Alex Tarter, Chief Cyber Consultant and CTO, Thales, and Matt Walmsley, EMEA Director, Vectra, discuss the different variables that contribute to secure operations in the data centre sector, and how effective detection and response can be the difference between a contained security incident and an organisation-damaging breach.
The COVID-19 pandemic has reshaped the way many industries operate and yet there is still great demand within the IT sector, particularly as the surge in data puts pressure on the need for data centres. However, Alex Tarter, Chief Cyber Consultant and CTO, Thales, says that even before the pandemic, cloud adoption was reshaping the way data centres operated and how CIOs kept their organisation’s infrastructure secure. “With 93% of businesses using a multi-cloud strategy to store data, it’s the go-to IT environment, especially now that a substantial amount of the UK workforce is logging on remotely,” said Tarter. “This widely distributed workforce, based overwhelmingly on the cloud, is challenging security teams to adapt at an unprecedented rate. So, how can data centre leaders ensure they operate securely?
“As remote working, or at least hybrid patterns, look set to stay well beyond the pandemic, it’s vital that data centre leaders reduce their reliance on employees in data centres and hosting facilities. Fortunately, even on-site security solutions such as hardware security modules (HSMs), are now available as cloud services, which can be accessed remotely.
“Access to cloud-based technologies has shifted the day-to-day operations of data centre leaders; for instance, the decline in on-premises ‘traditional’ IT infrastructure has been accelerated by the pandemic, with usage of these facilities decreasing by over half (54%) in 2020, when compared to 2018.”
Tarter said that the industry is also seeing data centres going ‘dark’ at an increasing rate – dark data centres ultimately help to manage costs and improve physical security, as they operate almost entirely remotely through lights out management (LOM).
As businesses look to revisit earlier projects put on hold during the first months of lockdown, Tarter added that data centre leaders need to start focusing more heavily on securing their cloud infrastructure offerings. “It’s time for organisations to adapt their security practices to these new conditions by reducing the reliance on employees being physically in data centres, while employing systems to keep their employee and customer data secure and encrypted in the cloud,” said Tarter.
“If businesses don’t take these steps now and adapt to this new reality, it might be the case that they’re much less agile and not able to pivot when faced with new threat vectors or external influences. For most organisations, the starting point for securing data on the cloud is being situationally aware. This means understanding what data it has, where it’s stored, who can access it and the risks associated with storing it. From here, security teams can start to remotely implement access control, encryption, key management and key security.”
Tarter said that data centre leaders need to make sure that their infrastructure isn’t just secure, but resilient to unexpected operational shifts.
Matt Walmsley, EMEA Director, Vectra, is of a similar view when it comes to data centres being a tantalising target due to the wealth of information they contain. However, he believes that unless the attacker gets lucky and finds an Internet-facing vulnerability, directly compromising a data centre takes a significant amount of effort and planning. As a result, cyberattacks that target data centres tend to be patient, mature operations that emphasise persistence and require flying below the radar of security teams. Walmsley considers some of the critical attack vectors used to target data centres:
Co-opting administrative access — Administrative protocols can give attackers backdoor access into the data centre without the need to directly exploit an application vulnerability. And by using standard admin tools such as SSH, Telnet or RDP, attackers easily blend in with normal admin traffic.
Local authentication loopholes — Many data centres implement additional local authentication options that can be used in an emergency, to access the hosts and workloads they need to manage. However, these options are not logged and the same login credentials are often shared across hosts and workloads for the sake of simplicity. When attackers find the credentials by compromising an administrator, they can silently access the data centre.
Hardware backdoors — Today’s data centres are synonymous with virtualisation. Yet virtual disks are ultimately dependent on physical disks, and the physical disks run in physical servers. Physical servers have their own management planes designed for lights-out and out-of-band management. These actions are often performed via protocols such as the Intelligent Platform Management Interface (IPMI). IPMI has well-documented security weaknesses and is often slow to receive updates and fixes. Additionally, a worrying 88,336 hosts currently have their IPMI interfaces exposed to the Internet. The combination of IPMI vulnerabilities and its immense power makes it a significant attack vector for threat actors attempting to subvert the security of the data centre.
Advanced attackers, including nation-states, increasingly target physical servers, routers, switches and even firewalls. At a fundamental level, the attackers use rootkits that sit below the level of the operating system, making them extremely difficult to detect using traditional methods. These techniques allow attackers to infect the very devices that are trusted and charged with protecting the network, and then use those devices to launch attacks deeper into the network.
Hidden command-and-control traffic, reconnaissance, lateral movement and the compromise of user and admin credentials are all prerequisites that lead up to the intrusion into the data centre. An attack is typically at a mature stage by the time it reaches a data centre. Subtle attackers attempt to stay low and slow by patiently exfiltrating data at rates that are less likely to be noticed or arouse suspicion. Efforts can also be made to obscure data exfiltration in hidden tunnels within normally allowed traffic, such as HTTP, HTTPS or DNS traffic.
Rapid detection and effective response to the evidence of a hidden attacker active in or approaching the data centre can make the difference between a contained security incident and an organisation-damaging breach. The signals that betray hidden attackers through their immutable behaviour are there, but hidden in the vast noise of legitimate communications and interactions. It’s here that automation, powered by AI, is increasingly supporting security teams in protecting their data centre, using Network Detection and Response (NDR) platforms to detect and respond to hidden attacks at speeds and scale unattainable by human efforts alone.
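As an added illustration (not from the article, Thales or Vectra), the following Python scores a constructed DNS query log for the tunnel-like exfiltration pattern described above: one source emitting many distinct, long, high-entropy leftmost labels under a single parent domain, while ordinary lookups stay below the thresholds. The thresholds, host addresses and sample names are assumptions made for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; encoded payloads score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def score_sources(queries, min_unique=8, min_entropy=3.0, min_len=20):
    """Flag (source, parent domain) pairs whose leftmost labels look like
    encoded data: many distinct labels that are long and high-entropy.
    Thresholds are illustrative assumptions, not any vendor's defaults."""
    labels = defaultdict(set)
    for src, name in queries:
        first, _, parent = name.rstrip(".").partition(".")
        if parent:
            labels[(src, parent)].add(first)
    findings = []
    for (src, parent), seen in labels.items():
        if len(seen) < min_unique:  # a handful of hostnames is normal
            continue
        mean_entropy = sum(map(shannon_entropy, seen)) / len(seen)
        mean_len = sum(map(len, seen)) / len(seen)
        if mean_entropy >= min_entropy and mean_len >= min_len:
            findings.append({"src": src, "domain": parent,
                             "unique_labels": len(seen),
                             "mean_entropy": round(mean_entropy, 2)})
    return findings

def build_sample():
    """Constructed query log: ordinary lookups from two hosts plus a third
    host that emits hex-encoded chunks under one parent, tunnel-style."""
    queries = [("10.0.7.3", n) for n in
               ("www.example.com", "mail.example.com", "api.example.com")]
    # Many distinct but short, low-entropy hostnames: must not be flagged.
    queries += [("10.0.7.4", f"img{i}.static.example.com") for i in range(10)]
    # Low-and-slow exfiltration: each query carries a 40-hex-char chunk.
    queries += [("10.0.5.21",
                 hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
                 + ".cdn-updates.example.com") for i in range(12)]
    return queries

if __name__ == "__main__":
    for finding in score_sources(build_sample()):
        print(finding)
```

In production the same scoring would run per time window over resolver or NDR sensor logs, so that a slow trickle of chunks still accumulates enough distinct labels to cross the threshold.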