As an extension of your security team, we are focused on understanding the risks to your organization, by leveraging the security signal your investments generate. Hunting is a way of furthering managing the risks that your organization is facing. We extend our focus beyond post-compromise activity to proactive monitoring of events/data that aren’t being surfaced by your existing security investments.
What is hunting?
In short, hunting is a proactive effort that applies a hypothesis to discover suspicious activity or areas of risk that may have slipped by your security devices. Rather than solely relying on our customer security devices to detect and generate alerts on certain activity, we query customer devices for a bulk set of data which we analyze based on our hypothesis and deliver additional value from our customers security investments.
With hunting, we assume that something has already failed and you're compromised. The attacker has gotten past the perimeter (aka inside the network) and we’re looking for them. Because we don’t know where the attacker is hiding or who they’re trying to impersonate, we start with a theory based on common tactics attackers use. We use the MITRE ATT&CK framework as our guide to developing new hunting theories. It outlines the tactics and techniques attackers commonly use at each stage of the attack lifecycle. Events that match our theory become investigative leads for an analyst to further review.
What’s our process?
Step 1: Expel uses a library of hunting techniques to pick from representing hypotheses to detect risk at various stages of the attack life cycle. Engagement Managers work with you to select hunting techniques or a series of techniques that work best for you, based on your technology stack and available hunts at Expel.
Step 2: Our hunting platform (Jager) uses Scavenger to schedule data collection in your environment to fit the hypotheses of the hunts available in your environment. This includes sorting, filtering, calculating, enriching and down-selecting data based on specific logic.
Step 3: Engagement Managers instantiate a hunt for our analysts to run, based on feedback from the customer and the data collected by our hunting platform.
Step 4: Jager generates an output of items that meet the hypothesis of the hunt and prepares them for analyst review by uploading the results to Workbench.
Step 5: Analysts use Jupyter Notebooks to analyze and triage the post-processing results from Jager. Jupyter Notebooks include customer context, tuning suppressions, enrichment, graphs, charts, tables and tools to assist analysts with identifying indicators of risk from a bulk set of post-processing results.
Step 6: Analysts tag records which they believe you should know about. The tagged records are uploaded to the Workbench Findings report as well as a finding note from the analyst.
- Malicious: Events identified as Malicious are indicative of attacker behavior or is an indicator or serious risk. Malicious findings are generally accompanied by recommended containment and remediation actions or resilience recommendations.
- Suspicious: Events identified as Suspicious are events which cannot be confirmed either because it’s also similar to some system administration type activities or because further analysis of the event was not available through security tech and OSINT. These events may present risk and need further customer validation to determine if the activity is expected.
- Notable: Events identified as Notable are likely benign but noteworthy and may potentially present limited risk to you.