Red Canary ATT&CK Demo

Integrating MITRE ATT&CK™ into Red Canary detections

Mapping adversarial behaviors to ATT&CK techniques lets us communicate with our customers in a common, consistent language, while also enabling them to quantify their detection ability and measure improvement.
The Red Canary engine parses vast amounts of endpoint telemetry on a daily basis, discarding normal activity and raising potentially malicious behaviors to our cyber incident response team (CIRT) for human analysis. When our analysts confirm that a behavior is in fact malicious, suspicious, or otherwise unwanted, they send a detection containing detailed information about the confirmed threat to the affected customer.

Each detection includes a list of the MITRE ATT&CK techniques that correspond to the behaviors it describes.

Four tools to consider if you’re adopting ATT&CK

Testing the Top MITRE ATT&CK Techniques: PowerShell, Scripting, Regsvr32

Getting Started with ATT&CK? New Report Suggests Prioritizing PowerShell

ATT&CK™ Is Only as Good as Its Implementation: Avoiding Five Common Pitfalls

Using MITRE ATT&CK™ When Researching Attacker Behavior and Running Unit Tests

Q & A: How to Use the MITRE ATT&CK™ Framework to Mature Your Threat Hunting Program

Red Canary ATT&CKs (Part 2): Designing ATT&CK Interfaces in Red Canary

Red Canary ATT&CKs (Part 1): Why We’re Using ATT&CK Across Red Canary