Canary Cyber Security Definition
What is a Canary in Cybersecurity?
The term “canary” in cybersecurity is derived from the phrase “canary in a coal mine”. In the past, coal miners would bring a canary down into a mine with them. If the canary started having trouble breathing, then the miners knew that there was bad air in the mine, and they should evacuate.
In the cybersecurity world, a canary is something used to help detect tampering or the presence of an attacker in the system. Often, canaries are designed to be enticing to an attacker, making it likely that they will be a preferred target and providing early warning of the attack.
How Canaries are Used in Cybersecurity
Canary is a general term in cybersecurity used to describe something that is monitored to grant early warning of an attack. Some examples of canaries in cybersecurity include:
- Stack Canaries: The stack is one of the places where an application can store data, and buffer overflows designed to achieve code execution will often try to rewrite a function’s return address on the stack. This would cause the program to jump to an attacker-selected location where they have placed malicious code. A stack canary is a random value placed in front of the return address that a program checks to see if it has been changed before trusting and using that return address.
- Canary Files: A canary can also be a file saved on a computer and intended to be bait for hackers or malware. If an attacker modifies the file or it is encrypted by ransomware, the security team is notified that a threat is present within its systems.
- Canary URLs: An organization may have specific URLs within its website that are designed to send an alert if someone attempts to visit them. This can help an organization to identify web scraping or other automated exploration of its website.
- Honeypots: A honeypot is a computer system designed to look enticing but is fake. These canaries are designed to trick the attacker into wasting time and revealing their tools and techniques so that the organization can detect or block them in real-world systems.
- Canary Accounts: Canary accounts are user accounts designed to have an enticingly high level of access and permissions. If these accounts are accessed, the organization knows that an attacker has gained access to its environment.
- Canary Services: An organization may set up fake services such as databases or SSH servers. Attempts to access these services indicate a network scan or other attack against the organization.
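The canary file and canary URL checks described above, as an added illustration (not code from the original article): a small monitor that flags any request to a canary path in constructed web-server log lines and reports whether a bait file's contents still match their recorded hash. The log lines, the canary paths and the bait file content are all made up for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample in combined-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:02:10 +0000] "GET /.hidden/admin-backup.zip HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:02:11 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "python-requests/2.31"
203.0.113.9 - - [12/Mar/2024:10:05:00 +0000] "GET /.hidden/admin-backup.zip?x=1 HTTP/1.1" 404 0 "-" "curl/8.0"
"""

# Hypothetical canary paths: never linked for human visitors, so any hit is suspicious.
CANARY_PATHS = {"/.hidden/admin-backup.zip", "/internal/db-export.csv"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def canary_url_hits(log_text):
    """Return {source_ip: [(timestamp, path, user_agent), ...]} for requests to canary paths.
    Query strings are stripped so '/x?y=1' still matches the canary '/x'."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the monitor
        path = m.group("path").split("?", 1)[0]
        if path in CANARY_PATHS:
            hits[m.group("ip")].append((m.group("ts"), path, m.group("ua")))
    return dict(hits)

def sha256_hex(data):
    """Baseline hash recorded when the canary file is planted."""
    return hashlib.sha256(data).hexdigest()

def canary_file_changed(baseline_sha256, current_bytes):
    """True if the bait file's content no longer matches the baseline (modified or encrypted)."""
    return sha256_hex(current_bytes) != baseline_sha256

if __name__ == "__main__":
    for ip, events in canary_url_hits(SAMPLE_LOG).items():
        for ts, path, ua in events:
            print(f"ALERT canary URL hit: src={ip} path={path} ua={ua!r} at {ts}")
    baseline = sha256_hex(b"Q1 payroll (bait)")  # constructed bait content
    print("canary file tampered:", canary_file_changed(baseline, b"ENCRYPTED..."))
```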
Canaries can also be used in other areas of software development beyond security. For example, developers may send a subset of users to a system testing a new version of a piece of software (also called a canary), enabling them to find and fix potential problems before rolling it out to all users.
Benefits of Canaries
Companies implement canaries for a few different reasons, including:
- Early Warning: Canaries can provide early warning of threats because they are designed to be enticing, making them likely to be an attacker’s first target.
- Distraction: Canaries are deliberately designed to be enticing to an attacker. This can help to lure them away from real systems or data in the organization’s environment.
- Threat Intelligence: Canaries can help security analysts to observe an attacker’s tools and tactics since any interaction with them is malicious by default. For example, an application that modifies a canary is likely malware and can be added to blocklists.
Conclusion
Canaries are designed to act as an early warning signal of a cyberattack. They can be used in various contexts and can range from values stored in an application’s memory to files to entire fake systems.