Amid a rise in state-sponsored cyberattacks, security-related bodies must protect themselves from hostile actors who have developed the means to even target networks that are completely disconnected from the internet, a cyber expert for Israel's Elbit Systems said.
In a presentation at the "CybertechLive: Intelligence in the Cyberspace" online conference, Ofer Rotberg, head of Elbit's endpoint detection and response (EDR) group, described the challenge of protecting these air-gapped networks from a growing number of threats. Elbit was a sponsor of the event.
"Defense organizations have very high cyber security awareness. Often they choose to protect their networks by isolating them from any unsafe external network, such as the internet," Rotberg said.
The idea behind the air-gapping of networks, he said, "is to completely disconnect such and other connections that still remain open and can be exploited for attack. For example, connecting a removable storage device, VPN connection to suppliers and partners, etc."
The isolated network is connected to an external network through a filtering mechanism that may include several defense components. Most such filtering systems include a content decomposition and reconfiguration component that strips malicious content or files, Rotberg said.
"Although it is not easy to jump over an air-gapped system, the prize is tempting. And this is the reason we see a rise in the number of attacks that manage to skip over the airgap systems and attack the internal networks," he said.
Rotberg noted that endpoint cyber security tools have evolved from antivirus signature-based defense to behavior-based detection. "Elbit's EDR product was one of the first to be developed using this rationale and was designed from the ground up to detect suspicious behaviors that characterize powerful and advanced attackers," he said.
According to Elbit, its EDR product detects targeted and unknown threats, performs forensics and proactively hunts for malware by providing a unique hybrid detection engine that combines machine learning, graph-based malware analysis and behavioral analytics over big data. This hybrid approach, Elbit says, is proven to detect a broader range of malicious activities, including threats that have never before been encountered, and minimizes false positives.
In the second part of the presentation, Meir Brown, head of Elbit's endpoint detection research group, provided a step-by-step demonstration of how such an attack takes place. He showed how an attacker could manage to outsmart the malware filtration system and penetrate an internal network.
He used the example of the Ramsay malware that was discovered in May 2020. Brown said Elbit's malware group had analyzed it and noticed its unique ability to bypass the air-gapping of networks.
According to Brown, the attack is carried out as follows: First, the malicious file is unknowingly downloaded from the internet and executed on a non-air-gapped computer. The file then transfers itself onto removable media, such as a USB drive, as files are copied onto it. When the removable media is inserted into the air-gapped network and the file is executed, the malware is downloaded. Once inside the network, the malware collects data and hides it inside legitimate files that are later copied onto the removable media. When the media is reconnected to the public network, the attackers find the document and exfiltrate the data.
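The staging step above, hiding collected data inside legitimate documents that later travel on removable media, can be checked for cheaply on the defender's side: a PDF or ZIP-based Office file should end where its format says it ends, so any bytes past that point deserve quarantine and review before the media leaves the network. The following scanner is an added illustration, not Elbit's code and not a description of Ramsay's exact storage format; the "removable media" directory and the sample files in it are constructed in a temporary folder.

```python
import io
import os
import struct
import tempfile
import zipfile

EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory record signature


def trailing_bytes(data: bytes) -> int:
    """Bytes found after the format's logical end; 0 if clean, -1 if unrecognised."""
    if data.startswith(b"%PDF-"):
        idx = data.rfind(b"%%EOF")
        if idx < 0:
            return -1
        # whitespace after %%EOF is normal; anything else is appended data
        return len(data[idx + 5:].strip(b"\r\n\t "))
    idx = data.rfind(EOCD_SIG)  # caveat: an appended ZIP would mask the real EOCD
    if idx < 0 or len(data) < idx + 22:
        return -1
    comment_len = struct.unpack_from("<H", data, idx + 20)[0]
    return len(data) - (idx + 22 + comment_len)


def scan_media(mount: str) -> dict:
    """Walk a mounted removable drive; map each flagged file to its extra byte count."""
    flagged = {}
    for root, _dirs, files in os.walk(mount):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                extra = trailing_bytes(fh.read())
            if extra > 0:
                flagged[os.path.relpath(full, mount)] = extra
    return flagged


def build_samples() -> str:
    """Constructed 'removable media' directory: two clean docs, two with data appended."""
    mount = tempfile.mkdtemp(prefix="usb_")
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # minimal ZIP container, as a .docx is
        zf.writestr("word/document.xml", "<w:document/>")
    hidden = b"\x00" * 16 + b"CONSTRUCTED-STAGED-DATA" * 4  # 108 bytes of stash
    samples = {"report.pdf": pdf, "report_stash.pdf": pdf + hidden,
               "memo.docx": buf.getvalue(), "memo_stash.docx": buf.getvalue() + hidden}
    for name, blob in samples.items():
        with open(os.path.join(mount, name), "wb") as fh:
            fh.write(blob)
    return mount
```

Running `scan_media(build_samples())` flags only the two `*_stash` files; in practice the same check belongs on the transfer station that mediates traffic between the exposed and isolated sides, alongside the content filtering Rotberg describes.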
Brown said Elbit's EDR solution, designed for isolated networks, provides the in-depth visibility needed to mitigate state-sponsored attacks on air-gapped solutions, enabling the defender to see what is happening in both the exposed and air-gapped systems, understand how the malware got there, and what to do next.