What is a Canary in Cybersecurity?

Up until the late 20th century, canaries were used by miners to detect dangerously high levels of toxic gases like carbon monoxide to protect them from inhaling dangerous substances. In cybersecurity, a canary refers to a virtual or physical device, developed by the cybersecurity company Thinkst, that can imitate almost any kind of device in a wide variety of configurations. Canaries can pretend to be anything from a Cisco switch to Windows file servers to mainframes or workstations.

In this way, canary devices are honeypots. A canary honeypot mimics a system that may be attractive to an attacker. Once the attacker penetrates the honeypot, administrators can study their behavior. Canary tokens are significantly different in that they are embedded in files and designed to trigger alerts when an attacker accesses them.

If an attacker attempts to penetrate your system and engages with a canary device, a message is automatically sent to whomever you choose, typically through a text message, email, or another notification system. At that point, admins or other users become aware of the attack and can take precautions or mitigation measures as needed.

With a canary token, if an attacker opens the file or Uniform Resource Locator (URL) with the token embedded, information about the attacker and the token automatically gets transmitted to your network’s defenders. Canary tokens and devices can therefore provide incident responders with valuable information regarding the methodology and identities of the attackers.

How Does a Canary Help?

Like the canaries used to protect miners, the canaries deployed to protect networks provide advanced alerts to users, informing them of potential dangers. When a canary inhaled poisonous gases in a mine, its demise alerted workers and overseers to the dangers in the mine. Similarly, canaries in your network send messages to admins or others when they encounter a threat.  

Canaries can be deployed easily, and they do not need a lot of time-consuming maintenance. They are a cost-effective method of gathering information about threats, empowering IT staff to respond quickly and appropriately. Users can preconfigure them so they can be deployed and ready to strengthen security within minutes.

One of the primary ways canaries help IT teams is they can provide information about the attacker’s methodologies. They help admins pinpoint a hacker’s attack surface of choice. For example, if an attacker prefers to target Windows file servers, a canary posing as one will likely become a “victim.” An alert is then generated and sent to a console. Now, admins know that Windows file servers are in attackers’ crosshairs and can take appropriate measures to secure the real ones on the network.

A canary also serves as an ongoing threat monitoring system. When positioned strategically throughout the network, canaries can alert admins as to when and how attackers try to penetrate the system. Information regarding the types of attacks and their timing can provide valuable insights to system administrators.

Canary tokens act like LoJack, a stolen vehicle recovery system, for network defenders. Once an attacker has a file containing a canary token, information about the attacker, including their location—via their Internet Protocol (IP) address—and when they opened the file is transmitted back to admins. In a sense, a canary token allows an organization to “hack back” by embedding canary spy tech within legitimate-looking files. 

While a canary token stops short of accessing sensitive personal data like traditional spyware, it does transmit data about the attacker without their knowledge. This helps admins understand attackers and their techniques more fully.

Canary Tokens and Honeypots—Are They the Same?

Canary tokens and honeypots have similar goals, but they use different approaches. A honeypot pretends to be an attractive target for a cyber criminal. When the attacker falls for the bait, IT admins can study their behavior and gather key intelligence about the nature of the threat.

But what is a canary token? A canary token can be used to track the behavior of cyber criminals. They are implanted in regular files, and when the user accesses the file or executes a process, a message is sent to the person who implanted the token. When cyber criminals open the token, you get their IP address and the token name, as well as the time the file was accessed. In short, a honeypot provides a place for attackers to play, while a canary token gives them a toy to play with. With both solutions, once attackers fall for the trap, you can gather valuable information about them. 

How Effective Are Canary Tokens at Preventing a Breach?

When an attacker opens a file that contains a canary token, you are instantly given details you can use to prevent their next move from being successful. This can give you an advantage as you defend against a number of different types of attacks. Also, because a file with a canary token inside it is a dummy target with little to no value for the attacker, the canary defense methodology is similar to that of a honeypot because it wastes an attacker’s time and resources while you gather information about them.

Deploying canary tokens must be done with precision. If the file or URL is not accessed by an attacker, you do not get any valuable insights. Also, an attacker can enter your system without accessing the file with the canary token. Therefore, a series of canary tokens, on their own, is insufficient to provide an adequate defense against breaches.