Canary Tokens – How To Booby Trap Your Network

It’s all about prevention

So you’ve spent a fortune on resources to prevent cyber attacks. You’ve got firewalls, intrusion prevention systems, endpoint protection, patch management and every other security bell and whistle known to mankind. So what next? You just sit back and relax – right?

Well, it depends upon how much you enjoy having a job.

In our endless pursuit of prevention we’ve almost lost sight of the importance of proper detection. We’re collectively spending a large proportion of our annual budgets on preventing attacks – but aren’t able to reliably determine whether we have actually been successful in doing so.

You’re missing the target ..

So you’re telling me that we’re spending our time and money on preventing attacks – yet we have no reliable way to measure whether it’s actually working? Yes. Correcto. Imagine cyber security is like shooting a target with a gun. You’re doing it blindfolded, in the dark, upside down, drunk. Oh, and the target is moving – attackers don’t like to stay in one place much.

The reality is cyber attacks are like aggressive diseases – the earlier you catch them, the better. Without regular check-ups you may not realise the extent of your problem until it’s too late. At this stage the best security products in the world won’t be able to save you, and the damage to your organisation will have already been done.


Being able to detect attacks early on is critical – and without a solid detection capability you are seriously undermining your strategy for prevention. There are many traditional tools and techniques that can be used to improve this detection capability, and many of these revolve around Security Incident & Event Monitoring (SIEM).

These solutions are a collection of network sensors that deliver aggregate data to a centralised reporting platform for event correlation and analysis. SIEM solutions are a great tool – but today I’d like to introduce one of my newest toys for detection, and one that you may have never used – canary tokens.

Canary Tokens

Canary tokens are essentially URLs that contain a unique string which is generated by a server and then stored in a database. Whenever a GET request is issued to that server containing the unique string it automatically triggers an alert to let you know that the token has been activated.

Using canary tokens we can set traps within file reads, database queries, process executions, log files or even websites such as Linkedin to detect profile views. Canary tokens do all this and more, allowing you to set booby traps in your production systems rather than setting up separate honeypots.

Why should you care?

Network breaches happen. From mega-corps, to governments. From unsuspecting grandmas to well known security pros. This is (kinda) excusable. What isn’t excusable, is only finding out about it, months or years later. Canary tokens are a free, quick, painless way to help defenders discover they’ve been breached.

Think of them almost like network claymores. In fact, it’s our job to be the Kevin McCallister’s of the security world and use our environment to our advantage. If we can’t stop the attackers from coming in – we can sure as hell make them aware of our presence and make their lives more difficult.

Email Trap

A great example would be to generate a token and embed it into an email as a 1px X 1px image. You could send this email to yourself and pin it to the top of your email list with an enticing subject line – e.g. “Credit Card Statement – Transaction History”.

Anybody breaching your email account will notice the luring subject and click on the email which would render the image and trigger an immediate alert to let you know that your email account has been compromised – giving you enough time reset your credentials and investigate before any damage is done.