Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/15/2011
05:57 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

Database Auditing, Forensics Style

Forensic auditing of databases is not new, but there's a growing need for breach analysis

David Litchfield presented "Hacking and Forensicating an Oracle Database Server" at the Black Hat 2011 conference. During the presentation, Litchfield discussed a handful of ways to hack into Oracle 10 and 11 databases, demonstrated how to completely alter the database platform by injecting arbitrary code into memory, and then leveraged the database to compromise the underlying operating system. Many of the attacks and techniques are not new to the research community, but they impressed upon the audience how devastating these hacks can be.

Click here for more of Dark Reading's Black Hat articles.

It also nicely framed the need for forensic tools to trace what hackers have done to your system. Litchfield closed the presentation with a demonstration of his database forensic analysis tool. Ten years ago, nobody was interested in forensic auditing of databases. A couple of vendors offered database audit to complement monitoring and assessment capabilities, but there was no market because customers were not interested. Firms wanted to know whether someone was snooping through their data and did not yet understand that attackers altered database contents and functionality. They wanted to know what their employees were doing because security -- at the time -- was considered and "insider threat" problem. Customers purchased DAM products that collected SQL statements and grouped them by user.

A few years later, customers adjusted to both internal and external threats, and DAM products changed to detect specific attack patterns -- anomalous query constructs --as well as marco usage patterns to detect behavioral anomalies.

It has taken a decade, but the market now realizes that attackers alter databases. If you want to know what happened, then you will need to conduct a forensic audit -- and you can forget going to your firewall or SIEM logs for the complete picture. We also know most breaches are not discovered immediately, and, in many cases, are detected by people outside of the company. Security professionals, services firms, and enterprises are now looking for forensic auditing tools as part of their breach preparedness planning. If you are establishing a breach readiness plan, having tools on hand to analyze the database is essential to understanding what was compromised and how.

There are a couple of important distinctions worth noting, and one of them is that database auditing is different than database activity monitoring. The former is geared to be a detailed forensic examination of database state and quantification of what exactly happened to a database server following a breach. Database activity monitoring is geared to be a real-time examination of incoming queries looking for an attack. A forensic audit will commonly use system tables, memory segments, TLS logs, and -- most important -- the redo logs.

For those of you who don't know Oracle, there is a difference between the audit logs and the redo logs. The redo logs are a core component of Oracle used to maintain data accuracy and help the DBA recover the database in the event of an emergency. Some transactions need to be "rolled back" -- say, due to a disk full error -- or reapplied (i.e., rolled forward) in the event of a power failure.

Redo logs are a good source of reliable information, but they are seldom used because of several specific limitations. For example, redo logs don't store the original query; rather, they store a form of shorthand notation that makes sense to the database. Human readability was never a consideration. Second, they contain a ton of information not relevant to a forensic audit, so it needs to be filtered. Finally, redo logs could be actively used by the database or in an archived state; you need a tool that can read both because it's not always clear where the relevant events are stored.

What's important about Litchfield's tool is that it provides access to an important data source for forensic audits, and it performs the core collection, filtering, and presentation features needed to make sense of the redo logs. While it's not quite fully finished, it's a handy tool that can be downloaded and evaluated for free.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...