Vectra Networks today announced its moving to detect backdoors embedded in network infrastructures in data centres.
Hitesh Sheth, CEO of Vectra Networks, told SCMagazineUK.com at Gartner's Security & Risk Management Summit how the move is spurred by a number of backdoors in network infrastructure which were brought to light by the Snowden revelations in 2013, and with the more recent hacking group Shadow Broker's leaks which saw NSA hacking tools for sale.
Those very tools leaked by the Shadow Brokers were alleged to be using vulnerabilities in Fortinet and Cisco firewalls.
It should be noted that these incidents are nothing new, some date back to the late-1990s, through the early and mid-2000s.
The company is looking to protect firewalls, servers, routers and switches, found in almost every private enterprise data centres and public clouds.
According to Oliver Tavakoli, chief technology officer of Vectra Networks, “Attackers recognise that the keys to the kingdom can be found deeper in the physical devices used to build the data centre infrastructure.”
Vectra plans to monitor for improper use of administrative activity including those involving low-level management protocols such as IPMI. They claim these protocols are increasingly targeted by attackers because they give a backdoor into the virtual environment yet are rarely monitored by security solutions.
These attacks have shown the ability to survive operating system upgrades, and definitive diagnosis often requires physically dismantling the device to analyse the underlying firmware. Additionally, this type of activity on the devices and interfaces in question is typically not logged, making it hard to detect any abnormalities.
According to research conducted by Vectra Networks, 32 percent of IPMI servers run decades-old insecure versions, five percent had the default password, 30 percent had easily guessable passwords and only 72 percent authenticate access.
Steve Nice, security technologist at Node4 claimed: “We have to assume that data centres are not secure as there are still unknown vulnerabilities in all vendor network devices. So implementing a SIEM and monitoring the basics such as network traffic flow to detect malicious events is critical.”
Likewise, Andrew Tang, service security director for MTI Technology said: “Data centres are only as secure as you configure them to be. You can have a top of the range burglar alarm and locking system on your front door, but if you don't use them, or use them incorrectly, they aren't going to be very secure. Most data centres will have two firewalls: the front firewall which will come from one manufacturer, and a second firewall from a different manufacturer, with the ‘crown jewels' inside. If you're using two different firewall manufacturers, it's rather unlikely that someone will find the first firewall and then go on to find the second firewall – though that can't be ruled out completely. But again, while bad programming causes some issues, bad configuration causes more issues in data centres than the actual manufacturer of the firewall.”
Vectra Networks claim to be, “the first to deliver technology that reveals the existence of backdoors, rootkits or attacks emanating from trusted infrastructure,” said Tavakoli. “We want customers to identify devices in their data centre that may have been compromised so they can stop attacks before damage is done.”
However, security company SentinelOne offers a server protection platform, which uses behavioural analytics to protect from attacks on the physical layer.
A spokesperson for SentinelOne confirmed: “Attacker's motives are changing from the usual endpoints to data centres, where attackers are able to steal whole databases undetected due to administrators having zero visibility into the servers.”
Interestingly, Vectra is also looking to secure AWS/Azure infrastructure in the future. Matt Walmsley, director of EMEA marketing at Vectra Networks told SC: “A challenge facing operators of virtualised data centres is securing the physical infrastructure on which their virtual or shared service sits. The point of attack sits in the area outside of the hypervisor and virtual machines, utilising support and management protocols such as IPMI. It is the physical infrastructure layer – the servers, switches and firewalls – that are being targeted. When attackers gain control of the physical infrastructure, they can persist even when machines are reimaged. Organisations using public clouds need to detect the abuse of administrative credentials as a key indicator of an attacker's behaviour trying to steal or destroy digital assets.”
