Threat descriptions
Understand the different types of threats identified by Active threat analytics.
- Account takeover
- An unauthorized user gains access to an account.
- Anomaly
- Anomalies are behaviors that are contrary to “normal” behavior in any aspect of tracked activity.
- Brute force attack
- Brute force attacks are detected as suspected failed-login attacks, which cover many scenarios. The failed logins are usually by one database user, or by multiple database users, on one database. The factors considered include the user, the timing, the frequency, and other actions taken by the suspicious user.
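The two failed-login patterns named above (one database user failing repeatedly, and many database users failing on one database) can be caught with a sliding-window count over an audit feed. The following is an added example, not Guardium code; the record layout, the 60-second window and the threshold of five are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-login audit records (not real Guardium output):
# one line per failure as "timestamp,db_user,database,client_ip".
SAMPLE_FAILED_LOGINS = """\
2024-05-01T10:00:01,app_user,salesdb,10.0.0.5
2024-05-01T10:00:03,app_user,salesdb,10.0.0.5
2024-05-01T10:00:04,app_user,salesdb,10.0.0.5
2024-05-01T10:00:06,app_user,salesdb,10.0.0.5
2024-05-01T10:00:07,app_user,salesdb,10.0.0.5
2024-05-01T10:00:09,app_user,salesdb,10.0.0.5
2024-05-01T10:05:00,report_user,salesdb,10.0.0.9
2024-05-01T10:05:01,etl_user,salesdb,10.0.0.9
2024-05-01T10:05:02,backup_user,salesdb,10.0.0.9
2024-05-01T10:05:03,admin,salesdb,10.0.0.9
2024-05-01T10:05:04,sa,salesdb,10.0.0.9
2024-05-01T10:05:05,root,salesdb,10.0.0.9
2024-05-01T11:30:00,dba_jane,hrdb,10.0.1.2
"""


def parse_failed_logins(text):
    """Parse the constructed CSV feed into (timestamp, user, database, client_ip)."""
    records = []
    for line in text.splitlines():
        ts, user, db, ip = line.split(",")
        records.append((datetime.fromisoformat(ts), user, db, ip))
    return records


def detect_brute_force(records, window=timedelta(seconds=60), threshold=5):
    """Return alerts for two patterns within a sliding time window:
    - 'single_user': one database user fails `threshold` times on one database
    - 'user_enumeration': one client fails against `threshold` distinct users
      on one database
    Each alert fires once, at the moment the threshold is reached."""
    per_user = defaultdict(deque)    # (db, user) -> timestamps inside the window
    per_client = defaultdict(deque)  # (db, client_ip) -> (timestamp, user) inside the window
    alerts = []
    for ts, user, db, ip in sorted(records):
        # Frequency of failures for one user on one database.
        q = per_user[(db, user)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append(("single_user", db, user, ip))

        # Breadth of users tried by one client on one database.
        c = per_client[(db, ip)]
        c.append((ts, user))
        while c and ts - c[0][0] > window:
            c.popleft()
        distinct_users = {u for _, u in c}
        if len(distinct_users) == threshold:
            alerts.append(("user_enumeration", db, ip, len(distinct_users)))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_failed_logins(SAMPLE_FAILED_LOGINS)):
        print(alert)
```

On the constructed feed this reports `app_user` on `salesdb` (five failures in under ten seconds) and the client `10.0.0.9` trying five different users on `salesdb`; the single failure by `dba_jane` on `hrdb` produces nothing. Window and threshold are the "timing" and "frequency" factors in the description and should be tuned per database.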
- Cross-site scripting
- Cross-site scripting (XSS) attacks attempt to insert malicious JavaScript into the server through client input fields and APIs. Once such a script is stored, it persists and runs every time a user accesses the affected page. A typical scenario inserts JavaScript through a web page; the script then runs every time that page is accessed.
- Data tampering
- A data tampering attack attempts to change or delete information. This type of attack typically exhibits a high volume of data deletion or removal.
- Denial of Service
- A denial of service attack attempts to impact service availability by creating excessively high demands on memory or resources or by causing server unavailability.
- Insider threat: possible data leak
- An insider threat of this kind is an attempt to retrieve data for unauthorized use.
- Malicious stored procedure
- A malicious stored procedure is a block of SQL code that is designed to evade detection and to run complex attacks over an extended time period. The stored procedure can be run repeatedly, change its behaviors over time, or remain dormant for long periods of time, all of which makes it harder to identify its activities as suspicious. For example, a stored procedure that caused unusual activity to be identified in an audit can go dormant and be forgotten by the time of the next audit.
- Massive grants
- Symptoms of a massive grant attack include many new privileges being granted to various users, and permissions being granted by users who don't usually grant permissions.
- New grants
- Granting privileges to users is a normal procedure. However, grants can also transfer privileges to users to stage attacks under a different username. Guardium opens a case if it identifies suspicious behavior of a user with recently granted privileges.
- OS command injection
- These attacks attempt to run operating system commands from a client through a server process. Examples include inserting operating system commands to erase files or, in Guardium, to set outlier mining parameters with the goal of preempting the identification of attack symptoms. The attacker usually does not know whether the attack succeeded and uses tools like ping to check communication between the attacker's client and the server.
- Schema tampering
- Schema tampering is characterized by changes to database elements such as tables, views, or stored procedures.
- SQL injection (general)
- SQL injection attacks attempt to exploit application vulnerabilities by concatenating user input with SQL queries. If successful, these attacks can run malicious SQL commands that use the legitimate application connection. SQL injection attacks can be difficult to identify because the individual steps of an attack, analyzed independently of the other steps, might be considered legitimate. Using threat detection analytics, Guardium identifies potential SQL injection attacks by capturing the individual steps and analyzing them as part of a single complex attack.
- SQL Injection: Tautology
- In a tautology attack, the injected code uses the conditional operator OR together with a condition that always evaluates to TRUE. Tautology-based SQL injection attacks usually bypass user authentication and extract data by inserting a tautology in the WHERE clause of an SQL query. The injected code transforms the original condition into a tautology, so that, for example, all rows in a database table become readable by an unauthorized user.
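The two entries above describe the root cause (user input concatenated into a query) and one of its effects (a tautology in the WHERE clause). The following added example, not part of this page or of Guardium, puts the vulnerable pattern beside its parameterized fix using Python's built-in `sqlite3` module; the table, the rows and the login functions are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database for the demonstration. A real application
# would store password hashes, not plaintext; that detail is irrelevant here.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """The flaw described in the text: input is concatenated into the statement,
    so quotes and operators in the input become part of the WHERE clause."""
    sql = (
        "SELECT name, role FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, name, password):
    """Parameter binding: the input is passed to the driver as data and is never
    parsed as SQL, so a tautology in the input cannot alter the condition."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# The textbook tautology from the description: closes the string literal and
# appends an OR condition that is always TRUE.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("normal login, hardened:", login_hardened(conn, "bob", "hunter2"))
    print("tautology, vulnerable:  ", login_vulnerable(conn, "alice", TAUTOLOGY))
    print("tautology, hardened:    ", login_hardened(conn, "alice", TAUTOLOGY))
```

With the concatenated query the WHERE clause becomes `name = 'alice' AND password = '' OR '1'='1'`, which is TRUE for every row, so both users are returned without any valid password. The parameterized query compares the password column against the literal string and returns nothing. From the monitoring side this is why individual steps look legitimate: the vulnerable statement is syntactically ordinary SQL issued over the application's own connection.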
- SQL Injection: Side channel
- SQL injection attempts often result in a generic error with no indication of the reason for failure. In a side channel attack, the attacker inserts code that has an observable "side effect", such as sleeping for 2 seconds when the injected condition is true. Measuring the side effect tells the attacker whether the injection succeeded. For example, the injected code might sleep for 2 seconds if the MySQL version is 5.6: if the request takes more than 2 seconds to return, the attacker confirms that the server is running MySQL 5.6.
- SQL Injection: Denial of Service
- A denial of service attack delivered through SQL injection attempts to impact service availability by creating excessively high demands on memory or resources or by causing server unavailability.
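Several of the threats listed above (side channel injection, schema tampering, and massive grants) leave recognizable traces in the statement text and in who issues it. The following added example, not Guardium code, runs a small rule set over a constructed audit sample: time-delay functions flag side channel probes, DDL against tables, views or procedures flags schema tampering, and GRANT statements are counted per user and compared against a baseline of users who usually grant. The function names, the record layout and the threshold of three grants are assumptions.

```python
import re
from collections import Counter

# Constructed audit sample (not real Guardium output): (db_user, statement).
SAMPLE_AUDIT = [
    ("app_user", "SELECT id, total FROM orders WHERE customer_id = 42"),
    ("app_user", "SELECT id FROM orders WHERE customer_id = 42 AND SLEEP(2)"),
    ("app_user", "SELECT * FROM orders WHERE id = 7 AND (SELECT pg_sleep(2)) IS NULL"),
    ("dba_jane", "GRANT SELECT ON hr.salaries TO report_user"),
    ("etl_user", "GRANT ALL PRIVILEGES ON *.* TO temp1"),
    ("etl_user", "GRANT ALL PRIVILEGES ON *.* TO temp2"),
    ("etl_user", "GRANT ALL PRIVILEGES ON *.* TO temp3"),
    ("etl_user", "DROP TABLE audit_trail"),
    ("etl_user", "ALTER TABLE orders ADD COLUMN exfil TEXT"),
]

# Time-delay primitives used to create a measurable side effect (MySQL,
# PostgreSQL and SQL Server spellings).
SIDE_CHANNEL = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE
)
# DDL that changes the database elements named in the schema tampering entry.
SCHEMA_DDL = re.compile(
    r"^\s*(?:alter|drop|create)\s+(?:table|view|procedure|function|trigger)\b",
    re.IGNORECASE,
)
GRANT = re.compile(r"^\s*grant\b", re.IGNORECASE)


def classify_statement(sql):
    """Return the rule tags that match a single statement (possibly none)."""
    tags = []
    if SIDE_CHANNEL.search(sql):
        tags.append("sqli_side_channel")
    if SCHEMA_DDL.match(sql):
        tags.append("schema_tampering")
    if GRANT.match(sql):
        tags.append("grant")
    return tags


def analyze_audit(records, usual_grantors, grant_threshold=3):
    """Produce findings as (category, user, detail).

    Per-statement rules fire immediately. Grants are aggregated per user and
    reported as 'massive_grants' when the count reaches the threshold or when
    the grantor is not in the baseline of users who usually grant."""
    findings = []
    grants = Counter()
    for user, sql in records:
        for tag in classify_statement(sql):
            if tag == "grant":
                grants[user] += 1
            else:
                findings.append((tag, user, sql))
    for user, count in grants.items():
        if count >= grant_threshold or user not in usual_grantors:
            findings.append(("massive_grants", user, count))
    return findings


if __name__ == "__main__":
    for finding in analyze_audit(SAMPLE_AUDIT, usual_grantors={"dba_jane"}):
        print(finding)
```

On the sample, the two delayed SELECTs from `app_user`, the DROP and ALTER from `etl_user`, and the three grants by `etl_user` (who is not a usual grantor) are reported; the single grant by `dba_jane` is treated as routine. Pattern rules like these are a starting point, not a replacement for the behavioural baselines the description refers to, since an attacker can spell a delay in ways the regular expression does not list.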