


This webcast has been archived. The slides for this webcast are not available for download.

Attacks on Databases: When NoSQL became NoDatabase

  • Friday, January 20, 2017 at 1:00 PM EST (2017-01-20 18:00:00 UTC)
  • Matt Bromiley




During the 2016 holiday season, security researchers and NoSQL database administrators began to discover something chilling: data stored in MongoDB databases was vanishing, and vanishing quickly. Data was being removed gigabytes at a time, and all that was left behind was a ransom note demanding payment for its restoration. To date, over 100TB of data has disappeared. Businesses came to a halt as critical data was no longer available. Third-party agreements fell through as availability dropped to 0%. Even more concerning, some organizations could not fully quantify the contents of their data and were unable to determine whether breach notifications were required. Fast forward a couple of weeks, and another type of data store is suffering the same fate: Elasticsearch. Unfortunately, these attacks were a long time coming, and the warning signs have been visible for years.

In this webcast, we're going to take a comprehensive look at the ongoing attacks on MongoDB and Elasticsearch. Through analysis of compromised databases, we'll examine how the attacks take place and just how easy they are to perform. We'll also analyze the artifacts the attackers left behind, extracting what data we can to build out their TTPs (tactics, techniques and procedures). Lastly, we'll discuss how to secure your NoSQL instances going forward. This is not a list you want to be on.
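The abstract does not spell out how the attacks worked, but the well-documented enabler of the MongoDB and Elasticsearch ransom wipes was the same in both cases: a database daemon reachable from the internet with no authentication required. The following script is an added example, not material from the webcast or from SANS. It audits a mongod.conf and an elasticsearch.yml for exactly those two settings (listening on a non-loopback address, and no authorization/security enabled) and runs over constructed sample configs embedded below, a weak one beside a hardened one. It parses only the key/value YAML subset those two files use, so it needs nothing beyond the standard library; the sample paths, cluster name and port values are invented for illustration.

```python
"""Audit MongoDB / Elasticsearch configs for the ransom-wipe exposure:
listening on all interfaces with no authentication enforced.

Added example (not from the webcast). Handles the key/value YAML subset
used by mongod.conf and elasticsearch.yml: nested "key:" blocks, "key: value"
lines and dotted keys such as "network.host: 0.0.0.0". Lists are ignored.
"""
from typing import Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Flatten a key/value YAML subset into {"a.b.c": "value"}."""
    flat: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of the open parent blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # e.g. a "- item" list entry; not needed for these checks
        while stack and stack[-1][0] >= indent:  # close deeper/sibling blocks
            stack.pop()
        full = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("'\"")
        if value:
            flat[full] = value
        else:
            stack.append((indent, key.strip()))  # "key:" opens a nested block
    return flat


def is_exposed(bind: str) -> bool:
    """True if any configured bind address accepts non-loopback connections."""
    addrs = [a.strip() for a in bind.split(",") if a.strip()]
    return any(a not in LOOPBACK for a in addrs)


def audit_mongod(conf: str) -> List[str]:
    cfg = parse_simple_yaml(conf)
    findings: List[str] = []
    # MongoDB 3.4 and earlier bind to all interfaces when net.bindIp is absent;
    # the loopback-only default for the binary only arrived in 3.6.
    bind = cfg.get("net.bindIp", "0.0.0.0")
    if is_exposed(bind):
        findings.append(f"mongod: listening on non-loopback address(es) {bind}")
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("mongod: security.authorization not 'enabled' (no auth required)")
    return findings


def audit_elasticsearch(conf: str) -> List[str]:
    cfg = parse_simple_yaml(conf)
    findings: List[str] = []
    # Elasticsearch 2.x+ binds to loopback unless network.host says otherwise;
    # "_site_" and "_global_" select non-loopback interfaces and count as exposed.
    bind = cfg.get("network.host", "127.0.0.1")
    if is_exposed(bind):
        findings.append(f"elasticsearch: network.host {bind} is reachable off-host")
    # Open-source Elasticsearch has no built-in authentication; treat it as
    # unauthenticated unless X-Pack security is switched on.
    if cfg.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("elasticsearch: no authentication (xpack.security.enabled != true)")
    return findings


# Constructed sample configs for the demonstration (not real deployments).
WEAK_MONGOD_CONF = """\
# weak: everyone on the network can read, drop and replace collections
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_MONGOD_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

WEAK_ES_CONF = """\
cluster.name: prod-logs
network.host: 0.0.0.0
http.port: 9200
"""

HARDENED_ES_CONF = """\
cluster.name: prod-logs
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, func, conf in [
        ("weak mongod.conf", audit_mongod, WEAK_MONGOD_CONF),
        ("hardened mongod.conf", audit_mongod, HARDENED_MONGOD_CONF),
        ("weak elasticsearch.yml", audit_elasticsearch, WEAK_ES_CONF),
        ("hardened elasticsearch.yml", audit_elasticsearch, HARDENED_ES_CONF),
    ]:
        print(f"{name}: {func(conf) or ['OK']}")
```

Binding to loopback is the right first step for a single-host deployment; where the database must be reachable over the network, bind to the internal interface, enable authorization, and put a host firewall rule in front of the port, since the wipes hit instances that were reachable from anywhere and asked for no credentials at all.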

Threat hunting and incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford antiquated incident response and threat hunting techniques that fail to properly identify compromised systems, contain the breach ineffectively, and ultimately fail to remediate the incident rapidly. Incident response and threat hunting teams are the key to identifying and observing malware indicators and patterns of activity, in order to generate accurate threat intelligence that can be used to detect current and future intrusions.

Learn how to hunt your adversary with the FOR508: Digital Forensics, Incident Response & Threat Hunting course.

Speaker Bio

Matt Bromiley

Matt Bromiley is a SANS digital forensics and incident response (IR) instructor, teaching FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an IR consultant at a global IR and forensic analysis company, combining experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.
