Atomic Red Team Testing

Red Canary Introduces Atomic Red Team, a New Testing Framework for Defenders

Casey Smith

How do you know your security solutions are tuned and ready to face actual adversaries? Are you testing new or existing products to provide assurances for detections? If you’re like many teams, you may lack the internal resources or expertise to simulate a specific adversary tactic or technique. That is why we recently created Atomic Red Team, a testing framework …

How to Quickly Automate a Response Playbook With Carbon Black

Keith McCammon, Chief Security Officer

Outwardly, Red Canary appears to focus heavily on the “Detection” in Endpoint Detection and Response. Much of what we share addresses the need to understand the platforms that we defend, and techniques that can be applied to detect threats to those platforms in a manner that lends to both accuracy and scale. But this is not to say that we …

“What’s Your SitRep?” How Practitioners Can Use EDR Data to Understand Their Environments

Frank McClain

If you watch any “tactical” shows about special operations (“SpecOps”) groups—whether military, government, or law enforcement—you have come across the use of jargon. In fact, the concept has bled over quite thoroughly into security operations (“SecOps”) as well. In this case, we’re talking about the request for a “SitRep,” or Situational Report. This is the equivalent of someone asking, “Hey, …

3 Practical Ways for Lean Security Teams to Boost Their Defenses

Casey Smith

“Fundamentally, if somebody wants to get in, they’re getting in…. What we tell clients is, ‘Number one, you’re in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated. Number three, take heart: There are other lines of defense that you can and should rely on to minimize damage.’” —Michael Hayden, former director of …


Operationalizing Data With the Carbon Black and Splunk Integration (Part 1)

Michael Haag

Over the last 5 years I have grown very close to Splunk. The product has evolved so much over the years, but the core architecture has always been easy to deploy and understand. Splunk is known for the speed at which it can search for data, the reliability of its architecture, and the ability to spin up multiple indexers and …


“semaG dna nuF” with Right-to-Left Override Unicode Characters

Red Canary

Our Security Operations team loves to share insights on TTPs when we see them in the wild. Today we’re focusing on an oldie but a goodie: right-to-left override attacks. First, a Refresher on Right-to-Left (RLO) Overrides. Unicode contains several characters designed to allow right to left (RTL) characters to be inserted inside text that is normally left to right. One …


Why the Philosophy of Continuous Monitoring Is Powerful

Phil Hagen

Continuous Monitoring is a methodology by which evidence collection is “baked into” the network. Critical observations are made and recorded continuously and quickly available when needed. The idea is to pre-collect evidence that will support your investigative processes. The power of continuous monitoring is significant, and I encourage all businesses and organizations to adopt the notion of an investigable network—one that …