CASE STUDY

DDOS Investigation Leads to Much Greater Network Security Bolstering

Apr 16, 2020 | Case Study, Outside Intel

The Challenge

A multinational manufacturer (The Client) needed assistance investigating a large-scale distributed denial of service (DDOS) attack against several publicly accessible websites and applications. In the course of the attribution investigation, we detected indicators of wide-spread compromise on the Client’s network using external telemetry not available to the Client.

Why Nisos

The Client had a strong understanding of its internal network security and posture, but wanted to work with a partner that could draw on data and analytic expertise outside of its environment to extend the reach of its investigation and better inform its response.

Preparation

Nisos analysts conducted an external investigation based on information and lead data provided by the Client’s information security teams. They carried out a broad-spectrum external threat hunt using a variety of third-party data sets and OSINT-derived data to provide context surrounding the DDOS attack and to locate potential indicators of compromise currently active inside the Client network.

Execution

Nisos analysts took the following approach:

  1. Gather available log data from the Client’s information security team and parse it for unique selector information, including source and destination IP addresses, client user-agents and HTTP request content.
  2. Research identified attack sources and related activity in open source reporting and commercial Threat Intelligence feeds.
  3. Review external network traffic from Client registered network ranges in third-party datasets for suspected botnet and other anomalous traffic.
  4. Search third-party datasets for non-Client targeted traffic from identified attack sources to profile the attack hosts and provide context-based analysis of activity.
  5. Review OSINT and “Dark Web” data sources for attacker communications to include attack planning and after-action discussions.
  6. Research and monitor known discussion boards, chat rooms and paste sites for information and communications related to the attack.
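As an added example that is not part of the Nisos case study, the following code shows what steps 1 and 2 look like in practice: parsing web server log lines into selectors (source IP, request, status, user-agent), aggregating per source, and flagging sources that fall inside ranges reported by an indicator feed. The log lines, the IOC_FEED ranges and the helper names are constructed assumptions, not data from the engagement.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache/nginx "combined" format; the addresses are
# documentation ranges (RFC 5737), not the Client's or any real attacker's.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2020:10:01:02 +0000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [14/Apr/2020:10:01:02 +0000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [14/Apr/2020:10:01:03 +0000] "POST /login HTTP/1.1" 503 0 "-" "curl/7.64.0"
198.51.100.23 - - [14/Apr/2020:10:01:03 +0000] "GET /products?id=1 HTTP/1.1" 200 2048 "-" "python-requests/2.22.0"
192.0.2.99 - - [14/Apr/2020:10:01:04 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# Constructed stand-in for a commercial/open-source indicator feed: CIDR blocks
# reported as botnet sources (assumption, not a real feed).
IOC_FEED = ["203.0.113.0/24", "198.51.100.23/32"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Step 1: pull the selectors (source IP, request, status, user-agent) out of raw lines."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def profile_sources(rows, ioc_feed):
    """Step 2: aggregate per source IP and flag sources inside feed-reported ranges."""
    networks = [ip_network(cidr) for cidr in ioc_feed]
    by_ip = defaultdict(list)
    for row in rows:
        by_ip[row["ip"]].append(row)
    profile = {}
    for ip, reqs in by_ip.items():
        addr = ip_address(ip)
        profile[ip] = {
            "requests": len(reqs),
            "user_agents": sorted({r["ua"] for r in reqs}),
            "paths": Counter(r["path"] for r in reqs),
            # share of 5xx responses: a source hammering an already-failing endpoint
            "error_ratio": sum(r["status"].startswith("5") for r in reqs) / len(reqs),
            "ioc_matches": [str(n) for n in networks if addr in n],
        }
    return profile

if __name__ == "__main__":
    for ip, info in profile_sources(parse_log(SAMPLE_LOG), IOC_FEED).items():
        print(ip, info["requests"], info["error_ratio"], info["ioc_matches"])
```

In a real engagement the feed lookup would be the point where source addresses are compared against contemporary botnet and IOC reporting, and the per-source user-agent and path mix is what distinguishes a flood participant from ordinary traffic.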

Due to the widely distributed nature of the attack and the limited technical data available for this event, direct attribution of the actors by purely technical means was not feasible. We employed alternative methods in parallel with the technical analysis in an attempt to identify the threat actors based on their potential participation in discussion boards, forums, user groups, etc.

In the course of the investigation, Nisos operators detected a wide range of suspicious network connections between registered Client network ranges and malicious Internet-based hosts.

  1. Potential Gumblar, Kasidet, Pony Loader, VertexNet Botnet/C2 traffic originating from corporate networks.
  2. Suspicious network-based connections and flow data originating from corporate networks.
  3. Network and web application connections from suspicious and known malicious source IP addresses. Several of these source addresses were detected in contemporary botnet and indicator of compromise (IOC) reporting.

Impact

Using our findings, the Client was able to gain greater context and understanding of the nature of the threats to its environment, well beyond the initial DDOS attack. Working with Nisos, the Client developed an action plan to harden its defenses with a more advanced threat hunting program.

Initial steps included:

  1. Continuous threat hunting and development of internal threat hunting processes
  2. Deployment of Sysmon on Microsoft Windows-based systems
  3. Deployment of OSQUERY on Windows, Linux, and OSX systems
  4. Change management processes across enterprise solutions
  5. Incremental changes to harden current firewall policy
  6. Scripted containment procedures for detections and incidents
  7. Implementation of a hardware and software asset inventory system

About Nisos

Nisos is the Managed Intelligence company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset, delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.

For additional information, contact info@nisos.com
