August 22, 2023

In large metropolitan areas, tourists are often easy to spot because they’re far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like data theft and ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.

In a blog post published last month, Cisco Talos said it was seeing a worrisome “increase in the rate of high-sophistication attacks on network infrastructure.” Cisco’s warning comes amid a flurry of successful data ransom and state-sponsored cyber espionage attacks targeting some of the most well-defended networks on the planet.

But despite their increasing complexity, a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly-arrived cybercriminals behaving like network tourists, Cisco says.

“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of ‘first steps’ that someone who wants to understand (and control) your environment would take,” Cisco’s Hazel Burton wrote. “Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor.’ All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.”

Cisco’s alert concerned espionage attacks from China and Russia that abused vulnerabilities in aging, end-of-life network routers. But at a very important level, it doesn’t matter how or why the attackers got that initial foothold on your network.

It might be zero-day vulnerabilities in your network firewall or file-transfer appliance. Your more immediate and primary concern has to be: How quickly can you detect and detach that initial foothold?

The same tourist behavior that Cisco described attackers exhibiting vis-a-vis older routers is also incredibly common early on in ransomware and data ransom attacks — which often unfurl in secret over days or weeks as attackers methodically identify and compromise a victim’s key network assets.

These virtual hostage situations usually begin with the intruders purchasing access to the target’s network from dark web brokers who resell access to stolen credentials and compromised computers. As a result, when those stolen resources first get used by would-be data thieves, almost invariably the attackers will run a series of basic commands asking the local system to confirm exactly who and where they are on the victim’s network.

This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time — forms the business model of an innovative security company called Thinkst, which gives away easy-to-use tripwires or “canaries” that can fire off an alert whenever all sorts of suspicious activity is witnessed.

“Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage),” the Thinkst website explains. “Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.”

These canaries — or “canary tokens” — are meant to be embedded inside regular files, acting much like a web beacon or web bug that tracks when someone opens an email.

The Canary Tokens website from Thinkst Canary lists nearly two-dozen free customizable canaries.

“Imagine doing that, but for file reads, database queries, process executions or patterns in log files,” the Canary Tokens documentation explains. “Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.”

Thinkst operates alongside a burgeoning industry offering so-called “deception” or “honeypot” services — those designed to confuse, disrupt and entangle network intruders. But in an interview with KrebsOnSecurity, Thinkst founder and CEO Haroon Meer said most deception techniques involve some degree of hubris.

“Meaning, you’ll have deception teams in your network playing spy versus spy with people trying to break in, and it becomes this whole counterintelligence thing,” Meer said. “Nobody really has time for that. Instead, we are saying literally the opposite: That you’ve probably got all these [security improvement] projects that are going to take forever. But while you’re doing all that, just drop these 10 canaries, because everything else is going to take a long time to do.”

The idea here is to lay traps in sensitive areas of your network or web applications where few authorized users should ever trod. Importantly, the canary tokens themselves are useless to an attacker. For example, that AWS canary token sure looks like the digital keys to your cloud, but the token itself offers no access. It’s just a lure for the bad guys, and you get an alert when and if it is ever touched.

One nice thing about canary tokens is that Thinkst gives them away for free. Head over to canarytokens.org, and choose from a drop-down menu of available tokens, including:

-a web bug / URL token, designed to alert when a particular URL is visited;
-a DNS token, which alerts when a hostname is requested;
-an AWS token, which alerts when a specific Amazon Web Services key is used;
-a “custom exe” token, to alert when a specific Windows executable file or DLL is run;
-a “sensitive command” token, to alert when a suspicious Windows command is run.
-a Microsoft Excel/Word token, which alerts when a specific Excel or Word file is accessed.

Much like a “wet paint” sign often encourages people to touch a freshly painted surface anyway, attackers often can’t help themselves when they enter a foreign network and stumble upon what appear to be key digital assets, Meer says.

“If an attacker lands on your server and finds a key to your cloud environment, it’s really hard for them not to try it once,” Meer said. “Also, when these sorts of actors do land in a network, they have to orient themselves, and while doing that they are going to trip canaries.”

Meer says canary tokens are as likely to trip up attackers as they are “red teams,” security experts hired or employed by companies seeking to continuously probe their own computer systems and networks for security weaknesses.

“The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal,” wrote Shubham Shah, a penetration tester and co-founder of the security firm Assetnote. “If the aim is to increase the time taken for attackers, canary tokens work well.”

Thinkst makes money by selling Canary Tools, which are honeypots that emulate full blown systems like Windows servers or IBM mainframes. They deploy in minutes and include a personalized, private Canarytoken server.

