Part of our mission at Red Canary is to detect threats that matter before they matter. Execution requires delivering MDR everywhere—across your endpoints, network, identities, cloud and beyond—to detect adversaries as early as possible.
In line with that mission, we’re excited to announce new integrations and capabilities that broaden the scope of Red Canary MDR.
Red Canary now integrates with Amazon GuardDuty, a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. More specifically, Amazon GuardDuty analyzes S3 buckets, container workloads, instance workloads, and your AWS accounts and users. The solution sends you alerts whenever it detects suspicious activity.
We now analyze all of your Amazon GuardDuty alerts. Our software standardizes, correlates, and enriches those alerts, and our detection engineers determine which alerts are likely benign or indicative of a threat.
We’ve already discerned suspicious activity from GuardDuty alerts and notified our customers. In one recent example, we reviewed an alert describing unblocked communications between an EC2 instance and an IP address, and that IP address appeared on a customer’s threat list. We designated this as suspicious activity so the customer could focus attention on a threat that mattered, not noise.
Red Canary now integrates with the Dragos Platform. Dragos is an industrial control system (ICS) cybersecurity technology that rapidly pinpoints threats through intelligence-driven analytics, identifies and prioritizes vulnerabilities, and provides best-practice playbooks to guide teams as they investigate and respond to threats before they cause significant impacts to your operations, processes, or people. The Dragos Platform ensures your security team is armed with the most up-to-date technology and intelligence to combat the world’s most sophisticated industrial adversaries.
We now analyze all of your Dragos alerts and have already helped customers distill signals from noise. For example, a customer recently received alerts from Dragos that indicated possible DoublePulsar backdoor and EternalBlue exploit activity. We know that this backdoor and exploit have been used together to spread WannaCry ransomware. Seeing different alerts come in simultaneously related to EternalBlue and DoublePulsar makes it very unlikely that these were false positives. Given the severity of possible pre-WannaCry activity, our Incident Handling team contacted the customer to bring the issue to their attention and guide them through response and remediation as necessary.
Detecting email account compromise in Office 365
Business Email Compromise (BEC) is an extremely common and costly scam: according to the FBI Internet Crime Complaint Center (IC3), dollar losses from BEC increased by 65% between July 2019 and December 2021, with overall losses between June 2016 and December 2021 totaling $43B.
This integration is significant because we not only analyze alerts from Office 365, but we also ingest raw telemetry. We now apply our own Red Canary detections to Microsoft Unified Audit Logs to detect email account compromise, a type of BEC in which a threat actor gains access to a user’s legitimate email credentials and uses them to attempt fraud. Detecting email account compromise early is critical, as fraudulent requests for money or credentials are even more difficult to discern if they’re coming from a legitimate, known email account.
An early approach we take to combating email account compromise is detecting suspicious email forwarding rule creation. Check out this detailed blog post by Red Canary researchers and detection engineers to learn more about how we analyze email forwarding rules as well as more generally how to use O365 telemetry to detect BEC.
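To illustrate the kind of forwarding-rule check described above, here is an added example (not Red Canary's detection logic or code) that runs over a few constructed Unified Audit Log records. It assumes the Exchange audit schema's layout (an `Operation` of `New-InboxRule` or `Set-InboxRule` and a `Parameters` list of `Name`/`Value` pairs); the addresses, IPs and tenant domain are invented.

```python
import json

# Constructed sample Unified Audit Log records (not real customer data).
# Layout follows the Exchange audit schema as assumed above; all values are invented.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "ForwardTo", "Value": "outside@mail.example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "Workload": "Exchange",
                "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Identity", "Value": "Receipts"},
                               {"Name": "MoveToFolder", "Value": "Archive"}]}),
    json.dumps({"Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": "carol@example.com", "ClientIP": "192.0.2.44",
                "Parameters": [{"Name": "Name", "Value": "Team copy"},
                               {"Name": "RedirectTo", "Value": "dave@example.com"}]}),
]

INTERNAL_DOMAINS = {"example.com"}          # hypothetical tenant domain(s)
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def rule_parameters(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address, internal_domains):
    """True when the address's domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def suspicious_forwarding_rules(lines, internal_domains=INTERNAL_DOMAINS):
    """Return (user, reasons) for inbox-rule changes that send mail outside the tenant."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = rule_parameters(rec)
        external = [params[k] for k in FORWARD_PARAMS
                    if k in params and is_external(params[k], internal_domains)]
        if not external:          # internal-only moves/redirects are normal user behaviour
            continue
        reasons = ["forwards mail to external address(es): " + ", ".join(external)]
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes the original, hiding the forward from the mailbox owner")
        hits.append((rec.get("UserId"), reasons))
    return hits
```

Real `ForwardTo` values may carry directory or display-name formatting, so a production version would normalise the recipient string before the domain check.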