HoneyDocs

17th May 2021

A HoneyPot is a server or IP address that logs traffic that attempts to log on to it. It is generally deployed on a private network and its visibility is limited to that network. It works well enough but does generate some alerts whenever an inventory/vulnerability scan runs.

A HoneyDoc works in a similar manner to advertising trackers. A document can reference an external image; when the document is opened, the external image is automatically fetched. Advertisers use this to know how many people are watching their ad. Security professionals use this to track what public IP address is opening a document.
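The following added example (not code from CanaryTokens or from the original post) shows the tracking side of this mechanism: it scans web server access log lines for fetches of per-document image URLs and reports which document was opened and from which IP address. The `/t/<id>/logo.png` URL layout, the token ids, the reminders and the log lines (including the user agent strings) are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed registry: token id -> reminder text (what the document is and whose it is).
TOKENS = {
    "a1b2c3d4e5f6": "Client A - HR share payroll.docx",
    "0f9e8d7c6b5a": "Client B - finance passwords.docx",
}

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# Hypothetical beacon URL layout: /t/<12 hex chars>/logo.png
TOKEN_RE = re.compile(r"^/t/(?P<token>[0-9a-f]{12})/logo\.png(?:\?.*)?$")

def find_hits(lines, tokens=TOKENS):
    """Return one alert dict per request that fetched a known token image."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        t = TOKEN_RE.match(m["path"])
        if not t or t["token"] not in tokens:
            continue  # ordinary traffic, or a token id we never issued
        alerts.append({
            "reminder": tokens[t["token"]],
            "token": t["token"],
            "source_ip": m["ip"],
            "opened_at": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "user_agent": m["agent"],
        })
    return alerts

# Constructed sample log lines (documentation IP ranges, made-up user agents).
SAMPLE_LOG = [
    '198.51.100.23 - - [17/May/2021:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [17/May/2021:09:15:40 +0000] "GET /t/a1b2c3d4e5f6/logo.png HTTP/1.1" 200 68 "-" "Mozilla/4.0 (compatible; ms-office)"',
    '203.0.113.77 - - [17/May/2021:09:15:41 +0000] "GET /t/ffffffffffff/logo.png HTTP/1.1" 404 0 "-" "scanner"',
]

if __name__ == "__main__":
    for a in find_hits(SAMPLE_LOG):
        print(f'{a["opened_at"].isoformat()} {a["reminder"]} opened from {a["source_ip"]} ({a["user_agent"]})')
```

Keeping the reminder in the registry rather than in the URL means the fetched address reveals nothing about which client or file the document belongs to.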

HoneyDocs are free and easy to create, and we will see how a service like CanaryTokens.org makes it easy to track our HoneyDocs without having to set up our own public webserver.

https://canarytokens.org/generate#

Choose a Word Document token and put an Email address in the Blue box. I like to put the Company Name in the Reminder box as I look after security for a number of different clients.

After filling in all the boxes you will be able to click Generate and download your document.

Record the serial numbers of these tokens in your password manager so you can get to the webpage to change the email address or see the token history.

When anyone opens the document you will get an alert like this

If you like this kind of CyberDeception tool, take a look at Minerva, Javelin, Symmetria, TrapX.