Ben Brigida (@the_real_benb)'s Twitter Profile
Ben Brigida

@the_real_benb

ID: 894771821165256708

Joined: 08-08-2017 04:06:41

18 Tweets

89 Followers

56 Following

Jon Hencinski (@jhencinski)

We've shared some Expel data on #BEC attacks. Key takeaways?

- Inbox rules to delete undeliverable bounces are the MIMIKATZ of #BEC
- Scrutinize logins from odd geolocations like it's an encoded PS command
- MFA all the things, conditional access policies in the meantime

Jon Hencinski (@jhencinski)

Ever wondered what it's like to work in a #SOC that plays defense in #AWS? We wrote this post for you. Go behind the scenes in our SOC as we respond to an attack in AWS. We share: detection, investigation, escalation & lessons learned. expel.io/blog/behind-th…

Jon Hencinski (@jhencinski)

As a #SOC leader you have to manage your alert arrival rate AND cognitive loading. If you don't, well, SOC burnout has entered the chat. Next Tues we'll release part 2 of our SOC metrics series and share how we use data (and tech) to prevent analyst burnout at Expel.

Jon Hencinski (@jhencinski)

One of the (many) things I had to learn when I made the jump from practitioner to #SOC manager / leader was time series analysis and its application to threat detection.

It's more than a line that goes 📉 - it lets you know what's happening.

Ref: expel.io/blog/performan…
Jon Hencinski (@jhencinski)

Another day, another red team dumping lsass via ProcDump:

- Lateral movement via PsExec
- CMD shell spawned from PSEXESVC service to run procdump64.exe -ma -r lsass.exe na.dmp
- PSEXESVC.exe run from services.exe means host was recipient of PsExec connection
- Blocked by #EDR
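The process chain in the tweet above (services.exe -> PSEXESVC.exe -> cmd.exe -> procdump64.exe targeting lsass) is exactly what a process-tree detection keys on. The following is an added example, not Expel's or the author's code: it walks constructed Sysmon-style process-creation events and flags a ProcDump of lsass, rating it higher when the ancestry shows the host was the recipient of a PsExec session.

```python
# Added example: detect ProcDump dumping LSASS and check whether the
# process ancestry shows a PsExec service (PSEXESVC under services.exe).
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # image file name, lowercased for matching
    cmdline: str


# Constructed sample telemetry (not real logs) reproducing the chain in the tweet,
# plus a benign ProcDump of a hung application for contrast.
EVENTS = [
    ProcEvent("ws01", 600, 4, "services.exe", "services.exe"),
    ProcEvent("ws01", 3100, 600, "psexesvc.exe", "PSEXESVC.exe"),
    ProcEvent("ws01", 3120, 3100, "cmd.exe", "cmd.exe"),
    ProcEvent("ws01", 3140, 3120, "procdump64.exe",
              "procdump64.exe -ma -r lsass.exe na.dmp"),
    ProcEvent("ws02", 4000, 900, "explorer.exe", "explorer.exe"),
    ProcEvent("ws02", 4010, 4000, "cmd.exe", "cmd.exe"),
    ProcEvent("ws02", 4020, 4010, "procdump64.exe",
              "procdump64.exe -ma outlook.exe out.dmp"),
]


def ancestry(ev, by_key, max_depth=6):
    """Return image names from ev up through its parents (closest first)."""
    chain, cur = [], ev
    while cur is not None and len(chain) < max_depth:
        chain.append(cur.image)
        cur = by_key.get((cur.host, cur.ppid))
    return chain


def detect_lsass_dump_via_psexec(events):
    by_key = {(e.host, e.pid): e for e in events}   # pids are per host
    findings = []
    for e in events:
        if not e.image.startswith("procdump") or "lsass" not in e.cmdline.lower():
            continue
        chain = ancestry(e, by_key)
        # PSEXESVC spawned by services.exe => this host received a PsExec connection
        via_psexec = "psexesvc.exe" in chain and "services.exe" in chain
        findings.append({"host": e.host, "pid": e.pid, "chain": chain,
                         "via_psexec": via_psexec,
                         "severity": "high" if via_psexec else "medium"})
    return findings
```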
Ben Brigida (@the_real_benb)

Great blog about lateral movement by Expel's very own Jon Hencinski. Especially useful if you have never found and investigated an attacker moving through a network hencinski.medium.com/whats-lateral-…

Jon Hencinski (@jhencinski)

Teach #SOC analysts how to ask the right questions - not just how to follow a playbook

- An alert is a question
- Asking the right questions is key
- #OSCAR isn't just a grouch, it's an investigative framework

Steal the Expel methodology: expel.io/blog/how-to-in…
Jon Hencinski (@jhencinski)

#SOC culture isn't text or memes on a slide. It's how the team reacts / operates. When an analyst makes the wrong call (they will), do you analyze to find blame? Or have you created psychological safety and a culture where mistakes are shared openly and used for learning?

Jon Hencinski (@jhencinski)

Quick 🧵 of some of the insights and actions we're sharing with our customers based on Q2 '21 incident data. TL;DR:

- #BEC in O365 is a huge problem. MFA everywhere, disable legacy protocols.
- We're 👀 more ransomware attacks. Reduce/control the self-install attack surface.

Jon Hencinski (@jhencinski)

Gathering my thoughts for a panel discussion tomorrow on scaling #SOC operations in a world with increasing data as part of the Sans #BlueTeamSummit. No idea where the chat will take us, but luck favors the prepared. A 🧵 of random thoughts likely helpful for a few.

Jon Hencinski (@jhencinski)

Once a month we get in front of our exec/senior leadership team and talk about #SOC performance relative to our business goals (grow ARR, retain customers, improve gross margin).

A 🧵 on how we translate business objectives to SOC metrics.
Jon Hencinski (@jhencinski)

>50% of the incidents we detect are identity-based. Right now, we're seeing #BEC activity focused on payroll fraud via Workday. Attack paths:

- Compromise #O365 account via 🎣, recon, gain access to Workday
- Compromise #Okta (SSO) account via 🎣, access Workday via SSO

Jon Hencinski (@jhencinski)

SOC defenders, trust your gut. Inbox rules may seem legit, but if the auth pattern is unusual, take a step back. Am I seeing a potential account compromise and steps to perform payroll fraud?

Jon Hencinski (@jhencinski)

To improve scale and quality of our #SOC we look at a *ton* of data and ask a lot of "What if..." questions. A guiding principle: every change we make must put us in a better position to protect our customers. The goal != make numbers move; the goal = improve ability to protect.

Jon Hencinski (@jhencinski)

Recent pre-ransomware incident identified by our #SOC:

- Initial access: Remote access using compromised credentials
- Enumeration: AdvancedIPScanner, net commands
- Lateral movement: PsExec, RDP, SMB
- Defense Evasion: AmsiScanBuffer bypass, cleared Windows event logs
-