CASE STUDY

BlackLight Simplifies the Search for Indicators of Compromise

HSBC Uses BlackLight to Analyze Large Data Sets

Web shells are commonly used in cyber-attacks and can have a variety of malicious purposes. They can also be difficult to detect. When one of the largest banks in the world received a notification from their Endpoint Detection and Response (EDR) solution indicating there was a possible web shell attack, it became a priority to determine if any systems were compromised. In order to maintain availability, the potentially compromised systems had to be analyzed quickly and thoroughly.

Four systems were identified as potentially compromised. All data stored on the systems had to be reviewed. While there are many forensic tools available, BlackLight was chosen for this analysis for its ability to process a number of large data sets. An index of all the data was created in a single BlackLight case file. Index searches were then performed across that case file to confirm that none of the indicators of the suspected compromise were present on any of the systems.
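The workflow the case study describes (collate evidence from several hosts into one case, index it once, then run every indicator search across the whole set and tag each search so the report builds itself) can be modelled in a few dozen lines. The following is an added example written for this page; it is not BlackLight or BlackBag code and does not use their APIs. The host names, file contents and indicator strings are all constructed stand-ins: in a real investigation the indicators come from the EDR alert and the files from the forensic images.

```python
import re
from collections import defaultdict

# Constructed evidence: four suspect hosts, each a map of path -> file contents.
# Inline so the example runs offline; a real case reads these from images.
SAMPLE_SYSTEMS = {
    "web-01": {
        "/var/www/html/index.php": "<?php include 'app/bootstrap.php'; ?>",
        "/var/log/httpd/access_log": '10.0.0.5 - - "GET /index.php HTTP/1.1" 200',
    },
    "web-02": {
        "/var/www/html/index.php": "<?php include 'app/bootstrap.php'; ?>",
        "/var/www/html/uploads/readme.txt": "uploads directory - do not remove",
    },
    "app-01": {"/opt/app/config.yml": "db_host: db-01\nlog_level: info"},
    "app-02": {"/opt/app/config.yml": "db_host: db-01\nlog_level: debug"},
}

# Constructed indicator list standing in for the IoCs supplied with the alert.
SAMPLE_INDICATORS = ["cmd.php", "eval(base64_decode(", "POST /uploads/"]

TOKEN_RE = re.compile(r"[A-Za-z0-9_]{2,}")


def tokenize(text):
    """Lower-cased word tokens; the same function indexes files and queries."""
    return {t.lower() for t in TOKEN_RE.findall(text)}


def build_case(systems):
    """Collate every file from every system into one case: raw contents kept
    for verification, plus an inverted index token -> {(system, path)}."""
    case = {"files": {}, "index": defaultdict(set), "tags": []}
    for system, files in systems.items():
        for path, content in files.items():
            key = (system, path)
            case["files"][key] = content
            for tok in tokenize(content):
                case["index"][tok].add(key)
    return case


def index_search(case, indicator):
    """Candidates are files containing every token of the indicator; each
    candidate is then confirmed by a literal substring match so that token
    overlap alone (e.g. 'php' and 'cmd' far apart) never counts as a hit."""
    toks = tokenize(indicator)
    if not toks:
        return []
    candidates = set.intersection(*(case["index"].get(t, set()) for t in toks))
    hits = sorted(k for k in candidates
                  if indicator.lower() in case["files"][k].lower())
    # Tag the search itself, hit or not, so the report records what was checked.
    case["tags"].append({"indicator": indicator, "hits": hits})
    return hits


def sweep(case, indicators):
    """Run every indicator across the whole case in one pass."""
    return {ioc: index_search(case, ioc) for ioc in indicators}


def verdict(results):
    """'no compromise' only when every indicator returned zero hits everywhere."""
    return "no compromise" if not any(results.values()) else "indicators present"


def report(case):
    """Incident-report lines assembled from the tags recorded during searching."""
    lines = [f"files indexed: {len(case['files'])}"]
    for tag in case["tags"]:
        lines.append(f"searched {tag['indicator']!r}: {len(tag['hits'])} hit(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    case = build_case(SAMPLE_SYSTEMS)
    results = sweep(case, SAMPLE_INDICATORS)
    print(report(case))
    print(verdict(results))
```

The two-stage search (index intersection to find candidates, then a literal match on the stored content) is what lets a negative result stand as evidence: every indicator was checked against every file, and a token-level near miss cannot be mistaken for a hit. The tags list is the audit trail the case study refers to when it says tagging built the report automatically.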

BlackLight made the entire process easy. All investigative activity was tagged, automatically building the incident report. The interface is intuitive, making the searching, filtering and pivoting extremely easy for the user. The results of the analysis provided compelling proof that there was no compromise.

"The interface is intuitive, making the searching, filtering and pivoting very easy."

Steven Mitchell, HSBC Analyst

Main Takeaways:

  • The Endpoint Detection and Response (EDR) solution notified there was a potential web shell attack.
  • In order to prevent a disruption of service, the data on four systems possibly impacted by the attack had to be quickly examined to confirm there was no compromise.
  • BlackLight was used to collate and index the data into one case file.
  • Index searching was performed across the entire data set. The results provided compelling proof there was no compromise.
  • BlackLight’s intuitive interface made the entire process quick and easy.

Quick Facts

Features: 

BlackLight indexing and index search features were used to confirm no systems were compromised.

Problem Solved:

An Endpoint Detection and Response (EDR) solution indicated there was a possible web shell attack. BlackLight was used to quickly confirm no systems were compromised.

Solution Provided:

One of the largest banks in the world used BlackLight to quickly analyze data on possibly compromised systems.

Overall Results:

A single BlackLight case file was used to process all systems suspected of compromise.
