When asked to describe the potential threats that Red Canary detects and confirms, we tend to frame the discussion around several big buckets:
- Bad things – the most obvious: malware and unwanted software, primarily.
- Good things gone bad – legitimate applications and services leveraged by a malicious actor . . . think PowerShell, WMIC, MSHTA, etc.
- Unusual things – why does your CEO appear to be on two continents at the same time, and why is he executing an application that we’ve never seen him execute in the past?
- New things – that’s what we’re here to talk about today. No spoilers.
To learn more about the types of threats Red Canary detects, read our three-part blog series, What Red Canary Detects.
What’s in the “New Things” Bucket?
To Red Canary’s Threat Detection Engine and our analysts, the “new things” bucket is used to describe activities or artifacts that are either absolutely new or are new relative to other activities or artifacts.
Several examples of “absolutely new” activity or artifacts we look for include:
- New applications and binaries that neither we nor our information sources have seen before.
- Newly signed binaries that were signed near to the first observed execution.
- Network connections to newly observed domains.
- New endpoints within an organization.
- New user accounts within an organization.
The above are extraordinarily useful but not particularly novel (though it is more novel to do the above efficiently at a very large scale).
Things get interesting when you start looking relative to other observations:
- New endpoint-user combinations where a user is using an endpoint that doesn’t fit past usage patterns.
- New user or endpoint activity based on a time period when the entity in question is not normally active.
- Users executing an application for the first time, a common observation in cases where we identify stolen or shared credentials.
- Existing domains with new resolution patterns, particularly domains that have been involved in prior attacks and are adapting by changing IP addresses, platforms or providers.
As is the case with many broad brush detection techniques, some of these criteria may produce high false positive rates. The key to successful and scalable operations is a combination of effective data enrichment, qualified human analysis, and a platform that can take artifact-specific feedback from analysts and use this information to more effectively filter or weight future events of the same type.
Looking at all of this “new” activity is a great way to supplement and backstop more focused behavioral detection capabilities. Focus on what is new in your organization. You’ll quickly understand how your organization is changing and be in a position to determine if those changes are legitimate.
Remember: Attackers are almost always introducing or doing something new. Be watchful and you increase your ability to detect them.