Risk analysis

更新时间:
复制 MD 格式

Background

Businesses face escalating security threats, particularly in authentication and access control. Traditional perimeter defenses are often insufficient against evolving cyberattacks, where attackers compromise core assets by stealing privileged accounts or exploiting vulnerabilities such as weak passwords and plaintext passwords. Network Detection and Response (NDR) can detect risky logon behavior (such as the use of privileged accounts, weak passwords, plaintext passwords, and leaked AccessKey pairs), sensitive data operations, and high-risk service activity, and helps you visualize and analyze logon behavior.

Prerequisites

You have provisioned traffic from your assets. For more information, see Provisioning.

Logon behavior risk types

Risk type

Analysis

Privileged account abuse

A privileged account provides extensive access to systems and data. A compromised privileged account can lead to catastrophic consequences. Monitoring and analyzing the logon behavior of privileged accounts in real time lets you quickly detect anomalous activities. Examples include logons from unknown geographic locations, access attempts outside of business hours, or unusual logon frequencies. This proactive monitoring helps prevent and mitigate potential threats.

Weak password logon

Using a simple, easy-to-guess password is a primary cause of account compromise. You can significantly reduce the risk of brute-force attacks by enforcing strong, complex passwords. This product detects successful logons that use a weak password in network traffic, such as logons to Web, MySQL, or FTP services. It then alerts your security operations team to take corrective action, enhancing overall system security.

Plaintext password transmission

Transmitting a plaintext password or a password that is not properly encrypted with a method such as base64, SHA, or AES, exposes your systems to attack. Encrypting all communications and monitoring network traffic for potential password exposure are critical security measures. This helps defend against external attackers and prevents accidental exposure of sensitive information by internal users.

Logon with a leaked AccessKey pair

In a cloud environment, an AccessKey pair (AK/SK) is a core credential for authentication and authorization. If an AccessKey pair is leaked, an attacker can use it to access cloud resources such as Object Storage Service (OSS), databases, and virtual machines. The attacker can then perform malicious actions, including data theft, resource abuse, or unauthorized deployments. An attacker might also perform lateral movement to access other cloud resources, or even abuse cloud resources for cryptomining or Distributed Denial-of-Service (DDoS) attacks.

More seriously, an attacker can use a leaked AccessKey pair to launch a fileless attack through legitimate API calls, without relying on malicious files or processes. This type of attack is highly stealthy and often evades traditional endpoint detection tools. This product monitors for successful logons that use a leaked AccessKey pair to quickly identify and alert on anomalous activity. This enables your team to take prompt action, prevent potential threats, and secure your cloud environment.

Logon behavior analysis

  1. Log on to the Network Detection and Response console.

  2. In the left-side navigation pane, choose Risks.

  3. On the Overview tab, view logon behavior risks and database behavior risks. You can click View Details to see more information on the corresponding tab.

Logon behavior

Privileged account logon behavior

On the Logon Activity > Privileged Accounts tab:

  • View logs

    In the Actions column, click View Logs to go to the Investigate page. This page shows logs filtered by logon behavior criteria such as Source IP and Destination Port.

  • View privileged account logon risk details

    1. In the Actions column, click Details. In the Details panel, view the Basic Information and Privileged Account Login Details for the target asset.

    2. In the Actions column, click View Payload to view the detailed payload for the record. Click the image icon to export all privileged account logon details included in this detection record.

Weak password logon behavior

On the Logon Activity > Weak Passwords tab:

  • View asset details

    1. In the list of weak password logon risks, click an address in the Destination IP Address column to view the corresponding Asset Information.

    2. In the lower section of the Asset Information dialog box, click Threat Analysis, Protocol Log, or Packet Query to go to the corresponding page and analyze the specified IP address. For more information, see Threat Analysis, Log Analysis, and Retrospective Analysis.

  • View logs

    In the Actions column, click View Logs to go to the Investigate page. This page shows logs filtered by logon behavior criteria such as Source IP and Destination Port.

  • View weak password risk details

    1. In the Actions column, click Details. In the Details panel, view the Basic Information and Weak Password Login Details for the target asset.

    2. In the Actions column, click View Payload to view the detailed payload for the record. Click the image icon to export all weak password logon details included in this detection record.

Plaintext password logon behavior

On the Logon Activity > Plaintext Credential tab:

  • View asset details

    1. In the list of plaintext password logon risks, click an address in the Destination IP Address column to view the corresponding Asset Information.

