Database Honeypots: Sweet and Simple Breach Detection
By: Dave Rosenberg, CTO of Products, DB Networks
Organizations are quickly coming to the realization that if they haven’t already been a victim of a
cyber attack, it’s very likely they ultimately will. It’s not a matter of “if” but rather of “when”. A
much larger concern to organizations is that once they’ve been attacked, cyber criminals can
often operate undetected for very long periods of time.
Mandiant reported in its 2016 M-Trends that the median dwell time from compromise to detection is
presently on the order of 146 days. Cyber criminals can do a lot of damage over that extended
length of time.
The key to quickly identifying system breaches is sufficient instrumentation and real-time
analysis. The task of security instrumentation and analysis may appear daunting. An emerging
strategy is to not only instrument at the perimeter but also deep inside the infrastructure. It’s
critical to instrument the likely goal of a cyberattack – breaching the organization’s databases.
Databases hold the “crown jewels” of an organization, and this may include financial data,
personal information, correspondence, as well as intellectual property. In some organizations
the database infrastructure may even store highly classified government information.
Regardless, databases are always a highly prized target for cyber criminals.
An often overlooked yet simple security instrument is a database honeypot. A database honeypot
is an instrument any organization can deploy to help identify when a breach has occurred or is
recurring.
Honeypots are useful decoys because once a cyber attacker has penetrated the organization’s
perimeter they typically begin reconnaissance to understand the network and all of the
connected systems.
The idea with the honeypot is to trigger an alert to identify the cyber attack very early in the
attack process, hopefully during the reconnaissance phase when the damage is minimal.
A database honeypot can be quickly established by simply creating a database table that no user
or application is ever meant to access. Because there is no legitimate reason to touch it, any query
against the table is by definition suspicious and should raise an alert.
Multiple honeypots can be created across the infrastructure, and the more honeypot traps an
organization sets the greater the likelihood of exposing a breach. It’s important for the database
honeypot to appear legitimate and enticing.
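The alerting half of this technique, as an added example that is not part of the original article: a small Python routine that scans database statement logs for any reference to a set of honeypot tables and turns each hit into an alert carrying the user, client host and statement. The log format (a PostgreSQL-style "statement:" line with a user/db/host prefix), the second honeypot table name, and the sample log lines are constructed for the example; the article's own suggested name, EMPLOYEE_DIRECT_DEPOSITS, is used as the first honeypot. Matching is done on whole identifiers, with schema prefixes and quoting stripped, so a legitimately used table such as EMPLOYEE_DIRECT_DEPOSITS_ARCHIVE does not trigger, and a honeypot name appearing only in a SQL comment does not either.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Honeypot tables that no user or application is ever meant to reference.
# EMPLOYEE_DIRECT_DEPOSITS is the article's example; PAYROLL_BANK_ACCOUNTS is an
# assumed second decoy to show that several honeypots can be watched at once.
HONEYPOT_TABLES = {"employee_direct_deposits", "payroll_bank_accounts"}

# One SQL identifier: double-quoted, backtick-quoted, bracket-quoted, or bare.
IDENT = r'(?:"[^"]+"|`[^`]+`|\[[^\]]+\]|[A-Za-z_][A-Za-z0-9_$]*)'

# A table reference after FROM / JOIN / INTO / UPDATE / TABLE, optionally schema-qualified.
TABLE_REF = re.compile(
    rf"\b(?:from|join|into|update|table)\s+(?:(?P<schema>{IDENT})\s*\.\s*)?(?P<table>{IDENT})",
    re.IGNORECASE,
)

# Constructed log line format (PostgreSQL-style statement logging with a custom prefix):
# 2016-10-03 14:02:11 UTC [4811] user=app_svc,db=hr,host=10.1.4.22 LOG:  statement: SELECT ...
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[\d+\] user=(?P<user>[^,]+),db=(?P<db>[^,]+),host=(?P<host>\S+) "
    r"LOG:\s+statement:\s+(?P<sql>.*)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    host: str
    db: str
    table: str
    sql: str


def strip_comments(sql: str) -> str:
    """Remove -- line comments and /* */ block comments so they cannot trigger or hide a match."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"--[^\n]*", " ", sql)


def normalize_identifier(ident: str) -> str:
    """Strip quoting and case-fold, so HR."Employee_Direct_Deposits" compares equal to the decoy name."""
    ident = ident.strip()
    if ident and ident[0] in '"`[':
        ident = ident[1:-1]
    return ident.lower()


def referenced_tables(sql: str) -> set[str]:
    """Return the set of table names (schema stripped, case-folded) the statement references."""
    return {normalize_identifier(m.group("table")) for m in TABLE_REF.finditer(strip_comments(sql))}


def scan_log(text: str, honeypots: set[str] = HONEYPOT_TABLES) -> list[Alert]:
    """Parse statement-log lines and emit one Alert per honeypot table touched by each statement."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a statement line (continuation, other log level, etc.)
        hits = referenced_tables(m.group("sql")) & honeypots
        for table in sorted(hits):
            alerts.append(Alert(m.group("ts"), m.group("user"), m.group("host"), m.group("db"), table, m.group("sql")))
    return alerts


# Constructed sample log: normal application traffic, a look-alike table, and two decoy hits.
LOG_SAMPLE = """\
2016-10-03 14:02:11 UTC [4811] user=app_svc,db=hr,host=10.1.4.22 LOG:  statement: SELECT id, name FROM employees WHERE id = 1042
2016-10-03 14:02:13 UTC [4811] user=app_svc,db=hr,host=10.1.4.22 LOG:  statement: UPDATE employee_direct_deposits_archive SET flag = 1 WHERE id = 7
2016-10-03 14:07:52 UTC [5120] user=report_ro,db=hr,host=10.9.77.3 LOG:  statement: select count(*) from HR."Employee_Direct_Deposits"
2016-10-03 14:08:01 UTC [5120] user=report_ro,db=hr,host=10.9.77.3 LOG:  statement: SELECT * FROM hr.payroll_bank_accounts p JOIN employees e ON e.id = p.emp_id
2016-10-03 14:08:05 UTC [5120] user=report_ro,db=hr,host=10.9.77.3 LOG:  statement: -- from employee_direct_deposits
"""

if __name__ == "__main__":
    for a in scan_log(LOG_SAMPLE):
        print(f"HONEYPOT HIT {a.ts} user={a.user} host={a.host} db={a.db} table={a.table}: {a.sql}")
```

In the constructed sample only the two statements from `report_ro` at `10.9.77.3` produce alerts, which is exactly the reconnaissance footprint the article describes: a user enumerating tables it has no business reading. In production the same check would run against statement logs or captured wire traffic, and the alert would be routed to the SOC rather than printed.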
While the most effective database honeypot will be unique to each organization, in general,
financial information tends to make an enticing target. A honeypot table named
EMPLOYEE_DIRECT_DEPOSITS, for example, may just do the trick. You don't need to
49 Cyber Warnings E-Magazine October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide