DCN March 2017 | Page 37

Infrastructure back doors
cent of traffic never leaves the data centre, making it invisible to traditional network perimeter security controls, yet there are still gaping holes in the desired 'defence in depth' of many data centre security architectures.
Rather than directly targeting live virtual instances, intruders instead focus on subverting the physical infrastructure that the virtual machines rely on. Building back doors into data centre and networking infrastructure isn't the work of an apprentice or a limited-capability cyber criminal. There are historical examples of back doors found in security equipment from vendors including Cisco Systems, Fortinet, Juniper and China's Huawei. Nation states have the resources, capabilities and inclination to build and use such back doors in key vendor systems.
A common approach to data centre security has been to run software agents inside each VM to protect and monitor the workload. Against an infrastructure back door, all the application and data centre virtualisation security in the world would not have stopped bad actors such as the Equation Group, who used a sub-OS rootkit: code running below the operating system is outside the view of any agent inside it, which allowed them to invisibly bypass higher-level technical defences.
Another poorly considered data centre attack vector is the exploitation of low-level infrastructure management protocols such as the Intelligent Platform Management Interface (IPMI) to attack low-level resources like the Basic Input/Output System (BIOS). According to Shadowserver, 32 per cent of IPMI servers run decades-old insecure versions, five per cent use the default password, 30 per cent use easily guessable passwords, and only 72 per cent require authentication at all. What would happen if these IPMI interfaces were reachable over the public Internet? The operators of 6,284 UK hosts may be finding out, as the UK ranks sixth in the world for Internet-accessible IPMI hosts. A baseboard management controller belongs on an isolated management network; there is no legitimate reason for it to answer from a routable address. When an attacker can plant a back door below the operating system of a server and read the physical disk, they can see any data they want.
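As an added example, not code from the original article or from Shadowserver, the script below decodes the IPMI 'Get Channel Authentication Capabilities' response (NetFn App, command 0x38, the unauthenticated query a client sends before opening a session) and lists the weak settings a BMC advertises: 'none' or plaintext authentication, anonymous or null-user login, and IPMI 1.5 only. The byte layout follows the IPMI v2.0 specification; the two sample frames are constructed for illustration rather than captured from a real device, and the probe() helper that sends the query over UDP/623 is included for completeness but needs a reachable BMC, so it is not exercised here.

```python
"""Decode an IPMI 'Get Channel Authentication Capabilities' response and flag
weak settings.  Added example for this article, not vendor or Shadowserver
code.  Field layout follows IPMI v2.0 spec section 22.13 (NetFn App, cmd
0x38); the sample frames below are constructed, not captured from a real BMC.
"""
import socket
import struct

IPMI_PORT = 623
RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x07])   # version, reserved, no-ack seq, class=IPMI


def _checksum(data: bytes) -> int:
    """IPMI two's-complement checksum: (sum(data) + checksum) % 256 == 0."""
    return (-sum(data)) & 0xFF


def _frame(msg: bytes) -> bytes:
    """Wrap an IPMI message in an RMCP + v1.5 session header with auth type
    'none' and session ID 0, i.e. the pre-session form a BMC must accept."""
    session = bytes([0x00]) + struct.pack("<II", 0, 0) + bytes([len(msg)])
    return RMCP_HEADER + session + msg


def build_request(channel: int = 0x0E, priv: int = 0x04) -> bytes:
    """Get Channel Authentication Capabilities request.  channel 0x0E means
    'the channel this arrives on'; priv 0x04 asks about Administrator level."""
    hdr = bytes([0x20, 0x06 << 2])                    # rsAddr=BMC, NetFn=App request, LUN 0
    body = bytes([0x81, 0x00, 0x38, channel, priv])   # rqAddr, rqSeq/LUN, cmd, data
    return _frame(hdr + bytes([_checksum(hdr)]) + body + bytes([_checksum(body)]))


def audit_response(pkt: bytes) -> dict:
    """Return the channel, whether IPMI 2.0 is offered, and a list of findings."""
    msg = pkt[len(RMCP_HEADER) + 10:]                 # skip RMCP + session header
    if len(msg) < 16:                                 # 7 header bytes + 8 data + checksum
        raise ValueError("short IPMI response")
    if sum(msg[:3]) & 0xFF or sum(msg[3:]) & 0xFF:    # both IPMI checksums must zero out
        raise ValueError("IPMI checksum mismatch")
    cmd, ccode = msg[5], msg[6]
    if cmd != 0x38 or ccode != 0x00:
        raise ValueError(f"unexpected cmd=0x{cmd:02x} completion=0x{ccode:02x}")
    channel, auth, status, ext = msg[7], msg[8], msg[9], msg[10]
    findings = []
    if auth & 0x01:
        findings.append("auth type 'none' accepted")          # no password needed at all
    if auth & 0x10:
        findings.append("straight password (plaintext) auth accepted")
    if status & 0x01:
        findings.append("anonymous login enabled")
    if status & 0x02:
        findings.append("null usernames enabled")
    if status & 0x08:
        findings.append("user-level authentication disabled")
    if status & 0x10:
        findings.append("per-message authentication disabled")
    ipmi_v2 = bool(auth & 0x80) and bool(ext & 0x02)  # v2.0 ext caps + v2.0 connections
    if not ipmi_v2:
        findings.append("IPMI 1.5 only (no RMCP+ session protection)")
    elif not (status & 0x20):
        findings.append("BMC key KG at default (sessions protected by user password only)")
    return {"channel": channel, "ipmi_v2": ipmi_v2, "findings": findings}


def sample_response(auth: int, status: int, ext: int) -> bytes:
    """Constructed response frame (not a real capture) for the given capability bytes."""
    hdr = bytes([0x81, 0x07 << 2])                    # rqAddr, NetFn=App response
    body = bytes([0x20, 0x00, 0x38, 0x00, 0x01, auth, status, ext, 0, 0, 0, 0])
    return _frame(hdr + bytes([_checksum(hdr)]) + body + bytes([_checksum(body)]))


# A v1.5-only BMC that accepts 'none' and plaintext auth plus anonymous/null users...
WEAK_BMC = sample_response(auth=0x15, status=0x03, ext=0x01)
# ...and a v2.0-only BMC with MD5 auth, non-null users and a non-default KG.
HARDENED_BMC = sample_response(auth=0x84, status=0x24, ext=0x02)


def probe(host: str, timeout: float = 2.0) -> dict:
    """Send the query over UDP/623 and audit the reply (needs a reachable BMC)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (host, IPMI_PORT))
        data, _ = s.recvfrom(1024)
    return audit_response(data)


if __name__ == "__main__":
    for name, frame in (("weak", WEAK_BMC), ("hardened", HARDENED_BMC)):
        print(name, audit_response(frame))
```

Run probe() only against your own management network. Anything it flags, and any BMC that answers from a routable address at all, is the exposure the Shadowserver figures describe. On a Linux host with ipmitool, `ipmitool lan print` shows the same capability bits for the local BMC, and `ipmitool lan set <channel> auth ADMIN MD5` removes the 'none' and straight-password options from the list the BMC advertises.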
Unified approach
Security architects need to address these realities with a unified approach to cyber security: one that gives a single view across the virtualised data centre, the physical campus and remote office environments.
'Attacks may be relatively mature by the time they manifest.'
It's also important to be able to spot threats between virtual machines under a single hypervisor, including inspection of vSwitch traffic that never leaves its local hypervisor, to reveal attack behaviours between virtual workloads.
Detection capabilities, regardless of vendor or technology, need to include the ability to reveal attack behaviours that interact with sub-OS rootkit back doors or attempt to subvert the data centre's physical infrastructure. Because a back door below the operating system is invisible to host agents, this monitoring has to cover the out-of-band management network the BMCs sit on, not only the production segments. Automated machine-learning algorithms in advanced threat detection platforms are often an appropriate choice here. Such solutions continuously monitor the large volume of network traffic across the whole enterprise, prioritise and alert on indicators of in-progress attacks, focus on behavioural traits rather than signatures, and include capabilities to handle 'unknown unknowns'.
For the stretched security analyst responsible for an ever-changing data centre, the ability to spot attacks accurately and early in their lifecycle, regardless of their tactics, can make the difference between quietly managing a minor security incident and facing down a full-scale breach and organisational crisis.