The Database Kill Chain

Cyber Threat Modeling Frameworks 

Modern attacks targeting sensitive data have become complex. An organization with many assets can easily get lost when trying to assess its overall risk, understand its pain points and prioritize the tasks required to secure its information systems. Cyber threat modeling frameworks were introduced to help solve this issue. By identifying the different parts of an attack and the techniques used in each, we can get a clearer picture of an attack or proactively fix security issues before becoming a victim.

Two major cyber threat frameworks are Lockheed Martin’s Cyber Kill Chain and MITRE ATT&CK. Lockheed Martin’s Cyber Kill Chain was first introduced in 2011 and is simpler than MITRE ATT&CK, with only 7 steps for an attack. MITRE ATT&CK was first introduced in 2013 and contains a full mapping of the Tactics, Techniques and Procedures (TTPs) used in an attack. This framework is the main standard used by many vendors to describe an attack.

Today, we introduce a new framework defined by Imperva’s Threat Research group.

Why Reinvent the Wheel?

Imperva’s data security solutions have existed for a long time, always striving to enhance protection and understanding of evolving threats. One of our initiatives is to correlate security findings to a relevant framework control. While frameworks like MITRE ATT&CK are very detailed, we found that when trying to use them to identify and describe a database-related attack, they are not fully suitable.

Introducing the Database Kill Chain

The Database Kill Chain outlines the key stages an attacker follows to gain access to an organization’s data. Whether it’s a compromised account originating from outside the network or a frustrated employee, this scenario assumes that the attacker has already gained access to the network and examines the attack phases from the database’s perspective.

This kill chain definition was inspired by the MITRE ATT&CK framework and consists of five database attack phases, as shown in Figure 1.

Figure 1

  1. Initial Access: The attacker gains access to the database.
  2. Data Intelligence: Once inside, the attacker gathers information on valuable data targets by examining system metadata to map out sensitive areas, entry points, users, roles and permissions.
  3. Persistence: The attacker secures ongoing access by creating privileged accounts, adding backdoors, or altering access policies, sometimes deploying malware or modifying triggers for continuous entry.
  4. Exploitation: Vulnerabilities are exploited to escalate privileges, evade detection, or run malicious code. Techniques may include SQL injection, altering logs, and bypassing security to expand reach.
  5. Data Access: The attacker now accesses sensitive data, possibly exfiltrating it gradually, encrypting it, or damaging it. Tactics may also include ransomware to block access until a ransom is paid.

Note that while the first and last phases mark the entry point and ultimately achieve data access, the inner phases can vary in order or repeat as needed.

Breaking Down the Phases Using DB Tactics

Each DB attack phase consists of one or more DB tactics (as shown in Figure 2), which correspond directly to the known MITRE adversary tactics framework. These DB tactics represent stages of attack behavior specifically mapped to database environments, covering actions an adversary might take to compromise and manipulate data within the database kill chain. By aligning with MITRE’s standardized tactics, this framework focuses on only those tactics relevant to database security, allowing for a more targeted approach to identifying and mitigating threats specific to database environments.

Figure 2

Snowflake’s 2024 Breach

Snowflake’s 2024 data breach is a good example of our database kill chain.

In June 2024, it was reported that a wave of recent data breaches was allegedly related to a large number of stolen Snowflake accounts (Initial Access). The threat actor used a tool internally named “rapeflake”, which Mandiant named FROSTBITE. FROSTBITE was used to gather information such as users, roles, IPs, etc. (Data Intelligence). Temporary stages were created (Exploitation), data was copied into them, and the files were then exfiltrated using GET requests (Data Access). The use of temporary stages is a defense evasion attempt, as temporary stages are deleted at the end of a session. Some tables were exfiltrated using ‘select *’, which is a noisy method (Data Access).
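As an added example (not Imperva's code or any vendor ruleset), the following maps Snowflake query-history rows to the kill chain phases above and flags a session that walks Data Intelligence, then a temporary stage (Exploitation), then stage-based exfiltration (Data Access). The query-history rows and the regex patterns are constructed assumptions modelled on the behaviour described in this section.

```python
import re
from collections import defaultdict

# Patterns per Database Kill Chain phase. These are assumptions modelled on the
# Snowflake case above (metadata recon, temp stage, COPY/GET, noisy select *).
PHASE_PATTERNS = {
    "Data Intelligence": [r"\bSHOW\s+(USERS|ROLES|GRANTS)\b",
                          r"\bINFORMATION_SCHEMA\b", r"\bLOGIN_HISTORY\b"],
    "Exploitation": [r"\bCREATE\s+(OR\s+REPLACE\s+)?TEMP(ORARY)?\s+STAGE\b"],
    "Data Access": [r"\bCOPY\s+INTO\s+@", r"^\s*GET\s+@", r"\bSELECT\s+\*\s+FROM\b"],
}

# Constructed sample of query-history rows (session_id, user, query_text).
SAMPLE_QUERY_HISTORY = [
    {"session_id": "s1", "user": "svc_report", "query_text": "SHOW USERS"},
    {"session_id": "s1", "user": "svc_report",
     "query_text": "SELECT user_name, client_ip FROM snowflake.account_usage.login_history"},
    {"session_id": "s1", "user": "svc_report", "query_text": "CREATE TEMPORARY STAGE tmp_out"},
    {"session_id": "s1", "user": "svc_report", "query_text": "COPY INTO @tmp_out FROM customers"},
    {"session_id": "s1", "user": "svc_report", "query_text": "GET @tmp_out file:///tmp/out/"},
    {"session_id": "s2", "user": "analyst", "query_text": "SELECT count(*) FROM orders"},
    {"session_id": "s3", "user": "etl", "query_text": "COPY INTO @prod_stage FROM daily_export"},
]

def classify(query):
    """Return the kill chain phase a single statement maps to, or None if benign."""
    for phase, patterns in PHASE_PATTERNS.items():
        if any(re.search(p, query, re.IGNORECASE) for p in patterns):
            return phase
    return None

def session_phases(records):
    """Per session, the phases observed in order of first appearance (deduplicated)."""
    seen = defaultdict(list)
    for rec in records:
        phase = classify(rec["query_text"])
        if phase and phase not in seen[rec["session_id"]]:
            seen[rec["session_id"]].append(phase)
    return dict(seen)

def _contains_chain(phases, chain):
    # True when `chain` appears as an ordered subsequence of `phases`.
    it = iter(phases)
    return all(step in it for step in chain)

def suspicious_sessions(records):
    """Sessions that follow recon -> temp stage -> exfiltration, like the Snowflake case."""
    chain = ["Data Intelligence", "Exploitation", "Data Access"]
    return sorted(sid for sid, ph in session_phases(records).items() if _contains_chain(ph, chain))
```

A single `COPY INTO @stage` (session s3) is ordinary ETL and is not flagged on its own; the alert fires only when the phases chain together within one session.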

Figure 3

Conclusion

The data threat landscape, with its complex attacks and data breaches, leaves organizations no choice but to use threat modeling frameworks when assessing risk and analyzing attacks. After exploring frameworks like MITRE ATT&CK, and examining multiple breaches and their TTPs, we have decided to publish this enhanced framework, which focuses mainly on database attacks. This framework serves as a guideline for our products, to give our customers a clear view of their organization’s security status and threat map.
