Intelligent CISO Issue 30 | Page 50

It’s time for organisations to adapt their security practices to these new conditions by reducing the reliance on employees being physically in data centres.
FEATURE


and require flying below the radar of security teams. Walmsley considers some of the critical attack vectors used to target data centres:
Co-opting administrative access – Administrative protocols can give attackers backdoor access into the data centre without the need to directly exploit an application vulnerability. By using standard admin tools such as SSH, Telnet or RDP, attackers easily blend in with normal admin traffic.
Local authentication loopholes – Many data centres implement additional local authentication options that can be used in an emergency to access the hosts and workloads they need to manage. However, these options are not logged, and the same login credentials are often shared across hosts and workloads for the sake of simplicity. When attackers obtain the credentials by compromising an administrator, they can silently access the data centre.
Hardware backdoors – Today’s data centres are synonymous with virtualisation. Yet virtual disks are ultimately dependent on physical disks, and the physical disks run in physical servers. Physical servers have their own management planes designed for lights-out and out-of-band management. These actions are often performed via protocols such as the Intelligent Platform Management Interface (IPMI). IPMI has well-documented security weaknesses and is often slow to receive updates and fixes. Additionally, there are currently a worrying 88,336 hosts whose IPMI interfaces are exposed to the Internet. The combination of IPMI vulnerabilities and its immense power makes it a significant attack vector for threat actors attempting to subvert the security of the data centre.
Matt Walmsley, EMEA Director, Vectra
Advanced attackers, including nation-states, increasingly target physical servers, routers, switches and even firewalls. At a fundamental level, the attackers use rootkits that sit below the level of the operating system, making them extremely difficult to detect using traditional methods. These techniques allow attackers to infect the very devices that are trusted and charged with protecting the network, and then use those devices to launch attacks deeper into the network.
Hidden command-and-control traffic, reconnaissance, lateral movement and the compromise of user and admin credentials are all prerequisites that lead up to the intrusion into the data centre. An attack is typically at a mature stage by the time it reaches a data centre. Subtle attackers attempt to stay low and slow by patiently exfiltrating data at rates that are less likely to be noticed or arouse suspicion. Efforts can also be made to obscure data exfiltration in hidden tunnels within normally allowed traffic, such as HTTP, HTTPS or DNS traffic.
Rapid detection and effective response to the evidence of a hidden attacker active in or approaching the data centre can make the difference between a contained security incident and an organisationally damaging breach.
The signals that betray hidden attackers through their immutable behaviour are there, but hidden in the vast noise of legitimate communications and interactions. It’s here that automation, powered by AI, is increasingly supporting security teams in protecting their data centres, using Network Detection and Response (NDR) platforms to detect and respond to hidden attacks at speeds and scale unattainable by human effort alone.
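One way to surface the kind of signal described above, as an added example that is not from the article or from Vectra: a small Python heuristic that scores DNS query logs for tunnelling-like behaviour (many long, high-entropy, never-repeating subdomains under one base domain). The log lines, domain names and thresholds are constructed for illustration.

```python
import math
from collections import defaultdict
# Constructed DNS query log (client, queried name); not from the article.
# exfil-test.invalid carries encoded data in long, never-repeating labels;
# example.org repeats one long static label, as a CDN might, not a tunnel.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 cdn.example.com
10.0.0.5 mail.example.com
10.0.0.7 ZmluYWwgY2h1bmsgb2YgZGF0YQ.a8Tq2LpX.exfil-test.invalid
10.0.0.7 U2VjcmV0IGRhdGEgaGVyZQ.x3K9vRbN7mQw.exfil-test.invalid
10.0.0.7 Sm9obiBEb2UgcmVjb3JkIDAx.L7pQzW4kNx.exfil-test.invalid
10.0.0.7 TW9yZSBkYXRhIGxlYXZlcyBub3c.Hq8rT2mZ.exfil-test.invalid
10.0.0.8 a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.static.example.org
10.0.0.8 a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.static.example.org
10.0.0.8 a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.static.example.org
"""

def shannon_entropy(text):
    # Bits per character; encoded payloads score well above ordinary hostnames.
    n = len(text)
    return -sum(text.count(ch) / n * math.log2(text.count(ch) / n) for ch in set(text))

def split_name(qname, levels=2):
    # (subdomain part, base domain); the fixed two-label base is a simplification,
    # real deployments would consult a public-suffix list.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-levels]), ".".join(labels[-levels:])

def score_dns_tunnels(log_text, min_queries=3, min_avg_len=30,
                      min_entropy=3.5, min_unique=0.9):
    # Flag base domains whose subdomains behave like a data channel: many,
    # long, high-entropy and almost never repeated (repeats point to caching).
    per_base = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        _client, qname = line.split()
        sub, base = split_name(qname)
        if sub:
            per_base[base].append(sub)
    suspects = {}
    for base, subs in per_base.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        unique_ratio = len(set(subs)) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_entropy and unique_ratio >= min_unique:
            suspects[base] = {"queries": len(subs), "avg_label_len": round(avg_len, 1),
                              "avg_entropy": round(avg_ent, 2)}
    return suspects
```

Run on the constructed log, only exfil-test.invalid is reported; the repeated static label under example.org fails the uniqueness check, which is what keeps ordinary CDN and cache-buster names out of the alert queue.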