An air-gapped network is one that is physically isolated from any other network to increase its security. This technique can help protect the most sensitive of networks: industrial control systems (ICS) running pipelines and power grids, voting systems, and SCADA systems operating nuclear centrifuges, just to name a few.
Systems that run critical infrastructure are of high interest to numerous attackers, including all Advanced Persistent Threat (APT) groups. APT groups are typically sponsored by or part of nation-state efforts. Ultimately, if an air-gapped system is infiltrated, these threat actors can intercept confidential data to spy on countries and organizations.
In the first half of 2020 alone, four previously unknown malicious frameworks designed to breach air-gapped networks emerged, bringing the total number to 17.
Discovering and analysing this type of framework poses unique challenges as sometimes there are multiple components that all must be analysed together to have a complete picture of how the attacks are really being carried out.
Using the knowledge made public by more than 10 different organizations over the years, and some ad hoc analysis to clarify or confirm some technical details, ESET researchers put the frameworks in perspective to see what history could teach cybersecurity professionals to improve air-gapped network security.
“Unfortunately, threat groups have managed to find sneaky ways to target these systems. As air-gapping becomes more widespread, and organizations are integrating more innovative ways to protect their systems, cyber-attackers are equally honing their skills to identify new vulnerabilities to exploit,” says Alexis Dorais-Joncas, ESET’s security intelligence team in Montreal.
He opined that for organizations with critical information systems and/or classified information, the loss of data could be hugely damaging.
“Our findings show that all frameworks are designed to perform some form of espionage, and all the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks,” he continued.
Tips for detection and mitigation methods to protect air-gapped networks
Prevent email access on connected hosts
Preventing direct access to emails on connected systems would mitigate this popular compromise vector. This could be implemented with browser/email isolation architecture, where all email activity is performed in a separate, isolated virtual environment.
Disable USB ports and sanitize USB drives
Physically removing or disabling USB ports on all the systems running in an air-gapped network is the ultimate protection. While removing USB ports from all systems may not be acceptable for all organizations, it might still be possible to limit functional USB ports only to the systems that absolutely require it.
A USB drive sanitization process performed before any USB drive gets inserted into an air-gapped system could disrupt many of the techniques implemented by the studied frameworks.
Restrict file execution on removable drives
Several techniques used to compromise air-gapped systems end up with the straight execution of an executable file stored somewhere on the disk, which could be prevented by configuring the relevant Removable Storage Access policies.
Perform regular analysis of the system
Performing regular analysis of the air-gapped system to check for malicious frameworks is an important part of security to keep data safe.
In addition, it is worth noting that endpoint security products are generally able to detect and block several exploit classes, so having such technology not only deployed but also kept up to date could have a positive impact.
“Maintaining a fully air-gapped system comes with the benefits of extra protection. But just like all other security mechanisms, air gapping is not a silver bullet and does not prevent malicious actors from preying on outdated systems or poor employee habits,” concluded Dorais-Joncas.