Honeypots are tools that inform the owner of an asset when their private or confidential property is being snooped on or intruded upon by an attacker. A honeypot aims to lure a perpetrator who has gained unauthorized access to the property (email, online storage, a personal laptop, a server, a network, etc.) into interacting with it, thereby triggering an alert to the owner.
Traditionally, honeypots have been limited to devices on the network that were set up purely as honeypots, and they were expensive. Honeytokens now offer a much easier and cheaper way of detecting intrusion into your private or confidential property.
Honeytokens are honeypots that are not computer systems. Honeytokens can exist in almost any form, from a dead, fake account to a database entry that would only be selected by malicious queries, making the concept ideally suited to ensuring data integrity—any use of them is inherently suspicious if not necessarily malicious.
Honeytokens can be embedded in folders, files, URL links, database tables, email, DNS, etc. Any interaction with these items triggers an alert to the administrator.
Canarytokens, provided by Canarytokens.org, are honeytokens intended for easy use by the masses. The site lets users easily create a honeytoken for a particular property and have alerts sent to an email address of their choice.
Any interaction with the token triggers a connection to the Canarytokens domain, which then sends an alert to the user's configured email address informing them of the breach.
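The alert flow described above, sketched as an added Python example (not code from Canarytokens.org): a token is minted and planted, and a scan of web-server access logs raises an alert for any request that touches it. The `/t/<token>` URL layout, the registry dict, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
import secrets

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# Assumed URL layout for token hits: /t/<32 hex chars>, optionally followed by a file name
TOKEN_RE = re.compile(r'/t/([0-9a-f]{32})(?:[/?.]|$)')

def mint_token(registry, label, notify):
    """Create an unguessable token and record where it was planted and whom to alert."""
    token = secrets.token_hex(16)
    registry[token] = {"label": label, "notify": notify}
    return token

def scan_access_log(lines, registry):
    """Return one alert per request whose path contains a registered token."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line, nothing to attribute
        t = TOKEN_RE.search(m["path"])
        if not t or t.group(1) not in registry:
            continue  # ordinary traffic, or a guess at a token that was never issued
        entry = registry[t.group(1)]
        alerts.append({
            "label": entry["label"], "notify": entry["notify"],
            "source_ip": m["ip"], "time": m["time"], "user_agent": m["agent"],
        })
    return alerts

def demo():
    # Constructed sample data: documentation IP ranges, made-up file label and address.
    registry = {}
    tok = mint_token(registry, "customer-mailing-list.xlsx", "owner@example.com")
    lines = [
        '198.51.100.7 - - [10/Mar/2024:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        f'203.0.113.45 - - [10/Mar/2024:09:15:40 +0000] "GET /t/{tok}/logo.png HTTP/1.1" 200 43 "-" "Microsoft Office Excel"',
        '203.0.113.45 - - [10/Mar/2024:09:15:41 +0000] "GET /t/' + "0" * 32 + ' HTTP/1.1" 404 0 "-" "curl/8.0"',
    ]
    return tok, scan_access_log(lines, registry)

if __name__ == "__main__":
    for alert in demo()[1]:
        print(alert)
```

Only the second request produces an alert: the first is ordinary traffic and the third uses a token that was never issued, so a stray probe of the `/t/` path does not page the owner.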
Recommended places to put Canarytokens are:
- Google Drive
- Confidential directory and files in your personal computer
- Server directory and files
- Your customer mailing list
Canarytokens may fail if the perpetrator manages to block traffic to the Canarytokens domain. To overcome this, the user can run Dockerized Canarytokens and install them on the user's own internet-facing domain.