
Identifying Insider Threats From The PassFreely Oracle Exploit Through Database UBA And Artificial Intelligence


Founded in 2009, DB Networks pioneered artificial intelligence (AI) based database security. Their customers include the world’s largest financial institutions, healthcare providers, manufacturers, and governments. DB Networks non-intrusively discovers all databases, the tables being accessed, and the applications accessing the databases. Patented machine learning and behavioral analysis technologies are used to immediately identify compromised credentials and database attacks. Recently, we interviewed Benjamin Farber, Ph.D., Distinguished Member of Technical Staff at DB Networks, to learn more about database user behavior analytics (UBA), insider threats, and the recently revealed PassFreely Oracle exploit.


Q: Benjamin, thanks for your time today. I know DB Networks uses artificial intelligence to identify and alert on database insider threats and database attacks. Could you walk us through how your technology works?

A: Sure. We use deep protocol inspection to extract database objects, such as table information and user information, from a torrent of database sessions we non-intrusively observe on the database network. That information is then analyzed using an adaptive stability model to uniquely profile what “normal” is for each session and each object. Next, we use reinforcement machine learning to dramatically improve the model’s accuracy over time. Essentially the model learns exactly what “normal” user and application behavior is.

Our solution is field proven to be highly accurate, and accuracy is critical in order to avoid Security Operations Center (SOC) analyst alert fatigue. To that end, unexpected behaviors are relayed to a multi-dimensional clustering routine. From these clusters of events we’re able to derive extremely high quality incidents with extensive supporting information. We look further to consider incidents as either user centric or asset centric, allowing us to detect distributed attacks as well. Clustering also ensures security personnel are not overwhelmed with an endless stream of low value alerts. Instead, by aggregating related events together, we provide highly actionable database UBA.


Q: Could you please describe what database UBA is and how database UBA specifically relates to identifying insider threats?

A: It turns out database UBA is extremely important as we develop the next generation of proactive and AI-based database security technologies. As I previously mentioned, the event clustering technology is the foundation of our database UBA. It rolls up anomaly detection from highly granular database activity to incidents that share a common set of attributes, such as an individual user. Traditionally, UBA has referred to a cyber security activity used to detect insider threats, compromised credentials, advanced persistent threats, and fraud. In this regard UBA seeks to identify likely threats by examining patterns of machine and human behavior to detect anomalies that deviate from an established norm. If your present security tools are unable to tell you what each user typically does, what information they’ve accessed, or what information they’ve modified, you cannot recognize new and potentially risky user behavior.

In a nutshell, database UBA enables anomaly detection down to the database table level. Previously UBA focused on macro level interactions between users and the data they interacted with: what file servers, what database servers, etc. Our team at DB Networks has brought a new dimension to traditional UBA by applying behavior analytics to identify insider threats in the database infrastructure. Should a user’s credentials become compromised, the subsequent use of the compromised credential will most certainly deviate from a previous normal operating profile and as such will immediately trigger an alert. This new level of analysis vastly improves the coverage and resolution of UBA in the area of databases which have historically been the most attacked asset in the enterprise.

Q: WannaCry ransomware has recently been in the news. WannaCry is based on one of the many hacking tools that were stolen from the NSA. Another of those stolen NSA hacking tools is PassFreely. How do hackers use PassFreely to breach Oracle databases?

A: Without getting too deep into the weeds, PassFreely works by modifying the in-memory Oracle database management system software running on a compromised server. Once the Oracle database software has been modified with the PassFreely rogue instructions, all subsequent accesses to the Oracle database will bypass the Oracle authentication process. Essentially any user and password combination will be able to gain administrative database access.

This exploit is extremely worrisome in that it enables your Oracle database management system to work against you. For example, once you’ve gained access to the database as an administrator you can decrypt any encrypted database records, bypass database auditing, as well as access or modify any database records you like. Worse still, because the PassFreely exploit only modifies the Oracle software in memory, it will be automatically and completely removed upon restart of the Oracle system. That could make incident response extremely difficult.

However, it turns out the risk this creative exploit poses is in fact the same risk any insider threat poses, that being unfettered access to sensitive information. While PassFreely is a critical attack vector, no question, every organization is susceptible to countless social engineering attacks that pose similar risks. That is why at DB Networks we focus on behavioral based detection for addressing insider threats. The actions of an attacker will deviate, often significantly, from normal database usage patterns. DB Networks’ machine learning techniques immediately identify those anomalies and will provide detailed alerts to security personnel.
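The detection idea running through the answers above (profile what each account normally does down to the table level, flag deviations, then roll anomalies up into user-centric and asset-centric incidents) can be shown with a small script. The following is an added example written for this article; it is not DB Networks’ code, and its naive set-membership profile stands in for their adaptive stability model and reinforcement learning, which are not described in enough detail to reproduce. The session records, account names, hosts and table names are all constructed; the test window models what post-PassFreely activity would look like, where several accounts from an unfamiliar workstation begin reading HR and SYS tables at 03:00.

```python
"""Toy database UBA: per-account baseline, anomaly scoring, incident clustering.

Added example, not DB Networks' product code. Every record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str    # database account the session authenticated as
    client: str  # host the session came from (assumed: taken from a session log)
    table: str   # schema.table the statement touched
    op: str      # statement type
    hour: int    # hour of day, 0-23


# Constructed training window: what "normal" looks like for two accounts.
BASELINE = (
    [Event("app_web", "app01", "shop.orders", "SELECT", h) for h in range(8, 20)]
    + [Event("app_web", "app01", "shop.orders", "UPDATE", h) for h in range(8, 20)]
    + [Event("app_web", "app01", "shop.customers", "SELECT", h) for h in range(8, 20)]
    + [
        Event("hr_batch", "batch02", "hr.salaries", "SELECT", 1),
        Event("hr_batch", "batch02", "hr.salaries", "UPDATE", 1),
        Event("hr_batch", "hr_batch" and "batch02", "hr.employees", "SELECT", 1),
    ]
)

# Constructed test window: one normal event, then activity from an unfamiliar
# workstation at 03:00 by known accounts and by an account never seen before.
TEST = [
    Event("app_web", "app01", "shop.orders", "SELECT", 10),
    Event("app_web", "ws-17", "hr.salaries", "SELECT", 3),
    Event("app_web", "ws-17", "sys.user$", "SELECT", 3),
    Event("hr_batch", "ws-17", "hr.salaries", "SELECT", 3),
    Event("hr_batch", "ws-17", "hr.salaries", "DELETE", 3),
    Event("scott", "ws-17", "hr.salaries", "SELECT", 3),
]

FEATURES = ("client", "table", "op", "hour")


def build_profile(events):
    """Per-account set of every feature value observed during training."""
    profile = defaultdict(lambda: {f: set() for f in FEATURES})
    for ev in events:
        for f in FEATURES:
            profile[ev.user][f].add(getattr(ev, f))
    return dict(profile)


def score_event(profile, ev):
    """List the ways an event deviates from its account's profile (empty = normal)."""
    if ev.user not in profile:
        return ["account never seen before"]
    seen = profile[ev.user]
    return [f"{f}={getattr(ev, f)!r} never seen for {ev.user}"
            for f in FEATURES if getattr(ev, f) not in seen[f]]


def cluster_incidents(profile, events):
    """Roll anomalous events into user-centric and asset-centric incidents.

    An asset-centric incident is raised only when more than one distinct account
    deviates against the same table, which is how a distributed pull of one
    sensitive asset surfaces even if each account alone looks minor.
    """
    by_user = defaultdict(list)
    by_table = defaultdict(list)
    for ev in events:
        reasons = score_event(profile, ev)
        if not reasons:
            continue
        by_user[ev.user].append((ev, reasons))
        by_table[ev.table].append((ev, reasons))
    asset_incidents = {t: evs for t, evs in by_table.items()
                       if len({e.user for e, _ in evs}) > 1}
    return dict(by_user), asset_incidents


PROFILE = build_profile(BASELINE)


def run():
    """Score the constructed test window against the constructed baseline."""
    return cluster_incidents(PROFILE, TEST)


if __name__ == "__main__":
    user_incidents, asset_incidents = run()
    for user, evs in user_incidents.items():
        print(f"[user] {user}: {len(evs)} anomalous events")
        for ev, reasons in evs:
            print("    ", ev.table, ev.op, "|", "; ".join(reasons))
    for table, evs in asset_incidents.items():
        print(f"[asset] {table}: {len({e.user for e, _ in evs})} accounts deviated")
```

The one normal event scores clean, each 03:00 event is explained by the exact features that deviated (new client, new table, new hour, or a DELETE the account never issued), and hr.salaries becomes an asset-centric incident because three different accounts deviated against it. A real deployment would replace the exact-match sets with something that tolerates drift, but the shape of the output, a handful of incidents with supporting evidence rather than a stream of per-statement alerts, is the point the interview makes.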


Q: What can organizations do to protect their databases from a PassFreely style of attack?

A: Applying all patches in a timely manner is absolutely necessary and good security hygiene. However, in this particular case patching won’t get you completely out of the woods. The best recommendation is a two-level approach. Apply the available patches to close the backdoor vulnerability that enables PassFreely remote server access. The idea there is that if the server isn’t compromised, then PassFreely can’t be implemented. While this is an adequate stop-gap approach, it doesn’t address the risk that PassFreely or a derivative could be implemented through an alternate attack vector.

In addition to the standard patch based remedy, a more proactive approach would include taking a thorough inventory of sensitive database assets and who is interacting with them to understand the scope of your risks. Also, it’s important to implement continuous monitoring such as DB Networks’ DBN-6300 behavioral-based insider threat detection solution. With these steps in place, future attacks based on derivatives of PassFreely would be immediately identified and security analysts alerted.

Q: Do you have any advice for organizations on database security best practices?

A: First, know what you have to protect, and where it’s located. Don’t settle for periodic, static snapshots. Rather, strive for continuous monitoring of every active database in your infrastructure. Next, measure your risk in quantitative terms so you can understand how each change to your security stance affects your risk. DB Networks, for example, offers an entire analytics suite devoted to measuring your risk because we know this is the only way to make good decisions. Third, be proactive. I know that sounds trite, but the upfront cost of a proactive security stance is trivial compared to the alternative. Take the time and effort to investigate those high-risk segments of your environment. Finally, invest carefully in automation to avoid being inundated in an avalanche of low quality alerts. A good security tool should do the work for you, not generate more work.
