Intelligence Profiles give users frontline intelligence, best practices for top threats, and adversary research directly within their Red Canary subdomain. These profiles are a differentiator for Red Canary, since many of our direct competitors do not offer a comparable capability.
For details on a specific Intelligence Profile, click on the profile name.
A window opens with details about the profile.
- Title: The profile title is the name Red Canary uses to identify the named threat. We choose this profile name based on various factors, including what the community commonly uses.
Note: The usage of a specific company's name does not imply that Red Canary endorses that company.
Tool, Group or Campaign Details:
- Description: A summary of the named threat detailed in the profile. Each profile has exactly one type: Tool, Group, or Campaign.
- Associated Names: The Red Canary Intelligence Team identifies a list of “alternate” names that substantially overlap with the threat covered in the profile. For example, CrowdStrike uses the name FANCY BEAR to describe a group that has significant overlap with a group that FireEye calls APT28, so those would be listed under Associated Names. We do not call these aliases because they do not represent exact overlaps: treat them as pointers for further research rather than as interchangeable identifiers.
- Related Profiles: A list of other threats related to this profile in some way, for example other malware families often observed alongside the malware discussed in the profile.
- Affected Platforms: Platforms the threat is known to affect, based on Red Canary observations or open-source reporting. The list may include operating systems as well as cloud and SaaS platforms, for example:
- Linux, macOS, Windows
- Azure, AWS, GCP, Office 365
“Any” indicates that the threat is known to affect any platform, typically any operating system.
- Affected Industries: This field is currently under development and, once in production, will identify industries that have been affected by the group, tool, or campaign detailed in the profile.
- In My Environment: These are published threats from your environment that Red Canary has assessed to be consistent with a specific Intelligence Profile.
- Detection Coverage: A count of the detectors associated with this profile, split into two categories:
- Broad Coverage: The number of Red Canary analytics designed to detect behaviors associated with this profile (behaviors that may also be shared with other threats).
- Specific Coverage: The number of Red Canary analytics designed to detect behavior unique to this profile.
- Executive Summary: This section summarizes the threat, including significant background, notable activity, the threat’s objectives, and information on related threats.
- Tactical Notes: A summary of tactical behaviors and observables for this profile. It includes tactical details often appearing in a published threat and explains why Red Canary associates a specific profile with a detection. This section may begin with the Red Canary classification and sub-classification for this profile. For more information, see Understand threats in Red Canary.
Tactics, Techniques, and Procedures (TTPs) and Recommendations
The TTP section gives a detailed breakdown of Tactics, Techniques, and Procedures mapped to MITRE ATT&CK. Because of the level of detail required, it is only present in certain profiles, and each of the sub-sections below appears only when there is relevant information.
- Primary Tactic: The MITRE ATT&CK tactic primarily represented by one or more procedures. A procedure that also serves another tactic lists that tactic as an Additional Tactic.
For example, a procedure that is primarily Execution but also provides Defense Evasion has Execution as its Primary Tactic and Defense Evasion as an Additional Tactic.
- Observables: Specific observables for a procedure, such as command lines or other telemetry.
- Techniques: The MITRE ATT&CK technique(s) and sub-technique(s) that describe how the threat's actions were carried out.
- Additional Remediation Guidance: Any remediation recommendations that are specific to the TTPs of this profile.
The TTP section also lists the detector(s) likely to fire on a given procedure or observable. The Targeted to this profile? column notes whether a detector is specific to this threat: it reads Yes when the detector identifies a single threat, and No otherwise.
The References section lists the external references used to create the profile, including evaluated blog posts, tweets, and other sources.