Should be mentioned that this is not a bullet-proof solution (obviously), for some services the canary tokens can be bypassed, see e.g. https://trufflesecurity.com/blog/canaries ("TruffleHog Now Detects AWS Canaries without setting them off")
a lot of security tools and "platforms" (don't get me started) have deception features now which includes stuff like this.
https://learn.microsoft.com/en-us/defender-xdr/deception-ove...
But in my opinion, deception tech is best implemented in-house. Nothing wrong with using externally developed tools, especially for high signal-to-noise things like honeypots, but the actual monitoring and alerting data flow should ideally be environment-specific.
By the way, simple honeypot on Linux using auditd: just set a rule like `-w /etc/secret-file -p rxwa -k some.tag` and use your mechanism of choice to watch logs/journal for the occurrence of `some.tag` string.
`-p rxwa` causes logging of any read, exec, write or attributes change on that file. More in `man auditctl`.
Among other things, this has the benefit that, in principle, such a honeypot triggers immediately and not only after someone decides to try using some actual credentials/data.
Obviously needs some work to make this robust (logs monitoring plus alerting), but it's a nice building block worth knowing and, if you care, then you probably already have those additional pieces in place anyway.
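One way to build the "watch the logs for `some.tag`" piece, as an added example that is not from the comment above: it reassembles the multi-record audit events by serial number, keeps only those whose SYSCALL record carries the `-k` key, and reports the login uid (auid) next to the effective uid, so a read done through sudo is still attributed to the session that did it. The audit.log lines are constructed (x86_64 syscall numbers, made-up pids and inodes), and `honeypot_hits` is a name chosen here.

```python
import re
from collections import defaultdict
# Constructed sample of /var/log/audit/audit.log after the rule
# `-w /etc/secret-file -p rxwa -k some.tag` is loaded (all values are made up).
# Event 4567: login uid 1000 reads the honeypot via sudo (uid=0); 4568 is untagged noise.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4321 pid=5678 auid=1000 uid=0 gid=0 euid=0 egid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="some.tag"
type=CWD msg=audit(1700000000.123:4567): cwd="/root"
type=PATH msg=audit(1700000000.123:4567): item=0 name="/etc/secret-file" inode=1234 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.900:4568): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 euid=0 egid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key=(null)
type=PATH msg=audit(1700000000.900:4568): item=0 name="/var/log/syslog" inode=99 dev=fd:01 mode=0100640 ouid=0 ogid=4 rdev=00:00 nametype=NORMAL
"""
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted"
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")          # msg=audit(<epoch>:<serial>)
AUID_UNSET = 4294967295  # auditd prints an unset login uid (-1) as an unsigned int

def parse_record(line):
    """Split one audit record into a dict; all records of one event share a serial."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(fields.get("msg", ""))
    if not m:
        return None
    fields["_time"], fields["_serial"] = float(m.group(1)), int(m.group(2))
    return fields

def honeypot_hits(log_text, tag="some.tag"):
    """Reassemble multi-record events and return those carrying the honeypot key."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["_serial"]]
        if rec["type"] == "SYSCALL":   # the -k tag lives on the SYSCALL record
            ev.update(rec)
        elif rec["type"] == "CWD":
            ev["cwd"] = rec.get("cwd")
        elif rec["type"] == "PATH":
            ev["paths"].append(rec.get("name"))
    hits = []
    for serial in sorted(events):
        ev = events[serial]
        if ev.get("key") != tag:
            continue
        auid = int(ev.get("auid", AUID_UNSET))
        hits.append({"serial": serial, "time": ev["_time"], "uid": int(ev["uid"]),
                     "login_uid": None if auid == AUID_UNSET else auid,  # survives su/sudo
                     "comm": ev.get("comm"), "exe": ev.get("exe"), "cwd": ev.get("cwd"),
                     "syscall": int(ev["syscall"]), "paths": ev["paths"]})
    return hits
```

In practice you would feed it `ausearch -k some.tag --raw` output or tail the log, and push each hit to whatever alerting you already have.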
The project documentation is ... slightly ... more useful to generate discussion, though it's pretty lacking in details:
I’ve used this to see if my employer was spying on my email. They were.
Been a big fan of CanaryTokens since it was just 3-4 different types.
Super easy to configure via webhooks into a SIEM or any kind of alerting platform.
Previous discussion from 28 Dec 2022 (59 comments): <https://news.ycombinator.com/item?id=34157751>
How do they detect MS Word docs being opened?
I don't understand how they can keep such a feature-rich service free forever?
I wonder whether eBPF allows for increased deception capabilities.
The next step is to actually use underprivileged canary tokens on the client for your day-to-day work, intercept them with a proxy, and replace them with the real deal in a more isolated setting.
For example, an application-specific HTTP proxy for your GITHUB_TOKEN. You can use a canary token for the internal user-facing auth. https://github.com/legobeat/git-auth-proxy [0].
That piece is being used here[1] in order to make it transparent for the user, and I intend to add more features there for credentials and secrets compartmentalization. Been keeping it fairly structured so you could also use it as a reference if you ever do similar stuff and want some inspiration or copypasta for your personal hacking.
[0]: Caveat: The proxy repo is a fork and the documentation is still more reflective of the previous owner's intentions. I ripped out all the Azure/k8s integrations.
[1]: https://github.com/legobeat/l7-devenv/