I read about canarytokens recently and I have to say I'm really impressed with how well this concept was explained and executed. The blog post gives several real-world examples of how these can be used for agent-less monitoring and how file honeypots can/should be used as an intrusion detection technique.
I wanted to see if I could think of some new ways to use these capabilities. I only came up with 2 so far and they are:
Idea 1: submit rigged documents to online submission systems and map internal systems (or partners and researchers)
Idea 2: hide a canary in your online resume so you know when someone reads it.
Running with my first idea I decided to submit a canarytoken URL to VirusTotal to see what systems "call out" to my canary. I submitted the URL 4 days ago and so far I've gotten 6 hits.
Channel: HTTP
Time : 2015-09-18 15:37:58.487687
Memo : VirusTotal?
Source IP : 107.178.195.202
User-agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)

Channel: HTTP
Time : 2015-09-18 15:48:10.843181
Memo : VirusTotal?
Source IP : 5.39.93.201
User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2)

Channel: HTTP
Time : 2015-09-18 15:52:39.060050
Memo : VirusTotal?
Source IP : 46.166.190.155
User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)

Channel: HTTP
Time : 2015-09-18 16:23:16.014606
Memo : VirusTotal?
Source IP : 178.43.119.74
User-agent: Mozilla/4.2 (compatible; MSIE 7.0; Windows NT 5.2; en-US)

Channel: HTTP
Time : 2015-09-18 19:56:00.069800
Memo : VirusTotal?
Source IP : 64.69.91.210
User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)

Channel: HTTP
Time : 2015-09-19 01:48:47.152568
Memo : VirusTotal?
Source IP : 91.121.83.118
User-agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
At this point I don't know if these are internal systems that VirusTotal passes off to, partners, or people who scan VirusTotal for new samples (I guess we'll call these people researchers?) but either way it's an interesting idea to play with.
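Six alerts are easy to eyeball, but once a token is hit dozens of times the useful questions are "how many distinct sources, over what window, and which hits look like scripted fetches versus a person in a browser?" The following is an added example (not code from the canarytokens project or from this post) that parses the alert text in the format shown above and produces that triage summary. The six records are the ones listed above; the field names, the `classify` labels and the user-agent heuristics (an `AppEngine-Google` string marks a hosted fetcher, an old `MSIE 5-8` string is treated as a likely scripted client) are assumptions made for this example.

```python
"""Parse canarytoken HTTP alert text and summarise it for triage.

Added example, not canarytokens project code. The alert layout
(Channel / Time / Memo / Source IP / User-agent) follows the records
quoted in the post; labels and heuristics below are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# The six alerts quoted in the post, in the same text layout.
ALERTS = """\
Channel: HTTP
Time : 2015-09-18 15:37:58.487687
Memo : VirusTotal?
Source IP : 107.178.195.202
User-agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)
Channel: HTTP
Time : 2015-09-18 15:48:10.843181
Memo : VirusTotal?
Source IP : 5.39.93.201
User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2)
Channel: HTTP
Time : 2015-09-18 15:52:39.060050
Memo : VirusTotal?
Source IP : 46.166.190.155
User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Channel: HTTP
Time : 2015-09-18 16:23:16.014606
Memo : VirusTotal?
Source IP : 178.43.119.74
User-agent: Mozilla/4.2 (compatible; MSIE 7.0; Windows NT 5.2; en-US)
Channel: HTTP
Time : 2015-09-18 19:56:00.069800
Memo : VirusTotal?
Source IP : 64.69.91.210
User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Channel: HTTP
Time : 2015-09-19 01:48:47.152568
Memo : VirusTotal?
Source IP : 91.121.83.118
User-agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
"""

# One alert line: a known field name, optional space, colon, value (value may itself contain colons).
FIELD_RE = re.compile(r"^(Channel|Time|Memo|Source IP|User-agent)\s*:\s*(.*)$")
KEYS = {"Channel": "channel", "Memo": "memo", "Source IP": "source_ip", "User-agent": "user_agent"}


def parse_alerts(text):
    """Split alert text into dicts; a 'Channel:' line starts a new record."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not an alert field
        key, value = m.group(1), m.group(2).strip()
        if key == "Channel":
            current = {"channel": value}
            records.append(current)
        elif current is None:
            continue  # field before any Channel line: malformed, ignore
        elif key == "Time":
            current["time"] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")
        else:
            current[KEYS[key]] = value
    return records


def classify(record):
    """Coarse label for triage (assumed heuristics, not a canarytokens feature)."""
    ua = record.get("user_agent", "")
    if "AppEngine-Google" in ua:
        return "hosted-fetcher"   # fetched from a cloud-hosted app, e.g. the submission platform itself
    if re.search(r"MSIE [5-8]\.", ua):
        return "legacy-ua"        # very old IE strings usually mean a scripted client, not a person
    return "browser-like"


def summarize(records):
    """Distinct sources, time window and label counts: the numbers a responder wants first."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["source_ip"]].append(r)
    times = [r["time"] for r in records]
    window = (max(times) - min(times)).total_seconds() / 3600 if times else 0.0
    return {
        "total": len(records),
        "unique_ips": len(by_ip),
        "window_hours": round(window, 2),
        "labels": Counter(classify(r) for r in records),
        "per_ip": {ip: [classify(r) for r in rs] for ip, rs in by_ip.items()},
    }


if __name__ == "__main__":
    summary = summarize(parse_alerts(ALERTS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary; for the six records above it reports six distinct IPs in a window of just over ten hours, one hosted fetcher, four legacy-UA hits and one browser-like hit. Whatever the labels are called, the point for detection is that a token hit is only the trigger; grouping by source and looking at spread over time is what tells you whether a document was scanned once, fanned out to several backends, or picked up by people downstream.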
Who or Where are these people located?
[ 107.178.195.202 ]
Mountain View, United States
202.195.178.107.gae.googleusercontent.com
Google Inc. / GOOGLE-CLOUD
[ 178.43.119.74 ]
Kraków, Poland
agep74.neoplus.adsl.tpnet.pl
neostrada / TPNET / NEOSTRADA-ADSL
[ 46.166.190.155 ]
Netherlands
VPN services from Private Internet Access / MNT-NFORCE / LONDON_TRUST_MEDIA
[ 5.39.93.201 ]
France
ns3280114.ovh.net
OVH SAS / OVH-MNT / OVH
[ 64.69.91.210 ]
New York, United States
Peer 1 Network (USA) Inc. / PEER1-GVLAN-01
[ 91.121.83.118 ]
France
ns352473.ovh.net
OVH SAS / OVH-MNT / OVH
Not an idea I came up with, but I came across a blog post on the AWS Gun for Hire blog that details how to set up a custom CNAME record using Route 53. This technique can be used to create more realistic-looking links, increasing the likelihood of one being clicked. You can read the blog post here --> http://awsgunforhire.com/all-articles/2015/9/16/using-route53-with-canarytokensorg-to-better-disguise-your-honeypot
In the same vein, you can always use a link shortener to help conceal the canarytokens URL.
Let me know if you think of any other interesting uses for Canary Tokens in the comments section or on Twitter!