Reflecting on Database compromises
“Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across electrified borders.”
This essay examines strategies for interrogating databases that may have been compromised by threat actors, a critical task for incident responders seeking to assess and contain damage from breaches. It focuses on highly available databases like Oracle, MariaDB, and BigQuery, exploring both subtle and obvious alterations to uncover malicious activity while avoiding extended downtime or further corruption. The ideas and concepts are portable; the implementation details largely are not.
When a database has potentially been altered by an attacker, meticulously querying its contents is essential for incident handlers to scope the intrusion's impact. Especially with business-critical systems requiring five 9s of uptime, responders must tread carefully to avoid unnecessary disruption. By looking for common attack modifications with purpose-built, read-only queries, they can detect compromised records while staying alert to oversight risks such as under-reporting the scale of a breach.
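As an added illustration (not code from the original essay) of the two query styles a responder typically combines, the example below diffs a trusted pre-incident backup against the live table and, separately, lists rows whose timestamp falls after the suspected intrusion start. It assumes an in-memory SQLite table with a constructed `users` schema as a stand-in for the production engine; the same SELECT-only approach carries over to the databases the essay discusses, with dialect changes.

```python
import sqlite3

# Constructed schema standing in for a real accounts table.
SCHEMA = ("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
          "role TEXT, updated_at TEXT)")

# Constructed sample data: a trusted backup taken before the suspected
# intrusion window, and the live table as found during the response.
BASELINE = [
    (1, "alice", "admin", "2024-01-10T09:00:00"),
    (2, "bob", "user", "2024-01-11T12:30:00"),
    (3, "carol", "user", "2024-01-12T08:15:00"),
]
LIVE = [
    (1, "alice", "admin", "2024-01-10T09:00:00"),
    (2, "bob", "admin", "2024-01-20T03:12:44"),        # role escalated
    (4, "svc_backup", "admin", "2024-01-20T03:13:02"),  # new account
]  # carol (id 3) is gone from the live table


def load(rows):
    """Build an in-memory copy so the checks below never touch production."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", rows)
    return conn


def diff_against_baseline(baseline, live):
    """Compare two snapshots keyed by primary key; catches deletions and
    rows whose timestamps an attacker may have backdated."""
    b = {r[0]: r for r in baseline}
    l = {r[0]: r for r in live}
    return {
        "inserted": sorted(k for k in l if k not in b),
        "deleted": sorted(k for k in b if k not in l),
        "modified": sorted(k for k in l if k in b and l[k] != b[k]),
    }


def changed_since(conn, since):
    """Rows touched on or after the suspected intrusion start (SELECT only).
    Cheap and safe on a live system, but blind to deleted rows."""
    cur = conn.execute(
        "SELECT id FROM users WHERE updated_at >= ? ORDER BY id", (since,))
    return [row[0] for row in cur.fetchall()]
```

The timestamp query alone reports ids 2 and 4 and misses the deleted row, which is exactly the under-reporting risk the essay warns about; the baseline diff surfaces it.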
Fig. 1: Actual photograph of the Oracle towers in Redwood Shores, California. No, really.