Slightly off-topic, but can anyone tell me how you’d know that your database has been accessed by a threat actor? Should I be periodically reviewing all my logs for something unusual?
Yep. Quick and dirty you could alert on large or slow queries, and check the logs periodically. I know it’s probably not effective but I grep logs and watch the terminal looking for aberrant shapes. I believe AWS offers an ML solution to watch your infra and alert for things that are out of the usual, and I’m sure (haven’t built it, but talked to people that worked in the systems) the big companies have sophisticated systems looking for threats that use everything above and far more.
MarkMarine|3 years ago
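The "quick and dirty" approach in the reply above, turned into a small, scriptable check, as an added example that is not part of the thread or anyone's production tooling. It assumes PostgreSQL with `log_min_duration_statement` enabled and a `log_line_prefix` of `'%m [%p] %u@%d %h '` (that prefix layout is an assumption made for the example), and it runs over a handful of constructed log lines. Beyond the "slow query" idea in the reply, it also flags a client host outside a known allowlist, queries that enumerate the schema catalogs, and unbounded reads or `COPY ... TO` exports, which are the shapes a periodic review is usually looking for.

```python
import re
from dataclasses import dataclass

# Assumed log layout: log_line_prefix '%m [%p] %u@%d %h ' followed by the
# duration line that log_min_duration_statement emits. Adjust LOG_RE if your
# prefix differs. Continuation lines of multi-line statements carry no prefix
# and are skipped by parse().
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \w+) \[(?P<pid>\d+)\] "
    r"(?P<user>\w+)@(?P<db>\w+) (?P<host>[\d.]+) "
    r"LOG:  duration: (?P<ms>[\d.]+) ms  statement: (?P<sql>.*)$"
)

# Catalog / schema discovery queries: normal for migrations and ORMs at
# startup, unusual from an application connection in the middle of the night.
SCHEMA_PROBE = re.compile(r"\b(information_schema|pg_catalog|pg_tables)\b", re.I)

# Unbounded reads: "SELECT * FROM t" with no WHERE/LIMIT, or a COPY ... TO export.
BULK_READ = re.compile(
    r"^\s*(COPY\b.*\bTO\b|SELECT\s+\*\s+FROM\b(?!.*\b(WHERE|LIMIT)\b))",
    re.I | re.S,
)

# Constructed sample lines (not from any real system). Hosts and data are made up.
SAMPLE_LOG = [
    "2023-03-01 02:14:07.123 UTC [4120] app@shop 10.0.0.5 LOG:  duration: 12.4 ms  statement: SELECT id, total FROM orders WHERE id = 42",
    "2023-03-01 02:14:09.001 UTC [4120] app@shop 10.0.0.5 LOG:  duration: 8.7 ms  statement: UPDATE orders SET status = 'paid' WHERE id = 42",
    "2023-03-01 03:02:11.500 UTC [4188] app@shop 10.0.0.5 LOG:  duration: 15321.9 ms  statement: SELECT * FROM customers",
    "2023-03-01 03:03:40.222 UTC [4190] app@shop 203.0.113.77 LOG:  duration: 3.1 ms  statement: SELECT * FROM information_schema.tables WHERE table_schema = 'public'",
    "2023-03-01 03:05:02.900 UTC [4190] app@shop 203.0.113.77 LOG:  duration: 210.0 ms  statement: COPY (SELECT * FROM customers) TO STDOUT",
]

# Constructed allowlist: the application servers that are expected to connect.
KNOWN_HOSTS = {"10.0.0.5", "10.0.0.6"}


@dataclass
class Finding:
    rule: str
    line_no: int
    host: str
    sql: str


def parse(line):
    """Return the fields of one duration log line, or None if it is not one."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, known_hosts, slow_ms=5000.0):
    """Run the four checks over log lines and return every Finding, in log order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        rec = parse(line)
        if rec is None:
            continue
        host, sql = rec["host"], rec["sql"]
        if float(rec["ms"]) > slow_ms:
            findings.append(Finding("slow_query", n, host, sql))
        if host not in known_hosts:
            findings.append(Finding("unknown_client_host", n, host, sql))
        if SCHEMA_PROBE.search(sql):
            findings.append(Finding("schema_enumeration", n, host, sql))
        if BULK_READ.search(sql):
            findings.append(Finding("bulk_read", n, host, sql))
    return findings


def hosts_seen(lines):
    """Distinct client hosts in the log; useful for building the allowlist from a quiet baseline period."""
    return {rec["host"] for rec in map(parse, lines) if rec}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, KNOWN_HOSTS):
        print(f"line {f.line_no}: {f.rule:20s} host={f.host} sql={f.sql[:60]}")
```

Run it against a real log with `analyze(open(path).read().splitlines(), KNOWN_HOSTS)`; the thresholds and the allowlist are the parts you tune. `hosts_seen()` over a week of known-good logs is a reasonable starting allowlist, and a new host appearing outside it is the single most useful thing to page on, since a slow query has many benign causes but a connection from an address your deployment never produced does not.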