Security operations | 2 min read | 2023 Great eXpeltations report: top six findings
Our second annual Great eXpeltations report details the major trends our security operations center (SOC) team saw in customer environments last year. It also offers insights and advice to help you avoid these threats.
Security operations | 4 min read | Attacker-in-the-middle phishing: how attackers bypass MFA
A new credential phishing tactic, called “attacker-in-the-middle” (AitM), can be effective at end-running MFA defenses. This analysis describes AitM and provides helpful advice for defending against it.
Security operations | 2 min read | Security alert: high-severity vulnerability affecting OpenSSL V3 and higher
The OpenSSL Project has identified two security vulnerabilities affecting OpenSSL v3.0 and later. Potentially affected users of versions 3.0.0-3.0.6 should upgrade to v3.0.7 as soon as it is reasonable to do so.
Security operations | 4 min read | Who ya gonna call (to make the most of your SIEM data)?
Customers who import their SIEM to a tool like Workbench can translate all the hours invested in development into customized rules. In other cases, they may realize they no longer need a SIEM.
Tips | 5 min read | An Expel guide to Cybersecurity Awareness Month 2022
As proud Champions of Cybersecurity Awareness Month 2022, we’ve curated some Expel resources to help your organization improve its cybersecurity posture—this October, and beyond.
Security operations | 2 min read | Emerging Threats: Microsoft Exchange On-Prem Zero-Days
Until a patch is issued for the Microsoft Exchange Server zero-day vulnerabilities, there are a few things security teams can do to temporarily mitigate risk. Here’s what we recommend.
Security operations | 12 min read | Detection and response in action: an end-to-end coverage story
This dramatized case study illustrates how our MDR, phishing, and threat hunting services work, and most importantly, how they work together.
Security operations | 6 min read | Incident report: how a phishing campaign revealed BEC before exploitation
By the time the 89th phishing alert sounded, we knew a large-scale campaign had successfully hit a customer. This case walks you through what happened, what we did, and how it played out.
Talent | 8 min read | A year in review: An honest look at a developer’s first 12 months at Expel
Get a peek behind the curtain as one of our senior software engineers reflects on his experience during his first year at Expel, from the interview process all the way to where he is now.
Security operations | 2 min read | A defender’s MITRE ATT&CK cheat sheet for Google Cloud Platform (GCP)
In this new handy guide, we mapped the patterns we’ve seen throughout our GCP incident investigations to the MITRE ATT&CK Framework to help give you a head start protecting your organization.
Security operations | 4 min read | How Expel’s Alert Similarity feature helps our customers
We process millions of alerts each day, and many look similar to one another. We asked ourselves: is it possible to teach our bots to compare similar “documents” and suggest or recommend a next step? (Spoiler alert: YES!)
Security operations | 2 min read | Cutting Through the Noise: RIOT Enrichment Drives SOC Clarity
Security operations | 5 min read | Detecting Coin Miners with Palo Alto Networks NGFW
With cryptojacking on the rise, we walk through why we’ve found Palo Alto Networks next-generation firewall is great at detecting it, and some actions we’ve integrated into our detection bot to help.
Expel insider | 3 min read | RSA Conference Day 3: Impressions From the Show Floor
Day three of the conference was full of interesting conversations with long-time industry folks who are no stranger to RSA. Here are some of our favorite takeaways and observations.
Threat Intelligence | 3 min read | Expel Quarterly Threat Report: Cybersecurity data, trends, and recs from Q1 2022
Top takeaways from our first quarterly report, filled with patterns and trends we identified from Q1 2022. Our goal? Help translate the events we detect into a security strategy for your organization.
Security operations | 6 min read | Incident report: From CLI to console, chasing an attacker in AWS
Our SOC detected and stopped unauthorized access in one of our customer’s AWS environments. Here’s how we spotted it, the steps we took to understand what they did, lessons learned and key takeaways.
Security operations | 5 min read | Attack trend alert: Email scams targeting donations to Ukraine
As more people look to donate to Ukrainian relief efforts, bad actors are taking advantage. Look out for these phishing scams to ensure your donations are actually going to help those in need.
Security operations | 2 min read | Top 7 recs for responding to the Lapsus$ breach claims
While the situation surrounding the reported breach of Okta by Lapsus$ is still developing, here are our top 7 recommendations you can take to protect yourself and your org.
Security operations | 5 min read | Evaluating MDR providers? Ask these questions about their onboarding process
Looking for an MDR provider? Make sure you understand their onboarding process. Here are the questions you should ask when you’re evaluating MDRs. Bonus: learn how we do onboarding here at Expel.
Security operations | 4 min read | Attack trend alert: AWS-themed credential phishing technique
They’re at it again. This time attackers are phishing for credentials by sending fake AWS log-in pages to unsuspecting users. Find out how our crew identified and triaged a phishing email.
Expel insider | 2 min read | Great eXpeltations 2022: Cybersecurity trends and predictions
Introducing Great eXpeltations 2022: Cybersecurity trends and predictions — an annual report from our security operations center (SOC) on top threats, how to handle them, and what to expect this year.
Security operations | 9 min read | The Grinchy email scams to watch out for this holiday season
As the holidays approach, cyber Grinches are targeting phishing campaigns to steal data, credentials and more. Look out for these email scams while online shopping and checking your inbox this season.
Security operations | 5 min read | The top phishing keywords in the last 10k+ malicious emails we investigated
Curious how attackers are prompting victims to engage with phishing campaigns? Check out the top keywords from the malicious emails our SOC investigated and our top resilience recommendations.
Security operations | 6 min read | Swimming past 2FA, part 2: How to investigate Okta compromise
First we showed you how to spot an Okta compromise in this two-part blog series. Now we’ll walk you through our investigation and share five tips on how you can strengthen your security defense.
