Detection Profile: Silent Periodic Activity

One hallmark for many malware events is the regular periodic behavior they present when rallying for and checking in with their command and control servers. The check-in interval can be a very useful metadata point in hunting an adversary. However, the constant state of change that attackers can use for their own infrastructure makes this […]

20 CIS Critical Security Controls – How Red Canary Stacks Up

The 20 CIS Critical Security Controls are widely viewed as the “Gold Standard” framework for building and evaluating an organization’s security program. In this article, we will look at several of these controls and how Red Canary helps our clients improve their security posture in meaningful ways. (Full disclosure: I am a SANS Certified Instructor, […]

What Red Canary Detects, Part I: Overview & Malicious Software

We want every detection that we produce to result in action. Actions are organization-specific and may include remediation, investigation, or simply a discussion related to configuration management. In this series we examine what Red Canary detects in the context of the classifications used to describe and group these threats for our customers. The primary purpose of […]

“Operation Cleaver” Blade Dulled

“Operation Cleaver” is an attack campaign Cylance details in a new report. They contend an Iran-based attack group has compromised hundreds of targets in multiple countries and industries. Regardless of the claims of attribution, the message is clear: well-financed, strategically focused attack groups continue to digitally plunder their targets. As a community, our decades-old approach to […]

Are Rogue Code Signing Keys in Your Environment?

Although this specific example has been exposed as part of a joke, the threat is real – code signing keys are often targeted by advanced attackers. Keys stolen during other breach operations have been used to sign malicious software. Perhaps this was inevitable – it appears the attackers behind the Sony breach are using stolen code signing keys […]

Detecting CVE-2014-1776: Internet Explorer Zero-Day

Red Canary is actively detecting CVE-2014-1776, the latest “Internet Explorer zero-day,” on the endpoint by leveraging our global network of managed Bit9+Carbon Black sensors. This post provides some insight into how you can do the same. We know this exploit targets Internet Explorer (iexplore.exe), requires VGX.dll be loaded by the targeted iexplore.exe process, and is […]