Expel Unveils Threat Research and Cloud Detection, Response and Remediation Capabilities and Resources

Expel, the managed security provider that aims to make security easy to understand, use and improve, unveiled new threat research and cloud detection, response and remediation resources.

“As defenders, we need to use every advantage we have. One of those is all of us being part of a defense community, sharing knowledge—about threats, vulnerabilities, defensive strategies—to better protect each other,” said Dave Merkel, CEO and co-founder of Expel. “I hope our threat intel and cloud security resources are useful to both our customers and the cybersecurity community at large.”

Recommended AI News: Zebra Pen Launches Augmented Reality Consumer Experience

The Expel Quarterly Threat Report (QTR) showcases the established and emerging trends and incidents the Expel security operations center (SOC) team observed across customer environments. The SOC team gathers its findings through investigations into alerts, email submissions, and hunting leads and threats from the second quarter of 2022 (April 1 to June 30). A thorough analysis of incidents identifies patterns and trends to help guide strategic decision-making and operational processes.

Some key takeaways from the QTR include:

• Identity-based attacks—which include credential theft, credential abuse, and long-term access key theft—accounted for 56% of all incidents identified by the Expel SOC in Q2.

• Ransomware threat groups and their affiliates have mostly abandoned the use of Visual Basic for Application (VBA) macros and Excel 4.0 macros to gain initial entry to Windows-based environments.

• Fourteen percent of identity attacks against cloud identity providers satisfied the multi-factor (MFA) requirement by continuously sending “Push” notifications to users until they approved.

Recommended AI News: Monite Partners With Codat to Enable Any App to Embed Invoicing and Bill Payment Features  

MITRE ATT&CK in Google Cloud Platform: A defender’s cheat sheet. As threat actors increasingly operate in the cloud, the Expel SOC team observes their activity and strategies to share information to educate defenders. The MITRE ATT&CK guide for Google Cloud Platform (GCP) contains a breakdown of the tactics the Expel SOC team sees attackers use most often during attacks in GCP. The guide also includes best practices for investigating incidents, and helps inform organizations’ GCP alert triage, and incident response to quickly remediate issues. Lastly, this cheat sheet includes a “mind map” that lays out the relationship between MITRE ATT&CK tactics, GCP services, and API calls to help security teams better understand how threat actors execute attacks. To learn more and download the defender’s cheat sheet for MITRE ATT&CK in GCP.

Expel Cloud Detection and Response. Expel ingests events and log data from GCP, Amazon Web Services (AWS), and Azure and enriches it with customer-specific context such as the type of environment (e.g., production, development) or user (e.g., admin) to hone detection based on risk and expected behaviors. Expel layers on the detections, ingesting security signal from cloud-native services and writing custom detections tailored to each cloud provided from the logs in the cloud admin control plane. Expel’s cloud infrastructure strategy is focused on catching misconfigurations, suspicious logins and unusual admin activity, like resource sharing.

Recommended AI News: Omnicom Precision Marketing Group Leads Forrester’s Creative Agency Assessment

[To share your insights with us, please write to sghosh@martechseries.com]