    2. In the lower section of the Asset Information dialog box, click Threat Analysis, Protocol Log, or Packet Query to go to the corresponding page and analyze the specified IP address. For more information, see Threat Analysis, Log Analysis, and Retrospective Analysis.

  • View logs

    In the Actions column, click View Logs to go to the Investigate page. This page shows logs filtered by logon behavior criteria such as Source IP and Destination Port.

  • View plaintext password logon risk details

    1. In the Actions column, click Details. In the Details panel, view the Basic Information and Plaintext Credential Login Details for the target asset.

    2. In the Actions column, click View Payload to view the detailed payload for the record. Click the image icon to export all plaintext password logon details included in this detection record.

Leaked AccessKey pair logon behavior

On the Logon Activity > Leaked AK/SK tab:

  • View asset details

    1. In the list of leaked AccessKey pair logon risks, click an address in the Destination IP Address column to view the corresponding Asset Information.

    2. In the lower section of the Asset Information dialog box, click Threat Analysis, Protocol Log, or Packet Query to go to the corresponding page and analyze the specified IP address. For more information, see Threat Analysis, Log Analysis, and Retrospective Analysis.

  • View logs

    In the Actions column, click View Logs to go to the Investigate page. This page shows logs filtered by logon behavior criteria such as Destination IP Address and Destination Port.

  • View leaked AccessKey pair logon risk details

    1. In the Actions column, click Details. In the Details panel, view the Basic Information and Leaked AccessKey Pair Login Details for the target asset.

    2. In the Actions column, click View Payload to view the detailed payload for the record. Click the image icon to export all leaked AccessKey pair logon details included in this detection record.

Other operations

  • Export data

    1. Click the image icon in the upper-right corner of the list to add a download task.

    2. In the upper-right corner of the page, click Download Tasks. In the Tasks, you can view the download tasks for all risk types.

    3. In the Actions column for a Completed task, you can click Download or Delete.

  • View sensitive data

    Click Sensitive Information to view the sensitive information related to the logon behavior.

  • Customize list fields

    Click the image icon to customize the fields displayed in the list.

Sensitive data behavior

  1. In the left-side navigation pane, choose Risks.

  2. On the Sensitive Data tab, view detected sensitive data and file transfers on your provisioned assets.

    Sensitivity level

    Description

    S1

    Non-sensitive data. Disclosing this type of data is unlikely to cause harm. Examples include provinces, cities, and product names.

    S2

    Generally sensitive data. This data is not suitable for public disclosure, and the harm from a data breach is low. Examples include names and addresses.

    S3

    Critically sensitive data. This data is highly sensitive, and even a small leak can cause serious harm. Examples include ID numbers, account passwords, and database credentials.

    S4

    Core confidential data. This data must not be disclosed under any circumstances. Examples include genetic data, fingerprints, and irises.

    • View asset details

      1. In the sensitive data or sensitive file behavior list, click an IP in the IP Address column to view the corresponding Asset Information.

      2. In the lower section of the Asset Information dialog box, click Intelligence Profile, Protocol Log, or Packet Query to go to the corresponding page and analyze the specified IP address. For more information, see Threat Analysis, Log Analysis, and Retrospective Analysis.

    • View logs

      In the Actions column, click View Logs to go to the Investigate page. This page shows logs filtered based on the behavior criteria.

    • View sensitive data and file behavior details

      Sensitive data

      • In the Actions column, click Details. In the Details panel, view the Basic Information and Sensitive Information for the target asset.

      • Click the number in the Sensitive Information Items column to view the sensitive information included in the record.

      • In the Actions column, click View Payload to view the detailed payload for the record.

      Sensitive file

      • In the Actions column, click Details. In the Details panel, view the Basic Information and Sensitive File Risk Details for the target asset.

      • In the Actions column, click File Details to view information about the sensitive file included in the record.

      • In the Actions column, click View Payload to view the detailed payload for the record.

High-risk service behavior

  1. In the left-side navigation pane, choose Risks.

  2. On the High-Risk Service tab, view the details of detected high-risk service behaviors.

  3. In the Actions column, click View Logs to go to the Investigate tab. This page shows logs filtered by the behavior criteria.

