7e.o3n.io/images/o63277vnjf6nfobn3cbey69fh/admin.asp
http://45e51129ec7e.o3n.io/images/o63277vnjf6nfobn3cbey69fh/secrets.docx
http://45e51129ec7e.o3n.io/images/o63277vnjf6nfobn3cbey69fh/passwords.zip
http://45e51129ec7e.o3n.io/images/o63277vnjf6nfobn3cbey69fh/anything-really
Would still activate your token. This gives us the simplest use-case for a token, an old fashioned web-bug.
For example, you could send yourself an email with a link to the token plus some lure text:
Simply keep it in your inbox unread since you know not to touch it. An attacker who has grabbed your mail-spool doesn't. So if your emails are stolen, then an attacker reading them should be attracted to the mail and visits the link – and while your week is about to get worse, at least you know.
If you like, you could even use the same token as an embedded image. This way it works like the classic 1x1 transparent GIF. Now an attacker reading your inbox could trip over it just because his mail client renders remote images. (In this way you can use free Canarytokens as a classic web/mail-bug, to receive a notification when an email you send has been read.)
What memo should I use?
Over time, if you are using Canarytokens correctly, you will deploy thousands of them all over the place. Make sure that your Reminder is descriptive, and will be self-describing. Nothing sucks more than having a token fire an alert that reads “test" - and not knowing where you placed it.
An example of creating a descriptive reminder can be found here.
Production usage
Canarytokens can be used as simple web-bugs, but they are incredibly flexible as we'll see.
You may have a fancy SIEM that lets you know when stuff happens, but you'll find that with a little creativity, there's a bunch of places that you could get wins from a token (that can be deployed in seconds) that you couldn't easily get to otherwise.
Do you trust the admins/support at DropBox to leave your files alone? (or Office365? or Microsoft Teams?) Simply generate a token and drop it in your folder, or mention it in your Microsoft Teams channel. If some admin is browsing contents in their spare time (or is being coerced to do so by a 3rd party) they will trip over your URL and you'll be notified.
Once you've familiarised with creating Canarytokens on the Console, you may ask yourself "How would I deploy this at scale?". We provide some examples and guidance here.