A common language is essential when communicating between different security teams. When Red Canary uses a behavioral analytic to hunt for adversary behavior, or confirms threatening activity in your environment, it is important that you quickly understand what we’re communicating.
We found that the MITRE ATT&CK taxonomy of behavioral techniques best fits our philosophy, so we exclusively use MITRE ATT&CK throughout Red Canary (supplemented by our own techniques when appropriate, which we contribute back to MITRE ATT&CK).
How does Red Canary use MITRE ATT&CK?
Many Red Canary objects are mapped to MITRE ATT&CK to aid your understanding and response:
- Each detection analytic (detector) is mapped to one or more MITRE ATT&CK techniques the analytic identifies.
- A coverage heatmap allows you to understand the total technique coverage that Red Canary contributes to your security program.
- Potentially threatening events resulting from detection analytics show the set of MITRE ATT&CK techniques used to identify the event.
- Confirmed threats (detections) published following the investigation of potentially threatening events show the set of MITRE ATT&CK techniques compiled from the underlying events.
Many reports and summary evaluations include MITRE ATT&CK as a dimension to help you understand what techniques are used in your environment (including a heatmap of techniques involved in confirmed threats).
What if Red Canary identifies a technique that is not in MITRE ATT&CK?
If Red Canary identifies an adversary technique that isn’t yet included in MITRE ATT&CK, we create a new technique identifier prefixed with RC (instead of the usual T prefix). We then submit that technique to the MITRE ATT&CK team. Once MITRE adds it to ATT&CK, we retire the RC-prefixed identifier and replace it with the identifier MITRE assigned.
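The mapping described in the two sections above, as an added illustrative model (not Red Canary's own code or data): detectors carry technique ids, an event takes the union of the techniques of the detectors that fired on it, a confirmed threat compiles the techniques of its underlying events, a matrix heatmap counts coverage per tactic, and RC-prefixed ids are swapped for the MITRE-assigned id once one exists. The detector names, the `RC0001` id and the `T9999` target id are constructed placeholders; the `T…` ids are real ATT&CK techniques.

```python
from collections import defaultdict
from typing import Dict, Iterable, Set

# Constructed sample data modelling the page's mapping. The T ids are real
# ATT&CK technique ids; "RC0001" is a constructed placeholder for a Red
# Canary-defined technique not yet in ATT&CK (the page describes the RC
# prefix, not this particular id).
TECHNIQUE_TACTICS: Dict[str, str] = {
    "T1059.001": "Execution",         # PowerShell
    "T1003": "Credential Access",     # OS Credential Dumping
    "T1053.005": "Persistence",       # Scheduled Task
    "T1021.002": "Lateral Movement",  # SMB/Windows Admin Shares
    "RC0001": "Persistence",          # placeholder RC-prefixed technique
}

# Each detector (behavioral analytic) maps to the techniques it identifies.
# Detector names are constructed for this example.
DETECTORS: Dict[str, Set[str]] = {
    "encoded_powershell": {"T1059.001"},
    "lsass_access": {"T1003"},
    "schtasks_create": {"T1053.005"},
    "custom_persistence": {"RC0001"},
}


def event_techniques(fired: Iterable[str], detectors=DETECTORS) -> Set[str]:
    """Techniques on a potentially threatening event: the union of the
    techniques of every detector that fired on it."""
    return set().union(*(detectors[d] for d in fired))


def detection_techniques(events: Iterable[Iterable[str]], detectors=DETECTORS) -> Set[str]:
    """Techniques on a confirmed threat: compiled from its underlying events,
    each given as the list of detectors that fired on it."""
    return set().union(*(event_techniques(e, detectors) for e in events))


def coverage_heatmap(detectors=DETECTORS, tactics=TECHNIQUE_TACTICS) -> Dict[str, Dict[str, int]]:
    """Matrix heatmap: per tactic, how many detectors cover each technique.
    A count of 0 marks a technique in the matrix with no coverage."""
    heat: Dict[str, Dict[str, int]] = defaultdict(dict)
    for tech, tactic in tactics.items():
        heat[tactic][tech] = sum(tech in covered for covered in detectors.values())
    return dict(heat)


def normalize_ids(techs: Iterable[str], rc_to_mitre: Dict[str, str]) -> Set[str]:
    """Replace RC-prefixed ids with the MITRE-assigned id once one exists;
    ids without a mapping are kept as they are."""
    return {rc_to_mitre.get(t, t) for t in techs}
```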
How can I see what MITRE ATT&CK techniques Red Canary detects?
We provide a MITRE ATT&CK matrix heatmap that shows the technique coverage Red Canary contributes to your security program.
Learn more about using MITRE ATT&CK heatmaps to understand Red Canary's threat coverage.
Does Red Canary support MITRE ATT&CK sub-techniques?
Red Canary has collaborated with the MITRE ATT&CK team throughout the definition of sub-techniques and is very excited about how they improve MITRE ATT&CK usage.