Honeypots and Canary Tokens for Early Threat Detection
How to deploy honey tokens and canary files that alert you the moment an attacker accesses them — cheap, effective, high-signal detection.
Honeypots and canary tokens are deception-based security controls that alert you when an attacker interacts with them. They have an extremely low false-positive rate (legitimate users should never touch them) and can detect threats that bypass all other security controls. They're cheap, easy to deploy, and remarkably effective.
What Are Canary Tokens?
A canary token is a tripwire — a file, URL, credential, or other artifact that has no legitimate use. When someone accesses it, you know something is wrong. Examples:
Canary files: Place a file named "passwords.xlsx" or "client-list.csv" on a file share where nothing of that name has any business existing. Nobody doing legitimate work on that share has a reason to open it, but an attacker browsing the share for credentials or customer data will. Wire the file to fire when it is opened (an embedded canary URL inside the document, or a file-access audit rule on the share) and you get an alert the moment it is read.
Canary credentials: Create a fake privileged-looking account (such as "svc_backup_admin") in Active Directory that nothing uses and that grants no real access. The only way anyone learns that name is by enumerating the directory or harvesting credentials, so any authentication attempt as that account, successful or failed, is a clear indicator of reconnaissance or lateral movement. The alert is the logon event itself: monitor the account's failed and successful authentication events on the domain controllers and file servers.
Canary URLs: Embed a unique tracking URL (for example as a remote image) in a document stored on the network. If the document is exfiltrated and opened outside your network, the application fetches the URL and you get an alert with the opener's IP address and user agent. It also fires if the document is opened somewhere inside your network, which still tells you that someone read a file they had no reason to touch.
Canary DNS records: Create DNS records, such as a plausible but unused internal hostname, that nothing legitimately queries. If one is resolved, someone is enumerating your zone, a common reconnaissance step that happens before any exploitation.
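The canary-URL flow described above, as an added example that is not code from the original article: a small registry mints one unique URL per planted artifact (canary file or document), remembers where it was planted, and then attributes ordinary web-server access-log lines from the host serving those URLs to the artifact and source address, separating real hits from scanner noise and from internal opens. The hostname canary.example.net, the internal address ranges, the token values and every log line are constructed for this example.

```python
"""Canary URL minting and hit attribution (added example, not the article's code).

Assumptions: canary.example.net is ours, /c/<32 hex>.png is the token URL
shape, and the internal ranges and log lines below are constructed samples.
"""
import ipaddress
import re
import secrets
from dataclasses import dataclass

# Apache/nginx combined log format; referer and user agent are optional so
# plain common-log-format lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# Token URLs end in .png so they pass as an image inside a document.
TOKEN_RE = re.compile(r'^/c/(?P<token>[0-9a-f]{32})\.png$')


@dataclass(frozen=True)
class Hit:
    token: str
    artifact: str      # what was planted and where
    source_ip: str
    internal: bool     # fetched from inside the corporate ranges?
    user_agent: str
    timestamp: str


class CanaryRegistry:
    def __init__(self, base_url, internal_nets):
        self.base_url = base_url.rstrip("/")
        self.internal_nets = [ipaddress.ip_network(n) for n in internal_nets]
        self._artifacts = {}   # token -> artifact description

    def mint(self, artifact, token=None):
        """Return a unique URL to embed in `artifact`; `token` is only for reproducible examples."""
        token = token or secrets.token_hex(16)
        if token in self._artifacts:
            raise ValueError("token already issued")
        self._artifacts[token] = artifact
        return f"{self.base_url}/c/{token}.png"

    def is_internal(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in self.internal_nets)

    def hits(self, log_lines):
        """Map access-log lines to minted tokens.

        Returns (alerts, unknown_token_requests). Requests for tokens that were
        never minted are scanner noise, not canary hits, so they are counted
        rather than alerted on.
        """
        alerts, unknown = [], 0
        for line in log_lines:
            m = LOG_RE.match(line)
            if not m:
                continue
            t = TOKEN_RE.match(m.group("path"))
            if not t:
                continue
            artifact = self._artifacts.get(t.group("token"))
            if artifact is None:
                unknown += 1
                continue
            alerts.append(Hit(t.group("token"), artifact, m.group("ip"),
                              self.is_internal(m.group("ip")),
                              m.group("ua") or "", m.group("ts")))
        return alerts, unknown


REGISTRY = CanaryRegistry("https://canary.example.net", ["10.0.0.0/8", "192.168.0.0/16"])
# Fixed tokens so the sample log lines up; real deployments let mint() choose them.
URL_CLIENT_LIST = REGISTRY.mint(r"\\fs01\Finance\client-list.xlsx", token="5d41402abc4b2a76b9719d911017c592")
URL_PASSWORDS = REGISTRY.mint(r"\\fs01\IT\passwords.docx", token="e99a18c428cb38d5f260853678922e03")

# Constructed access-log lines: an exfiltrated spreadsheet opened in Excel
# outside the network, an internal open, and two lines of scanner noise.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2024:13:22:01 +0000] "GET /c/5d41402abc4b2a76b9719d911017c592.png HTTP/1.1" 200 68 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.17231; Pro)"',
    '10.20.4.19 - - [05/Mar/2024:13:25:44 +0000] "GET /c/e99a18c428cb38d5f260853678922e03.png HTTP/1.1" 200 68 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.17231; Pro)"',
    '198.51.100.23 - - [05/Mar/2024:13:30:02 +0000] "GET /c/ffffffffffffffffffffffffffffffff.png HTTP/1.1" 404 196 "-" "curl/8.4.0"',
    '198.51.100.23 - - [05/Mar/2024:13:30:03 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    found, noise = REGISTRY.hits(SAMPLE_LOG)
    for h in found:
        where = "INSIDE" if h.internal else "OUTSIDE"
        print(f"[{h.timestamp}] {h.artifact} opened from {h.source_ip} ({where}) via {h.user_agent}")
    print(f"{noise} request(s) for unknown tokens ignored")
```

The registry is the piece people forget: an alert that says "token 5d41... fetched from 203.0.113.7" is useless unless you can immediately say which client, which share and which file that token lives in. Keep that mapping somewhere the attacker cannot read it (not on the share next to the canary).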
Why They're So Effective
Most security controls try to distinguish good from bad activity. This is hard because attackers use the same tools and techniques as legitimate users. Canary tokens sidestep this problem entirely: there is NO legitimate reason to interact with them, so any interaction is suspicious by definition. This gives you near-zero false positives, the holy grail of threat detection. The one caveat is your own infrastructure: backup jobs, search indexers and antivirus scanners will read canary files on disk, so either exclude those service accounts from the alert or use tokens that fire only when the document is actually opened (the embedded canary URL) rather than on any read.
Deployment for MSPs
Deploy canary tokens across every client environment: 2-3 canary files on key file shares, 1-2 canary credentials in Active Directory, canary URLs in sensitive documents. This takes about 30 minutes per client to set up and provides high-signal detection that complements your SIEM and EDR. Record where every token lives and what it is called, so an alert can be attributed to a client, host and file in seconds, and vary the names between clients so an attacker who has seen one environment does not recognise the pattern in the next. When a canary fires, treat it as a confirmed compromise indicator and activate your incident response playbook: the alert already tells you which host or user touched the token, which is where triage starts.
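The canary-credential detection, as an added example that is not code from the original article: it scans forwarded Windows Security events for any authentication activity involving a honey account and raises an alert naming the source, which is the "treat it as a confirmed compromise indicator" hand-off to the playbook. It goes one step beyond the text by also watching service-ticket requests (event 4769) for a honey account that carries an SPN, since requesting a ticket for such an account is how Kerberoasting shows up. The account names, hostnames, addresses and events below are constructed in the flat JSON shape a log forwarder such as winlogbeat emits.

```python
"""Honey-account authentication alerting over Windows Security events.

Added example, not the article's code. HONEY_ACCOUNTS, the hosts, the
addresses and SAMPLE_EVENTS are constructed; the event IDs and status codes
are the standard Windows ones.
"""
from dataclasses import dataclass

HONEY_ACCOUNTS = {"svc_backup_admin", "sql_sa_prod"}

# Event ID -> field that holds the account to check.
# 4768/4771: Kerberos TGT requested / pre-auth failed (domain controller)
# 4625: logon failure; 4624: logon success; 4776: NTLM credential validation
# 4769: service ticket requested; ServiceName is the account behind the SPN,
#       so a hit means someone asked for a ticket for the honey SPN.
ACCOUNT_FIELD = {4768: "TargetUserName", 4771: "TargetUserName", 4625: "TargetUserName",
                 4624: "TargetUserName", 4776: "TargetUserName", 4769: "ServiceName"}

# Why the attempt failed (or not); handy for triage of the alert.
STATUS_TEXT = {
    "0x0": "success",
    "0x18": "KDC_ERR_PREAUTH_FAILED (bad password)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (account disabled or locked)",
    "0xc000006a": "wrong password",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}


@dataclass(frozen=True)
class HoneyAlert:
    event_id: int
    account: str
    source: str          # attacker-side IP and/or workstation
    reporting_host: str  # DC or server that logged the event
    detail: str


def normalize_account(name):
    """'CORP\\svc_x', 'svc_x@corp.example', 'svc_x/host' all become 'svc_x'."""
    name = name.strip().lower().rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].split("/", 1)[0]


def source_of(ev):
    """Best available origin: IP (IPv4-mapped IPv6 prefix stripped) plus workstation name."""
    ip = (ev.get("IpAddress") or "").strip()
    if ip.startswith("::ffff:"):
        ip = ip[7:]
    host = ev.get("WorkstationName") or ev.get("Workstation") or ""
    if ip and ip != "-":
        return f"{ip} ({host})" if host else ip
    return host or "unknown"


def scan(events):
    """Return one HoneyAlert per event that touches a honey account."""
    alerts = []
    for ev in events:
        eid = int(ev.get("EventID", 0))
        field = ACCOUNT_FIELD.get(eid)
        if field is None:
            continue
        account = normalize_account(ev.get(field, ""))
        if account not in HONEY_ACCOUNTS:
            continue
        # 4625 carries the useful reason in SubStatus; the others use Status.
        status = (ev.get("SubStatus") or ev.get("Status") or "").lower()
        detail = STATUS_TEXT.get(status, status or "n/a")
        if eid == 4769:
            requester = normalize_account(ev.get("TargetUserName", ""))
            enc = ev.get("TicketEncryptionType", "")
            detail = f"service ticket requested by {requester}, etype {enc}"
            if enc.lower() == "0x17":          # RC4: what Kerberoasting tools ask for
                detail += " (RC4: kerberoast-style)"
        alerts.append(HoneyAlert(eid, account, source_of(ev), ev.get("Computer", ""), detail))
    return alerts


# Constructed events: a normal logon, then one workstation probing the honey
# account over Kerberos, SMB and NTLM, then a ticket request for the honey SPN.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FS01.corp.example", "TargetUserName": "j.doe", "IpAddress": "10.20.4.19"},
    {"EventID": 4771, "Computer": "DC01.corp.example", "TargetUserName": "svc_backup_admin",
     "IpAddress": "::ffff:10.20.4.19", "Status": "0x18"},
    {"EventID": 4625, "Computer": "FS01.corp.example", "TargetUserName": "SVC_BACKUP_ADMIN", "TargetDomainName": "CORP",
     "WorkstationName": "WS-FINANCE-07", "IpAddress": "10.20.4.19", "Status": "0xC000006D", "SubStatus": "0xC000006A"},
    {"EventID": 4776, "Computer": "DC01.corp.example", "TargetUserName": "CORP\\svc_backup_admin",
     "Workstation": "WS-FINANCE-07", "Status": "0xC000006A"},
    {"EventID": 4769, "Computer": "DC01.corp.example", "TargetUserName": "j.doe@CORP.EXAMPLE",
     "ServiceName": "sql_sa_prod", "IpAddress": "::ffff:10.20.4.19", "TicketEncryptionType": "0x17"},
    {"EventID": 4625, "Computer": "FS01.corp.example", "TargetUserName": "j.doe", "IpAddress": "10.20.4.19",
     "Status": "0xC000006D", "SubStatus": "0xC000006A"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"HONEY {a.event_id} {a.account} from {a.source} (seen on {a.reporting_host}): {a.detail}")
```

Three of the four alerts come from the same workstation, which is exactly the pivot the playbook needs on day one. Two things the logic deliberately does not cover: the account must never be used by any real job (otherwise every alert is noise), and plain LDAP enumeration of the honey account generates no authentication event, so reading the account's attributes is invisible to this check unless you add an audit SACL on the object.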