Risk event categories
Understand the different categories of threats identified by risk events.
DDR This content is available through the IBM Guardium® Data Detection and Response module.
- Abnormal or unexpected behavior
- The asset is exhibiting deviations from normal activities. These may be anomalies, which are detected by comparing hourly activity with an average hour’s activity, or policy violations. Investigating these discrepancies is essential to identify whether the irregularities stem from legal activities or breaches of established policies.
- Brute force attack
- Hackers may attempt to access a database by trying common combinations of user names and passwords, such as 'ADMIN/ADMIN,' or by trying multiple variations of passwords for a specific user.
- Credential stealing
- There is a suspicion that an unauthorized user accessed the database. A new connection profile was used to access an account, exhibiting anomalies. This may indicate that a user’s credentials were stolen and misused. Errors that are associated with the account are reported.
- Cross-site scripting (XSS)
- Cross-site scripting (XSS) attacks attempt to insert malicious JavaScript code into the server through input fields and APIs. When such a script is stored in the database, it becomes persistent and is activated every time that a user accesses the data. SQL statements that include JavaScript may indicate an attempt to inject such malicious code.
- Data stealing
- This attack is an attempt to retrieve data for unauthorized use. Data stealing is identified by abnormally high data retrieval activity. It may serve as the initial step in a ransomware attack, where the attacker steals the data and then removes it from the database altogether.
- Data tampering
- In this attack, the attacker accesses the database to modify or remove data. This may cause loss of data or disruption in system operations. Anomalies in the volume of data deletion or modification may indicate such an attack. Exceptions that are caused by missing data may support this suspicion.
- Distributed Denial-of-Service (DDoS)
- Typically, Distributed Denial-of-Service (DDoS) attacks target a network, web server, or web service and should be detected at these levels. However, these attacks can cause a significant increase in data activity and overload the database.
- OS command injection
- OS command injection, also known as shell injection, is an attempt to run commands on the operating system, injected through an application. Certain patterns of SQL statements may indicate that the statement includes an OS command and can be suspected as an OS command injection attempt.
- Schema tampering
- Schema tampering refers to the malicious modification or removal of database elements, such as tables, views, and stored procedures. These modifications may cause excessive exceptions as applications fail to use these schema elements in a usual manner.
- SQL Injection
- SQL injection attacks attempt to use application vulnerabilities by concatenating user input with SQL queries. If successful, these attacks can run malicious SQL commands by using the legitimate application connection. There are various SQL injection techniques. Explore policy violations and exceptions to understand which techniques, suggesting an SQL injection, were identified.
- Uncategorized
- Unusual activity that does not fall under any specific category occurred. Although this anomalous event does not fall under one of the pre-defined categories, it still suggests risk and warrants attention.