- Alisha Carmichael
Canaries Provide Simple, Effective Cybersecurity
Canaries and Canary Tokens are a “Set It and Forget It” cybersecurity tool
When a Canary is triggered, you know immediately that you have a problem.
Canaries are among the most cost-effective security tools you can buy
It still takes most businesses way too long to discover breaches. Various annual surveys go into depth on the average time to detect a breach, and results often indicate somewhere between days and months to identify breached systems. In cybersecurity, incidents become more damaging the longer they go unnoticed. Time is of the essence.
What if there was a simple and effective way to know something bad was about to happen in your network environment before it actually happened?
This proposition is not hypothetical. Canaries introduce a game-changing level of detection of probable malicious activity before it becomes a breach.
What is a Canary and a Canary Token?
A Canary is a virtual or physical device that can imitate almost any other kind of device commonly found within a network environment. Through some simple configuration steps, you can set up a canary to masquerade as a Windows server, Linux server, cloud instance, Active Directory server, or even a virtual machine. When a hacker accesses the canary, you are immediately notified through a console, text message or email.
A Canary Token is a smaller decoy file, like a Word doc or XLS, or it can be an API key, QR code or email. Just like a full Canary, when a hacker accesses it you are immediately notified.
The beauty of Canaries and Canary Tokens? No one touches them…except for hackers. If someone does, it’s very likely a problem.
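To make the mechanism concrete, here is a minimal canary-token listener written as an added example for this article; it is not the vendor's product code. A token is an unguessable URL that gets embedded in a decoy (for instance as a remote image reference in a document), and the listener raises an alert the moment anything fetches it while still serving a harmless pixel so the decoy renders normally. The hostname, port and file-share path are assumptions chosen for illustration.

```python
"""Minimal canary-token listener (added example, not the original post's code).

mint_token()  -> registers a token id and where the decoy will be placed
token_url()   -> the URL to embed in the decoy file
record_hit()  -> turns a fetch of a live token URL into an alert record
"""
import datetime
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional
from urllib.parse import urlparse

BASE_URL = "http://canary.example.internal:8080"   # assumed listener address

# In-memory state; a real deployment would persist both and page someone on ALERTS.
REGISTRY: Dict[str, dict] = {}   # token id -> label and placement of the decoy
ALERTS: List[dict] = []

# 1x1 transparent GIF returned for every request, so the decoy renders
# normally and the person opening it gets no hint the fetch was special.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
         b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def _now() -> str:
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def mint_token(label: str, placed_at: str) -> str:
    """Create an unguessable token id and remember where the decoy will live."""
    token_id = secrets.token_urlsafe(16)
    REGISTRY[token_id] = {"label": label, "placed_at": placed_at, "created": _now()}
    return token_id


def token_url(token_id: str) -> str:
    """URL to embed in the decoy (e.g. as a remote image in a .docx or .html)."""
    return f"{BASE_URL}/t/{token_id}.gif"


def record_hit(path: str, client_ip: str, user_agent: str,
               when: Optional[str] = None) -> Optional[dict]:
    """If `path` names a live token, append and return an alert; otherwise None."""
    route = urlparse(path).path
    if not route.startswith("/t/"):
        return None
    token_id = route[len("/t/"):].split(".", 1)[0]
    meta = REGISTRY.get(token_id)
    if meta is None:
        return None          # scanners probing random paths are not canary hits
    alert = {
        "time": when or _now(),
        "token": token_id,
        "label": meta["label"],
        "placed_at": meta["placed_at"],
        "client_ip": client_ip,
        "user_agent": user_agent,
    }
    ALERTS.append(alert)
    return alert


class CanaryHandler(BaseHTTPRequestHandler):
    """Serves the pixel for any GET; records an alert only for registered tokens."""

    def do_GET(self):
        alert = record_hit(self.path, self.client_address[0],
                           self.headers.get("User-Agent", ""))
        if alert:
            print("CANARY ALERT", json.dumps(alert), flush=True)
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):   # keep stdout for alerts only
        pass


if __name__ == "__main__":
    # Constructed placement: a decoy spreadsheet on an HR share.
    tid = mint_token("Q1 2022 Executive Bonus.xls", r"\\fileserver\HR\Payroll")
    print("embed this in the decoy:", token_url(tid))
    HTTPServer(("0.0.0.0", 8080), CanaryHandler).serve_forever()
```

Two design points carry over to any real deployment: the token id must be unguessable (a random 128-bit value here), so a hit can only come from something that found the decoy, and the listener answers every request identically, so probing it reveals nothing about which paths are live.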
This sounds like a honeypot
If you’ve been in security for a while, you might wonder how exactly the concept of a canary differs from a honeypot. The first account of a honeypot emerged in Clifford Stoll’s classic book The Cuckoo’s Egg, where he detailed how he put a bunch of fake government data on a computer system to lure a KGB hacker into revealing his identity. Like a canary, a honeypot is a decoy system or server that appears legitimate and entices hackers to poke around on it, revealing their malicious intentions and enabling businesses to detect and deflect hacking efforts.
The problem with honeypots is that they are real systems on your network. Honeypots are servers with operating systems, data, and applications that mimic the behavior of a legitimate network system. In other words, you must set up and maintain honeypots, just like you do with your real production systems. In fact, honeypots can be harder to set up and maintain than regular servers because they are so unusual.
Canaries, on the other hand, function like a honeypot, but without the overhead and complexity of deployment. The reality of traditional honeypots is that only large enterprises with the necessary resources typically use them. Canaries make the idea of honeypots available and affordable for businesses of all sizes. Canary tokens sit on legitimate systems as enticing traps, rather than actually being a separate system.
How to Use Canaries
Here are some suggested ways to use Canaries and Canary Tokens in your environment.
Put Canaries on Important Network Segments
Place a couple of canaries on your most important network segments where hackers are most likely to get duped into accessing them. Think about your stores of sensitive or valuable data or user identities, and get a canary server set up where hackers are most likely to go roaming.
Deploy Canary Tokens All Over Your Network
Canary tokens are small and easy to deploy. These tokens sit silently in your environment with virtually no resource footprint. They prove their value as soon as someone clicks on them. Being so trivial to deploy, there is no reason not to consider using dozens of tokens.
Better Threat Hunting
Canary tokens placed strategically throughout your network are great for threat hunting. You or your managed services provider can use canary token alerts to hunt for malicious, suspicious, or risky activities. From an intruder’s perspective, opening a file or folder that’s actually a token doesn’t look at all different or suspicious.
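What hunting over dozens of tokens looks like in practice, as an added example that is not part of the original post: a single token hit is already an alert, but the pattern across tokens is what tells you whether someone is moving through the network. The script below runs two checks over a constructed alert stream (field names are assumptions): a source that touches several distinct tokens within a short window, and a hit on a token from an address outside the segment it was placed on.

```python
"""Hunting over canary-token alerts (added example, not the original post's code).
The alert records and their field names are constructed for illustration."""
import datetime
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed alert stream. Each token records the network segment where its
# decoy was placed, so a hit from outside that segment is itself a finding.
SAMPLE_ALERTS = [
    {"time": "2024-03-04T09:12:00Z", "token": "hr-bonus-xls",
     "segment": "10.10.20.0/24", "client_ip": "10.10.20.15"},
    {"time": "2024-03-04T09:14:30Z", "token": "acct-diligence-doc",
     "segment": "10.10.30.0/24", "client_ip": "10.10.20.15"},
    {"time": "2024-03-04T09:20:00Z", "token": "aws-canary-host",
     "segment": "10.10.40.0/24", "client_ip": "10.10.20.15"},
    {"time": "2024-03-04T15:00:00Z", "token": "hr-bonus-xls",
     "segment": "10.10.20.0/24", "client_ip": "10.10.20.77"},
    {"time": "2024-03-05T02:00:00Z", "token": "acct-diligence-doc",
     "segment": "10.10.30.0/24", "client_ip": "203.0.113.9"},
]


def _t(stamp: str) -> datetime.datetime:
    return datetime.datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def cross_segment_hits(alerts: List[dict]) -> List[dict]:
    """Hits where the client address is not on the segment the token lives on."""
    return [a for a in alerts
            if ipaddress.ip_address(a["client_ip"])
            not in ipaddress.ip_network(a["segment"])]


def roaming_sources(alerts: List[dict],
                    window: datetime.timedelta = datetime.timedelta(minutes=30),
                    min_tokens: int = 2) -> Dict[str, List[str]]:
    """Sources that touched at least `min_tokens` distinct tokens inside `window`.

    Returns client_ip -> sorted token names for the densest window found."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for a in sorted(alerts, key=lambda a: _t(a["time"])):
        by_ip[a["client_ip"]].append(a)
    found: Dict[str, List[str]] = {}
    for ip, hits in by_ip.items():
        best: set = set()
        for i, first in enumerate(hits):            # slide the window over each hit
            start = _t(first["time"])
            tokens = {h["token"] for h in hits[i:] if _t(h["time"]) - start <= window}
            if len(tokens) > len(best):
                best = tokens
        if len(best) >= min_tokens:
            found[ip] = sorted(best)
    return found


def hunt(alerts: List[dict]) -> List[dict]:
    """Prioritised findings: roaming sources first, then isolated out-of-segment hits."""
    report = []
    roaming = roaming_sources(alerts)
    for ip, tokens in roaming.items():
        report.append({"priority": "high", "client_ip": ip, "tokens": tokens,
                       "reason": f"touched {len(tokens)} tokens within 30 min"})
    for a in cross_segment_hits(alerts):
        if a["client_ip"] not in roaming:          # already reported above
            report.append({"priority": "medium", "client_ip": a["client_ip"],
                           "tokens": [a["token"]],
                           "reason": f"hit {a['token']} from outside {a['segment']}"})
    return report


if __name__ == "__main__":
    for finding in hunt(SAMPLE_ALERTS):
        print(finding)
```

On the constructed data, 10.10.20.15 opens three decoys on three different segments in eight minutes and is reported first; the in-segment hit from 10.10.20.77 still warrants a look but does not show up as roaming, and the off-network address that reaches the accounting decoy is reported on its own.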
Test your Pentesters
When hiring penetration testers or conducting red team exercises, part of their skillset involves getting into your environment and remaining there undetected. By using a couple of canaries and a bunch of canary tokens, you can provide an extra challenge to your pentesters and see how good they really are at staying undetected. Since the methods used in pen tests and red team exercises often approximate real-world conditions, you’ll also gauge how likely your canaries and tokens are to detect breaches.
Identify Rogue Employees
Creatively using canaries and canary tokens can also help you identify rogue employees likely to attempt data exfiltration or other malicious activities. One survey found that 67% of organizations experienced one or more insider attacks within the previous 12 months, which highlights how prevalent insider threats are. Think of what juicy details an employee might want for nefarious purposes, then give it to them…in the form of a canary token.
Industry Use Cases
Some industries in which canaries have proven their worth include:
Education—school and higher-ed networks are very open environments; your users change constantly; and your users are curious and possibly hostile. Canaries and Canary Tokens can help detect malicious behaviors before they become a serious problem.
Healthcare—healthcare data is among the most valuable in the hacker world. Yet, because lives are at stake, networks are often very open. These two factors make healthcare networks ripe for attack…and perfect for Canaries and Canary Tokens.
Law Firms—internal or external parties may have motivations to access the diverse range of sensitive documents found in law networks. Strategically placed token files can uncover these malicious intentions.
Critical Infrastructure – energy companies, financial services, telcos, etc. are under constant attack. “Time to Detect” drops with well-named canaries and canary tokens.
Pharmaceutical—intellectual property and tampering with trials can kill a biopharma business. Canaries and tokens can identify theft and mistakes before they really happen.
Manufacturing – Canaries and Canary Tokens can identify malintent from vendors, customers, and robots that you allow on your network before they find something of real value.
Department Use Cases
Most departments can benefit from Canaries and Canary Tokens. Here are some ideas:
Human Resources – set up a Canary for insurance, or a “Q1 2022 Executive Bonus.xls” Canary Token file and see if anyone is snooping around.
Accounting – a Canary for vendor management, or a Canary Token for “Competitor X Acquisition Diligence.doc” will likely tell you if someone is on that network segment.
Sales – worried about salespeople taking customer information before going to a competitor? A well named Canary Token left in a corner of the file system may tip you off.
Executive Department – criminals know executives are privy to all sorts of sensitive data. A Canary that mimics an AWS server could be just the ticket to root out bad actors.
Big Outcomes When Using Canaries
The real power of canaries is in dramatically reducing the time to detect possible breaches. Through a simple and effective technology solution, you can know something is about to happen before it does. Canaries empower your business to act faster whether you’re the target of an external threat actor or malicious insider.
Bear in mind that canaries and tokens sit passively in your environment and only become active when accessed. Once deployed, there is nothing else to do. It’s precisely the act of accessing Canaries and Canary Tokens that tells you there’s a problem that you need to address.
Canaries are cheep cheep
Sorry about that. But, our Canaries and Canary Tokens do provide incredibly high value for the money. They are easy to buy and take minutes to deploy. Plus, we will even manage and monitor them for you.