How to protect air-gapped networks from malicious frameworks

ESET researchers present their analysis of all malicious frameworks used to attack air-gapped networks known to date. An air-gapped network is one that is physically isolated from any other network in order to increase its security. This technique can help protect the most sensitive of networks: industrial control systems (ICS) running pipelines and power grids, voting systems, and SCADA systems operating nuclear centrifuges, just to name a few.

Naturally, systems that run critical infrastructure are of high interest to numerous attackers, including any and all APT groups. APT groups are typically sponsored by or part of nation-state efforts. Ultimately, if an air-gapped system is infiltrated, these threat actors can intercept confidential data in order to spy on countries and organizations.

In the first half of 2020 alone, four previously unknown malicious frameworks designed to breach air-gapped networks emerged, bringing the total number to 17.

The challenges of discovering and analyzing this type of framework

Discovering and analyzing this type of framework poses unique challenges as sometimes there are multiple components that all have to be analyzed together in order to have the complete picture of how the attacks are really being carried out.

Using the knowledge made public by more than 10 different organizations over the years, and some ad hoc analysis to clarify or confirm some technical details, researchers put the frameworks in perspective to see what history could teach cybersecurity professionals and, to a certain extent, even the wider public about improving air-gapped network security and our abilities to detect and mitigate future attacks. They have revisited each framework known to date, comparing them side by side in an exhaustive study that reveals several major similarities, even within those produced 15 years apart.

“Unfortunately, threat groups have managed to find sneaky ways to target these systems. As air-gapping becomes more widespread, and organizations are integrating more innovative ways to protect their systems, cyber-attackers are equally honing their skills to identify new vulnerabilities to exploit,” says Alexis Dorais-Joncas, who leads ESET’s security intelligence team in Montreal.

“For organizations with critical information systems and/or classified information, the loss of data could be hugely damaging. The potential that these frameworks have is very concerning. Our findings show that all frameworks are designed to perform some form of espionage, and all the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks,” explains Dorais-Joncas.

Detection and mitigation methods to protect air-gapped networks against malicious frameworks

With the risks identified, ESET has put together the following list of detection and mitigation methods to protect air-gapped networks against the main techniques used by all the malicious frameworks publicly known to date:

• Prevent email access on connected hosts — Preventing direct access to emails on connected systems would mitigate this popular compromise vector. This could be implemented with browser/email isolation architecture, where all email activity is performed in a separate, isolated virtual environment.
• Disable USB ports and sanitize USB drives — Physically removing or disabling USB ports on all the systems running in an air-gapped network is the ultimate protection. While removing USB ports from all systems may not be acceptable for all organizations, it might still be possible to limit functional USB ports only to the systems that absolutely require it. A USB drive sanitization process performed before any USB drive gets inserted into an air-gapped system could disrupt many of the techniques implemented by the studied frameworks.
• Restrict file execution on removable drives — Several techniques used to compromise air-gapped systems end up with the straight execution of an executable file stored somewhere on the disk, which could be prevented by configuring the relevant Removable Storage Access policies.
• Perform regular analysis of the system — Performing a regular analysis of the air-gapped system to check for malicious frameworks is an important part of security in order to keep data safe.

In addition, it is worth noting that endpoint security products are generally able to detect and block several exploit classes, so having such technology not only deployed but also kept up to date could have a positive impact.

“Maintaining a fully air-gapped system comes with the benefits of extra protection. But just like all other security mechanisms, air gapping is not a silver bullet and does not prevent malicious actors from preying on outdated systems or poor employee habits,” comments Dorais-Joncas.