TLDR: Canary tokens are not new, but they can give you some intel on your attackers, whether insider or external.
If you’re not familiar with the idea of a canary as an early warning system, its origins lie in coal mining. Miners would carry a small bird (typically a canary) in a cage. If the mine filled with dangerous gases, the canary would die first, giving the miners an early warning and time to escape.
A canary token can be hidden in many places to give you an early warning of impending doom, or just of someone snooping around. #insiderthreat
If your company is like most, one of your security challenges is the protection of unstructured data. Almost every company has at least one file share, mapped network drive, SharePoint site, or other location where sensitive files are shared. These files might be documents, spreadsheets, presentations, technical diagrams, backups of other computers, or scanned document images.
Whatever they are, you have probably done your best to protect them through strong security and good access management – limiting who has access to the files. This is a good security baseline, but how would you know if someone used a privileged account like a Domain Admin account to access those files?
This is where a free service called CanaryTokens provided by Thinkst comes into play.
These tokens can be used in so many places, and you can get really creative with them:
- Honeypot/honeynet → a scan or login attempt triggers the alarm
- Database row with a trigger → reading the whole database triggers the alarm
- Unprivileged user account with a weak password → any login triggers the alarm
- Canarytokens.org → opening an exfiltrated document makes it call home and triggers the alarm
- URL token
- DNS token
- Web bug (aka 1×1 pixel image)
Why should you care?
Network breaches happen. From mega-corps to governments. From unsuspecting grandmas to well-known security pros. This is (kinda) excusable. What isn’t excusable is only finding out about it months or years later.
Canary tokens are a free, quick, painless way to help defenders discover they’ve been breached (by having attackers announce themselves).
Tokens consist of a unique identifier (which can be embedded in either HTTP URLs or hostnames). Whenever that URL is requested, or the hostname is resolved, the service sends a notification email to the address tied to the token. You can get one in seconds, using just your browser.
To obtain a token:
Enter your email address. (It’s only used to notify you when the token is triggered; the address is not used for any other purpose.)
Enter a comment which describes where you’re using the token. If the token is triggered in six months’ time, the comment will help you remember where you placed it. Be specific (e.g. “file watch on 192.168.100.2:/repos/repo3/README.txt” or “Password lure email in [email protected] inbox”). You will probably end up with a few tokens, so a good description is necessary.
Click “Generate Token” to obtain your token.
Copy the token and drop it somewhere it will be stumbled over.
You will get an alert similar to this:
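To make the mechanism concrete, here is a small self-hosted registry that models the URL token, the DNS token and the web bug from the list above, and the generate/memo/alert flow just described. This is an added example written for this post; it is not Thinkst’s code and does not talk to canarytokens.org. It assumes a hypothetical domain (canary.example.internal) whose web server and authoritative DNS you control, and its default alert sink only collects alerts in memory where a real deployment would send the notification email. All IPs, user agents and memos in it are constructed.

```python
"""Minimal self-hosted canary token registry (constructed example).

A token is a random identifier.  When a request for its URL or a resolution
of its hostname reaches the listener, the hit is recorded against the memo
given at generation time and an alert is raised.  The alert sink is pluggable;
the default keeps alerts in memory.
"""
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# Hypothetical domain whose DNS and HTTP you control (assumption, not Thinkst's).
TOKEN_DOMAIN = "canary.example.internal"
TOKEN_RE = re.compile(r"^[0-9a-f]{24}$")


@dataclass
class CanaryToken:
    token_id: str
    email: str   # where to send the alert
    memo: str    # "file watch on ..." so you remember where it was placed
    hits: list = field(default_factory=list)


class CanaryRegistry:
    def __init__(self, domain: str = TOKEN_DOMAIN,
                 alert_sink: Optional[Callable[[str, dict], None]] = None):
        self.domain = domain.lower()
        self.tokens: dict[str, CanaryToken] = {}
        self.alerts: list[dict] = []
        self.alert_sink = alert_sink or self._collect_alert

    def _collect_alert(self, email: str, hit: dict) -> None:
        # Default sink: keep the alert in memory.  A real deployment would
        # send an email or webhook here.
        self.alerts.append({"to": email, **hit})

    def generate(self, email: str, memo: str) -> CanaryToken:
        """The email / comment / "Generate Token" steps, in one call."""
        token_id = secrets.token_hex(12)  # 96 random bits, 24 lowercase hex chars
        tok = CanaryToken(token_id, email, memo)
        self.tokens[token_id] = tok
        return tok

    # --- the forms a token can be dropped in ---------------------------
    def url(self, token_id: str) -> str:
        return f"http://{self.domain}/{token_id}/i.gif"

    def hostname(self, token_id: str) -> str:
        return f"{token_id}.{self.domain}"

    def web_bug_html(self, token_id: str) -> str:
        # 1x1 image; rendering the page (or an HTML email) fetches the URL token.
        return f'<img src="{self.url(token_id)}" width="1" height="1" alt="">'

    # --- the listener side ---------------------------------------------
    def _record(self, tok: CanaryToken, channel: str, source: str, detail: str) -> dict:
        hit = {
            "token": tok.token_id,
            "memo": tok.memo,
            "channel": channel,
            "source": source,
            "detail": detail,
            "time": datetime.now(timezone.utc).isoformat(),
        }
        tok.hits.append(hit)
        self.alert_sink(tok.email, hit)
        return hit

    def handle_http(self, path: str, remote_addr: str, user_agent: str) -> Optional[dict]:
        """Call for every request the token web server receives.

        The token is the first path component; anything else returns None so
        ordinary noise (scanners, favicon requests) does not alert.
        """
        first = path.split("?", 1)[0].strip("/").split("/", 1)[0].lower()
        tok = self.tokens.get(first) if TOKEN_RE.match(first) else None
        if tok is None:
            return None
        return self._record(tok, "http", remote_addr, f"UA={user_agent}")

    def handle_dns(self, qname: str, remote_addr: str) -> Optional[dict]:
        """Call for every query the authoritative resolver for the domain sees.

        The token is the label directly under the domain; any labels prepended
        by the caller (e.g. a hostname) are kept as detail.
        """
        name = qname.rstrip(".").lower()
        suffix = "." + self.domain
        if not name.endswith(suffix):
            return None
        labels = name[: -len(suffix)].split(".")
        tok = self.tokens.get(labels[-1])
        if tok is None:
            return None
        return self._record(tok, "dns", remote_addr, f"prefix={'.'.join(labels[:-1])}")


if __name__ == "__main__":
    reg = CanaryRegistry()
    tok = reg.generate("soc@example.test", "file watch on 192.168.100.2:/repos/repo3/README.txt")
    print("drop this URL:", reg.url(tok.token_id))
    print("or this host: ", reg.hostname(tok.token_id))
    # Constructed stumble-over: the lure is opened from 10.0.0.5, then a
    # workstation resolves the token hostname.
    reg.handle_http(f"/{tok.token_id}/i.gif", "10.0.0.5", "Mozilla/5.0")
    reg.handle_dns(f"ws-42.{tok.token_id}.{TOKEN_DOMAIN}.", "10.0.0.9")
    for a in reg.alerts:
        print("ALERT", a["channel"], a["source"], a["memo"])
```

Two design points carry over to any real deployment: only requests whose first path component is a known token alert, so scanner noise against the listener does not page anyone, and the memo travels with every hit, which is exactly why the post tells you to make the comment specific.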
desktop.ini share + zip-files
Before any other engagement, you have the internal domain name and a username, which can give you an idea of the naming convention. Ready to spark up your Cobalt Strike and send over a nice phishing campaign.