How Red Canary Uses MITRE ATT&CK


A common language is essential when communicating between different security teams. When Red Canary uses a behavioral analytic to hunt for adversary behavior, or confirms threatening activity in your environment, it is important that you quickly understand what we’re communicating.

We found that the MITRE ATT&CK® taxonomy of behavioral techniques best fits our philosophy, so we exclusively use MITRE ATT&CK throughout Red Canary (supplemented by our own techniques when appropriate, which we contribute back to MITRE ATT&CK).

How does Red Canary use MITRE ATT&CK?

Many Red Canary objects are mapped to MITRE ATT&CK to aid your understanding and response:

  • Each detection analytic (detector) is mapped to one or more MITRE ATT&CK techniques the analytic identifies.

  • A coverage heatmap allows you to understand the total technique coverage that Red Canary contributes to your security program.

  • Potentially threatening events resulting from detection analytics show the set of MITRE ATT&CK techniques used to identify the event.

  • Confirmed threats (detections) published following the investigation of potentially threatening events show the set of MITRE ATT&CK techniques compiled from the underlying events.

Many reports and summary evaluations include MITRE ATT&CK as a dimension to help you understand what techniques are used in your environment (including a heatmap of techniques involved in confirmed threats).

What if Red Canary identifies a technique that is not in MITRE ATT&CK?

If Red Canary identifies an adversary technique that isn't yet included in MITRE ATT&CK, we create a new technique identifier prefixed with RC (instead of the typical T prefix). We then submit that technique to the MITRE ATT&CK team. Once it is added to MITRE ATT&CK, we retire the RC-prefixed identifier and replace it with the newly assigned MITRE ATT&CK identifier.
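As an added illustration of the mapping model described in the list above and of the RC-prefix handling in this answer (example code, not Red Canary's own software or API), the following toy model compiles an event's techniques from the detectors that fired, compiles a confirmed threat's technique set from its events, counts technique occurrences for a heatmap, and swaps an RC placeholder for a MITRE identifier once one is assigned. Detector names, event ids, the `RC-0001` placeholder and the assigned-identifier string are all constructed for the example.

```python
# Added example (not Red Canary's code): a toy model of how detectors, events
# and confirmed threats carry MITRE ATT&CK technique sets.
from collections import Counter

# Constructed detector -> technique mapping. "RC-0001" is a made-up stand-in
# for a Red Canary-prefixed technique still awaiting a MITRE identifier.
DETECTORS = {
    "suspicious_powershell_encoded": {"T1059.001", "T1027"},
    "lsass_memory_access": {"T1003.001"},
    "novel_persistence_trick": {"RC-0001"},
}


def event_techniques(event):
    """A potentially threatening event shows the union of the techniques
    of every detector that fired on it."""
    return set().union(*(DETECTORS[d] for d in event["detectors"]))


def compile_detection(events):
    """A confirmed threat's technique set is compiled from its events."""
    return set().union(*(event_techniques(e) for e in events))


def coverage_heatmap(detections):
    """Count how many confirmed threats involved each technique."""
    return Counter(t for d in detections for t in d)


def remap_rc_identifier(techniques, rc_id, mitre_id):
    """Once MITRE assigns an identifier, replace the RC placeholder with it."""
    return {mitre_id if t == rc_id else t for t in techniques}


# Constructed sample events belonging to one confirmed threat.
EVENTS = [
    {"id": "evt-1", "detectors": ["suspicious_powershell_encoded"]},
    {"id": "evt-2", "detectors": ["lsass_memory_access", "novel_persistence_trick"]},
]

if __name__ == "__main__":
    threat = compile_detection(EVENTS)
    print(sorted(threat))
    print(coverage_heatmap([threat, {"T1059.001"}]))
    # "T<assigned-by-MITRE>" is a placeholder for whatever identifier MITRE assigns.
    print(sorted(remap_rc_identifier(threat, "RC-0001", "T<assigned-by-MITRE>")))
```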

How can I see what MITRE ATT&CK techniques Red Canary detects?

We provide a MITRE ATT&CK matrix heatmap that shows the technique coverage Red Canary contributes to your security program.

Learn more about using MITRE ATT&CK heatmaps to understand Red Canary's threat coverage.

Does Red Canary support MITRE ATT&CK sub-techniques?

Red Canary has collaborated with the MITRE ATT&CK team throughout the definition of sub-techniques and is very excited about how they improve MITRE ATT&CK usage.