Expel's Managed Detection & Response (MDR) uses detection strategy to focus our efforts. All of our detection strategy is influenced by the Lockheed Martin Cyber Kill Chain® and the MITRE ATT&CK® frameworks.
About the Two Frameworks
We use both of these frameworks in the design of our security products.
- Lockheed Martin's Cyber Kill Chain identifies the seven stages of an attack that must all be completed in order for an adversary to be successful.
- MITRE's ATT&CK is a global knowledge base of the tactics and techniques used by adversaries that have been observed in the real world.
The seven stages of the Cyber Kill Chain align well with the MITRE ATT&CK framework.
How Our Detection Strategy Works
ATT&CK covers the full lifecycle of adversarial actions, including cyber adversary behavior and taxonomy. This level of detail is leveraged by Expel's MDR for detection strategy, which we use to triage and process the signals coming in from your vendor technology.
In general, our detection strategy strives to balance three considerations:
- Where malicious activity can be detected. We want to make sure you are alerted to potential attacks at the earliest possible stage.
- When it makes the most sense to respond. We want to focus on the most critical threats in order to minimize unnecessary alerts and increase your overall efficiency.
- What options are available to mitigate the malicious activity. We want to create a range of response options for different types of incidents, from tailored incident response plans to automatic containment.
Our detection strategy varies slightly based on the type of integration, but we focus our initial activities on stages 3 and 4 of the Cyber Kill Chain: Delivery and Exploitation. This is where we begin to see higher fidelity detections, meaning signals that have the highest likelihood of representing an active, post-compromise attack.
- In the Reconnaissance and Weaponization stages (pre-ATT&CK phase), we are more likely to find noise and observed risks that have not yet matured into active threats. For example, port scanning is an early stage activity that is constantly occurring on the Internet, but it does not often lead to later stage activity. So while it can represent risk, port scanning will only rarely mature into an active threat that requires a response.
- In the Delivery stage, we are looking for antivirus alerts, blocked executions, and similar detections. These events may not yet be an issue, but they can mature into activity that is malicious.
- In the Exploitation stage, we are looking for malware executions that have begun exploiting the environment. For example, we may see a script running out of context or being run under the root directory when it should not be.
The leads found in the Delivery and Exploitation stages are often, but not always, higher fidelity signals that still allow time to act.
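The stage-based prioritization described above, as an added illustration (not Expel's code): normalized vendor events are mapped to a Cyber Kill Chain stage, and only signals at Delivery or later are promoted, with a script execution counting as Exploitation only when it runs outside its expected location. The signal names, expected directories and sample events are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Kill Chain stage numbers as used on this page: 1 Reconnaissance, 2 Weaponization,
# 3 Delivery, 4 Exploitation (later stages omitted from this example).
STAGE_BY_SIGNAL = {  # assumed signal vocabulary, constructed for the example
    "port_scan":    (1, "Reconnaissance"),
    "av_block":     (3, "Delivery"),
    "blocked_exec": (3, "Delivery"),
    "script_exec":  (4, "Exploitation"),
}

# Paths a script would normally be run from; anything else is "out of context".
# Constructed for the example.
EXPECTED_SCRIPT_DIRS = ("/home/", "/opt/app/")

@dataclass
class Event:
    signal: str
    host: str
    detail: str = ""

def classify(ev):
    """Return (stage_number, stage_name) for a normalized vendor event."""
    return STAGE_BY_SIGNAL.get(ev.signal, (0, "Unknown"))

def triage(events, min_stage=3):
    """Promote signals at or past min_stage; earlier stages are noise or observed risk."""
    promoted, suppressed = [], []
    for ev in events:
        stage, name = classify(ev)
        if ev.signal == "script_exec" and ev.detail.startswith(EXPECTED_SCRIPT_DIRS):
            # A script in its expected location is not Exploitation for this purpose
            suppressed.append((ev, f"{name}: script in expected location"))
            continue
        if stage >= min_stage:
            promoted.append((ev, name))
        else:
            suppressed.append((ev, f"{name}: observed risk, not an active threat"))
    return promoted, suppressed

SAMPLE = [  # constructed events, not real telemetry
    Event("port_scan", "web01", "tcp/22 from 203.0.113.9"),
    Event("av_block", "wks07", "quarantined invoice.docm"),
    Event("script_exec", "wks07", "/home/alice/build.sh"),
    Event("script_exec", "db02", "/root/x.sh"),
]

if __name__ == "__main__":
    for ev, reason in triage(SAMPLE)[1]:
        print("suppressed:", ev.host, ev.signal, reason)
```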
Important Note
Because our detection strategy focuses on where the fidelity is higher and where we still have time to act, the Expel Alerts we send to you are based on certain signals pulled from the noise in your environment. This is why your security devices can generate an alert that Expel notes as benign in Workbench and closes, and also why you may see an alert in your vendor technology but not in Workbench.
Detection Strategy by Integration
Cloud
Detection
Our cloud security detection strategy focuses on two common signal types at the control plane and resource levels: authentication events and API events. In limited cases, we also ingest certain data plane events such as network activity. We do this by integrating directly with cloud providers as well as cloud security service providers to gain a complete view of your cloud footprint.
We consume these events through a mix of raw log analysis and security alert processing, which are then run through our detection engine to look for signs of post-exploitation activity. When a threat is detected, our automated response bot, Ruxie, takes action by enriching evidence fields with first- and third-party threat intelligence. Additional Ruxie actions query a wide span of technologies in order to directly arm analysts with key pieces of investigative information and related events.
Response
In addition to verbose evidence collection for cloud alerts, cloud technologies are useful for triaging SaaS and identity alerts as well. User activities within the cloud providers, along with related alerts for anomalous indicators, help analysts gain a full picture of the activity that occurred within a session.
MITRE ATT&CK Coverage
Coverage:
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Impact
Explanation:
Along with traditional authentication monitoring, cloud IAM auditing for permission abuse enables coverage of Initial Access, Persistence, and Privilege Escalation. User interaction across all cloud provider services (storage, compute, security monitoring, etc.) enables detection coverage for Execution, Defense Evasion, Credential Access, Discovery, and Impact.
IAM and other service abuse can be considered lateral movement, but the specific attacks are covered under Persistence, Privilege Escalation, and Discovery. Limited data plane auditing means detections for Command & Control, Collection, and Exfiltration are extremely limited in cloud infrastructure.
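How authentication and API events combine into IAM permission-abuse coverage for Initial Access, Persistence and Privilege Escalation, as an added example that is not Expel's detection engine: per-user audit events are correlated in a time window after a console login and tagged with ATT&CK tactics. The `ts|user|api|param` line format is constructed for the example; the event names are CloudTrail-style, and the tactic mapping is an assumption.

```python
from datetime import datetime, timedelta

# Tactic mapping for the API events this example understands (assumed mapping).
TACTIC_BY_API = {
    "ConsoleLogin":     "Initial Access",
    "CreateAccessKey":  "Persistence",
    "AttachUserPolicy": "Privilege Escalation",
    "DeleteTrail":      "Defense Evasion",
}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def parse(line):
    """Parse one constructed 'ts|user|api|param' audit line into a dict."""
    ts, user, api, param = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "api": api, "param": param}

def tactic(ev):
    """Map an event to a tactic; a non-admin policy attach is routine, not escalation."""
    if ev["api"] == "AttachUserPolicy" and ev["param"] != ADMIN_POLICY:
        return None
    return TACTIC_BY_API.get(ev["api"])

def correlate(lines, window=timedelta(minutes=30)):
    """Alert when a login is followed, within the window, by two or more later tactics."""
    by_user = {}
    for ev in map(parse, lines):
        by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for login in (e for e in evs if e["api"] == "ConsoleLogin"):
            end = login["ts"] + window
            tactics = {tactic(e) for e in evs if login["ts"] <= e["ts"] <= end}
            tactics.discard(None)
            if len(tactics - {"Initial Access"}) >= 2:
                alerts.append({"user": user, "start": login["ts"],
                               "tactics": sorted(tactics)})
    return alerts

SAMPLE_LOG = [  # constructed audit lines, not real CloudTrail output
    "2024-05-01T09:00:00|alice|ConsoleLogin|198.51.100.7",
    "2024-05-01T09:04:00|alice|CreateAccessKey|alice",
    "2024-05-01T09:05:30|alice|AttachUserPolicy|arn:aws:iam::aws:policy/AdministratorAccess",
    "2024-05-01T10:00:00|bob|ConsoleLogin|192.0.2.44",
    "2024-05-01T10:01:00|bob|AttachUserPolicy|arn:aws:iam::aws:policy/ReadOnlyAccess",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a["user"], a["start"], ", ".join(a["tactics"]))
```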
Email
Detection
Expel integrates directly with email security providers and uses their data to quickly identify and investigate email and identity-based attacks to:
- generate Expel alerts for investigation
- provide enriched context to a threat
- offer decision support for incident scoping and severity identification
Expel consumes email security provider events through a mix of raw log analysis and security alert processing, which pass through our detection engine to identify signs of post-exploitation activity. When a threat is detected, our automated response bot takes action by enriching evidence fields with first- and third-party threat intelligence. Additional bot actions query a wide span of technologies in order to directly arm analysts with key pieces of investigative information and related events.
Email security providers do not provide full-body email text to Workbench analysts, but rather the alert data generated by the email security providers' devices. Full-text analysis of user-submitted emails is offered via Expel's Managed Phishing service offering. When events are promoted to Expel alerts, additional workflows query related sources to enrich the event with context.
Response
Email alerts are useful to identify and mitigate email threats such as phishing, business email compromise (BEC), and malware. Additionally, telemetry from other integrations with Expel is used to correlate activity across the kill chain to paint a more comprehensive picture of an attack beyond the email threat surface. For example, for an onboarded EDR or network security device, Expel can correlate the observation of a malicious attachment in the email security provider with the downloading and execution of that attachment in these integrations. If no other integrations are onboarded, analysts will use the context from the alert as well as Expel-internal enrichment sources (file/IP/URL lookups) to make the best determination of an alert.
MITRE ATT&CK Coverage
Coverage:
- Initial Access
- Execution
- Persistence
- Privilege Escalation
Explanation:
Our email security coverage leverages both email security vendor alerts and raw device events to provide visibility into key MITRE ATT&CK tactics. Detections for active impersonation, malware attachments, malicious URLs, and general phishing threats provide robust coverage for the Initial Access tactic.
Correlated suspicious file activity, such as an attachment being downloaded or executed by a user, directly addresses the Execution tactic. For Persistence and Privilege Escalation, we correlate these initial email threats with suspicious authentications, MFA events, and other device-level activities to detect the post-compromise behavior that follows a successful email-based attack. This correlation is crucial for identifying when an attacker attempts to maintain their foothold or gain higher-level permissions after the initial breach.
Endpoint
Detection
Our endpoint detection strategy focuses on two common signal types: process and network events. By integrating directly with EDR vendors, we can process security alerts to extract evidence and normalize event details. These normalized signals are then processed through our detection engine to look for signs of post-exploitation activity.
In addition to categorical handling of vendors' security alerts, Expel maintains a large library of behavioral detections to augment vendor detections. When a threat is detected, our automated response bot, Ruxie, takes action by enriching evidence fields with first- and third-party threat intelligence. Additional Ruxie actions query a wide span of technologies directly to arm analysts with key pieces of investigative information and related events.
Response
Endpoints provide rich context for processes and also support other types of Expel Alerts. For example, we use source device identification across a number of alert types when a source IP or hostname is available, because it provides rich context about the actor behind the activity.
Additionally, endpoints provide valuable information for network alerts to help identify what process triggered a connection.
MITRE ATT&CK Coverage
Coverage:
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Command & Control
Explanation:
Endpoint logs include a variety of important information such as processes, file and network events, and authentications. This allows for monitoring across all tactics to the right of Initial Access. Collection and Exfiltration coverage are intentionally limited due to triage and fidelity issues. In certain cases, these detections can be enabled after further per-environment configuration.
Identity
Detection
Our identity security detection strategy focuses on optimizing user authentication and application access activity monitoring. This is achieved by directly integrating with identity providers and polling for audit and data access logs.
These events are analyzed through a combination of raw log analysis and security alert processing, which are then evaluated by our detection engine for signs of suspicious login activity or post-exploitation behavior. When a threat is identified, our automated response bot, Ruxie, enriches evidence fields with first- and third-party threat intelligence. Additionally, Ruxie queries a wide range of technologies to provide analysts with critical investigative information and related events.
Response
For alerts that contain source user information, identity technologies can provide rich context such as groups, locations, job title, and other pieces of metadata. Additionally, for cloud and SaaS alerts, identity technologies are queried to provide verbose context around user login behavior. This allows analysts to investigate the underlying session behind the activity they are triaging.
MITRE ATT&CK Coverage
Coverage:
- Initial Access
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
Explanation:
Authentication audit logs allow for traditional Initial Access monitoring, while user identity changes (device management, MFA configuration, etc.) and administrative audit logs enable monitoring of Persistence, Privilege Escalation, Defense Evasion, and Credential Access. Identity activities and audit logs are mostly limited to early attack stage behavior, so tactics to the right of Discovery are not included in the strategy.
Network
Detection
Network traffic monitoring is a critical element of our detection strategy, offering insight into the activity of data as it moves across an organization's systems. The network traffic data source focuses on network connection creation (the initial construction of a network connection, such as socket information and source and destination IPs and ports), network traffic content (logged network traffic data showing both protocol header and body values, such as PCAP), and network traffic flow (summarized network packet data with metrics such as protocol headers and volume, such as NetFlow or HTTP logs).
We pull this information into our detection pipeline as events in the form of both security alerts and raw telemetry (depending on the integration). When a threat is detected, our automated response bot, Ruxie, takes action by enriching evidence fields with first- and third-party threat intelligence. Additional Ruxie actions query a wide span of technologies directly to arm analysts with key pieces of investigative information and related events.
Response
Network technologies are utilized for support across many types of Expel Alerts such as endpoint and cloud. The main focus of the response strategy is on source IP, destination IP, and domain tracking to identify related connections, along with user activity summaries to give extra alert context.
MITRE ATT&CK Coverage
Coverage:
- Initial Access
- Execution
- Discovery
- Lateral Movement
- Command & Control
Explanation:
Due to limitations on the information available to network appliances, coverage for these technologies is generally limited to a few key tactics. We observe Initial Access and Execution through certain packet streams, but the core detection ability is focused on internally-originating traffic which can help identify Discovery, Lateral Movement, and Command & Control.
SaaS
Detection
Our SaaS detection strategy is designed to identify and respond to suspicious user activity across cloud-based applications. By integrating directly with SaaS platforms, we continuously monitor user behavior and focus on activities such as unusual login patterns, excessive data downloads, or unauthorized access to sensitive files.
In addition to user activity, we also detect other key SaaS-related events such as changes to administrative settings, the creation or modification of privileged accounts, and unexpected data sharing with external parties. These events are processed through our detection engine, which leverages behavioral analytics and threat intelligence to flag potential risks. When anomalies are detected, our automated response bot, Ruxie, takes action by enriching evidence fields with first- and third-party threat intelligence. Additional Ruxie actions query a wide span of technologies directly to arm analysts with key pieces of investigative information and related events.
Response
Similar to identity technologies, SaaS apps can hold valuable information such as user roles, location, and other metadata that helps analysts triage Expel Alerts of all types that contain source user information.
MITRE ATT&CK Coverage
Coverage:
- Initial Access
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
Explanation:
Authentication logs help enable detection for Initial Access, while application administration logs enable coverage for Persistence, Privilege Escalation, Defense Evasion, and Credential Access. Tactics such as Execution, Discovery, and Lateral Movement are excluded due to log availability and the lack of applicable techniques in the SaaS space. Collection and the tactics that follow are excluded intentionally due to triage and fidelity issues. In certain cases, these detections can be enabled after further per-environment configuration.