Threat Hunting for Swells in Database Read Volume

Introduction

When attackers have breached your network, one of the most common things they will be doing is looking into your systems that have sensitive data. This data is often kept in databases, making them a big old bullseye for hackers who have gained entry. This article will detail how to threat hunt by looking at Database Read Volume on your network. Hopefully, you are not currently facing an attack at your organization, but if you are and you are not sure how to begin investigating the attack – let this article be your guide.

Indicators of Compromise

Indicators of Compromise, or IoCs, are pieces of forensic data that Information Security professionals can use in their threat investigations. Following IoCs to the threats is similar to following a breadcrumb trail to someone who has stolen bread. You must look closely at what you are seeing (data-wise) and from all angles, and if you do, then you have a good shot at tracking down the threat.

Swells in Database Read Volume are a dead giveaway that a threat has breached your network. Once they are in your network, they will leave signs that they have been messing around in your data stores. These signs are likely not just small clues but rather huge, massive spikes in read volume that far exceed what you normally see. This is especially true for databases that contain credit card information – the attackers know what they are looking for and have ten ways ‘til Sunday to help them get it. When attackers begin extracting data, you will see the database read volume jump even higher.
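The spike-versus-baseline idea above can be turned into a simple detection. The following is an added example and is not code from the original post or from InfoSec Resources; it assumes a constructed log format of one line per hour per database ("timestamp database rows_read"), a trailing-window median as the baseline, and a 5x threshold, all of which are assumptions chosen for illustration rather than values from the article.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List

# Constructed sample telemetry (not real data): one line per hour per database,
# "<timestamp> <database> <rows_read>". The cardholder_db lines at 07:00 and
# 08:00 model the sudden swell the article describes; inventory_db gets a
# modest bump at 07:00 to show that not every increase crosses the threshold.
SAMPLE_LOG = """\
2024-05-01T00:00 cardholder_db 1180
2024-05-01T01:00 cardholder_db 1225
2024-05-01T02:00 cardholder_db 1090
2024-05-01T03:00 cardholder_db 1310
2024-05-01T04:00 cardholder_db 1205
2024-05-01T05:00 cardholder_db 1150
2024-05-01T06:00 cardholder_db 1270
2024-05-01T07:00 cardholder_db 9800
2024-05-01T08:00 cardholder_db 15400
2024-05-01T09:00 cardholder_db 1240
2024-05-01T00:00 inventory_db 540
2024-05-01T01:00 inventory_db 610
2024-05-01T02:00 inventory_db 575
2024-05-01T03:00 inventory_db 590
2024-05-01T04:00 inventory_db 560
2024-05-01T05:00 inventory_db 605
2024-05-01T06:00 inventory_db 580
2024-05-01T07:00 inventory_db 2100
"""


def parse_log(text: str) -> Dict[str, List[dict]]:
    """Group records by database, keeping line order (assumed chronological)."""
    by_db: Dict[str, List[dict]] = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, db, reads = line.split()
        by_db[db].append({"ts": ts, "db": db, "reads": int(reads)})
    return by_db


def detect_read_swells(by_db: Dict[str, List[dict]], window: int = 6,
                       factor: float = 5.0) -> List[dict]:
    """Flag intervals whose read count is at least `factor` times the median of
    the preceding `window` intervals for the same database.

    The median is used as the baseline (assumption) because a single earlier
    spike would inflate a mean and could mask the one that follows it.
    """
    alerts = []
    for db, records in by_db.items():
        # Skip the first `window` intervals: there is no baseline for them yet.
        for i in range(window, len(records)):
            history = [r["reads"] for r in records[i - window:i]]
            baseline = median(history)
            if baseline <= 0:
                continue
            ratio = records[i]["reads"] / baseline
            if ratio >= factor:
                alerts.append({
                    "ts": records[i]["ts"],
                    "db": db,
                    "reads": records[i]["reads"],
                    "baseline": baseline,
                    "ratio": round(ratio, 2),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_read_swells(parse_log(SAMPLE_LOG)):
        print(f"{alert['ts']} {alert['db']}: {alert['reads']} reads, "
              f"{alert['ratio']}x the trailing median of {alert['baseline']}")
```

On the sample data the two cardholder_db hours are flagged (about 8x and 12x the baseline) while the inventory_db bump, which is under 4x, is not. In practice the window and factor should be tuned per database, and a baseline built from the same hour on previous days will cope better with normal daily cycles than a plain trailing window.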

How to Threat Hunt for Swells in Database Read Volume

Just as a thief will leave tracks, so will the attacker or attack vector. With that said, the question is (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/_gPD_sAS0gk/