The Threat Hunting Team
    • 10 Sep 2024

    Red Canary’s Threat Hunting team comprises experts in Incident Response, Network and Systems Administration, Identity and Access Management (IAM), and Risk and Vulnerability Management. We conduct simultaneous hunts across your environment, leveraging our diverse backgrounds and perspectives. While one team member may initiate a hunt, we collaborate seamlessly, providing additional research assistance. In each hunt, a designated primary hunter leads the process from start to finish.

    How We Assist You

    Every hunt starts from a stated hypothesis, derived from threat intelligence, a specific tactic or technique, or an entity of interest. Because we analyze data across all of our customers, suspicious or malicious patterns observed in one environment can be verified against yours. This proactive approach strengthens your security posture and helps prevent incidents before they occur.

    Our Pillars

    The Threat Hunting program at Red Canary is structured around three core pillars: Hunt, Respond, and Advise.

    Hunt

    Our Hunt pillar blends unstructured and structured hunting. Drawing on the team's range of backgrounds, some members favor a data-driven approach, reviewing all available data to surface potential weaknesses in your environment. Others favor a structured methodology: intelligence-driven hunts based on internal or external threat intelligence, and entity-driven hunts that focus on high-risk or high-value entities such as specific endpoints, users, or patterns of user behavior.

    When applicable, we also run TTP-driven hunts that target known Tactics, Techniques, and Procedures (TTPs) associated with specific threat actors.

    Threat Hunt Impact

    • Hygiene Recommendations

    • Concerning People Practices

    • Areas of Risk and Exposure

    • Mitigation Strategies

    • Identification of Malice

    • Reporting & Knowledge Enablement

    Respond

    Our Respond pillar complements our Hunt pillar. If we detect a threat in your environment, we provide a summary of the threat and guide your response and remediation to neutralize it where applicable. Beyond responses that arise from our hunts, your dedicated team of threat hunters is available to address any threat in your environment, whether it originates from a threat published by Red Canary or from an alert raised by an external source you have integrated with us. Learn how to contact us here.

    Respond Impact

    • Timely Resolution

    • Effective Mitigation

    • Prevention of Data Loss or Breach

    • Minimal Disruption

    • Enhanced Security Posture

    • Learning and Improvement

    • Compliance Adherence

    • Maintained Trust

    Advise

    Our Advise pillar provides guidance and support to strengthen your security program, drawing on the collective expertise of our team. When a hunt requires response actions, we also advise on mitigating the identified threat in your environment so that it does not recur. We can also help with items on your security roadmap. For example, if you are considering adding a new security product to your stack and want feedback from people with hands-on experience, we can offer insight into how well the product fits your security requirements, informed by our relationship with you over time. For products we have less experience with, we can point you to additional resources or advise on obtaining an assessment before a production rollout, should you or your team be interested.

    Advise Impact

    • Clarity and Understanding

    • Empowerment

    • Effective Solutions

    • Risk Mitigation

    • Positive Impact

    • Feedback Loop

    • Long-Term Value

    • Trust and Confidence

    • Continued Learning

    • Alignment with Objectives

    Our Process

    We maintain thorough internal tracking of all our hunting activities. When a threat is detected, you will find a published threat in your portal. If you have further questions about our findings, contact us through our established communication channels for clarification. When we need additional context from you (but not additional log sources), we will request it through the same channels.

    As an investigation advances, new relevant data sources may come to light that are either not yet integrated with Red Canary or not currently supported by us. In that case we present our findings up to that point and suggest next steps for your team: the log source(s) involved, the aspects that need further investigation, and what our findings imply, so that you can assess the potential threat in your environment against our hunt hypothesis. If you wish to integrate additional data sources, refer to the integration options available with Red Canary. Our hunts are designed to give your in-house security team the logic and support needed to continue or repeat them in your environment, improving both protection and awareness. Hunt outcomes may include code samples, query logic, and additional research or resources.

    Our customers integrate a range of data sources with us, including endpoint solutions such as VMware Carbon Black Cloud, VMware Carbon Black EDR, CrowdStrike Falcon, Microsoft Defender for Endpoint, Palo Alto Cortex XDR, and SentinelOne. We offer a multi-cloud solution covering AWS, GCP, and Azure, integrate identity sources such as Okta, and manage alerts from a variety of other sources.
