The talk is about what to do if there is a breach of an Oracle database. This covers the response process which is in essence a checklist of actions to take when there is a breach and also some suggestion of who should be involved and why. The first step is to assess what if any incident has occurred and if we can prove the incident is real then we must hand over control to the incident co-ordinator. This person manages the process and who is involved and what access is granted and allowed. I discuss this process in details so please have a look at the slides.
The next step is to do Live Response. This is the process of gathering the evidence in the correct order so that the evidence gathering itself does not affect the evidence! So in simple terms you may want to gather SQL statements that have been executed to see if any of them are dodgy BUT gathering the SQL statements means running SQL so this affects the historic statements. We discuss this and other issues in the area of gathering evidence in the slides.
The final part of a breach response and analysis is the process of actual forensic analysis of a breach that has occurred in the Oracle database. This means placing the evidence in time line and assessing if its relevant to the investigation and what part does it play and what other evidence must be gathered or sought. We aim to ask certain questions:
- Was there a breach?
- How did they get in?
- Who did they get in as?
- What did they do?
- Did they change anything?
- What could they have done with the reach they had if they had more skill?
The slides cover a lot more material and they are new to my site, so please have a look
#oracleace #oracle #database #forensics #security #gdpr #liveresponse #databreach
