What Red Canary Detects, Part I: Overview & Malicious Software

Keith McCammon

Share this Project

We want every detection that we produce to result in action. Actions are organization-specific and may include remediation, investigation, or simply a discussion related to configuration management. In this series we examine what Red Canary detects in the context of the classifications used to describe and group these threats for our customers. The primary purpose osf these classifications is to expedite the process of taking appropriate action.

A number of metadata elements accompany each detection, but the primary element is one of three classifications:

  • Malicious Software
  • Suspicious Activity
  • Unwanted Software

Being the first article in this series, we will examine the most familiar of the three: Malicious Software. Malicious software is software that is not only doing bad things, but also has no legitimate application. There are a multitude of subclassifications that we may apply to help customers better understand the nature of these threats. They include worms, ransomware, crimeware, droppers and many more.

Malicious software is perceived to be the least novel of our classifications because everyone is intimately familiar with malicious software detection products and services. However, our engine and methodology allow us to find this rapidly evolving class of threat in very reliable ways.

The traditional approach to identifying malicious software is one-dimensional in most cases and two-dimensional in an increasing number, but rarely comprehensive enough.

The one-dimensional approach involves reliance on traditional antivirus products for identification through signatures or narrow heuristics. However, antivirus products are reactive. Vendors must obtain samples, perform tests and then deploy engine or signature updates to mitigate the new threat. As a result, the combination of new techniques and narrow payload tweaks continue to yield a meaningful rate of infection.

A second dimension can be added in binary analysis tooling. This tooling looks in depth at binary instruction sets and/or detonates each binary within a sandbox for purposes of identifying hostile behaviors or attributes. Again, this is an improvement but by no means a solution. Crimeware and ransomware authors in particular are prolific and continue to rapidly deploy new and clever means of evading dynamic engines in particular.

So, what are we to do? First, we do all of the above. Hashes and other metadata are checked against threat intelligence sources to include resources like VirusTotal. In theory, this process should find all known threats and known threats should be detectable by customers’ endpoint antivirus solutions. In practice, we know that this is not the case.

Then, knowing that a small number of delivery methods–including email, browser-based attacks and removable media—represent the overwhelming majority of infections, we prioritize any process and its binary when derived from these types of sources. We also look for  behaviors indicative of early stage infections: use of persistence mechanisms, processes that write and spawn instances of binaries, suspicious relationships between processes and more.

Finally, we backstop all of this by passing every new binary on every customer endpoint through the best available analysis tools, and subject every process to our expansive battery of behavioral detectors. The results of this entire process are reviewed by our analysts to remove false positives, add rich context and attach the appropriate classification.

Note that this very briefly describes our engine and methodology, which demands another series of articles altogether. I’ve outlined it here for purposes of explaining how we attack the decades old, but still challenging problem of malicious software detection.

In the next article we’ll examine my personal favorite, Suspicious Activity. Until then . . .