CASE STUDY

Threat Intelligence to Remediate Platform Abuse

Apr 8, 2020 | Case Study, Outside Intel, Trust and Safety

The Challenge

A publicly traded technology company (the Client) with thousands of global employees maintains a premier business unit application platform regularly abused by eCrime and cyber espionage actors. The Client requested Nisos’ expertise in threat intelligence to inform efforts to build more efficient automated detections and alerts around their commercial product focused on platform abuse.

Why Nisos

The Client requested our access and expertise in analyzing edge network telemetry beyond the reach of their SOC. While their SOC is robust, they have limited resources dedicated to threat intelligence and do not have access to the external telemetry and datasets maintained by Nisos.

While the Client monitors threat intelligence for their platforms on a daily basis and coordinates with the SOC to set up a variety of alerts, they called in our expertise when it became clear that the totality of information was too much for their threat intelligence team to consume and analyze. The threat intelligence team wanted to focus on creating actionable alerts and needed our expertise to provide an in-depth baseline of their threat landscape.

Preparation

We did not require network access to the Client’s environment. We used our access to discreet, external telemetry and proprietary datasets to support the engagement.

Execution

On the eCrime side, we discovered unsophisticated actors actively selling stolen Client application credentials, dangling the false promise of free or “hacked” access as bait for phishing schemes, or using the application as a tool to take over a victim’s computer in tech support scams.

More sophisticated actors with nation-state backing have used a variety of remote access tools for Advanced Persistent Threat (APT) attacks, including tools from the Client’s larger suite of applications. Although we saw no evidence of the specific platform under study being used or targeted, a review of such attacks shed light on how the platform could potentially be deployed for espionage or criminal purposes on third parties.

  • At least three sophisticated APT campaigns originating out of China and Iran used the Client’s remote access tools to carry out a series of exploits against high-profile business and military targets.
  • A sophisticated cyber-criminal organization used the Client’s product suite in conjunction with a third-party game app to deliver malware to business targets.

We highlighted reporting about vulnerabilities in the Client’s code that the Client’s application development team was ultimately able to secure. For example, the reported weaknesses in how the URL parameter “lang” was stored and in the application’s Cross-Site Request Forgery (CSRF) protection were problematic vulnerabilities that were ultimately remedied.

Impact

The Client recognized our solution was more comprehensive, analytic, and actionable than a simple threat intelligence feed. Nisos’ reporting enabled them to address the complex issue of platform abuse in a new way. To protect their brand and increase customer confidence in their product, the Client took the comprehensive list of doppelganger domains we compiled and initiated unauthorized domain takedowns with the various domain providers.

The Client was also able to blacklist the IP addresses of the doppelganger domains on their own firewall, and they passed the cross-site request forgery problems to the internal development team for remediation. In addition, they provided the list of IPs to their customers to block at their own network border devices, effectively forcing the threat actors to start from scratch or find a new platform to abuse.
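The lookalike-domain sweep and IP blocklist described above, as an added illustration written for this page rather than Nisos’ or the Client’s own tooling; the brand domain, the homoglyph table and the resolution data are constructed assumptions, and the public-suffix handling is deliberately simplified (single-label TLDs only):

```python
import unicodedata
from difflib import SequenceMatcher

# Hypothetical brand domain standing in for the Client's platform (an assumption).
BRAND_DOMAIN = "example-platform.com"

# Characters commonly swapped for ASCII letters in lookalike registrations.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}


def normalize_label(domain: str) -> str:
    """Take the registrable label, fold Unicode to ASCII, collapse homoglyphs and hyphens."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # simplification: one-label TLDs
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for glyph, ascii_char in HOMOGLYPHS.items():
        label = label.replace(glyph, ascii_char)
    return label.replace("-", "")


def is_doppelganger(candidate: str, brand: str = BRAND_DOMAIN, threshold: float = 0.85) -> bool:
    """Flag a domain that imitates the brand; the brand and its own subdomains are never flagged."""
    candidate = candidate.lower().rstrip(".")
    if candidate == brand or candidate.endswith("." + brand):
        return False
    brand_label, cand_label = normalize_label(brand), normalize_label(candidate)
    # Identical after folding, brand name embedded in a longer label, or near-identical spelling.
    return (cand_label == brand_label
            or brand_label in cand_label
            or SequenceMatcher(None, cand_label, brand_label).ratio() >= threshold)


# Constructed resolution results standing in for an external DNS / passive-DNS dataset.
OBSERVED = {
    "examp1e-platform.com": ["203.0.113.10"],
    "exampleplatform-login.net": ["203.0.113.10", "203.0.113.11"],
    "login.example-platform.com": ["198.51.100.5"],
    "totallyunrelated.org": ["192.0.2.77"],
}


def build_ip_blocklist(observed=OBSERVED, brand=BRAND_DOMAIN):
    """Collect the IPs behind every flagged lookalike, ready for a firewall deny list."""
    ips = set()
    for domain, addresses in observed.items():
        if is_doppelganger(domain, brand):
            ips.update(addresses)
    return sorted(ips)
```

The resulting list is what a defender would push to the firewall and share with customers, as the Client did; legitimate infrastructure such as the brand’s own login subdomain is excluded before resolution data is consulted.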

About Nisos

Nisos is the Managed Intelligence™ company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.

For additional information, contact info@nisos.com
