In large cities, tourists are often seen gazing upward at the towering skyscrapers, a behavior that distinguishes them from the locals. Interestingly, this same behavior can be observed in cybercriminals who carry out devastating attacks such as data theft and ransomware. Security experts are calling for more organizations to set up virtual tripwires that can detect when authorized users and devices exhibit this tourist-like behavior.
Cisco Talos, Cisco's threat-intelligence group, recently published a blog post warning about an increasing rate of highly sophisticated attacks on network infrastructure. Talos has observed a concerning trend of cybercriminals taking the initial steps to understand and control a network environment. These steps include running basic commands to gather information about the network, such as its configuration, interfaces, routes, and neighbors. By doing so, attackers gain a foothold and a better understanding of the network.
Cisco's alert focused on state-sponsored cyber espionage attacks from China and Russia that exploit vulnerabilities in aging network routers. However, the method of initial intrusion is not the primary concern for organizations. Rather, the main issue is how quickly they can detect these attackers and evict them from their network. Whether the intrusion comes through zero-day vulnerabilities or compromised credentials, organizations need to be vigilant in identifying and responding to cybercriminals' first steps.
This tourist-like behavior is also commonly observed in ransomware and data ransom attacks. Attackers often purchase access to a target’s network from dark web brokers, who sell stolen credentials and compromised computers. When these resources are first used by the attackers, they typically run basic commands to determine their location and identity within the victim’s network. Recognizing this pattern can help organizations nip these attacks in the bud.
Thinkst, a security company, has developed a unique approach to address this issue. It offers tripwires called "canary tokens" that can be embedded in ordinary files and trigger an alert when the file or value is touched. These tokens can be customized and planted in various parts of a network or web application to lure attackers. When a token is accessed or triggered, an alert is sent to the organization, notifying it of the potential breach.
Canary tokens are designed to be useless to attackers, serving only as decoys. For example, an AWS canary token may resemble the digital keys to a cloud environment, but it grants no actual access. Instead, it acts as bait to attract attackers, and the organization receives an alert when the token is touched. Thinkst provides these canary tokens for free, offering organizations a simple and effective method to detect and deter cybercriminals.
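The decoy-and-alert mechanism described above, as an added example that is not Thinkst's code: a small registry mints decoy values (an AWS access-key-ID lookalike and an opaque document token), and a scan over constructed log lines raises an alert whenever a planted value is touched, even when the attempt failed. The decoy key shape, the planting locations and the log formats are assumptions made for illustration.

```python
"""Canary-token registry and log detector (added example, not Thinkst's code)."""
import re
import secrets
from dataclasses import dataclass

# Decoy shapes: each looks worth stealing but grants nothing. "aws_key" mimics
# the 20-character AKIA... access-key-ID shape; "doc_token" is an opaque string
# to hide in a document, URL or config file. Any use of either is an alert.
_ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
_SHAPES = {
    "aws_key": lambda: "AKIA" + "".join(secrets.choice(_ALNUM) for _ in range(16)),
    "doc_token": lambda: secrets.token_hex(12),
}

@dataclass(frozen=True)
class Alert:
    token: str
    planted_at: str  # where the decoy was left, telling responders what was read
    evidence: str    # the log line that tripped it

class CanaryRegistry:
    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}  # decoy value -> where it was planted

    def mint(self, kind: str, planted_at: str) -> str:
        """Create a fresh decoy of the given shape and remember where it went."""
        token = _SHAPES[kind]()
        self._tokens[token] = planted_at
        return token

    def scan(self, log_lines: list[str]) -> list[Alert]:
        """One Alert per line mentioning a registered token. Matching is literal, so
        CloudTrail JSON, web access logs and shell history all work, and a failed
        attempt fires too: the decoy being tried is the signal, not its success."""
        if not self._tokens:
            return []
        pattern = re.compile("|".join(map(re.escape, self._tokens)))
        return [Alert(m.group(0), self._tokens[m.group(0)], line)
                for line in log_lines if (m := pattern.search(line))]

def demo() -> list[Alert]:
    """Plant two decoys and replay constructed (not real) log lines against them."""
    reg = CanaryRegistry()
    key = reg.mint("aws_key", "fileserver:/finance/backup-creds.txt")
    doc = reg.mint("doc_token", "hidden link on the 'VPN setup' wiki page")
    return reg.scan([  # constructed lines; the legitimate-looking key is made up too
        f'{{"eventName":"GetCallerIdentity","accessKeyId":"{key}","errorCode":"InvalidClientTokenId"}}',
        '{"eventName":"DescribeInstances","accessKeyId":"AKIAEXAMPLEREALKEY00"}',
        f'198.51.100.23 - - "GET /{doc} HTTP/1.1" 404 -',
    ])
```

Because the tokens are random and unguessable, a match in any log source is unambiguous, which is what makes this cheap to operate compared with a full honeypot.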
Deception and honeypot services have long been used in the cybersecurity industry to confuse and disrupt attackers. However, Thinkst believes that many organizations do not have the time or resources to engage in counterintelligence activities. Instead, they advocate for the use of canary tokens, which can be quickly deployed to lay traps in sensitive areas of a network or application.
Canary tokens can not only trip up cybercriminals but also “red teams,” security experts hired to identify vulnerabilities in a company’s systems. These tokens have made even experienced penetration testers hesitant to use credentials gained during engagements. By increasing the time it takes for attackers to navigate a network, canary tokens are proving to be an effective tool in the fight against cybercrime.
Thinkst makes money by selling Canary Tools, a paid version of its product that includes a small hardware device. This device serves as a canary token server and can be installed on the local network. Organizations with a mature defense team can place these devices strategically in key locations to ensure optimal coverage.
Ultimately, the idea behind canary tokens is simplicity and cost-effectiveness. They provide a significant return on investment and can be easily deployed while larger security improvement projects are underway. By employing these virtual tripwires, organizations can detect and respond to cyber intrusions more rapidly, preventing potential data theft and ransomware attacks.