We live in a world where cyber threats are everywhere, growing both in number and complexity. As technologies spread, the number of opportunities and entry points for attackers keeps growing. We only have to look back to illustrate this point: the number of cyber attacks increased 50% in 2021 compared to 2020.
One of the most notorious cyber attacks is the one carried out on Twitter in 2020. What if Twitter’s security team had noticed sooner the 24 hours of unauthorized access by the 17-year-old who, for a few hours, impersonated Elon Musk, Barack Obama and other famous accounts? What would have changed if Belgacom (the largest telecommunications company in Belgium, now called Proximus) had realized that it had suffered a breach and that the attackers were still inside the company, rather than noticing two years later? And what about all the companies that struggle to handle their insider threats every day?
Have you ever heard about canary tokens? They are nothing new and were, in fact, presented for the first time at the BlackHat Conference in 2015.
Put simply, they are digital markers (Word documents, folders, PDFs, images, URLs) that act as a digital tripwire when opened or accessed. They alert their creator that they are being used and let the organization (or individual) know immediately which part of its network has been compromised, so that incident response can begin. We could see them as a kind of clever trap, for bad guys only.
Technically speaking, we can define them as unique identifiers that can be embedded in different places. As soon as they are touched, an alert is triggered.
Here are a few use cases of when canary tokens can be useful:
- Linked into a DNS entry to detect DNS enumeration against your domain
- Embedded into applications to help in reverse-engineering detection
- To run a red teaming scenario. Consider, for example, creating a Word document containing your CV and sending it to the HR department. When the recipient opens the file, the token is triggered and returns the domain and username of the “victim.”
- To detect when someone triggers the canary by activating the token, for example via a “target file” dropped in a private folder. When this file is accessed by an unauthorized user, an alert is generated.
It is a simple and quick approach that allows defenders not only to discover that they have been breached, but also to gain information on who or what triggered the token, and to track its activity.
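As an added illustration (not code from this page or from the canary tokens project), here is a minimal defender-side token registry in Python showing the mechanism described above: each token is a unique identifier, the same identifier can be planted as a DNS hostname or as a URL, and the listener turns any resolution or request that carries it back into an alert naming where the token was planted. The domain canary.example.com and the pixel.png path are assumptions.

```python
import re
import secrets
from datetime import datetime, timezone

# Assumed canary domain: the domain your own token server answers DNS and HTTP for.
CANARY_DOMAIN = "canary.example.com"


class CanaryRegistry:
    """Mint unique tokens, remember where each was planted, and turn any touch into an alert."""

    def __init__(self, domain=CANARY_DOMAIN):
        self.domain = domain
        self.tokens = {}   # token id -> memo describing where it was planted
        self.alerts = []   # every recorded hit, oldest first

    def mint(self, memo):
        """Create a 16-hex-character token tied to a human-readable memo (e.g. 'CV.docx sent to HR')."""
        token = secrets.token_hex(8)
        self.tokens[token] = memo
        return token

    def dns_name(self, token):
        """Hostname to plant in a DNS record or document link: <token>.<canary domain>."""
        return f"{token}.{self.domain}"

    def url(self, token):
        """URL to embed in a document or application so that fetching it resolves and requests the token."""
        return f"http://{self.domain}/{token}/pixel.png"

    def extract(self, observed):
        """Pull a token id out of a DNS query name or a URL; return None if there is none."""
        m = re.search(r"(?:^|[./])([0-9a-f]{16})(?:[./]|$)", observed)
        return m.group(1) if m else None

    def touch(self, observed, source, kind):
        """Called by the DNS or HTTP listener for every query/request it sees.

        Returns an alert dict when a known token was touched, otherwise None,
        so unrelated traffic never produces noise (the tokens are unique ids)."""
        token = self.extract(observed)
        if token is None or token not in self.tokens:
            return None
        alert = {
            "token": token,
            "memo": self.tokens[token],       # where the token was planted
            "kind": kind,                     # "dns" or "http"
            "source": source,                 # resolver/client address or other observed metadata
            "observed": observed,
            "time": datetime.now(timezone.utc).isoformat(),
        }
        self.alerts.append(alert)
        return alert
```

In practice the `source` field would carry whatever the listener knows about the requester (resolver address, client IP, user agent), which is the "who or what triggered the token" information the text refers to.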
You might be thinking “Why use canary tokens and not a SIEM?” That is a very good question, and there are a few reasons. The canary tokens project is open source and available on GitHub, which makes it very cheap and easy for everyone to install and use.
Another question could be “Why use canary tokens when I already have a SIEM?” The answer to this is quite short: sometimes, simple is better. It is very likely that Twitter has a SIEM and plenty of people working on it. A SIEM, like every other alarm system (honeypots included), generates an enormous number of alerts that are sometimes easily ignored, including when they really matter. Canary tokens are simple and error-proof; the effort you put into setting them up is not remotely close to the long and strenuous process of configuring and maintaining a SIEM.
10Guards can help you set up your tokens based on the various possible use cases and features they provide, place them strategically throughout your network, and create a personalized console for managing them. Additionally, we can support you in making the best use of the tool, including simulations of red teaming scenarios and much more.
More information about a Canary here: https://canary-tools.com.ua/en