Oh Crumbs! (Breadcrumbs in Beta)

tl;dr: You can now create breadcrumbs to lure attackers to your Canaries with just a few clicks.

Canaries and (their) Discoverability

Our thesis with Canary has always been simple: Attackers who land in your infrastructure need to situate themselves and they do this by looking around. They run commands and touch systems that regular users never need to. By being selective about which services Canaries offer we can find the sweet-spot of services that are super-trivial to deploy, super likely to be touched by attackers, and super likely to be ignored by regular users. We work hard for this trifecta and empirically, it works.

The good thing about well-designed Canaries is that attackers following their TTPs will interact with the Canaries when they find them. It’s why they are there…

But sometimes, defenders want to tip the scales. They want to leave an RDP session file on the backup server desktop that points to a Canary. They want to create an entry in an SSH config file that points to a Canary. Canary will now generate these for you with just a click.

Breadcrumbs are created based on the services your bird is running. So the crumbs for a Canary running SSH will be different to a Canary running RDP. But both should be dead simple to use.
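To make the per-service idea concrete, here is an added sketch (not Thinkst's generator or its output format) that builds an SSH config stanza and an `.rdp` file for a decoy, depending on which services it runs. The `Decoy` type, the alias `backup-db01`, the account name and the 192.0.2.x address are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Decoy:                # hypothetical descriptor, not a Canary API object
    alias: str              # name that will appear in the breadcrumb
    address: str            # IP or DNS name of the Canary
    user: str               # plausible account name that nobody really uses
    services: tuple         # services the bird runs, e.g. ("ssh", "rdp")

def ssh_stanza(d):
    """OpenSSH client config entry pointing at the decoy."""
    return f"Host {d.alias}\n    HostName {d.address}\n    User {d.user}\n"

def rdp_file(d):
    """Minimal .rdp session file; settings are name:type:value lines."""
    return (f"full address:s:{d.address}\r\n"
            f"username:s:{d.user}\r\n"
            "prompt for credentials:i:1\r\n")

# service name -> (output file name, renderer)
BUILDERS = {
    "ssh": (lambda d: "ssh_config.snippet", ssh_stanza),
    "rdp": (lambda d: f"{d.alias}.rdp", rdp_file),
}

def build_breadcrumbs(d):
    """Return {file name: content}, one crumb per supported service."""
    crumbs = {}
    for svc in d.services:
        if svc in BUILDERS:
            name, render = BUILDERS[svc]
            crumbs[name(d)] = render(d)
    return crumbs

def merge_ssh_config(existing, d):
    """Append the stanza to existing config text, once only."""
    for line in existing.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "host" and d.alias in parts[1:]:
            return existing          # already planted, keep the file unchanged
    if not existing:
        sep = ""
    else:
        sep = "\n" if existing.endswith("\n") else "\n\n"
    return existing + sep + ssh_stanza(d)

if __name__ == "__main__":
    decoy = Decoy("backup-db01", "192.0.2.10", "svc_backup", ("ssh", "rdp"))
    for fname, body in build_breadcrumbs(decoy).items():
        print(f"--- {fname} ---\n{body}")
```

Because the merge is idempotent, a deployment job can re-run it against the same `~/.ssh/config` without stacking duplicate entries.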

Take it for a spin. We think you will like it.


Authored with 💚 by Thinkst