Even with growing cloud adoption data centres still house a huge amount of information and for attackers, represent a valuable target that is hard to resist. The vast security measures put in place by enterprises to protect their data centres means attacking and infiltrating a data centre system is a slow process which requires patience. In order to compromise a data centre, a significant amount of time and effort needs to be put into planning and executing the attack.
Subsequently, the attacker needs to operate below the radar of the security teams. Attackers can stay hidden in networks for months, even years, in order to get to their final goal: exfiltrate or manipulate data from the data centre. It is, therefore, incredibly important for security teams to understand what they need to look out for when monitoring for these attacks. In our experience, there are six critical attack vectors and techniques that cyber-attackers use in order to pull off a sophisticated attack against data centres.
Who’s accessing what
Firstly, there is the co-opting of administrative access. Due to the privileged access administrative accounts have to the data centre; they are natural targets for attackers. The protocols used by administrators give attackers powerful access into the data centre if they are able to authenticate. Ultimately, this is a much easier way of accessing the data centre because it removes the need to exploit an application vulnerability. By using standard admin tools and services such as SSH, Telnet or RDP, attackers can easily blend in with legitimate admin traffic, meaning they can go undetected for a long time. Consequently, any attacker that has breached the system is even harder to track and recognise. It is vital that security teams stay vigilant to any changes in the observed privilege behaviours.
Local authentication options
Data centre admins sometimes implement local authentication options, or additional admin accounts to be used in an emergency in order to access the hosts and the workloads they need to manage. These local authentication options and accounts are usually not logged so there is no record of them being used. Furthermore, the login details are often shared across hosts and workloads to simply make life easier. Naturally, this poses a huge risk because attackers will find these authentication credentials by compromising an administrator, and then they carefully and silently access the data centre with the knowledge that their presence and activity is not being logged.
Authenticated local access also allows the attacker to extend further into the data centre hardware. For example, virtualisation is tantamount to the running of a data centre. This virtual environment lifecycle in the data centre is an interesting one because, in order to work, it needs to run on the physical hardware. Therefore, the virtual discs found in data centres can only work with the presence of physical disks, and the physical disks run in physical servers. Physical servers are independently managed by management planes. The management planes are designed to have a lights-out and out-of-band management, with their own memory, power, processes and protocols. This enables administrators to mount disks and re-image servers in situations where the power to the main server is powered off.
Intelligent Platform Management Interface (IPMI) is an example of a protocol which allows an action such as the one above. There are a variety of own branded versions of IPMI, such as Dell iDRAC or HPE Integrated Lights-Out (ILO) which some hardware servers use. However, they are all established on the IPMI framework and they perform the same functions.
Despite this, IPMI and similar protocols are renowned for having security weaknesses and vulnerabilities that attackers can utilise and take advantage of. Worryingly, in September 2019, researchers at Eclypsium found over 47,000 workstations and servers that were running on Supermicro motherboards and were exposed to the internet, and wide open to attacks, due to the vulnerabilities found in baseboard management controller (BMC) which is a component of IPMI. This is not a-typical for IPMIs and naturally represents an attractive target for attackers looking for an easy route into a data centre.
Sitting below the operating system
IPMI is not the only vulnerable aspect of a data centre. Because data centres are such an attractive target, physical servers, routers, switches, and firewalls are targeted by the most advanced attackers, including nation-states. The attackers are clever and sly so will aim low and use methods to enter the data centre at a critical level but stay beneath the radar. This is often at the level of the operating systems which ultimately makes them incredibly difficult to detect with traditional methods. Techniques such as these are used by attackers because it enables them to infect the security devices which are meant to protect the data centre network. They can then use those devices to launch attacks that penetrate an even deeper level of the network.
Stealing the digital jewels one piece at a time
It is vital that administrators keep an eye on their data. The end goal of an attack is to steal or manipulate this data. Attackers seek to create monetary value from the data they find, so it is prudent to start viewing data centres essentially like a bank vault full of money. Like any criminal, attackers will try and steal data with as little disruption as possible. They do not want to draw attention to themselves, so depending on the skillset of the attackers, they will use a variety of approaches to smuggle data out of the data centre. One approach may be to take the data in bulk, or alternatively, take it a little bit at a time in an attempt to avoid detection. The latter example is the more obvious approach as it stops attention being drawn to the attacker. The data is then often moved directly to the Internet, or to a staging area in the campus network.
The bottom of the chain
No one data centre is the same; they vary according to users and organisations. There is however a method to the attacks and a series of events which unfold prior to the attack on the data centre. This usually involves starting at the bottom of the chain. For example, their first point of penetration may be through a compromised employee account, that may have been compromised though a phishing email, or a malware riddled application, for example. This allows them access to the network where the attackers look to expand their presence by targeting other devices, and while doing so, plant backdoors or hidden tunnels to communicate with each other inside the now compromised network. Patience and resilience are key to their next stage because they then spend time recognising and identifying valuable assets and resources within the network which they can utilise to make their time and presence worth the effort. The administrator’s credentials are an attacker’s golden trove and once they access this, the attack is usually at its most mature. This enables them to attack an organisation’s data centre because administrators are often the only individuals who can access the data. The movements prior to access of the administrator’s credentials build up to the peak attack on the data centre.
Attackers are usually more inclined to focus on the physical infrastructure of a data centre and understand the levels required to gain access. They have no problem starting at the bottom of the chain and working their way up through the network in order to reach the pivotal level of data centre access. Therefore, organisations need to look at the bottom of the chain, from employee accounts and client devices, and work their way up through the system, employing security at every level to ensure attackers can’t gain access to what is arguably their most valuable asset – their data centre. By doing this, even if attackers were to find a way to start accessing information which will give them the key to a data centre, they will expose themselves to multiple detection opportunities that provide security teams the best chance to find attackers early. Early detection can make the difference between a contained incident or a successful takeover that costs the organisation time, effort, reputational damage and money.
Matt Walmsley, senior technology industry marketer, Vectra