Preventing Corporate Sabotage by a High-Level Executive

by | Jun 22, 2020 | Case Study, Outside Intel

The Challenge

The CEO of a multinational manufacturer (Client) identified an urgent need to remove a key executive, along with several accomplices, from the operations of the company, based on concerns that these insiders were intent on sabotaging the company. Given the known IT expertise and access of the executive and his associates, the Client needed to prevent these persons of interest (POI) from stealing sensitive data or disrupting the network prior to being fired. The Client also intended to pursue legal action against the POI and needed digital evidence preserved.

Why Nisos

With the entire IT team at the company under suspicion, the Client needed a partner that could surreptitiously gain control of the Client network, reduce the accesses of the POI, prepare the network for a lockout, and preserve data in line with the chain of custody for future evidentiary efforts. All of this had to be accomplished without impacting daily business operations.

Based on the criticality of these efforts, the Client did not want to hand over its network to an unknown commodity and sought referrals from trusted industry connections. An executive whom Nisos had helped with an insider threat issue recommended Nisos as a company that was both capable of the significant challenge at hand and discreet.


With the Client’s permission and assistance, Nisos placed a physical device on the Client network to gain persistent access. Nisos identified POI remote workstations and deployed a tool that caused the workstations to be stuck in a “boot loop,” never allowing the user to log in while preserving forensic data.

Nisos created an email alias and forwarding rule that retained copies of all emails received by POI, lowered the privileges for all administrators, and lowered domain accesses and group memberships for all POI accounts.


The moment the terminations were delivered, Nisos executed a script that locked the entire company out of the Client network. Nisos re-activated the accounts of individuals unconnected to the bad behavior and deployed a script requiring a mandatory password change upon login which ensured that any existing credentials to which a POI had access would be unusable. Nisos operators on-site conducted forensic analysis of all POI devices.


Following the terminations, Nisos conducted a compromise assessment and determined that the bad actors did not leave behind any malicious technical artifacts or retain access to the network. In what otherwise could have been a hugely disruptive event for the Client, business operations were able to resume seamlessly following the terminations.

About Nisos

Nisos is the Managed Intelligence™ company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.

For additional information, contact

Adversary Research
Discovering the methods, motives and identity of threat actors to disrupt attacks 
Reputation Defense
Technical guidance for countering disinformation and slanderous attacks 
Trust & Safety
Intelligence to secure business operations and defend against fraud, abuse and e-crime 
TPRM Exposure
Adversary-centric intelligence to address supplier, M&A and investment risks 
Outside Intel
Research for defending outside the firewall that leverages tier 3 intelligence programs 
Executive Shield
Assessment of threats to key personnel with attribution and PII takedown  
Adversary Insights℠ Retainer
Annual retainers for client-driven inquiries and rapid-response research 
Intelligence Team as a Service
Collaborative engagement providing robust intelligence and tier 3 cyber analysts  
Event-Driven Intel Investigations
Multidimensional security fact-finding that delivers insights into adversary behavior 
On Demand Threat Research
Proactive and preventative investigations that reveal threat actor context and risk correlations 
Investment Zero Touch Diligence℠
Project-based discovery to assess risk for investments, IPO, Mergers and Acquisitions 
TPRM Zero Touch Diligence℠
Subscription assessment of external network hygiene, key personnel, and non-traditional business risks