Risk event categories

Understand the different categories of threats identified by risk events.

This content is available through the IBM Guardium® Data Detection and Response (DDR) module.

Abnormal or unexpected behavior
The asset is exhibiting deviations from its normal activity. These may be anomalies, which are detected by comparing an hour's activity with an average hour's activity, or policy violations. Investigate these discrepancies to determine whether they stem from legitimate activity or from breaches of established policies.
Brute force attack
Hackers may attempt to access a database by trying common user name and password combinations, such as 'ADMIN/ADMIN', or by trying many password variations for a specific user.
Failed login attempts by multiple users, especially common user names such as 'ROOT', 'ADMIN', and 'WP', can raise suspicion of an attack. Multiple failed login attempts by a single user also raise suspicion of an attack. Other factors, such as excessive exceptions and policy violations, support this suspicion.
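The two brute-force signals described above (failed logins spread across several users, and repeated failures for one user) can be checked with a small detector over login audit records. The following is an added example, not Guardium code; the log line format, the watch list of common user names, the 5-minute window and the thresholds are all assumptions chosen for the constructed sample.

```python
"""Brute-force login detection over constructed database audit records.

Added example (not Guardium code). Two rules follow the text above:
  1. many failed logins for a single user from one client, and
  2. failed logins for several distinct users from one client, with
     common names such as ROOT/ADMIN/WP called out separately.
Line format, watch list, window size and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed watch list of user names that are commonly guessed
COMMON_USERNAMES = {"ROOT", "ADMIN", "WP", "SA", "POSTGRES"}

# Constructed sample audit lines (not real Guardium output)
SAMPLE_LOG = """\
2024-05-01T10:00:01 user=alice ip=10.0.0.5 outcome=LOGIN_OK
2024-05-01T10:00:03 user=ADMIN ip=198.51.100.7 outcome=LOGIN_FAILED
2024-05-01T10:00:04 user=ROOT ip=198.51.100.7 outcome=LOGIN_FAILED
2024-05-01T10:00:05 user=WP ip=198.51.100.7 outcome=LOGIN_FAILED
2024-05-01T10:00:06 user=SA ip=198.51.100.7 outcome=LOGIN_FAILED
2024-05-01T10:01:10 user=bob ip=10.0.0.8 outcome=LOGIN_FAILED
2024-05-01T10:01:12 user=bob ip=10.0.0.8 outcome=LOGIN_FAILED
2024-05-01T10:01:15 user=bob ip=10.0.0.8 outcome=LOGIN_FAILED
2024-05-01T10:01:20 user=bob ip=10.0.0.8 outcome=LOGIN_FAILED
2024-05-01T10:01:25 user=bob ip=10.0.0.8 outcome=LOGIN_FAILED
2024-05-01T10:01:40 user=bob ip=10.0.0.8 outcome=LOGIN_OK
2024-05-01T10:30:00 user=carol ip=10.0.0.9 outcome=LOGIN_FAILED
2024-05-01T10:30:30 user=carol ip=10.0.0.9 outcome=LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) outcome=(\S+)$")


def parse_log(text):
    """Parse the assumed 'ts user= ip= outcome=' line format into dicts."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, user, ip, outcome = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "ip": ip, "outcome": outcome})
    return records


def detect_brute_force(records, window=timedelta(minutes=5),
                       per_user_threshold=5, spray_threshold=3):
    """Group failed logins per client IP into fixed windows and apply both rules."""
    buckets = defaultdict(list)
    for r in records:
        if r["outcome"] != "LOGIN_FAILED":
            continue
        # Floor the timestamp to the start of its fixed window
        offset = (r["ts"] - datetime.min) % window
        buckets[(r["ip"], r["ts"] - offset)].append(r["user"])

    findings = []
    for (ip, start), users in buckets.items():
        # Rule 1: one user failing repeatedly (password guessing)
        for user, n in Counter(users).items():
            if n >= per_user_threshold:
                findings.append({"kind": "single_user_failures", "ip": ip,
                                 "user": user, "count": n,
                                 "window_start": start.isoformat()})
        # Rule 2: several distinct users failing (user name / password spraying)
        distinct = set(users)
        if len(distinct) >= spray_threshold:
            common_hits = sorted(u for u in distinct if u.upper() in COMMON_USERNAMES)
            findings.append({"kind": "multi_user_failures", "ip": ip,
                             "distinct_users": len(distinct),
                             "common_usernames": common_hits,
                             "window_start": start.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in detect_brute_force(parse_log(SAMPLE_LOG)):
        print(finding)
```

Bucketing by client IP is a design choice for the sample; the text above keys the suspicion on users, and a production rule would also correlate with the exceptions and policy violations the page mentions before raising the event.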
Credential stealing
There is a suspicion that an unauthorized user accessed the database: a new connection profile was used to access an account and exhibited anomalies. This may indicate that the user's credentials were stolen and misused. Errors that are associated with the account are reported.
Cross-site scripting (XSS)
Cross-site scripting (XSS) attacks attempt to insert malicious JavaScript code into the server through input fields and APIs. When such a script is stored in the database, it becomes persistent and is activated every time that a user accesses the data. SQL statements that include JavaScript may indicate an attempt to inject such malicious code.
Data stealing
This attack is an attempt to retrieve data for unauthorized use. Data stealing is identified by abnormally high data retrieval activity. It may be the first step of a ransomware attack, in which the attacker steals the data and then removes it from the database altogether.
Data tampering
In this attack, the attacker accesses the database to modify or remove data. This may cause loss of data or disruption in system operations. Anomalies in the volume of data deletion or modification may indicate such an attack. Exceptions that are caused by missing data may support this suspicion.
Distributed Denial-of-Service (DDoS)
Typically, Distributed Denial-of-Service (DDoS) attacks target a network, web server, or web service and should be detected at these levels. However, these attacks can cause a significant increase in data activity and overload the database.
An extreme increase in data activity may indicate a DDoS attack. Also, certain SQL statement patterns can raise suspicion of such an attack, whether there is an increase in data activity or not.
OS command injection
OS command injection, also known as shell injection, is an attempt to run operating system commands that are injected through an application. Certain SQL statement patterns may indicate that a statement includes an OS command, and such statements are suspected OS command injection attempts.
Schema tampering
Schema tampering refers to the malicious modification or removal of database elements, such as tables, views, and stored procedures. These modifications may cause excessive exceptions as applications fail to use these schema elements in a usual manner.
An anomaly in the volume of activities that modify or remove schema elements may indicate such an attack. Exceptions that are related to schema elements that don’t exist support this suspicion.
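Several of the categories above (Abnormal or unexpected behavior, Data stealing, Data tampering, Distributed Denial-of-Service, and Schema tampering) rest on the same mechanism: an hour's activity is compared with an average hour's activity, and the kind of activity that deviates decides the category. The following is an added example that implements that comparison over constructed hourly counters; it is not Guardium code, and the counter names, the mapping from counter to category, the ratio threshold and the sample numbers are assumptions.

```python
"""Hourly-volume anomaly detection over constructed activity counters.

Added example, not Guardium code. Each observed hour is compared with the
average of a set of baseline hours; a counter that exceeds its average by
a large factor is reported under the page category associated with that
kind of activity. Counter names, mapping, thresholds and numbers are
assumptions made for this illustration.
"""
from statistics import mean

# Assumed mapping from an activity counter to the page's category name
CATEGORY_BY_COUNTER = {
    "select_rows": "Data stealing",                       # retrieval volume
    "dml_rows": "Data tampering",                         # modified/deleted rows
    "ddl_statements": "Schema tampering",                 # CREATE/ALTER/DROP
    "total_statements": "Distributed Denial-of-Service (DDoS)",  # overall load
}

# Constructed baseline: 24 hours of ordinary activity with mild variation
BASELINE_HOURS = [
    {
        "select_rows": 5000 + (i % 3) * 300,
        "dml_rows": 200 + (i % 4) * 20,
        "ddl_statements": 1 if i % 8 == 0 else 0,
        "total_statements": 12000 + (i % 5) * 500,
    }
    for i in range(24)
]

# Constructed observed hours: one normal hour and four deviating ones
OBSERVED_HOURS = {
    "2024-05-02T09": {"select_rows": 5300, "dml_rows": 220, "ddl_statements": 0, "total_statements": 12500},
    "2024-05-02T10": {"select_rows": 250000, "dml_rows": 220, "ddl_statements": 0, "total_statements": 13000},
    "2024-05-02T11": {"select_rows": 5100, "dml_rows": 9000, "ddl_statements": 0, "total_statements": 13500},
    "2024-05-02T12": {"select_rows": 5400, "dml_rows": 240, "ddl_statements": 40, "total_statements": 12800},
    "2024-05-02T13": {"select_rows": 5200, "dml_rows": 230, "ddl_statements": 0, "total_statements": 400000},
}


def build_baseline(hours):
    """Average each counter across the supplied (assumed normal) hours."""
    return {key: mean(h[key] for h in hours) for key in hours[0]}


def score_hour(observed, baseline, ratio_threshold=5.0, min_count=20):
    """Report counters whose value is far above the average hour.

    min_count suppresses noise from tiny absolute numbers (e.g. 2 DDL
    statements against an average of 0.1 would otherwise be a huge ratio).
    """
    findings = []
    for key, value in observed.items():
        if value < min_count:
            continue
        avg = baseline[key]
        ratio = value / avg if avg > 0 else float("inf")
        if ratio >= ratio_threshold:
            findings.append({
                "counter": key,
                "category": CATEGORY_BY_COUNTER[key],
                "observed": value,
                "average": round(avg, 2),
                "ratio": round(ratio, 1),
            })
    return findings


def scan(observed_hours, baseline):
    """Return only the hours that produced at least one finding."""
    report = {}
    for hour, counters in observed_hours.items():
        findings = score_hour(counters, baseline)
        if findings:
            report[hour] = findings
    return report


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_HOURS)
    for hour, findings in scan(OBSERVED_HOURS, baseline).items():
        for f in findings:
            print(hour, f["category"], f"{f['counter']}={f['observed']} (x{f['ratio']} of average)")
```

A plain ratio against the mean is the simplest reading of "an average hour's activity"; a deployment would typically keep separate baselines per weekday and hour of day, and would combine the volume signal with the exceptions the page mentions (missing rows, non-existent schema elements) before raising the event.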
SQL Injection
SQL injection attacks exploit application vulnerabilities by concatenating user input into SQL queries. If successful, these attacks run malicious SQL commands over the legitimate application connection. There are various SQL injection techniques; explore the policy violations and exceptions to see which techniques suggesting SQL injection were identified.
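The Cross-site scripting, OS command injection and SQL injection categories above are all raised from patterns in captured SQL statement text. The following is an added example of such pattern checks run over constructed statements; it is not Guardium code and does not reproduce the product's own patterns, which this page does not publish. The rule set is an assumed, illustrative collection of textbook signatures, and every match is a suspicion to investigate alongside the policy violations and exceptions the text refers to.

```python
"""Signature checks over SQL statement text for the XSS, OS command
injection and SQL injection categories.

Added example, not Guardium code. The rules are an assumed, illustrative
set; the product's own patterns are not published on this page.
"""
import re

# Assumed rule set: (category name from the page, pattern, what it looks for)
RULES = [
    ("Cross-site scripting (XSS)",
     re.compile(r"<\s*script\b|javascript\s*:", re.I),
     "script markup or a javascript: URL inside a stored value"),
    ("OS command injection",
     re.compile(r"\bxp_cmdshell\b|\bFROM\s+PROGRAM\b", re.I),
     "statement reaches an OS command facility of the database engine"),
    ("SQL Injection",
     re.compile(r"'\s*OR\s+'?\d+'?\s*=\s*'?\d+"      # tautology after a closed literal
                r"|\bUNION\s+(?:ALL\s+)?SELECT\b"     # union-based extraction
                r"|;\s*(?:DROP|ALTER|EXEC)\b"        # stacked statement
                r"|'\s*(?:--|#|/\*)", re.I),          # comment right after a literal
     "tautology, UNION, stacked statement or literal-terminating comment"),
]

# Constructed sample statements (not captured traffic); the last one is a
# benign look-alike included to show that plain words do not trigger the rules
SAMPLE_STATEMENTS = [
    "SELECT name, email FROM customers WHERE id = 42",
    "INSERT INTO comments (body) VALUES ('<script>alert(1)</script>')",
    "EXEC xp_cmdshell 'dir'",
    "SELECT * FROM users WHERE name = '' OR 1=1 --' AND password = ''",
    "SELECT id FROM items WHERE id = 1 UNION SELECT version()",
    "SELECT * FROM orders WHERE note LIKE '%script%'",
]


def classify(statement):
    """Return the page categories whose signature matches, in rule order."""
    return [category for category, pattern, _ in RULES if pattern.search(statement)]


def scan(statements):
    """Pair each statement with its matched categories, keeping only hits."""
    report = []
    for stmt in statements:
        hits = classify(stmt)
        if hits:
            report.append({"statement": stmt, "categories": hits})
    return report


if __name__ == "__main__":
    for entry in scan(SAMPLE_STATEMENTS):
        print(", ".join(entry["categories"]), "<-", entry["statement"])
```

Signature rules of this kind are deliberately narrow: a comment token is only counted when it directly follows a string literal, because bare `--` comments appear in legitimate application SQL. A statement can match more than one rule, and in practice a hit is weighed together with the connection profile and the exceptions the database returned before the risk event is raised.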
Uncategorized
Unusual activity occurred that does not fall under any specific category. Although this anomalous event does not match one of the predefined categories, it still suggests risk and warrants attention.