Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/15/2011
05:57 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

Database Auditing, Forensics Style

Forensic auditing of databases is not new, but there's a growing need for breach analysis

David Litchfield presented "Hacking and Forensicating an Oracle Database Server" at the Black Hat 2011 conference. During the presentation, Litchfield discussed a handful of ways to hack into Oracle 10 and 11 databases, demonstrated how to completely alter the database platform by injecting arbitrary code into memory, and then leveraged the database to compromise the underlying operating system. Many of the attacks and techniques are not new to the research community, but they impressed upon the audience how devastating these hacks can be.

Click here for more of Dark Reading's Black Hat articles.

It also nicely framed the need for forensic tools to trace what hackers have done to your system. Litchfield closed the presentation with a demonstration of his database forensic analysis tool. Ten years ago, nobody was interested in forensic auditing of databases. A couple of vendors offered database audit to complement monitoring and assessment capabilities, but there was no market because customers were not interested. Firms wanted to know whether someone was snooping through their data and did not yet understand that attackers altered database contents and functionality. They wanted to know what their employees were doing because security -- at the time -- was considered and "insider threat" problem. Customers purchased DAM products that collected SQL statements and grouped them by user.

A few years later, customers adjusted to both internal and external threats, and DAM products changed to detect specific attack patterns -- anomalous query constructs --as well as marco usage patterns to detect behavioral anomalies.

It has taken a decade, but the market now realizes that attackers alter databases. If you want to know what happened, then you will need to conduct a forensic audit -- and you can forget going to your firewall or SIEM logs for the complete picture. We also know most breaches are not discovered immediately, and, in many cases, are detected by people outside of the company. Security professionals, services firms, and enterprises are now looking for forensic auditing tools as part of their breach preparedness planning. If you are establishing a breach readiness plan, having tools on hand to analyze the database is essential to understanding what was compromised and how.

There are a couple of important distinctions worth noting, and one of them is that database auditing is different than database activity monitoring. The former is geared to be a detailed forensic examination of database state and quantification of what exactly happened to a database server following a breach. Database activity monitoring is geared to be a real-time examination of incoming queries looking for an attack. A forensic audit will commonly use system tables, memory segments, TLS logs, and -- most important -- the redo logs.

For those of you who don't know Oracle, there is a difference between the audit logs and the redo logs. The redo logs are a core component of Oracle used to maintain data accuracy and help the DBA recover the database in the event of an emergency. Some transactions need to be "rolled back" -- say, due to a disk full error -- or reapplied (i.e., rolled forward) in the event of a power failure.

Redo logs are a good source of reliable information, but they are seldom used because of several specific limitations. For example, redo logs don't store the original query; rather, they store a form of shorthand notation that makes sense to the database. Human readability was never a consideration. Second, they contain a ton of information not relevant to a forensic audit, so it needs to be filtered. Finally, redo logs could be actively used by the database or in an archived state; you need a tool that can read both because it's not always clear where the relevant events are stored.

What's important about Litchfield's tool is that it provides access to an important data source for forensic audits, and it performs the core collection, filtering, and presentation features needed to make sense of the redo logs. While it's not quite fully finished, it's a handy tool that can be downloaded and evaluated for free.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.