Risk event categories

Understand the different categories of threats identified by Risk events.

Account takeover
There is a suspicion that an unauthorized user has accessed the database.
A new connection profile has been used to access an account, along with a notable increase in new activities. For example, a known user may have connected from a different client IP or is using a different application. Errors or exceptions that are associated with the source are also reported.
Brute force attack
There are multiple scenarios that fall under suspected failed login attacks. The occurrence of multiple failed logins for different users or multiple failed logins for a single user, combined with other factors, raises suspicion of an attack. These factors include accessing sensitive data, insufficient privileges, excessive new activity and others.
Cross-site scripting (XSS)
Cross-site scripting (XSS) attacks attempt to insert malicious JavaScript code into the server through client input fields and APIs. Once such a script is stored, it persists and runs every time a user accesses the affected page. A typical scenario inserts JavaScript through a web page; the script then runs each time that page is accessed.
Data tampering
A data tampering attack attempts to change or delete information. This type of attack typically exhibits a high volume of data deletion or removal.
Guardium® observes whether errors are generated by the data deletion and whether the removal or deletion actions affected sensitive data.
Denial of Service
A denial of service attack attempts to impact service availability by creating excessively high demands on memory or resources or by causing server unavailability.
One means of identifying these attacks is by a high volume of outliers and weighted anomalies. The volume of outliers in this case is high enough to impact availability: for example, a thousand times the average activity.
Data Leak
This attack is an attempt to retrieve data for unauthorized use. Excessive "select" (data retrieval) activity on the database is characteristic of this attack.
Global risk
Similar suspicious activities have been observed across multiple assets. This observation suggests that the suspicious activities are not limited to the observed asset alone. Instead, they indicate a widespread attack. A global risk is a pervasive and high-level risk that warrants further investigation.
Massive grants
A user granted many new privileges to various users. It may also be a user who typically does not grant privileges that has now granted a significant number of privileges.
OS command injection
These attacks are attempts to run commands on the operating system, passed from a client to a server process. For example, an attacker might insert operating system commands to erase files or, in Guardium, to set outlier mining parameters with the goal of preempting the identification of attack symptoms. The attacker usually does not know whether the attack succeeded and uses tools like ping to check communication between their client and the server.
Guardium observes patterns of operating system commands that an attacker might attempt to run on the target server.
Schema tampering
Schema tampering refers to modifications made to database elements, including tables, views, or stored procedures. The Risk events engine observed an extremely high level of schema tampering activity.
SQL Injection: Tautology

In a tautology type attack, injected code adds a condition with the OR operator that always evaluates to TRUE. Tautology-based SQL injection attacks usually bypass user authentication and extract data by inserting a tautology in the "WHERE" clause of an SQL query. The injected input transforms the original condition into a tautology, so that, for example, all the rows in a database table become readable by an unauthorized user.

SQL Injection: Side channel
SQL injection attacks often result in a general error with no indication of the reason for failure. In side channel attacks, the attacker typically inserts code that has a "side effect", such as sleeping for 2 seconds, if an attack is successful. This technique allows the attacker to measure the side effect and determine whether the attack was successful. For example, the injected code might sleep for 2 seconds if the MySQL version is 5.6. If the request takes more than 2 seconds to return, the attacker confirms that the server is running MySQL 5.6.
Guardium finds side channel attacks by identifying the use of commands such as sleep and comments in the database requests.
SQL Injection: Denial of Service
A denial of service attack attempts to impact service availability by creating excessively high demands on memory or resources, or by causing server unavailability.
A policy rule identifies these attacks by, for example, analyzing the syntax used in the database requests.
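As an added illustration that is not part of this documentation and not Guardium's own detection logic, the Python sketch below applies the brute force, tautology and side channel indicators described above to a constructed batch of activity records. The record field names, the failed-login threshold and the match patterns are assumptions; the delay pattern also covers PostgreSQL's pg_sleep, going beyond the MySQL example in the text.

```python
import re
from collections import Counter

# Tautology: an OR branch comparing a literal with itself (1=1, '1'='1');
# the optional quote captured in group 1 must appear on both sides.
TAUTOLOGY_RE = re.compile(r"\bOR\s+('?)(\w+)\1\s*=\s*\1\2\1", re.IGNORECASE)
# Side channel: a delay function, or a comment marker right after a closing
# quote, which truncates the rest of the original statement.
DELAY_RE = re.compile(r"\b(SLEEP|PG_SLEEP)\s*\(", re.IGNORECASE)
QUOTE_COMMENT_RE = re.compile(r"'\s*(--|/\*)")

# Constructed activity records (assumed fields: user, status, sql), not real output.
SAMPLE_EVENTS = [
    {"user": "app", "status": "ok", "sql": "SELECT name FROM customers WHERE id = 42"},
    {"user": "app", "status": "ok", "sql": "SELECT * FROM users WHERE name = '' OR '1'='1'"},
    {"user": "app", "status": "error", "sql": "SELECT 1 WHERE 1=1 AND SLEEP(2)"},
    {"user": "app", "status": "ok", "sql": "SELECT * FROM orders WHERE ref = 'x' -- '"},
    {"user": "bob", "status": "login_failed", "sql": ""},
    {"user": "bob", "status": "login_failed", "sql": ""},
    {"user": "bob", "status": "login_failed", "sql": ""},
    {"user": "eve", "status": "login_failed", "sql": ""},
]

def classify_request(sql):
    """Return the set of SQL injection categories one statement matches."""
    categories = set()
    if TAUTOLOGY_RE.search(sql):
        categories.add("SQL Injection: Tautology")
    if DELAY_RE.search(sql) or QUOTE_COMMENT_RE.search(sql):
        categories.add("SQL Injection: Side channel")
    return categories

def failed_login_risks(events, threshold=3):
    """Brute force indicators: one user at or over the (assumed) threshold, or
    failures spread across several users that together reach it ("*")."""
    per_user = Counter(e["user"] for e in events if e["status"] == "login_failed")
    flagged = {user for user, n in per_user.items() if n >= threshold}
    if len(per_user) > 1 and sum(per_user.values()) >= threshold:
        flagged.add("*")
    return flagged

def scan(events):
    """Map each risk category to the event indices (or users) that triggered it."""
    hits = {}
    for i, event in enumerate(events):
        for category in classify_request(event["sql"]):
            hits.setdefault(category, []).append(i)
    for who in sorted(failed_login_risks(events)):
        hits.setdefault("Brute force attack", []).append(who)
    return hits
```

Running `scan(SAMPLE_EVENTS)` attributes event 1 to the tautology category, events 2 and 3 to the side channel category, and the failed logins of both users to brute force.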

Unusual activity that didn’t fall under any specific category occurred. Although this anomalous event does not fall under one of the pre-defined categories, it still suggests risk and warrants attention.