Red Canary’s Threat Hunting team comprises experts in Incident Response, Network and Systems Administration, Identity and Access Management (IAM), and Risk and Vulnerability Management. We conduct simultaneous hunts across your environment, leveraging our diverse backgrounds and perspectives. While one team member may initiate a hunt, we collaborate seamlessly, providing additional research assistance. In each hunt, a designated primary hunter leads the process from start to finish.
How We Assist You
Our hunts are guided by formulated hypotheses, drawing on intelligence, tactics, techniques, or entities. By analyzing data from all our customers, we can detect suspicious or malicious patterns in other environments, which we then verify within your environment. This proactive approach enhances security posture and helps prevent future incidents.
Security Testing
When conducting a penetration test or Red Team exercise, you may choose to engage with Red Canary’s Threat Hunting team in one of three ways:
No Notice - Do not inform Red Canary of an upcoming security test.
Minimal Engagement - Inform Red Canary of an upcoming security test but share little to no information about it.
Full Engagement - Inform Red Canary of an upcoming security test and share scope and methodology details.
Regardless of your engagement level, we will continue to investigate threats and protect you from real-world adversaries. For more information, see The Red Canary Approach to Security Data and Threat Detection and Threat Hunting & Security Testing.
Response Preference
You may choose how our teams respond to published threats confirmed to be part of security testing.
Threat Hunting
Hands On - Analysts will call you for test-related threats that warrant an escalation, even those that occur after hours.
Hands Off - Analysts will not call you for test-related threats.
Active Remediation
If you have subscribed to Active Remediation, you may choose how our Threat Response Engineering team responds:
Hands On - Threat Response Engineering will apply remediation to test-related threats, even those that occur after hours.
Hands Off - Threat Response Engineering will not apply remediation to test-related threats.
For more information, see Security Testing.
When We’ll Call You
When deciding whether to call you, we defer to analyst discretion based on the criticality of the published threat. Generally, when one or more of the following conditions are met, we will call you:
Red Canary has confirmed active, hands-on-keyboard activity within the environment.
Red Canary has confirmed that ransomware or ransomware precursors are progressing rapidly or unchecked within the environment.
A threat is published that Active Remediation (AR) is unable to remediate, and both AR and the Threat Hunting team deem it severe enough to need your immediate attention.
Red Canary has identified other critical and urgent threats that do not fall exactly into the above criteria.
In some cases we may also reach out if there is a high-severity threat, or a multitude of related threats, that our analysts find concerning and that you have not acknowledged for some time after publication. These communications will primarily occur during our business hours (6AM-6PM MST), barring any increase in severity or criticality. If you require additional notification for specific types of threats or alerts, you can configure it via Automate playbooks in your portal.
Note
If you are conducting security testing and have not informed Red Canary, analysts will use these same criteria when deciding whether to call you about a published threat. Once the activity is confirmed to be part of testing, we will ask for your response preference.
Our Pillars
The Threat Hunting program at Red Canary is structured around three core pillars: Hunt, Respond, and Advise.
Hunt
Our Hunt pillar employs a blend of unstructured and structured hunting methods. Drawing from our team's extensive expertise, some members advocate a data-driven approach, thoroughly investigating all available data to pinpoint potential weaknesses in your environment. Others favor a structured methodology: intelligence-driven hunts based on internal or external threat intelligence, and entity-driven hunts focusing on high-risk or high-value entities such as endpoint activity and user behavior, to proactively tackle security risks.
We also conduct TTP-driven hunts targeting known Tactics, Techniques, and Procedures (TTPs) associated with threat actors when applicable.
Threat Hunt Impact
Hygiene Recommendations
Concerning People Practices
Areas of Risk and Exposure
Mitigation Strategies
Identification of Malice
Reporting & Knowledge Enablement
Respond
Our Respond pillar complements our Hunt pillar. If we detect a threat in your environment, we offer a summary of the threat and guide your response and remediation to help neutralize the threat where applicable. Aside from response efforts stemming from our threat hunts, your dedicated team of threat hunters is available to address any threats in your environment, whether they stem from published threats from Red Canary or alerts from your external sources integrated with us. Learn how to contact us here.
Respond Impact
Timely Resolution
Effective Mitigation
Prevention of Data Loss or Breach
Minimal Disruption
Enhanced Security Posture
Learning and Improvement
Compliance Adherence
Maintained Trust
Advise
Our Advise pillar is dedicated to providing guidance and support to strengthen your security program, drawing from the collective expertise of our team. In a hunt where response actions are needed, we also offer guidance on mitigating the identified threat within your environment to prevent it from recurring. Additionally, we're here to assist you with your security-focused roadmap items. For example, if you're considering adding a new security product to your stack and want feedback from people with hands-on experience, we're here to help. We provide insights into how well the product aligns with your security requirements, based on our relationship with you over time. For products we have less experience with, we can offer additional resources or guidance on obtaining an assessment before a production rollout, should you or your team be interested.
Advise Impact
Clarity and Understanding
Empowerment
Effective Solutions
Risk Mitigation
Positive Impact
Feedback Loop
Long-Term Value
Trust and Confidence
Continued Learning
Alignment with Objectives
Our Process
We maintain thorough internal tracking of all our hunting activities. When a threat is detected, you'll find a published threat in your portal. Should you have further questions regarding our findings, please contact us through our established communication channels for additional clarification. In cases where additional context is needed but additional log sources are not, we will request that context through the same communication channels.
As our investigations advance and new pertinent data sources come to light, whether you still need to integrate them with us or Red Canary does not currently support them, we will openly present our findings up to that juncture and suggest the next steps for your team. We'll specify the log source(s), aspects requiring further investigation, and the implications of our findings, empowering you to assess potential threats in your environment based on our hunt hypotheses. If you wish to integrate additional data sources, please refer to integration options with Red Canary. Our hunts are designed to provide logic and assistance for your in-house security team to continue or repeat initiated hunts within your environment, enhancing protection and awareness. We may offer code samples, query logic, and additional research or resources as part of our hunt outcomes.
Our customers integrate diverse data sources with us, including endpoint solutions such as Carbon Black Cloud, Carbon Black EDR, CrowdStrike Falcon, Microsoft Defender for Endpoint, Palo Alto Cortex XDR, and SentinelOne. We offer a multi-cloud solution, partnering with leading platforms such as AWS, GCP, and Azure, and integrating identity sources such as Okta. Additionally, we manage alerts from various other sources.
Contact Us
For more information on the Threat Hunting team, contact Red Canary.