SQL Injections Part 2: A Threat-Informed Defense
In the first part of this series, I delved into the mechanics of SQL injections, using the OWASP Juice Shop—an intentionally vulnerable web app—to demonstrate how such attacks are executed. That discussion laid the groundwork for understanding both the execution and impact of SQL injections. Now, I turn my attention to defense, focusing on the identification of threats and mitigation of vulnerabilities in order to protect my valuable assets, like my cloud infrastructure and data.
Identifying Vulnerabilities: The First Line of Defense
SQL injection vulnerabilities stem from improper input validation and the absence of parameterized queries. Industries with sprawling infrastructures and sensitive data are prime targets for attackers exploiting these weaknesses. Organizations with public-facing web applications should already know that URL parameters and form input fields are the common injection points; HTTP headers and cookies are the less obvious entry points, since their values can also end up inside a query.
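To make the vulnerability and its fix concrete, here is an added Python example (not code from the original post or from Juice Shop) that contrasts a string-built query with a parameterized one against a constructed in-memory SQLite table and adds an allowlist check on the input; the table, user names and test string are assumptions.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny in-memory users table standing in for
    # the application's real database (not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable pattern: user input is spliced straight into the SQL text,
    # so a quote in the input changes the structure of the query itself.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened pattern: the query text is fixed and the value travels
    # separately as a bound parameter; the driver never parses it as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(name: str) -> bool:
    # Defence in depth: an allowlist on the expected character set rejects
    # quotes, comment markers and spaces before the value reaches any query.
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed test input: a quote followed by an always-true condition.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(db, probe))  # every row leaks
    print("parameterized:", lookup_user_safe(db, probe))     # no such user: []
    print("allowlist rejects probe:", not is_valid_username(probe))
```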
Analyzing SIEM Logs for SQL Injection Attempts
A critical component of my threat-informed defense strategy has been analyzing SIEM logs for evidence of SQL injection attempts. For example, I encountered a log entry that flagged an SQL injection attempt:
Leveraging the MITRE ATT&CK Framework for Defense
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is an open, freely available knowledge base for classifying and describing the tactics and techniques used in cyberattacks and intrusions. In the screenshot you’ll notice the identifier “T1190”. T1190 is the ATT&CK technique Exploit Public-Facing Application, which falls under the Initial Access tactic, and it is the technique under which SQL injection is classified. Through the ATT&CK framework I can map out the threat actors that commonly use this technique as part of their arsenal. While that is not directly relevant for a small, cloud-hosted blog like mine, large targets such as the oil and gas industry and government sectors can benefit greatly from this knowledge. For example, some well-known threat groups that use T1190 include:
- APT29 is a group linked to Russia’s SVR intelligence agency. Since 2008, they’ve focused on hacking into government systems across Europe and NATO countries, as well as research and think tank organizations. Notably, they breached the Democratic National Committee in mid-2015.
- Axiom is believed to be a Chinese group involved in cyber spying. Their activities, dating back to at least 2008, have targeted industries like aerospace, defense, government operations, manufacturing, and the media.
- Fox Kitten is thought to be connected to Iran’s government and has been active since 2017. Their hacking efforts span the Middle East, North Africa, Europe, Australia, and North America, affecting sectors such as oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.
Mitigations and Best Practices
MITRE also provides a list of mitigations for every technique and sub-technique. Enterprises that are likely targets of such attacks can map out the mitigations for each technique their suspected adversaries use. For T1190 the listed mitigations are:
- M1048 Application Isolation and Sandboxing: Limiting what processes and system features the exploited target can access.
- M1050 Exploit Protection: Employing Web Application Firewalls (WAFs) to prevent exploit traffic from reaching the application.
- M1030 Network Segmentation: Isolating externally facing servers and services from the rest of the network.
- M1026 Privileged Account Management: Implementing least privilege principles for service accounts.
- M1051 Update Software: Regularly updating software to mitigate exploitation risk.
- M1016 Vulnerability Scanning: Continuously scanning for vulnerabilities to patch them promptly.
Along with mitigations, ATT&CK also lists the data sources that can be used to detect the technique:
- Application Log (DS0015): Detecting exploitation attempts is hard and depends on the instrumentation you have in place. Many attempts fail, and failed attempts can surface as application errors or crashes. Tools such as Web Application Firewalls help by logging suspicious activity, for example unusual or unexpected input values that attackers send.
- Network Traffic (DS0029): Inspecting the contents of network traffic, rather than only connection metadata, can reveal exploitation attempts, including SQL injection payloads and other common web attacks, by spotting unusual request content that may indicate an attack in progress.
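As an added example (not from the original post or its SIEM), this Python detector applies the SIEM log analysis and the Application Log and Network Traffic guidance above to a few constructed access-log lines: it decodes each request before matching, so encoded payloads are not missed, and tags hits with T1190. The log format, IP addresses and paths are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed web-server access log lines (Apache combined format), standing in
# for the SIEM entries discussed in the post; they are not from the original.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:12:01:03 +0000] "GET /rest/products/search?q=apple HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:01:09 +0000] "GET /rest/products/search?q=apple%27%20OR%201%3D1-- HTTP/1.1" 500 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:02:44 +0000] "POST /rest/user/login HTTP/1.1" 200 230 "-" "curl/8.4.0"
198.51.100.7 - - [10/Mar/2024:12:03:01 +0000] "GET /rest/products/search?q=x%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 2048 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators of an injection *attempt* in a decoded query string.
# They are triage signals, not proof of compromise, and need tuning for noise.
INDICATORS = [
    ("quote-then-boolean", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete)\b", re.I)),
]


def analyze_log(text: str) -> list:
    """Return one finding per request whose decoded URL matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode percent-encoding first: quotes and spaces in payloads are
        # almost always encoded, and a raw-string match would miss them.
        decoded = unquote_plus(m["path"])
        hits = [name for name, rx in INDICATORS if rx.search(decoded)]
        if hits:
            findings.append({
                "src_ip": m["ip"],
                "timestamp": m["ts"],
                "status": int(m["status"]),
                "decoded_request": decoded,
                "indicators": hits,
                "attack_technique": "T1190",  # ATT&CK Exploit Public-Facing Application
            })
    return findings

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["timestamp"], f["src_ip"], f["status"], f["indicators"], f["decoded_request"])
```

Findings are best correlated by source IP and response status (a 500 after a quoted input is a stronger signal than a lone pattern match) before they are promoted to an alert.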
Conclusion
Building a threat-informed defense against SQL injections requires not only an understanding of the attack itself but also a deep knowledge of potential vulnerabilities within one’s systems. Leveraging frameworks like MITRE ATT&CK and tools like SIEM logs plays a crucial role in identifying and mitigating these vulnerabilities. As I continue to navigate the cybersecurity landscape, these insights and practices form the cornerstone of my defense strategy, ensuring a robust posture against the ever-present threat of SQL injections.