


Attacks on Databases: When NoSQL became NoDatabase

  • Friday, January 20th, 2017 at 1:00 PM EST (18:00:00 UTC)
  • Matt Bromiley


During the 2016 holiday season, security researchers and NoSQL database administrators began to discover something chilling: data stored in MongoDB databases was vanishing, and vanishing quickly. Data was being removed gigabytes at a time, and all that was left behind was a ransom note demanding payment for its restoration. To date, over 100TB of data has disappeared. Businesses came to a halt as critical data was no longer available. Third-party agreements fell through as availability dropped to 0%. Even more concerning, some organizations could not fully quantify the contents of their data and were unable to determine whether breach notifications were required. Fast forward a couple of weeks, and we are seeing another type of data store suffer the same fate: Elasticsearch. Unfortunately, these attacks were a long time coming, and we have seen the warning signs for years.

In this webcast, we will take a comprehensive look at the ongoing attacks on MongoDB and Elasticsearch. Through analysis of compromised databases, we will examine how the attacks take place and just how easy they are to perform. We will also analyze the artifacts left behind by the attackers, extracting what data we can to build out their TTPs. Lastly, we will discuss how to secure your NoSQL instances going forward. This is not a list you want to be on.
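The exposure behind the wipes described above comes down to two settings: a data store listening on every interface, and no access control on the port. The following audit is an added example and is not part of the webcast or of either project; it reads a mongod.conf or elasticsearch.yml and flags those two conditions. The sample configurations are constructed, and the parser handles only the shallow key layout these two files use, not general YAML. Before MongoDB 3.6 an unset bindIp meant all interfaces, and access control is off unless security.authorization is enabled, so a missing key is treated as a finding.

```python
"""Configuration audit for the exposure that made the MongoDB and Elasticsearch
ransom wipes possible: a data store bound to every interface with no access
control. Added example, not from the webcast; all sample configs are constructed."""

from typing import Dict, List


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Flatten the shallow YAML of mongod.conf / elasticsearch.yml into dotted keys.

    Handles 'section:' followed by indented 'key: value' lines, and top-level
    dotted keys such as 'network.host: 0.0.0.0'. Not a general YAML parser.
    """
    settings: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().strip("'\"")
        if indent == 0:
            if value:
                section = None
                settings[key] = value                  # e.g. network.host: 0.0.0.0
            else:
                section = key                          # e.g. net:
        else:
            settings[f"{section}.{key}" if section else key] = value
    return settings


WILDCARD_BINDS = {"0.0.0.0", "::", "_global_"}        # listen on every interface


def audit_mongod(conf_text: str) -> List[str]:
    """Return findings for a mongod.conf; an empty list means both checks pass."""
    s = parse_simple_yaml(conf_text)
    findings: List[str] = []
    # Before MongoDB 3.6 an unset bindIp meant all interfaces, so absence is a finding.
    bind = s.get("net.bindIp", "0.0.0.0")
    if any(b.strip() in WILDCARD_BINDS for b in bind.split(",")):
        findings.append(f"net.bindIp={bind}: mongod accepts connections on every interface")
    # Access control is off unless explicitly enabled, so absence is also a finding.
    if s.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': any client that reaches "
                        "port 27017 can read and drop every database")
    return findings


def audit_elasticsearch(conf_text: str) -> List[str]:
    """Return findings for an elasticsearch.yml (the same exposure on port 9200)."""
    s = parse_simple_yaml(conf_text)
    findings: List[str] = []
    host = s.get("network.host", "_local_")            # ES 2.x+ defaults to loopback
    if host in WILDCARD_BINDS:
        findings.append(f"network.host={host}: the REST API is reachable from every interface, "
                        "and Elasticsearch of this era has no authentication without X-Pack "
                        "or another security plugin")
    return findings


# Constructed samples: the weak form beside the corrected form.
WEAK_MONGOD = """\
# constructed sample: roughly what the wiped servers looked like
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_MONGOD = """\
# constructed sample: loopback plus one internal address, access control on
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

WEAK_ES = """\
cluster.name: prod-search
network.host: 0.0.0.0
http.port: 9200
"""

HARDENED_ES = """\
cluster.name: prod-search
network.host: 127.0.0.1
http.port: 9200
"""

if __name__ == "__main__":
    for name, fn, text in [("weak mongod", audit_mongod, WEAK_MONGOD),
                           ("hardened mongod", audit_mongod, HARDENED_MONGOD),
                           ("weak elasticsearch", audit_elasticsearch, WEAK_ES),
                           ("hardened elasticsearch", audit_elasticsearch, HARDENED_ES)]:
        print(name, "->", fn(text) or "no findings")
```

Binding to an internal address alone is not a fix: with authorization disabled, anyone on that network segment still has full read and drop rights, which is why the audit reports the two conditions separately rather than passing a host as soon as it leaves 0.0.0.0.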

Threat hunting and incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems, contain the breach ineffectively, and ultimately fail to remediate the incident rapidly. Incident response and threat hunting teams are the key to identifying and observing malware indicators and patterns of activity in order to generate accurate threat intelligence that can be used to detect current and future intrusions.

Learn how to hunt your adversary with the FOR508: Digital Forensics, Incident Response & Threat Hunting course!

Speaker Bio

Matt Bromiley

Matt Bromiley is a SANS Certified Digital Forensics and Incident Response instructor, teaching Advanced Digital Forensics, Incident Response, and Threat Hunting (FOR508) and Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response (FOR572), and a GIAC Advisory Board member. He is also a principal incident response consultant at a major incident response and forensic analysis company, combining experience in digital forensics, incident response/triage and log analytics. His skills include disk, database, memory and network forensics, as well as network security monitoring. Matt has worked with clients of all types and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.
