Attacks on Databases: When NoSQL became NoDatabase

  • Webcast Aired Friday, 20 Jan 2017 1:00PM EST (20 Jan 2017 18:00 UTC)
  • Speaker: Matt Bromiley

During the holiday season of 2016, security researchers and NoSQL database administrators started to discover something chilling: data stored in MongoDB databases started to vanish, and vanish quickly. Data was being removed gigabytes at a time, and all that was left behind was a ransom note demanding payment for its restoration. To date, over 100 TB of data has disappeared. Businesses came to a halt as critical data was no longer available. Third-party agreements fell through as availability dropped to 0%. Even more concerning, some organizations could not fully quantify the contents of their data and so could not determine whether breach notifications were required. Fast forward a couple of weeks, and another type of data store is suffering the same fate: Elasticsearch. Unfortunately, these attacks were a long time coming, and we have seen the warning signs for years.

In this webcast, we're going to take a comprehensive look at the ongoing attacks on MongoDB and Elasticsearch. Through analysis of compromised databases, we'll examine how the attacks take place and just how easy they are to perform. We'll also analyze the artifacts left behind by the attackers, extracting what data we can to build out their TTPs. Lastly, we'll discuss how to secure your NoSQL instances going forward. This is not a list you want to be on.
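The exposure behind these deletions is well documented and not specific to any one victim: a MongoDB listener reachable from the internet with authorization switched off, so anyone who can reach port 27017 can list and drop databases. As an added example (not code from the webcast or from MongoDB), the POSIX sh script below audits a mongod.conf in the YAML format used since MongoDB 2.6 for exactly those two settings. The function names and the two sample config files are mine and are constructed for the example; it is a line-based heuristic over the file, not a YAML parser, and the definitive check is still to connect without credentials and see whether listDatabases succeeds.

```shell
#!/bin/sh
# Added example, not code from the webcast or from MongoDB: a line-based
# audit of a mongod.conf (YAML format, MongoDB 2.6+) for the two settings
# that made the MongoDB ransom deletions trivial: a listener bound to every
# interface and no authorization. Heuristic over the text file, not a YAML
# parser; the definitive check is an unauthenticated listDatabases attempt.

# Value of the first "authorization:" key, quotes and spaces stripped.
# Returns 0 only when it is exactly "enabled".
conf_has_auth() {
    val=$(sed -n 's/^[[:space:]]*authorization:[[:space:]]*//p' "$1" \
          | head -n 1 | tr -d " \"'")
    [ "$val" = "enabled" ]
}

# Returns 0 when net.bindIp is present and no entry is a wildcard address.
# An absent bindIp counts as a finding: before 3.6 the server binds to
# 0.0.0.0 unless told otherwise, and bindIpAll: true is an explicit wildcard.
conf_binds_restricted() {
    if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$1"; then
        return 1
    fi
    val=$(sed -n 's/^[[:space:]]*bindIp:[[:space:]]*//p' "$1" \
          | head -n 1 | tr -d " \"'")
    [ -n "$val" ] || return 1
    # bindIp is a comma-separated list; reject if any entry is 0.0.0.0 or ::
    if printf '%s\n' "$val" | tr ',' '\n' | grep -Eqx '(0\.0\.0\.0|::)'; then
        return 1
    fi
    return 0
}

# Audit one file. Prints each finding to stderr; returns 0 only if both pass.
audit_mongod_conf() {
    rc=0
    if ! conf_binds_restricted "$1"; then
        echo "$1: net.bindIp missing or includes a wildcard (0.0.0.0 / ::)" >&2
        rc=1
    fi
    if ! conf_has_auth "$1"; then
        echo "$1: security.authorization is not 'enabled'" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not from any real incident) so the script runs
# stand-alone. The first has the shape of a pre-3.6 default install; the
# second is the hardened form. Create an admin user in the admin database
# before enabling authorization, or use the localhost exception to create
# it afterwards from a loopback connection.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
EOF

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    if audit_mongod_conf "$f"; then
        echo "$f: OK"
    else
        echo "$f: EXPOSED"
    fi
done
```

Run it against your real file with `audit_mongod_conf /etc/mongod.conf` after sourcing the functions; hosts using the older INI-style `bind_ip = ...` format are not covered by the patterns. The same exposure pattern applies to Elasticsearch: releases before 2.0 bound to all interfaces by default, and the open-source build ships no authentication, so a node reachable on port 9200 accepts index deletions from anyone. Set `network.host` in elasticsearch.yml to a non-public address and put authentication (a reverse proxy or the commercial security plugin) in front of it.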


Threat hunting and incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford to use antiquated incident response and threat hunting techniques that fail to identify compromised systems, contain the breach ineffectively, and ultimately fail to remediate the incident quickly. Incident response and threat hunting teams are the key to identifying and observing malware indicators and patterns of activity in order to generate accurate threat intelligence that can be used to detect current and future intrusions.

Learn how to hunt your adversary with the FOR508: Digital Forensics, Incident Response & Threat Hunting course!