As organizations manage an ever-increasing number and variety of databases, both on-premises and in the cloud, the surface on which cyberattacks can occur has grown larger and harder to defend. Unfortunately, malicious individuals (internal or external) are just as aware of this as we are. They are constantly researching, testing, and trying to defeat and destroy application and data security solutions. As our security measures change and evolve, their attack methods evolve with them and become ever more complex.
Knowing the behavior patterns of cyber attackers allows us to understand the “Database Threat Landscape” much better. A threat landscape is the name given to all potential or actual cyber threats that affect a particular industry, user group or environment. Understanding the threat landscape for databases is very helpful in creating an effective, data-centric security strategy and implementation. In this post, we will examine four main cyber attacker profiles, one internal and three external. This gives an idea of their methods and motivations, so that you can use what you know about them to prevent attacks.
Cyber attackers can be broadly divided into two categories: internal threats and external threats. The internal threat, the one inside your organization, arises when data is accidentally or intentionally left vulnerable to attack. Internal attackers are often motivated by money, frequently combined with a grudge against the organization. An internal attacker may have a relatively simpler job than an external one, as they likely already have access to assets and credentials and arouse far less suspicion than an external threat.
Of course, there are methods that organizations can implement to reduce the risk of internal attacks. The most obvious and easiest is to make sure that employees do not do careless things like sharing their passwords with a colleague or, worse, an outsider. Similarly, you should make sure that they log out properly when they finish their work in environments containing sensitive data. Building on this, it is very important for security teams to carefully define the permissions and privilege levels that grant access to sensitive data, and to monitor those accesses. In short, a user should have no access to data they do not need and have no reason to know. Most importantly, and indeed the root of all of this, user behavior should be watched closely. For example, if an internal user who has never accessed a sensitive data source suddenly accesses it and starts downloading a large amount of sensitive data, security teams should be notified automatically and an inquiry should follow.
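One way to implement the alert just described (a user's first-ever access to a sensitive data source coinciding with a bulk download) over database audit log lines, as an added example that is not part of the original post; the log format, the table classification and the 1000-row threshold are all assumptions made for the example:

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log lines (not from the original post).
# Fields: timestamp, user, table, rows_returned
HISTORY = """2024-03-01T09:02:11,alice,customers,40
2024-03-01T09:15:40,alice,customers,12
2024-03-02T10:01:03,bob,inventory,300
2024-03-03T11:22:09,carol,orders,25
"""
TODAY = """2024-03-04T08:55:00,alice,customers,35
2024-03-04T09:10:12,bob,customers,52000
2024-03-04T09:12:44,carol,inventory,8
2024-03-04T13:40:00,bob,customers,1200
"""

# Tables classified as sensitive and the row count that counts as a bulk
# download; both are assumptions chosen for this example.
SENSITIVE_TABLES = {"customers", "orders"}
BULK_ROWS = 1000


def parse_events(text):
    """Parse CSV-style audit lines into (timestamp, user, table, rows) tuples."""
    reader = csv.reader(io.StringIO(text))
    return [(r[0], r[1], r[2], int(r[3])) for r in reader if r]


def build_baseline(history):
    """Map each user to the set of sensitive tables they have touched before."""
    seen = defaultdict(set)
    for _, user, table, _ in parse_events(history):
        if table in SENSITIVE_TABLES:
            seen[user].add(table)
    return seen


def detect_first_time_bulk_access(baseline, events, bulk_rows=BULK_ROWS):
    """Alert when a user pulls >= bulk_rows from a sensitive table they have
    never accessed before. The baseline is updated as events are processed,
    so the same user/table pair alerts only on its first bulk access."""
    alerts = []
    for ts, user, table, rows in parse_events(events):
        if table not in SENSITIVE_TABLES:
            continue
        if table not in baseline[user] and rows >= bulk_rows:
            alerts.append({"ts": ts, "user": user, "table": table, "rows": rows})
        baseline[user].add(table)
    return alerts


if __name__ == "__main__":
    for a in detect_first_time_bulk_access(build_baseline(HISTORY), TODAY):
        print(f"ALERT {a['ts']}: {a['user']} first-time bulk read of {a['table']} ({a['rows']} rows)")
```

In the sample data only bob's 52,000-row read of `customers` fires; his later 1,200-row read is no longer a first access, and alice's small reads match her baseline.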
The attackers we will describe in the following three profiles are external attackers and their motivations for attacks also vary.
The Hit And Run Attacker: When attackers in this profile see a vulnerability, an exposed public database or the like, they take whatever they can and leave. They do not search for other databases, try to break further into the organization’s network, or exploit other exotic vulnerabilities. They just do what they can at that moment, take what they can get, and sell it to the highest bidder.
The Curious Attacker: This profile usually has a predetermined goal, or even a roadmap, but believes it does no harm to look around a little as long as it does not attract too much suspicion. They remain attached to their original objective.
The Resident Attacker: The most dangerous profile. As in the case of the Equifax breach, in which the information of 143 million people was stolen, including their social security numbers, an attack by this type of attacker penetrates the network and remains there for months, perhaps even years. They use keyloggers, sniffers and more, at the same time, to steal credentials and compromise databases.
Many organizations practically invite hit-and-run attackers in with open arms. While most security teams do their best to prevent the exploitation of newly discovered vulnerabilities, some DBAs and DevOps staff run operations and workloads publicly in the cloud, out of the security team’s reach and outside its inventory. If that data is left unsecured, it becomes a target that hit-and-run attackers can hit with little effort. If you expose a service publicly, even just for search and analytics, make sure it is properly configured and kept up to date.
It is known that approximately 75% of the data stolen in security breaches is personal data. While a hit-and-run attacker wants data that is immediately and directly usable, such as a credit card number, a “curious attacker” can take their time, move around, find and steal data that they can correlate with each other and cause far greater damage. In this sense, it is important to have solutions with strong malware detection and prevention capabilities in-house, to make it harder to install and spread malware on end-user machines.
The resident attacker plays their game step by step, strategically. The best way to reduce the risk these attackers pose to your data is to play the same game against them, just as deliberately. To deal with the curious attacker, in addition to the tactics mentioned above, make sure that your privileged users’ passwords are changed frequently. Consider a zero-trust network to ensure robust data security controls. All of this, unfortunately, is only the tip of the risk-reduction iceberg.