Threat Detection

Lateral Movement Using WinRM and WMI

Tony Lambert

Many organizations invest millions of dollars to bolster their systems and prevent attackers from gaining entry. Much less attention is given to the concept of lateral movement within an organization. Yet we’ve seen time and time again that once an adversary breaks through the crunchy outer layer of the network, the gooey center quickly becomes trivial to move about. Stopping …

Atomic Red Team Training Session

Research in Action: How to Test Your Defenses With Atomic Red Team

Casey Smith, Michael Haag

In the weeks since we launched the Atomic Red Team testing framework, we’ve been blown away (no pun intended) by the security community’s response. Yesterday we had a hands-on training session, and it was even more exciting to hear directly from teams that are beginning to use the framework to improve their detections. We had so many great questions from attendees, …

Carbon Black and Splunk

Operationalizing Carbon Black Response with Splunk (Part 2): Advanced Data Analysis

Michael Haag

Data analysis (or as some call it, Threat Hunting) can be cumbersome and overwhelming at any scale. However, Splunk has the ability to greatly reduce this complexity. In the first part of our Carbon Black Response and Splunk series, we focused on retrieving your data from Carbon Black Response and getting it into Splunk. Now it’s time to take a …

Gaining Visibility

The Scariest Threats? The Ones We Cannot See

Casey Smith

It’s Halloween—my favorite time of year. If you think about most scary movies, what is it that scares us most? I propose that the scary things, the really scary things, are the ones we can’t see. From the popular (and awesome) show Stranger Things to classics like Paranormal Activity, Predator, and Aliens, the evils we cannot see are often the most terrifying. …

Atomic Red Team Testing

Red Canary Introduces Atomic Red Team, a New Testing Framework for Defenders

Casey Smith

How do you know your security solutions are tuned and ready to face actual adversaries? Are you testing new or existing products to provide assurances for detections? If you’re like many teams, you may lack the internal resources or expertise to simulate a specific adversary tactic or technique. That is why we recently created Atomic Red Team, a testing framework …

How to Quickly Automate a Response Playbook With Carbon Black

Keith McCammon, Chief Security Officer

Outwardly, Red Canary appears to focus heavily on the “Detection” in Endpoint Detection and Response. Much of what we share addresses the need to understand the platforms that we defend, and techniques that can be applied to detect threats to those platforms in a manner that lends to both accuracy and scale. But this is not to say that we …

“What’s Your SitRep?” How Practitioners Can Use EDR Data to Understand Their Environments

Frank McClain

If you watch any “tactical” shows about special operations (“SpecOps”) groups—whether military, government, or law enforcement—you have come across the use of jargon. In fact, the concept has bled over quite thoroughly into security operations (“SecOps”) as well. In this case, we’re talking about the request for a “SitRep,” or Situational Report. This is the equivalent of someone asking, “Hey, …