2. AGENDA
INTRODUCTION
WHAT ARE CANARY TOKENS?
ALTERNATIVE?
CANARY PROBLEMS?
3. HONEYTOKENS
LOOKING AHEAD
A honey token is data that looks attractive to cyber
criminals but, in reality, is useless to them.
A “honey” asset is a fake IT resource created and
positioned in a system or network to get cyber
criminals to attack it. In this way, honey tokens are
similar to honeypots.
However, while honeypots can be fake servers or other types of
resources, honey tokens hold data that an attacker takes with them,
unknowingly revealing information that helps IT teams prevent future
attacks or go after the attacker.
4. TYPES OF HONEY TOKENS
Fake Email Addresses
Fake Database Data
Fake Executable Files
Browser Cookies
Canary Traps
Amazon Web Services
Web Beacons
5. CANARY TOKENS
Definition
We are living in a world where terms such as data breach,
vulnerability and cyberattack have become headlines. The
number of problems is on the rise due to the fast
growth of technology and the number of devices
connected to the Internet.
6. CANARY TOKENS
Detect when someone triggers the canary by
activating the token. For example, a “target file” is
specially dropped in a private folder; when this
file is accessed by an unauthorized user, an alert is
generated.
INTRODUCTION
Canary tokens, also known as honeytokens, are not new but can be useful
as a source of information. They can be understood as unique identifiers
that can be embedded in different places. If they are touched, an alert is
triggered.
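As an added example (not from the original slides), a minimal sketch of the mechanism described above: a unique identifier is registered with a description and an alert address, and a monitor scans web-server access logs for any request that touches it. The combined log format, the `/t/<token>/` URL layout, the registry, the address and the log lines are all assumptions constructed for illustration.

```python
import re
import secrets

# Hypothetical registry: token -> (description, alert recipient), mirroring the
# "email address and description" entered when a token is generated.
REGISTRY = {}

def new_token(description, email):
    """Mint a unique, unguessable identifier and remember what it guards."""
    token = secrets.token_hex(12)
    REGISTRY[token] = (description, email)
    return token

# Combined log format: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def scan(lines):
    """Return one alert per log line whose request path contains a registered token."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        for token, (description, email) in REGISTRY.items():
            if token in m["path"]:
                alerts.append({"token": token, "description": description,
                               "notify": email, "source_ip": m["ip"],
                               "time": m["ts"], "user_agent": m["ua"]})
    return alerts

def demo():
    """Constructed sample: one token planted in a document, three log lines."""
    tok = new_token("PDF in finance share", "soc@example.com")  # constructed values
    lines = [
        '198.51.100.7 - - [10/Mar/2024:09:15:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        f'203.0.113.44 - - [10/Mar/2024:09:16:40 +0000] "GET /t/{tok}/pixel.gif HTTP/1.1" 200 43 "-" "PDFReader/1.0"',
        'not a log line',
    ]
    return tok, scan(lines)

if __name__ == "__main__":
    for alert in demo()[1]:
        print(alert)
```

Because the token is random and appears nowhere else, any hit is high-signal: legitimate users have no reason to request that path.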
7. HOW TO USE CANARY TOKENS
Setting up the tokens is very easy. All we need to do is enter an email address and a description, set the type of
token that we want, and generate it.
The use cases presented in this article are:
i. Get an alert when a PDF document is accessed
ii. Get an alert when a Windows folder is browsed in Windows Explorer
iii. Trigger an alert when a website is cloned
iv. Obtain an alert when an application is reversed
8. CANARY/HONEY TOKENS ALREADY USED IN A LOT OF PLACES?
CANARY TOKENS
Honeypot/honeynet → scan or login will trigger alarm
Database row with trigger → read whole database will trigger alarm
User account (no privileges) with weak password → login will trigger
Canarytokens.org → open doc calls home and triggers alarm
10. ARE HONEY TOKENS EFFECTIVE IN IDENTIFYING CYBER-ATTACKERS?
• Honey tokens can be a very effective tool in identifying cyber-attackers
because they send you specific information about the attacker that you would
not otherwise be able to glean. For example, if a malware attack successfully
penetrates your system, it may be impossible—and at the very least,
difficult—to figure out the IP address of the attacker.
• With a honey token, once the attacker opens the file with the token inside,
you are instantly given their IP address. For this reason, the European Union
Agency for Cybersecurity (ENISA) has specifically recommended the use of
honeypots and honey tokens to trap or ensnare cyber criminals.
• However, honey tokens alone are not sufficient to protect your organization's
infrastructure. While they can help you identify attackers and reveal
vulnerabilities in your system, they cannot prevent attacks without the help of
other security tools, such as next-generation firewalls (NGFWs) or secure web
gateways (SWGs).
11. AVOIDING DETECTION (ATTACKER’S VIEW)
Hiding your actions is hard to impossible
○ Don’t search, only use specific search engine, only look at results and don’t visit result page
○ Non-web-based tokens make this hard (e.g., API-endpoint canary or credential canary)
Hide origin of search (VPN, Tor, etc.)
○ Easy, likely done but you can get lucky
12. PROBLEMS
You probably use and rely on software made by someone else
○ You would be negatively impacted if that software is targeted
○ You could create 3rd-party RE-canaries for that software to get notified if somebody is looking at it very closely
BUILDING RE-CANARIES FOR 3RD-PARTY SOFTWARE
13. THANK YOU
Muhammad Usman Rana
+92*********** Usman.amir90@gmail.com