Air-gapping is used to protect the most sensitive of networks: ICSes running pipelines and power grids, voting systems, or SCADA systems operating nuclear centrifuges just to name a few. In the last 24 months, four malicious frameworks devised to breach air-gapped networks emerged, bringing the total to 17, by our count. This prompted us to step back and reanalyze all those frameworks from the vantage point of having discovered and analyzed three of these in the past six years. We put the frameworks in perspective to see what history could teach us in order to improve air-gapped network security and our abilities to detect and mitigate future attacks.
This exhaustive analysis allowed us to isolate several major similarities in all of them, even those 15 years apart. We pinpoint the specific areas of air-gapped networks that are consistently leveraged by malware in order to operate, and provide objective advice on how best to prioritize the deployment of resources to increase security.
Specifically, this presentation covers the similarities in execution vectors used on the connected and air-gapped sides of targeted networks, the air-gap-crossing mechanisms and communication protocols used to control the components running on the isolated networks, the information stealing techniques, and, finally, the propagation and lateral movement capabilities.
Our analysis shows that most frameworks differ only in their implementation details, largely because of the severe constraints imposed by air-gapped environments. Armed with this information, we cover techniques that can be implemented to harden the specific areas that have been repeatedly abused by air-gap-aware frameworks, and strategies to detect their presence, such as how to prevent removable drive abuse and how to detect the host- and network-based reconnaissance activity often observable within an isolated network under attack.
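As an added example, not code from the talk or its authors, the following PowerShell script audits and optionally enforces the "deny all access to removable disks" posture on a Windows host, which is one of the hardening areas the abstract names (removable drives are the usual carrier for air-gap-crossing components). It assumes a Windows 10/11 or Windows Server host and an elevated session; the registry locations are the documented ones for the Removable Disks policy and the USBSTOR driver start type, and the function names are my own.

```powershell
# Added example, not part of the original talk or page.
# Assumptions: Windows 10/11 or Server, run from an elevated PowerShell session.
# Documented registry locations used here:
#   - Group Policy "Removable Disks: Deny all access" writes Deny_All under the
#     RemovableStorageDevices\{disk class GUID} policy key.
#   - The USBSTOR driver's Start value controls whether USB mass storage loads at all
#     (4 = SERVICE_DISABLED).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStoragePosture {
    # Read the current state and return it as an object so it can be logged,
    # exported, or compared against a baseline across the isolated network.
    $deny  = (Get-ItemProperty -Path $PolicyKey  -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start    -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        RemovableDisksDenied  = ($deny  -eq 1)
        UsbStorDriverDisabled = ($start -eq 4)
        Compliant             = ($deny -eq 1) -and ($start -eq 4)
    }
}

function Set-RemovableStorageDenyAll {
    # Dry run by default; pass -Apply to actually write the two settings.
    param([switch]$Apply)
    if (-not $Apply) {
        Write-Host 'Dry run: no changes made. Re-run with -Apply to enforce the deny-all posture.'
        return
    }
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey  -Name Deny_All -Value 1 -Type DWord
    Set-ItemProperty -Path $UsbStorKey -Name Start    -Value 4 -Type DWord
    Write-Host 'Deny-all policy and USBSTOR disable written; newly inserted disks will be refused.'
}

# Usage: audit first, then enforce once the host's transfer workflow has been reviewed.
Get-RemovableStoragePosture | Format-List
Set-RemovableStorageDenyAll            # dry run
# Set-RemovableStorageDenyAll -Apply   # enforce
```

The two settings are complementary: the policy denies access to removable disks that Windows already recognises, while the USBSTOR start type stops the mass-storage driver from loading for devices inserted afterwards. Keyboards and mice are unaffected. On hosts that legitimately rely on removable media for data transfer, run the audit across the fleet first so that the deny-all setting is applied where the talk's prioritisation argument says it matters most, rather than breaking an approved workflow.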
Our aim is to convince the audience of the importance of having all the proper defense mechanisms to mitigate the techniques used by virtually all of these frameworks observed in the wild, before starting to look into the many theoretical air-gap bypass techniques that have gotten most of the spotlight in recent years despite none of them ever being used in a real attack.
This is a must-see session for anyone responsible for the security of an air-gapped network, but also for anyone interested in the history and evolution of these fascinating attacks.
Alexis Dorais-Joncas, APT Research Manager, Proofpoint
Alexis Dorais-Joncas is the Senior Manager of Proofpoint’s APT research team, where he and his team of threat researchers and intelligence analysts focus on tracking the most elusive state-sponsored threat actors and ensuring Proofpoint customers are protected against these persistent attackers. Prior to joining Proofpoint, Alexis led ESET’s Montreal-based R&D branch office for over 10 years, where his team focused on malware research, network security and targeted attack tracking. Alexis is an established speaker on current cyberthreats, having spoken in front of diverse audiences at events such as Northsec, Bluehat, Botconf, FIRST CTI, SecTor and RightsCon. He has also been quoted in several security and technical media outlets such as Wired, ITWorldCanada and Ars Technica, with broadcast appearances on Radio-Canada and Sky News. Alexis holds an M.Sc. in Electrical Engineering from the University of Sherbrooke in Canada.