Setting the Bait for Hackers

Many years ago, miners carried canaries into coal mines to test for dangerous gases. Because the birds are more sensitive to gas than humans, the miners knew to leave the mine if the canaries died.

Connecting to the internet is like climbing into a dark, uncharted mine, where nearly invisible dangers lurk, waiting to attack unprotected machines. Think of canary objects as the bait for ransomware.

Canary objects are designed so that ransomware will likely attack them first, minimizing the number of your files affected. If a process tries to access one or more canary files, the EDR knows immediately that the process is likely ransomware and can automatically suspend it and raise an alert before the attack damages the system.


What Are Canary Files, Folders, and Objects?

Canary files and canary folders, combined, are known as canary objects.

Typically, canary objects are installed in root folder locations (C:\, D:\, etc.) and/or the main directory (C:\Users) for the machine, as well as in locations specific to any user logged in at the time of deployment/redeployment by the endpoint detection and response (EDR) platform.

Each canary folder contains several canary files. Canary objects are usually not present on external hard drives (e.g., USB devices) or on network drives. Most cybersecurity companies redeploy canary objects periodically to maximize protection.

What Do Canary Objects Look Like?

Remember, canary objects are essentially bait for hackers and ransomware. Just as an angler’s lure attracts fish by looking like food, canary objects look like ordinary folders and files to the human eye. Canary folders and files can be named with a combination of random characters or random common English words and come in a variety of common file types.

Depending on the deployment type, you may or may not be able to see canary objects. Some canary objects are deployed visible, while others are hidden. There is a balance to maintain here: visible canary objects can alarm users who don’t understand what they are or why they’re there, so it’s important to share basic information about them. At the same time, sharing too much detail about canary objects can be a security risk. The less attackers know about canary objects and how they work in your specific IT ecosystem, the more likely it is that these files will successfully protect against an actual ransomware attack.
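To make the mechanism described above concrete, here is an added example (not code from the original page or from any vendor's EDR) of the two halves of a canary-object deployment: planting a folder of decoy files with names drawn from common English words and common document extensions, then checking those files for the changes a ransomware process leaves behind. A real EDR intercepts file access in real time; this example instead records a hash manifest at deployment and detects modification, renaming or deletion on the next check. The word pool, extensions, file counts and the `demo()` fixture are constructed for the example and are not the values any product uses.

```python
from __future__ import annotations

import hashlib
import os
import random
import tempfile
from pathlib import Path

# Constructed name pool and extensions; real deployments use their own lists.
WORDS = ["budget", "invoice", "report", "notes", "summary", "schedule", "contract", "photos"]
EXTENSIONS = [".docx", ".xlsx", ".pdf", ".jpg", ".txt"]


def sha256_file(path: Path) -> str:
    """Hash a file's contents so later checks can detect in-place encryption."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def deploy_canaries(root: Path, count: int = 4, rng: random.Random | None = None) -> dict[str, str]:
    """Create one canary folder under `root` holding `count` decoy files.

    Returns a manifest {absolute path: sha256} that the checker uses as its baseline.
    """
    rng = rng or random.Random()
    folder = root / f"{rng.choice(WORDS)}_{rng.choice(WORDS)}"
    folder.mkdir(parents=True, exist_ok=True)
    manifest: dict[str, str] = {}
    while len(manifest) < count:
        name = f"{rng.choice(WORDS)}_{rng.randint(1000, 9999)}{rng.choice(EXTENSIONS)}"
        path = folder / name
        if path.exists():  # avoid the rare name collision
            continue
        # Random filler so the file has a plausible size and a unique hash.
        path.write_bytes(os.urandom(2048))
        manifest[str(path)] = sha256_file(path)
    return manifest


def check_canaries(manifest: dict[str, str]) -> list[tuple[str, str]]:
    """Compare the canary folder against the manifest and return (path, reason) events.

    Reasons: "modified" (contents changed, e.g. encrypted in place),
    "deleted_or_renamed" (original path gone), "unexpected_file" (a new file
    appeared in a canary folder, e.g. a renamed encrypted copy or a ransom note).
    An empty list means the canaries are untouched.
    """
    events: list[tuple[str, str]] = []
    for path_str, expected in manifest.items():
        path = Path(path_str)
        if not path.exists():
            events.append((path_str, "deleted_or_renamed"))
        elif sha256_file(path) != expected:
            events.append((path_str, "modified"))
    known = set(manifest)
    for folder in {Path(p).parent for p in manifest}:
        if folder.exists():
            for child in folder.iterdir():
                if str(child) not in known:
                    events.append((str(child), "unexpected_file"))
    return sorted(events)


def demo() -> list[tuple[str, str]]:
    """Deploy canaries in a temp dir, apply constructed file changes, and return the alerts."""
    root = Path(tempfile.mkdtemp(prefix="canary_demo_"))
    manifest = deploy_canaries(root, count=3, rng=random.Random(7))
    assert check_canaries(manifest) == []  # clean baseline right after deployment
    paths = sorted(manifest)
    first, second = Path(paths[0]), Path(paths[1])
    # Constructed stand-in for what a check sees after an attack: one file
    # overwritten in place, one renamed to a new extension, one new file dropped.
    first.write_bytes(os.urandom(2048))
    second.rename(second.with_suffix(".locked"))
    (first.parent / "README_RESTORE.txt").write_text("constructed note for the demo")
    return check_canaries(manifest)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:>20}  {path}")
```

In practice the manifest would be stored outside the monitored drive and the check would run on a schedule or, better, be replaced by a file-system hook so the offending process can be suspended on first access rather than after the fact, which is the behaviour the section above attributes to an EDR.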

Technical Details: Canary Object FAQs

How Are Canary Objects Managed?

Canary files and folders are typically managed as part of an Endpoint Detection and Response (EDR) solution. The EDR will deploy canary objects as needed to maintain an adequate level of cybersecurity.

How Much Space do Canary Objects Require?

The amount of space required depends on your specific setup. On average, expect canary objects to use around 4MB per root directory and 8MB per logged-in user.

What Happens If I Don’t Have Enough Space On My Drive to Deploy Canary Objects?

If a drive doesn’t have enough available space, the EDR platform won’t deploy the objects there and will log a message for the System Administrator. The EDR platform will continue deploying canary objects on other drives.

Are There User Requirements for Canary Objects?

Users must be physically logged in to a machine at the time of deployment or redeployment for canary objects to be deployed into the user folder. Canary objects are not deployed to user folders for users who are not logged in at the time of deployment or redeployment.

We Help Keep Your Business Safe.

As a technology partner, we help organizations stay protected with cybersecurity solutions that include canary files and folders, like Advanced Endpoint Detection and Response (EDR). Contact us today to learn more about building a cybersecurity solution for your business.
