Imperva - SecureD Data Protection v1.5 HSL v1.2

The Imperva Data Protection Hands-On Participant Guide provides step-by-step instructions for navigating the Imperva Data Security Fabric, focusing on features such as database activity monitoring and data risk analytics. It aims to enhance understanding of data security, compliance, and incident response through guided scenarios and practical tasks. The guide emphasizes the importance of using filters and multiple platforms to effectively monitor and analyze database security and risks.


Imperva Data Protection Hands On Participant Guide

Version 1.5
Last updated: 07 Aug 2024
Purpose
The purpose of this document is to facilitate understanding and to provide step-by-step instructions for navigating and using the different features within the platform, so that the key information needed to answer the questions in the hands-on lab can be derived quickly and easily.

Being able to acquire key information and metrics quickly also means a lower, better MTTD (mean time to detect) and MTTR (mean time to respond) for any suspicious events and potential incidents.

About Imperva
Imperva Data Security Fabric is the first data-centric solution that enables your organization's security and compliance teams to quickly and easily secure sensitive data, no matter where it resides, with an integrated, proactive approach to visibility and predictive analytics, via the core features listed below:

• Discover ungoverned data, classify all data, and assess vulnerabilities.
• Gain complete visibility and ensure compliance with continuous monitoring, auditing and analysis of all data stores and data types.
• Detect and report non-compliant, risky, or malicious data access behavior across all your data repositories enterprise-wide to accelerate remediation.

Imperva Data Security Fabric consists of multiple data-security-centric platforms which can integrate and provide security protection for databases anywhere, across any infrastructure or environment. In this lab, we will focus on the two below:

Imperva DAM (Database Activity Monitor)
Look & Feel: (screenshot of the DAM console)
Purpose:
• DB Hygiene/Compliance
• DB Activity Visibility
• DB Audit & Security Policy

Imperva DRA (Data Risk Analytics)
Look & Feel: (screenshot of the DRA console)
Purpose:
• Prioritize Risks
• Analyze Unknown Risks
• User Entity Behavioral Analytics

Imperva.com 2
Instructions
There will be some guided scenarios to give participants a quick orientation to the platform; subsequently the guide provides step-by-step instructions to enable participants to find the information required for the lab.

We will be using the Database Risk & Visibility Matrix as a reference for the core scenarios of the lab.

Scenario | Platform | Description
The Compliant & Secured DB (Guided) | DAM/DBF | Objective is to quickly see which DBs are subject to which compliance.
The Compliant & Secured DB (Guided) | DAM/DBF | Objective is to quickly see which DBs are secured & un-secured.
The Risky DB (Guided) | DRA | Objective is to quickly see associated DB risks.
The Classified DB | DAM/DBF | Objective is to quickly see which DBs have sensitive data.
The Auditable DB | DAM/DBF | Objective is to quickly have visibility of DB operations to support audit activities.
The Security DB | DAM/DBF | Objective is to quickly see which DBs have possible violations.
The Riskier DB | DRA | Objective is to investigate and look for findings based on suspicious activities and threats.

Important Note:
Use of GUI
Scripting or any command line is not required in any part of the exercise.

Use of Filters
We will be using filters extensively in this lab for two reasons:
1. To enable a consistent viewpoint across all participants
2. To focus only on the important events (system-related DB events are filtered away)

Use of multiple platforms (DAM/DBF as well as DRA)
As part of day-to-day security monitoring, as well as investigation, triage and in-depth analysis of specific incidents, different platforms are used for different use cases.

DAM/DBF is the foundation of database security, providing a good understanding of and context for database activities, as well as the risks governed by both common and custom security compliance requirements and guidelines.

DRA provides a user-focused and incident-focused viewpoint, in which related events or incidents attributable to a user or an entity are analyzed and correlated.

We will explore in more depth what these platforms do within the lab activities.

Use of lab facilitators
There is no penalty for seeking assistance from our lab facilitators. While we recommend that participants explore and try the tasks on their own, do feel free to seek help from time to time when you are stuck or unsure.

Guided Scenario 1: The Compliant & Secured DB
Imperva Data Security Fabric provides an easy way to manage different compliance requirements across the multiple DBs which are monitored. Using tags, DB activities can be easily filtered based on compliance requirements (e.g. PDPA, IT-RM, PCI-DSS); in addition, tags can also be used for easy reporting and report generation.

Imperva Data Security Fabric provides a complete set of tools to help you discover, classify and manage assets in your network, including database services, database data, user rights and more. It then allows you to use this information to create security policies to monitor them, alert you to suspicious activity, audit activity on these various assets, and more.

Service discovery scans your network for open ports and determines the services listening on these ports. Any new databases can be discovered in a scheduled, continuous manner.

Credential Information
Link: https://dbf.hsldemo.net
Username: ctfuser
Password: Imperva123!

Guided Scenario Task 1: Get the number of DBs and find out the compliance based on tags
Guided Scenario Task 2: Get the inventory of DBs as well as their status

Regulation Compliance | PDPA: 1 | IT Risk Mgmt: 3 | PCI-DSS: 1
Secured DB | Secured: 0 | Non-Secured: 3 | Agent-based: 3 | Agent-less: 0

Difficulty: Guided
Steps:
1. Login to Imperva MX Platform using the above credential information.
2. Click on “Setup” in the menu at the top then “Agents” in the sub-menu.

3. Click on each Agent and see the individual tags

Guided Scenario 2: The Risky DB
Using AI/ML to detect and define Risk

Imperva Data Risk Analytics (DRA) is a security solution that provides protection to the databases in
your environment. Data Risk Analytics dynamically learns users’ normal data access patterns and
then identifies inappropriate or abusive access activity to proactively alert IT teams to dangerous
behavior.

Credential Information
Link: https://dra.hsldemo.net/
Username: IMPVCU\ctfuser
Password: Imperva123!

Guided Scenario Task 2: Get the number of Critical, High, Medium and Low Risk Issues

Risky Behavior | Critical: 16 | High: 13 | Medium: 12 | Low: 2

Difficulty: Guided
Steps:
1. Login to DRA using the above credential information.

2. [Critical] Record down the number of “Critical” Risk Issues. [ for example 3] [ ]
[High] Record down the number of “High” Risk Issues. [ ]
[Medium] Record down the number of “Medium” Risk Issues. [ ]
[Low] Record down the number of “Low” Risk Issues. [ ]
******

LAB Task: Find out number of most severe issues for the top 3 Users.
Difficulty: Guided

Steps:
1. Login to DRA using the above credential information.
2. Observe the number of “Critical” Risk Issues for Mariam Harris.
Observe the number of “Critical” Risk Issues for John Heidorn.
Observe the number of “Critical” Risk Issues for Tim Cooper.

Guided Task: Finding Suspicious Application Data Access
An interactive (human) user is directly accessing business data that should normally only be accessed via an application.
Difficulty: Guided
Steps:
1. Mouse over “Security Events” and click on “Issues”
2. Click on “Application Data on Several Databases Suspiciously Accessed Multiple Times by a Single User” with Issue ID #572 and Client Details “john.heidorn”.
   (Note: 1 Issue contains multiple Incidents)
3. Click on “Suspicious Application Data Access” with Incident ID #1309
4. Click on “What influenced the severity of this incident” to expand.
5. Click on the “↓” button next to “applicative tables” to expand.
6. Click on the “↓” button next to “DB connections” to expand.

Below are the investigation notes, derived from the DRA platform, which give context and investigative insights for the incident or issue and answer the fundamental questions of Who, What, Where, When and How.

Investigation Notes | Information
Who? (Human User) | John Heidorn
What? (What DB table is involved?) | contract, customer, asset, employee
Where? (Source IP Address) | 159.3.108.69 using win7x-john.h-desk
When? (Event Time/Date) | Feb 25 2022, 5:53pm – 6:10pm
How? (Why is this flagged as an issue?) | The tables accessed seem to hold applicative and/or sensitive data (significant influence); the user has used a service account to access the database (moderate influence); the user has accessed an excessive number of records (minor influence)

Scenario: The Classified DB
Imperva Data Security Fabric provides a complete set of tools to help you discover, classify and
manage assets in your network that include database services, database data user rights and more.
It then allows you to use this information to create security policies to monitor them, alert you to
suspicious activity, audit activity to these various assets, and more.

Data Classification consists of scanning database services to classify data types hosted on these
services. It uses credentials you provide to search existing services, either found through service
discovery, or manually configured.

Custom classifications can be created, and classification scans can be run automatically through scheduling.

The Classified DB Task 1: Find out what are the Sensitive Data in the Database

Classification | Personal Data: 0 | Credit Card: 0 | Financial: 0 | Health: 0 | Mobile Phone: 0 | Fraud: 0

Difficulty: ★★
Steps:
1. Continue using the Imperva DAM MX Platform.
2. Go to Discovery & Classification, then click on Classified DB Data
3. Click on “Distribution by Data Type”
4. In the “Filter” panel on the far left, under “Saved Filters”, click on “Accepted Sensitive”
   a. If the filter is missing, click on the Clear Filter button (above the chart)
   b. Click on the “filter: Last scan only is [True]”, and add “decision is [accept]” to the condition
5. [Personal Data] Observe the total number of classified data
   [Credit Card] Observe the number of “Payment Card” records
   [Financial] Observe the number of “Payment Card” + “Account Number” records
   [Health] There are no health-related sensitive data records
   [Mobile Phone] Observe the number of “Phone” records
   [Fraud] Observe the total number of classified data (everything can be used for Fraud)
******

Scenario: The Auditable DB
Auditing is defined as the saving of data regarding activity for the purpose of review and analysis.
The ability to audit this activity, which is expressed in access to sensitive data, is a key aspect in
securing your data, providing visibility into transactions being conducted in day-to-day operations,
and creating an audit trail that can assist in analyzing data theft, sensitive data exposure, and other
behavior that may impact your company’s data.

Imperva Data Security Fabric manages and tracks all activity in your network, as defined through
sites, services, server groups and applications. Additionally, you can configure audit policies that
audit database activity and access to files on file servers, which can then be queried and used to
analyze this activity.

The Auditable DB Task: Find out what are the Audit-related data in the Database

Audit | Service Admin Login/Logout: 0 | Applications: 0 | Users: 0 | SQL error: 0 | Sensitive data access/response: 0 | Delete/update activities: 0 | New user created: 0 | Local Activities: 0

Difficulty: ★★
Steps:
1. Continue using the Imperva DAM MX Platform.
2. Go to “Audit” at the top menu, then click on “DB Audit Data”
3. Click on “Filter” on the far left, click on “Saved Filters”, then click on “User List”
   Select “Last 3 Months” within Time Frame.
4. [Service Admin Login/Logout] Count the number of rows with logins.
******

5. Click on “DB Users” under Source Analysis.
6. [Users] Count the number of rows with logins.
******
7. Click on the Clear Filter button
   Click on “Source Applications” under Source Analysis
8. [Applications] Count the number of rows with Source Applications.
   Do not count empty/blank Source Applications.
******
9. Click on “SQL Errors” under Additional Views
   Make sure there are no active filters.
10. [SQL error] Count the number of rows with SQL errors.
******
11. Click on “Sensitive Query Overview” under the Data Access Patterns header
12. Click on “Filter” on the far left, click on “Saved Filters”, then click on “Sensitive Query – Sensitive Data”
13. [Sensitive Data Access/Response] Count the number of rows with Sensitive Data Access/Response.
******
14. Click on “Filter” on the far left, click on “Saved Filters”, then click on “Delete & Update Filter”
    Click on “Data Modification Analysis”
15. [Delete/update activities] Count the number of rows of all the delete and update operations.
    Do not count the Insert operations.
******
16. Click on “Newly Created Users” under the “Privileged operations” header
    a. Click on the Clear Filter button (make sure no criteria are shown)
    b. Make sure the time frame is “last 3 months”
17. [Newly created users] Count the number of rows in the list of users (objects).
******
18. Click on the Clear Filter button
    Click on “Source IPs” under Source Analysis
19. [Local Activities] Count the number of rows with a local address
    (Count only unique addresses from 0.0.0.0, 127.0.0.1 & 10.0.0.0/16)
******

Scenario: The Security DB
Imperva DAM/DBF comes with a set of definitions that characterize security violations and the actions to take in response to them.

It also contains predefined policies that provide protection against the majority of known attacks and threats. You can use the default policies, modify them or create user-defined policies.

Imperva DAM/DBF also incorporates a proprietary database scanner which is regularly updated with the latest vulnerability definitions discovered by the Imperva ADC (Application Defense Center) team. It runs these scans to assess your resources, searching for vulnerabilities and determining risk.

Find out what are the Security-related Data in the Database

Security | Select *: 0 | CVE: 0 | Mis-config: 0 | Excessive Response 200+: 0 | Violated policy: 0 | Unauthorized source IPs: 0 | Privilege commands: 0 | Login failed: 0

The Security DB Task 1: Find out what are the (Select *) commands from audit

Security | Select *: 0

Difficulty: ★★
Steps:
1. Continue using the Imperva DAM MX Platform.
2. Go to “Audit” at the top menu, then click on “DB Audit Data”
3. Click on “Filter” on the far left, then click on “Filter – Select *”
4. Select “Last 3 Months” for Time Frame
5. [Select *] The list will show the database activities with Select * operations.
******

The Security DB Task 2: Find out what are the Sensitive Data in the Database

Security | CVE: 0 | Mis-config: 0

Difficulty: ★★
Steps:
1. Continue using the Imperva DAM MX Platform.
2. Go to “Risk Management” at the top menu, then click on “Risk Console”
3. Filter the “Assessment Results” by clicking on “Known Vulnerabilities” under “Scan Name”.
4. Click on “Add to Filter”
5. Click on “This field”
6. [CVE] The list will show the total number of CVEs
******
7. Click on the Clear Filter button
8. In the “Filter” panel on the far left, under “Saved Filters”, click on “Misconfiguration”
9. [Mis-config] The list will show the total number of Misconfigurations.
******

The Security DB Task 3: Find out what are the potential Security Violations

Security | Excessive Response 200+: 0 | Violated policy: 0 | Unauthorized source IPs: 0

Difficulty: ★★
Steps:
1. Continue using the Imperva DAM MX Platform.
2. Go to “Monitor” at the top menu, then click on “Alerts”
3. Click on the “Alerts” subtab.
4. Go to the bottom of the screen and click on “Advanced”
   Select “90” days in “Last Few Days”
   Click “Apply”
5. [Violated Policy] Count the total number of aggregated alerts
   (Hint: Count the number of rows, and take note of page 2)
******
6. Click on “Filter” on the far left, click on “Saved Filters”, then click on “Custom – Security: DB Query High Response Size”
7. [Excessive Response 200+] The list will show the database activities with “Excessive Response 200+” operations.
   (Hint: Count the number of rows)
******
8. In the “Filter” panel on the far left, under “Saved Filters”, click on “Custom – Security: Unauthorized Source IPs”
9. [Unauthorized source IPs] The list will show the database activities with “Unauthorized source IPs” operations.
******

The Security DB Task 4: Find out what are the potential Security Violations

Security | Privilege commands: 0 | Login failed: 0

Difficulty: ★★
Steps:
1. Continue using the Imperva DAM MX Platform.
2. Go to “Audit” at the top menu, then click on “DB Audit Data”
3. Select “Last 3 Months” within the Scope
4. Click on the Clear Filter button
5. Click on “Privileged Query Overview” under Privileged Operations
6. [Privileged commands] Count the number of rows with Privileged Queries.
******
7. Click on “Failed Logins” under Additional Views
8. [Login failed] Count the number of rows with failed logins.
******

Lab Scenario: The Riskier DB
Using AI/ML to detect and define Risk
The Imperva DRA is used to detect:

• Compromised users whose credentials are stolen, or who unknowingly introduce malware
into the enterprise
• Malicious users who deliberately steal or tamper with corporate assets; and
• Careless users who inadvertently put sensitive data at risk

The Riskier DB Task 1: Finding DB Service Account Abuse
An interactive (human) user is using a DB service account to access the database.

Difficulty: ★★★
Hints to Answer:
1. Look for john.heidorn
2. Look for Several Database Service Accounts Abused Multiple Times by a Single User
3. Look for Issue ID #571
4. Look for Incident ID #1304

The Riskier DB Task 2: Finding Excessive Database Records Access
An individual has queried records in excess of what this individual, their peer group, and the organization normally query.

Difficulty: ★★★
Hints to Answer:
1. Look for mariam.harris
2. Look for Excessive Database Records Access
3. Look for Issue ID #534
4. Look for Incident ID #1004

The Riskier DB Task 3: Suspicious Sensitive System Tables Scan
An interactive (human) user has scanned sensitive system tables on several databases over a
relatively short period of time in an abnormal way. This could be an indication that a hacker or
malicious user is running a reconnaissance attack searching for interesting databases that can be
accessed in the organization.

Difficulty: ★★★
Hints to Answer:
1. Look for mariam.harris
2. Look for Suspicious Sensitive System Tables Scan
3. Look for Issue ID #490
4. Look for Incident ID #1305

The Riskier DB Task 4: Excessive Multiple Database Access
A user has attempted to access an abnormally high number of different databases over a short period of time. This could be an indication that a hacker or malicious user is running a reconnaissance attack searching for interesting databases that can be accessed in the organization.

Difficulty: ★★★
Hints to Answer:
1. Look for Excessive Multiple Database Access
2. Look for Issue ID #559
3. Look for Incident ID #1203

Annex A: Filter definitions
DB Audit data

Filter name | Field | Operation | Values
Delete and Update filter | Database | Not equals | master
Delete and Update filter | Object | Not equals | oauth_access_tokens, #tmp_role_member_ids, #sver, #tempbackup
Delete and Update filter | Object Type | Equals | table
Delete and Update filter | Operation | Not equals | select
Filter – Select * | Database | Not equals | Information_schema, Master, Model, Msdb, Mysql, Performance_schema, Sys
Filter – Select * | Object | Not equals | Tables, Dm_xe_sessions, Sysdatabases, Columns, Dm_resource_governor_resource_pools, Data_spaces, Server_event_sessions, Dm_cluster_endpoints, Filegroups, Database_recovery_status, Statistics, Syspolicy_system_health_state, #t_514907_result_b, Pg_attrdef, Databases, Availability_databases_cluster, #t_514907_result_a, Database_files, Dm_hadr_cluster, Schemata, Database_mirroring, Objects, Server_principals, Syspolicy_configuration, Availability_replicas
Filter – Select * | Operation | Equals | Select
Filter – Select * | Parsed Query | Contains | Select *, from index
Filter – Select * | Source Application | Not Equals | Postgresql jdbc driver
Sensitive Query – Sensitive data | Table group | Equals | Choose all beginning with DAM CTF site, Choose all beginning with sv2013
Sensitive Query – Sensitive data | User | Not equals | Hashed user, Hashed user (Unsupported SSL Cipher), Nt service\sqlagent$2014sql
User List | User | Not equals | Hashed user, Hashed user (Unsupported SSL Cipher), Nt service\sqlagent$2014sql

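To make the effect of each condition visible, the "Delete and Update filter" and "Filter – Select *" definitions above, together with the step 19 Local Activities count (0.0.0.0, 127.0.0.1 and 10.0.0.0/16) from The Auditable DB scenario, are re-implemented here over a handful of constructed audit rows. This is an added example, not code from the guide or from Imperva; the row field names and sample rows are assumptions, and the Select * object exclusion list is a subset of the Annex A list.

```python
"""Added example, not from the Imperva guide or product: Annex A filters and
the step 19 local-address count re-implemented over constructed audit rows.
Row field names are assumptions mirroring the Annex A column headings."""
import ipaddress

# Constructed sample DB Audit rows (illustrative values, not captured data).
AUDIT_ROWS = [
    {"database": "sales", "object": "customer", "object_type": "table",
     "operation": "select", "parsed_query": "select * from customer",
     "source_app": "SQL Server Management Studio",
     "source_ip": "159.3.108.69", "user": "john.heidorn"},
    {"database": "master", "object": "sysdatabases", "object_type": "table",
     "operation": "select", "parsed_query": "select * from sysdatabases",
     "source_app": "SQL Server Management Studio",
     "source_ip": "127.0.0.1", "user": "Nt service\\sqlagent$2014sql"},
    {"database": "sales", "object": "contract", "object_type": "table",
     "operation": "update", "parsed_query": "update contract set status = 1",
     "source_app": "Postgresql jdbc driver",
     "source_ip": "10.0.5.7", "user": "mariam.harris"},
    {"database": "sales", "object": "#tempbackup", "object_type": "table",
     "operation": "delete", "parsed_query": "delete from #tempbackup",
     "source_app": "sqlcmd", "source_ip": "10.0.5.7", "user": "dba"},
    {"database": "sales", "object": "asset", "object_type": "table",
     "operation": "insert", "parsed_query": "insert into asset values (1)",
     "source_app": "sqlcmd", "source_ip": "0.0.0.0", "user": "dba"},
]

# "Delete and Update filter" exclusions, as listed in Annex A.
DU_EXCLUDED_DBS = {"master"}
DU_EXCLUDED_OBJECTS = {"oauth_access_tokens", "#tmp_role_member_ids",
                       "#sver", "#tempbackup"}

# "Filter - Select *" exclusions. The Annex A object list is longer; this is
# a subset (system databases plus a few catalog views).
SS_EXCLUDED_DBS = {"information_schema", "master", "model", "msdb", "mysql",
                   "performance_schema", "sys"}
SS_EXCLUDED_OBJECTS = {"tables", "columns", "databases", "sysdatabases",
                       "objects", "schemata", "server_principals"}
SS_EXCLUDED_APPS = {"postgresql jdbc driver"}

# Local ranges named in step 19 (Local Activities) of The Auditable DB.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("0.0.0.0/32", "127.0.0.1/32", "10.0.0.0/16")]


def delete_and_update_filter(rows):
    """Annex A filter: table objects with any non-select operation, with the
    housekeeping database/objects excluded. Inserts still pass this filter."""
    return [r for r in rows
            if r["database"].lower() not in DU_EXCLUDED_DBS
            and r["object"].lower() not in DU_EXCLUDED_OBJECTS
            and r["object_type"].lower() == "table"
            and r["operation"].lower() != "select"]


def count_delete_update(rows):
    """Step 15: count delete and update rows only, dropping the inserts."""
    return sum(1 for r in delete_and_update_filter(rows)
               if r["operation"].lower() in {"delete", "update"})


def select_star_filter(rows):
    """Annex A filter: 'select *' queries outside system schemas that were not
    issued through the PostgreSQL JDBC driver."""
    return [r for r in rows
            if r["operation"].lower() == "select"
            and "select *" in r["parsed_query"].lower()
            and r["database"].lower() not in SS_EXCLUDED_DBS
            and r["object"].lower() not in SS_EXCLUDED_OBJECTS
            and r["source_app"].lower() not in SS_EXCLUDED_APPS]


def local_activity_addresses(rows):
    """Step 19: unique source addresses that fall inside the local ranges."""
    return sorted({r["source_ip"] for r in rows
                   if any(ipaddress.ip_address(r["source_ip"]) in net
                          for net in LOCAL_NETS)})
```

Note that the insert row passes the Delete and Update filter but is dropped by the step 15 count, and that the system-database row with `select *` is removed by the Select * filter's database exclusion, which is what keeps the lab's counts free of housekeeping noise.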
Classified DB data

Filter name | Field | Operation | Values
Accepted Sensitive | Decision | equals | Accept
Accepted Sensitive | Last scan only | | True

Alerts

Filter name | Field | Operation | Values
Custom - DB Query High Response Size | Custom Policy | equals | Custom – Security: DB Query High Response Size
Custom - DB Query High Response Size | Last few Days | | 90
Custom - Unauthorised Source IPs | Custom Policy | equals | Custom – Security: Unauthorized Source IPs
Custom - Unauthorised Source IPs | Last few Days | | 90

Risk Management – Risk Console

Filter name | Field | Operation | Values
Misconfiguration | Last Scan in each policy | | True
Misconfiguration | Result | Equals | Failed, Info

APPENDIX A: Metrics & Investigation

General Metrics

Regulation Compliance | PDPA: 1 | IT Risk Mgmt: 3 | PCI-DSS: 1
Secured DB | Secured: 0 | Non-Secured: 3 | Agent Based: 3 | AgentLess: 0
Classification [pg 11-13] | Personal Data | Credit Card | Financial | Health | Mobile Phone | Fraud
Audit [pg 14-18] | Service Admin Login / Logout | Applications | Users | SQL Errors | Sensitive Data access / Response | Delete / Update Activities | New User Created | Local Activities
Security [Pg 19-26] | Select * | CVE | Mis-config | Excessive Response +200 | Violated Policy | Unauthorized Source IPs | Privileged Commands | Login Failed
Risky Behaviour | Critical: 16 | High: 13 | Medium: 12 | Low: 2

The Riskier DB Task 1: Finding DB Service Account Abuse

Investigation Notes | Information
Who? (Human User) |
What? (What kind of data is related) |
Where? (Source Host/IP Address) |
When? (Event Time) |
How? (How it happened? Incident) |
Which? (Which Application?) |

The Riskier DB Task 2: Finding Excessive Database Records Access

Investigation Notes | Information
Who? (Human User) |
What? (What kind of data is related) |
Where? (Source Host/IP Address) |
When? (Event Time) |
How? (How it happened? Incident) |
How? (How many records in total are accessed?) |
Which? (Which Application?) |

The Riskier DB Task 3: Suspicious Sensitive System Tables Scan

Investigation Notes | Information
Who? (Human User) |
What? (What kind of data is related) |
Where? (Source Host/IP Address) |
When? (Event Time) |
How? (How it happened? Incident) |
Which? (Which Application?) |

The Riskier DB Task 4: Excessive Multiple Database Access

Investigation Notes | Information
Who? (Human User) |
What? (What kind of data is related) |
Where? (Source Host/IP Address) |
When? (Event Time) |
How? (How it happened? Incident) |
Which? (Which Application?) |

End of Document