Jumping the air gap: 15 years of nation-state efforts

Learn from the best. Nation-state actors have been breaching air-gapped networks for over a decade and a half: discover how they are doing it, so you can better protect yours.

Air-gapping is used to protect the most sensitive of networks: ICSes running pipelines and power grids, voting systems, or SCADA systems operating nuclear centrifuges, just to name a few. In the last 24 months, four malicious frameworks devised to breach air-gapped networks emerged, bringing the total to 17, by our count. This prompted us to step back and reanalyze all of those frameworks from the vantage point of having discovered and analyzed three of them ourselves in the past six years. We put the frameworks in perspective to see what history could teach us about improving air-gapped network security and our ability to detect and mitigate future attacks.

This exhaustive analysis allowed us to isolate several major similarities in all of them, even those 15 years apart. We pinpoint the specific areas of air-gapped networks that are consistently leveraged by malware in order to operate, and provide objective advice on how best to prioritize the deployment of resources to increase security.

Specifically, this presentation covers the similarities in execution vectors used on the connected and air-gapped sides of targeted networks, the air-gap-crossing mechanisms and communication protocols used to control the components running on the isolated networks, the information stealing techniques, and, finally, the propagation and lateral movement capabilities.

Our analysis shows that, in many aspects, most frameworks differ only in implementation details, mostly because of the severe constraints imposed by air-gapped environments. Armed with this information, we cover techniques that can be implemented to harden the specific areas repeatedly abused by air-gap-aware frameworks, and strategies to detect their presence, such as how to prevent removable drive abuse and how to detect the host- and network-based reconnaissance activity that is often observable within the isolated network under attack.

Our aim is to convince the audience of the importance of having the proper defense mechanisms in place to mitigate the techniques used by virtually all of these frameworks observed in the wild, before looking into the many theoretical air-gap bypass techniques that have taken most of the spotlight in recent years despite none of them ever having been used in a real attack.

This is a must-see session for anyone responsible for the security of an air-gapped network, but also for anyone interested in the history and evolution of these fascinating attacks.