Actively Countering Advanced Persistent Threats with External Telemetry
A technology company (the Client) with thousands of employees across the globe was under attack by a nation-state level adversary. They requested Nisos’ assistance to provide critical intelligence to detect indicators and respond to the attack. Given the nature of the Client’s platforms and sensitive data, the Client has been and continues to be a target of nation-state actors.
The Client requested our access and expertise to analyze edge network telemetry beyond the reach of their SOC to ensure the adversary no longer maintained access following the Client’s incident response effort. While the Client responds to security incidents on a daily basis, they called in our expertise when it was clear an advanced attacker had gained access to their environment. They required a high level expertise and an adversarial mindset to bear against this problem set. More specifically, the Client needed to confirm whether the attacker was truly out of their network and whether or not Nisos could identify any additional details that would provide the SOC with actionable threat intelligence to counter future attacks.
We did not require network access to the Client’s environment. We used our access to discreet, external telemetry and proprietary datasets to support the engagement. We established an out-of-band communications channel using an encrypted chat application in the event the Client’s email was compromised.
The Client SOC displayed well above average ability to detect and respond to sophisticated attacks for a mid-market technology company. The Client’s SOC was able to detect and correlate the following adversary actions:
- Scanning activity on the edge of their network
- Initial access via client-side exploitation
- Credential harvesting via in-memory mimikatz
- Lateral movement using remote service creation and WMI
- Process trees associated with malicious activity
- Persisted keystroke logger and screenshot capture tools (on-disk)
- Command and control (C2) traffic
Using a variety of both commercially available and proprietary technical datasets, we assisted the Client’s SOC in identifying:
- The actor’s C2 server
- The use of the commercial attack platform with an https profile
- The source range from where the C2 server was managed
- Additional C2 servers, using the same management port, in use with other active targets
- Management activity associated with the C2 server
- The Digital Ocean VPS used for port and web application scanning
Above and Beyond Traditional EDR
Shortly after the attack, the Client’s Endpoint Detection and Response (EDR) vendor alerted the Client of a sophisticated attack occurring on the Client’s network. While the vendor had significant EDR telemetry at its disposal, their analysis was insufficient to identify the C2 server and only provided confirmation of what the SOC had already observed.
The EDR vendor’s analysis mistakenly identified an intermediate Certificate Authority IP address as the IP address for the C2 server and failed to identify the installation and persistence of a keystroke logger and screenshot capture tool. The EDR vendor correctly identified this as a sophisticated attack, but this conclusion was reached solely based on the attacker’s lack of typos in executing native commands and powershell.
Using a list of IPs the vendor sent the Client’s SOC, we assisted the Client in determining they were related to the attacker. However, the IP information alone failed to identify the attacker’s C2 server until Nisos provided additional telemetry. It was clear the EDR vendor had a limited window into the attack and experienced difficulties in differentiating benevolent host traffic from actual malicious traffic.
With Nisos’ assistance, the Client was able to identify and mitigate an advanced attack within hours of the initial compromise and the Client’s detection of the attack. This prevented the attackers from gaining a foothold on the network and armed the Client with actionable intelligence to have equal defensive success should this attacker attempt to return in the future. Based on a team effort, combining analysis from the Client, the EDR vendor, and Nisos, the Client was confident the attackers were no longer active in the network and did not compromise any critical internal resources.
Whether it is supporting a Client’s internal security team or working alongside other security service providers, Nisos can bring capabilities to bear that go beyond the Client network and cursory analysis. Nisos’ wealth of experience and data analytics can augment the team and make everyone a more effective network defender.
Nisos is the Managed Intelligence company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.
For additional information, contact firstname.lastname@example.org