Red Canary's Response Plans started as a simple orchestration layer on top of Carbon Black Response's extremely flexible Live Response capabilities. What took 10 commands in Live Response became two clicks in Red Canary, and Response Plans became the cornerstone of how many Red Canary users cut their mean time to response.
Armed with years of data about how Response Plans are used, we're taking it one step further. We know that your typical response to a Red Canary confirmed detection is:
- Kill any processes that are indicators of compromise and ban them from running across your enterprise
- Delete the files associated with any indicators of compromise, whether they be binaries that executed, modules loaded, or file modifications
- Remove any registry keys marked as indicators of compromise
- Ban the domains of any network connections marked as indicators of compromise (more on this soon!)
When you click Respond to any detection, these actions will be automatically selected.
Finally, we added clarity to the Response Plan execution workflow. You'll now see separate sections for actions that affect your entire enterprise (banning binaries and domains) and actions that are scoped to the affected endpoint alone.
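To make the default selection and the enterprise/endpoint split above concrete, here is an added example (not Red Canary's or Carbon Black's code) that models a detection's indicators of compromise and builds the plan described in the list: kill and ban processes, delete associated files, remove registry keys, and ban domains. The indicator types, the `build_response_plan` function and the sample detection are all constructed for this illustration. One caveat it handles that the text implies but does not spell out: a process indicator with no hash can be killed and its file deleted on the endpoint, but nothing can be banned enterprise-wide, so the plan reports it instead of silently dropping it.

```python
"""Model of a default Response Plan built from a detection's indicators of compromise.

Added example with constructed data; not Red Canary's or Carbon Black's code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class IocType(Enum):
    PROCESS = "process"                       # a process that executed
    FILE = "file"                             # binary, loaded module, or modified file
    REGISTRY_KEY = "registry_key"
    NETWORK_CONNECTION = "network_connection"


@dataclass(frozen=True)
class Indicator:
    kind: IocType
    value: str                     # file path, registry key, or domain
    sha256: Optional[str] = None   # hash of the binary, when the sensor collected it
    pid: Optional[int] = None      # live PID, for process indicators


@dataclass(frozen=True)
class Action:
    name: str     # kill_process, ban_hash, delete_file, delete_registry_key, ban_domain
    target: str
    scope: str    # "enterprise" (every endpoint) or "endpoint" (the affected host only)


def build_response_plan(endpoint: str, indicators: list[Indicator]) -> dict:
    """Return the default plan: actions split by scope, plus indicators that could not be acted on."""
    enterprise: dict[Action, None] = {}      # dicts keep insertion order and deduplicate
    endpoint_scoped: dict[Action, None] = {}
    skipped: list[str] = []

    for ioc in indicators:
        if ioc.kind is IocType.PROCESS:
            if ioc.pid is not None:
                endpoint_scoped[Action("kill_process", f"{endpoint}:pid {ioc.pid}", "endpoint")] = None
            if ioc.sha256:
                # Banning by hash is enterprise-wide; normalise so the same binary is banned once.
                enterprise[Action("ban_hash", ioc.sha256.lower(), "enterprise")] = None
            else:
                # Without a hash there is nothing to ban; surface it rather than drop it.
                skipped.append(f"process {ioc.value}: no SHA-256 collected, cannot ban")
            endpoint_scoped[Action("delete_file", f"{endpoint}:{ioc.value}", "endpoint")] = None
        elif ioc.kind is IocType.FILE:
            endpoint_scoped[Action("delete_file", f"{endpoint}:{ioc.value}", "endpoint")] = None
        elif ioc.kind is IocType.REGISTRY_KEY:
            endpoint_scoped[Action("delete_registry_key", f"{endpoint}:{ioc.value}", "endpoint")] = None
        elif ioc.kind is IocType.NETWORK_CONNECTION:
            enterprise[Action("ban_domain", ioc.value.lower(), "enterprise")] = None

    return {"enterprise": list(enterprise), "endpoint": list(endpoint_scoped), "skipped": skipped}


# Constructed sample detection: hostname, paths, hash and domain are all placeholders.
SAMPLE_ENDPOINT = "WS-0042"
SAMPLE_INDICATORS = [
    Indicator(IocType.PROCESS, r"C:\Users\alice\AppData\Local\Temp\updater.exe", sha256="AB" * 32, pid=4120),
    # Second instance of the same binary: a second kill, but one ban and one delete.
    Indicator(IocType.PROCESS, r"C:\Users\alice\AppData\Local\Temp\updater.exe", sha256="ab" * 32, pid=4188),
    Indicator(IocType.FILE, r"C:\Users\alice\AppData\Local\Temp\helper.dll"),
    Indicator(IocType.REGISTRY_KEY, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Indicator(IocType.NETWORK_CONNECTION, "Updates.Example.INVALID"),
    # Hash not yet collected by the sensor: endpoint actions only, and a note in "skipped".
    Indicator(IocType.PROCESS, r"C:\Users\alice\AppData\Local\Temp\unknown.exe", pid=5001),
]


if __name__ == "__main__":
    plan = build_response_plan(SAMPLE_ENDPOINT, SAMPLE_INDICATORS)
    for section in ("enterprise", "endpoint"):
        print(f"== {section} actions ==")
        for action in plan[section]:
            print(f"  {action.name:20} {action.target}")
    for note in plan["skipped"]:
        print(f"skipped: {note}")
```

Keeping the two scopes in separate lists mirrors the new execution workflow: an analyst can approve the endpoint-only actions immediately while giving the enterprise-wide bans, which affect every host, a second look.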