A common language is essential when communicating between different security teams. When Red Canary uses a behavioral analytic to hunt for adversary behavior, or confirms threatening activity in your environment, it is important that you quickly understand what we’re communicating.
We found that the MITRE ATT&CK® taxonomy of behavioral techniques best fits our philosophy, so we exclusively use ATT&CK throughout Red Canary (supplemented by our own techniques when appropriate, which we contribute back to ATT&CK).
How does Red Canary use ATT&CK?
Many Red Canary objects are mapped to ATT&CK to aid your understanding and response:
- Each detection analytic (detector) is mapped to one or more ATT&CK techniques the analytic identifies.
- A coverage heatmap allows you to understand the total technique coverage that Red Canary contributes to your security program.
- Potentially threatening events resulting from detection analytics show the set of ATT&CK techniques that led to the identification of the event.
- Confirmed threats (detections) published following the investigation of potentially threatening events show the set of ATT&CK techniques compiled from the underlying events.
Many reports and summary reviews also incorporate ATT&CK as a dimension to further your understanding of what techniques are being used in your environment (including a heatmap of techniques involved in confirmed threats).
What if Red Canary identifies a technique that is not in ATT&CK?
If Red Canary identifies an adversary technique that isn’t yet included in ATT&CK, we create a new technique identifier prefixed with RC (instead of the typical T prefix). We then submit that technique to the ATT&CK team. Once it is added to ATT&CK, we remove the RC prefix and replace it with the new identifier.
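As an added illustration (not Red Canary's own code), the following Python models the mappings described above: detectors mapped to techniques, a confirmed threat's technique set compiled from the detectors that fired on its underlying events, a coverage heatmap tally, and the swap of a provisional RC identifier for the T identifier ATT&CK assigns once the technique is accepted. The detector names, RC0001 and T9999 are constructed placeholders; the other T ids are real ATT&CK techniques.

```python
import re
from collections import Counter

# ATT&CK ids look like T1059 or T1059.001; provisional Red Canary ids use an RC prefix.
TECHNIQUE_ID = re.compile(r"^(?:T|RC)\d{4}(?:\.\d{3})?$")

# Constructed sample detectors (names are hypothetical). The T ids are real ATT&CK
# techniques; RC0001 is a placeholder for a technique not yet accepted by ATT&CK.
DETECTORS = {
    "powershell_encoded_command": {"T1059.001", "T1027"},
    "powershell_download_cradle": {"T1059.001", "T1105"},
    "rundll32_proxy_execution": {"T1218.011"},
    "novel_behavior": {"RC0001"},
}


def is_technique_id(tid):
    """True for a well-formed ATT&CK (T) or provisional Red Canary (RC) id."""
    return bool(TECHNIQUE_ID.match(tid))


def techniques_for_detection(detectors, fired_detector_ids):
    """Compile a confirmed threat's technique set from the detectors that fired
    on its underlying events (a union, so each technique appears once)."""
    techniques = set()
    for detector_id in fired_detector_ids:
        techniques.update(detectors[detector_id])
    return techniques


def coverage_heatmap(detectors):
    """Heatmap intensity: how many detectors cover each technique."""
    return Counter(t for techs in detectors.values() for t in techs)


def promote_rc_technique(detectors, rc_id, attack_id):
    """Once ATT&CK accepts a provisional technique, replace the RC id with the
    assigned T id in every detector mapping (returns a new dict)."""
    if not (rc_id.startswith("RC") and is_technique_id(rc_id)
            and attack_id.startswith("T") and is_technique_id(attack_id)):
        raise ValueError(f"bad id pair: {rc_id!r} -> {attack_id!r}")
    return {name: {attack_id if t == rc_id else t for t in techs}
            for name, techs in detectors.items()}


if __name__ == "__main__":
    print(techniques_for_detection(DETECTORS, ["powershell_encoded_command", "novel_behavior"]))
    print(coverage_heatmap(DETECTORS).most_common(3))
    # T9999 stands in for whatever id ATT&CK would assign; it is not a real technique.
    print(promote_rc_technique(DETECTORS, "RC0001", "T9999")["novel_behavior"])
```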
How can I see what ATT&CK techniques Red Canary detects?
We provide an ATT&CK matrix heatmap that shows the technique coverage Red Canary contributes to your security program.
Learn more about using ATT&CK heatmaps to understand Red Canary's detection coverage.
Does Red Canary support ATT&CK subtechniques?
Red Canary has worked with the ATT&CK team throughout their definition of subtechniques and is very excited about how they improve the usability of ATT&CK. Subtechniques will be supported throughout Red Canary as soon as MITRE completes their release.