Triage Planning & an Emotet Outbreak: What Can Security Teams Learn from First Responders?

Triage Planning: What Can Security Teams Learn From First Responders?

Andy Rothman

This post offers a glimpse into how our Cyber Incident Response Team (CIRT) fought a flare-up in Emotet infections by taking a step back from the mass of alerts to devise a proactive strategy for automation. Our hope is that it sparks some ideas for you when something similar happens in your environment.

On the Night Shift

Slaying Evil Around the Clock with Red Canary’s Cyber Incident Response Team

Keya Horiuchi

Red Canary’s Cyber Incident Response Team (CIRT) is comprised of two groups: detection engineers and incident handlers. Our blog posts often focus on threats we detect, but it’s rare to get a glimpse of our incident handlers in action. This article will walk through a recent threat in a customer’s environment, from the initial discovery to the incident handling team’s … Read More

Red Canary Threat Response

How an IT Service Provider and Red Canary Stopped a Malware Outbreak

Eric Groce

A technical account manager recounts how Red Canary partnered with an IT service provider to help one of their customers stop a rapidly spreading network worm. The article goes behind the scenes of the incident response effort and shares best practices to avoid a breach. Most IT service providers can relate to the following scenario: It’s an idle Thursday. You … Read More

How to Quickly Automate a Response Playbook With Carbon Black

Keith McCammon, Chief Security Officer

Outwardly, Red Canary appears to focus heavily on the “Detection” in Endpoint Detection and Response. Much of what we share addresses the need to understand the platforms that we defend, and techniques that can be applied to detect threats to those platforms in a manner that lends to both accuracy and scale. But this is not to say that we … Read More

Continuous Monitoring

Why the Philosophy of Continuous Monitoring Is Powerful

Phil Hagen

Continuous Monitoring is a methodology by which evidence collection is “baked into” the network. Critical observations are made and recorded continuously and quickly available when needed. The idea is to pre-collect evidence that will support your investigative processes. The power of continuous monitoring is significant, and I encourage all businesses and organizations to adopt the notion of an investigable network—one that … Read More

Threat Investigation 5207

Shutting Down a Hands-on Keyboard Attack: Two Joes vs One Threat Actor

Suzanne Moore

It was a Friday afternoon when the alert came in. One of Red Canary’s customers had experienced a breach. The compromise occurred on an unsecured endpoint—an isolation development box that was used for testing. The customer had deployed Red Canary across its most critical endpoints: domain controllers, front-facing web server, executive endpoints, databases, and other endpoints where a compromise could … Read More

Incident Response Retainers

An Analyst’s Tale of Incident Response Retainers: “It’s All About the Benjamins”

Frank McClain

Once upon a time there lived a boy named Benjamin. Benjamin was very smart, and grew up with a passion for Information Security. As an adult he became part of the InfoSec team at “WidgetCo,” whose highly-prized widgets made their network and computing infrastructure a constant target. Benjamin was constantly making recommendations to help the organization defend against a barrage … Read More