Canary Token is a great idea for early detection of possible intrusion in your system.
But be careful when you are using the free service from Thinkst Canary (https://canarytokens.org/generate) to generate Canary AWS tokens. You shouldn’t use it for real life production.
A threat actor may notice a common pattern in the AWS access key id (generated from Thinkst Canary) and avoid triggering your honeypot detection.
AWS Access Key ID Format
Aidan Steele wrote an in-depth article on AWS Access Key ID format. Highly recommend to read it.
Things to note from Aidan’s article:
- The first 4 chars of the AWS Access Key will be indicate the resource types (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
- The next 8 chars of the access key will be mapped to a specific AWS account.
We can get the AWS account id from the access key by using the
$ aws sts get-access-key-info --access-key-id <<ACCESS_KEY_ID>> --query Account --no-cli-pager xxxxxxxxxxxxxxxxxxxxxxxxxxx
Flaws from the free service
Let’s generate a few Canary tokens from https://canarytokens.org/generate
[default] aws_access_key_id = AKIAYVP4CIPPxxxxxxxU aws_secret_access_key = xxxxxxxx output = json region = us-east-2
[default] aws_access_key_id = AKIAYVP4CIPPxxxxxxxW aws_secret_access_key = xxxxxxxxx output = json region = us-east-2
As you can see from the two generated Canary token, the four chars of the access key id show that this is an access key. Then the next crucial pattern (next 8 chars) will expose the information that this access key belongs to the AWS account from the free Canary token service.
A smart threat actor will detect this pattern and avoid using it. As a result, your Canary Token honeypot will likely to fail.
- Avoid using Canary Token services which provide predictable access key pattern. A threat actor can identify the pattern and avoid triggering the canary token.
- Canary Token is one of the detectors that we should use, but beware of confirmation biases (Canary token not triggered does not mean there is no intrusion).