Database behavior analysis

  1. In the left-side navigation pane, choose Risks.

  2. On the Database Activity tab, view information about database risk behaviors on public and private networks.

    Risk type descriptions

    Risk type

    Description

    Data and information anomalies

    • The data and information anomaly risk involves database operations that read sensitive information beyond the normal scope. This can lead to the leakage of critical system information or expose the internal state of the database. These risks often manifest as unauthorized queries of system metadata, access to sensitive tables, or retrieval of environment parameters. Examples include attempts to read core database configurations, user permission structures, or system version information. Such anomalous operations can leak sensitive internal information that provides an attacker with key intelligence for subsequent attacks, such as data theft.

      SELECT * FROM information_schema.tables;
      SELECT * FROM pg_settings;
      SELECT * FROM mysql.user; 
    • Such anomalous operations can provide intelligence for subsequent security attacks and pose a potential threat. Therefore, you must use a comprehensive audit mechanism to identify these anomalous behaviors and limit unnecessary information exposure. This ensures business continuity while maintaining the confidentiality and security of data assets.

    File system modification risk

    • The file system modification risk refers to operations that alter key files or core configurations while the database is running. Such risks are often triggered by operational errors or anomalous commands. They can lead to unauthorized tampering of core system parameters, sensitive data leakage, or compromised system stability. For example, improperly modifying the log storage path or adjusting security policy restrictions by using specific statements can create opportunities for unauthorized access or malicious code injection.

      SET GLOBAL slow_query_log_file = '/tmp/slow_query.log';
      ALTER SYSTEM SET shared_preload_libraries = 'pg_stat_statements,auto_explain';
      SET GLOBAL local_infile = 1;
    • Promptly auditing and tracking these types of operations helps ensure the compliance and security of database configurations and maintain the integrity and controllability of the underlying operating environment. This prevents security issues caused by configuration anomalies and enhances the overall security posture of the system.

    Permission configuration risk

    • The permission configuration risk arises from improper permission allocation or incorrect security policy configuration during database operations. This can lead to excessive exposure of privileged information or failure of access control mechanisms. This type of risk often involves critical operations with high security sensitivity, such as granting permissions, adjusting authentication parameters, and managing system-level resources. Examples:

      GRANT ALL PRIVILEGES ON *.* TO 'dev_user'@'%';
      CREATE USER admin IDENTIFIED BY 'admin';  
      GRANT ALL ON customer_data TO public; 
    • This type of risk can manifest as the unnecessary granting of high-risk permissions, the downgrading of core security mechanisms, or the enabling of sensitive features that could be used for privilege escalation. Improper permission configuration can violate the principle of least privilege and create opportunities for unauthorized operations and lateral movement, leading to sensitive data leakage or system compromise.

    • To effectively control these risks, you must use an audit mechanism to identify permission grants that exceed business needs and parameter settings that deviate from security baselines. This practice ensures that the permission system design complies with the principle of segregation of duties, strengthens the overall security controls of the database, and prevents data access violations or system-level security events that are caused by privilege abuse.

    Data deletion risk

    • The data deletion risk refers to high-risk operations during database maintenance that can directly lead to data loss or the destruction of key structures. These operations typically involve the deletion of core objects such as data tables, databases, and views. Such operations often lack necessary filter conditions or business justification. Examples include clearing sensitive data without scope limits, deleting entire databases, and deleting dependent components like functions and stored procedures. These actions can directly cause business interruptions, irreversible loss of historical data, or disrupt system functionality.

      DELETE FROM user_credentials;
      TRUNCATE TABLE financial_transactions;
      DROP DATABASE sales_system;
      DROP TRIGGER trg_after_insert;
    • This risk includes not only explicit Data Definition Language (DDL) operations, such as DROP and TRUNCATE, but also Data Manipulation Language (DML) deletion statements, such as DELETE, that lack precise filter conditions. To effectively identify and control these high-risk behaviors, you must use an audit mechanism to detect unconventional deletion patterns. This prevents data asset destruction from operational errors or malicious behavior, thereby guaranteeing data integrity and business continuity.

  3. In the Actions column, click Details to view risk behavior details, AI-powered analysis, and remediation suggestions.

  4. In the Actions column, click View Logs to go to the Investigate tab. This page shows data filtered by specific criteria. For more information, see Protocol Parsing Backtrack.

References

To ensure data security, you can configure NDR policies to deny viewing and exporting of sensitive data.