Here are four valuable guidelines for cyber defenders to harden these networks against sophisticated APT frameworks, removable storage access policies.

In the first half of 2020 alone, four previously unknown malicious frameworks had emerged—all designed to breach the highly-secure air-gapped networks. This has brought the total number of such frameworks to 17.

Naturally, systems that run critical infrastructure are of high interest to numerous attackers, including any and all advanced persistent threat (APT) groups. These groups are typically sponsored by or part of nation-state efforts. Ultimately, if an air-gapped system is infiltrated, these threat actors can intercept confidential data in order to spy on countries and organizations.

The discovery and analysis of anti-air-gapping frameworks used by the APT group is an uphill task because sometimes multiple components all have to be analyzed together in order to have the complete picture of how the attacks are really being carried out.

One cybersecurity firm that took the hard way was able to use the knowledge made public by more than 10 different organizations over the years, together with some ad hoc analysis to clarify or confirm some technical details.

Researchers at ESET, led by Alexis Dorais-Joncas, have revisited each framework known to date, comparing them side by side in an exhaustive study that reveals several major similarities, even within those produced 15 years apart. By putting the frameworks in perspective, the firm hopes that cybersecurity professionals around the world can learn from cyber history and, to a certain extent, improve air-gapped network security and detect and mitigate future attacks better.

15 years of research in a nutshell

ESET has put together the following list of detection and mitigation methods to protect air-gapped networks against the main techniques used by all the malicious frameworks publicly known to date:  

  1. Prevent email access on connected hosts
    Preventing direct access to emails on connected systems would mitigate this popular compromise vector. This could be implemented with browser/email isolation architecture, where all email activity is performed in a separate, isolated virtual environment.
  2. Disable USB ports and sanitize USB drives
    Physically removing or disabling USB ports on all the systems running in an air-gapped network is the ultimate protection. While removing USB ports from all systems may not be acceptable for all organizations, it may still be possible to limit functional USB ports only to the systems that absolutely require it. A USB drive sanitization process performed before any USB drive gets inserted into an air-gapped system could disrupt many of the techniques implemented by the studied frameworks.
  3. Restrict file execution on removable drives
    Several techniques used to compromise air-gapped systems end up with the straight execution of an executable file stored somewhere on the disk, which could be prevented by configuring the relevant Removable Storage Access policies.
  4. Perform regular analysis of the system
    Performing a regular analysis of the air-gapped system to check for malicious frameworks is an important part of security in order to keep data safe.

These measures go along with the standard cybersecurity best practices of ensuring that endpoint security solutions are able to detect and block the widest range of exploit classes.

ESET researchers present their analysis of all malicious frameworks used to attack air-gapped networks known to date. An air-gapped network is one that is physically isolated from any other network in order to increase its security. This technique can help protect the most sensitive of networks: industrial control systems (ICS) running pipelines and power grids, voting systems, and SCADA systems operating nuclear centrifuges, just to name a few.

According to Dorais-Joncas: “Maintaining a fully air-gapped system comes with the benefits of extra protection. But just like all other security mechanisms, air gapping is not a silver bullet and does not prevent malicious actors from preying on outdated systems or poor employee habits. Unfortunately, threat groups have managed to find sneaky ways to target these systems. As air-gapping becomes more widespread, and organizations are integrating more innovative ways to protect their systems, cyber-attackers are equally honing their skills to identify new vulnerabilities to exploit.”