Perimeter
8/15/2011
05:57 PM
Adrian Lane
Adrian Lane
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Database Auditing, Forensics Style

Forensic auditing of databases is not new, but there's a growing need for breach analysis

David Litchfield presented "Hacking and Forensicating an Oracle Database Server" at the Black Hat 2011 conference. During the presentation, Litchfield discussed a handful of ways to hack into Oracle 10 and 11 databases, demonstrated how to completely alter the database platform by injecting arbitrary code into memory, and then leveraged the database to compromise the underlying operating system. Many of the attacks and techniques are not new to the research community, but they impressed upon the audience how devastating these hacks can be.

Click here for more of Dark Reading's Black Hat articles.

It also nicely framed the need for forensic tools to trace what hackers have done to your system. Litchfield closed the presentation with a demonstration of his database forensic analysis tool. Ten years ago, nobody was interested in forensic auditing of databases. A couple of vendors offered database audit to complement monitoring and assessment capabilities, but there was no market because customers were not interested. Firms wanted to know whether someone was snooping through their data and did not yet understand that attackers altered database contents and functionality. They wanted to know what their employees were doing because security -- at the time -- was considered and "insider threat" problem. Customers purchased DAM products that collected SQL statements and grouped them by user.

A few years later, customers adjusted to both internal and external threats, and DAM products changed to detect specific attack patterns -- anomalous query constructs --as well as marco usage patterns to detect behavioral anomalies.

It has taken a decade, but the market now realizes that attackers alter databases. If you want to know what happened, then you will need to conduct a forensic audit -- and you can forget going to your firewall or SIEM logs for the complete picture. We also know most breaches are not discovered immediately, and, in many cases, are detected by people outside of the company. Security professionals, services firms, and enterprises are now looking for forensic auditing tools as part of their breach preparedness planning. If you are establishing a breach readiness plan, having tools on hand to analyze the database is essential to understanding what was compromised and how.

There are a couple of important distinctions worth noting, and one of them is that database auditing is different than database activity monitoring. The former is geared to be a detailed forensic examination of database state and quantification of what exactly happened to a database server following a breach. Database activity monitoring is geared to be a real-time examination of incoming queries looking for an attack. A forensic audit will commonly use system tables, memory segments, TLS logs, and -- most important -- the redo logs.

For those of you who don't know Oracle, there is a difference between the audit logs and the redo logs. The redo logs are a core component of Oracle used to maintain data accuracy and help the DBA recover the database in the event of an emergency. Some transactions need to be "rolled back" -- say, due to a disk full error -- or reapplied (i.e., rolled forward) in the event of a power failure.

Redo logs are a good source of reliable information, but they are seldom used because of several specific limitations. For example, redo logs don't store the original query; rather, they store a form of shorthand notation that makes sense to the database. Human readability was never a consideration. Second, they contain a ton of information not relevant to a forensic audit, so it needs to be filtered. Finally, redo logs could be actively used by the database or in an archived state; you need a tool that can read both because it's not always clear where the relevant events are stored.

What's important about Litchfield's tool is that it provides access to an important data source for forensic audits, and it performs the core collection, filtering, and presentation features needed to make sense of the redo logs. While it's not quite fully finished, it's a handy tool that can be downloaded and evaluated for free.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.