Advanced Persistent Surveillance: Insider “Hating” with ExtraHop and Wire Data

My last few posts have been centered around how we can go about finding potential breaches in your environment using ExtraHop’s wire data analytics platform. Most of these have involved placing a logical boundary around a set of CIDR blocks and reporting on L4 transactions that fall outside the defined boundaries. In the case of our Stream Analytics Critical Control Points post, we looked at connections from PROD to networks other than PROD and took a packet capture whenever we noted a violation. (Please see the SACCP post.)

In this post, I want to talk about how we can provide surveillance at Layer 7. Specifically, we are going to look at monitoring database traffic at Layer 7.

Scenario:

A disgruntled employee is about to start querying a sensitive database to steal important information. Since the user has approved credentials and will be accessing the database over approved ports using approved protocols, many standard security tools will not detect this insider’s behavior: they are operating in the “Behind the Perimeter Blind Spot” that exists in most organizations. In this hypothetical scenario, we have a table called “Employees” against which we want to audit any and all ad hoc selections. The way the CRM application is set up, the only transactions we should observe against this table would involve stored procedures. Any ad hoc “Select, Insert, Update or Drop” against it should be alerted on immediately.

Database: CRM
Sensitive Table: Employees

We set up the audit trigger below, which starts a PCAP capture whenever we see any sort of database transaction that includes “from employees”.

[Figure IH_1: the audit trigger]

We assign this trigger to the Database server housing our CRM Application and we should then be alerted any time someone runs an ad hoc query against the database.

Now, when an insider makes an ad hoc query, we can alert, send a syslog message or, as in the case of the trigger above, initiate a packet capture. As you can see below, a number of SENSITIVE TABLE PCAP files have been created, each identifying the client that ran the report as well as the server it was run against.
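As an added example (not the ExtraHop trigger from the screenshot, and not using ExtraHop’s trigger API), the audit policy described above in plain JavaScript: stored procedure calls are the approved path, ad hoc statements against the sensitive tables produce a capture request, and string literals and comments are stripped first so that a naive “from employees” substring match neither fires on a literal nor misses a bracketed name such as [dbo].[Employees]. The table list, addresses and sample statements are constructed for the example.

```javascript
// Table names taken from the post's scenario and examples.
const SENSITIVE_TABLES = ["Employees", "Customers", "CCards"];
// The post lists Select/Insert/Update/Drop; DELETE is added here as well.
const AD_HOC_METHODS = /^(SELECT|INSERT|UPDATE|DELETE|DROP)\b/i;
const TABLE_REF = "(FROM|JOIN|INTO|UPDATE|TABLE)\\s+(\\w+\\.)*";

// Remove string literals, comments and identifier quoting so that a naive
// substring match on "from employees" neither fires on a literal nor misses
// [dbo].[Employees].
function normalizeSql(sql) {
  return sql
    .replace(/'(?:[^']|'')*'/g, "''")   // single-quoted string literals
    .replace(/--[^\n]*/g, " ")          // line comments
    .replace(/\/\*[\s\S]*?\*\//g, " ")  // block comments
    .replace(/[\[\]"`]/g, "")           // [Employees], "Employees", `Employees`
    .replace(/\s+/g, " ")
    .trim();
}

function referencesSensitiveTable(normSql) {
  return SENSITIVE_TABLES.some((t) =>
    new RegExp(`\\b${TABLE_REF}${t}\\b`, "i").test(normSql));
}

// "allow": stored procedure call; "alert": ad hoc statement touching a
// sensitive table; "ignore": anything else.
function auditStatement(record) {
  const norm = normalizeSql(record.statement);
  if (/^(EXEC|EXECUTE|CALL)\b/i.test(norm)) return "allow";
  if (AD_HOC_METHODS.test(norm) && referencesSensitiveTable(norm)) return "alert";
  return "ignore";
}

// One capture request per offending statement, named like the post's
// "SENSITIVE TABLE" PCAPs and keyed by client and server address.
function auditBatch(records) {
  return records
    .filter((r) => auditStatement(r) === "alert")
    .map((r) => ({ capture: `SENSITIVE TABLE ${r.client} -> ${r.server}`,
                   statement: normalizeSql(r.statement) }));
}

// Constructed sample records with hypothetical addresses, not real traffic.
const SAMPLE = [
  { client: "10.0.5.23", server: "10.0.1.10", statement: "EXEC dbo.usp_GetEmployeeByID @id = 42" },
  { client: "10.0.5.23", server: "10.0.1.10", statement: "select LastName from Employees" },
  { client: "10.0.7.8",  server: "10.0.1.10", statement: "SELECT * FROM [dbo].[Customers] WHERE Note = 'from employees'" },
  { client: "10.0.7.8",  server: "10.0.1.10", statement: "SELECT 1 -- from Employees" },
];
```

Running auditBatch(SAMPLE) yields two capture requests (the ad hoc select against Employees and the select against Customers); the stored procedure call is allowed and the commented-out reference is ignored.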

[Figure IH_2: SENSITIVE TABLE PCAP files listed by client and server]

When we look at the PCAP we can see the ad hoc query that was run, and we can use the PCAP file as digital evidence to begin the process of dealing with the individual violating the policy. As you can see, the user ran the query “select LastName from Employees”. This is demo data, but it could just as easily have been “Select * from Customers” or “CCards”.

[Figure IH_3: the captured ad hoc query in the PCAP]

Conclusion:

As I recall, the Anthem breach was actually discovered by a system owner who noticed someone running ad hoc queries against their customer database. By providing Layer 7 visibility into the actual transaction, insiders can be effectively “named and shamed” when auditing with ExtraHop’s Wire Data platform. In today’s world, credentials are a joke (trust me, I sit at the core and look at packets all day). When an insider is using approved credentials and coming in over approved ports and protocols, the aperture needs to be widened to provide visibility into the L7 transactions, to ensure that they are appropriate and that an insider is not running unauthorized queries against your sensitive data.

Layer 7 auditing with ExtraHop positions you to give insiders a cardboard box, not access!

Thanks for reading!

John
