First Look: 2020 Threat Detection Report

Join us for a behind-the-scenes look at our 2020 Threat Detection Report. Learn how we uncovered the most prevalent ATT&CK® techniques and how you can use the findings to your advantage.


02:49 Panelist Introduction

04:20 Why we produce the Threat Detection Report

06:50 “We are day in and day out doing security operations work with our customers” -Keith

07:55 “How do you get started with all of these different techniques? Prioritizing. Prioritizing based on what real threats are doing, and we have that visibility at Red Canary, so why not share that?” -Katie

08:12 Webinar Agenda

09:11 What data we use to create the report

09:52 “Throughout 2019, on average, we were parsing roughly 200 billion pieces of endpoint telemetry per day. To put it another way, we were ingesting about 115 terabytes of telemetry on a daily basis. That all gets forwarded into our platform. Our platform also has a variety of detection criteria built into it that is developed by our detection engineering team. It’s roughly 1,500 or so behavioral analytics that parse through this endpoint data and look for matches.” -Brian

11:28 “We attempt to map all of these behaviors back to a MITRE ATT&CK technique. Each of those 1,500 confirmed threat detections will include one or more ATT&CK techniques that are associated with them.” -Brian

12:20 What’s in the report

13:24 “Threats don’t occur in isolation. Threats are generally parts of attacks, and attacks are parts of campaigns. Even at the bottom level, any given threat is going to be made up of many different behaviors.” -Brian

16:05 Reviewing the top ATT&CK techniques

16:44 The top ATT&CK techniques by industry

16:44 Overview of Industries: Finance, Education, Healthcare, Retail, Manufacturing, Services, Technology, Energy, and Transportation.

17:13 The top ATT&CK technique – Process Injection

21:32 Understanding the trends we are seeing

23:20 “None of these tactics occur in isolation. Even one piece of malware is going to exhibit a number of these behaviors. The top 10 doesn’t appear out of thin air. It is the product of a lot of adversary tactics they are trying. They are seeing what sticks, and the things that stick, we can expect to see more of. Last year’s data was a great exemplification of the phenomenon.” -Keith

24:30 “No matter what the threat was, it followed a relatively similar pattern based on three overarching phases: how they get in, how they get around, and how they get paid.” -Tony

25:09 “Where an adversary starts on a network is not the place they are going to end up.” -Tony

26:15 “Our data in this report is shaped in no small way by Trickbot engagements. The behaviors that Trickbot uses in its infections are very prevalent in our top 10.” -Brian

32:39 “The biggest trend we saw in the last year was lateral movement was pretty much automatic. It happened in a variety of ways. Trickbot, Emotet, and several other malware threats can use SMB exploitation to get around, but why burn an exploit when you can just use legitimate credentials? In many cases, we saw legitimate credentials were cracked, stolen, or guessed from various malware families. Those were used to get around automatically.” -Tony

37:54 “There is a tight correlation between requested access codes and particular pieces of malware or particular behaviors going and accessing credentials. That can lead to really successful detection, and that understanding is really valuable for implementing preventative controls.” -Keith

42:20 “The last two years have been dominated by the trend of get a foothold, move laterally, and then lock up an entire enterprise.” -Keith

45:19 Commands we have seen for different techniques

48:29 How you can put this information into action

48:59 For Analysts

49:47 “This whole report is about assessing priorities. Are you spending too much time on threats that aren’t relevant to you? Do you know what you are likely to face? The most important part of all of this is learning what to look for. Understand what malicious looks like in your environment in the telemetry.” -Brian

50:40 “Every organization is going to have different threats. They’re not going to be distributed equally.” -Katie

51:48 For Architects

52:35 “The best intelligence you can have in your organization comes from the inside. The first thing you want to do is go talk to your analysts and your IT people and figure out what threats they are worried about. Take the threats they are worried about and compare them to the report.” -Tony

54:30 For Leaders

56:52 “No matter what type of team you lead, you take all of the stuff we talked about and tie it up in a nice bow for the people you lead and work with directly. No matter the level, everyone is getting better.” -Keith

57:20 Key Takeaways

57:45 “Take a look at what we have and then apply that to where your visibility gaps are and where you need to improve your detection.” -Katie

59:00 Questions & Answers

59:08 Question 1: Any observations on Cobalt Strike usage during our response engagement and what we are seeing this year?

01:00:15 “Where Cobalt Strike has made things interesting this year is that we have seen multiple adversaries in the same environment.” -Tony

01:01:50 Question 2: How do we detect bad use of good tools?

01:05:09 “The best thing you can do to get started on this is to focus 80% of effort on what has been publicly documented. Don’t worry about chasing all the hypothetical uses until after you get that 80% done.” -Tony

Panelists:
Keith McCammon
Brian Donohue, Security Analyst
Tony Lambert, Detection Engineer
Moderated by Katie Nickels, Principal Intelligence Analyst
Related posts:
  • March 26, 2020: 2020 Threat Detection Report: the conversation continues
  • March 25, 2020: Q&A: Insights from the Red Canary 2020 Threat Detection Report
  • March 18, 2020: Worms shape the narrative in Red Canary’s 2020 Threat Detection Report
  • March 11, 2020: What F1 racing can teach us about telemetry