Page 50 - Cyber Warnings
actually populate the database honeypot with any data. Any attempt to read or update the
honeypot table will trigger an alert, and that’s the goal for this security instrument.

It is possible to use the database's native auditing facilities to monitor the database honeypot.
However, an attacker who has already reached the database may see that auditing is enabled on
the table and become suspicious. Another option is non-intrusive, continuous monitoring of
database traffic, such as the DB Networks DBN-6300.

Alerts on any access to the database honeypot can be created, and because such a monitor
operates on a SPAN port or network TAP, its operation is not visible to the attacker. You want
to gather as much forensic data as possible to understand the origin and scope of the attack.

If you tip your hand, however, that forensic data may become unobtainable: the attacker may
move on to other areas of your infrastructure where you lack adequate monitoring.
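The detection rule described above is simple enough to show end to end. The following Python is an added example written for this article, not code from the original page or from any DB Networks product: it plays the role of the passive monitor (or a query-log consumer) sitting on the SPAN/TAP feed, checks every captured statement for a reference to the decoy table, and turns any hit into a highest-priority alert that carries the client address, database user and statement text the SOC will need for forensics. The decoy table name, the log line layout and the sample traffic are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed decoy table name (not from the page). Pick something that looks like
# a tempting production table in your own schema; it never holds real data.
HONEYPOT_TABLES = {"customer_card_archive"}

WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE", "DROP", "ALTER"}
READ_VERBS = {"SELECT"}

# Pulls the identifier that follows FROM / JOIN / INTO / UPDATE / TABLE,
# tolerating an optional schema prefix and quoting. Because \w+ stops at the
# identifier boundary, a real table such as customer_card_archive_v2 is not
# mistaken for the decoy.
TABLE_REF = re.compile(
    r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+"
    r'(?:["`]?\w+["`]?\s*\.\s*)?["`]?(\w+)["`]?',
    re.IGNORECASE,
)


@dataclass
class Alert:
    timestamp: str
    client: str       # source address seen on the wire: origin of the attack
    db_user: str      # database account used: insider or stolen credential?
    verb: str
    table: str
    sql: str
    access: str       # "read", "write" or "other": any of them is an alert
    priority: str = "P1"  # the article's guidance: highest priority, every time


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one captured statement into (timestamp, client, db_user, sql).

    The line layout is constructed for this example: four whitespace-separated
    fields with the SQL text last. A real monitor would supply these from the
    decoded session instead.
    """
    parts = line.strip().split(maxsplit=3)
    if len(parts) != 4:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def check_statement(timestamp: str, client: str, db_user: str, sql: str) -> Optional[Alert]:
    """Return an Alert if the statement touches the decoy table in any way."""
    verb = sql.lstrip().split(None, 1)[0].upper() if sql.strip() else ""
    for match in TABLE_REF.finditer(sql):
        table = match.group(1).lower()
        if table in HONEYPOT_TABLES:
            if verb in WRITE_VERBS:
                access = "write"
            elif verb in READ_VERBS:
                access = "read"
            else:
                access = "other"
            return Alert(timestamp, client, db_user, verb, table, sql, access)
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run every captured statement through the honeypot check."""
    alerts: List[Alert] = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # unparseable capture; a real deployment would log it
        alert = check_statement(*fields)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample traffic, not a real capture: a legitimate query, a query
# against a similarly named real table, then three touches of the decoy
# (a read, a write and a schema-qualified read) from a different client.
SAMPLE_LOG = [
    "2016-10-03T02:14:07Z 10.1.5.23 app_user SELECT id, total FROM orders WHERE id = 4411",
    "2016-10-03T02:14:09Z 10.1.5.23 app_user SELECT count(*) FROM customer_card_archive_v2",
    "2016-10-03T02:31:44Z 10.1.9.77 app_user SELECT * FROM customer_card_archive",
    "2016-10-03T02:32:10Z 10.1.9.77 app_user UPDATE customer_card_archive SET pan = NULL",
    "2016-10-03T02:33:02Z 10.1.9.77 dba_ro SELECT pan FROM sales.customer_card_archive WHERE 1=1",
    "malformed line",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.priority}] {a.timestamp} {a.client} {a.db_user} "
              f"{a.access} {a.verb} on {a.table}: {a.sql}")
```

Two points worth noting from the sample. First, the matcher is deliberately blunt: there is no severity scale and no attempt to judge intent, because the whole value of the decoy is that nothing legitimate should ever touch it. Second, that assumption has to be enforced on your side: any routine job that enumerates every table (a full schema export, a scanner, a BI crawler) will read the decoy too, so either keep the decoy out of such jobs or expect and document that one known source rather than weakening the rule.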

Should the database honeypot trigger, a highest-priority alert needs to be sent to the security
operations center for immediate action. This is potentially an extremely serious security situation:
it is a clear indication of nefarious activity deep inside the IT infrastructure.
The alert could be the result of an insider nosing around where they shouldn't be, or of a cyber
attacker you have ensnared. In either case the highest level of response is necessary to triage
the situation.

In the case of the cyber attacker, you not only know they are able to reach your databases; they
have most certainly breached other networks and security mechanisms to get that deep into your
IT infrastructure.

A simple database honeypot is certainly limited in its scope, no question about that. However,
its return on investment as a security instrument is large, and it should most certainly be
considered as part of a database defense-in-depth strategy.



About the Author

Dave is DB Networks' CTO of Products, responsible for leading advanced technical research
and patent development. Prior to joining the company, Dave served as VP of Engineering at
WireCache, where he and his team developed the industry's first general-purpose Oracle
database accelerator appliance. DB Networks acquired this important technology in 2009, which
brought Dave and the WireCache team into DB Networks.

Dave brings more than 30 years of technology development experience, including ten years at
VP level for Oracle Corporation’s server technology.

Dave earned his B.A. in Mechanical Engineering/Fluid Mechanics from UC Berkeley, and
served in the Air Force for six years, where he earned his M.S. in Astronautical Engineering
from the Air Force Institute of Technology (yes, he is a rocket scientist!).

50 Cyber Warnings E-Magazine October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
