2017 was a big year for the Red Canary blog! We wrote dozens of articles and added a roster of outstanding contributors—ranging from security analysts, threat researchers, technical account managers, and incident responders to C-level security experts both inside and outside of Red Canary.
A few articles really caught the attention of the security community in 2017, so we wanted to highlight them again to wrap up the year. Enjoy!
By Ben Downing, Security Analyst
The Windows API is a large, complex topic with decades of development history and design behind it. Although it is far too vast to cover in a single article, even a cursory knowledge is enough to improve event analysis and basic malware analysis skills. Understanding how Windows works can help defenders to better understand and defend against threats, know where attackers might be hiding, and identify improvements to limit attackers’ abilities.
This Windows technical deep dive provides an overview of what the Windows API is, how and why executables use the API, and how to apply that knowledge to improve defenses.
By Casey Smith, Director of Applied Research
We often use the warfare analogy when talking cyber security. It is a model that works well to articulate the landscape and posture organizations need to take when thinking about securing their environments. As Michael Hayden famously said: “You are in the fight, whether you thought you were or not.” While you don’t get to choose the time and place the attacker may show up, you certainly can choose how you prepare and train for the fight.
This article walks through three practical steps to help organizations prepare to face modern threats with constrained resources.
By Casey Smith, Director of Applied Research, and Michael Haag, Director of Advanced Threat Detection & Research
Many security teams lack the internal resources or expertise to simulate a specific adversary tactic or technique. That’s why Red Canary’s Applied Research Team created Atomic Red Team, an open-source testing framework that enables defenders to test their detections against a broad spectrum of attacks. The framework is made up of small, highly portable detection tests mapped to the MITRE ATT&CK Framework. Each test is designed to map back to a particular tactic.
This article walks through how to use the Atomic Red Team framework and includes a short “how-to” video.
By Michael Haag, Director of Advanced Threat Detection & Research
Security professionals often ask: “What is the best product to prevent ransomware?” But there is not a single product to solve all the problems. Your strategy to defend against ransomware needs to go beyond the standard backups and “up-to-date” anti-virus definitions. A defense-in-depth, holistic security program is required to prevent ransomware, and more importantly to detect it.
Whether you have dealt with ransomware or are preparing for it, this article provides helpful guidance by sharing practical techniques and technical controls that you can use to detect and prevent ransomware.
By Joe Moles, Director of Detection Operations
Threat hunting, like most market buzzwords, started with a concept or an idea, and then got overused and misused by every vendor, blogger, and Twitter account with an opinion. This has led to a lot of confusion for security teams that want to build a threat hunting capability. So what is threat hunting and how do you do it? This article breaks through the myths and shares a systematic approach.
By Keshia LeVan, Security Analyst
There are some pretty cool PowerShell frameworks out there, which means it’s relatively common to see PowerShell doing nefarious things. This post walks through several common methods that attackers use, including a relatively novel way to bypass UAC in order to elevate commands to run with Administrative privileges via Wscript and a file written to an ADS, illustrated using data derived from the Carbon Black Response Endpoint Detection and Response (EDR) platform.
By Kyle Rainey, Security Analyst
Tabletop simulations provide a great vehicle for organizational awareness and training for inevitable security incidents. They allow a team to come together in a low-stress environment and assess their procedures and plans. Yet for most organizations, these exercises are conducted once a year as a compliance requirement or to spend unused retainer hours from an incident response services provider. So how do we better design and deliver a simulation that drives our security program toward a state of continuous improvement?
Looking Ahead to 2018: A Note From the Editor
As Red Canary grows, so does our roster of contributors. This is a truly unique quality. Our analysts, researchers, technical account managers, and security strategists have a variety of backgrounds and skillsets. They come from all parts of the country. But they share one common mission: make security better for organizations of all sizes.
Looking back at the articles we published this year reminded me of the quote: “The whole is greater than the sum of its parts.” Individually, our writers represent some of the industry’s best and brightest minds. Together, we are a team of experts with the potential to truly make security better.
The Red Canary blog will continue to bring security professionals new ideas, hands-on techniques, and educational resources for improving their security programs. Here’s to another year of great security—and great blogs!
Have an idea for a blog post? Want to join our team of contributors? We’re always on the lookout for new talent and ideas. Pitch your ideas to: firstname.lastname@example.org.