“If you’ve got a sophisticated defense team, you can start putting these things in really interesting places,” Meer said. “Everyone says their stuff is simple, but we obsess over it. It’s really got to be so simple that people can’t mess it up. And if it works, it’s the best bang for your security buck you’re going to get.”

Further reading:

Dark Reading: Credential Canaries Create Minefield for Attackers
NCC Group: Extending a Thinkst Canary to Become an Interactive Honeypot
Cruise Automation’s experience deploying canary tokens


36 thoughts on “Tourists Give Themselves Away by Looking Up. So Do Most Network Intruders.

  1. David Aubke

    These Canarytokens send their alerts through canarytokens.org’s (or some other third party) servers, right? I’m sure they’re OK but it I’ll want to understand more about what they’re sending out into the world before putting them to use.

    1. Jokerstein

      Also, when Thinkst goes bust, you have a useless service/server.

      This is nothing new, btw. I and several of m colleagues published a few patents on using canary data/hardware/etc. to detect intruders a few years back. Assignee was Amazon, and one of the inventors was Jesper Johansen (sp? not me!)

      1. mealy

        Of course tripwires are nothing “new” – the novelty is the simplicity of the package.
        “It’s really got to be so simple that people can’t mess it up.” Can’t be overstated.
        I’m sure you can configure where the alerts get sent.

        1. mealy

          Thansk fo eating so many subrate sundwiches as to make a bank account for it relevant?

          1. Fr00tL00ps

            I think you meant spam sandwiches … Or scam sandwiches, even. 😉

  2. Billy Jack

    There are some really good ideas there.

    I have considered creating a hundred or more accounts on the server with no login access and restricting all home directories to access by that username only.

    Then, if an attacker should get into the server, I assume that one thing they would do is to see what other accounts are there by looking at /home. And then possibly try to log in to those accounts, thus leaving records in /var/log/authlog.

    And, of course, there would be no reason to have the same blocked accounts on other servers. Use a different set of accounts on each server, keep track of which accounts are on which server. Then, if login attempts are detected to those accounts on one server, one would know which server the attacker got the accounts from.

    1. Enrique

      How does one scale such in a datacenter of 1,000s of servers?

      1. Billy Jack

        It should be not too difficult to automate the creating and adding of bogus accounts.

        You can download lists of men’s first names, women’s first names, and last names from the US Census. These lists include every name that appears at least 100 times in the census. They also give the percentage of time (to three decimal places) in which they occur. From those lists, you could randomly select a first name and a last name weighted by the frequency in which they occur.

        You might also want to make the accounts look active. So instead of making them nologin, you might create a random password with something like “openssl rand -base64 40” for each account. Add a key to ~/.ssh/authorized_keys to allow you to log in from some computer at your location and log in occasionally so that there would be last login data if the attacker should do a finger or check the /var/log/lastlogin file.

        But, yeah, 1000’s of servers would present some interesting issues. I only have a handful of servers to worry about.

  3. Howard

    I’ve always loved the idea of having traps in an environment. An interesting one that I don’t hear talked about often is file traps. You just monitor a file for read and write access. I’m not an expert but I believe kernel code can bypass a lot of these mechanisms because they rely on windows function hooking in order to be detected.

  4. Highly Regarded

    “Nobody really has time for that” is exactly why it is such a big problem.

  5. Enrique

    Opening a corporate network to and relying upon a third-party’s notices that your network is compromised sounds like an inversion of network security.
    Then again, these days much of the world seems to be operating on a clown world-like inversion of reality.

  6. Jim Faley

    I try to keep up your articles but this one has me baffled. I get the gist of the article, went to the canarytokens site, did not understand a word of it. As much as I want to stay ahead of the thieves out there, the average person would have no idea how to facilitate any of this. If this type of security needs to be implemented at the individual level, there isn’t much hope that it’s going to happen.

    1. BrianKrebs Post author

      Jim, this advice is for enterprises, businesses, etc., not necessarily for end users. However, if you run your own website or network, you could take advantage of these tools by reading their documentation.

    2. mealy

      It’s a package of little checks to see if anyone is doing “X”-activity on the LAN and sends alerts.
      Have a look at the dashboard for the tripwire platform. It’s actually quite UX-intuitive in function.
      It’s not for “average” users of course – but that’s such a low bar it’s almost not worth evaluation.

      The “average” user is beyond the realm or hope of being secured on pretty much any level,
      and they’re ok with that beyond the vague fear of technology in the back of their throats.

