and the invocation happen by entities other than the attacker, it will require
an investigation well beyond what happened at the database to figure out
who the attacker is and what methods were used to coerce the injection.
The second and third types are somewhat comparable in terms of
sophistication, but a type 3 Trojan is usually easier to carry out. In terms of
what you need to monitor, for type 1 and type 2 the focus is on monitoring
execution of stored procedures, whereas for type 3 and type 4 the focus is
on monitoring creation and modification of procedural objects.
9.2 Baseline calls to stored procedures and take action on divergence
In order to address Trojans of type 1 and type 2, you need to track executions
of stored procedures. Because stored procedures form the backbone of many
applications, and because any database ships with hundreds of built-in stored
procedures, you cannot simply record every stored procedure execution and go
through long audit reports. You need a way to sift quickly through the massive
volume of calls and identify what is unusual.
This is precisely where a baseline is most effective. You should create a
baseline of stored procedure execution. This baseline enumerates execution
patterns: which stored procedures are normally executed, by which database
user, from which source program, from which network node, and so on. Once
you have this baseline, you monitor divergence from it rather than every
execution of every stored procedure. If an attacker has managed to inject a
Trojan into a stored procedure and now invokes that procedure directly,
chances are the invocation will diverge from the normal execution pattern in
at least one of these attributes (a different user, client program, or host).
When you monitor divergence, you can choose among three levels of action.
The first is to log the information so that you can review every divergence
and decide what is suspect and what is normal. Whenever you decide that
something is normal, add it to the baseline so that the baseline becomes more
precise over time and you do not have to inspect the same false positive
again. The next level is a real-time alert. This requires more work but may
be necessary depending on the sensitivity of the database; if you already have
an incident response team in place, it should be receiving these alerts.
Finally, once you are confident in your baseline, you may choose to enable
prevention, using a system such as a baseline-capable database firewall that
blocks executions which diverge from the baseline.
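The following is an added example (not code from the book) that puts the two preceding passages into working form: it learns a baseline of stored procedure executions keyed on procedure, database user, source program and client host from a set of audit records, explains which attribute of a later call diverges from that baseline, and applies the three levels of action (log, alert, prevent). The audit lines, procedure names, users, programs, hosts and the `proc=... user=... program=... host=...` record format are all constructed for the example; a real deployment would feed it the equivalent fields from the database's own audit trail or from network-captured calls.

```python
"""Baseline stored-procedure executions and act on divergence.

Added example, not from the original text. The audit lines below are
constructed sample data and their key=value layout is an assumption.
"""
from collections import defaultdict

# Attributes that make up one execution pattern (an assumed record shape).
FIELDS = ("procedure", "db_user", "program", "client_host")

LOG, ALERT, PREVENT = "log", "alert", "prevent"   # the three levels of action

# Constructed "baseline period" audit records.
BASELINE_LOG = """\
2024-03-01T09:00:01 proc=dbo.get_customer user=app_user program=orders.exe host=10.0.1.20
2024-03-01T09:00:05 proc=dbo.get_customer user=app_user program=orders.exe host=10.0.1.21
2024-03-01T09:30:00 proc=dbo.get_customer user=report_user program=reports.exe host=10.0.3.9
2024-03-01T09:01:10 proc=dbo.post_payment user=app_user program=orders.exe host=10.0.1.20
2024-03-01T23:00:00 proc=dbo.nightly_rollup user=batch_user program=sqlcmd host=10.0.2.5
"""

# Constructed records observed after the baseline was established.
LIVE_LOG = """\
2024-03-02T09:00:02 proc=dbo.get_customer user=app_user program=orders.exe host=10.0.1.21
2024-03-02T14:12:33 proc=dbo.post_payment user=app_user program=ssms.exe host=192.168.7.77
2024-03-02T14:13:01 proc=sys.sp_help user=sa program=ssms.exe host=192.168.7.77
2024-03-02T23:00:03 proc=dbo.nightly_rollup user=batch_user program=sqlcmd host=10.0.2.6
"""


def parse_line(line):
    """Turn one constructed audit line into a (procedure, user, program, host) tuple."""
    kv = dict(tok.split("=", 1) for tok in line.split()[1:])   # skip the timestamp
    return (kv["proc"], kv["user"], kv["program"], kv["host"])


class ProcBaseline:
    """Set of observed execution patterns plus a per-procedure index of each attribute."""

    def __init__(self):
        self.patterns = set()
        self.per_proc = defaultdict(lambda: {f: set() for f in FIELDS[1:]})

    def learn(self, rec):
        self.patterns.add(rec)
        for name, value in zip(FIELDS[1:], rec[1:]):
            self.per_proc[rec[0]][name].add(value)

    def divergence(self, rec):
        """Return [] when rec matches the baseline exactly; otherwise the names of the
        attributes never seen for this procedure, ["procedure"] when the procedure
        itself was never executed, or ["combination"] when every attribute was seen
        individually but never together (e.g. a known user from another user's program)."""
        if rec in self.patterns:
            return []
        if rec[0] not in self.per_proc:
            return ["procedure"]
        seen = self.per_proc[rec[0]]
        unseen = [n for n, v in zip(FIELDS[1:], rec[1:]) if v not in seen[n]]
        return unseen or ["combination"]


class Monitor:
    """Apply one of the three action levels to executions that diverge from the baseline."""

    def __init__(self, baseline, level=LOG):
        self.baseline, self.level = baseline, level
        self.events = []   # (record, diverged attributes) for later review

    def handle(self, rec):
        """Return 'allow' for a baseline match, else 'log', 'alert' or 'block' by level."""
        diverged = self.baseline.divergence(rec)
        if not diverged:
            return "allow"
        self.events.append((rec, diverged))
        return {LOG: "log", ALERT: "alert", PREVENT: "block"}[self.level]

    def accept_as_normal(self, rec):
        """A reviewed false positive: fold it into the baseline so it is not flagged again."""
        self.baseline.learn(rec)


def build_baseline(text):
    baseline = ProcBaseline()
    for line in text.splitlines():
        baseline.learn(parse_line(line))
    return baseline


def run_monitor(baseline_text, live_text, level=LOG):
    """Replay live records against the learned baseline; returns (record, action, diverged)."""
    monitor = Monitor(build_baseline(baseline_text), level)
    results = []
    for line in live_text.splitlines():
        rec = parse_line(line)
        results.append((rec, monitor.handle(rec), monitor.baseline.divergence(rec)))
    return results


if __name__ == "__main__":
    for rec, action, diverged in run_monitor(BASELINE_LOG, LIVE_LOG, ALERT):
        print(f"{action:5s} {rec}  diverged={diverged}")
```

Replaying the constructed live records at the alert level, the application call matches the baseline and is allowed, the payment procedure called from an interactive SQL client on an unfamiliar host is flagged on `program` and `client_host`, the never-baselined procedure is flagged on `procedure`, and the nightly job running from a new batch host is flagged on `client_host` only; after an operator calls `accept_as_normal` for that last record it is no longer reported, which is the "add it to the baseline" step from the text.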