Digital Age: The Power of Canary Tokens and Deception Technology in Cybersecurity

In the pantheon of security systems few things are as under-rated as deception systems. NIST is only now getting around to including these vital systems in their recommendations. This is unfortunate because few things are as simple and inexpensive to deploy while providing so much benefit. If you have the means to monitor them (and if you have any kind of detection and response capability, you do) they are something you should absolutely be using. Few things will give you such reliable indication that your network is under attack.

So what are Deception Systems, and how do they help?

Deception systems are systems (hosts), files, credentials, code, and any other target that is designed to attract attention to itself while providing no benefit to the attacker. At the least they waste an attacker’s valuable time, but at best they waste the attacker’s valuable time while also alerting the defensive team to the attacker’s presence (and in some cases, identity). Thinkst is the gold standard for deception systems and one of our favorite options for Recon's customers, but it is possible to create deception systems yourself. A few examples:

1. Honeypot systems - these are entire computer images that run on your network, either as virtual machines or as a small footprint system (such as a Raspberry Pi). While holding no data and performing no function, they can be closely monitored for scanning or other reconnaissance activity. Because you know that they are not used on your network any attempt to log in or utilize the “services” provided by the system is being performed by someone not familiar with your network, i.e., likely an attacker.

2. Canary tokens - these are generally documents (e.g. PDF files, Word files, or Excel files) provided by a service such as Thinkst that implement a signal any time they are opened. If you place a tempting target on an internal share (domain_admins.xlsx anyone?) and it gets opened, you have good information that an unwelcome someone is on your network, or someone is getting into files they shouldn’t. If it gets opened outside of your network you have not only proof that some data has been exfiltrated, but also the IP address of the person who is holding the file.

3. API honeytokens - these are API credentials (think AWS or Slack) that you can place in private areas that nobody should be looking.. Such as private code repositories or secrets managers. Perhaps they could be placed in a storage location that holds other private technical information. As soon as an attacker attempts to authenticate one of these tokens you will get notification that they have done so, their IP address, and certainty that someone has been inside wherever those credentials were stored.

4. Cloned website domain - this is a special token, and one of the most useful. You include this as a small snippet of code on your own website (usually, the login page). If someone, in preparation for a phishing campaign, clones your website they will pick up this small snippet of code. While it is totally innocuous on your own website, when it executes from an unfamiliar server it will immediately notify your defensive team so that the systems can be taken down before the phishing even begins.

Whew, and that was only a subset of what can be done. The horizons are vast for this type of defense, and these things are simple to deploy and monitor while providing the highest quality threat intelligence.

Deception systems and insider threats

So far we’ve talked about how these deception systems can be used to thwart attackers, inferring that these attackers are always of the ransomware/financially motivated variety. While that’s a great use case, Canary Tokens can also make a fantastic insider threat detection tool. For example, consider that you have a concern that someone at a director level in your organization has been leaking information, perhaps to the press, perhaps to a competitor, or even just to their buddies for insider trading purposes. You can create a Canary document with press release information or sensitive financial information and then observe who opens it, when, and from where. Or, in an effort to “watch the watchers”, you develop a Canary with a very personal bent to it, e.g. “2022 tax forms.docx” or “test results.docx”. You can then drop this file in the home directory of a former (or even current) employee and have a reliable indicator if any of your administration team are abusing their access for personal reasons.

The importance of monitoring and response

Deception systems are great at detecting threats of all kinds, they can be the single best source of threat intelligence in your toolbox. But as powerful as they are, the thing they can’t do is respond to an event. When using deception systems of any kind, no matter how much attacker time they waste, if you aren’t closely monitoring them (and by close I mean 24x7) and responding when they alert, you will most likely find yourself with a compromised network and possibly some moderately useful forensic information after the event. Just as with any detective control or any source of telemetry, you need to react quickly and accurately when it triggers. If you don’t have a detection and response capability built in your organization, that is the horse you need to put first, before you start building your deception system cart.