
How-to: Spot Data Thieves Even If They Drop the Audit Table

Principal SE John McGovern shows how ExtraHop can help security analysts and DBAs find who executed a SQL DROP against the database.

 
If a tree falls in the woods and no one hears, does it make a sound?

If a hacker steals from your database and there are no logs, did they steal data?

If a table is dropped from the database, how does the DBA know who did it?

ExtraHop can't help with the first question, but it can answer the other two conundrums with data off the wire. In the video above, Principal SE John McGovern shows how ExtraHop can help security analysts and DBAs find who executed a SQL DROP against the database.

The workflow is super simple:
Discover - Search to find all database transaction records that include the word "drop."
Explore - The resulting list of transactions is interesting, and it shows client IP addresses. But what about this client's activity before they did the DROP? To see this, click on the flow ID for any transaction you want to investigate, then remove the "drop" filter. Now, the ExtraHop platform is listing out every single SQL statement executed by that client against the database, in order, starting from the SELECT statement all the way down to the DROP.
Trace - Need more? With a click, you can download the packets associated with this specific flow so that you can perform forensic investigation.
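
The Discover and Explore steps above, sketched as an added example (not ExtraHop's code or query syntax) over constructed transaction records with hypothetical field names. It goes slightly beyond a plain word search by ignoring "drop" inside string literals, comments and identifiers, and by splitting multi-statement batches.

```python
import re

# Constructed wire records; field names are hypothetical, not ExtraHop's schema.
RECORDS = [
    {"ts": 3, "flow": "f1", "client": "10.0.4.17", "sql": "DROP TABLE audit_log"},
    {"ts": 1, "flow": "f1", "client": "10.0.4.17",
     "sql": "SELECT name, card_no FROM customers"},
    {"ts": 2, "flow": "f2", "client": "10.0.9.30",
     "sql": "SELECT note FROM tickets WHERE note LIKE '%drop table%'"},
    {"ts": 2, "flow": "f1", "client": "10.0.4.17",
     "sql": "SELECT * FROM audit_log /* check */; -- look\n"},
    {"ts": 4, "flow": "f3", "client": "10.0.7.8",
     "sql": "SELECT 1; drop   table tmp_import"},
    {"ts": 5, "flow": "f2", "client": "10.0.9.30",
     "sql": "UPDATE dropbox_links SET seen = 1"},
]

# String literals and comments can contain the word "drop" without executing one.
NOISE = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
# A statement counts only if DROP is its verb; the group captures the object name.
DROP = re.compile(
    r'^\s*DROP\s+(?:TABLE|DATABASE|SCHEMA|VIEW)\s+(?:IF\s+EXISTS\s+)?([\w.\[\]"`]+)',
    re.I,
)

def drop_targets(sql):
    """Objects dropped by any statement in a batch, ignoring literals and comments."""
    cleaned = NOISE.sub(" ", sql)
    return [m.group(1) for stmt in cleaned.split(";") if (m := DROP.match(stmt))]

def discover(records):
    """Discover: records that execute a DROP, not ones that merely contain the word."""
    return [(r, t) for r in records if (t := drop_targets(r["sql"]))]

def explore(records, flow):
    """Explore: every statement seen on one flow, in time order."""
    session = sorted((r for r in records if r["flow"] == flow), key=lambda r: r["ts"])
    return [r["sql"] for r in session]

if __name__ == "__main__":
    for rec, targets in discover(RECORDS):
        print(rec["client"], rec["flow"], "dropped", targets)
        for stmt in explore(RECORDS, rec["flow"]):
            print("   ", stmt.strip())
```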

Borrowing from the Perl motto, the above workflow is an example of how ExtraHop makes easy things easy and hard things possible. Without ExtraHop, DBAs would rely on a database profiler to record this type of activity. But a hacker who has just queried sensitive data from the database can use a DROP to delete the audit logs themselves, essentially wiping away their digital fingerprints. In those cases, there's very little an analyst or DBA can do to investigate. That is, unless they have an ExtraHop!

At ExtraHop, we call these types of super-simplified workflows "haikus" because it's hard to imagine stripping them down further. And with that, I leave you with this real haiku ...

Database hacked
Audit table drop? Oh no!
Answers on the wire


XKCD: Exploits of a Mom
