How vGate helps investigate security incidents in a virtual infrastructure

    Modern virtual data centers are usually well protected against attacks from outside. Traditionally, virtual infrastructures (VIs) rely on firewalls, antivirus, IPS/IDS and other components, but attacks from the inside are often forgotten, and VI administrators are trusted completely. At the same time, a virtual infrastructure by its nature has more privileged users than a physical environment, which automatically creates a separate class of VI incidents caused by deliberate actions (for example, copying protected information) or accidental ones (for example, an administrator turning off a host by mistake). Thus, in a virtual infrastructure it is necessary to control and restrict the access of privileged users,

    Test bench


    To show what incidents are possible in a virtual infrastructure, we deployed a virtual test bench on the VMware platform. The simulated VI is protected by certified vGate R2. Its main functions are:
    • access control to VI objects through enhanced authentication and separation of duties between VI administrators and information security administrators;
    • protection of VMs and of the confidential data stored and processed on them;
    • protection of the VI in accordance with regulatory requirements.

    In addition, vGate has a number of tools that can be used to identify and investigate information security incidents, among them “Audit” and “Reports”. Let us look at them in more detail.

    “Audit” in vGate registers security events (for example, unauthorized access to the infrastructure, creation or deletion of VMs, changes to VMs, etc.) and collects them from all protected resources (ESX servers, VMware vCenter Server, the vGate authorization server). With “Audit” you can filter security events by category, configure the list of registered events, send security events over SNMP / SMTP and save the event log to a text file.
    With “Reports” you can monitor the system and obtain various reports, for example on the most frequent information security events, access to the VI outside working hours, unauthorized attempts to change settings controlled by policies, access to VM files and to VI management, and others.

    Next, we will try to simulate the actions of an attacker and show what incidents can occur in a virtual infrastructure and how they can be detected and investigated using vGate. Our virtual test bench consists of:
    • a server with VMware vCenter and two ESXi hosts (host 1 and host 2);
    • the vGate authorization server (the deployment option in which routing is performed by the vGate authorization server), which also hosts the workstation of the information security administrator (AIB for short);
    • the workstation of virtual infrastructure administrator 1 (AVI 1), who has access to confidential information (the vGate authentication agent and VMware vSphere Client are installed on the workstation);
    • the workstation of virtual infrastructure administrator 2 (AVI 2), who does not have access to confidential information (the vGate authentication agent and VMware vSphere Client are installed on the workstation).

    Simulated situations


    Incident No. 1. Password guessing

    AVI 1, when trying to connect to the vGate authorization server, receives the following message from the authentication agent:

    AVI 1 asks the AIB for help. Using filtering of the audit events, the AIB finds that three attempts to enter the AVI 1 password were made from a computer with IP 192.168.2.143 (the number of permitted incorrect password entries is set by the vGate password policy), after which the AVI 1 account was locked. The AIB knows that IP 192.168.2.143 belongs to the workstation of AVI 2. Thus, the AIB establishes that AVI 2 knew the AVI 1 login name and tried to guess the password for that account.


    Incident No. 2. Cloning of a VM

    A leak of confidential information processed on the WIN7 virtual machine has occurred. The AIB filters the events by category:

    and finds an event related to the WIN7 virtual machine in the list:

    It turns out that AVI 1 cloned this VM; a further investigation is needed to establish why AVI 1 did so.

    Incident No. 3. Violation of VM integrity

    The VM1 virtual machine does not start. Personal data is processed on this machine, and, in accordance with the security policies in force in the organization, integrity monitoring is configured for it. The AIB filters the audit events with the “text contains” parameter, entering the name of the virtual machine, VM1.

    It turns out that the integrity of the vmx file was violated: namely, the amount of RAM of the virtual machine was changed.

    Looking at earlier events, the AIB finds that AVI 1 changed the configuration of the VM.
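    The principle behind such integrity monitoring of a .vmx file can be shown in a few lines. The Python script below is an added example and is not code from the article or from vGate: it stores a SHA-256 digest of the configuration file at baseline time, and when the digest no longer matches, it compares the key = "value" parameters to report exactly which setting changed, here the RAM size. The .vmx contents and the memSize change are constructed for the example; which parameters vGate itself checks is not described on the page.

```python
"""Integrity monitoring of a VMware .vmx file: detect a change and name the parameter.

Added example. The .vmx contents and the RAM change are constructed for illustration.
"""
import hashlib

# Constructed baseline: the VM1 configuration as it was when integrity
# monitoring was enabled (only a few of the real .vmx keys are shown).
BASELINE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "13"
displayName = "VM1"
memSize = "4096"
numvcpus = "2"
scsi0:0.fileName = "VM1.vmdk"
"""

# Constructed current state: the same file after an administrator halved the RAM.
MODIFIED_VMX = BASELINE_VMX.replace('memSize = "4096"', 'memSize = "2048"')


def vmx_digest(text):
    """SHA-256 of the whole file; this is the value recorded at baseline time."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_vmx(text):
    """Parse the key = "value" lines of a .vmx file into a dict (comments skipped)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params


def diff_vmx(baseline, current):
    """Return {key: (old, new)} for every parameter that changed, appeared or vanished."""
    old, new = parse_vmx(baseline), parse_vmx(current)
    return {
        key: (old.get(key), new.get(key))
        for key in sorted(set(old) | set(new))
        if old.get(key) != new.get(key)
    }


def check_integrity(baseline, current):
    """(True, {}) when the file is unchanged, otherwise (False, {changed params})."""
    if vmx_digest(baseline) == vmx_digest(current):
        return True, {}
    return False, diff_vmx(baseline, current)


if __name__ == "__main__":
    intact, changes = check_integrity(BASELINE_VMX, MODIFIED_VMX)
    print("integrity intact" if intact else "integrity violated: %r" % changes)
```

    The digest alone only says that something changed; the parameter diff gives the attribution the audit event carries (which setting, old and new value), and correlating that with the earlier configuration-change events is what names the administrator responsible.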



    Incident No. 4. Violation of VM availability

    When trying to access the virtual machine, the user is refused because the virtual machine is unavailable. The AIB filters the audit events with the “text contains” parameter and enters the name of the virtual machine.

    After the filter is applied, all security events related to this virtual machine are listed. The AIB finds that AVI 1 changed the settings of the virtual machine, deleted it or performed other actions with it that led to its unavailability.



    Incident No. 5. Port scanning

    During periodic monitoring of events, the AIB generates the report “Most frequent IS events”:

    The event “Attempted unauthorized access to the protected object” appears in the report frequently. For further analysis, the AIB filters the audit events by event type “warning” and category “access control”.

    After the filter is applied, the AIB sees repeating events in which the subject and the object of access are the same but the destination ports differ, from which it can be concluded that AVI 2 (IP 192.168.2.143) ran port-scanning software.





    Incident No. 6. Exhaustion of resources

    The user of the WIN7 VM cannot access it, or the VM performs slowly. The user turns to AVI 1, who sees that new VMs have appeared on the host. AVI 1 asks the AIB what happened.

    In the audit events, the AIB additionally filters by event category. Having selected the “Virtual Machines” category, he finds in the list events in which AVI 2 cloned and powered on several virtual machines. Accordingly, the AIB concludes that AVI 2, by cloning and then powering on a large number of virtual machines, exhausted the computing resources of the host.
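    The investigations of incident 1 (password guessing), incident 5 (port scanning) and incident 6 (mass cloning) all reduce to the same operation on the audit log: group events by subject, source IP and object and look for a repeating pattern. The Python script below is an added example and is not code from the article or from vGate. It parses a constructed, pipe-separated export whose field layout, event texts and thresholds are assumptions made for this example, and flags the three patterns: several failed logons for one account from one IP inside a short window, one subject hitting one protected object on many destination ports, and one subject cloning and then powering on many VMs.

```python
"""Correlating audit events to spot the patterns behind incidents 1, 5 and 6.

Added example. The pipe-separated export, its field layout, the event texts and
the thresholds are assumptions made for this example, not vGate's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    level: str       # info | warning | error
    category: str    # authentication | access_control | virtual_machines
    subject: str     # account the action is attributed to
    src_ip: str      # workstation the action came from
    obj: str         # VI object the action targeted
    text: str        # event message


# Constructed sample export: timestamp|level|category|subject|src_ip|object|text
SAMPLE_LOG = """\
2019-03-12 09:14:03|warning|authentication|AVI1|192.168.2.143|vgate-auth|Logon failed: wrong password
2019-03-12 09:14:09|warning|authentication|AVI1|192.168.2.143|vgate-auth|Logon failed: wrong password
2019-03-12 09:14:15|warning|authentication|AVI1|192.168.2.143|vgate-auth|Logon failed: wrong password
2019-03-12 09:14:15|error|authentication|AVI1|192.168.2.143|vgate-auth|Account locked: too many failed logons
2019-03-12 09:20:01|info|authentication|AVI1|192.168.2.141|vgate-auth|Logon succeeded
2019-03-12 10:02:11|warning|access_control|AVI2|192.168.2.143|esxi-host-1|Attempted unauthorized access to the protected object dst_port=22
2019-03-12 10:02:11|warning|access_control|AVI2|192.168.2.143|esxi-host-1|Attempted unauthorized access to the protected object dst_port=80
2019-03-12 10:02:12|warning|access_control|AVI2|192.168.2.143|esxi-host-1|Attempted unauthorized access to the protected object dst_port=443
2019-03-12 10:02:12|warning|access_control|AVI2|192.168.2.143|esxi-host-1|Attempted unauthorized access to the protected object dst_port=902
2019-03-12 10:02:13|warning|access_control|AVI2|192.168.2.143|esxi-host-1|Attempted unauthorized access to the protected object dst_port=8080
2019-03-12 11:30:40|info|virtual_machines|AVI2|192.168.2.143|WIN7|VM cloned to WIN7-clone1
2019-03-12 11:30:55|info|virtual_machines|AVI2|192.168.2.143|WIN7-clone1|VM powered on
2019-03-12 11:31:10|info|virtual_machines|AVI2|192.168.2.143|WIN7|VM cloned to WIN7-clone2
2019-03-12 11:31:25|info|virtual_machines|AVI2|192.168.2.143|WIN7-clone2|VM powered on
2019-03-12 11:31:40|info|virtual_machines|AVI2|192.168.2.143|WIN7|VM cloned to WIN7-clone3
2019-03-12 11:31:55|info|virtual_machines|AVI2|192.168.2.143|WIN7-clone3|VM powered on
2019-03-12 12:05:00|info|virtual_machines|AVI1|192.168.2.141|WIN7|VM cloned to WIN7-backup
"""


def parse_events(text):
    """Turn the pipe-separated export into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, level, category, subject, src_ip, obj, msg = line.split("|", 6)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            level, category, subject, src_ip, obj, msg))
    return events


def detect_password_guessing(events, threshold=3, window=timedelta(minutes=5)):
    """Incident 1: >= threshold failed logons for one account from one IP inside window."""
    failures = defaultdict(list)
    for e in events:
        if e.category == "authentication" and e.text.startswith("Logon failed"):
            failures[(e.src_ip, e.subject)].append(e.ts)
    hits = []
    for (src_ip, account), stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits.append((src_ip, account, len(stamps)))
                break
    return hits


def detect_port_scan(events, min_ports=5):
    """Incident 5: one subject/source hitting one protected object on many ports."""
    ports = defaultdict(set)
    for e in events:
        if e.category == "access_control" and e.level == "warning" and "dst_port=" in e.text:
            ports[(e.subject, e.src_ip, e.obj)].add(int(e.text.rsplit("dst_port=", 1)[1]))
    return [(s, ip, o, sorted(p)) for (s, ip, o), p in ports.items() if len(p) >= min_ports]


def detect_mass_cloning(events, min_vms=3):
    """Incident 6: one subject cloning and then powering on at least min_vms VMs."""
    cloned, powered = defaultdict(set), defaultdict(set)
    for e in events:
        if e.category != "virtual_machines":
            continue
        if e.text.startswith("VM cloned to "):
            cloned[e.subject].add(e.text[len("VM cloned to "):])
        elif e.text == "VM powered on":
            powered[e.subject].add(e.obj)
    return [(s, sorted(cloned[s] & powered[s]))
            for s in cloned if len(cloned[s] & powered[s]) >= min_vms]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("password guessing:", detect_password_guessing(evs))
    print("port scan:", detect_port_scan(evs))
    print("mass cloning:", detect_mass_cloning(evs))
```

    The single clone made by AVI 1 is deliberately left in the sample: it shows that the mass-cloning rule keys on the combination of many clones and subsequent power-ons by one subject, not on the clone event alone, which is exactly the distinction the AIB has to make between routine administration and resource exhaustion.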

    Incident No. 7. Shutdown of VM

    The WIN7 virtual machine runs an agentless antivirus (or, for example, an intrusion detection/prevention system) that protects all virtual machines on the given host, but a virus infection nevertheless occurred. Having selected the events related to this virtual machine, the AIB finds that AVI 1 powered off this machine, which is a reason to find out why.

    Conclusion


    The examples above are quite simple, but their main purpose was to show the incident detection functionality of vGate, which can also be used to identify more complex incidents. Each of the incidents considered can be prevented with appropriate vGate settings and policies, and by configuring prompt notifications to security administrators about suspicious and malicious actions. If vGate is additionally integrated with a SIEM system, this provides even more tools for identifying and investigating incidents, not only in the virtual infrastructure but across the infrastructure as a whole.
