Risk event categories

Understand the different categories of threats identified by Risk events.

Account takeover
An unauthorized user accesses an account.
A case is opened when an account is accessed by a new connection profile. For example, a known user is connecting from a different source IP or is using a different source program. Errors or exceptions that are associated with the source are also reported.
Brute force attack
Suspected failed-login attacks cover many scenarios. The failed logins are usually by one database user, or by multiple database users on one database. The factors that are considered include the user, the timing, the frequency, and other actions taken by the suspicious user.
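The following Python script is an added example that illustrates the two descriptions above, "Account takeover" and "Brute force attack"; it is not Guardium code and does not reproduce the Guardium Risk Engine's logic. It assumes login events are available as text lines with a timestamp, database, user, source IP, client program and result, and it uses constructed connection profiles and log lines. A known user seen with a source IP or client program outside its known profile is reported together with the number of errors from that source, and failed logins are checked for bursts by one user and for bursts by many users against one database inside a sliding time window.

```python
"""Login-event detectors for account takeover and brute force symptoms.

Added example, not Guardium code. Connection profiles and log lines below
are constructed sample data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed: (source IP, client program) pairs each known user connects with.
KNOWN_PROFILES = {
    "alice": {("10.0.1.5", "sqlplus"), ("10.0.1.5", "reporting-app")},
    "app_svc": {("10.0.2.20", "app-server")},
}

# Constructed log lines: "<ISO time> <db> <user> <source IP> <program> <result>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 prod-db alice 10.0.1.5 sqlplus OK
2024-01-10T09:15:00 prod-db alice 198.51.100.7 python-client FAIL
2024-01-10T09:15:04 prod-db alice 198.51.100.7 python-client ERROR
2024-01-10T09:15:09 prod-db alice 198.51.100.7 python-client OK
2024-01-10T09:30:00 prod-db app_svc 10.0.2.20 app-server OK
2024-01-10T10:00:00 prod-db u1 203.0.113.9 psql FAIL
2024-01-10T10:00:02 prod-db u2 203.0.113.9 psql FAIL
2024-01-10T10:00:04 prod-db u3 203.0.113.9 psql FAIL
2024-01-10T10:00:06 prod-db u4 203.0.113.9 psql FAIL
2024-01-10T10:00:08 prod-db u5 203.0.113.9 psql FAIL
2024-01-10T10:00:10 prod-db u6 203.0.113.9 psql FAIL
2024-01-10T11:00:00 prod-db bob 10.0.3.1 sqlplus FAIL
2024-01-10T11:00:01 prod-db bob 10.0.3.1 sqlplus FAIL
2024-01-10T11:00:02 prod-db bob 10.0.3.1 sqlplus FAIL
2024-01-10T11:00:03 prod-db bob 10.0.3.1 sqlplus FAIL
2024-01-10T11:00:04 prod-db bob 10.0.3.1 sqlplus FAIL
2024-01-10T11:00:05 prod-db bob 10.0.3.1 sqlplus FAIL
2024-01-10T15:00:00 hr-db alice 10.0.1.5 sqlplus FAIL
2024-01-10T15:30:00 hr-db alice 10.0.1.5 sqlplus FAIL
"""


def parse_log(text):
    """Turn the sample lines into (timestamp, db, user, ip, program, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, db, user, ip, program, result = line.split()
        events.append((datetime.fromisoformat(ts), db, user, ip, program, result))
    return events


def new_profile_findings(events, known=KNOWN_PROFILES):
    """Known users seen with a (source IP, program) pair outside their profile,
    with the number of non-OK results produced from that source."""
    seen = defaultdict(Counter)  # (user, ip, program) -> result counts
    for _ts, _db, user, ip, program, result in events:
        if user in known and (ip, program) not in known[user]:
            seen[(user, ip, program)][result] += 1
    return [("new_connection_profile", user, ip, program,
             sum(n for r, n in counts.items() if r != "OK"))
            for (user, ip, program), counts in seen.items()]


def max_in_window(items, window):
    """Most distinct identities among (timestamp, identity) items inside one window."""
    items = sorted(items)
    counts, best, start = Counter(), 0, 0
    for t, ident in items:
        counts[ident] += 1
        while t - items[start][0] > window:  # slide the window start forward
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def failed_login_bursts(events, window=timedelta(minutes=5), single_user=5, multi_user=5):
    """Failed-login bursts by one user, or by many users against one database."""
    by_user, by_db = defaultdict(list), defaultdict(list)
    for ts, db, user, _ip, _program, result in events:
        if result == "FAIL":
            by_user[(db, user)].append(ts)
            by_db[db].append((ts, user))
    alerts = []
    for (db, user), times in by_user.items():
        n = max_in_window([(t, i) for i, t in enumerate(times)], window)  # count attempts
        if n >= single_user:
            alerts.append(("single_user", db, user, n))
    for db, items in by_db.items():
        n = max_in_window(items, window)  # count distinct users
        if n >= multi_user:
            alerts.append(("multi_user", db, None, n))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for finding in new_profile_findings(events) + failed_login_bursts(events):
        print(finding)
```

The thresholds and the five-minute window are assumptions chosen for the sample data; the two widely spaced failures on hr-db show that isolated failures inside a long period do not reach the threshold.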
Cross-site scripting (XSS)
Cross-site scripting (XSS) attacks attempt to insert malicious JavaScript code into the server through client input fields and APIs. When such a script is in place, it is persistent and activated every time that a user accesses the affected page. A typical scenario inserts JavaScript through a web page and then runs every time that page is accessed.
Guardium® constantly monitors for XSS patterns in database requests.
Data tampering
A data tampering attack attempts to change or delete information. This type of attack typically exhibits a high volume of data deletion or removal.
Guardium observes whether errors are generated by the data deletion and whether the removal or deletion actions affected sensitive data.
Denial of Service
A denial of service attack attempts to impact service availability by creating excessively high demands on memory or resources or by causing server unavailability.
One means of identifying these attacks is by a high volume of outliers and weighted anomalies. The volume of outliers in this case is high enough to impact availability: for example, a thousand times the average activity.
Data Leak
This attack is an attempt to retrieve data for unauthorized use.
Data leaks are identified by abnormally high data retrieval activity. The activity is measured either as the number of activities or as the number of records that are affected, depending on whether records-affected tracking is enabled within the Guardium environment.
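The following Python script is an added example for the "Denial of Service" and "Data Leak" descriptions above; it is not Guardium code and does not reproduce the Guardium outlier mining. It assumes per-interval activity counts and records-affected counts are available per user, uses constructed history and current-hour figures, and reports how many times the historical average the current value is. Activity floods are judged on the number of activities, and retrieval volume is judged on records affected when records-affected tracking is enabled and on the number of activities otherwise.

```python
"""Volume-outlier detector for denial of service and data leak symptoms.

Added example, not Guardium code. All figures below are constructed.
"""
from statistics import mean

# Constructed per-hour history for each user: activity counts and records affected.
HISTORY = {
    "app_svc": {"activities": [120, 130, 110, 125, 115],
                "records": [5000, 5200, 4800, 5100, 4900]},
    "analyst": {"activities": [10, 12, 9, 11, 8],
                "records": [300, 350, 280, 320, 310]},
}

# Constructed current-hour observation.
CURRENT = {
    "app_svc": {"activities": 140000, "records": 6000},   # request flood
    "analyst": {"activities": 12, "records": 2500000},    # few queries, huge retrieval
}

EMPTY = {"activities": [], "records": []}


def outlier_ratio(current, samples):
    """How many times the historical average the current value is."""
    base = mean(samples) if samples else 0
    if base == 0:
        return float("inf") if current > 0 else 0.0
    return current / base


def classify_user(user, current, history, records_tracking=True,
                  dos_ratio=1000.0, leak_ratio=100.0):
    """Report DoS and data-leak symptoms for one user; ratios are assumed thresholds."""
    findings = []
    activity = outlier_ratio(current["activities"], history["activities"])
    if activity >= dos_ratio:  # e.g. a thousand times the average activity
        findings.append(("denial_of_service", user, "activities", round(activity, 1)))
    metric = "records" if records_tracking else "activities"
    retrieval = outlier_ratio(current[metric], history[metric])
    if retrieval >= leak_ratio:
        findings.append(("data_leak", user, metric, round(retrieval, 1)))
    return findings


def detect_outliers(current=CURRENT, history=HISTORY, records_tracking=True):
    """Run the classification over every user in the current interval."""
    findings = []
    for user, values in current.items():
        findings.extend(classify_user(user, values, history.get(user, EMPTY), records_tracking))
    return findings


if __name__ == "__main__":
    for finding in detect_outliers():
        print(finding)
```

With records-affected tracking disabled, both checks fall back to the activity count, so a flood that is large enough to be a denial of service symptom is also reported as abnormally high retrieval; a user with no history is treated as infinitely above baseline as soon as any activity appears.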
Global risk
A Global risk is a pervasive and high-level risk that warrants further investigation. Similar suspicious activities were observed across multiple assets but were not associated with any one specific asset.
Massive grants
Symptoms of massive grant attacks include many new privileges being granted to various users, and permissions being granted by users that do not usually grant permissions.
Guardium identifies and flags such types of behavior.
OS command injection
These attacks are attempts to run commands on the operating system, sent from a client to a server process. For example, inserting operating system commands to erase files or, in Guardium, to set outlier mining parameters with the goal of preempting the identification of attack symptoms. The attacker usually does not know whether the attack succeeded and uses tools like ping to check communication between their client and the server.
Guardium observes patterns of operating system commands that an attacker might attempt to run on the target server.
Schema tampering
Schema tampering is characterized by changes to database elements such as tables, views, or stored procedures.
Guardium identifies these changes and correlates them with other factors such as whether the changes generated errors or were done by a privileged user.
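The following Python script is an added example for the "Massive grants" and "Schema tampering" descriptions above; it is not Guardium code and does not reproduce the Guardium correlation rules. It assumes captured statements are available as text together with the issuing user and an error flag, and it uses constructed grant history, a constructed privileged-user list and constructed current-interval records. GRANT statements are counted per user and compared with that user's grant history, and schema changes (CREATE, ALTER or DROP of tables, views, procedures, functions and triggers) are reported together with whether the statement errored and whether a privileged user issued it.

```python
"""Grant and schema-change correlator for massive grants and schema tampering.

Added example, not Guardium code. All records below are constructed.
"""
import re
from collections import Counter

GRANT = re.compile(r"^\s*GRANT\b", re.IGNORECASE)
SCHEMA_CHANGE = re.compile(
    r"^\s*(CREATE|ALTER|DROP)\s+(?:OR\s+REPLACE\s+)?(TABLE|VIEW|PROCEDURE|FUNCTION|TRIGGER)\b",
    re.IGNORECASE,
)

# Constructed: GRANT counts per user in each of the last four intervals.
GRANT_HISTORY = {"dba_admin": [3, 5, 2, 4], "app_deploy": [0, 0, 0, 0], "analyst": [0, 0, 0, 0]}
PRIVILEGED_USERS = {"dba_admin"}

# Constructed current-interval records: (user, statement, statement_errored)
CURRENT = [
    ("dba_admin", "GRANT SELECT ON sales.orders TO reporting", False),
    *[("app_deploy", f"GRANT ALL PRIVILEGES ON db{i}.* TO svc{i}", False) for i in range(12)],
    ("analyst", "ALTER TABLE hr.salaries DROP COLUMN audit_flag", True),
    ("dba_admin", "CREATE OR REPLACE VIEW sales.v_orders AS SELECT * FROM sales.orders", False),
    ("analyst", "SELECT * FROM hr.salaries", False),
]


def grant_findings(current=CURRENT, history=GRANT_HISTORY, many_grants=10):
    """Users issuing many grants, or any grants when they normally issue none.
    The many_grants threshold is an assumption for the sample data."""
    counts = Counter(user for user, stmt, _ in current if GRANT.match(stmt))
    findings = []
    for user, n in counts.items():
        reasons = []
        if n >= many_grants:
            reasons.append("many_grants")
        if not any(history.get(user, [])):  # no grants in any past interval
            reasons.append("unusual_grantor")
        if reasons:
            findings.append(("massive_grants", user, n, reasons))
    return findings


def schema_findings(current=CURRENT, privileged=PRIVILEGED_USERS):
    """Schema changes together with the factors the text correlates them against."""
    findings = []
    for user, stmt, errored in current:
        m = SCHEMA_CHANGE.match(stmt)
        if not m:
            continue
        # Two factors that raise attention: the change errored, and the issuer
        # is not a privileged user.
        factors = int(errored) + int(user not in privileged)
        findings.append({
            "user": user,
            "action": m.group(1).upper(),
            "object_type": m.group(2).upper(),
            "errored": errored,
            "privileged_user": user in privileged,
            "severity": ("low", "medium", "high")[factors],
        })
    return findings


if __name__ == "__main__":
    for finding in grant_findings() + schema_findings():
        print(finding)
```

In the sample data the deployment account issues a dozen grants despite never having granted anything before, so it is reported for both reasons, while the single grant by the administrator who grants routinely is not; the failed ALTER by a non-privileged user ranks above the successful view change by the administrator.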
SQL Injection: Tautology
In a tautology attack, injected code uses the conditional operator OR with a condition that always evaluates to TRUE. Tautology-based SQL injection attacks usually bypass user authentication and extract data by inserting a tautology into the "WHERE" clause of an SQL query. The injected code transforms the original condition into a tautology, which causes, for example, all the rows in a database table to be exposed to an unauthorized user.
Guardium prevents this type of attack by identifying multiple variations on tautological expressions in the database requests.
SQL Injection: Side channel
SQL injection attacks often result in a general error with no indication of the reason for failure. In side channel attacks, the attacker typically inserts code that has a "side effect", like sleeping for 2 seconds, if an attack is successful. This technique allows the attacker to measure the side effect and determine whether the attack was successful. For example, the injected code might sleep for 2 seconds if the MySQL version is 5.6: if the request takes more than 2 seconds to return, the attacker confirms that the server is running MySQL 5.6.
Guardium finds side channel attacks by identifying the use of commands such as sleep and comments in the database requests.
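The following Python inspector is an added example for the "SQL Injection: Tautology" and "SQL Injection: Side channel" descriptions above; it is not Guardium code and does not reproduce the Guardium request analysis. It assumes captured database requests are available as plain SQL text and uses constructed sample requests. A tautology is reported when the WHERE clause contains a comparison between two literals that is always true and is joined to the rest of the condition by OR; a side channel is reported when a time-delay function of a common database engine appears, with inline comments reported as a supporting indicator. String literals are masked before pattern matching so that text inside literals cannot trigger a finding.

```python
"""Database-request inspector for tautology and side-channel symptoms.

Added example, not Guardium code. The sample requests at the bottom are
constructed, not captured traffic.
"""
import re

NUMBER = r"(?<![\w.])\d+(?:\.\d+)?(?![\w.])"
STRING = r"'(?:[^']|'')*'"
LITERAL = f"(?:{NUMBER}|{STRING})"
# Two literals joined by a comparison operator; longer operators listed first.
COMPARISON = re.compile(
    rf"({LITERAL})\s*(<>|!=|<=|>=|=|<|>|\bLIKE\b)\s*({LITERAL})", re.IGNORECASE
)
# Delay primitives of several database engines, and comment openers.
DELAY = re.compile(r"\b(sleep|pg_sleep|benchmark|waitfor\s+delay|dbms_lock\.sleep)\b", re.IGNORECASE)
COMMENT = re.compile(r"--|/\*|#")


def mask_strings(sql):
    """Replace the body of every string literal with x's, keeping the length."""
    return re.sub(STRING, lambda m: "'" + "x" * (len(m.group()) - 2) + "'", sql)


def literal_value(text):
    if text.startswith("'"):
        return text[1:-1].replace("''", "'")
    return float(text)


def like_match(value, pattern):
    """Minimal SQL LIKE: % matches any run, _ matches one character."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def always_true(left, op, right):
    a, b = literal_value(left), literal_value(right)
    if op.upper() == "LIKE":
        return isinstance(a, str) and isinstance(b, str) and like_match(a, b)
    if type(a) is not type(b):  # mixed-type comparisons are engine specific; do not judge
        return False
    return {"=": a == b, "<>": a != b, "!=": a != b,
            "<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]


def inspect_request(sql):
    """Return the symptom tags found in one database request."""
    masked = mask_strings(sql)
    tags = []
    where = re.search(r"\bWHERE\b", masked, re.IGNORECASE)
    if where:
        start = where.end()
        # Masking keeps positions aligned, so operands are sliced from the
        # original text while OR and the operator are located in the masked copy.
        for cmp in COMPARISON.finditer(masked, start):
            left = sql[cmp.start(1):cmp.end(1)]
            right = sql[cmp.start(3):cmp.end(3)]
            preceded_by_or = re.search(r"\bOR\b", masked[start:cmp.start()], re.IGNORECASE)
            if preceded_by_or and always_true(left, cmp.group(2), right):
                tags.append("tautology")
                break
    if DELAY.search(masked):
        tags.append("side_channel_delay")
    if COMMENT.search(masked):
        tags.append("inline_comment")
    return tags


# Constructed sample requests.
SAMPLES = {
    "benign": "SELECT id FROM users WHERE name = 'alice' AND active = 1",
    "tautology_string": "SELECT id FROM users WHERE name = '' OR 'a'='a' --' AND active = 1",
    "tautology_numeric": "SELECT * FROM orders WHERE id = 5 OR 1=1",
    "no_or": "SELECT 1 FROM dual WHERE 1=1",
    "delay": "SELECT * FROM users WHERE id = 7 AND IF(VERSION() LIKE '5.6%', SLEEP(2), 0)",
    "literal_only": "SELECT name FROM products WHERE description LIKE '%sleep%' -- search",
}


def inspect_all(samples=SAMPLES):
    return {name: inspect_request(sql) for name, sql in samples.items()}


if __name__ == "__main__":
    for name, tags in inspect_all().items():
        print(f"{name:18s} {tags}")
```

Two simplifications are deliberate: the check ignores parentheses and AND precedence and only asks whether an OR appears before the constant-true comparison, and a constant-true WHERE clause with no OR at all (such as the `1=1` that some query builders emit) is not reported, which keeps that common benign form out of the findings.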
SQL Injection: Denial of Service
A denial of service attack attempts to impact service availability by creating excessively high demands on memory or resources or by causing server unavailability.
Guardium identifies these attacks, for example, by analyzing the syntax used in the database requests.
Uncategorized
The Risk Engine was unable to categorize this event. Although this anomalous event does not fall under one of the predefined categories, it still suggests risk and warrants attention.