Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/15/2011
05:57 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

Database Auditing, Forensics Style

Forensic auditing of databases is not new, but there's a growing need for breach analysis

David Litchfield presented "Hacking and Forensicating an Oracle Database Server" at the Black Hat 2011 conference. During the presentation, Litchfield discussed a handful of ways to hack into Oracle 10 and 11 databases, demonstrated how to completely alter the database platform by injecting arbitrary code into memory, and then leveraged the database to compromise the underlying operating system. Many of the attacks and techniques are not new to the research community, but they impressed upon the audience how devastating these hacks can be.

Click here for more of Dark Reading's Black Hat articles.

It also nicely framed the need for forensic tools to trace what hackers have done to your system. Litchfield closed the presentation with a demonstration of his database forensic analysis tool. Ten years ago, nobody was interested in forensic auditing of databases. A couple of vendors offered database audit to complement monitoring and assessment capabilities, but there was no market because customers were not interested. Firms wanted to know whether someone was snooping through their data and did not yet understand that attackers altered database contents and functionality. They wanted to know what their employees were doing because security -- at the time -- was considered and "insider threat" problem. Customers purchased DAM products that collected SQL statements and grouped them by user.

A few years later, customers adjusted to both internal and external threats, and DAM products changed to detect specific attack patterns -- anomalous query constructs --as well as marco usage patterns to detect behavioral anomalies.

It has taken a decade, but the market now realizes that attackers alter databases. If you want to know what happened, then you will need to conduct a forensic audit -- and you can forget going to your firewall or SIEM logs for the complete picture. We also know most breaches are not discovered immediately, and, in many cases, are detected by people outside of the company. Security professionals, services firms, and enterprises are now looking for forensic auditing tools as part of their breach preparedness planning. If you are establishing a breach readiness plan, having tools on hand to analyze the database is essential to understanding what was compromised and how.

There are a couple of important distinctions worth noting, and one of them is that database auditing is different than database activity monitoring. The former is geared to be a detailed forensic examination of database state and quantification of what exactly happened to a database server following a breach. Database activity monitoring is geared to be a real-time examination of incoming queries looking for an attack. A forensic audit will commonly use system tables, memory segments, TLS logs, and -- most important -- the redo logs.

For those of you who don't know Oracle, there is a difference between the audit logs and the redo logs. The redo logs are a core component of Oracle used to maintain data accuracy and help the DBA recover the database in the event of an emergency. Some transactions need to be "rolled back" -- say, due to a disk full error -- or reapplied (i.e., rolled forward) in the event of a power failure.

Redo logs are a good source of reliable information, but they are seldom used because of several specific limitations. For example, redo logs don't store the original query; rather, they store a form of shorthand notation that makes sense to the database. Human readability was never a consideration. Second, they contain a ton of information not relevant to a forensic audit, so it needs to be filtered. Finally, redo logs could be actively used by the database or in an archived state; you need a tool that can read both because it's not always clear where the relevant events are stored.

What's important about Litchfield's tool is that it provides access to an important data source for forensic audits, and it performs the core collection, filtering, and presentation features needed to make sense of the redo logs. While it's not quite fully finished, it's a handy tool that can be downloaded and evaluated for free.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3697
PUBLISHED: 2020-01-24
UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of gnump3d in openSUSE Leap 15.1 allows local attackers to escalate from user gnump3d to root. This issue affects: openSUSE Leap 15.1 gnump3d version 3.0-lp151.2.1 and prior versions.
CVE-2019-3694
PUBLISHED: 2020-01-24
A Symbolic Link (Symlink) Following vulnerability in the packaging of munin in openSUSE Factory, Leap 15.1 allows local attackers to escalate from user munin to root. This issue affects: openSUSE Factory munin version 2.0.49-4.2 and prior versions. openSUSE Leap 15.1 munin version 2.0.40-lp151.1.1 a...
CVE-2019-3693
PUBLISHED: 2020-01-24
A symlink following vulnerability in the packaging of mailman in SUSE SUSE Linux Enterprise Server 11, SUSE Linux Enterprise Server 12; openSUSE Leap 15.1 allowed local attackers to escalate their privileges from user wwwrun to root. Additionally arbitrary files could be changed to group mailman. Th...
CVE-2019-3687
PUBLISHED: 2020-01-24
The permission package in SUSE SUSE Linux Enterprise Server allowed all local users to run dumpcap in the "easy" permission profile and sniff network traffic. This issue affects: SUSE SUSE Linux Enterprise Server permissions versions starting from 85c83fef7e017f8ab7f8602d3163786d57344439 t...
CVE-2019-3692
PUBLISHED: 2020-01-24
The packaging of inn on SUSE SUSE Linux Enterprise Server 11; openSUSE Factory, Leap 15.1 allows local attackers to escalate from user inn to root via symlink attacks. This issue affects: SUSE SUSE Linux Enterprise Server 11 inn version 2.4.2-170.21.3.1 and prior versions. openSUSE Factory inn versi...