Find stealthy new threats that slip past your security tech
Proactively hunt for unexpected activity
(a.k.a. spotting the camouflage)
When you’re looking for attackers and the alarms didn’t go off, it can be difficult to know where to start. In addition to your MDR, you need a multi-layered security approach. With Expel Hunting, we pull data from your security tech, detect attacker activity, fill in your blind spots and tell you how to prevent them.
What you get:
- Threat hunts performed by experienced analysts
- Hunt techniques aligned to your unique risks
- Clear guidance on what to improve
- Hunting with the tools you’ve already invested in
What we do
We pick the hunt technique best suited to your unique risks, your security tech and activity we’ve observed in your environment.
Our bots do the tedious work of collecting and enriching data, while our analysts use human judgement to dig into outliers and investigate.
We provide details of each hunting technique along with the data we collect, analyst insights and the final results of the hunt.
How it works
Every month, we pull data we’ve been collecting from your tech and create a hypothesis to determine the hunt. Bots then take on actions that can be automated (think data gathering and clustering) so our analysts can focus on things only a human can track.
Our analysts apply their expertise to investigate things that flew under the radar. We tell you when we find a threat and also share notable activity that looks “abnormal” (like actions a piece of software took that you and your team didn’t know about … not bad, but strange). And we provide a step-by-step guide on how to investigate.
What we look for
(The hunt is on)
Our techniques map to the MITRE ATT&CK framework with each hunt looking for tactics attackers use during specific stages of the attack lifecycle. We create a hypothesis and then look for activity where you would’ve expected alerts to be generated. The results also help fill gaps in your detection strategy.
Hunting techniques tailored to your tech
We’re constantly adding to our library of hunting techniques based on the most recent threat activity we see among our clients. Here’s a list of techniques to give you a sense of the things we look for.
| MDR for on-prem | MDR for SaaS apps | MDR for cloud infrastructure |
| --- | --- | --- |
| Anomalous process relations | Login from datacenter | Failed API requests |
| Connections to sinkholed domains | App consent grants | Unsupported cloud regions |
| Successive reconnaissance commands | Suspicious inbox rules | EC2 unused/unsupported cloud regions |
| Legitimate services for command-and-control | | |
| Scripted web downloader | | |
| Execution from user directories | | |
| Historical scripting activity | | |
We want to demystify what hunting is and what it’s not. So here goes nothin’ …
Finding anomalous process relationships — commands that don’t belong together — might indicate a problem within your environment. Here’s how to spot ‘em.
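To make the “anomalous process relations” idea concrete, here is an added example (not Expel’s code) of the bot-then-analyst split described above: it counts parent-to-child process pairs over a historical window, flags pairs in today’s events that fall below a rarity threshold, and clusters the outliers by pair so an analyst reviews one group at a time. The process names, host names, event sets and the threshold of five sightings are all constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, as an EDR would log it (constructed)."""
    host: str
    parent: str  # image name of the parent process
    child: str   # image name of the spawned process


def build_baseline(events):
    """Count parent->child pairs over a historical window (e.g. the prior 30 days).
    Image names are lower-cased so WINWORD.EXE and winword.exe are one pair."""
    return Counter((e.parent.lower(), e.child.lower()) for e in events)


def hunt_anomalous_relations(baseline, events, min_seen=5):
    """Return {pair: sorted hosts} for every pair in `events` that the baseline
    has seen fewer than `min_seen` times. Clustering by pair is the 'bot' step:
    the analyst then judges each cluster instead of each raw event."""
    clusters = defaultdict(set)
    for e in events:
        pair = (e.parent.lower(), e.child.lower())
        if baseline[pair] < min_seen:
            clusters[pair].add(e.host)
    return {pair: sorted(hosts) for pair, hosts in clusters.items()}


def rank_clusters(clusters, baseline):
    """Order clusters for review: never-seen pairs first, then pairs affecting
    the most hosts, then alphabetically for a stable output."""
    return sorted(
        clusters.items(),
        key=lambda kv: (baseline[kv[0]], -len(kv[1]), kv[0]),
    )


# Constructed history: common, benign parent->child pairs plus one rare pair.
HISTORY = (
    [ProcEvent("ws-%03d" % i, "explorer.exe", "chrome.exe") for i in range(200)]
    + [ProcEvent("ws-%03d" % i, "services.exe", "svchost.exe") for i in range(200)]
    + [ProcEvent("ws-%03d" % i, "explorer.exe", "WINWORD.EXE") for i in range(150)]
    + [ProcEvent("ws-%03d" % i, "winword.exe", "splwow64.exe") for i in range(30)]
    + [ProcEvent("ws-001", "winword.exe", "cmd.exe")]  # seen once; still below threshold
)

# Constructed events for the day being hunted.
TODAY = [
    ProcEvent("ws-010", "explorer.exe", "chrome.exe"),    # routine, not flagged
    ProcEvent("ws-042", "WINWORD.EXE", "cmd.exe"),        # rare pair, two hosts
    ProcEvent("ws-043", "winword.exe", "cmd.exe"),
    ProcEvent("ws-077", "winword.exe", "splwow64.exe"),   # normal print helper
    ProcEvent("ws-088", "outlook.exe", "powershell.exe"), # never seen in baseline
]


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    clusters = hunt_anomalous_relations(baseline, TODAY)
    for (parent, child), hosts in rank_clusters(clusters, baseline):
        print(f"{parent} -> {child}: baseline={baseline[(parent, child)]} hosts={hosts}")
```

Running the script prints two clusters for analyst review (`outlook.exe -> powershell.exe` first because the baseline never saw it, then `winword.exe -> cmd.exe` on two hosts) and stays silent on the 230 routine events. The threshold and window length are the hunt hypothesis; tuning them against your own environment’s history is what makes the technique “tailored to your tech.”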
So you decided you want to build a threat hunting program … but where do you start? Here are our three must-dos when you’re planning your hunt.