The use of deception in network and system compromise is a way to get an early alert for when your defenses fail.

• Go to canarytokens.org

• Select your token – in this example, we’re going to create a Word document called Passwords.doc that will have a list of fake usernames and passwords… something that would be enticing for either an intruder or an insider who’s poking around a little more than they should.

• Enter the email address where you want to be notified and a reminder for which token has been triggered. If you’re doing a single token this isn’t such a big deal, but these are so easy you’ll probably end up deploying several different types of tokens in nooks and crannies across your network.

• Click “Create my Canarytoken”

  

• Next, download your HoneyDoc and place it somewhere – a network share, on your harddrive, in an email with a tempting subject line, etc.

Boom. That’s it. Once the file is opened, it will send an automated email to the account you entered in step 3. If you want to tweak the document and add fake usernames and pass, have at it.

Additional types of Canarytokens include tokens for alerts…

• when a specific URL is visited
• when a DNS hostname is requested
• when an email is sent to a specific address
• when an uploaded image is viewed
• when a PDF is opened
• when a Windows Folder is browsed in Windows Explorer