Skip to main content
Red Canary help

Understand threats in Red Canary

  • Updated .

When Red Canary detects a threat, we receive and log a variety of information, such as: 

  • The endpoints and identities that were involved.
  • Any MITRE ATT&CK® techniques that were used.
  • Analytics, threat intelligence, and alerts that led to the identification of the threat.
  • An annotated timeline highlighting key endpoint activities involving the threat.

This information gives your responders, whether seasoned incident handlers or your IT help desk, the exact information they need to remediate the threat.

Think of each threat as a “ticket” in a typical ticketing system: it is a unit of work that your team needs to act on and will stay “open” until completed.

Each threat is given an identifier (starting with THREAT-) that uniquely identifies the threat throughout Red Canary.

How does Red Canary detect a threat?

Red Canary uses telemetry from your integrated security stack to detect suspicious activity. This allows us to perform a deeper investigation and confirm if the activity is considered threatening to your organization.

What false positive rate should I expect?

Because threats are investigated by a member of Red Canary’s Cyber Incident Response Team before being escalated to you, you should expect a low false positive rate. 

How are threats classified?

Severity

Threats confirmed by Red Canary are assigned a high, medium, or low severity. These severity rates should be used to assess how quickly you should respond to the threat:

  • High: This is an active threat. You should respond immediately. 
  • Medium: This is a threat that doesn’t need an emergency response, but urgent action should be taken.
  • Low: This isn’t an urgent threat and is most likely a potential configuration or control gap issue. An application that introduces risk to a user is an example of a low severity threat.

Malicious Software

Malicious software may execute malicious code or binaries, use built-in scripting platforms, or use other utilities to achieve adversarial goals. This includes commodity malware, targeted attacks, ransomware, and lateral movement.

Malicious software detections can be assigned a high or medium severity.

Subclassification

Description

Coinminer

Delivers and executes cryptocurrency miners without the user's knowledge or consent. Coinminers can negatively impact system performance and employee productivity. As coinminers have increased in popularity, they may be used to deliver malicious payloads. Examples of common coinminer threats include XMRig and Smominru.

Credential Theft

Executes malicious code or binaries designed to capture user credentials, tokens, or other methods of authentication.  This includes local and domain credentials as well as usernames and passwords to sites and resources (internal or external). Examples of common tools include Mimikatz, PowerSploit, PWDump, and NTDSUtil.

Dropper/Downloader

Introduces malicious payloads to the target computer. The payload is either included within the original file (dropper) or is retrieved from a remote resource (downloader). 

Lateral Movement

Produces activity consistent with signs of lateral movement in the environment, such as accessing and controlling remote systems on the network. Adversaries may install their own remote access tools to traverse through the network or use legitimate credentials with native network and system tools, such as SMB shares, RDP, etc. 

Post-Exploitation Tool

Executes malicious code or commands in a pseudo-standard fashion, and often uses playbooks and automation. Examples of common post-exploitation tools include Metasploit, Cobalt Strike, Armitage, and PowerSploit.

Ransomware

Prevents access to and use of computers and files by using encryption, threats of infection, or other forms of extortion in order to get the victim to pay a fee. The victim is informed, typically via popup message or ransom note, that once the victim complies, the encryption will be removed, files returned, and any immediate threat of extortion disabled.

Web shell

Includes activity related to a malicious, shell-like interface that allows a web server to be accessed and managed remotely by allowing arbitrary commands to be executed. A web shell can be uploaded to a web server to enable remote access to the server and its file system. Examples of common web shells include C99 and China Chopper.

Suspicious Activity

This classification encompasses activity that is abnormal, but not directly attributable to a known threat or malware family. This includes suspicious chains of execution, unusual or unique binaries, and administrative efforts that are difficult to differentiate from adversary actions.

Suspicious Activity can be assigned a high or medium severity.

Subclassification

Description

Adversary Emulation

Uses adversary emulation tools to test telemetry and detection coverage in enterprise environments.

Account

Includes the creation or modification of an individual or service account, or of a security group. Also includes activity to modify or elevate permissions. Examples include the creation of new user accounts with non-standard naming conventions or slight deviations from existing account or group names using intentional misspellings.

Dual-use

Includes activity consistent with utilities that are used for both internal testing and malicious activity. The use of these applications may indicate a security risk if they aren't executed by approved users. Examples include Active Directory configuration, account management, network discovery, and security audits.

Network

Includes abnormal patterns of network activity, connections to services or hosts in non-standard ways, and activity related to suspicious IP addresses or hosts. Examples include connections to unusual outside geographic destinations, dynamic DNS domains, and "paste" or other content-sharing sites.

Process

Includes activity from a process exhibiting suspicious behaviors that are not directly attributable to malware or known threat profiles. The binary or process may be legitimate, but exhibits abnormal behavior. Examples include unusual process parent chain executions, or unexpected process command arguments.

Reconnaissance

Includes activity from a process exhibiting behaviors indicative of host, user, or network reconnaissance, and includes port scans, account queries, and network packet captures. The binary or process may be legitimate, but exhibits abnormal behavior.

Remote Access

Includes the presence or use of remote access tools, including console and terminal-based utilities, under unusual circumstances.

Security Product Tampering

Includes activity related to the tampering of security products. Examples include  service manipulation via an interactive session, a process being forcibly stopped, and data being removed from the data store.

Unwanted Software

Unwanted Software encompasses applications that, while not always malicious, may compromise system security or privacy. 

Unwanted Software detections can be assigned a low severity.

Subclassification

Description

Adware

Performs actions such as changing browser settings and home pages, redirecting search results, and displaying advertisements. These applications use deceptive installation techniques that include masquerading as or bundling legitimate software.

Peer-to-Peer (P2P)

Shares digital content or computing resources in a decentralized manner. P2P software increases the risk of exposure to malware or illegal material, consumes network and computing resources, and may perform unauthorized sharing of controlled data.

Riskware

Circumvents security policy or controls, including but not limited to: license or policy bypass, host-based proxies, and anonymization services. Riskware may have legitimate uses, but does introduce unique risk due to the functionality that this class of software provides.

What is the “scope” of a threat?

Every threat is scoped to a single endpoint. This is important because most teams forward Red Canary threats into ticketing systems, and it is essential that each affected endpoint is remediated and none are missed.

If Red Canary detects activity on a single endpoint with two classifications (for example, one Unwanted Software and the other Malicious Software), two threats will be published because the response should be different for each.

What happens when additional behavior shows up after the initial detection/investigation?

Until you record that a threat has been remediated (or intentionally not remediated), Red Canary will continue appending updated information to the original threat (as long as it appears to be similar behavior or is of the same classification).

Note: Recording a threat as remediated (this was testing) will still result in similar behavior being appended to the original threat. 

This appended information may appear in the threat timeline and will be reflected by the Latest time threat was observed timeline entry.

If a threat has been marked as remediated or not remediated and additional activity is identified, a new threat will be published to clearly denote that an additional response is required.

How do I ignore testing or red team activity?

You shouldn’t! Testing and red team exercises are an important way for you to functionally test your detection and response personnel, processes, and technologies. In most cases, the best approach is to let Red Canary detect and respond to the threat and record that it will not be remediated because it was a test.

Comments

0 comments

Please sign in to leave a comment.