How to Quickly Automate a Response Playbook With Carbon Black

Keith McCammon, Chief Security Officer

Outwardly, Red Canary appears to focus heavily on the “Detection” in Endpoint Detection and Response. Much of what we share addresses the need to understand the platforms that we defend, and techniques that can be applied to detect threats to those platforms in a manner that lends to both accuracy and scale. But this is not to say that we … Read More

“What’s Your SitRep?” How Practitioners Can Use EDR Data to Understand Their Environments

Frank McClain

If you watch any “tactical” shows about special operations (“SpecOps”) groups—whether military, government, or law enforcement—you have come across the use of jargon. In fact, the concept has bled over quite thoroughly into security operations (“SecOps”) as well. In this case, we’re talking about the request for a “SitRep,” or Situational Report. This is the equivalent of someone asking, “Hey, … Read More

Carbon Black Splunk threat hunting

Operationalizing Data With the Carbon Black and Splunk Integration (Part 1)

Michael Haag

Over the last 5 years I have grown very close to Splunk. The product has evolved so much over the years, but the core architecture has always been easy to deploy and understand. Splunk is known for the speed at which it can search for data, the reliability of its architecture, and the ability to spin up multiple indexers and … Read More

right-to-left-override unicode attacks

“semaG dna nuF” with Right-to-Left Override Unicode Characters

Red Canary

Our Security Operations team loves to share insights on TTPs when we see them in the wild. Today we’re focusing on an oldie but a goodie: right-to-left override attacks. First, a Refresher on Right-to-Left (RLO) Overrides. Unicode contains several characters designed to allow right to left (RTL) characters to be inserted inside text that is normally left to right. One … Read More

Improving Threat Detection

Improve Your Threat Detection: Inspect All of the New Everythings

Keith McCammon, Chief Security Officer

When asked to describe the potential threats that Red Canary detects and confirms, we tend to frame the discussion around several big buckets: Bad things – the most obvious: malware and unwanted software, primarily. Good things gone bad – legitimate applications and services leveraged by a malicious actor . . . think PowerShell, WMIC, MSHTA, etc. Unusual things – why does your CEO … Read More

Threat Investigation 5207

Shutting Down a Hands-on Keyboard Attack: Two Joes vs One Threat Actor

Suzanne Moore

It was a Friday afternoon when the alert came in. One of Red Canary’s customers had experienced a breach. The compromise occurred on an unsecured endpoint—an isolation development box that was used for testing. The customer had deployed Red Canary Managed Endpoint Detection & Response (MEDR) across its most critical endpoints: domain controllers, front-facing web server, executive endpoints, databases, and … Read More

Alert Fatigue

Alert Fatigue: How to Tune Out the Noise and Reclaim Your Hours

Keshia LeVan

As an analyst, reviewing events generally takes up a pretty good chunk of your day. And as much as there is a lot of hype about moving away from “signature-based detection,” many detection solutions are at their core just based on a rule (or set of rules) with some Boolean logic and pattern matching. That’s not to say they aren’t … Read More