Threat descriptions

Understand the different types of threats identified by Active threat analytics.

Account takeover
An unauthorized user accesses an account.
A case is opened when an account is accessed by a new connection profile. For example, a known user is connecting from a different source IP or is using a different source program. Errors or exceptions that are associated with the source are also reported.
Anomaly
Anomalies are behaviors that are contrary to “normal” behavior in any aspect of tracked activity.
Guardium® identifies anomalies by using outlier mining (including the volume of outliers, severity of individual events, and predicted volume of outliers at specific times of day), and an anomaly detection algorithm.
Brute force attack
Suspected brute force attacks, which appear as runs of failed logins, cover many scenarios. The failed logins are usually by one database user or by multiple database users on one database. The factors that are considered include the user, the timing, the frequency, and other actions taken by the suspicious user.
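The following detector is an added illustration of the factors listed above (user, timing, frequency, and what the user does next) applied to database login audit records. It is not Guardium code; the audit line format, the thresholds, and the sample events are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of database login audit lines (not captured from a real system).
SAMPLE_LOGIN_EVENTS = [
    "2024-05-01T09:00:01 db=sales user=alice ip=10.0.0.5 result=OK",
    "2024-05-01T09:01:00 db=sales user=bob ip=10.0.0.9 result=FAIL",
    "2024-05-01T09:01:02 db=sales user=bob ip=10.0.0.9 result=FAIL",
    "2024-05-01T09:01:04 db=sales user=bob ip=10.0.0.9 result=FAIL",
    "2024-05-01T09:01:06 db=sales user=bob ip=10.0.0.9 result=FAIL",
    "2024-05-01T09:01:08 db=sales user=bob ip=10.0.0.9 result=FAIL",
    "2024-05-01T09:01:10 db=sales user=bob ip=10.0.0.9 result=OK",
    "2024-05-01T09:30:00 db=hr user=carol ip=10.0.0.20 result=FAIL",
    "2024-05-01T09:30:05 db=hr user=dave ip=10.0.0.20 result=FAIL",
    "2024-05-01T09:30:10 db=hr user=erin ip=10.0.0.20 result=FAIL",
    "2024-05-01T11:00:00 db=hr user=carol ip=10.0.0.21 result=FAIL",
]


def parse_login_event(line):
    """Parse one 'timestamp key=value ...' audit line (constructed format) into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_brute_force(lines, window=timedelta(minutes=5),
                       user_threshold=5, spray_threshold=3):
    """Return alerts for failed-login bursts. Lines must be in time order.

    single_user_burst  : one database user fails user_threshold times within a window
    multi_user_spray   : spray_threshold distinct users fail on one database within a window
    success_after_burst: a user in burst state then logs in successfully
    """
    fails_by_user = defaultdict(deque)   # (db, user) -> failure times inside the window
    last_fail_by_db = defaultdict(dict)  # db -> {user: time of last failure}
    in_burst, spray_active = set(), set()
    alerts = []
    for rec in map(parse_login_event, lines):
        key = (rec["db"], rec["user"])
        if rec["result"] == "FAIL":
            q = fails_by_user[key]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= user_threshold and key not in in_burst:
                in_burst.add(key)
                alerts.append(("single_user_burst", rec["db"], rec["user"], len(q)))
            recent = last_fail_by_db[rec["db"]]
            recent[rec["user"]] = rec["ts"]
            active = sorted(u for u, t in recent.items() if rec["ts"] - t <= window)
            if len(active) >= spray_threshold:
                if rec["db"] not in spray_active:      # alert once per spray episode
                    spray_active.add(rec["db"])
                    alerts.append(("multi_user_spray", rec["db"], active, len(active)))
            else:
                spray_active.discard(rec["db"])
        elif rec["result"] == "OK" and key in in_burst:
            # A success immediately after a burst is the case that most needs review.
            alerts.append(("success_after_burst", rec["db"], rec["user"], rec["ip"]))
            in_burst.discard(key)
            fails_by_user[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOGIN_EVENTS):
        print(alert)
```

The two window-based counters correspond to the two scenarios in the text (one user, many users on one database); the success-after-burst alert is the "other actions taken by the suspicious user" factor, and it is the one that should be triaged first.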
Cross-site scripting
Cross-site scripting (XSS) attacks attempt to insert malicious JavaScript code into the server through client input fields and APIs. When such a script is in place, it is persistent and activated every time that a user accesses the affected page. A typical scenario inserts JavaScript through a web page and then runs every time that page is accessed.
Guardium constantly monitors for XSS patterns in database requests.
Data tampering
A data tampering attack attempts to change or delete information. This type of attack typically exhibits a high volume of data deletion or removal.
Guardium observes whether errors are generated by the data deletion and whether the removal or deletion actions affected sensitive data.
Denial of Service
A denial of service attack attempts to impact service availability by creating excessively high demands on memory or resources or by causing server unavailability.
One means of identifying these attacks is by a high volume of outliers and weighted anomalies. The volume of outliers in this case is high enough to impact availability: for example, a thousand times the average activity.
Insider threat: possible data leak
This attack is an attempt to retrieve data for unauthorized use.
Data leaks are identified by abnormally high data retrieval activity. The activity can be either the number of activities or the number of records that are affected, depending on whether records affected tracking is enabled in the Guardium environment.
Malicious stored procedure
A malicious stored procedure is a block of SQL code that is designed to evade detection and to run complex attacks over an extended time period. The stored procedure can be run repeatedly, change its behaviors over time, or remain dormant for long periods of time, all of which makes it harder to identify its activities as suspicious. For example, a stored procedure that caused unusual activity to be identified in an audit can go dormant and be forgotten by the time of the next audit.
A malicious stored procedure can be used to disguise the drop of an important table or to extract the contents of a table. Examples of suspicious activity include:
  • The creation of a stored procedure with a DROP statement that affects sensitive objects.
  • SQL exceptions that are caused by missing objects.
  • A procedure that is dormant for an extended time period but is then modified.
Guardium finds malicious stored procedures by tracking the activity around individual stored procedures and, together with outlier mining data, correlating the symptoms and users.
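As an added illustration of the three symptoms in the list above (a procedure definition containing a DROP on a sensitive object, exceptions caused by missing objects, and a dormant procedure that is suddenly modified), the following correlates events around individual stored procedures. It is example code written for this page, not Guardium's implementation; the event tuple format, the sensitive-object list, the 30-day dormancy window, and the error text are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

PROC_DEF_RE = re.compile(
    r"^\s*(CREATE|ALTER)\s+(?:OR\s+REPLACE\s+)?PROCEDURE\s+([A-Za-z_][\w.]*)(.*)$", re.I | re.S)
CALL_RE = re.compile(r"^\s*(?:CALL|EXEC|EXECUTE)\s+([A-Za-z_][\w.]*)", re.I)
DROP_RE = re.compile(r"\bDROP\s+(?:TABLE|VIEW)\s+([A-Za-z_][\w.]*)", re.I)
MISSING_RE = re.compile(r"does not exist|doesn't exist|unknown (?:table|object)", re.I)

SENSITIVE_OBJECTS = {"hr.salaries"}   # constructed list of sensitive objects

# Constructed audit events: (timestamp, user, sql, error text or None). Not real data.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "dev1", "CREATE PROCEDURE cleanup() BEGIN DELETE FROM tmp_log; END", None),
    ("2024-01-10T09:05:00", "dev1", "CALL cleanup()", None),
    ("2024-03-20T02:00:00", "dev1", "ALTER PROCEDURE cleanup() BEGIN DROP TABLE hr.salaries; END", None),
    ("2024-03-20T02:01:00", "dev1", "CALL cleanup()", None),
    ("2024-03-20T02:02:00", "app", "SELECT * FROM hr.salaries", "object does not exist: hr.salaries"),
]


def detect_malicious_procedures(events, sensitive, dormancy=timedelta(days=30),
                                followup=timedelta(hours=1)):
    """Return alerts correlating procedure definitions, calls and errors.

    proc_drops_sensitive_object   : a CREATE/ALTER PROCEDURE body drops a sensitive object
    dormant_proc_modified         : a procedure untouched for > dormancy is altered
    missing_object_after_proc_drop: a 'missing object' error follows such a drop
    """
    last_seen = {}          # procedure -> last create/alter/call time
    dropped_by_proc = {}    # object -> (procedure, time its DROP was defined)
    alerts = []
    for ts_s, user, sql, error in events:
        ts = datetime.fromisoformat(ts_s)
        m = PROC_DEF_RE.match(sql)
        if m:
            verb, name, body = m.group(1).upper(), m.group(2), m.group(3)
            for obj in DROP_RE.findall(body):
                if obj.lower() in sensitive:
                    alerts.append(("proc_drops_sensitive_object", name, obj))
                    dropped_by_proc[obj.lower()] = (name, ts)
            if verb == "ALTER" and name in last_seen and ts - last_seen[name] > dormancy:
                alerts.append(("dormant_proc_modified", name, (ts - last_seen[name]).days))
            last_seen[name] = ts
            continue
        c = CALL_RE.match(sql)
        if c:
            last_seen[c.group(1)] = ts
        if error and MISSING_RE.search(error):
            # Tie the exception back to the procedure that defined the DROP.
            for obj, (name, t_drop) in dropped_by_proc.items():
                if obj in error.lower() and ts - t_drop <= followup:
                    alerts.append(("missing_object_after_proc_drop", obj, name))
    return alerts


if __name__ == "__main__":
    for alert in detect_malicious_procedures(SAMPLE_EVENTS, SENSITIVE_OBJECTS):
        print(alert)
```

Any one of these signals on its own is weak (procedures are altered, and objects do go missing, for legitimate reasons); the point of the example is that the three are recorded against the same procedure name so they can be reviewed together.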
Massive grants
Symptoms of massive grant attacks include granting many new privileges to various users and permissions that are being granted by users that don’t usually grant permissions.
Guardium identifies and flags such behaviors.
New grants
Granting privileges to users is a normal procedure. However, grants can also transfer privileges to users to stage attacks under a different username. Guardium opens a case if it identifies suspicious behavior of a user with recently granted privileges.
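The Massive grants and New grants entries describe three observable symptoms: a burst of GRANT statements, grants issued by a user who does not normally grant, and a freshly granted user immediately touching sensitive data. The following is an added example, not Guardium code, that checks those three symptoms over a constructed event list; the baseline set of usual grantors, the sensitive-object list, the GRANT syntax it parses, and the windows are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

GRANT_RE = re.compile(r"^\s*GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(\S+)", re.I)

KNOWN_GRANTORS = {"dba_root"}                            # constructed baseline
SENSITIVE_OBJECTS = {"hr.salaries", "finance.ledger"}    # constructed

# Constructed events: (timestamp, acting user, statement). Not real audit data.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "dba_root", "GRANT SELECT ON hr.salaries TO app_ro"),
    ("2024-05-01T13:00:00", "web_app", "GRANT ALL ON hr.salaries TO tmp_user1"),
    ("2024-05-01T13:00:05", "web_app", "GRANT ALL ON hr.employees TO tmp_user2"),
    ("2024-05-01T13:00:10", "web_app", "GRANT ALL ON finance.ledger TO tmp_user3"),
    ("2024-05-01T13:00:15", "web_app", "GRANT ALL ON finance.ledger TO tmp_user4"),
    ("2024-05-01T13:05:00", "tmp_user1", "SELECT * FROM hr.salaries"),
    ("2024-05-01T16:00:00", "app_ro", "SELECT name FROM hr.employees"),
]


def detect_grant_abuse(events, known_grantors, sensitive,
                       window=timedelta(minutes=10), burst_threshold=4,
                       followup=timedelta(hours=1)):
    """Return alerts for the grant-related symptoms described in the text.

    unusual_grantor            : a user outside the usual grantor set issues a GRANT
    massive_grants             : one actor issues burst_threshold grants within window
    new_grant_sensitive_access : a recently granted user reads/changes a sensitive object
    """
    grants_by_actor = defaultdict(deque)   # actor -> grant times inside the window
    recent_grantees = {}                   # grantee -> (time of grant, grantor)
    alerted_grantors, burst_alerted = set(), set()
    alerts = []
    for ts_s, actor, sql in events:
        ts = datetime.fromisoformat(ts_s)
        m = GRANT_RE.match(sql)
        if m:
            priv, obj, grantee = m.groups()
            if actor not in known_grantors and actor not in alerted_grantors:
                alerted_grantors.add(actor)
                alerts.append(("unusual_grantor", actor, grantee, obj))
            q = grants_by_actor[actor]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= burst_threshold and actor not in burst_alerted:
                burst_alerted.add(actor)
                alerts.append(("massive_grants", actor, len(q)))
            recent_grantees[grantee] = (ts, actor)
        else:
            info = recent_grantees.get(actor)
            if info and ts - info[0] <= followup:
                touched = sorted(o for o in sensitive if o.lower() in sql.lower())
                if touched:
                    alerts.append(("new_grant_sensitive_access", actor, info[1], touched[0]))
    return alerts


if __name__ == "__main__":
    for alert in detect_grant_abuse(SAMPLE_EVENTS, KNOWN_GRANTORS, SENSITIVE_OBJECTS):
        print(alert)
```

The last alert type carries the grantor as well as the grantee, which is what lets an analyst connect a staged attack under a new username back to the account that set it up.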
OS command injection
These attacks are attempts to run operating system commands on the server, sent from a client and executed by a server process. For example, inserting operating system commands to erase files or, in Guardium, to set outlier mining parameters with the goal of preempting the identification of attack symptoms. The attacker usually does not know whether the attack succeeded and uses tools like ping to check communication between the attacker's client and the server.
Guardium observes patterns of operating system commands that an attacker might attempt to run on the target server.
Schema tampering
Schema tampering is characterized by changes to database elements such as tables, views, or stored procedures.
Guardium identifies these changes and correlates them with other factors such as whether the changes generated errors or were performed by a privileged user.
SQL injection (general)
SQL injection attacks attempt to exploit application vulnerabilities by concatenating user input with SQL queries. If successful, these attacks can run malicious SQL commands that use the legitimate application connection. SQL injection attacks can be difficult to identify because the individual steps of an attack, analyzed independently of the other steps, might be considered legitimate. Using threat detection analytics, Guardium identifies potential SQL injection attacks by capturing the individual steps and analyzing them as part of a single complex attack.
Typical symptoms of SQL injection attacks that Guardium identifies include:
  • An attacker tries to identify the structure of a dynamic SQL query: for example, the number of columns queried.
  • An unusually large quantity of new queries, specifically queries that are uniquely or unusually structured.
  • Access to tables that contain information about the database structure.
SQL Injection: Tautology
In a tautology attack, the injected code uses the logical operator OR together with a condition that always evaluates to TRUE. Tautology-based SQL injection attacks usually bypass user authentication and extract data by inserting a tautology in the "WHERE" clause of an SQL query. The injected code transforms the original condition into a tautology that causes, for example, all the rows in a database table to be exposed to an unauthorized user.
Guardium prevents this type of attack by identifying multiple variations on tautological expressions in the database requests.
SQL Injection: Side channel
SQL injection attacks often result in a general error with no indication of the reason for failure. In side channel attacks, the attacker typically inserts code that has a "side effect", like sleeping for 2 seconds, if an attack is successful. This technique allows the attacker to measure the side effect and determine whether the attack was successful. For example, the injected code might sleep for 2 seconds if the MySQL version is 5.6: if the request takes more than 2 seconds to return, the attacker confirms that the server is running MySQL 5.6.
Guardium finds side channel attacks by identifying the use of commands such as sleep and comments in the database requests.
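The Tautology and Side channel entries both reduce to pattern checks on the text of a database request: an OR branch whose two sides are constants that compare true, and the presence of delay functions or comment markers. The following classifier is an added example of those checks written for this page; it is not Guardium's detection logic. The list of delay functions, the comment markers, the verdict names, and the sample requests are all constructed for the illustration, and the tautology check goes slightly beyond the text by actually evaluating the constant comparison, so that OR 1=2 is not flagged.

```python
import re

LITERAL = r"('[^']*'|\d+(?:\.\d+)?)"
TAUTOLOGY_RE = re.compile(r"\bOR\s+" + LITERAL + r"\s*(<>|!=|<=|>=|=|<|>)\s*" + LITERAL, re.I)
OR_TRUE_RE = re.compile(r"\bOR\s+TRUE\b", re.I)
# Delay functions across common engines (constructed list), plus T-SQL WAITFOR DELAY.
DELAY_RE = re.compile(r"\b(?:SLEEP|PG_SLEEP|BENCHMARK|DBMS_LOCK\.SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I)
COMMENT_RE = re.compile(r"--|/\*")

OPS = {"=": lambda a, b: a == b, "<>": lambda a, b: a != b, "!=": lambda a, b: a != b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    "SELECT * FROM users WHERE name = 'alice' AND pw = 'x'",
    "SELECT * FROM users WHERE name = '' OR 1=1 --' AND pw = ''",
    "SELECT * FROM users WHERE name = '' OR 'a'='a'",
    "SELECT * FROM orders WHERE id = 7 OR 2>1",
    "SELECT * FROM items WHERE id = 1; SELECT SLEEP(2)",
    "SELECT * FROM items WHERE id = 1 AND 1=1 /* probe */",
    "SELECT COUNT(*) FROM orders WHERE status = 'open' OR status = 'closed'",
    "SELECT * FROM t WHERE x = 1 OR pg_sleep(2) IS NULL",
    "SELECT * FROM t WHERE id = 5; WAITFOR DELAY '0:0:2'",
    "SELECT * FROM t WHERE a = 1 OR 1 = 2",
]


def _literal(tok):
    """Turn a matched SQL literal into a Python value ('abc' -> str, 12 -> float)."""
    return tok[1:-1] if tok.startswith("'") else float(tok)


def has_tautology(sql):
    """True if some OR branch compares two constants and the comparison always holds."""
    if OR_TRUE_RE.search(sql):
        return True
    for left, op, right in TAUTOLOGY_RE.findall(sql):
        try:
            if OPS[op](_literal(left), _literal(right)):
                return True
        except TypeError:   # string compared with number: not a constant truth
            pass
    return False


def classify_request(sql):
    """Label one request; 'review' means only a weak indicator (a comment) was seen."""
    labels = []
    if has_tautology(sql):
        labels.append("tautology")
    if DELAY_RE.search(sql):
        labels.append("time_delay")
    if COMMENT_RE.search(sql):
        labels.append("comment")
    if "tautology" in labels:
        verdict = "sqli_tautology"
    elif "time_delay" in labels:
        verdict = "sqli_side_channel"
    elif labels:
        verdict = "review"
    else:
        verdict = "clean"
    return {"sql": sql, "labels": labels, "verdict": verdict}


if __name__ == "__main__":
    for q in SAMPLE_REQUESTS:
        r = classify_request(q)
        print(f"{r['verdict']:18} {r['labels']}  {q}")
```

Note the legitimate query with OR status = 'closed' is left alone because neither side of the comparison is a constant; a detector that only looks for the word OR would flag it. Comments alone are only a "review" signal, since they are common in ordinary application SQL.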
SQL Injection: Denial of Service
A denial of service attack attempts to impact service availability by creating excessively high demands on memory or resources or by causing server unavailability.
Guardium identifies these attacks, for example, by analyzing the syntax used in the database requests.