Security operations | 6 min read | How Expel goes detection sprinting in Google Cloud
Building detections in Google Cloud Platform (GCP) but not sure where to start? Time to get strategic. Our detection and response engineers demystify the process for building detections in the cloud.
Security operations | 9 min read | Well that escalated quickly: How a red team went from domain user to kernel memory
A red team recently swooped in and showed off some new tactics. What started as a PowerShell download cradle quickly turned into a custom rootkit download. Find out how we spotted the crafty red team.
Security operations | 4 min read | How should my MDR provider support my compliance goals?
Need to ensure your tech, privacy and security policies are compliant? Find out what compliance means in practice and how your MDR provider can support your compliance program, not become a liability.
Security operations | 4 min read | Swimming past 2FA, part 1: How to spot an Okta MITM phishing attack
Crafty attackers are finding new ways to bypass multi-factor authentication. Find out how our SOC detected an attack and get some tips on how your org can prevent credential phishing.
Security operations | 4 min read | Someone in your industry got hit with ransomware. What now?
We’re noticing a trend in ransomware attacks. But that doesn’t mean it’s time to go into panic mode. Find out what you need to know and get some tips on how you can keep your org safe.
Security operations | 7 min read | Cloud attack trends: What you need to know and how to stay resilient
We shared the top attack trend spotted during the pandemic and what to keep an eye out for looking ahead. But how do you remediate and stay resilient against these attacks? Our crew shares some tips.
Check out our newest infographic to learn about the top attack trend during the COVID-19 pandemic, how our SOC’s data reinforces these recent findings and how you should be looking ahead.
Engineering | 12 min read | Migrating to GKE: Preemptible nodes and making space for the Chaos Monkeys
Find out how Expel’s internal teams collaborated to migrate our core infrastructure from a legacy environment to GCP, with no downtime (while also making sure they were prepared for a little chaos).
Engineering | 6 min read | 5 best practices to get to production readiness with Hashicorp Vault in Kubernetes
Flying blind when it comes to running Hashicorp Vault in Kubernetes? We’ve got you covered. Accelerate your path to production without compromising on security with these tips and best practices.
Tips | 6 min read | How to create (and share) good cybersecurity metrics
Establishing metrics is vital. But how do you report progress and have a conversation about what you’re seeing? Are you even looking at the right things? Here are some tips on measuring cybersecurity.
Engineering | 12 min read | Behind the scenes: Building Azure integrations for ASC alerts
Find out how Expel’s internal teams built an integration on top of Azure signal – creating a new detection strategy for ASC that provides more context around alerts and improves customer visibility.
Expel insider | 3 min read | Introducing Expel Workbench™ for Amazon Web Services (AWS)
We’re excited to announce the launch of our first SaaS product! It automates the investigation of AWS alerts and logs – allowing your team to spend less time finding and fixing security issues.
Engineering | 7 min read | Plotting booby traps like in Home Alone: Our approach to detection writing
Find out how Expel’s D&R engineers think about detection writing, and how this process helps our SOC analysts make smart decisions and gain a deeper understanding of our customers’ environments.
Threat Intelligence | 6 min read | Supply chain attack prevention: 3 things to do now
What do you do when you can’t trust the internet? Supply chain attacks like the SolarWinds Orion breach are not new. Here are some things you can do to help prepare and guard against similar attacks.
Security operations | 8 min read | Improving the phishing triage process: Keeping our analysts (and our customers) sane
Here’s how Expel created a phishing triage process that keeps our analysts’ heads above water while also ensuring that a trained pair of eyes is on every email submitted by our customers.
Security operations | 3 min read | The SolarWinds Orion breach: 6 ideas on what to do next and why
Here are some of our early observations on the SolarWinds Orion breach, plus our ideas on what to do next to detect related activity and better protect your org.
Security operations | 8 min read | How to investigate like an Expel analyst: The Expel Workbench managed alert process
Ever wonder about how Expel’s analysts investigate alerts? Our SOC team created a workflow called the Expel Workbench managed alert process. Read on to find out how it works and how it can help you.
Security operations | 6 min read | Evilginx-ing into the cloud: How we detected a red team attack in AWS
Red team sneak attack? Bring it on. Find out how we tackled a red team attack using open source offensive security tools in AWS and what you can do to protect your org from similar attacks.
Security operations | 4 min read | The CISO in 2020 (and beyond): A chat with Bruce Potter
It’s impossible to sum up a year that felt like 1000 in a single blog post. But we did gather some topline takeaways on security trends and the evolving role of the CISO from Expel’s Bruce Potter.
Engineering | 2 min read | Announcing Open Source python client (pyexclient) for Expel Workbench
We’re open sourcing a python client in the Expel Workbench! This labor of love will allow our customers to take advantage of our APIs. Find out what the release of the pyexclient project includes.
Security operations | 9 min read | Performance metrics, part 2: Keeping things under control
In this second post in our three-part series on all things metrics and SOC leadership, our team dives into details of what metrics and techniques are used to protect the SOC against volatility.
Security operations | 10 min read | Performance metrics, part 1: Measuring SOC efficiency
How do you establish metrics for SOC efficiency? This first post in a three-part series shares our team’s approach to setting SOC goals, creating a strategy and measuring success.
Tips | 9 min read | 3 steps to figuring out where a SIEM belongs in your security program
How can a SIEM help you address your business needs? Do you even need a SIEM? Here are some tips to help you make a decision that works best for you.
Security operations | 5 min read | Managed detection and response (MDR): symptom or solution?
An uncommonly clear review of what managed detection and response (MDR) is, where it came from and what it can/can't do for you.