Leveraging Database Honeypots to Gather Threat Intelligence
Abstract
In the digital age, the proliferation of personal data within databases has made them prime targets for cyberattacks. As the volume of data increases, so does the frequency and sophistication of these attacks. This thesis investigates database security threats by deploying open-source database honeypots to gather threat intelligence. We utilized five different honeypots at various interaction levels, deploying a total of 275 low-interaction, 50 medium-interaction, and 8 high-interaction honeypots over 20 to 23 days to collect a wide range of adversarial data. Through this deployment, we gathered 37,618,111 log entries from 8,786 IPs.
Our analysis of these logs indicates that databases exposed to the internet are most likely to be discovered within an hour of deployment due to pervasive internet scanning. Additionally, we found that adversaries exhibit preferences for attacking certain database management systems, engage in irregular attack frequencies marked by short bursts, utilize diverse tools, and exploit both cloud service providers and infected machines. The findings also provide a high-level overview and analysis of observed attacks, including remote code execution, worms, botnets, data theft, and cryptojacking.
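Two of the abstract's findings, time-to-discovery after deployment and short-burst attack frequency, are the kind of metric a defender derives from honeypot connection logs. The following is an added example, not code or data from the thesis: it uses constructed deployment times and connection events (hypothetical honeypot ids and documentation-range IPs) and computes minutes-to-first-contact per honeypot and the number of bursts per (honeypot, source IP), where a burst is a run of at least three events each arriving within 30 seconds of the previous one.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thesis): deployment time per honeypot
# and connection events as (honeypot_id, source_ip, timestamp).
DEPLOYED = {
    "hp-low-01": datetime(2024, 1, 1, 0, 0, 0),
    "hp-high-01": datetime(2024, 1, 1, 0, 0, 0),
}
EVENTS = [
    ("hp-low-01", "198.51.100.7", datetime(2024, 1, 1, 0, 12, 0)),
    ("hp-low-01", "198.51.100.7", datetime(2024, 1, 1, 0, 12, 5)),
    ("hp-low-01", "198.51.100.7", datetime(2024, 1, 1, 0, 12, 9)),
    ("hp-low-01", "203.0.113.9", datetime(2024, 1, 1, 5, 0, 0)),
    ("hp-high-01", "203.0.113.9", datetime(2024, 1, 1, 3, 30, 0)),
    ("hp-high-01", "203.0.113.9", datetime(2024, 1, 1, 3, 30, 2)),
    ("hp-high-01", "203.0.113.9", datetime(2024, 1, 1, 3, 30, 4)),
    ("hp-high-01", "203.0.113.9", datetime(2024, 1, 1, 3, 30, 6)),
]

def time_to_first_contact(deployed, events):
    """Minutes from deployment until the first observed connection, per honeypot."""
    first = {}
    for hp, _ip, ts in events:
        if hp not in first or ts < first[hp]:
            first[hp] = ts
    return {hp: (first[hp] - deployed[hp]).total_seconds() / 60 for hp in first}

def bursts(events, window=timedelta(seconds=30), min_events=3):
    """Count bursts per (honeypot, source IP): a burst is a run of at least
    min_events events where each follows the previous one within `window`."""
    by_key = {}
    for hp, ip, ts in events:
        by_key.setdefault((hp, ip), []).append(ts)
    result = {}
    for key, times in by_key.items():
        times.sort()
        count, run = 0, 1
        for prev, cur in zip(times, times[1:]):
            if cur - prev <= window:
                run += 1
            else:
                count += run >= min_events  # close the previous run
                run = 1
        count += run >= min_events  # close the final run
        result[key] = count
    return result
```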