Not Only Love Is in the Air

Air-gapping is a security measure designed to isolate digital assets and networks from outside connections, to protect against hackers, malware, and other threats by creating an impenetrable barrier. It has its merits, but it has its security issues too, and for a cybersecurity solution to deploy, it needs the right solutions and set-up.

From Network Protection to Deployment: Types of Air Gapping

Network Air Gapping

Network air gapping creates an isolated network disconnected from the internet, enhancing security and preventing unauthorized access. Common in high-security environments like military and financial systems, this setup complicates data transfer, maintenance, and updates, which must be done manually, posing significant operational challenges.

Deployment Air Gapping

Deployment air gapping involves placing critical applications in isolated, physically separated networks to shield sensitive data from external cyber threats. Commonly used in banking, healthcare, and utilities, these servers can only be accessed physically. Data handling is done via USB, external media, or physical plug-ins.

Virtual Air Gapping

Virtual air gapping isolates activities and devices using separate virtual machines (VMs), providing superior security compared to firewalls and anti-virus software. Different VMs are used for web surfing, accessing the corporate network, and performing confidential tasks. This method avoids the inefficiencies of physical air gaps, effectively separating the corporate network from the internet and sensitive data.

As a security measure Air gapping is designed to create a potentially impenetrable barrier between digital assets, networks, and potential threats such as hackers, malware, insiders, power outages, and natural disasters. Implementation begins with the creation of a separate network that is completely disconnected from all external networks and the Internet. This strategy involves isolating digital assets from all network connections and ensuring physical separation to thwart unauthorized access. For example, storing backup tapes in a secure facility such as a salt mine is an example of the extreme measure of air-gapping to prevent unauthorized data access. Air gaps serve two primary security purposes: defending against network attacks and protecting digital assets from destruction, unauthorized access, or tampering.

Operational Challenges for High-Security Environments

Air-gapped networks operate without physical or wireless connections to external networks and the Internet, requiring manual data transfers to strengthen security. This process requires additional verification protocols to be applied prior to manual data transfers to ensure they are not compromised, such as scanning, digital signature verification, data sanitization, and more. However, this approach makes maintenance and operations difficult, with challenges such as managing software updates and synchronizing data due to the lack of connectivity. Despite these hurdles, air-gapped networks are commonly used in high-security environments such as military and financial systems to protect sensitive data.

An air-gapped network architecture involves placing critical applications on isolated networks that are physically separated from external networks, thereby protecting sensitive data and transactions from cyber threats and unauthorized access. This strategy strengthens security by eliminating potential attack vectors associated with Internet connectivity, thereby preventing data breaches, fraud, and other cyberattacks.

In air-gapped environments, data transfer, patches, and updates occur via USB drives, external media, or other offline methods (sneakernet), requiring secure handling/verification of physical media to prevent potential introduction of malware into the air-gapped network. Application and system management requires a physical connection to the internal network. Although more secure, air-gapped environments are generally considered more demanding and costly to manage.

What if Cyber Risks in Air-Gapped Networks Still Exist?

Air-gap attacks occur in environments where work and internet networks are physically separated, known as network separation, which shall protect internal information from external intrusion. Network separation, classified into physical and logical separation, forms the base environment for air-gap attacks, which often use side-channel methods involving timing information, power, and electromagnetic signals.

Despite the potentially higher security due to the lack of communication with external networks, data and networks behind air gaps are unfortunately still exposed to various cyber risks:

1. Insider attacks: Malicious insiders with access to the network can intentionally compromise security by introducing malware or stealing sensitive data.

2. Physical attacks: Attackers could physically enter the facility where the network is located without an internet connection to plant malicious devices or steal data.

3. