Imperva Cyber Community


Breach Detection: Data Exfiltration

By Stefan Pynappels posted 08-10-2020 05:09


Using Imperva Data Risk Analytics (DRA) to Detect Attempted Data Theft

Data breaches are an expensive and increasingly common threat to organizations.  As companies collect more rich data sets regarding their users, cybercriminals target these data repositories to use the information for fraud and other criminal activities.  A successful attack can cost a company millions in recovery costs, lost sales, and regulatory penalties.

Imperva Data Risk Analytics (DRA) can help an organization to identify and respond to data breaches as they happen.  By monitoring the organization’s databases and how employees interact with them, DRA can build a profile of normal usage and generate alerts regarding anomalies that could indicate an attack in progress or unusual or negligent employee actions that place an organization’s sensitive data at risk.

Using Imperva DRA to Identify Data Exfiltration

Before an attacker can sell an organization’s sensitive data or use it for fraudulent activities, they need to be able to access the data and exfiltrate it from the network.  In many cases, this requires an attacker to use a compromised account to perform unusual access attempts and take suspicious actions on an organization’s database.

Imperva DRA includes several specialized alert types designed to draw security analysts’ attention to anomalous activities that likely indicate an attempt at data exfiltration.  In addition to the alert itself, Imperva DRA provides contextual information that speeds alert triage and incident response and remediation activities.

Excessive Database Record Access

A cybercriminal performing a data breach requires a large amount of sensitive data to be profitable.  For an attack to be worthwhile, an attacker needs to steal most or all of the data stored within an organization’s databases.  Additionally, this needs to be done quickly to minimize the probability that the attack will be detected before data exfiltration is complete.

As a result, cybercriminals will often perform bulk data extraction from an organization’s databases in volumes much greater than is usual for the compromised account that they are using to access the database.  Imperva DRA identifies this anomalous behavior and raises an Excessive Database Record Access alert, enabling incident responders to take action as quickly as possible.

Suspicious Database Command Execution

Most database users and applications only use a subset of the available set of database commands.  Other, rarer commands exist that can be used to bypass the regular permissions model of the database.  This could enable a user with limited database access to escalate their permissions to achieve more complete access.

Gaining elevated privileges on a database may be necessary for a cybercriminal to gain access to the data that they wish to steal from the company.  Imperva DRA monitors for the use of the suspicious database commands that can help to achieve this and raises a Suspicious Database Command Execution alert if this type of anomalous behavior is detected.  Based upon this alert, the incident response team can identify a compromised or abused account and take action to block or investigate the intended data exfiltration.

Suspicious Dynamic SQL Activity

Dynamic SQL queries are designed to allow SQL queries to be built at runtime.  They are designed to provide flexibility in cases where an application may need to be capable of performing queries that were not anticipated at compile time.

While dynamic SQL can be used for legitimate purposes, it is also a valuable tool for a cybercriminal that has gained control over an application with database access.  The use of dynamic SQL means that the attacker is not limited by the set of commands built into the application and can create their own to achieve their desired goals.

Imperva DRA monitors for the use of dynamic SQL within an organization’s databases and raises a Suspicious Dynamic SQL Activity alert if abnormal use of dynamic SQL is detected.  This allows incident responders to investigate the use of dynamic SQL and determine whether it is a harmless anomaly or points to a compromised account and attempted data exfiltration.

Database Access at Non-Standard Times

Most employees have set working hours.  While this may deviate from the traditional “nine to five”, there are certain periods within the day in which an employee is most likely to perform queries against an organization’s database.

In many cases, attempted cyberattacks and data breaches against an organization are designed to fall outside of these standard business hours.  This is likely due to the fact that, outside of office hours, the organization’s security team is likely to be understaffed, delaying incident detection and response and improving the attacker’s probability of success.  Other factors may contribute as well, including the possibilities that an attacker may have other responsibilities during working hours and that the attacker may be operating from a completely different time zone.

Database access attempts at non-standard hours can be a clear indicator of attempted data exfiltration.  Imperva DRA tracks patterns of life for an organization’s employees and their interaction with enterprise databases.  If an access attempt is detected outside of standard business hours, it triggers an alert and provides information to the organization’s security team that can be used to triage and respond to the potential attack.
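The four alert types above (Excessive Database Record Access, Suspicious Database Command Execution, Suspicious Dynamic SQL Activity and Database Access at Non-Standard Times) all reduce to the same pattern: learn what is normal for each account from past audit records, then score new records against that baseline. The script below is an added illustration of that pattern, not Imperva DRA code; the audit-record format, the sample records, the volume factor of 10, the one-hour slack and the command patterns are all constructed assumptions for the example.

```python
"""Toy re-creation of the four alert types over constructed audit records.

Everything here is illustrative: record layout, thresholds and the statement
patterns are assumptions for the example, not DRA's actual rules or lists.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records: (user, ISO timestamp, statement, rows returned).
# BASELINE stands in for the history DRA would learn normal behaviour from.
BASELINE = [
    ("alice", "2020-08-03T09:15:00", "SELECT name FROM customers WHERE id = 1", 1),
    ("alice", "2020-08-03T11:40:00", "SELECT * FROM orders WHERE customer_id = 1", 12),
    ("alice", "2020-08-04T14:05:00", "SELECT name FROM customers WHERE region = 'EU'", 48),
    ("alice", "2020-08-05T16:30:00", "SELECT count(*) FROM orders", 1),
    ("bob", "2020-08-03T08:50:00", "SELECT * FROM tickets WHERE assignee = 'bob'", 30),
    ("bob", "2020-08-04T17:55:00", "UPDATE tickets SET status = 'closed' WHERE id = 9", 0),
]

# CANDIDATES are the new records to be scored.
CANDIDATES = [
    ("alice", "2020-08-10T10:02:00", "SELECT * FROM customers", 250000),
    ("alice", "2020-08-10T03:30:00", "SELECT name FROM customers WHERE id = 7", 1),
    ("bob", "2020-08-10T11:00:00", "EXEC sp_executesql @stmt", 0),
    ("bob", "2020-08-10T11:05:00", "GRANT ALL PRIVILEGES ON customers TO bob", 0),
    ("bob", "2020-08-10T11:10:00", "SELECT * FROM tickets WHERE assignee = 'bob'", 28),
]

# Assumed patterns: common dynamic-SQL entry points and permission-model commands.
DYNAMIC_SQL = re.compile(
    r"\b(sp_executesql|EXECUTE\s+IMMEDIATE|EXEC\s*\(|PREPARE\s+\w+\s+FROM)\b", re.I)
PRIVILEGE_CMDS = re.compile(
    r"^\s*(GRANT|REVOKE|CREATE\s+USER|ALTER\s+USER|CREATE\s+ROLE|ALTER\s+ROLE)\b", re.I)


def build_profiles(records):
    """Per user: largest result set seen and the earliest/latest hour of activity."""
    profiles = defaultdict(lambda: {"max_rows": 0, "hours": []})
    for user, ts, _stmt, rows in records:
        p = profiles[user]
        p["max_rows"] = max(p["max_rows"], rows)
        p["hours"].append(datetime.fromisoformat(ts).hour)
    return profiles


def classify(profile, ts, stmt, rows, volume_factor=10, slack_hours=1):
    """Return the alert names that apply to a single record."""
    alerts = []
    # Volume anomaly: far more rows than this account has ever pulled before.
    if profile["max_rows"] and rows > volume_factor * profile["max_rows"]:
        alerts.append("Excessive Database Record Access")
    # Rare commands that change who may read what.
    if PRIVILEGE_CMDS.search(stmt):
        alerts.append("Suspicious Database Command Execution")
    # Statements assembled at runtime rather than fixed in the application.
    if DYNAMIC_SQL.search(stmt):
        alerts.append("Suspicious Dynamic SQL Activity")
    # Activity outside the account's learned working window (with some slack).
    hour = datetime.fromisoformat(ts).hour
    if profile["hours"]:
        lo, hi = min(profile["hours"]), max(profile["hours"])
        if hour < lo - slack_hours or hour > hi + slack_hours:
            alerts.append("Database Access at Non-Standard Times")
    return alerts


def detect(baseline, candidates):
    """Score every candidate record against the baseline profiles."""
    profiles = build_profiles(baseline)
    findings = []
    for user, ts, stmt, rows in candidates:
        for alert in classify(profiles[user], ts, stmt, rows):
            findings.append((user, ts, alert))
    return findings


if __name__ == "__main__":
    for user, ts, alert in detect(BASELINE, CANDIDATES):
        print(f"{ts} {user:6} {alert}")
```

Running it flags alice's 250,000-row dump and her 03:30 query, and bob's `sp_executesql` call and `GRANT`, while bob's ordinary 11:10 ticket lookup produces nothing. Note that a first-seen account has no baseline, so the two profile-based checks stay silent for it; that is the gap DRA's contextual information is meant to help an analyst fill during triage.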

Imperva DRA Detects Data Exfiltration

Exfiltration of sensitive data from an organization’s database can harm a company in a number of different ways.  At a minimum, a successful data breach requires expensive cleanup activities and can damage a company’s reputation with its customers.  At worst, a data breach can result in lawsuits and penalties levied by data protection regulators.

Imperva DRA provides an early warning system that can help an organization to detect an attempted data breach early in the attack lifecycle.  This potentially enables incident responders to respond before any damage is done and minimizes the impact of the cybersecurity incident to the organization.

Data Risk Analytics Overview

To view an overview of what DRA can do for you, you can watch the video here.  You will need to log in to the community to watch it.  In it you will find:

  • A Short Introduction to DRA
  • High level Use cases DRA solves
  • Advanced Investigation & Tuning
    • Tips for investigation
    • Tips for tuning
    • Tips for mitigating risk and threats

Learn More with Imperva Community 

The Imperva Community is a great place to learn more about how to use Imperva cybersecurity technologies like WAF Gateway, Data Risk Analytics, Database Activity Monitoring and more to establish efficient, secure processes for enterprise networks.  Rely on the expertise of Imperva partners, customers and technical experts.
