Top threats

The following chart illustrates the specific threats Red Canary detected most frequently across our customer environments in 2021. We ranked these threats by the percentage of customer organizations affected to prevent a single, major malware outbreak from skewing the metrics.

As discussed in our Methodology section, we chose to define “threats” broadly as malware, tools, threat groups, or activity clusters. Eight of our top 10 threats are malware families or tools, while one (TA551) is a threat group named by another team (Proofpoint) and another an activity cluster created by Red Canary (Yellow Cockatoo). This is expected because distinct malware families and tools are often more straightforward to identify, while associating activity to threat groups or activity clusters requires longer-term analysis that may extend beyond the year.

This was our second year tracking top threats. When compared to the top threats in 2020, the overall percentage of customers affected by each threat was down. For example, in 2020, 15.5 percent of customers were affected by TA551, compared to 10.2 percent of customers in 2021. While it’s unclear whether this is anything more than a natural ebb and flow of activity, we suspect one factor is the overall increase in detection volume we observed in 2021.

Note: We analyzed each of the top 10 threats in last year’s Threat Detection Report. However, since there is significant overlap between the top threats for 2021 and 2022, we opted only to analyze new entrants to the top 10 or reanalyze existing top 10 threats that have changed significantly.

How to use our analysis

These are the most prevalent threats occurring in our customer environments, so we can assume they are prevalent elsewhere. We include advice for responding to each threat and offer detection opportunities so you can better defend your organization. Some defenders may be able to take our detection guidance and apply it directly, while others may not. Regardless, defenders without a detection engineering function can still make use of the actionable analysis of each threat written by our Intelligence team experts.