
Expel Hunting

Find stealthy new threats that slip past your security tech

Proactively hunt for unexpected activity

(a.k.a. spotting the camouflage)

When you’re looking for attackers and the alarms didn’t go off, it can be difficult to know where to start. In addition to your MDR, you need a multi-layered security approach. With Expel Hunting, we pull data from your security tech, detect attacker activity, fill in your blind spots and tell you how to prevent them.

What you get:

  • Threat hunts performed by experienced analysts
  • Hunt techniques aligned to your unique risks
  • Clear guidance on what to improve
  • Hunting with the tools you’ve already invested in

What we do

Tailor

We pick the hunt technique best suited to your unique risks, your security tech and activity we’ve observed in your environment.

Analyze

Our bots do the tedious work of collecting and enriching data, while our analysts use human judgement to dig into outliers and investigate.

Strengthen

We provide details of each hunting technique along with the data we collect, analyst insights and the final results of the hunt.

How it works

Every month, we pull data we’ve been collecting from your tech and create a hypothesis to determine the hunt. Bots then take on actions that can be automated (think data gathering and clustering) so our analysts can focus on things only a human can track.

Our analysts apply their expertise to investigate things that flew under the radar. We tell you when we find a threat and also share notable activity that looks “abnormal” (like actions a piece of software performed that you and your team didn’t know about … not bad, but strange). And we provide a step-by-step guide on how to investigate.

What we look for

(The hunt is on)

Our techniques map to the MITRE ATT&CK framework with each hunt looking for tactics attackers use during specific stages of the attack lifecycle. We create a hypothesis and then look for activity where you would’ve expected alerts to be generated. The results also help fill gaps in your detection strategy.

  • Unwanted users blending in
  • API calls that are truly anonymous
  • IP address activity to help spot abnormalities
  • Misconfigured tools that could be costing you money
  • User activity to help highlight best practices
  • Odd configurations within your infrastructure

Hunting techniques tailored to your tech

We’re constantly adding to our library of hunting techniques based on the most recent threat activity we see among our clients. Here’s a list of techniques to give you a sense of the things we look for.

Techniques span our MDR for on-prem, MDR for SaaS apps and MDR for cloud infrastructure offerings:

  • Anomalous process relations
  • Connections to sinkholed domains
  • HTTP beaconing
  • Successive reconnaissance commands
  • Legitimate services for command-and-control
  • Scripted web downloader
  • Execution from user directories
  • Historical scripting activity
  • Geo-infeasibility
  • Login from datacenter
  • App consent grants
  • Suspicious inbox rules
  • Failed API requests
  • Unsupported cloud regions
  • RDS modifications
  • EC2 modifications
  • EC2 unused/unsupported cloud regions

Blog

What is (cyber) threat hunting and where do you start?

We want to demystify what hunting is and what it’s not. So here goes nothin’ …

Blog

How to find anomalous process relationships in threat hunting

Finding anomalous process relationships — commands that don’t belong together — might indicate a problem within your environment. Here’s how to spot ‘em.

Blog

3 must-dos when you’re starting a threat hunting program

So you decided you want to build a threat hunting program … but where do you start? Here are our three must-dos when you’re planning your hunt.

Give us 30 minutes to show you how we can take hunting off your plate.
