CASE STUDY

Eight Hours to Attribution

by | Apr 2, 2020 | Adversary Research, Case Study

The Challenge

A multinational manufacturer (the Client) came to Nisos for help responding to an unusual incident. An unauthorized user opened a trouble ticket in the Client's internal IT ticketing system. In the ticket, the actor demonstrated access to sensitive Client resources and associated the ticket with a senior IT security executive. The actor provided two other pieces of information: a PowerShell snippet containing valid credentials for the Client network, and an anonymized email address at which to reach them.

Why Nisos

The Client was aware of Nisos' threat hunting capabilities against their internal network environment, and wanted to combine these with our external data analysis, geolocation, and social media attribution capabilities to investigate and attribute the threat actor. In this case, attribution was especially important given the apparent insider knowledge the attacker possessed and the Client's need to characterize the nature of the threat.

Preparation

While Nisos maintained remote internal network access as part of ongoing support to threat hunting and threat intelligence operations, our analysts conducting the external attribution investigation did not need network access to the client’s environment. We used our access to external telemetry and proprietary datasets to support the engagement.

We based our investigation on the following data points. The perpetrator included a screenshot of a PowerShell script with credentials. He had used these credentials to access the network, browse the corporate SharePoint, check email, and open the trouble ticket. The account was a widely shared account. From the anonymized email address, the actor sent taunting emails to a senior executive. The Client provided Nisos analysts with the source IP addresses of the taunting emails.

Execution

While Nisos maintained remote internal network access as part of ongoing support to threat hunting and threat intelligence operations, we used OSINT analytic expertise to surface additional email addresses, phone numbers, and social media handles used by the actor.

Leveraging internal datasets and multiple corroboration points, Nisos analysts conclusively attributed the perpetrator as an IT analyst working for a foreign engineering firm.

Additional open source research indicated the actor had previously written PowerShell scripts to partially automate processes, in addition to conducting preventative and audit checks with the aid of his custom scripts. These scripts were similar to those he used in his unauthorized access of the Client environment.

During our investigation, the Client revealed additional information. The threat actor had mentioned the name of a former Client employee in his support ticket to the senior executive but did not elaborate on the nature of their relationship. Research on social media showed first-degree connections between the actor and the former Client employee. Further, our netflow analysis matched the originating IP address with the actor's known place of work, the foreign engineering firm where the former Client employee also worked.

We were ultimately able to show that the former Client employee had a management position in the foreign engineering firm for which the attacker now worked. The screenshots left by the actor to prove access also contained browser bookmarks confirming a link between the attacker and the former employee.

Impact

Within eight hours of the incident, the Client was able to use the information we provided to remediate the malicious activity and prevent the threat actor from accessing the network in the future. Further, with strong, conclusive attribution of the threat actor, the Client understood his likely motivations and profile, allowing them to characterize the threat and prepare for potential future attacks. Since the actor was not able to take further malicious steps or monetize his access, our Client saved significant time and money while neutralizing the potentially high reputational risk such a provocative threat actor posed.

About Nisos

Nisos is the Managed Intelligence™ company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.

For additional information, contact info@nisos.com
