How to Use Canary Tokens for Threat Hunting
You may not be familiar with web beacons, but chances are you interact with them every day without knowing it. Web beacons are transparent files embedded in web pages or emails that trigger a GET request from whoever views or opens them. This lets marketing and analytics companies track user activity by recording when, and from where, that file was fetched.
Canary tokens apply this old web-beaconing concept to threat hunting. The tokens are regular, everyday files, such as Word documents or PDFs, with hidden web beacons embedded inside. When the file gets opened, the GET request from the user's machine alerts you that somebody has accessed your file.
When Canary tokens are spread across the systems in your network, they act as traps that would-be attackers can trip. In this article, we’ll cover Canary tokens in detail and demonstrate how to set them up on your network to start threat hunting.
Canary Tokens are decoys that can take on many different forms, including Word files, a folder, PDFs, URLs, images, and many more.
The idea is to make them look like something an attacker would try to access and to place them on various devices throughout our network, like a client’s laptop, a NAS drive, or a web server. When a breach occurs, an attacker will typically transfer the targeted data off the device in the least intrusive way. When they open a file with an embedded Canary token, the web beacon fires, alerting you to the source IP, the token name, and the time the file was accessed. By setting up unique tokens for the different devices or segments in your network, you’ll immediately know which part of your network is compromised so you can begin your threat response.
Unlike honeypots, which are virtual systems that lure would-be attackers into interacting with a fake production system, Canary tokens are files placed strategically on real systems throughout the network. The essential advantage is that you can monitor real systems for breaches, essentially turning your entire network into one huge honeypot. Let’s set up a few canary tokens and watch them in action.
We’ll start by generating a new token from canarytokens.org. The first thing you’ll do is select the kind of token you want to generate. For our first example, we’re going to generate a Canary token as a Word document. Next, we enter the email address that will be notified whenever the Word document is accessed.
For advanced users, we can also use a webhook to generate an API call. This lets us tie in our existing security devices to automatically block the source IP and quarantine breached devices. For now, we’ll enter an email address to receive a notification. The last section lets us enter a note that identifies this particular token. When the canary token is accessed, the notification for that token will include this note to help us identify it. I’m just going to enter a generic note for now.
The last thing is to click ‘Create my Canary token.’ We now have a Word file with our unique embedded web beacon that we can download and place in our network. The file itself can be renamed and placed in the strategic locations we know an attacker would look through. I will rename this file to make it more appealing and place it in several parts of this PC, like the Documents folder and the desktop.
I’m also going to generate a second Canary token; this time I’ll make a folder, enter my email, and add a note to identify this token. I’ll finish by clicking the button to create the new canary token. For this token, which looks like a folder, I’ll place it on my network drive with the label ‘Personal Files’ to make it appealing enough for a would-be attacker to try and open.
Now I will try to open these files from another device to simulate a would-be attacker. From the attacker’s perspective, I’m going to copy these files from the PC and the network drive. I’ll open them up, and nothing happens from the attacker’s viewpoint; to them, it’s an empty file. However, an alert has already gone off, notifying me of the token name, the memo, and, more importantly, the source IP the attacker came in from.
Because we’ve traced these two tokens and know that our network drive and client PC are compromised, we can now work on taking those two resources offline, blocking the attacking IP, and beginning our investigation.
So let’s talk about some good uses for placing these traps around our network. This is where you can get creative and start thinking about what an attacker would be interested in and where the possible breaches are coming from. Some common entry points are clients and internet-facing servers, like a web server. Once an attacker has gained access, what is the next thing they are likely to do?
A typical scenario in a client-side breach is an attacker retrieving files or folders from the victim’s machine. They’ll start by looking for documents, PDFs, and folders with intriguing names, so that is where we want to place our canary tokens, where they’re likely to get accessed. We can place a Word or PDF canary token with an enticing name like ‘Taxes 2019’. When that file is accessed anywhere in the world, the web beacon from our canary token goes off and alerts us to the access, with the user’s IP and a timestamp.
Another common entry point is an internet-facing server, like a web server. An attacker who gains access is likely to browse the file directory to see what they have access to. Our root file directory is an excellent location to drop a canary token labeled ‘password.doc’, which, again, is too enticing for an attacker to pass up. My personal favorite is to use a canary token as an embedded image on your admin or management page. An attacker who gains access will trip the canary token when the page with the image is loaded, alerting you that someone other than you has accessed your admin page.
There are too many canary token use cases to go through in this article. Here are some of my favorites:
Using a Canary token as a URL tracks anyone who has visited the specific URL, allowing you to embed canary tokens into different portions of your web server.
You can also use a canary token in a SQL server to notify you when an SQL query is performed on a specified DB.
If you have a private key repository, I highly recommend using the AWS API key canary token. By dropping it in with your other keys, you’ll know someone has gotten at your keys as soon as they try to use the decoy.
Canary tokens are simple and free, making them a fantastic complement to our existing detection and response tools. Generating and managing Canary tokens is all done from Canarytokens.org. Also, make sure you store your Canary token ID somewhere, because it’s the only way to log in and manage the token later.