Another expertise package with a set of threat detection rules has been added to MaxPatrol SIEM, the incident detection system of the Russian company Positive Technologies. With the package installed, MaxPatrol SIEM users can detect suspicious activity in the MySQL Enterprise Edition database management system (DBMS), which allows them to localize attacks quickly and prevent data leaks or DBMS failure.
According to 78% of information security specialists in Russia, the main goal pursued by cybercriminals attacking their companies is to steal valuable information. In Q2 2021, hackers stole personal data (36% of attacks), trade secrets (22%), and customer databases (3%). Companies may store such information in database management systems.
MySQL is the second most widely used database management system in the world. Positive Technologies specialists studied how MySQL Enterprise Edition is attacked and created an expertise package with rules for detecting cybercriminals' actions.
This is the fifth expertise package aimed at identifying attacks on popular DBMSs. Previously, MaxPatrol SIEM received rule sets to detect attacks against PostgreSQL, Oracle Database, Microsoft SQL Server and MongoDB.
“If an attacker gains access to the DBMS and remains unnoticed, he will be able to control business processes, disrupt them if he wants, and moreover, this will allow him to expand the attack and compromise the entire local network,” noted Alexander Kostyakov, specialist of the business systems and databases security department of Positive Technologies.
Thanks to the new rules, MaxPatrol SIEM users will be able to identify cases when attackers: try to reach a command execution environment through user-defined functions (UDFs), which allow commands to be executed on the server through the database, so that attackers can take over the infrastructure and develop the attack; clear the list of blocked IP addresses, which can be used to bypass bans on connecting to the DBMS; guess passwords for accounts with access to MySQL; read the audit table for reconnaissance, since it reveals users' IP addresses and, indirectly, their privileges, which can be used to develop the attack; change user rights or delete accounts, for example to restrict the administrator's access to the system.
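As an added illustration (not Positive Technologies' rules or code), the following Python script applies simplified versions of the five detection ideas above to constructed MySQL Enterprise Audit-style JSON events. The event field names, statement patterns, table names and the failed-login threshold are assumptions that would need tuning for a real deployment.

```python
import re
from collections import defaultdict

# Rules over the statement text. Statement forms and table names are assumptions
# about how the actions the package describes appear in MySQL audit events.
QUERY_RULES = [
    ("udf_command_execution",          # loading a shared library as a UDF
     re.compile(r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\b.*\bSONAME\b", re.I | re.S)),
    ("blocked_hosts_cleared",          # resetting the host block list
     re.compile(r"\bFLUSH\s+HOSTS\b|\bTRUNCATE\b.*\bhost_cache\b", re.I | re.S)),
    ("audit_data_reconnaissance",      # reading audit tables / audit log contents
     re.compile(r"\bSELECT\b.*\bmysql\.audit_log_\w+|\baudit_log_read\s*\(", re.I | re.S)),
    ("account_tampering",              # changing rights or removing accounts
     re.compile(r"^\s*(?:DROP\s+USER|GRANT|REVOKE|ALTER\s+USER|RENAME\s+USER)\b", re.I)),
]
FAILED_LOGIN_THRESHOLD = 3  # assumed: failures per source host before alerting

def detect(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (rule, user, host) alerts. Events are dicts in the shape of MySQL
    Enterprise Audit JSON records (field names assumed): connection events carry
    connection_data.status (0 = success), statement events carry general_data.query."""
    alerts, failures = [], defaultdict(int)
    for ev in events:
        user = ev.get("account", {}).get("user", "?")
        host = ev.get("account", {}).get("host", "?")
        if ev.get("class") == "connection" and ev.get("event") == "connect":
            if ev.get("connection_data", {}).get("status", 0) != 0:
                failures[host] += 1
                if failures[host] == threshold:  # alert once per host
                    alerts.append(("password_guessing", user, host))
            continue
        query = ev.get("general_data", {}).get("query", "")
        for name, pattern in QUERY_RULES:
            if pattern.search(query):
                alerts.append((name, user, host))
    return alerts

def _ev(cls, event, **data):  # builder for constructed sample events, all from one host
    return {"class": cls, "event": event, "account": {"user": "app", "host": "10.0.0.5"}, **data}

# Constructed sample: three failed logins, a successful one, then one statement per rule.
SAMPLE_EVENTS = [_ev("connection", "connect", connection_data={"status": 1045})] * 3 + [
    _ev("connection", "connect", connection_data={"status": 0}),
    _ev("general", "status", general_data={"query": "CREATE FUNCTION f RETURNS STRING SONAME 'x.so'"}),
    _ev("general", "status", general_data={"query": "FLUSH HOSTS"}),
    _ev("general", "status", general_data={"query": "SELECT * FROM mysql.audit_log_user"}),
    _ev("general", "status", general_data={"query": "DROP USER 'dba'@'localhost'"}),
]
```

Running `detect(SAMPLE_EVENTS)` yields one alert per rule; in a real pipeline the same logic would read the audit log stream instead of the constructed list.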
In total, the expert package allows you to identify 21 suspicious actions in MySQL.
To start using the expertise package to detect attacks against MySQL, update MaxPatrol SIEM to version 6.1 or 6.2 and install the rules from the package.