Canary Token
Author: Stefan Waldvogel
Canary Tokens are an easy way to detect data collection in your network
Overview
Canary tokens are Honey Tokens and an exciting idea to detect lateral movement/data collection. An attacker (or a pentester) follows specific steps, and one part is looking for exciting things like passwords.
With Canary Token, you can generate such documents, websites, databases, folders, and much more. One example: A document with passwords.doc in a hidden or regular folder looks promising, and many attackers will touch such files.
If he or she does, this triggers an alarm, and you as a security professional know something is going on.
Set up:
It is straightforward and free. Generate a wanted file, document, folder, and more here: canarytokens.org/generate#
Rename the file, save it, and now you wait for a click or visit. Now, you get an email.
Canary tokens are Honey Tokens and an exciting idea to detect lateral movement/data collection. An attacker (or a pentester) follows specific steps, and one part is looking for exciting things like passwords.
With Canary Token, you can generate such documents, websites, databases, folders, and much more. One example: A document with passwords.doc in a hidden or regular folder looks promising, and many attackers will touch such files.
If he or she does, this triggers an alarm, and you as a security professional know something is going on.
Set up:
It is straightforward and free. Generate a wanted file, document, folder, and more here: canarytokens.org/generate#
Rename the file, save it, and now you wait for a click or visit. Now, you get an email.
Disadvantages:
- Word documents and other items will not work if you open documents on a Linux machine.
- In a Company you should use the professional and paid version of it, but you have a tool to organize your tokens. (canary.tools/canarytokens)
- If you use Honey Tokens in a company, think about potential risks. A click opens an outgoing connection. Does this trigger other alarms? Can it be abused?
Advantages:
- You can set up about 15 different Canary Tokens and this gives you a wide range of possibilities.
- It is very simple, free and in many cases effective.
- You can use Honey Tokens in your home network and forget the small file. If someone is snooping around and opens your files or hidden folders, you get an alert via email.
What happens if an attacker opens your file on his computer?
On Windows a security warning will pop up and of course, an attacker will not accept the connection. It does not really matter if you additionally use fake folders and other Canaries.
A file will alarm the attacker and sometimes this is wanted.
Fake folders are more effective and an access cannot be easily blocked by the attacker.
- Word documents and other items will not work if you open documents on a Linux machine.
- In a Company you should use the professional and paid version of it, but you have a tool to organize your tokens. (canary.tools/canarytokens)
- If you use Honey Tokens in a company, think about potential risks. A click opens an outgoing connection. Does this trigger other alarms? Can it be abused?
Advantages:
- You can set up about 15 different Canary Tokens and this gives you a wide range of possibilities.
- It is very simple, free and in many cases effective.
- You can use Honey Tokens in your home network and forget the small file. If someone is snooping around and opens your files or hidden folders, you get an alert via email.
What happens if an attacker opens your file on his computer?
On Windows a security warning will pop up and of course, an attacker will not accept the connection. It does not really matter if you additionally use fake folders and other Canaries.
A file will alarm the attacker and sometimes this is wanted.
Fake folders are more effective and an access cannot be easily blocked by the attacker.
If it works, you get a nice email:
You can use the details to learn more about the time and date. I tried multiple things including a dropbox canary folder and it works. Dropbox is not a good place for a canary folder, because Dropbox itself tries to indexing the folder. -> you get a huge list of IPs and locations.
© 2021. This work is licensed under a CC BY-SA 4.0 license