A common language is essential when communicating between different security teams. When Red Canary uses a behavioral analytic to hunt for adversary behavior, or confirms threatening activity in your environment, it is important that you quickly understand what we’re communicating.

We found that the MITRE ATT&CK taxonomy of behavioral techniques best fits our philosophy, so we exclusively use MITRE ATT&CK throughout Red Canary (supplemented by our own techniques when appropriate, which we contribute back to MITRE ATT&CK).

How does Red Canary use MITRE ATT&CK?

Many Red Canary objects are mapped to MITRE ATT&CK to aid your understanding and response: 

• Each detection analytic (detector) is mapped to one or more MITRE ATT&CK techniques the analytic identifies.
• A coverage heatmap allows you to understand the total technique coverage that Red Canary contributes to your security program.
• Potentially threatening events resulting from detection analytics show the set of MITRE ATT&CK techniques used to identify the event.
• Confirmed threats (detections) published following the investigation of potentially threatening events show the set of MITRE ATT&CK techniques compiled from the underlying events.

Many reports and summary evaluations include MITRE ATT&CK as a dimension to help you understand what techniques are used in your environment (including a heatmap of techniques involved in confirmed threats).

What if Red Canary identifies a technique that is not in MITRE ATT&CK?

If Red Canary identifies an adversary technique that isn’t yet included in MITRE ATT&CK, we create a new technique identifier prefixed with RC (instead of the typical T prefix). We then submit that technique to the MITRE ATT&CK team. Once it is added to MITRE ATT&CK, we remove the RC prefix and replace it with the new identifier.

How can I see what MITRE ATT&CK techniques Red Canary detects?

We provide a MITRE ATT&CK matrix heatmap that shows the technique coverage Red Canary contributes to your security program.

Learn more about using MITRE ATT&CK heatmaps to understand Red Canary's threat coverage.

Does Red Canary support MITRE ATT&CK sub-techniques?

Red Canary has collaborated with the MITRE ATT&CK team throughout the definition of sub-techniques and is very excited about how they improve MITRE ATT&CK usage.