You are monitoring your network's traffic, looking for signs of strange activity. After looking at the logs, you see that there was a recent spike in database read volume.
Could this be a problem and why?
Answer choices:
- Yes. A spike in database read volume can show that someone is trying to use a brute force attack.
- Yes. A spike in database read volume can show that a hacker has downloaded a great deal of information from the database.
- No. A spike in database read volume is only a problem if it happens multiple times in a short period.
- No. A spike in database read volume is a normal occurrence that is not suspicious.
Answered by GPT-5 mini (AI)
Correct answers: the first two "Yes" choices.
Why:
- A sudden read-volume spike can indicate data exfiltration — an attacker or compromised account selecting and downloading large amounts of data.
- It can also result from brute‑force or credential‑stuffing activity that generates a high rate of authentication/lookup queries against user tables or other read operations.
Caveat: a read spike can also be benign (scheduled backups, analytics jobs, cache misses, a traffic surge, inefficient queries or index problems). Because both benign and malicious causes are possible, you should investigate rather than assume it’s safe.
Investigation and immediate actions (short checklist):
- Identify the queries responsible (slow/query logs, audit logs, DB monitoring). Look for SELECT * or large resultsets, bulk export tools (pg_dump, mysqldump, COPY).
- Check which DB user/application and which source IPs/hosts generated the traffic and whether they’re expected.
- Correlate with application logs, web server logs, and network egress to see if data was transferred out.
- Check time-of-day, sudden new accounts/privileges, and whether multiple short queries or a few large scans caused the spike.
- If suspicious: block or throttle the source, revoke/rotate credentials, enforce rate limits, apply least privilege, and preserve logs for forensics.
- Tune alerts and baselines to detect future anomalies.
In short: a read-volume spike can be a problem and should be investigated promptly.
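As an added illustration of the checklist above (example code, not part of the original answer), a small Python detector over constructed per-minute audit records: it flags minutes whose total rows read exceed a baseline, then attributes each flagged minute to the DB user and source host and labels the query shape (many tiny lookups versus a few large scans). All user names, hosts and row counts are made up.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of per-minute DB audit records: (minute, db_user, src_ip, rows_read).
# Minutes 0-9 are a flat baseline; minute 10 adds one huge scan by a reporting account;
# minute 11 adds thousands of single-row lookups from one external host. Hypothetical values.
SAMPLE = (
    [(m, "app_ro", "10.0.0.5", 120) for m in range(10)]
    + [(m, "app_ro", "10.0.0.6", 80) for m in range(10)]
    + [(10, "app_ro", "10.0.0.5", 110), (10, "reports", "10.0.9.9", 50000)]
    + [(11, "app_ro", "10.0.0.5", 115)]
    + [(11, "web", "203.0.113.7", 1) for _ in range(3000)]
)

def per_minute_totals(records):
    """Sum rows read per minute, regardless of user or source."""
    totals = defaultdict(int)
    for minute, _, _, rows in records:
        totals[minute] += rows
    return dict(totals)

def spike_minutes(records, baseline_minutes=range(10), z=3.0):
    """Return minutes outside the baseline window whose total exceeds mean + z*stdev."""
    totals = per_minute_totals(records)
    base = [totals.get(m, 0) for m in baseline_minutes]
    mu, sd = mean(base), pstdev(base)
    threshold = mu + z * max(sd, 1.0)  # floor the stdev so a perfectly flat baseline still yields a threshold
    return sorted(m for m, v in totals.items() if m not in baseline_minutes and v > threshold)

def attribute(records, minute):
    """For one minute: (rows, query_count, shape) per (db_user, src_ip)."""
    stats = defaultdict(lambda: [0, 0])
    for m, user, ip, rows in records:
        if m == minute:
            stats[(user, ip)][0] += rows
            stats[(user, ip)][1] += 1
    out = {}
    for key, (rows, count) in stats.items():
        if count >= 1000 and rows / count < 10:
            shape = "many-small-lookups"   # pattern consistent with brute-force / credential stuffing
        elif count < 10 and rows >= 10000:
            shape = "few-large-scans"      # pattern consistent with bulk export / exfiltration
        else:
            shape = "normal"
        out[key] = (rows, count, shape)
    return out

if __name__ == "__main__":
    for minute in spike_minutes(SAMPLE):
        print(minute, attribute(SAMPLE, minute))
```

In practice the baseline window and z-score would be tuned per database, and the attributed (user, source) pairs are what you then check against expected jobs, application hosts and recent credential or privilege changes.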