![]() ![]() We need more open source solutions like that one. In all seriousness, thanks to neo and everyone else who contributes their time to ClamAV. Not a big surprise, it didn’t detect anything:Īs an aside, while I was getting updated signatures for ClamAV, I noticed this: Today I generated tokens for a couple different purposes, and decided to do some analysis on the MS Word Document form of the token.įirst I downloaded the generated payload file, and ran it through ClamAV to see what it would pick up. I have been meaning to set up and test Canary Tokens for literally years without getting around to it. For more sensitive implementations, they offer a commercial version of the service, and there are self-hosted DIY solutions out there, too. Of course, since it’s free, Thinkst gets analytics data from the platform they can analyze and likely share. Simply choose the type of token you want, enter the notification email, and a note to remind you what the token was used for, click a button, and you are good to go. This makes getting started with such tokens a breeze. They also handle the signal receiving (via HTTP request to their Canary Token server infrastructure), and alerting (bundled with the same). Thinkst handles all of the infrastructure around token creation (of various types). Ideally, you also keep track of some meta data around each unique token, to make sure you can recall where it was implemented. ![]() A notification mechanism to alert the appropriate individual(s) that the token has been activated (e.g., sending an email, or generating an event in a security event manager).A receiving mechanism of some kind that will receive a signal if the token is activated (e.g., Active Directory, or a file access monitoring system, or a web server).The token itself (e.g., a username, or document, or URL).In short, there are three components needed: This requires a little bit of infrastructure, of course, but it isn’t that complicated. This will indicate that somebody is doing things they shouldn’t, since you (the data owner/steward) would have no reason to ever touch the token after you originally create it. Set it up in such a way that if the bogus data is ever accessed, you receive an alert (the “canary”). In short, canary tokens are a really simple concept: seed some bogus data (a “token”) somewhere within your real data. Others have written about these and their merits, but today I had some fun going down a bit of a coal mine, so to speak, all thanks to these tricky little tokens. Thinkst offers Canary tokens for free, and their offering really has grown a lot, in the last couple years, both in terms of features and ease of use. There are a few free services online for generating and alerting based on their use, and there are also free DIY packages for setting them up without relying on a third party. The more generic name for them was Honeytokens. Canary tokens are a concept that has been around for a while. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |