Building a SOC

Security Operations Lessons: What My Team Learned Building and Maturing a SOC

Scott Worden, Security Engineer

Building and maturing a Security Operations Center (SOC) is different for every organization. In this guest post, a security engineer at an insurance company in the Midwest shares what he learned as part of a three-person security team charged with implementing a SOC. The following views are his own and not those of his organization or team. Someone once said …

Lateral Movement and Cryptomining

Tried-and-True Tactics: How an Adversary Mixed Lateral Movement and Cryptomining

Tony Lambert

Cryptomining continues to be a hot topic as the values of cryptocurrencies fluctuate, and adversaries use mining as an easy way to make money without needing escalated privileges. In my last detection post, I wrote about mining as the objective of exploitation against Oracle WebLogic systems. In this detection, we’ll look at how one adversary supplemented operations with a little …

Red Canary Threat Response

How an IT Service Provider and Red Canary Stopped a Malware Outbreak

Eric Groce

A technical account manager recounts how Red Canary partnered with an IT service provider to help one of their customers stop a rapidly spreading network worm. The article goes behind the scenes of the incident response effort and shares best practices to avoid a breach. Most IT service providers can relate to the following scenario: It’s an idle Thursday. You …

When Web Servers Go Cryptocurrency Mining

Tony Lambert

Miners and canaries have had a long and storied history, but Red Canaries aren’t too fond of miners. Cryptocurrency miners, that is. Recent booms in cryptocurrency values have made cryptocurrency mining an attractive way for anyone with a computer to earn some extra money. The trouble is, the average user would spend more money performing mining activities and paying for …

Threat Hunting With Entropy

Using Entropy in Threat Hunting: a Mathematical Search for the Unknown

Ben Downing

“Antivirus is dead” is a common refrain in the information security space, but if you look below the surface, what it really means is “atomic indicators are dead.” While there is value in static indicators, they are the bare minimum standard for detection these days and suffer from numerous drawbacks. Behavioral indicators are the next level, which use knowledge of …

Credential Access

Damage from Malicious Admins and Credential Access

Tony Lambert

Good security sometimes requires us to get back to basics on a number of things, including how we use and secure administrative credentials. Admin accounts enable us to configure all sorts of technologies, from software installations and Windows network controls to WordPress servers. If you can administer it, odds are good that there’s a special account for it. Because these …

Detecting Application Shimming: A Story About Continuous Improvement

Frank McClain

A long time ago, in a land far away, there lived a shim detector. The shim detector monitored data coming from Endpoint Detection and Response (EDR) platforms, watching for modifications to certain registry paths. It did its job well, but unfortunately it made so much noise that analysts didn’t want to listen to what it had to say. So What’s …