Airgap is the home for Zero Trust Isolation and industry’s first Ransomware Kill Switch. We stop Ransomware and any malicious lateral communications in seconds.
Ransomware as a weapon of choice or just a diversion?
Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. Over the past year, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple sectors of the economy.
Ransomware malware, denial-of-service attacks, and brute-force account takeover are common threat vectors. These methods are used by local hackers, state-sponsored terrorists, and underground cybercriminals. While these methods seem overused in the cyber world today, they still work. Even with advances in adaptive controls in the EDR, XDR, and email security space, these attack capabilities still cause a vast amount of disarray.
CISA, FBI, and United States Secret Service have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.
Hacker groups have become very nimble while using these methods. On any day, somewhere in the world, a new variant of malware, ransomware, or a phishing attack is released. Within seconds of releasing the attack, the hackers change their attack tool and re-release the payload somewhere else in the world.
This unpredictable method of attack against the cloud, internal networks, and SaaS platforms continues to plague the victims’ systems.
Predicting the unpredictable
We typically define cyber warfare as an act of war using internet-enabled technology to perform an attack on a nation’s digital infrastructure, such as with computer viruses or a distributed denial-of-service attack.
For cybercriminals, ransomware is all about making money and, in order to achieve that goal, they aim to gain access to as many PCs and servers as possible before deploying their ransomware. They then demand a ransom payment for the decryption key. Unfortunately, these campaigns of extortion are proving successful because cybercriminals can make hundreds of thousands of dollars in one go if the target organization pays.
Because the attacks could use modified variants of ransomware commonly used by cybercriminals, it creates the possibility that the real culprit behind an attack and its motives will remain forever hidden. It is therefore possible that nation-state-backed hacking campaigns with the goal of pure destruction could turn to ransomware as an attack tool, with no interest in financial gain.
A global problem with troubling regional alliances
The Federal Bureau of Investigation has warned U.S. businesses to be on the alert for a sophisticated Iranian hacking operation whose targets include defense contractors, energy firms and educational institutions.
The Russian group, known as “Turla” and accused by Estonian and Czech authorities of operating on behalf of Russia’s FSB security service, has used Iranian tools and computer infrastructure to successfully hack into organizations in at least 20 different countries over the last 18 months, British security officials said.
The hacking campaign, the extent of which has not been previously revealed, was most active in the Middle East but also targeted organizations in Britain.
Officials in Russia and Iran did not immediately respond to requests for comment sent on Sunday. Moscow and Tehran have both repeatedly denied Western allegations over hacking.
Unlike conventional attacks, the possible impact of a cyberattack can be hard to predict accurately. Plausible deniability exists because, most of the time, cyberattacks can be launched from an unwitting host. For example, partial control of your home computer could be taken over without your knowledge and used to start a chain of attacks.
Cyberwarfare is already operational well before the battle has begun
But there’s powerful evidence tying Russian hackers to cyberattacks in Ukraine. Going back to 2015, after the Russian invasion of the Crimean Peninsula, suspected Russian hackers knocked out electric power for around 230,000 customers in western Ukraine. Attackers repeated the trick the following year, expanding the list of targets to include government agencies and the banking system. In the hours before Russian troops invaded, never-before-seen malware designed to wipe data hit Ukraine — an attack the Ukrainian government said was “on a completely different level” from previous attacks.
Beware the Chinese Ransomware Attack With No Ransom
Taiwan suspects that state-backed hackers were behind at least one major malware attack on the island last year. In May 2020, CPC Corporation — a government-owned refiner in Taiwan — was hacked and left unable to process electronic payments from customers. The Ministry of Justice Investigation Bureau accused a hacker group linked to China of carrying out the attack.
A breach by Chinese hackers of almost a dozen targets in Taiwan looked, on the surface, like just another ransomware attack: infiltrate a network, encrypt a ton of files, lock the owners out of their own systems, and wait to be paid.
Formosa Petrochemical Corp. and state-run petroleum company CPC Corp. were among those hit in May 2020 by the Chinese Winnti group. The U.S. indicted seven members last year for a series of attacks that allegedly affected over 100 high-tech and online gaming companies globally.
How closed-loop systems have become exposed to real-world cyber attacks
Stuxnet virus represents an actual threat
A malicious computer attack that appears to target Iran’s nuclear plants can be modified to wreak havoc on industrial control systems around the world, and represents the most serious cyberthreat known to industry, government officials, and rival hacker groups.
Unsecured Internet of Things devices have already been used in a botnet-level attack, including Mirai. This botnet was used to carry out Distributed Denial of Service attacks against websites. But because that secret double life didn’t really affect the day-to-day performance of these gadgets, owners probably barely noticed.
It’s easy to imagine a situation where the growing deployment of IoT devices could be used against us, too. An attacker could switch on every smart appliance at once to overload the power network, or cause chaos by turning every smart lock into a useless piece of metal. IoT gadgets are vulnerable tools for cyber espionage: we are literally filling our homes and offices with cameras and microphones that are far too easy to hack.
How to make the unpredictable - predictable?
Each day, more cybersecurity architects, SecOps and DevOps teams realize that corrections following the normal workstream of detection, correction and monitoring will not work in the future. Attack vectors have become more sophisticated at evading the detection layers within the security fabric. More often, patching a system as a corrective action becomes a lost cause. Many patches become outdated even before the client executes a change control. Most often, the patches from software and hardware manufacturers cause more problems than they solve for the immediate security vulnerability. Hackers and cybercriminals know this. Increasingly, hackers study the release notes from all the major software companies to determine which CVE they should exploit as part of their zero-day attack.
Moving towards a Zero Trust isolation strategy
Hackers and their methods will continue to develop. Software and hardware platforms will always have vulnerabilities in some form. Even with automated patch management, all systems within the enterprise network and cloud presence will be vulnerable.
How will organizations change the playing field against cyber attacks?
Similar to the agile DevOps strategy for application development, SECOPS and NETOPS teams are seeing the value in zero-trust isolation functionality. Over the last 4 years, application developers have moved rapidly away from virtual machines, Windows-based operating systems, and applications toward a Docker container strategy. Within the Docker container, developers control their own version of the Linux operating system along with their application’s explicit functions inside that container. By moving their workloads into a container, the DevOps and application development teams predictably control when they update their Linux image, their application, and their security controls. With Kubernetes, the teams control where they deploy their containers: cloud, on-premise, or a FedRAMP network. With Docker, application containers become predictable platforms.
Importance of Containment protection for Critical infrastructure
Real-time visibility, OT/IT/IoT workload segmentation, least-privileged and just-in-time (JIT) access, adaptive incident response, and breach containment must work together to protect critical workloads at scale and provide intuitive, high-availability deployment and SOC log extensibility.
Deploying preventive or containment capabilities alone will not solve every attack issue inside of corporate IT or OT/ICS/IoT networks. While micro-segmentation reduces the attack surface, several other critical adaptive controls need to be enabled in coordination. Deploying layers of adaptive controls without a level of coordination in many cases does not improve the business or security resilience of the organization. A good example of this is the implementation of multi-factor authentication supporting zero trust remote access strategies.
Organizations have responded by enabling Multi-Factor Authentication on employee access to their SaaS and Cloud applications through their Single Sign-On (SSO) providers. The use of MFA protects these services by providing an additional layer of security validation, such as a phone or token, to verify a user’s identity before granting access.
MFA is a critical piece of the zero-trust strategy, however, this adaptive control offers no prevention or reactive capabilities during a ransomware outbreak.
Airgap Networks SAA can enable MFA authentication. It builds upon MFA authentication by also analyzing user traffic and preventing attempts to breach the applications, essentially acting as a web application firewall.
[Figure: Remote User connects through the Airgap Access Gateway (Airgap Management) to Web App, SSH App and RDP hosted in the Corporate Data Center, Virtual Data Center and Public Cloud. Captions: Seamless Deployment; Securing Web and Non-Web Application Access.]
Organizations need a solution that can ensure private applications are accessed securely while delivering a frictionless user experience.
Airgap SAA deployment does not require any changes to your existing infrastructure.
Even with a well-coordinated adaptive control, containment, and isolation strategy, having a well-defined security response plan will also reduce the overall impact of the cyber event. CISOs, SECOPS, and NETOPS should align to the same response plan in case of an outbreak to include:
Determine which systems were impacted, and immediately isolate them.
Only if you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.
Triage impacted systems for restoration and recovery.
Ultimately, the goal of the organization should be the following:
With Airgap ZTI deployed within the OT/ICS/IoT and corporate networks, organizations will be in compliance with the ISO 27001/2 security regulations by seeing and controlling which devices are allowed on the network.
Airgap automatically logs all IT/OT/IoT devices agentlessly and enforces access policies per identity and context. All elements of ISO 27001/2 covering management and organization of information, restriction and access control, monitoring, and lines of responsibility are provided in the SaaS platform.
How can network security become predictable?
Isolation and segmentation of a network are not new to the IT landscape. Micro-segmentation has also been implemented by many global organizations looking to divide up their flat networks through SD-WAN, SASE/Zero Trust access, and legacy VLAN segmentation. While these methods are proven to segment traffic, agent-based solutions do not contain a ransomware outbreak within a micro-segmented zone. The complexity and cost of implementing SD-WAN and agent-based segmentation tools have been called into question by many CIOs and CISOs over the lack of containment during a cyber attack outbreak.
Moving forward with Agentless Zero Trust Isolation™ with Airgap Networks
Airgap Networks, released in 2021 at the Black Hat conference, offers zero trust agentless segmentation for any network without the need to deploy an agent on the client or host machines. Airgap’s strategy of creating ring-fenced protection zones within the existing networking topology makes it strategically important for organizations battling unpredictable known or unknown threats, including ransomware. No network is 100% safe from a cyberattack. However, the Airgap Ransomware Kill Switch™ can block ransomware from moving outside of the fenced zones within the network. Leveraging a zero trust containment and compartmentalization strategy, Airgap has succeeded in stopping ransomware from affecting other systems outside of the fenced zones.
Will Townsend, a global blogger and a contributor to Moor Insights & Strategy, recently commented on Airgap Networks’ capabilities. “Network segmentation is designed to ringfence every endpoint, implement zero-trust provisions across LAN, data center, and cloud, and employ autonomous policy and artificial intelligence to facilitate policy decisions. Airgap’s ability to do all the above without device agents is compelling. It doesn’t modify existing networking infrastructure and can work with headless devices found in many Operational Technology (OT) environments. Airgap is also trailblazing the Secure Asset Access (SAA) category. SAA aims to employ zero trust principles by enforcing integrated single sign-on (SSO) before granting remote access to any private application.”
Airgap Zero Trust Segmentation provides full visibility and control over the entire network traffic flow. It can eliminate unauthorized lateral movement and lets you know your security hygiene at all times. Ring-fencing every single IP device (IT/OT/IoT) gives you the granular control needed to contain breaches with our patented Ransomware Kill Switch technology.
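To make the ring-fencing and kill-switch idea concrete, here is an added example (not Airgap’s code, and not its product API) of a hypothetical policy model: every device sits in its own fence, east-west flows inside the assumed corporate range are denied unless an identity-based rule allows them, north-south flows are passed to the existing perimeter controls, and arming the kill switch drops all lateral traffic during an outbreak. Device identities, addresses and the allow rule are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")  # assumed internal address space


@dataclass(frozen=True)
class Device:
    ip: str
    identity: str  # policy is written against the identity label, not the IP


@dataclass
class RingFence:
    """Per-device fence: lateral flows are default-deny, allowed only by identity rule."""
    allow: set = field(default_factory=set)  # {(src_identity, dst_identity, dst_port)}
    kill_switch: bool = False                # armed during a ransomware outbreak
    log: list = field(default_factory=list)  # audit trail for the SOC

    def is_east_west(self, src: Device, dst: Device) -> bool:
        return ip_address(src.ip) in CORP_NET and ip_address(dst.ip) in CORP_NET

    def decide(self, src: Device, dst: Device, port: int) -> str:
        if not self.is_east_west(src, dst):
            verdict = "PASS:north-south"      # left to existing perimeter controls
        elif self.kill_switch:
            verdict = "DROP:kill-switch"      # outbreak: no lateral traffic at all
        elif (src.identity, dst.identity, port) in self.allow:
            verdict = "ALLOW:policy"
        else:
            verdict = "DROP:default-deny"     # e.g. workstation-to-workstation SMB
        self.log.append(f"{src.ip}->{dst.ip}:{port} {verdict}")
        return verdict


def demo() -> list:
    # Constructed sample devices; 203.0.113.0/24 is documentation space (TEST-NET-3).
    ws1 = Device("10.1.1.10", "hr-laptop")
    ws2 = Device("10.1.1.11", "hr-laptop")
    srv = Device("10.2.0.5", "file-server")
    ext = Device("203.0.113.7", "internet-host")
    fence = RingFence(allow={("hr-laptop", "file-server", 445)})
    before = [fence.decide(ws1, srv, 445),   # allowed by identity rule
              fence.decide(ws1, ws2, 445),   # lateral SMB between peers: dropped
              fence.decide(ws1, ext, 443)]   # north-south: passed through
    fence.kill_switch = True                 # outbreak declared
    after = [fence.decide(ws1, srv, 445),    # previously allowed flow now dropped
             fence.decide(ws1, ext, 443)]
    return before + after
```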
Airgap’s identity-based agentless segmentation is the only solution from the core to see and throttle north-south and east-west communications without displacing your existing investments.
There is no way to know for certain when a cyber-attack may start or what shape it may take, but deploying Airgap Networks’ zero trust security without implicit trust, together with an understanding of C&C communication behaviors, can reduce the attack surface and minimize the impact of what we expect to come. This makes the SECOPS and DEVOPS strategies for stopping and containing ransomware attacks more predictable.