Blog  

Deception in the Data Center

Cyber Deception and UK Businesses

The modern data center is a highly virtualized environment, cloud and on-premise, highly dynamic and where the defensive challenges are multiple and complex. Business continuity is paramount in terms of focus of investment, and protecting these assets from digital risks is a real challenge. The fact is, data centers are massive playgrounds for threat actors eager to explore and compromise them through thousands of ever-changing networks, servers, devices, databases and services, offering an irresistible opportunity to exfiltrate a huge amount of personal and financial information, credentials, health records, or for pure monetary extortion through ransomware attacks.

What is a Data Center?

A data center is the physical space where computer systems and their components are housed. The data center holds a combination of computing components, storage, and networking devices. The data center centralizes both IT operations and physical equipment, usually in a secured space.

Data centers were once complexes of complicated devices, wires, and hardware, and they used enough electricity to power a small town. However, today, modern data centers are often smaller, connected to virtual servers and multi-cloud environments such as the public cloud. Popular public cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, Oracle Cloud, and Google Cloud Platform (GCP) are now the centralized space of information for our everyday use of all kinds of technologies, from social media applications to personal storage and conferencing applications.

How does a Data Center Operate?

A data center is a network of resources designed to allow applications to share data. Data centers should be able to communicate within themselves, but also across cloud networks. Just about every large organization has its own data center, and if not, they share a public data center with other organizations. A data center often includes:


- Storage systems
- Security devices
- Routers
- Firewalls
- Servers
- Controllers
- Environmental controls like A/C and emergency equipment
- Power sources, such as battery banks or generators


Challenges to Data Center Security

The fundamental objective of data center security is to avoid interruption of service. The challenge of the data center in terms of vulnerability management is overwhelming because of the myriad of servers, operative systems and applications requiring constant patching and because the interrelations and potential incompatibilities that might compromise the continuity of the services. So this patching issue makes the situation recurrent and critical.

With all this it is no surprise that cyber attacks have become commonplace on this extense attack surface. All paths lead to the data center…including cyber attacks!

Alert Fatigue

To make matters worse, security teams on the defensive side face what is known as “alert fatigue” due to the enormous amount of information generated by most security solutions. These alerts need to be assessed and analyzed, or triaged, looking for breaches that in many cases end up as false positives. This slows down the response to the incident exponentially, making the detection of a live breach quite unlikely.

Impact on Performance

Another concern is related to the performance impact that a security solution in place can have on the services. Signatures-based security solutions, like Antivirus or EDR which are based on process whitelisting or AI process validation, require an agent running on the servers and the continuous update of the local intelligence to be operative. This means that there is always the possibility that legitimate processes will be blocked or legitimate network traffic will be dropped or redirected due to an automated false positive.

Inaccurate Baselines

Other solutions are based on the definition of a baseline behavior requiring a previous learning process of the network traffic. Network anomaly detection solutions are prone to false positives as network baselines are so difficult to derive.

Blind Spots

Other detection systems like IPS or NGFW are not suited to detect advanced persistent threats with human attackers moving laterally from servers, escalating privileges and not being noticed in their actions. Because this behavior appears to be normal, permitted privilege escalation or typical employee behavior, it almost always goes undetected by traditional threat detection systems. In this way, attackers learn the environment and the security strategies in place in order to circumvent them and prepare further attacks.

The Difference with Deception

Deception technologies can fill a very important detection gap when it comes to the insidious attacks that are behind most of the security breaches in the data center. When these attacks are detected on time, it helps organizations avoid disastrous consequences to their reputation, data security, and bottom line.

How can deception be so much more effective?

A deception technology like CounterCraft is not based on signatures, patterns, baselines, or any other kind of collective intelligence. By designing specific deception campaigns we can place a number of deception hosts in the data center, fully instrumented to look like real production servers, run real services, and seed specific breadcrumbs which can only be noticed by APT-grade attackers. These breadcrumbs work to create choice and confuse the attacker as they try to prioritize next actions.

Messing with the attacker’s psyche is required in order to deflect them from the real assets and lure them into our deception buffer zones. Once they set foot in a deception environment, we obtain a confirmed alert of a real live attack in progress and all subsequent actions are closely monitored to obtain actionable intelligence, allowing the defensive team to manage the attack and prepare the response accordingly.

The CounterCraft difference is that it causes no interference with the production environment. Therefore, the agility on the deployment of the different deception campaigns can be customized to the particular needs as defined by the security team. This approach has shown to be very effective with the different customers and verticals we work with.

How to Secure a Data Center

As you can see, securing a data center is not an easy proposition. When thinking about the security of the data center, the key is layering.

Start with the physical security of the space. From its location to the layout of the building, consider how to best prevent unwanted entry or accidents. Build in physical security, such as ID locks and posts for security persons.

When thinking of the digital security of a data center, employ a various-pronged strategy. Start by zoning your network, breaking it into pieces with different access rules, making it more resilient to attacker movement. Consider running an out-of-band network. Scan applications and code for vulnerabilities. And, after taking all of these steps, install a deception technology like CounterCraft’s Cyber Deception Platform—this is one of the only ways you have to guarantee that any unauthorized lateral movement, whether by insider threat or by attackers, will be detected.

Like Jim Morrison said, this is the end. But you can...