As business needs compel organizations to manage an ever-increasing number of database types, both on-premise and in the cloud, the threat surface has also become larger and far more difficult to manage effectively. The bad actors out there know this, too. They are constantly probing, testing, and trying to defeat your application and data security solutions. Their methods have evolved and their attacks have become more sophisticated.
Knowing what these cyber attackers are about can help you better understand the “Database Threat Landscape” and create a more effective application and data-centric security strategy. To start, it is helpful to characterize the entities from whom you need to protect your assets. In this post, we’ll profile the four principal types of cyber attacker – one originating inside the organization and three from the outside – so you can gain some insight into their methods and motivations and use what you know about them to thwart their attacks.
Cyber attackers are commonly split into two groups: “Inside Threats” and “Outside Threats.” The first threat type, originating inside the organization, is generally activated when employees leave data exposed, either maliciously or by mistake/oversight. For malicious inside cyber attackers, the motive is usually money, often accompanied by a dislike for the company. The malicious insider usually has access to assets or credentials and is less suspicious than an outside threat.
There are best practices that organizations can engage in to mitigate malicious insider threat risk: The most obvious, and also the easiest thing to do, is to make sure your employees are not doing stupid things like sharing passwords – either internally, or worse externally – and not properly logging out of environments that contain sensitive data when they are done working. Second, it is important for security teams to constantly monitor user permissions and privilege levels to access sensitive data. In short, if a user’s job does not require access to specific sensitive data, they shouldn’t have it. It is also critical for security teams to have the necessary visibility into the data estate to know what constitutes normal data use. For example, if an internal user who has never accessed a sensitive data source before suddenly starts downloading a lot of sensitive data, security teams should be made aware automatically. You can get a more comprehensive accounting of how to mitigate insider threats here.
Attack methods used by outside cyber attackers depend on their motivation, as these three threat profiles show:
- The Hit and Run attacker identifies an opportunity – a vulnerability, publicly open database, or something else – takes what they can, and leaves. This kind of attacker won’t search for other databases, penetrate the organization’s network, or try to execute exotic exploits, etc. They just take what they can and sell it to the highest bidder.
- The Curious attacker usually sets out with a purpose, but has enough interest to look around a little bit, but not too much. They are still focused on their original purpose, malware deployment, data exfiltration, etc.
- The Resident attacker is the most dangerous type. As in the “Equifax” breach, the Resident will penetrate the organization’s network and stay for months, sometimes years. They use keyloggers, sniffers, and other methods to steal credentials and compromise databases, using “Slow & Low” and other methods to stay undetected.
Many organizations make it easy for Hit and Run attackers to steal data. While most security teams do their best to mitigate the exploitation of newly-discovered vulnerabilities, some DBAs and DevOps people are migrating operations and workloads to publicly open services in the cloud that security teams do not account for. If left sitting out there unsecured, this data can fall easy prey to Hit and Run attackers. If you are using publicly open services, even if only for search and analysis, ensure they are visible, configured properly, and that security updates and patches are current.
Imperva Research Labs reports that nearly 75% of all data stolen in security breaches is personal data. While a Hit and Run attacker may just want to steal instant-value data like credit card numbers, left unchecked, the Curious attacker can stick around and steal personal data they can correlate and turn into Personally Identifying Information (PII), which has more long-term value. Again, complete visibility into the data estate ensures that abnormal data exfiltration can be quickly discovered and remediated. It is also critical to have robust malware detection/prevention capabilities to make it hard to install and spread malware on end-user machines.
While the Resident attacker is playing the “long game”, the best way to mitigate the risk they represent to your data is to play the long game right along with them. In addition to the tactics recommended for dealing with the Curious attacker, make sure that your privileged users are changing passwords frequently. Consider a zero-trust network to complement robust data security controls. This is just the tip of the risk mitigation iceberg. There are many tactics organizations can use to make themselves a much harder target. An Imperva solutions expert can help you develop a strategy to meet these challenges.
Imperva’s data security solution adds several layers of protection to your data. Imperva protects your data wherever it lives, on-premises, in the cloud, and in hybrid environments. It also provides security and IT teams with full visibility into how the data is being accessed, used, and moved around the organization.
Want to see Imperva’s data security solution yourself? Contact us to learn more.
Try Imperva for Free
Protect your business for 30 days on Imperva.