DDOS Investigation Leads to Much Greater Network Security Bolstering
A multinational manufacturer (The Client) needed assistance investigating a large-scale distributed denial of service (DDOS) attack against several publicly accessible websites and applications. In the course of the attribution investigation, we detected indicators of wide-spread compromise on the Client’s network using external telemetry not available to the Client.
The Client had a strong understanding of it’s internal network security and posture, but desired to work with a partner that could draw on data and analytic expertise outside of its environment to extend the reach of its investigation and better inform its response.
Nisos analysts conducted an external investigation based on information and lead data provided by the Client’s information security teams. Nisos analysts conducted a broad-spectrum external threat hunt using a variety of third-party data sets and OSINT-derived data to provide context surrounding the DDOS attack as well as locate potential indicators of a compromise currently active inside of the Client network.
Nisos analysts took the following approach:
- Gather available log data from Client’s information security team and parse data for unique selector information to include source and destination IP addresses, client user-agents and HTTP request content.
- Research identified attack sources and related activity in open source reporting and commercial Threat Intelligence feeds.
- Review external network traffic from Client registered network ranges in third-party datasets for suspected botnet and other anomalous traffic.
- Search third-party datasets for non-Client targeted traffic from identified attack sources to profile the attack hosts and provide context-based analysis of activity.
- Review OSINT and “Dark Web” data sources for attacker communications to include attack planning and after-action discussions.
- Research and monitor known discussion boards, chat rooms and paste sites for information and communications related to attack.
Due to the widely distributed nature of the attack and limitations in available technical data surrounding this event, direct attribution of the actors via purely technical means was not plausible. We employed alternative methods in parallel to the technical analysis in an attempt to identify the threat actors based on potential participation in discussion boards, forums, user groups, etc.
In the course of the investigation, Nisos operators detected a wide range of suspicious network connections between registered Client network ranges and malicious Internet-based hosts.
- Potential Gumblar, Kasidet, Pony Loader, VertexNet Botnet/C2 traffic originating from corporate networks.
- Suspicious network-based connections and flow data originating from corporate networks.
- Network and web application connections from suspicious and known malicious source IP addresses. Several of these source addresses were detected in contemporary botnet and indicator of compromise (IOC) reporting.
Using our findings, the Client was able to gain greater context and understanding of the nature of the threats to its environment, well beyond the initial DDOS attack. Working with Nisos, the Client developed an action plan to harden its defenses with a more advanced threat hunting program.
Initial steps included:
- Continuous threat hunting and develop internal threat hunting processes
- Deployment of Sysmon on Microsoft Windows-based systems
- Deployment of OSQUERY on Windows, Linux, and OSX systems
- Change management processes across enterprise solutions
- Incremental changes to harden current firewall policy
- Scripted containment procedures for detections and incidents
- Implementation of a hardware and software asset inventory system
Nisos is the Managed Intelligence company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.
For additional information, contact firstname.lastname@example.org