Michael Sabo VP of Marketing DB Networks

SQL injection attacks remain an unsolved threat to enterprise databases and critical information stored at the core of the network.  The Open Web Application Security Project (OWASP) continues to rank SQL injection attacks at the top of its 10 most critical web application risks.  Over the past 15 years, hundreds of millions of database records have been stolen using this method.  Recently, the website for E! Online was attacked with SQL injection and hackers got away with database tables, usernames and passwords. Attacks such as this occur each and every day.

Why is this such a concern?  With SQL injection the attacker is attempting to slip an SQL fragment through a web applications web form, URL, or a cookie with the intent to have it executed on the database.  The purpose of the rogue SQL instruction is often to export core database contents, such as personal records or intellectual property information, to outside servers to be sold or for malicious intent. 

Today’s SQL injection attackers are becoming increasingly more destructive.  Their SQL injection attacks install malware on the inside of the organization undetected.  The SQL injection attack is often the first volley in a far more complex and multi-vector attack chain.  Once they’ve breached an organization’s systems, the attackers can gain access to additional servers with escalated privileges.  The attacker may also continue to corrupt the database to inflict further damage and finally crash the database completely in a database denial of service (Db-DoS) attack.  Records that have been corrupted over a very long period of time make data recovery a difficult task because database backups also get corrupted.  This chain reaction was all initiated through an initial SQL injection attack.  A Barclays analysis estimates that 97% of data breaches worldwide are still due to SQL injection somewhere along the line.

Despite all these threats and warnings, most organizations continue to invest significantly more on network security than they do to protect their core infrastructure assets, such as their databases.  This is true even though the database holds the organization’s “crown jewels,” private information, and/or mission critical data.  For example, a web application firewall (WAF) is a popular network security tool which organizations deploy at the perimeter.  A WAF attempts to detect SQL injection threats which are attacking at the core database tier while examining the situation from the web tier.  However, the WAF is too far removed from the actual attack surface and is unable to determine how the application will interpret a very obscured SQL injection attack.  The WAF sees only SQL fragments that might be obfuscated, but not the actual rogue SQL statements that will be executed on the database.  It was not designed for this type of monitoring and cannot protect organizations at the core of their networks.

To make matters worse, any third party software an organization is running may also be vulnerable to SQL injection.  Not all third party software has been exhaustively tested for SQL injection vulnerabilities.  If the framework which applications are written on is itself vulnerable to SQL injection, the system is at risk.  Once an attacker discovers a framework attack vector by probing the system looking for the vulnerability, they can easily execute a number of attacks via SQL, causing havoc.  Experienced pen testers know that web applications tied to a relational database are often vulnerable to SQL injection or can be made vulnerable through malware.

When organizations do look inward at protecting the core network, current SQL injection protection techniques using signatures and black listing require time-consuming and error-prone manual updating, and are not effective against database hackers who obfuscate their SQL injection using Advanced Evasion Techniques (AET) to conceal their attacks.  There are literally an infinite number of ways to obfuscate a SQL injection attack.  It’s a losing battle to attempt to use signatures as a defense.

Organizations today need a new approach to safeguard their valuable database assets from SQL injection attacks.  They need a solution that is designed to operate close to the core assets they are protecting, with the ability to understand the protocols used by the systems accessing the data.  They need to go beyond simple pattern-based threat detection and be capable of accurately separating normal behavior from attacks.  New approaches require continuously monitoring the actual attack surface at the core network.  Finally, next-generation approaches are based on behavioral analysis.  By using behavioral analysis, for example, organizations can easily distinguish between normal usage and attacks, including zero-day attacks.

It is no surprise that real-time and continuous monitoring of all SQL statements between web application and databases is needed for the advanced threat detection of rogue SQL statements.  SQL statement monitoring is best accomplished with a new solution set of Core IDS solutions, offered by companies such as DB Networks, or by a database firewall appliance operating on a mirrored network port at the database tier.  With core network security focused on the database tier, the actual SQL requests can be observed.  Core IDS solutions operate completely non-intrusively so when continuously monitoring they do not interfere with database management systems or database activity monitoring (DAM).

How important is continuous monitoring?  The Federal Information Security Management Act (FISMA) requires continuous monitoring compliance, as specified in NIST 800-53.  All Federal agencies, and any organization that provides IT services to federal agencies, must be FISMA compliant.  The Federal government is taking the lead in decreeing continuous monitoring for database security by requiring Core IDS solutions to continuously monitor SQL database transactions and the contents of the transaction as the information is transmitted.

Continuous monitoring is also a critical component of the Risk Management Framework (RMF) described in NIST Special Publication 800-37.  With the RMF, effective continuous monitoring is emphasized as a critical component of near real-time risk management.  Additionally, the RMF stresses the use of detection automation to deliver the critical information necessary to make cost-effective, risk-based decisions in real-time that support the organization’s mission.  The emphasis is on selecting and implementing proper security controls in addition to continuously monitoring, so when threats are detected the appropriate threat measures can be instantly executed.

As most organizations stand today, once their perimeter defenses have failed, their “soft core” is exposed and vulnerable to cyber attacks.  However, continuous monitoring with intrusion detection at the core immediately identifies these breaches.  A Core IDS, such as the DB Networks IDS-6300, provides the continuous monitoring and security event information necessary to respond to attacks in real-time.  Without continuous monitoring, it is impossible to discover attacks in real-time and address the threats immediately.  In addition, intelligence gathered from continuously monitoring at the core helps identify vulnerabilities in the applications where the breach occurred.  Coding issues can be rapidly identified and traced to their source where they can be remediated.  Also, continuous monitoring can actually find active databases which might be running without IT’s knowledge.  All in all, the more rapidly a security incident can be identified and responded to, the more limited its damage will be.

Core IDS solutions and database firewalls take these protections a step further through the use of behavioral analysis that examines the captured SQL statements and identifies SQL injection attacks in real-time by alerting any out-of-the-ordinary behavior.  In DB Networks’ case, its behavioral analysis model identifies all rogue SQL statements, including zero-day attacks. This is possible because rogue SQL statements simply don’t match the normal behavior of the legitimate web application database transactions.

While Web applications can produce dynamic, and often extremely complex SQL, it turns out this behavior can be modeled.  With the ability to parse and analyze SQL statements, organizations gain unique insight into the SQL statements being created by their applications.  These behavioral analysis techniques create multiple unique models of how an application creates the SQL statements that it sends to the database.  All SQL statements are evaluated against these models for proper behavior.  Any SQL statement that deviates from these unique models causes the system to alarm in real-time.  The behavioral learning and model creation is automated, making it much faster and more accurate than manually generated signatures or the tuning of signatures to suppress false alarms.  The more advanced Core IDS solutions typically take a day or two to establish all learning and models, while other solutions can take a month or more.

SQL injection attacks remain a serious problem for organizations, and hardly a week goes by that you don’t hear about another breach of an organization’s databases.  The industry has been working for 15 years to address these issues, with limited progress until now.  Today new solutions aimed at protecting the core network are yielding proven success.  The unique approach of continuous monitoring the core network for intrusion detection using behavioral analysis is allowing organizations to accurately identify database attacks in real-time.  Soon organizations will gain the upper hand in their battle against SQL injection attacks.