Welcome to Red Canary’s 2020 Threat Detection Report. Based on in-depth analysis of tens of thousands of threats detected across our customers’ environments, this research arms security leaders and their teams with a unique understanding of the threats they’re facing.
We’ve leveraged the common language of MITRE ATT&CK to categorize confirmed threats, but our analysis focuses on providing a comprehensive view of adversary techniques that are most likely to occur in your environment. You’ll find unique intelligence to inform your thinking, help you prioritize investments, and educate your team on how to detect and shut down adversaries.
Talk with your team about how the ideas, recommendations, and priorities fit in with your environment.
Watch this on-demand webinar for a behind the scenes look at our 2020 Threat Detection Report. Learn how we uncovered the most prevalent ATT&CK techniques and how you can use the findings to your advantage.
Behind the data
Since 2013, Red Canary has delivered high-quality threat detection to organizations of all sizes. Our platform collects hundreds of terabytes of endpoint telemetry every day, surfacing evidence of threats that are analyzed by our Cyber Incident Response Team (CIRT). Confirmed threats are tied to corresponding ATT&CK techniques so that our customers clearly understand what is happening in their environments. This report is a summary of confirmed threats derived from this data.
The report excludes low-severity detections of unwanted software, such as adware. We’ve tagged each confirmed threat with the corresponding ATT&CK technique(s) based on the detection logic used to identify the threat.
What's new in 2020
Last year’s inaugural report summarized all such data available across Red Canary’s entire history. This year’s report focuses on the more than 15,000 threats we detected between January and December 2019, comparing them to threats detected over the same period in the prior year.
ATT&CK techniques do not occur in isolation, so it is important to understand how adversaries leverage multiple techniques to accomplish their goals. This year’s report identifies ATT&CK techniques that are used in concert by adversaries and their tools.
Our threat rankings are determined entirely by detection volume. As a result, a sizable outbreak in one environment can have a disproportionate impact on our entire dataset. To combat that, we’ve included analysis on supplemental techniques that are outside the top 10 but affected many customers.
Each technique section includes detailed guidance on data sources security teams can use to observe related threats. We also provide specific telemetry patterns that are useful for detecting threats, as well as those that are prone to false positives.
Meet the Authors
It takes an army to produce a research piece of this magnitude. Thanks to the detection engineers, data analysts, editors, designers, developers, and project managers who invested countless hours in this report. And a huge thanks to the MITRE ATT&CK team, whose framework has helped the community take a giant leap forward in understanding and tracking adversary behaviors.