Canary Files

What are these strange, random looking files I see?

Our Data Extortion Prevention software receives behavioral indicators from several engines before making a split-second decision whether an attack is at hand. One of the engines, the file monitoring engine, uses special files in several locations.

Those files you sometimes see, sometimes not, are there by Cyber Crucible. Depending on how an application may list files, you may see them. For example, a program that use File Explorer to list files to save or open, will now show you them.

We call those files canaries, like, “canary in the coal mine” (wiki).

embedded-image-jbjjn9lx.png

What is special about Cyber Crucible canary files?

Canary files have special data hidden in them, in the event they are ever stolen by an attacker. Cyber Crucible can trace the file back to the original owner.

The file names are mostly-random (called psuedo-random) in a way that attackers cannot identify them and avoid them. The names are created with a special Cyber Crucible math formula, that allows our software to recognize a file as a canary, even if the names are different from machine to machine or file to file.

The ability for Cyber Crucible software to recognize these files also means that there only needs to be one canary file per server, even if thousands of workstations are using the server.

Where do canary files files exist?

Canaries are found in various places in your file system.

Anytime a new source of files appears on your system, from any possible user, Cyber Crucible automatically checks to see if canaries have already been placed. That includes removable drives like USB sticks, network file sources, and cloud-based file storage.