Thinking Ransomware Defense: Air Gaps?
Air Gaps Aren’t Effective; Scratch Them From Your List . . .
The number of companies falling victim to ransomware attacks continues to grow each day. Ransomware inflicts extreme pain, leading to business closure or significant business disruption. Vendors are developing technology architectures and approaches to address these challenges. Each technology and approach has its pros and cons. However, an air gap is not effective, as malware is sophisticated enough to thwart such measures. Let me explain.
Imagine a drawbridge across a river that operators lift to allow tall ships to pass under. After a ship passes, you lower the leaves to allow vehicles to drive over. Air-gap setups are analogous to drawbridges. You keep the leaves raised (network in disconnected mode) until you need to move the data.
GIF source: Wikimedia Commons
. . . Because . . .
Enterprises have built tools, processes, and procedures around network segregation that, at best, acts as an air gap. Backup teams connect two isolated networks, much like lowering a drawbridge. Herein lies the problem. Connecting the networks a few times a day, even for a limited time, is enough for the malware to traverse. Malware creeps into the corporate network despite multiple layers of security tools. What would stop malware from moving along the channel, riding over legitimate backup data? Ransomware developers know how and when the network pipe opens, and how to exploit that opening.
The business requirements and operational realities of air gaps collectively do not allow firms to operate an ideal (physical) air gap. A few reasons are:
- It’s humanly impossible to manage an air-gap setup. Firms must manage an increasing volume, variety, and change velocity of data. You can’t operate a physical air gap where people or machines carry disks to and fro between two disconnected infrastructures. That happens only in highly classified or secret-service deployments.
- Today’s operational models and technologies will make air gaps useless. Firms increasingly use technologies such as continuous data protection or asynchronous replication to meet stringent availability and recovery service-level agreements. Developing and maintaining a true air-gap setup will only undermine those service-level achievements.
- COVID-19 adds fuel to the fire. COVID has lowered firms’ ability to fully staff a data center. Your IT processes and technologies prior to the pandemic may have enabled an air-gap setup. Now, your ability to maintain those operations has significantly reduced, and you have likely resorted to a network-based air gap. The pandemic has led firms to divest even more from their own data centers. Firms are opting to consume cloud storage services instead.
- Cloud storage as an air gap is an oxymoron. Firms have absolutely no capability to transfer ongoing backup copies via physical disks/media into the public cloud. Backup or replication tools need a live network connection to move data to public cloud storage.
- Malware can traverse even a perfect air gap, were that unachievable ideal state ever reached. Going back to the bridge analogy, when the leaves come down, you do not inspect a vehicle (the backup copies) for a weapon (the ransomware payload). You don’t examine whether the vehicle itself is a weapon. Malware can get itself carried via the backup media and land in the backup target. Numerous examples demonstrate that malware destroys backup infrastructure before conducting mass-scale encryption or declaring a mega lockout.
For network air gaps to be effective, you must inspect each transferred byte before or after the transfer. Doing so in real time would be an operational nightmare and lead to longer backup cycles. It would be like the chaos on the bridge if you inspected each vehicle while thousands of vehicles lined up to cross in a limited window.
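The post-transfer inspection the paragraph calls for can be made concrete. The script below is an added example, not the author's code or any vendor's product: it walks a backup bundle after the "drawbridge" has closed and flags three things a restore operator would want to know before trusting the copy: files whose hash no longer matches the source-side manifest, files that carry executable content (the "vehicle itself is a weapon" case), and files whose byte entropy looks like ciphertext, which is what a source already encrypted by ransomware produces. The bundle, the manifest and the ransomware-encrypted file are all constructed inline; the paths and the entropy threshold are assumptions for illustration.

```python
"""Post-transfer inspection of a landed backup bundle (added example).

Hypothetical checks, run on the backup target once the network link is
closed again: manifest hash comparison, executable magic-byte detection,
and a byte-entropy test for ransomware-encrypted payloads.
"""
import hashlib
import math
from collections import Counter

# Magic-byte prefixes of common executable containers (PE, ELF, Mach-O).
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf")
# Assumed threshold in bits per byte; random or encrypted data sits near 8.0,
# office documents, CSV and logs sit far lower.
ENTROPY_THRESHOLD = 7.5
# Skip the entropy test on tiny files, where the estimate is unreliable.
MIN_ENTROPY_SIZE = 256


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_bundle(files: dict, manifest: dict) -> dict:
    """Return {path: [findings]} for anything that should block a restore.

    files:    path -> bytes as they landed on the backup target
    manifest: path -> sha256 hex recorded on the source side, kept off-line
    """
    findings = {}
    for path, blob in files.items():
        issues = []
        expected = manifest.get(path)
        if expected is None:
            issues.append("not-in-manifest")
        elif expected != sha256_hex(blob):
            issues.append("hash-mismatch")
        if blob.startswith(EXECUTABLE_MAGIC):
            issues.append("executable-content")
        if len(blob) >= MIN_ENTROPY_SIZE and shannon_entropy(blob) > ENTROPY_THRESHOLD:
            issues.append("high-entropy")
        if issues:
            findings[path] = issues
    # A file the manifest promised but the bundle lacks is also a finding:
    # ransomware routinely deletes or truncates backups before encrypting.
    for path in manifest:
        if path not in files:
            findings.setdefault(path, []).append("missing-from-bundle")
    return findings


# ---- constructed sample data -------------------------------------------
CLEAN_REPORT = b"2024-Q1,revenue,1200\n" * 40
CLEAN_LEDGER = b"acct,debit,credit\n1001,50,0\n" * 30
# Stand-in for a ransomware-encrypted ledger: deterministic pseudo-random
# bytes built from a hash chain, so the example runs offline and repeatably.
ENCRYPTED_LEDGER = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
DROPPED_EXE = b"MZ" + b"\x90" * 300  # PE header prefix, padded

SAMPLE_MANIFEST = {
    "docs/report.txt": sha256_hex(CLEAN_REPORT),
    "docs/ledger.csv": sha256_hex(CLEAN_LEDGER),
    "docs/archive.tar": "0" * 64,  # placeholder hash for a file that never arrived
}

SAMPLE_BUNDLE = {
    "docs/report.txt": CLEAN_REPORT,       # intact
    "docs/ledger.csv": ENCRYPTED_LEDGER,   # encrypted at the source before backup ran
    "tools/helper.exe": DROPPED_EXE,       # executable riding along in the backup set
}


def run_sample() -> dict:
    return inspect_bundle(SAMPLE_BUNDLE, SAMPLE_MANIFEST)


if __name__ == "__main__":
    for path, issues in sorted(run_sample().items()):
        print(f"{path}: {', '.join(issues)}")
```

The manifest comparison only helps if the manifest was recorded before the source was compromised and is stored where the backup job cannot overwrite it; the entropy and magic-byte checks are the independent signals for the case where the manifest itself is stale or was generated from already-encrypted data. In a real deployment the inspection would run on the backup target after the link closes, so a slow scan lengthens the recovery-point window rather than the transfer window the paragraph worries about.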
I do not want to end with a dystopian view. We must face the realities before they hit us hard, which they frequently do.
Let me complete the circle by sharing a list of four technologies that could boost your defenses. Individually, none of these creates a strong, even defense; collectively, they do.
If you want to discuss this topic further, please submit an inquiry request and I will be happy to talk.