Detections are confirmed threats affecting your organization (think of them as realized risk). Each detection contains a wealth of information about:
- Endpoints and identities that were involved.
- ATT&CK techniques that were observed being used.
- Analytics, threat intelligence, and alerts that led to the identification of the threat.
- An annotated timeline highlighting the key endpoint activities involving the detection.
This information gives every one of your responders, whether seasoned IR professionals or your help desk, the exact information they need to remediate the threat.
Think of each detection as a “ticket” in a typical ticketing system: it is a unit of work that your team needs to act on and will stay “open” until completed.
Each detection is given an identifier (starting with THREAT-) that uniquely identifies it throughout Red Canary.
Where do detections come from?
Detections are the result of Red Canary detecting a potential threat to your organization, performing an investigation, and confirming it as threatening.
What false positive rate should I expect?
You should expect a very low false positive rate from Red Canary, because a detection is published only after CIRT investigation has confirmed the threat.
How are confirmed threats classified?
Threats confirmed by Red Canary are assigned a high, medium, or low severity.
A detection marked as high severity indicates that there is an immediate, active threat. Prompt action should be taken.
A detection marked as medium severity indicates that urgent action should be taken, but doesn't require a "drop everything, all hands" response.
Detections marked as low severity indicate potential configuration or control gaps. This severity is used for unwanted software and other applications that introduce risk.
Malicious Software
This classification covers the execution of malicious code or binaries, or the abuse of built-in scripting platforms and other utilities, to achieve adversarial goals. This includes commodity malware, targeted attacks, ransomware, and lateral movement.
Malicious Software detections can be assigned a high or medium severity.
Subclassifications include: Coinminer, Credential Theft, Dropper/Downloader, Lateral Movement, Post-Exploitation Tool, Ransomware, and Webshell.
Coinminer
This subclassification covers the delivery and execution of cryptocurrency miners without the user's knowledge or consent. Coinminers degrade system performance and employee productivity, and as they have grown in popularity adversaries have also used them as a vehicle for delivering other malicious payloads. Examples of common coinminer threats include XMRig and Smominru.
Credential Theft
This subclassification covers the execution of malicious code or binaries designed to capture user credentials, tokens, or other authentication material. This includes local and domain credentials, as well as usernames and passwords for internal or external sites and resources. Examples of common tools include Mimikatz, PowerSploit, PWDump, and NTDSUtil.
Dropper/Downloader
This subclassification covers tools used in the initial stages of a compromise to introduce additional malicious payloads onto the target computer. The payload is either embedded in the original file (dropper) or retrieved from a remote resource (downloader).
Lateral Movement
This subclassification covers activity consistent with lateral movement within the environment. It typically involves accessing and controlling remote systems on the network, because adversaries usually need to pivot to other systems to achieve their objectives. Adversaries may install their own remote access tools to traverse the network, or use legitimate credentials with native network and system tools such as SMB shares and RDP.
Post-Exploitation Tool
This subclassification covers activity from frameworks, utilities, and tools designed to execute malicious code or commands in a pseudo-standard fashion, often driven by playbooks and automation. Examples of common post-exploitation tools include Metasploit, Cobalt Strike, Armitage, and PowerSploit.
Ransomware
This subclassification covers activity related to malware that prevents access to and use of computers and files, using encryption, threats of infection, or other forms of extortion to get the victim to pay a fee. The victim is informed (typically via a popup message or ransom note) that once they comply, the encryption will be removed, files returned, and the immediate threat of extortion withdrawn.
Webshell
This subclassification covers a malicious, shell-like interface that lets a web server be accessed and managed remotely by executing arbitrary commands. A webshell can be uploaded to a web server to enable remote access to the server and its file system. Examples of common webshells include C99 and China Chopper.
Suspicious Activity
This classification encompasses activity that is abnormal but not directly attributable to a known threat or malware family. This includes suspicious chains of execution, unusual or unique binaries, and administrative actions that are difficult to distinguish from adversary actions.
Suspicious Activity detections can be assigned a high or medium severity.
Subclassifications include: Adversary Emulation, Account, Dual-use, Network, Process, Reconnaissance, Remote Access, and Security Product Tampering.
Adversary Emulation
This subclassification covers activity from known adversary emulation tools, which are commonly used to test telemetry and detection coverage in enterprise environments.
Account
This subclassification covers the creation or modification of an individual or service account, or of a security group, including activity that modifies or elevates permissions. Examples include the creation of new user accounts with non-standard naming conventions, or accounts and groups whose names deviate only slightly (for example by intentional misspelling) from existing ones.
Dual-use
This subclassification covers utilities that are used both for legitimate internal testing and for malicious activity, such as Active Directory configuration, account management, network discovery, and security auditing tools. Their use may indicate a security risk when they are not run by approved users.
Network
This subclassification covers abnormal patterns of network activity, connections to services or hosts in non-standard ways, and activity involving suspicious IP addresses or hosts. Examples include connections to unusual geographic destinations, dynamic DNS domains, and "paste" or other content-sharing sites.
Process
This subclassification covers a process exhibiting suspicious behavior that is not directly attributable to malware or a known threat profile. The binary or process may be legitimate but behave abnormally. Examples include unusual parent process chains or unexpected command-line arguments.
Reconnaissance
This subclassification covers a process exhibiting behavior indicative of host, user, or network reconnaissance, including port scans, account queries, and network packet captures. The binary or process may be legitimate but behave abnormally.
Remote Access
This subclassification covers the presence or use of remote access tools, including console and terminal-based utilities, under unusual circumstances.
Security Product Tampering
This subclassification covers tampering with security products, such as a security service being manipulated from an interactive session, a security process being forcibly stopped, or data being removed from the product's data store.
Unwanted Software
This classification encompasses applications that, while not always malicious, may compromise system security or privacy.
Unwanted Software detections can be assigned a low severity.
Subclassifications include: Adware, Peer-to-Peer (P2P), and Riskware.
Adware
Adware changes browser settings and home pages, redirects search results, and displays advertisements. These applications use deceptive installation techniques, including masquerading as, or bundling with, legitimate software.
Peer-to-Peer (P2P)
P2P software shares digital content or computing resources in a decentralized manner. It increases the risk of exposure to malware and/or illegal material, consumes network and computing resources, and may share controlled data without authorization.
Riskware
Riskware is software that may be used to circumvent security policy or controls, including but not limited to license or policy bypass, host-based proxies, and anonymization services. Riskware may have legitimate uses, but the functionality it provides introduces its own risk.
What is the “scope” of a detection?
Each detection is scoped to a single endpoint. This is important because most teams forward Red Canary detections into ticketing systems, and it is essential that each affected endpoint is remediated and none are missed.
If Red Canary detects activity on a single endpoint with two classifications (for example, one Unwanted Software and the other Malicious Software), two detections will be published because your response should be different for each.
What happens when additional behavior shows up after the initial detection/investigation?
Until you record that a confirmed threat has been remediated (or intentionally not remediated), Red Canary will continue appending updated information to the original detection (as long as it appears to be similar behavior or is of the same classification).
This appended information may appear in the detection timeline and will be reflected in the “Latest time threat was observed” timeline entry.
If a detection has been marked as remediated or not remediated and additional activity is identified, a new detection will be published to clearly denote that additional response is required.
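As an added example (not Red Canary's own code or API), the following Python models the detection lifecycle described in this section: one ticket per detection, and therefore per endpoint; appended activity updating the still-open ticket and its latest-observed time; and activity seen after remediation arriving under a new THREAT- identifier that must open a new ticket. The detection field names (id, endpoint, classification, severity, latest_time_observed, timeline) and the sample detections are constructed assumptions for this example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

OPEN, REMEDIATED, NOT_REMEDIATED = "open", "remediated", "not_remediated"


@dataclass
class Ticket:
    detection_id: str
    endpoint: str
    classification: str
    severity: str
    first_observed: str
    last_observed: str
    status: str = OPEN
    timeline: list[str] = field(default_factory=list)


def is_stale_update(queue: "TicketQueue", d: dict) -> bool:
    """True if d refers to a detection whose ticket is already closed.

    Activity seen after remediation is recorded is published as a *new*
    detection id, so an update to a closed id is a sync problem, not new work.
    """
    t = queue.tickets.get(d["id"])
    return t is not None and t.status != OPEN


class TicketQueue:
    """Mirror of published detections; each detection is already scoped to one endpoint."""

    def __init__(self) -> None:
        self.tickets: dict[str, Ticket] = {}

    def ingest(self, d: dict) -> Ticket:
        tid = d["id"]
        if not tid.startswith("THREAT-"):
            raise ValueError(f"not a detection identifier: {tid}")
        if is_stale_update(self, d):
            raise RuntimeError(f"{tid} is closed; expected a new detection id")
        ticket = self.tickets.get(tid)
        if ticket is None:
            ticket = Ticket(tid, d["endpoint"], d["classification"], d["severity"],
                            d["latest_time_observed"], d["latest_time_observed"],
                            timeline=list(d["timeline"]))
            self.tickets[tid] = ticket
        else:
            # Still open: appended activity extends the same detection.
            ticket.last_observed = max(ticket.last_observed, d["latest_time_observed"])
            ticket.timeline.extend(d["timeline"])
        return ticket

    def close(self, tid: str, remediated: bool) -> None:
        """Record the outcome; a closed ticket never reopens."""
        self.tickets[tid].status = REMEDIATED if remediated else NOT_REMEDIATED

    def open_by_endpoint(self) -> dict[str, list[str]]:
        """Open detection ids grouped by endpoint, so no affected host is skipped."""
        grouped: dict[str, list[str]] = defaultdict(list)
        for t in self.tickets.values():
            if t.status == OPEN:
                grouped[t.endpoint].append(t.detection_id)
        return dict(grouped)


# Constructed sample detections (not real Red Canary output); field names are assumed.
EVENTS = [
    {"id": "THREAT-101", "endpoint": "WS-ALICE", "classification": "Malicious Software",
     "severity": "high", "latest_time_observed": "2024-03-01T09:12:00Z",
     "timeline": ["powershell.exe spawned mimikatz.exe"]},
    {"id": "THREAT-102", "endpoint": "WS-ALICE", "classification": "Unwanted Software",
     "severity": "low", "latest_time_observed": "2024-03-01T09:30:00Z",
     "timeline": ["host-based proxy tool installed"]},
    {"id": "THREAT-101", "endpoint": "WS-ALICE", "classification": "Malicious Software",
     "severity": "high", "latest_time_observed": "2024-03-01T11:40:00Z",
     "timeline": ["lsass.exe memory read by mimikatz.exe"]},
    {"id": "THREAT-103", "endpoint": "WS-ALICE", "classification": "Malicious Software",
     "severity": "high", "latest_time_observed": "2024-03-02T08:05:00Z",
     "timeline": ["mimikatz.exe executed again after cleanup"]},
]


def run_example() -> TicketQueue:
    q = TicketQueue()
    q.ingest(EVENTS[0])  # THREAT-101 on WS-ALICE
    q.ingest(EVENTS[1])  # different classification, same host: its own ticket
    q.ingest(EVENTS[2])  # THREAT-101 still open: appended activity
    q.close("THREAT-101", remediated=True)
    q.ingest(EVENTS[3])  # activity after remediation: new id, new ticket
    return q


if __name__ == "__main__":
    q = run_example()
    for tid, t in q.tickets.items():
        print(tid, t.endpoint, t.status, t.last_observed, len(t.timeline))
    print("open work:", q.open_by_endpoint())
```

Keying the ticket store on the THREAT- identifier rather than on endpoint or classification is what makes the two cases in this section fall out naturally: two classifications on one host are two ids and therefore two tickets, and post-remediation activity is a new id that cannot silently land on a closed ticket.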
How do I ignore testing or red team activity?
You shouldn’t! Testing and red team exercises are an important way for you to functionally test your detection and response personnel, processes, and technologies. In most cases, the best approach is to let Red Canary detect and respond to the threat and record that the detection will not be remediated because it was a test.