Red Canary’s 2021 Threat Detection Report is hot off the presses, offering detection guidance and other actionable intelligence for security professionals of all stripes. This year we added some new features to complement our usual top 10 MITRE ATT&CK techniques, including a list of the top 10 threats we observed in 2020 and an accompanying playlist to get you hyped.
The Threat Detection Report helps you answer the following questions:
- How do I get started with MITRE ATT&CK?
- What threats and techniques are most prevalent?
- Which data sources are most useful?
- How can I detect those threats and techniques?
- What does “malicious” look like?
You can read the report in full, watch the recording of our launch event, or view the clips below for highlights.
After taking in our analysis, here are five things you can do right now to apply it:
1. Determine your unique detection priorities.
Review the top 10 threats and MITRE ATT&CK techniques with your colleagues and start a conversation about what applies to your environment and what doesn’t. Try to determine where you’ve got strong security controls and where you don’t. Take stock of your IT infrastructure, especially legitimate tools known to be co-opted by bad guys. Where do you expect to see PowerShell? Should it ever be encoded or making network connections? How often do your admins schedule tasks? What are the contents of those scheduled tasks? Context is key.
Watch the Threat Detection Report authors break down the two top 10 lists and give insight into Red Canary’s visibility and approach:
2. Jump on our detection opportunities.
Valuable intel doesn’t just tell a story—it informs decisions. Each of our top 10 threats is paired with detection opportunities that you can immediately implement to get ahead of certain telltale behaviors. The majority of our top 10 threats are known ransomware precursors (i.e., they are trojans known to deliver ransomware payloads), meaning that our detection logic could help you stop a ransomware infection in its tracks.
Katie Nickels and Aaron Didier walk through opportunities for detecting TA551 and Qbot:
3. Sharpen your visibility by curating your data sources.
You can’t detect what you can’t see. But with an ever-growing supply of telemetry data sources, where does one start? The Threat Detection Report includes recommended collection sources for each of the top 10 ATT&CK techniques. For enterprises that rely on endpoint detection and response (EDR), we’ve found that process and command-line monitoring are extremely effective data sources for observing and detecting malicious behaviors.
Brian Donohue and Shane Welcher highlight why process and command-line monitoring are particularly effective collection sources:
4. Test and validate with Atomic Red Team.
So you’ve tuned your detection logic, now what? Adversary emulation tools like Atomic Red Team can help you generate telemetry and verify your detection capabilities. We’ve included an atomic test for each of the top 10 ATT&CK techniques in the Threat Detection Report, with step-by-step instructions to get started.
Adam Mashinchi and Matt Graeber closed out the launch event with a live demo of an atomic test for Scheduled Task (T1053.005):
5. Join the conversation!
We know… the Threat Detection Report is a lot (the PDF version is 122 pages!). We would love to hear your questions and any insight into the ways your team is using this data. Chime in by emailing blog@redcanary.com, joining the Atomic Red Team Slack channel, or connecting with us on Twitter.
Related Articles
The Trainman’s Guide to overlooked entry points in Microsoft Azure