Canary in the Real Coal Mine: Beginning in 1911 and all the way through 1986, coal miners would bring a small bird, usually a canary, into the mine with them. During the blasting, the miners could be exposed to carbon monoxide or other poisonous gases. The canaries were brought down into the mine as an early detection device. Because the canary is much more vulnerable to airborne gases, the canary would die upon the first detection of poison. If the miners found a dead canary, danger was in the air and it was time to get out.
Canary Tokens in the Cyber Coal Mine: In the cyber world, “canary tokens” or canary files are used in a similar manner – to see if danger is in the air. A canary token is a digital file that contains a tracker and a trigger. The idea is to put these files throughout your file system with enticing names like “passwords” or “HR Salary List” or something similar. If an attacker would access the system and open the file, the trigger would go off and the tracker would be able to annotate the general location of the hacker to you via email. The general idea is that you now know if someone is snooping around on your device and you can protect yourself from the intrusion.
Try It: You can try this on your home or work computers for free. https://canarytokens.org/ provides different types of canary tokens for your use. You select the type of file, provide your email for notification, and a reminder where you will be putting the token. I recently tested this and the site was able to pinpoint my location as accurately as to my neighborhood, not just the city.
Deception: This is one aspect of an active (or proactive) cyber defense called deception. Deception, as the name implies, is looking to deceive or fool the attacker causing the attacker to make noise as to be detected, and subsequently allowing the user to protect the assets.
Some Honey: In some organizations, IT departments may put out a fake server on the network called a “honeypot.” The server would not have any of the usual security protections thus purposefully making it an easy target for the hackers. The server would be full of fake files and a labyrinth of directories to traverse. No one in the organization has a reason to be on the server, so the only reasons to be on the server are mischievous or nefarious. This gives the cybersecurity department an insight into the tactics and procedures that they need to defend against. It also wastes the hacker’s time. If the hacker is busy in the honeypot, he is not attacking your real assets.
A “honeynet” is similar to a honeypot, except that it is an entire network of honeypots. Larger organizations with critical assets may employ a honeynet to distract the hackers and cause them to make noise on the network. Setting the traps throughout the network allows for the early detection the organization desired.
Just like the coal miners of the twentieth century, the cyber world needs the early detection of danger that the canary provides to stay safe.