ShadowTrackr

Log in >
RSS feed

Why you will like Canary Tokens

17 October 2017
Ever heard of Canary tokens? These are the digital equivalent of the canaries that were used to detect gas in coal mines. The coal mine canary dies of the gas before miners do and give the miners time to save themselves. Similarly, the canary tokens you plant in your systems can give you a heads up that a hacker is snooping around. This is typically in the reconnaissance fase and you might even have a chance to prevent lateral movement or exfiltration.

As with the real life canary, you can have a really low false positive rate. Given the huge amounts of false positives leading to "alert fatigue" in security teams this is really welcome. The trick of course is that you set up your canaries in such a way that no regular user is likely to trigger them. If you have a word document named "vulnerability report" in your home directory, nobody other than you should open it. And you of course no that opening this fake document sets of a trap and you leave it alone. If you're using the same trick to find snoopers in group directories, you better make sure that everyone in the group knows about the trap. If you're exclusively looking for evil hackers and not for internal leaks you could also consider having the directory hidden from normal users.

There are lots of different types of canaries available: fake documents, URL, trigger, DNS triggers SQL Server triggers, AWS triggers and more. You can easily expand on these with any action that you can translate in one of the existing triggers. An example is the SQL Server trigger, where a certain SQL statement will cause the database server to do a DNS lookup that in turn triggers the trap.

You can easily setup a canary token on canarytokens.org. The server running there seems to be running a bit behind on the github project, and we're thinking of running an instance at ShadowTrackr.com or another domain that might be a bit less of a giveway for those that monitor dns traffic. You can use ShadowTrackr to turn the webhooks that canarytokens call into push messages on your phone and log them to have an audit trail for post mortems. See this use case for an example.
Older posts >

Resources
API
Blog
Documentation
Integrations
Shodan
OpenCTI