What is a Canary Token?
A canary token is a deceptive digital artifact that is designed to look like a real digital asset, such as a file, URL, e-mail message, or document. It serves as an early warning system or ‘motion detector’ for cyber-attacks. When an attacker attempts to access or use a canary token, an alert is triggered for the security team.
The concept of using deception to trap attackers, or to capture prey, has its origins in the world of espionage and in nature. In the context of cybersecurity, the first description of honeypots (a canary token is a type of honeypot) can be found in a book, The Cuckoo’s Egg by Clifford Stoll. While working as a system administrator at the Lawrence Berkeley Laboratory computer center, Stoll trapped a prominent hacker by creating fake records for a non-existent military project that the hacker then attempted to access.
What is the difference between canary tokens and honeytokens?
- Scope: Canary tokens are lightweight, single-use, simple deceptions designed to trigger an alert when accessed. A honeytoken is part of a more sophisticated deception system that is designed to blend in with the enterprise network, lure and engage an attacker, and deflect them away from real network assets. Honeytokens can support simple as well as complex deception scenarios and are inherently designed to deal with the more sophisticated cyber-attacks seen today.
- Scale: Canary tokens are very easy to deploy, but deployment at scale is limited. Scripts offer only limited ways to deploy them at the scale or complexity an enterprise network requires, and there is usually no way to update or refresh them to keep them current. Deception-based systems that use honeytokens can automate deception deployment and can easily scale it up across diverse environments. They can also perform automated refresh cycles to keep honeytokens fresh and realistic to attackers.
- Additional Threat Information: When triggered, a canary token provides an alert for the security team. It usually provides no further information about the attacker and no threat intelligence, such as TTPs. Systems that use honeytokens can generate incidents that provide a processed, analyzed, and triaged view of individual deception events.
- Response: Canary tokens stop at triggering alerts for the security team. Honeytoken-based deception systems can integrate with the wider enterprise security system to automate response actions such as quarantining the compromised system.
- Environments: Canary tokens are mainly designed for IT environments, while honeytokens can be designed and deployed at scale for IT, OT, and Cloud environments.
How do canary tokens work, and how do attackers find them?
Canary tokens can be created and distributed at various places on an enterprise network. Since they are not real network assets or usable files, legitimate users should have no reason to access a canary token. Any access will be a strong indicator of malicious activity.
Canary tokens can be designed to look like high-value targets for attackers, for example a file or document whose name suggests financial records. When an attacker attempts to open the file, the canary token sends an alert to the security team. The alert could include the attacker's IP address or location, which the security team uses to track and stop the attack.
Canary token examples
- Documents: Different file types and formats (.doc, .xlsx, .pdf) can be used as canary tokens. They can be named in a way that will appear as a high value target to an attacker. For example, a Microsoft Excel file that appears to have financial information, or a Word document that appears to contain sales proposals or bids.
- URLs: A URL canary token could be an embedded tracking link or a DNS request that triggers an alert when an attacker accesses it.
- E-mail Addresses: An e-mail address could serve as a canary token, triggering an alert when an attacker attempts to send an e-mail to that address for a phishing attempt.
- API Keys: A canary token could be a decoy API key embedded in a configuration file.
- Credentials: Fake credentials that are not associated with a real system or application can trigger an alert when an attempt is made to use them to gain access.
- Network Shares: A canary token can be placed on a shared network drive and will be triggered if an unauthorized user attempts to access it.
- Cloud Artifacts: Like other types, a cloud artifact canary token is a deliberately placed file, object, or other cloud-based resource designed to trigger an alert when it is accessed.
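The detection side of the mechanism described above, as an added example that is not part of the original page: a small Python script holds an inventory of three constructed canary tokens (a decoy URL path, a decoy API key and a decoy username), scans constructed web-access, authentication and API-gateway log lines for any use of them, and emits an alert carrying the source IP, the timestamp and where the decoy was planted. All token values, log formats, addresses and the authorised-scanner allowlist are assumptions made up for the example; the allowlist illustrates one way to keep routine scans from paging the team, since any other access to a token is treated as a high-fidelity indicator.

```python
"""Canary token access detection over log lines (added example, not from the original page).

Everything here is constructed for illustration: the token inventory, the three log formats,
the IP addresses and the allowlist of hosts that run authorised scans.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inventory: each token is unique and maps to where it was planted, so a hit
# tells the security team exactly which decoy was touched.
CANARY_TOKENS: Dict[str, Dict[str, str]] = {
    "url": {"/finance/Q3_payroll_backup.xlsx": r"share \\fs01\finance"},
    "apikey": {"AKIACANARY000EXAMPLE": "repo backend/config/settings.py"},
    "username": {"svc_backup_admin": "decoy account in the directory"},
}

# Constructed: hosts running authorised vulnerability scans; their hits on the URL token are
# recorded at low severity instead of paging anyone (a known false-positive source).
AUTHORISED_SCANNERS = {"10.0.5.20"}


@dataclass
class CanaryAlert:
    token_type: str
    token: str
    planted_at: str
    source_ip: str
    timestamp: str
    severity: str
    evidence: str


# Constructed log formats: a simplified web access log, an auth log and an API-gateway log.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
AUTH_RE = re.compile(r'^(?P<ts>\S+) auth: (?P<result>\w+) login user=(?P<user>\S+) from=(?P<ip>\S+)')
API_RE = re.compile(r'^(?P<ts>\S+) api: key=(?P<key>\S+) from=(?P<ip>\S+)')


def severity_for(token_type: str, source_ip: str) -> str:
    """Any use of a decoy is suspicious; only an authorised scanner fetching a decoy URL is downgraded."""
    if token_type == "url" and source_ip in AUTHORISED_SCANNERS:
        return "info"
    return "high"


def detect(lines: List[str]) -> List[CanaryAlert]:
    """Return one alert per log line that touches a canary token."""
    alerts: List[CanaryAlert] = []
    for raw in lines:
        line = raw.rstrip("\n")
        hit: Optional[Tuple[str, str, str, str]] = None  # (token_type, token, source_ip, timestamp)
        if (m := ACCESS_RE.match(line)):
            path = m.group("path").split("?", 1)[0]  # ignore query strings when matching the decoy path
            if path in CANARY_TOKENS["url"]:
                hit = ("url", path, m.group("ip"), m.group("ts"))
        elif (m := AUTH_RE.match(line)):
            # A failed login with the decoy username is as interesting as a successful one.
            if m.group("user") in CANARY_TOKENS["username"]:
                hit = ("username", m.group("user"), m.group("ip"), m.group("ts"))
        elif (m := API_RE.match(line)):
            if m.group("key") in CANARY_TOKENS["apikey"]:
                hit = ("apikey", m.group("key"), m.group("ip"), m.group("ts"))
        if hit:
            token_type, token, ip, ts = hit
            alerts.append(CanaryAlert(token_type, token, CANARY_TOKENS[token_type][token],
                                      ip, ts, severity_for(token_type, ip), line))
    return alerts


def actionable(alerts: List[CanaryAlert]) -> List[CanaryAlert]:
    """The subset worth paging the security team about."""
    return [a for a in alerts if a.severity == "high"]


# Constructed sample log: one authorised scan, one benign request, then three decoy touches.
SAMPLE_LOG = [
    '10.0.5.20 - - [12/Mar/2024:02:00:01 +0000] "GET /finance/Q3_payroll_backup.xlsx HTTP/1.1" 200 1024',
    '198.51.100.9 - - [12/Mar/2024:09:10:44 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2024:09:14:03 +0000] "GET /finance/Q3_payroll_backup.xlsx?download=1 HTTP/1.1" 200 1024',
    '2024-03-12T09:15:11Z auth: failed login user=svc_backup_admin from=203.0.113.7',
    '2024-03-12T09:16:40Z api: key=AKIACANARY000EXAMPLE from=198.51.100.9 path=/v1/customers',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.token_type} token {a.token!r} (planted at {a.planted_at}) "
              f"used from {a.source_ip} at {a.timestamp}")
```

Running the script prints four hits: the scanner's fetch at info severity and three high-severity alerts from the two constructed external addresses. Each token value is unique to one planting location, which is what lets the alert say which decoy was touched rather than just that "a canary fired".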
Pros and Cons of Canary Tokens
Pros
- Early Detection: Canary tokens can provide an early indication of a cyberattack. Since they are not real network assets or usable files, legitimate users should have no reason to access a canary token. Any access will be a strong indicator of malicious activity.
- Cost-Effectiveness: Canary tokens are usually single deceptive files or artifacts that can be generated easily and deployed manually at a low cost.
- Ease of Use: Since canary tokens are single artifacts, they can be easily deployed without the need for additional resources.
- Minimal Impact: Canary tokens can be deployed in existing network locations without the need for shutting down production systems or taking them offline during deployment.
Cons
- Limited Scope and Scalability: Canary tokens are very easy to deploy, but deployment at scale is limited. Deployment is usually manual, and there are few ways to automate it at the scale required to protect a large enterprise network effectively. They also adapt poorly to evolving, sophisticated threats.
- False Positives: While most legitimate users will have no reason to access a canary token, there is still a chance of employees stumbling on one and triggering an alert. Unlike honeytoken-based systems, canary tokens are not tracked by a central system, so legitimate network scans can also trigger alerts during routine scanning or network discovery. The volume of low-fidelity alerts places an additional burden on already stretched security teams.
- Maintenance and Refresh: Since canary tokens are usually static, there is rarely a way to update or refresh them to keep them current. As the enterprise network changes over time, old canary tokens can easily stand out as obvious deceptions.
- Integrations: Canary tokens are limited to alerts and offer few integration options with the wider security infrastructure of an organization, for example with threat response systems.
Implementation Best Practices
Canary tokens should be deployed at different locations in the enterprise network. They must be designed to mimic real assets and should appear attractive to attackers. They need to blend into the enterprise network; otherwise they risk tipping off attackers. Periodic evaluation of the kinds of canary tokens deployed is essential to ensure that they still blend into the network.
To offer effective protection, they must be deployed at scale. Since deployment is usually manual, this is the biggest impediment to operationalizing and using canary tokens effectively.
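One way to script the deployment and the periodic evaluation described above, as an added example that is not part of the original page: the Python below plants decoy documents at a list of constructed locations, records each one's unique id, path, hash and deployment date in a JSON manifest, and a later audit reports decoys that have gone missing, been modified, or are older than a refresh threshold. The placements, file names, 90-day threshold and decoy contents are all assumptions made for the example; the manifest is what a "Maintenance and Refresh" review would work from.

```python
"""Canary token deployment manifest and periodic audit (added example, not from the original page).

Assumptions (all constructed): decoys are small text files carrying a unique id, the manifest is a
JSON file at the root of the deployment tree, and a decoy older than MAX_AGE_DAYS is "stale".
"""
import hashlib
import json
import os
import secrets
import tempfile
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MAX_AGE_DAYS = 90  # assumed refresh interval

# Constructed (directory, filename) pairs chosen to look like high-value documents.
PLACEMENTS = [
    ("finance", "2024_bonus_schedule.xlsx"),
    ("sales", "Acme_bid_final.docx"),
    ("it", "vpn_admin_credentials.txt"),
]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def deploy(root: str, placements: List[Tuple[str, str]], now: Optional[datetime] = None) -> Dict[str, dict]:
    """Write one decoy per placement and return the manifest that was also saved to disk."""
    now = now or datetime.now(timezone.utc)
    manifest: Dict[str, dict] = {}
    for rel_dir, name in placements:
        canary_id = secrets.token_hex(8)  # unique per decoy, so a hit identifies the planting location
        target_dir = os.path.join(root, rel_dir)
        os.makedirs(target_dir, exist_ok=True)
        path = os.path.join(target_dir, name)
        # Constructed decoy body; a real deployment would use a document that matches the extension.
        with open(path, "w", encoding="utf-8") as f:
            f.write(f"CONFIDENTIAL\ncanary-id: {canary_id}\n")
        manifest[canary_id] = {"path": path, "sha256": _sha256(path), "deployed": now.isoformat()}
    with open(os.path.join(root, "canary_manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def audit(manifest: Dict[str, dict], now: Optional[datetime] = None,
          max_age_days: int = MAX_AGE_DAYS) -> List[Tuple[str, str]]:
    """Return (canary_id, finding) pairs for decoys that need attention."""
    now = now or datetime.now(timezone.utc)
    findings: List[Tuple[str, str]] = []
    for cid, rec in manifest.items():
        if not os.path.exists(rec["path"]):
            findings.append((cid, "missing"))      # removed by a clean-up, or never deployed
        elif _sha256(rec["path"]) != rec["sha256"]:
            findings.append((cid, "modified"))     # someone touched it: investigate alongside alerts
        elif now - datetime.fromisoformat(rec["deployed"]) > timedelta(days=max_age_days):
            findings.append((cid, "stale"))        # old enough to stand out; refresh it
    return findings


def run_demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Deploy into a temporary tree, then simulate what an audit four months later sees."""
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed deployment date
    with tempfile.TemporaryDirectory() as root:
        manifest = deploy(root, PLACEMENTS, now=t0)
        fresh = audit(manifest, now=t0)  # nothing to report right after deployment
        ids = list(manifest)
        os.remove(manifest[ids[0]]["path"])                     # first decoy removed
        with open(manifest[ids[1]]["path"], "a", encoding="utf-8") as f:
            f.write("edited\n")                                 # second decoy modified
        later = audit(manifest, now=t0 + timedelta(days=120))   # third decoy is merely old
        return fresh, sorted(kind for _, kind in later)


if __name__ == "__main__":
    fresh, later = run_demo()
    print("findings right after deployment:", fresh)
    print("findings after 120 days:", later)
```

The audit only checks the decoys' own integrity and age; whether a decoy still looks plausible next to its neighbours is still a judgement call for the periodic review, and the manifest gives that review a complete list to walk through.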
Why are canary tokens important for your business?
Deception is the most effective form of cyber defense and essential to combat the increasing number of evolving and sophisticated cyber-attacks today. Canary tokens as a form of cyber deception can provide an early warning of a cyberattack. They are a good measure to uncover both latent threats, where attackers lie dormant after gaining access to the network, and insider threats involving malicious users.
Sophisticated deception-based systems that use honeytokens represent an advance over simple canary tokens. They overcome the limitations of canary tokens, automate deployment, and offer several other benefits.