Slaying Evil Around the Clock with Red Canary’s Cyber Incident Response Team

Keya Horiuchi

Red Canary’s Cyber Incident Response Team (CIRT) is comprised of two groups: detection engineers and incident handlers. Our blog posts often focus on threats we detect, but it’s rare to get a glimpse of our incident handlers in action. This article will walk through a recent threat in a customer’s environment, from the initial discovery to the incident handling team’s …

Operationalizing Carbon Black Response with Splunk (Part 2): Advanced Data Analysis

Michael Haag

Data analysis (or as some call it, Threat Hunting) can be cumbersome and overwhelming at any scale. However, Splunk has the ability to greatly reduce this complexity. In the first part of our Carbon Black Response and Splunk series, we focused on retrieving your data from Carbon Black Response and getting it into Splunk. Now it’s time to take a …

The Scariest Threats? The Ones We Cannot See

Casey Smith

It’s Halloween—my favorite time of year. If you think about most scary movies, what is it that scares us most? I propose that the scary things, the really scary things, are the ones we can’t see. From the popular (and awesome) show Stranger Things to classics like Paranormal Activity, Predator, and Aliens, the evils we cannot see are often the most terrifying. …

How to Quickly Automate a Response Playbook With Carbon Black

Keith McCammon, Chief Security Officer

Outwardly, Red Canary appears to focus heavily on the “Detection” in Endpoint Detection and Response. Much of what we share addresses the need to understand the platforms that we defend, and techniques that can be applied to detect threats to those platforms in a manner that lends to both accuracy and scale. But this is not to say that we …

“What’s Your SitRep?” How Practitioners Can Use EDR Data to Understand Their Environments

Frank McClain

If you watch any “tactical” shows about special operations (“SpecOps”) groups—whether military, government, or law enforcement—you have come across the use of jargon. In fact, the concept has bled over quite thoroughly into security operations (“SecOps”) as well. In this case, we’re talking about the request for a “SitRep,” or Situational Report. This is the equivalent of someone asking, “Hey, …

Operationalizing Data With the Carbon Black and Splunk Integration (Part 1)

Michael Haag

Over the last 5 years I have grown very close to Splunk. The product has evolved so much over the years, but the core architecture has always been easy to deploy and understand. Splunk is known for the speed at which it can search for data, the reliability of its architecture, and the ability to spin up multiple indexers and …

“semaG dna nuF” with Right-to-Left Override Unicode Characters

Red Canary

Our Security Operations team loves to share insights on TTPs when we see them in the wild. Today we’re focusing on an oldie but a goodie: right-to-left override attacks. First, a Refresher on Right-to-Left (RLO) Overrides. Unicode contains several characters designed to allow right to left (RTL) characters to be inserted inside text that is normally left to right. One …