Introduction

Welcome to the 2021 Threat Detection Report

This in-depth look at the most prevalent ATT&CK® techniques is designed to help you and your team focus on what matters most.


By the numbers:
  • 14M investigative leads
  • 20K confirmed threats
  • 1 report

Welcome to Red Canary’s 2021 Threat Detection Report. Based on in-depth analysis of roughly 20,000 confirmed threats detected across our customers’ environments, this research arms security leaders and their teams with actionable insight into the malicious activity and techniques we observe most frequently.

Using the MITRE ATT&CK® framework as scaffolding, our analysis offers a bird’s eye view of the malicious behaviors that you’re most likely to encounter—and empowers you to address those threats head on with detailed detection strategies that you can implement immediately. Whether you’re a CSO weighing next year’s infosec budget, an intel analyst on the trail of a specific threat actor, or an engineer looking to tune your detection logic, the Threat Detection Report has insight for security professionals of all stripes.

How to use the report:
  • Start perusing the most prevalent techniques and threats to see what we’ve observed in our customers’ environments
  • Explore how to detect and mitigate specific threats and techniques with ideas and recommendations from our detection engineers, researchers, and intelligence analysts
  • Talk with your team about how the ideas, recommendations, and priorities fit into your security controls and strategy

More granular analysis

MITRE ATT&CK’s adoption of sub-techniques transformed the overall structure of the report as well as the scope of Red Canary’s technique analysis.

Intel-fortified

Our Intelligence Team compiled the top 10 most prevalent threats we encountered in 2020, putting the top 10 techniques in context with malware and other activity that leverages them.

The return of the PDF

You asked, we listened! By popular demand, this year’s report is available not only in web format, but also in PDF format so you can annotate it to your heart’s content.


The Threat Detection Report is derived from all of the confirmed threats Red Canary detects across our customer base for a given year. To understand the report, you have to understand the data upon which it’s based.

On average, we gathered 400 billion pieces of telemetry from our customers’ endpoints on a daily basis in 2020. That telemetry was continually parsed against a library of thousands of detection analytics, which ultimately surfaced 14 million investigative leads over the year for our detection engineers to review for potentially suspicious or malicious activity.

Excluding detections associated with potentially unwanted programs like adware, we detected 20,000 confirmed threats in 2020. Each of those threats can be mapped to one or more MITRE ATT&CK techniques and many of them are associated with specific threats. This report is an analysis of the adversary techniques we detected most often by a measure of total threat volume and the threats we detected most often by a measure of customers affected.

You can learn more about the data and methodologies behind the report in the methodologies section.


It takes an army to produce a research piece of this magnitude. Thanks to the detection engineers, researchers, intelligence analysts, writers, editors, designers, developers, and project managers who invested countless hours in this report—and the operational work it’s derived from. And a huge thanks to the MITRE ATT&CK team, whose framework has helped the community take a giant leap forward in understanding and tracking adversary behaviors.