Detections are confirmed threats affecting your organization (think of them as realized risk). Each detection contains a wealth of information about:
- Endpoints and identities that were involved.
- ATT&CK techniques that were observed being used.
- Analytics, threat intelligence, and alerts that led to the identification of the threat.
- An annotated timeline highlighting the key endpoint activities involving the detection.
This information gives every one of your responders, whether seasoned IR professionals or your help desk, the exact information they need to remediate the threat.
Think of each detection as a “ticket” in a typical ticketing system: it is a unit of work that your team needs to act on and will stay “open” until completed.
Each alert is given an identifier (starting with THREAT-) that uniquely identifies the alert throughout Red Canary.
Where do detections come from?
Detections are the result of Red Canary detecting a potential threat to your organization, performing an investigation, and confirming it as threatening.
What false positive rate should I expect?
You should expect an incredibly low (< 0.1%) false positive rate from Red Canary because detections are the result of CIRT investigation.
How are confirmed threats classified?
Threats confirmed by Red Canary are assigned a high, medium, or low severity.
Each threat also carries a classification and may carry a more specific subclassification. While root classifications are well established, subclassifications may be numerous and are subject to change. Thus, not all subclassifications are listed.
Malicious Software
Malicious Software is the general term for programs that perform unwanted actions on your systems. This can include stealing your personal information, locking your PC until you pay a ransom, using your systems to send spam, or downloading other malicious software.
Malicious software detections can be assigned a high or medium severity.
Subclassifications include: Backdoor, Credential Theft, Crimeware, Dropper/Downloader, Exploit, Exploit Kit, Hacking Tool, Ransomware, Rogue Security Software, Trojan, and Worm.
Suspicious Activity
Suspicious Activity alerts are indicative of activity that is abnormal but not attributable to any known threat or malware family.
Suspicious Activity detections can be assigned a high or medium severity.
Subclassifications include: Account, Network, Process, Reconnaissance, Remote Access, and Sensor Tampering.
Unwanted Software
Unwanted Software encompasses applications that, while not always malicious, may compromise system security or privacy.
Unwanted Software detections can be assigned a low severity.
Unwanted Software subclassifications include: Adware, Peer-to-Peer (P2P), and Riskware.
Adware
Adware is software that performs actions such as changing browser settings and home pages, redirecting search results, and displaying advertisements. These applications use deceptive installation techniques, to include masquerading as or bundling legitimate software.
Peer-to-Peer (P2P)
P2P software is used to share digital content or computing resources in a decentralized manner. P2P software increases the risk of exposure to malware and/or illegal material, consumes network and computing resources, and may perform unauthorized sharing of controlled data.
Riskware
Riskware is software that may be used to circumvent security policy or controls, including but not limited to: license or policy bypass, host-based proxies, and anonymization services. Riskware may have legitimate uses, but does introduce unique risk due to the functionality that this class of software provides.
What is the “scope” of a detection?
Each detection is scoped to a single endpoint. This is important because most teams forward Red Canary detections into ticketing systems, and it is essential that each affected endpoint is remediated and none are missed.
If Red Canary detects activity on a single endpoint with two classifications (for example, one Unwanted Software and the other Malicious Software), two detections will be published because your response should be different for each.
What happens when additional behavior shows up after the initial detection/investigation?
Until you record that a confirmed threat has been remediated (or intentionally not remediated), Red Canary will continue appending updated information to the original detection (as long as it appears to be similar behavior or is of the same classification).
This appended information may appear in the detection timeline and will be reflected by the Latest time threat was observed timeline entry.
If a detection has been marked as remediated or not remediated and additional activity is identified, a new detection will be published to clearly denote that additional response is required.
How do I ignore testing or red team activity?
You shouldn’t! Testing and red team exercises are an important way for you to functionally test your detection and response personnel, processes, and technologies. In most cases, the best approach is to let Red Canary detect and respond to the threat and record that the detection will not be remediated because it was a test.