Intelligence FAQ

How do you define profile?

We define profile broadly as anything with intent, opportunity, and capability to cause harm. For the Red Canary Intelligence Team, a profile may be a group (either named by Red Canary or another team), a tool, or a campaign.

Why isn’t there much information in some of the profiles?

Our approach is to iteratively add information to profiles as we find it, meaning that we have documented more information about some threats than others. We aim to be transparent, and that means being transparent about how much information we have on threats.

If I don’t see a profile for a threat I care about, what should I do?

Please reach out to your threat hunter to request a profile. Describe the threat's importance to you and the questions you have about it as best you can so that the Intelligence Team can help you.

How can I make contributions or suggest edits?

We appreciate any contributions to our profiles. The more we know about threats, the better equipped we are to protect our customers. If you have additions, edits, or questions, please contact your threat hunter.

How are threats associated with profiles?

Threats are associated with profiles automatically and manually. Red Canary automatically associates threats with profiles when it knows that an attribute (such as a unique command line) is specific to a known threat. To supplement this automatic approach, analysts also manually review threats to try to associate them to known threat actors. Since profile-to-threats associations are based on human assessments, they may change over time in response to new information.

Why are not all threats associated with profiles?

The Red Canary Intelligence Team associates a threat to known profiles whenever we can. We make these associations when we assess that a threat likely corresponds with a named profile. Each of these associations is a human assessment based on evidence. There are times when we recognize a behavior as malicious or suspicious but cannot tie it to a known threat. Sometimes identifying a threat is simple (for example, based on a known string, TTP, or indicator), but other times it takes many months or years or requires visibility into larger contexts that we don't yet have.

Why do I see a threat associated with a profile after the threat has already been published?

We want to get information to you about malicious or suspicious activity as soon as possible, so you can take action. Trying to associate threats in real time might slow this down, so we go back and review threats after they are published to follow up and try to associate threats to help inform you on your response.

Why are most of the profiles on tools rather than groups?

Clustering activity into groups takes time, analysis, and a significant volume of data. For this reason, many threats are initially associated with tools. Over time, the Intelligence Team may identify a new cluster of activity and create a new group based on that analysis. (We did this with Blue Mockingbird).

Why is there no attribution to countries in the profiles?

Attributing activity to the person behind the keyboard is difficult and requires novel and varied collection sources. Our Red Canary Intelligence Team does not definitively assign any threats to an individual, company, or country since attribution of who is behind the keyboard is not a requirement for many of our customers. Instead, we focus on clustering similar activity and using that context to inform decisions. Other companies and teams take a different approach and attribute directly to the person or country behind the keyboard (for example, CrowdStrike uses the term BEAR for Russian threats). In using the threat actor names provided by other organizations, Red Canary assesses if there is overlap in activity with things another team has attributed, but we don't evaluate their validity of their attribution to a specific person, company, or country.