5.6 Detecting Attacks on Data and Applications

Detecting attacks against data and applications is a critical function of cybersecurity operations. This process involves monitoring how data is accessed and used, and analyzing system and application logs for signs of malicious activity. The goal is to identify indicators of compromise (IoCs) that reveal an attack is in progress or has already occurred.

One of the primary methods for detecting attacks on data is through the process of accounting, which involves tracking and logging when data is accessed and by whom. Security analysts can review these access logs for suspicious activity, such as:

  • A user accessing files or applications that are outside their normal job responsibilities.
  • Access patterns that deviate from a user's established baseline, including logging in at unusual times or from unfamiliar locations.
  • Repeated attempts to access, copy, or delete sensitive files.

A clever detective control is the use of a honeypot. In this context, a honeypot can be a decoy file or database that appears to contain valuable information (like a list of passwords or customer credit card numbers) but is actually fake. Since there is no legitimate reason for anyone to access this file, any attempt to do so is immediately flagged as malicious activity, and an alert is sent to security personnel.
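The accounting review and the honeypot check described above can be expressed as a small log-review routine. The following is an added example, not code from the original page: the log format, user names, paths (including the decoy file) and the three-day baseline window are all constructed for illustration. It learns each user's usual directories, source addresses and working hours from earlier records, then flags later events that leave that baseline, that copy or delete data in sensitive locations, or that touch a decoy file at all.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample in a hypothetical format:
#   <ISO timestamp> <user> <action> <path> <source IP>
# The first three days are routine activity; the 7th holds the events to review.
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice READ /finance/q1_report.xlsx 10.0.1.23
2024-03-04T09:40:17 alice READ /finance/q1_budget.xlsx 10.0.1.23
2024-03-04T08:55:00 bob READ /eng/design.docx 10.0.2.5
2024-03-05T10:05:44 alice READ /finance/q2_forecast.xlsx 10.0.1.23
2024-03-05T10:30:02 alice WRITE /finance/q2_forecast.xlsx 10.0.1.23
2024-03-05T09:10:00 bob WRITE /eng/design.docx 10.0.2.5
2024-03-06T11:02:13 alice READ /finance/q1_report.xlsx 10.0.1.23
2024-03-07T03:14:55 alice READ /hr/salaries.xlsx 203.0.113.9
2024-03-07T03:15:10 alice COPY /hr/salaries.xlsx 203.0.113.9
2024-03-07T03:16:30 alice READ /shared/passwords_backup.txt 203.0.113.9
2024-03-07T09:30:00 bob READ /eng/design.docx 10.0.2.5
"""
CUTOFF = datetime(2024, 3, 7)  # events before this build the baseline; later ones are reviewed

LINE_RE = re.compile(r"^(\S+) (\S+) (READ|WRITE|COPY|DELETE) (\S+) (\S+)$")

# Decoy objects (constructed paths): nobody has a legitimate reason to touch them.
HONEYPOT_PATHS = {"/shared/passwords_backup.txt"}
# Locations holding sensitive data (constructed); copy/delete there gets extra attention.
SENSITIVE_PREFIXES = ("/hr/", "/finance/")


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, action, path, ip = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "ip": ip})
    return events


def build_baseline(events):
    """Learn each user's usual top-level directories, source IPs and hours of activity."""
    baseline = defaultdict(lambda: {"dirs": set(), "ips": set(), "hours": set()})
    for e in events:
        b = baseline[e["user"]]
        b["dirs"].add(e["path"].split("/")[1])
        b["ips"].add(e["ip"])
        b["hours"].add(e["time"].hour)
    return baseline


def review_access_log(text, cutoff):
    """Return the post-cutoff events that deserve an analyst's attention, with reasons."""
    events = sorted(parse_log(text), key=lambda e: e["time"])
    baseline = build_baseline(e for e in events if e["time"] < cutoff)
    findings = []
    for e in (e for e in events if e["time"] >= cutoff):
        reasons = []
        if e["path"] in HONEYPOT_PATHS:
            reasons.append("honeypot_access")          # decoy touched: always an alert
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("no_baseline")              # never seen this user before
        else:
            if e["path"].split("/")[1] not in b["dirs"]:
                reasons.append("outside_normal_scope")
            if e["ip"] not in b["ips"]:
                reasons.append("unfamiliar_source")
            lo, hi = min(b["hours"]) - 1, max(b["hours"]) + 1   # one hour of slack each side
            if not lo <= e["time"].hour <= hi:
                reasons.append("unusual_hour")
        if e["action"] in ("COPY", "DELETE") and e["path"].startswith(SENSITIVE_PREFIXES):
            reasons.append("sensitive_" + e["action"].lower())
        if reasons:
            findings.append({"user": e["user"], "time": e["time"].isoformat(),
                             "action": e["action"], "path": e["path"], "reasons": reasons})
    return findings


def run_sample():
    return review_access_log(SAMPLE_LOG, CUTOFF)


if __name__ == "__main__":
    for f in run_sample():
        print(f["time"], f["user"], f["action"], f["path"], ",".join(f["reasons"]))
```

Bob's post-cutoff read of his usual file from his usual address produces no finding, while each of Alice's three early-morning events does; the decoy file is reported on its own even though the other checks also fire. In practice the baseline window is weeks rather than days and the hour slack is tuned per organisation, but the structure (learn normal, then compare) is the same one that user-behaviour analytics tools apply.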

To detect unauthorized modifications to data, cryptographic hash functions can be used to ensure data integrity. A hash, or digest, of a file is calculated and stored securely. Periodically, a new hash of the file can be calculated and compared to the original. If the hashes do not match, it is definitive proof that the file has been altered, which could be a sign of malicious activity.
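A minimal file-integrity check of the kind just described, added here as an example (it is not code from the original page). It hashes files in chunks with SHA-256, records the digests as a baseline, and on a later pass reports each file as unchanged, modified or missing; the file names and contents in the demonstration are constructed.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha256"):
    """Hash a file in 64 KiB chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(paths):
    """Compute reference digests. Store the result where the monitored host cannot rewrite it."""
    return {p: file_digest(p) for p in paths}


def verify(baseline):
    """Recompute each digest and compare it with the stored reference."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
            continue
        actual = file_digest(path)
        report[path] = "unchanged" if hmac.compare_digest(actual, expected) else "modified"
    return report


def demo():
    """Baseline two constructed files, then alter one and delete the other."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "config.ini")
        binary = os.path.join(d, "app.bin")
        with open(cfg, "w") as f:
            f.write("[db]\nhost=db.internal\n")
        with open(binary, "wb") as f:
            f.write(os.urandom(4096))
        baseline = record_baseline([cfg, binary])
        before = {os.path.basename(p): s for p, s in verify(baseline).items()}
        with open(cfg, "a") as f:          # simulated unauthorized edit
            f.write("host=203.0.113.9\n")
        os.remove(binary)                   # simulated deletion
        after = {os.path.basename(p): s for p, s in verify(baseline).items()}
    return before, after


if __name__ == "__main__":
    print(demo())
```

The comparison only proves something if the stored digests are out of reach of whoever can alter the files: keep the baseline off the monitored host, or sign it, otherwise an intruder who edits the file can simply refresh its hash as well. Tools such as AIDE and Tripwire implement this same loop with a protected database and scheduled checks.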

When selecting detective controls, organizations must consider several factors. The cost of the solution is important; while simple controls like honeypots and hashing are inexpensive, more advanced Data Loss Prevention (DLP) services that monitor all data usage and transmission can be costly. The sensitivity or criticality of the data also dictates the level of monitoring required. Data that is classified under legal or regulatory frameworks (such as PII, PHI, or PCI data) often has specific monitoring and reporting requirements.

Specific application attacks can be detected by analyzing log files for their unique signatures:

  • SQL injection attacks can be identified by searching user input logs for SQL control words (like WHERE or FROM), boolean conditions (OR 1=1), or special characters like single quotes and double dashes (--).
  • Cross-site scripting (XSS) attacks are often indicated by the presence of HTML script tags (<script>) in user input fields.
  • Buffer overflow attacks against web applications may be detected by looking for unusually long strings in URLs, cookies, or other parts of an HTTP request.
  • Directory traversal attacks are revealed by searching for HTTP GET requests that contain path sequences like ../ as an adversary attempts to navigate the server's file system.
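The four log signatures listed above, applied to a few request records. This is an added example rather than code from the original page; the log format (client IP, method, URL, status, cookie on one line), the thresholds and the sample lines are constructed. The request is URL-decoded before matching so that encoded forms of the same input are caught, and the SQL-keyword rule requires either a quote, a comment marker, a boolean condition or two keywords before it fires, which keeps ordinary English such as "from here" from raising an alert.

```python
import re
from urllib.parse import unquote_plus

# Signature patterns for each attack class described in the text.
SQL_KEYWORD_RE = re.compile(r"\b(select|union|insert|update|delete|drop|where|from)\b", re.I)
SQL_BOOLEAN_RE = re.compile(r"\b(or|and)\s+\S+\s*=\s*\S+", re.I)   # e.g. OR 1=1
XSS_RE = re.compile(r"<\s*/?\s*script\b", re.I)                      # <script> / </script>
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")                               # ../ or ..\
MAX_URL_LEN = 2048      # constructed thresholds; tune to the application's real maxima
MAX_COOKIE_LEN = 4096

# Constructed request log: "<client ip> <method> <url> <status> <cookie>"
SAMPLE_REQUESTS = [
    "198.51.100.7 GET /products?id=42 200 sessionid=abc123",
    "198.51.100.7 GET /products?id=42'%20OR%201=1-- 500 sessionid=abc123",
    "203.0.113.55 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E 200 sessionid=def456",
    "203.0.113.55 GET /static/..%2F..%2Fconfig%2Fdb.ini 404 sessionid=def456",
    "192.0.2.9 GET /login?user=" + "A" * 3000 + " 400 sessionid=ghi789",
    "192.0.2.9 GET /account 200 sessionid=" + "B" * 5000,
    "198.51.100.7 GET /search?q=from+here+to+there 200 sessionid=abc123",
]


def looks_like_sqli(text):
    """Quote or comment marker, a boolean condition, or two distinct SQL keywords."""
    quote_or_comment = "'" in text or "--" in text
    boolean = SQL_BOOLEAN_RE.search(text) is not None
    keywords = {k.lower() for k in SQL_KEYWORD_RE.findall(text)}
    return quote_or_comment or boolean or len(keywords) >= 2


def classify_request(ip, method, url, cookie):
    """Return the list of indicator names that match this request (empty if none)."""
    decoded = unquote_plus(url)        # match against what the application will see
    indicators = []
    if looks_like_sqli(decoded):
        indicators.append("sqli")
    if XSS_RE.search(decoded):
        indicators.append("xss")
    if len(url) > MAX_URL_LEN or len(cookie) > MAX_COOKIE_LEN:
        indicators.append("long_input")
    if TRAVERSAL_RE.search(decoded):
        indicators.append("traversal")
    return indicators


def scan_log(lines):
    """Parse each record and keep only those with at least one indicator."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue                   # malformed record; skip rather than guess
        ip, method, url, status, cookie = parts
        indicators = classify_request(ip, method, url, cookie)
        if indicators:
            findings.append({"ip": ip, "url": url[:60], "indicators": indicators})
    return findings


def run_sample():
    return scan_log(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f["ip"], ",".join(f["indicators"]), f["url"])
```

Five of the seven constructed records are reported, one per attack class plus a second long-input hit on the oversized cookie; the benign product lookup and the search for "from here to there" are not. Signature rules of this kind are cheap and explainable but they are only as good as their patterns: decode input the same way the application does, expect some false positives from legitimate content, and treat a hit as a reason to look at the request and the application's response, not as proof on its own.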