Expel's Threat Intelligence Capabilities
Expel has a Cyber Threat Intelligence team that monitors threats via feeds, communities, and other sources, and identifies patterns of attack across our customer base. We use this information to proactively inform customers about late-breaking threats via Threat Bulletins, and to proactively hunt across our customer base.
What are Threat Bulletins?
Threat Bulletins are communications that Expel issues to customers when we detect or are informed of industry-wide, emerging threats. These communications provide guidance on how to mitigate the risk from these impending threats.
To view Threat Bulletins, navigate to Threats > Emerging Threats in Workbench.
When does Expel issue a Threat Bulletin?
Expel reserves Threat Bulletins for serious situations, such as when:
- We learn of or detect a new or novel/emerging attack by a threat actor
- A threat is related to a new vulnerability
- A known vulnerability progresses from a proof of concept with no known exploitation to being easily exploitable
Expel informs you of any pertinent information on the threat, what we're doing to protect you, and/or what you may need to do to protect your organization — such as implementation of a patch or compensating control.
What are Emerging Threat Hunts?
When Expel determines a Threat Bulletin is necessary, there is often a need to do a historical scan of the relevant technology logs for any known indicators of compromise (IOCs) in a customer's environment to determine possible impact.
In those situations, we will search the raw logs of supported technology for the IOCs we know about at the time, and determine if you appear to be impacted. If potential impact is detected, a hunt on that data will begin and Expel alerts may be generated and triaged by Expel SOC analysts to determine if any malicious activity did in fact take place. SOC analysts will then open investigations and incidents as necessary. Expel always recommends double-checking your environment for the IOCs we provide in these communications.
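The sweep described above is, at its core, a search of raw log data for a set of indicators within a bounded historical window. The following is an added example of such an IOC sweep; it is illustrative code written for this page, not Expel's tooling or Workbench. It assumes logs as JSON lines with an ISO 8601 `ts` field, takes indicators in the defanged form bulletins commonly use (`hxxp://`, `[.]`), matches IPs, domains (including subdomains), and SHA-256 hashes, and applies a two-week default lookback. The indicators and log lines are constructed sample data, not real threat intelligence.

```python
"""Historical IOC sweep over JSON-lines logs (added example, not Expel's code)."""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Two-week default lookback, matching the default described on the page.
DEFAULT_LOOKBACK = timedelta(days=14)

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")


def refang(value: str) -> str:
    """Normalise a value as bulletins defang it: hxxp://, [.], (.), [:]; lowercase; no scheme."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^(hxxps?|https?)://", "", v)
    return v.rstrip("/")


def classify(ioc: str) -> str:
    """Bucket a normalised indicator as 'ip', 'sha256', 'domain' or 'other'."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if SHA256_RE.match(ioc):
        return "sha256"
    if DOMAIN_RE.match(ioc):
        return "domain"
    return "other"


def host_of(value: str) -> str:
    """Reduce a URL or host:port string to its host (IPv4/hostname only; no IPv6 handling)."""
    v = refang(value).split("/", 1)[0]
    return v.split(":", 1)[0] if v.count(":") == 1 else v


def matches(value: str, ioc: str, kind: str) -> bool:
    """Does one log field value hit the indicator? Subdomains of a malicious domain count."""
    v = refang(value)
    if kind == "sha256":
        return v == ioc
    if kind == "ip":
        return host_of(v) == ioc
    if kind == "domain":
        h = host_of(v)
        return h == ioc or h.endswith("." + ioc)
    return ioc in v


def iter_strings(obj, prefix=""):
    """Yield (dotted field path, string) for every string leaf of a parsed event."""
    if isinstance(obj, dict):
        for k, val in obj.items():
            yield from iter_strings(val, f"{prefix}.{k}" if prefix else k)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from iter_strings(val, f"{prefix}[{i}]")
    elif isinstance(obj, str):
        yield prefix, obj


def sweep(log_lines, raw_iocs, now=None, lookback=DEFAULT_LOOKBACK):
    """Return hits (ts, field, ioc, kind) for events inside [now - lookback, now]."""
    now = now or datetime.now(timezone.utc)
    start = now - lookback
    iocs = {refang(r): classify(refang(r)) for r in raw_iocs}
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole sweep
        ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)
        if not (start <= ts <= now):
            continue  # outside the historical window
        for field, value in iter_strings(event):
            if field == "ts":
                continue
            for ioc, kind in iocs.items():
                if matches(value, ioc, kind):
                    hits.append({"ts": event["ts"], "field": field, "ioc": ioc, "kind": kind})
    return hits


# Constructed sample indicators (documentation IP range, placeholder domain, SHA-256 of "").
SAMPLE_IOCS = [
    "198.51.100.23",
    "bad-updates[.]example",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
]
# Constructed sample log lines; the 2024-05-20 event falls outside the two-week window.
SAMPLE_LOGS = [
    '{"ts":"2024-06-14T08:12:03Z","event":"dns","src_ip":"10.0.0.5","query":"cdn.bad-updates.example"}',
    '{"ts":"2024-06-10T22:40:11Z","event":"netflow","src_ip":"10.0.0.8","dst_ip":"198.51.100.23","dst_port":443}',
    '{"ts":"2024-05-20T01:00:00Z","event":"netflow","src_ip":"10.0.0.8","dst_ip":"198.51.100.23"}',
    '{"ts":"2024-06-12T15:05:30Z","event":"edr","host":"ws-042","file":{"path":"C:\\\\Users\\\\Public\\\\loader.bin","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}',
    '{"ts":"2024-06-13T09:00:00Z","event":"proxy","src_ip":"10.0.0.9","url":"https://www.example.org/index.html"}',
    'not json at all',
]
SAMPLE_NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)


def run_sample():
    """Sweep the constructed logs as of SAMPLE_NOW."""
    return sweep(SAMPLE_LOGS, SAMPLE_IOCS, now=SAMPLE_NOW)


if __name__ == "__main__":
    for h in run_sample():
        print(h)
```

A real sweep would read from the log platform's query API rather than a file, but the two decisions that matter are the same: normalise indicators before comparing (defanging and case differences silently produce zero hits otherwise), and bound the window explicitly so a "no results" answer is understood as "no results in the last two weeks", not "never".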
When does Expel conduct or deliver an Emerging Threat Hunt?
Emerging Threat Hunts are offered to Expel MDR customers who have purchased the Expel MDR Premium tier, or signed with equivalent entitlements.
Expel makes a determination to deliver an Emerging Threat Hunt if the nature of the threat and its urgency warrant a historical IOC sweep of the customer base. For example, when we have high-fidelity specifics on the IOCs tied to an attack and determine that existing vendor technology defenses may not catch or block the attack, and Expel detections would not have alerted on it.
In some cases an Emerging Threat Hunt would not apply, such as when a vulnerability's exploitation maturity is updated but there are no known cases of exploitation, or when exploiting it requires in-person access.
Limitations may also prevent an Emerging Threat Hunt from being conducted in your environment even when Expel issues a Threat Bulletin. For instance, if a customer doesn't have the appropriate technology onboarded to Workbench at the time, if Expel doesn't have access to the logs, or if the customer is not subscribed to the Expel MDR Premium tier.
What can I expect from an Emerging Threat Hunt?
Emerging Threat Hunts are the follow-on actions from a Threat Bulletin when the situation is a good fit for a threat scan to be conducted.
In the Threats section in Workbench there will be a clear trail of the activity done in your environment, including:
- What we were looking for (the IOCs) and why
- Where in your environment we were looking
- The time range when we were looking (a two-week period is the default)
- Whether we found evidence of threats in your environment, and any resulting alerts, investigations, or incidents
How is Expel protecting me from that threat moving forward?
Expel will create a detection for the threat when applicable. This will be tagged with the term "Emerging Threat," will be visible in the Detections area of Workbench, and will be linked to from the Threat Bulletin.
In some cases a detection will be retired, for example when its IOCs become stale, or when the vendor technology has implemented an equivalent detection and ours would be a duplicate.
Limitations of an Emerging Threat Hunt
Expel Emerging Threat Hunts do have limiting factors, including:
- A two-week default period of a historical lookback.
- An Expel Threat Bulletin must be issued for us to conduct these — meaning we do not take customer requests for ad hoc threats — however, you can open an on-demand investigation in those situations.
- Not all technology or attack surfaces may be supported or considered in scope for a viable Emerging Threat Hunt.
- Customers will need to be subscribed to the appropriate MDR SKUs and tiers, as applicable.