Ransomware – Canary Tokens

We thought we would round off our series on Ransomware with something a little more off-piste and discuss an opensource product called CanaryTokens.  This novel technology provides an interesting capability and is great for encouraging unconventional thinking in the infosec space.  To begin, let’s break down the premise of this product.

What are CanaryTokens? 

CanaryTokens get their name from the canaries that were employed in the coal mining industry as a mechanism to provide early detection of toxic gases in the mines.  Much like their namesake, the job of the canary token is to provide an early alert to the presence of an unwanted third party in your environment.  Whilst the movies portray cyber attacks as these fast-paced smash and grab activities, more often than not an attacker will sit on a network for days, weeks or months before they have the resource or privilege to cripple a business.  This lead time gives rise to a plethora of security products that aim to detect the presence of an attacker, such as intrusion detections systems taking a feed from the network or honey pots which are designed to bait the attacker and alert when targeted.  Canary tokens extend this honey pot / IDS capability to the distributed workforce by adding beacons to all manner of things, from applications to Word documents.  Oh, and they’re free for both a self-hosted on-premise installation or cloud-hosted SaaS!


Beaconing Word documents. 

So how does this work?  The free service provides a blank Word .DOCX file and, as promised, every time you open it the alert is triggered.  That alert can be an email or webhook, depending on how you configured your token, and you can get a history of triggers via the website or API.  The incident map is useful for immediately seeing those unusual geolocations accessing the file.

Under the hood, the implementation is simple.  A tiny white square is included in the footer of the document, but only as a reference.  To display the image, Microsoft Word fires off a request the CanaryToken server to download the image and CanaryToken server dutifully logs it.  That is it!

Taking it further. 

Hopefully, the value in this concept is jumping out at you!  How do we extend the capability to make it ubiquitous across the network and to deliver real value?  CanaryTokens, out of the box without any modification, supports webhook alerts rather than email and this means you can receive notifications to your own receiving server.  From here you can process, store, and analyse the data to drive that extra value out, such as alerting based on geographical region or if there are sudden spikes in activity.  CanaryToken also supports programmatic access, meaning we can leverage the REST API to generate tokens and embed them within files programmatically to remove the burden from the end-user.  You could crawl a Sharepoint site, windows file share or code repository for Word files and then automatically inject unique tokens.  By adding metadata tags to your files, you could automatically apply alerting rules based on the detected location or author.  We can also consider the points of egress to a network as great pinch points to inject canary tokens, such as injecting them into email attachments as they flow through the existing email infrastructure.

But how easy are CanaryTokens to spot? 

In short, quite easy.

We generated a file using the cloud-hosted free service and the CanaryToken URL stands out like a sore thumb in the footer component.   Of course, using your own CanaryToken server will allow you to use a domain name of your choosing.  The footer component is also compressed, so a simple string search will not find the token.

There is also a growing school of thought that getting caught being sneaky isn’t a bad thing.  Attackers and insiders will certainly think twice before ransacking your servers if they realise that some of these files contain beacons and traps that may trip them up.  We see this all the time, from the classic chilli in the chocolate game to the deployment of mobile speed cameras.  The police do not need to speed trap every public road, they just need to allow the speeding to motorist to think that they could be lurking around that bend. Maybe its time you considered deploying deception into your networks.

What can SQA do for you?

SQA can help you weaponise these concepts and build a defence in depth architecture that works for you.

Looking for a vendor-agnostic Cyber Security partner that you can trust? Contact SQA Consulting for further information on:

  • Reducing the likelihood of an attack
  • Mitigating the impact of a successful attack
  • Significantly reducing the time to recovery
  • Attack simulation and defence-in-depth evaluation

Get In Touch

Technology Consulting Partners