Canary Tokens

What Are They?

It is widely accepted in cybersecurity that no system or architecture is 100% secure. An enterprise can be reasonably sure that, at some point, bad actors are going to find their way in.

The second-best thing to stopping an attacker from getting in is finding out about it as soon as possible.

Enter the canary token – a digital tripwire that triggers and alerts the security team when a resource that shouldn't be interacted with is accessed.

They can take numerous forms, including:

• Documents (PDFs, Word files, spreadsheets)

• DNS entries

• Email addresses

• API keys

• Cloud credentials

Security teams often give them enticing names, such as "Valuable Personal Data" or "Executive Salaries". Perhaps not something quite that obvious, but you get the picture.

How Do They Work?

When an attacker interacts with the resource, the token silently alerts the defender. Since no one should be interacting with that resource, the defender can be fairly confident that the system has been compromised.

Advantages

The benefits of this tool are quite impressive.

• Very low cost: Canary tokens can be free and require minimal infrastructure.

• Easy to deploy: Simply place the file or token in a strategic location.

• Strong signal-to-noise ratio: Legitimate users are unlikely to interact with decoy assets regularly.

• Early detection: Canary tokens can reveal unauthorised access before attackers can move through the environment and achieve their objectives.

Final Thoughts

While not a replacement for threat detection tools, SIEM platforms, or other security controls, canary tokens are a cheap, lightweight addition to a security team's defensive arsenal. They provide an effective early-warning mechanism that can help defenders detect compromises before significant damage is done.