Cybersecurity for startups – deploy canary tokens
Preparing for a security breach is critical for your startup, especially since detection and response tools alone do not always tell you who broke into your systems and how. Threat actors can move laterally through your environment for months or even years without being noticed. Canary tokens give your startup a cheap way to hunt for intruders who are staying under the radar of your other tooling. They complement existing detection and response tools rather than replace them, and they are a clever, low-cost way to boost cybersecurity for startups.
This is the last article in our series on security best practices for startups. The previous one describes secure containerization.
What is a canary token?
A canary token is a honeytoken: a decoy artefact that comes in many formats, such as an email address, a PDF, a URL, a Word document, a Windows folder, an image, a QR code or a set of AWS keys. Tokens are placed on legitimate systems throughout your network as bait so you can track whoever takes it and gather information about them. Nobody has a legitimate reason to open a token, so when a threat actor opens or uses one, it fires and you are alerted, with details of where the access came from.
How do canary tokens work?
Canary tokens reuse the old idea of web beaconing for threat hunting. A web beacon is a tiny, usually transparent, image or similar resource embedded in a web page or email; when the page or message is rendered, the viewer's client issues an HTTP GET request for it, and the server that receives the request learns that the content was opened, when, and from which IP address. Marketing and analytics companies place web beacons on websites and in mailings to track which pages and messages are opened most and to build a picture of user behaviour.
Triggering tokens
A canary token turns that tracking trick against the intruder. Instead of placing a beacon on a web page to gather marketing data, you embed a beacon carrying a unique identifier in something that looks like an ordinary Word document, PDF, image or folder. When the threat actor opens it, their machine fetches that unique URL (or, for DNS-based tokens, resolves a unique hostname). The token service recognises the identifier and alerts you in near real time, by email or webhook, with the source IP address, the token's name and memo, and the date and time of the unauthorised access. Two caveats: the IP address you see is whatever made the request, which may be a VPN or proxy exit rather than the attacker's real machine, so treat it as a detection signal, not attribution; and document-based tokens only fire when the file is opened in a viewer that fetches remote resources, so an attacker who merely copies the file off the host, or opens it in a sandbox without network access, does not trigger it until the file is opened somewhere that can reach the internet.
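To make the mechanism concrete, here is a minimal token service written for this article as an added example; it is not code from canarytokens.org or from any Thinkst product. It issues tokens whose identifier is 128 random bits, hands out the beacon URL and DNS name you would embed, and turns a fetch of that URL into an alert record. The domain `canary.example.internal`, the trusted-proxy address and the alert delivery (a `print`) are assumptions; in practice the print becomes a mail or webhook call.

```python
"""How a canary token fires: a unique ID in a URL or DNS name, and a hit becomes an alert.

Added example for illustration; not code from the original article or from
canarytokens.org. CANARY_HOST and TRUSTED_PROXIES are assumed values.
"""
import secrets
import time
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

CANARY_HOST = "canary.example.internal"   # assumed: a domain you control
TRUSTED_PROXIES = {"10.0.0.5"}            # assumed: your own reverse proxy, if any
# 1x1 transparent GIF: this is all the "web bug" in a document or page actually fetches.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
         b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x01D\x00;")


@dataclass
class Token:
    token_id: str
    memo: str                 # where you planted it, written at creation time
    hits: list = field(default_factory=list)

    @property
    def beacon_url(self) -> str:
        return f"http://{CANARY_HOST}/t/{self.token_id}.gif"   # embed as an image

    @property
    def dns_name(self) -> str:
        return f"{self.token_id}.{CANARY_HOST}"                # any lookup is a hit


class CanaryRegistry:
    def __init__(self) -> None:
        self._tokens: dict[str, Token] = {}

    def create_token(self, memo: str) -> Token:
        # 128 random bits: a hit can only come from someone who found the planted artefact,
        # never from a scanner guessing paths.
        tok = Token(secrets.token_hex(16), memo)
        self._tokens[tok.token_id] = tok
        return tok

    def handle_hit(self, token_id: str, remote_addr: str, headers: dict,
                   now: Optional[float] = None) -> Optional[dict]:
        tok = self._tokens.get(token_id)
        if tok is None:
            return None   # unknown ID: scanner noise, not a canary event
        h = {k.lower(): v for k, v in headers.items()}
        src_ip = remote_addr
        xff = h.get("x-forwarded-for")
        if xff and remote_addr in TRUSTED_PROXIES:
            # Only believe X-Forwarded-For when our own proxy set it; anyone else can forge it.
            src_ip = xff.split(",")[0].strip()
        alert = {
            "token_id": token_id,
            "memo": tok.memo,
            "src_ip": src_ip,
            "user_agent": h.get("user-agent", ""),
            "time": time.strftime("%Y-%m-%dT%H:%M:%SZ",
                                  time.gmtime(now if now is not None else time.time())),
        }
        tok.hits.append(alert)
        return alert


REGISTRY = CanaryRegistry()


class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        # Path layout is /t/<token_id>.gif; anything else simply yields an unknown ID.
        token_id = self.path.split("?", 1)[0].rsplit("/", 1)[-1].removesuffix(".gif")
        alert = REGISTRY.handle_hit(token_id, self.client_address[0], dict(self.headers))
        if alert:
            print("ALERT", alert)   # replace with mail/webhook/SIEM delivery
        # Always answer with the pixel so the viewer sees nothing unusual.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Cache-Control", "no-store")   # a cached pixel means a missed re-open
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args) -> None:   # keep stdout for alerts only
        pass


if __name__ == "__main__":
    tok = REGISTRY.create_token("Passwords.docx in /share/HR on fileserver01")
    print("embed this image URL:", tok.beacon_url, "or this hostname:", tok.dns_name)
    HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

The `Cache-Control: no-store` header and the X-Forwarded-For check are the two details practitioners most often get wrong: a cached pixel hides the second and third time the file is opened, and trusting a forwarded-for header from an arbitrary client lets the attacker write whatever source address they like into your alert.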
Canary tokens vs. honeypots
You can place many canary tokens across the devices on your startup's network, such as a client desktop, a NAS drive or a web server. Dispersed like this, they act as tripwires for threat actors. They are related to honeypots but are not the same thing: a honeypot is a decoy system, usually a virtual machine or fake service, that draws attackers into interacting with a fake production system. Canary tokens, on the other hand, are individual decoy objects placed on your legitimate systems, so they catch an attacker who is already inside and rummaging through real hosts.
But in order for canary tokens to work at all, you must generate them first.
How to Generate and Use a Canary Token
Creating a canary token is simple. Generate one on canarytokens.org, enter the email address or webhook URL (for advanced users) where alerts should be sent, and write a short reminder note, the memo, that you will read when an alert arrives so you know which token fired and where it was planted.
You can generate a canary token on canarytokens.org in any of these formats:
- Unique email address
- Web bug / URL token
- DNS token
- AWS keys
- PDF Doc
- Word Doc
- Excel Doc
- Kubeconfig token
- WireGuard VPN
- Cloned Website
- QR Code
- MySQL Dump
- Windows Folder
- Log4Shell
- Fast Redirect
- Slow Redirect
- Custom Image Web bug
- Custom exe / binary
- SQL Server
- SVN
💡Tip: You may want to generate a canary token and rename it to an enticing name like ‘Passwords’ or ‘Secret’, then place it in a folder somewhere you know threat actors will go Easter egg hunting. You can also name the folder something like ‘Usernames’ as extra bait. Put yourself in the attacker's shoes and think about what they would look for first.
Here are the steps for generating a canary token you want to begin using.
Step 1. Go to canarytokens.org and select the type of token you want.
Step 2. Provide the email address or webhook URL where alerts should be sent. For advanced users, the webhook option delivers each alert as an HTTP POST with a JSON body to a URL you control, which lets you feed alerts into Slack, a SIEM or a ticketing system. Tip: use a dedicated mailbox or channel for canary notifications so they are not buried in everyday mail and overlooked.
Step 3. Write a reminder note (memo) for yourself to read when an alert fires. Make it specific about placement, for example ‘Passwords.docx in the hidden folder under user ABC on workstation 12’, because the memo is how you will know which machine has been touched.
It should look similar to the figure above.
Step 4. Select ‘Create my canary token’, download the file, rename it to whatever you like and place it wherever you want it to sit, such as on a client desktop, a NAS drive or a web server.
Remember to choose file names that are enticing to threat actors. Get creative!
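If you chose the webhook option in Step 2, something has to receive the POST. The receiver below is an added example written for this article, not code from canarytokens.org. It parses the alert JSON, pulls the memo from Step 3 apart using a `host:path` convention this example invents, and picks an incident playbook from it. The field names (`memo`, `src_ip`, `time`, `additional_data.useragent`) are assumptions about what the generator posts: compare them against one real alert before relying on them.

```python
"""Receive canary-token webhook alerts and route them to the right playbook.

Added example; not code from the original article or from canarytokens.org.
JSON field names are assumptions about the alert payload; the memo convention
"host:path" is invented here so an alert maps straight back to where the token sat.
"""
import json
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer

# The URL path is the only thing stopping anyone on the internet from posting
# fake alerts at you, so make it long and random (assumed value).
WEBHOOK_PATH = "/hooks/canary/4f9c0b3e2a7d4c1e9b8a7f6e5d4c3b2a"


@dataclass
class CanaryAlert:
    memo: str
    src_ip: str
    when: str
    user_agent: str
    host: str   # from memo "host:path"; empty if the memo does not follow the convention
    path: str


def parse_alert(body: bytes) -> CanaryAlert:
    """Normalise one webhook POST body. Missing fields are tolerated: an alert
    with gaps is still an alert and must never be dropped for being incomplete."""
    data = json.loads(body.decode("utf-8"))
    if not isinstance(data, dict):
        raise ValueError("alert body is not a JSON object")
    extra = data.get("additional_data") or {}
    memo = str(data.get("memo", ""))
    if ":" in memo:
        host, _, path = memo.partition(":")   # first colon only, so C:\ paths survive
    else:
        host, path = "", memo
    return CanaryAlert(
        memo=memo,
        src_ip=str(data.get("src_ip") or extra.get("src_ip") or "unknown"),
        when=str(data.get("time", "")),
        user_agent=str(extra.get("useragent", "")),
        host=host.strip(),
        path=path.strip(),
    )


def triage(alert: CanaryAlert) -> dict:
    """A token hit is high-signal by design (nobody should ever open one), so
    severity never drops below high; the memo only decides which playbook starts."""
    if alert.host.startswith("prod-"):
        severity, playbook = "critical", "isolate-host-and-rotate-secrets"
    elif alert.host:
        severity, playbook = "high", "investigate-endpoint"
    else:
        severity, playbook = "high", "manual-review"   # memo gave no location
    return {
        "severity": severity,
        "playbook": playbook,
        "host": alert.host,
        "summary": f"canary '{alert.memo}' opened from {alert.src_ip} ({alert.user_agent})",
    }


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        if self.path != WEBHOOK_PATH:
            self.send_error(404)
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        try:
            decision = triage(parse_alert(body))
        except (ValueError, UnicodeDecodeError):
            self.send_error(400)
            return
        print("CANARY", json.dumps(decision))   # swap for a pager or ticketing API call
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args) -> None:   # keep stdout for alerts only
        pass


# Constructed sample alert in the assumed field layout.
SAMPLE_ALERT = json.dumps({
    "memo": "prod-fileserver01:/share/HR/Passwords.docx",
    "src_ip": "203.0.113.7",
    "time": "2024-05-01 09:12:44 (UTC)",
    "additional_data": {"useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Word/16.0"},
}).encode("utf-8")

if __name__ == "__main__":
    print(triage(parse_alert(SAMPLE_ALERT)))
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Put the receiver behind TLS and keep the path secret; it has no other authentication, and a forged alert is a cheap way to send your responders chasing the wrong host.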
Canary Token Tools
- canarytokens.org (Thinkst's free canary token generator)
- Canary.Tools by Thinkst (commercial product: hardware and virtual Canaries plus a hosted token console)
- OpenCanary by Thinkst (GitHub): an open-source honeypot daemon that runs fake network services (SSH, SMB, HTTP and others) and alerts, by email or log, on any interaction with them, including the source IP address. It complements tokens by covering the network-service side rather than files on real hosts.
- Canary Utils by Thinkst (GitHub): helper scripts for Thinkst Canary customers
Canary Tokens in Action
There are many places to plant canary tokens as bait. Common ones are client desktops and laptops, and internet-facing systems such as web servers and SQL databases. You can even embed an image token in your admin portal.
Here are ways to use each of those locations to catch a threat actor.
Client Desktops or Laptops
Threat actors who gain access to a desktop or laptop typically search for files and folders that look as if they hold material useful for further access: account lists, passwords, usernames and the like. A common scenario is an attacker copying files or whole folders off a victim's machine. Give them canary tokens with enticing names such as ‘Passwords’ or ‘Secret’: the Word, PDF and Excel tokens fire when the document is opened, and the Windows folder token fires when the folder is browsed in Windows Explorer.
Web Servers or SQL Databases
Because attackers browse the filesystem of a compromised server, the web root and configuration directories of a web server are excellent places to drop a token, especially one labelled ‘Passwords’. For databases, the MySQL dump token is a .sql file that fires when someone loads it into a MySQL server to read it, and the SQL Server token sets up a decoy table, which you can name ‘Employees’ or ‘Users’, with a trigger that fires when the table is read or modified. Once a threat actor runs a query against that decoy, you receive an alert.
Admin Portal
You can also embed an image token in your admin portal. A threat actor who gains access and loads that page fetches the image and, without knowing it, tells you in real time that someone has reached the portal. Bear in mind that a beacon on a page your own team uses will fire on every legitimate visit, so either place it on a bait page nobody legitimate has reason to open (a link titled ‘Export all credentials’, say) or be ready to match each hit against your own staff's addresses and login times.
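Planting the files is the step most people do by hand and then forget about. The script below is an added example written for this article, not a Thinkst tool: it copies a downloaded token file into a target directory under lure names, gives the decoy the median timestamp of its neighbours so it does not stand out as the only fresh file, refuses to overwrite anything real, and records every placement in a manifest so an alert can be traced back to a host and path. The lure names, the sample share layout and the JSON-lines manifest format are this example's own assumptions, and `run_demo` builds a throwaway directory with constructed files to exercise it.

```python
"""Plant canary token files so they blend in, and record where each one went.

Added example, not from the original article or from any Thinkst tool.
LURE_NAMES, the demo share layout and the manifest format are assumptions.
"""
import json
import os
import shutil
import socket
import statistics
import tempfile
import time
from pathlib import Path

LURE_NAMES = ["Passwords.docx", "Secret - do not share.docx"]   # assumed lure names


def blended_mtime(directory: Path) -> float:
    """Median mtime of the files already present. A decoy dated yesterday among
    three-year-old files is exactly the one a careful intruder would skip."""
    times = [p.stat().st_mtime for p in directory.iterdir() if p.is_file()]
    return statistics.median(times) if times else time.time()


def plant(token_file: Path, directory: Path, name: str, token_id: str, manifest: Path) -> dict:
    """Copy one token file into place under a lure name and log the placement."""
    dest = directory / name
    if dest.exists():
        raise FileExistsError(f"{dest} exists; never overwrite a real file with a decoy")
    ts = blended_mtime(directory)       # measured before the decoy is added
    shutil.copy2(token_file, dest)
    os.utime(dest, (ts, ts))            # access and modification time
    entry = {
        "token_id": token_id,
        "host": socket.gethostname(),
        "path": str(dest),
        "planted_at": int(time.time()),
    }
    with manifest.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def lookup(manifest: Path, token_id: str) -> list:
    """All placements of a token ID: the same token may be planted in several spots."""
    with manifest.open(encoding="utf-8") as fh:
        return [e for e in map(json.loads, fh) if e["token_id"] == token_id]


def run_demo() -> dict:
    """Constructed scenario: a share with three old files, one token file, two decoys."""
    root = Path(tempfile.mkdtemp(prefix="canary-demo-"))
    share = root / "HR"
    share.mkdir()
    now = time.time()
    for name, age_days in [("Payroll_2021.xlsx", 400), ("Handbook.pdf", 300), ("Org_chart.pptx", 200)]:
        f = share / name
        f.write_bytes(b"constructed real-looking file")
        os.utime(f, (now - age_days * 86400,) * 2)
    token_file = root / "downloaded_token.docx"
    token_file.write_bytes(b"PK\x03\x04 constructed stand-in for a real token document")
    manifest = root / "canary_manifest.jsonl"
    token_id = "1f2e3d4c5b6a79880000000000000000"   # constructed
    entries = [plant(token_file, share, n, token_id, manifest) for n in LURE_NAMES]
    # Both decoys should land on the median (300 days old), not on "now".
    target = now - 300 * 86400
    gaps = [abs((share / n).stat().st_mtime - target) for n in LURE_NAMES]
    result = {
        "entries": entries,
        "max_gap_seconds": max(gaps),
        "lookup_paths": [e["path"] for e in lookup(manifest, token_id)],
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keep the manifest off the hosts where the tokens live, otherwise the intruder reads your trap list. And before you rely on a placement, check that your own backup jobs, search indexers and preview panes do not open the file: a token that fires every night at 02:00 trains the team to ignore it.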
Other Use Cases
Canary tokens are excellent for startups because there are many ways to use them, and you can have fun getting creative. Other uses include URL tokens and AWS key tokens. You can even set traps in unusual places such as a Slack workspace, or under your phone battery with a QR code.
URLs
A URL token fires whenever someone visits that specific URL, so you can scatter such links through different parts of your startup's web server, wikis and documents. You can also plant one in Slack: find a months-old message that says “Good morning team”, edit it to read “Here's the link to the password file” with the token URL, and if your Slack is ever compromised and a threat actor searches for the word ‘password’ and clicks through, you will know.
AWS Keys
A canary token in the form of AWS API keys is highly recommended, especially if you keep a private key or secrets repository. Drop the decoy key pair alongside your real keys, in the same format they use (an extra profile in a credentials file, for example), so it is indistinguishable from them. When a threat actor tries the stolen keys against the AWS API, the decoy fires and you know your legitimate keys have been taken too. Note that alerts for this token type are not instantaneous, because they depend on AWS's own logging of the API call, so rotate the real keys as soon as the alert lands rather than waiting to see what the attacker does next.
Website Clones
Cybercriminals often clone a company's website to lure victims into entering their credentials or payment details. The cloned website token is a small JavaScript snippet you add to your own pages; it compares the hostname the page is actually being served from with your legitimate domain and, only if they differ, fetches the token's beacon. Legitimate visitors never fire it, but when a phisher copies your site wholesale, the snippet comes along and reports the cloned domain to you as soon as a browser loads it.
WireGuard VPN
Adding a decoy WireGuard VPN configuration to a device as a canary token is useful when travelling with startup devices, for example at border crossings where a device can be seized and inspected out of your sight. If the device is compromised, a knowledgeable attacker is likely to enumerate the VPN configurations on it and try to connect to them. The token's endpoint is a fake peer that you never connect to yourself, so any handshake attempt against it fires an alert.
QR Code Token
You can encode a token URL as a QR code. When the code is scanned and the URL is loaded, the token sends an alert. A few ideas: stick the code on containers in secure locations, on your desk, or under your phone battery when going through customs on international trips; anyone who scans it to see what it is has told you they handled the item.
There are plenty of unique cases that canary tokens can be used for your startup and team.
Summary
Canary tokens help your startup's team spot intruders and see where lateral movement is happening in time to act, so you can contain the breach and carry out the proper remediation. By creating a unique token, with a specific memo, for each device or network segment, the team knows immediately which part of the network has been touched and where to begin the incident response. Best of all, the basic tokens are free and easy to use, and you can be creative with them. A threat actor has no reliable way to tell which files are canaries, and the more widely canary tokens are known, the more an intruder has to slow down and second-guess every tempting file. In short, canary tokens offer startups a lot of detection for very little cost.
The above article describes how canary tokens work and how to use them to improve startup security. If you want to learn other ways to boost your organisation's cybersecurity, check out the other articles in the series.