Spear phishing has been getting a lot of attention lately—and for good reason. It has proven to be an effective means to deploy malware inside a closed organization, even one with good security. For example, the Oak Ridge National Laboratory, home to one of the world's most powerful supercomputers, was forced to shut down email systems and all Internet access for employees following a sophisticated cyberattack. The more famous RSA breach is also thought to have been a result of spear phishing.
We don’t typically use our blog space to promote products. But recently one of our customers deployed a clever strategy that is worth sharing broadly, since it qualifies as an industry best practice: use database activity monitoring (DAM) to help mitigate spear phishing. This doesn’t seem intuitive, so how would it work?
The customer, a large financial institution, starts with the assumption that the organization is already infected. To them, as hackers and phishers get more sophisticated and targeted with phishing, it’s not a question of ‘if’ but ‘when.’ Though you should deploy anti-virus, you can’t rely on a 100% block rate. The idea? Since the perimeter is porous, defend yourself by putting a camera with a security guard inside the vault itself. This approach is what the customer calls “DAMing the database.” It prevents unwarranted theft of data by blocking malware at the place it usually tries to steal from: the database. How does DAMing the database work?
Essentially, DAM monitors access to the most sensitive targets and identifies access attempts to sensitive data such as corporate transactions, customer details and employee records. Anyone—or any malware—that is not supposed to be accessing that data, is accessing too much of it, or is accessing it in an anomalous fashion would trigger an alert or be blocked. How does this work?
DAM checks the entry method. Legitimate individuals should, typically, access data through a main door. In addition, many databases provide an alternative side door for privileged users, such as higher-level managers. With DAM, you treat anyone not entering through an approved door as suspicious at best and, at worst, as malware creating a tunnel. A proper DAM solution should identify and block such inappropriate access.
Similarly, a database control would check that the client application is approved for use. For example, an organization may permit access to the database only through a particular customized Web-based application, while malware tries to bypass that legitimate access channel. Any connection to the database by any other application (say, Excel) would be blocked. Sophisticated malware may also impersonate administrators. In such cases, where only administrators may access the database through a local client, the controls should block access originating from a local connection when the user is not an administrator.
Monitor the activity of individuals. If employees have been granted miscellaneous access permissions, you should monitor what they are doing. Malware from spear phishing typically causes unusual behavior, including:
- Low-level employees attempting to access data only managers can.
- Downloading unusually high volumes of data.
- Accessing data that isn’t aligned with a job function, e.g., a marketing employee accessing financial data.
Such behavior can be an indication of infection. DAM tracks the activity of logged-in individuals, and anomalous behavior would trigger an alert and/or block the suspicious activity.
Monitor the activity of privileged users. Managers, by definition, have greater privileges. If spear phishing infects higher-level employees, the malware’s work is much easier. Nonetheless, malware will still cause unusual activity, and DAM watches for anomalous behavior. Database controls would track the activity of privileged users and monitor what these privileged users are accessing:
- Is it something they are doing in order to perform their job?
- Is this something they would normally access?
- If they retrieve data, how much did they retrieve? Was it appropriate for their job?
- What about other activities they are performing: is that their normal behavior, or does it signal something suspicious and out of the ordinary?
If any of the above scenarios occurs, DAM should record and block the activity while alerts go off.
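The checks described above (entry method, approved client application, role alignment, and data volume against a per-user baseline) as a small policy engine over constructed access events. This is an added example, not the customer's or any vendor's code; the application names, roles, tables, thresholds and sample events are assumptions made for illustration.

```python
# Toy DAM-style policy check over database access events.
# Added example, not the blog's or any vendor's code; apps, roles,
# tables, thresholds and sample events are constructed assumptions.
from dataclasses import dataclass

APPROVED_APPS = {"CustomerPortal"}   # the "main door" for ordinary users
ADMIN_APPS = {"sqlplus"}             # the privileged "side door"
ROLE_TABLES = {                      # tables aligned with each job function
    "finance": {"transactions", "employee_records"},
    "marketing": {"campaigns"},
    "dba": {"transactions", "employee_records", "campaigns"},
}
ROW_LIMIT = 500                      # hard cap on rows per query

@dataclass
class AccessEvent:
    user: str
    role: str
    app: str
    local: bool    # True if connected from the database host itself
    table: str
    rows: int

def evaluate(ev, baseline):
    """Return policy violations for one event; an empty list means allow."""
    hits = []
    # Entry method: the side door (admin client or local connection) is
    # admin-only; everything else must come through an approved application.
    if ev.app in ADMIN_APPS or ev.local:
        if ev.role != "dba":
            hits.append("side-door access by non-admin")
    elif ev.app not in APPROVED_APPS:
        hits.append(f"unapproved client application: {ev.app}")
    # Role alignment: is this table part of the user's job function?
    if ev.table not in ROLE_TABLES.get(ev.role, set()):
        hits.append(f"role {ev.role} not permitted on {ev.table}")
    # Volume: absolute limit, then deviation from the user's own baseline
    if ev.rows > ROW_LIMIT:
        hits.append(f"{ev.rows} rows exceeds limit {ROW_LIMIT}")
    usual = baseline.get(ev.user)
    if usual and ev.rows > 10 * usual:
        hits.append(f"{ev.rows} rows is over 10x user baseline {usual}")
    return hits

BASELINE = {"alice": 20, "bob": 15, "carol": 300}   # typical rows per query
EVENTS = [  # constructed: normal, wrong app + wrong data, admin, bulk pull
    AccessEvent("alice", "finance", "CustomerPortal", False, "transactions", 25),
    AccessEvent("bob", "marketing", "Excel", False, "transactions", 40),
    AccessEvent("carol", "dba", "sqlplus", True, "employee_records", 250),
    AccessEvent("alice", "finance", "CustomerPortal", False, "transactions", 900),
]
def run_events(events=EVENTS, baseline=BASELINE):
    return [evaluate(e, baseline) for e in events]
```

In a real deployment the baseline would be learned from historical activity per user rather than hard-coded, and a non-empty result would feed the alert or block decision described above.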