How do you define “threat”? Is it a group or malware?
We define “threat” broadly as anything with intent, opportunity, and capability to cause harm. For the Red Canary Intelligence Team, a threat may be a group (either named by Red Canary or another team), a malware family, or a tool.
Why is there not much information in some of the profiles?
Our approach is to iteratively add information to profiles as we find it, meaning that we have documented more information about some threats than others. We want to be transparent, and that means being transparent about how much information we have on threats.
I don’t see a profile for a threat I care about. What should I do?
Please reach out to your Incident Handler to request a profile. As you do this, please include as much context as possible about why the threat is important to you and any specific questions you have about it, as this will help the Intelligence Team best respond.
How can I make contributions or suggest edits?
We would appreciate any contributions to our profiles! Improving our knowledge of threats lets us better protect all of our customers. If you have additions, edits, or questions, please reach out to your Incident Handler.
How are detections associated with profiles?
Detections are associated with profiles both automatically and manually. When Red Canary knows that a particular attribute (such as a unique command line) is specific to a certain known threat with a high level of confidence, we will automatically associate detections to profiles. To supplement this automatic approach, analysts also manually review detections to try to associate them to known threats. Since profile-to-detection associations are based on human assessments, they may change over time in response to new information.
Why aren't all detections associated with threats?
Whenever we can, the Red Canary Intelligence Team associates detections to known threats. We make these associations when we assess that a detection likely corresponds with a named threat. Each of these associations is a human assessment based on evidence. Sometimes we know that a behavior is malicious or suspicious but we can’t tie it to a known threat. Identifying a threat is sometimes easy (based on a known string, TTP, or indicator), but sometimes it takes many months or years—or requires visibility into larger context that we simply do not have.
Why do I see a detection associated with a threat after it’s already been published?
We want to get information about malicious or suspicious activity to you as soon as possible so you can take action. Trying to associate detections with threats in real time might slow this down, so we publish first and then go back to review detections after publication, associating them with threats where we can to help inform your response.
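The workflow described in the three answers above (automatic association only for high-confidence attributes, analyst assessments that may revise an earlier association, and publish-first with association done retroactively) can be sketched in code. This is an added illustration, not Red Canary's tooling; the rules, profile names, command lines and the 0.9 threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

AUTO_CONFIDENCE_THRESHOLD = 0.9  # assumed: only rules at/above this auto-associate

# Constructed rules: (command-line substring, profile, confidence). The first is
# treated as unique to one threat; the second is a common technique shared by
# many threats, so it is too ambiguous to associate without an analyst.
AUTO_RULES = [
    ("example_loader.exe --stage2", "profile-alpha", 0.95),
    ("powershell -enc", "profile-beta", 0.40),
]

@dataclass
class Detection:
    detection_id: str
    command_line: str
    published: bool = False
    profile: Optional[str] = None
    basis: Optional[str] = None            # "automatic" or "analyst"
    history: list = field(default_factory=list)  # (old, new, basis, evidence)

def publish(det: Detection) -> Detection:
    """Publish immediately; association is deferred so reporting is not delayed."""
    det.published = True
    return det

def auto_associate(det: Detection) -> Detection:
    """Apply only high-confidence rules; anything ambiguous is left unassociated."""
    for needle, profile, conf in AUTO_RULES:
        if needle in det.command_line and conf >= AUTO_CONFIDENCE_THRESHOLD:
            det.history.append((det.profile, profile, "automatic", conf))
            det.profile, det.basis = profile, "automatic"
            return det
    return det  # no confident match: stays unassociated pending analyst review

def analyst_associate(det: Detection, profile: str, evidence: str) -> Detection:
    """Record a human assessment; a later one may revise an earlier association."""
    det.history.append((det.profile, profile, "analyst", evidence))
    det.profile, det.basis = profile, "analyst"
    return det

def triage(detections: list) -> list:
    """Publish every detection first, then run retroactive auto-association."""
    return [auto_associate(publish(d)) for d in detections]
```

Detections matched only by the low-confidence rule remain unassociated until an analyst records an assessment, which mirrors why some published detections carry no threat name.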
Why are most of the profiles on malware families rather than groups?
Clustering activity into groups takes time, analysis, and a significant volume of data. For this reason, many detections are associated with malware families initially. Over time, the Intelligence Team may identify a new cluster of activity and create a new group based on that analysis. (For example, we did this with Blue Mockingbird.)
Why is there no attribution to countries in the profiles?
Attributing activity to the person behind the keyboard is difficult and requires novel and varied collection sources. Because attribution to the “who” behind the keyboard is not a requirement for many of our customers, the Red Canary Intelligence Team does not definitively attribute any threats to a specific person, company, or country. Instead, we focus on clustering similar activity and using that context to inform decisions. Some other companies and teams take a different approach and attribute directly to the person or country behind the keyboard. (For example, CrowdStrike uses the term BEAR for Russian threats.) When Red Canary uses those group names, we assess there is overlap in activity with what another team has attributed under that group name, but we make no assessment on the validity of their attribution to a specific person, company, or country.