Red Canary's Intelligence Team researches and writes Intelligence Insights to provide you with timely information about trending security threats and cybersecurity news.
Read about emerging trends and threats in cybersecurity by clicking Intelligence and then Insights in the navigation menu.
There are two types of Intelligence Insights:
- Monthly insights provide a retrospective look at top threats over the past month and any trends.
- Ad hoc insights provide time-sensitive intelligence about threats on a specific topic.
You can filter for intelligence insights by an intelligence insight’s name or text found within the intelligence insight. The most recent threats will display along with the most important information from the note.
Red Canary Intelligence has developed a library of Intelligence Profiles that summarize behaviors related to threats. These profiles are associated with potentially threatening events, confirmed threats, and other data found throughout Red Canary. When we identify a threat that is of significant concern to customers, we create a profile based on our internal and external sources, and iteratively add to it over time. Since Intelligence Profiles are under active development, you should expect changes to both the structure and the content of the profiles over time. This additional information will provide you with a broader understanding of the given threat.
In addition, we consume external sources (such as blog posts, Twitter, and VirusTotal samples) and keep track of threats that others are observing. Transparency is a core value at Red Canary, and as such, we are open about what we know—and don’t know—about threats.
To access Profiles, click Intelligence and then Profiles in the navigation menu.
Inside a Threat Profile
For details on a specific threat profile, click on the threat’s name.
A new window opens with details about the profile. Following are the fields you’ll see and what each field covers:
- Title: The profile title is the name Red Canary uses to identify a threat actor. We choose this profile name based on various factors, including what the community commonly uses.
Note: The use of particular companies' names does not mean that Red Canary endorses those companies.
- Related Profiles: A list of other threats that are somehow related to the profile. This section may include other malware families that are often seen with the malware discussed in the profile. Related Threats are explained in the Executive Summary.
- Associated Names: The Red Canary Intelligence Team identifies a list of “alternate” names that have substantial overlap with the threat covered in the profile. For example, CrowdStrike uses the name FANCY BEAR to describe a group that has significant overlap with a group that FireEye calls APT28, so those would be listed under Associated Names. We do not refer to these as aliases, because they don’t represent exact overlaps.
- Detection Notes: A brief summary of tactical behaviors and observables for this profile. It includes items you will see directly in your threat, and will often give a sense of why Red Canary associates a specific profile with a detection. This section may begin with the Red Canary classification and sub-classification for this profile (explained here). Profiles may not include these if they vary based on the specific threat.
- Executive Summary: A concise summary of the threat, including significant background, notable activity, the threat’s objectives, and information on related threats.
- Tactics, Techniques, and Procedures: A detailed breakdown of Tactics, Techniques, and Procedures mapped to MITRE ATT&CK. This section may not be in all profiles due to the level of detail required. Each of the below sub-sections is only present when there is relevant information.
  - Primary Tactic: The primary MITRE ATT&CK tactic represented by one or more procedures. For example, some procedures may primarily be for Execution but also fall under Defense Evasion, so Execution would be the Primary Tactic and Defense Evasion would be an Additional Tactic.
  - Observables: Specific observables for a procedure, which can include command line options.
  - Techniques: The MITRE ATT&CK technique(s) and sub-technique(s) that demonstrate how the threat's actions were conducted.
  - Remediation: Any remediation recommendations that are specific to this profile.
  - References: Any specific external references used to support the specific procedure. If no reference is listed, this means the procedure was based solely on Red Canary analysis.
  - Detection Coverage Summary: Detector(s) that are likely to fire on the given procedure or observable. We also note whether they are specific to this threat with the "Targeted to this profile?" field. If a detector specifically identifies a single threat, "Targeted to this profile?" will be "Yes."
- References: All external references used in the creation of the profile. Our references include evaluated blog posts, tweets, and other sources.
- Related Threats: These are threats that use behavior associated with the specific intelligence profile.