      This is for IT who wants to know what visitors are doing and catch them doing it in realtime
      when they fit a profile of activity associated with network mapping / vulnerability scouting.
      It’s not being implemented at an “individual” level, it’s implemented as a configurable package
      of LAN monitoring that would otherwise need custom tripwires written to achieve them.
      You can imagine how much more expertise and time would be needed to do it “individually”…

  7. Andy

    The fixed use of the canarytokens.com domain seems a bit of a weakness on the web tokens. If I was an attacker, wouldn’t I just block all traffic to that domain?

  8. Andrew

    I’m concerned that Brian is promoting an individual vendor in a crowded commercial software space. Was he compensated for this article? This seems unbecoming for Brian.

    1. BrianKrebs Post author

      I was not compensated. I interviewed Mr. Meer last year because I kept hearing good things about it and I wanted to understand it more. After our interview, I thought it would make a decent blog post, but set it aside until recently.

      1. ASF

        I have used Canary Tokens in the wild for many years for many of my clients. They are great. Thinkst keeps on adding new interesting ideas on where to implement them. You are limited only by your imagination at this point.

  9. Jeff

    This insightful statement draws an interesting parallel between the behavior of tourists and that of network intruders. Just as tourists often reveal themselves by looking up and admiring the unfamiliar surroundings, network intruders can inadvertently expose their presence by engaging in behaviors that stand out within a digital environment.

  10. Gabriel Baleanu

    it just seem like to me that at some point with all these canaries and trip wires it just complicates and crouds the whole system it should not be that complicated.

  11. Charlotte Frye

    I am new to learning about security. I’m in classes now. I found this article to be quite interesting…luring the thief to a trap but my thoughts are wouldn’t these canaries be identifiable in some way and secondly, if there is a third party involved, wouldn’t it be possible to access the information before the hack? Apologies if I am not being clear. I am working hard to get my head around so much of this.

    1. Fr00tL00ps

      It’s great that you wish to broaden you’re knowledge on this topic but this thread is possibly not the best forum to get the answers you are looking for. No disrespect to Brian but there are better locations to immerse yourself as a newcomer into the world of IT security.

      If you have a Discord account, might I suggest going to johnhammond[dot]org[slash]discord for an invite to a large community that is both well resourced, well moderated and respectful to members of all skill levels.

      Happy Hunting.

  12. Direct

    I have recently took the classes for Security, Thanks for the Info, it’s very useful to me.

  13. Telkom Jakarta

    Why is an organization so susceptible to data theft? What security needs to be improved?

  14. Paul D. Bain

    I searched the entire article and all of the comments for this term: “intrusion detect,” as in, “Intrusion detection system” (IDS). I found nothing. IOW, no one in this discussion mentioned the term, “Intrusion detection system,” e.g., Tripwire or LIDS (Linux intrusion detection system). Hence, I suspect that essentially nobody who has commented on this article has ever heard of IDSs. Thus, I was able to save myself considerable time. I did not have to read the article in order to know that doing so would likely be a waste of my time.

    1. BrianKrebs Post author

      Always love readers who state up front that they’re commenting without having read the article, just to say that they’re saving time by not reading the article.

  15. Fr00tL00ps

    “I did not have to read the article in order to know that doing so would likely be a waste of my time.”

    Interpreted as; “I know everything and you can’t teach me anything and I’m going to tell the world.” I mean, why else would anyone visit the public forum of a website that is so obviously below them and make such a statement, rather than add constructively to the conversation. I hope that anybody who has the misfortune of being an analyst/researcher employed on a security team lead by you would soon see the error in their decision. Seriously.

    The majority of security team leaders today would already be aware of canaries and similar post-detection techniques, they are not new. However, IDS solutions aren’t perfect. Any well experienced security team would know and this implement a layered approach, using any and all resources in their toolkit, of which canary tokens are just one of many. The question and awareness Brian’s article brings to bare, is what to do next, if malicious actors do breach your system. Defined as “active defence”, these techniques are designed to tie up time and resources of those that which would do you harm and by automating them they free up your time and resources to batten down the hatches, gather intelligence and counter attack … But then you already knew this /s.

    Are you really this ignorant or just a narcissistic dick? … I’ll let future readers answer that question.

  16. Ian

    Great article Brian. Thinkst makes some incredibly useful products between the Canary and Canary Tokens. They are one of the best controls a business can implement to get qualify detection in an environment. They are easy to deploy and provide a very high signal to noise ratio. Many security tools overload security teams with alerts but Thinkst has done a lot of work to make sure this is not the case with their technology. Their sensitive commands tokens are especially effective and I highly recommend all security teams check them out. I do not work for Thinkst but I use their technology.

Comments are closed.