Red Canary's detection is designed to detect as many different forms of threats as possible that adversaries may deploy against your organization. This broad approach generates a large number of false positives for the Red Canary team to investigate, but it delivers the best results.
If Red Canary discovers threat intelligence or analytics that correspond to your endpoint data or security products, it generates a potentially threatening "event" that is reported to our Cyber Security Incident Response Team (CIRT) for investigation.
Learn more about potentially threatening events and how to list, filter, and review specific events.
What analytics do you use to detect threats?
Red Canary’s detection process uses two primary classes of analytics:
- Every piece of telemetry is tested to determine if it matches a compromise indicator that we’ve seen or heard adversaries use. These are brittle and often short-lived analytics, but if an adversary is foolish enough to reuse infrastructure or tools, they are easy to catch.
- Behavioral detectors identify sequences of system activity that match techniques used by adversaries. These could be as simple as running PowerShell with an encoded command line, or a highly complex chain of behavior over a long period of time. We map every detector to MITRE ATT&CK® techniques so you can quantify your detection coverage.
How long does it take to onboard and tune threats?
Red Canary, unlike other security products, does not require you to define your own detection rules and indicators of compromise in order to achieve extremely effective results. From day one, you get the benefits of years of Red Canary detection engineering.
How can I review and understand your threat coverage?
Understanding how Red Canary fits into your security stack requires transparency. You need to know where we provide coverage and where we do not, and we strive to make that information easily accessible.
Red Canary’s threat coverage is most easily viewed in a MITRE ATT&CK heatmap. From there, you can drill into a specific technique and learn whether Red Canary has coverage for it.
What standards or frameworks do you map to?
The MITRE ATT&CK taxonomy of behavioral techniques best fits Red Canary’s internal classification, so we've switched to using MITRE ATT&CK exclusively (supplemented by our own techniques when appropriate, which we contribute back to MITRE ATT&CK).
Every Red Canary analytic is mapped to one or more MITRE ATT&CK techniques making it easy to understand what Red Canary can and cannot detect.
Can I suggest or create a new analytic/threat?
Absolutely! Please submit a support case and let us know what behavior you’re looking to detect or share threat intelligence you think we should use.
If you believe Red Canary failed to detect adversary behavior, please let us know about these false negatives.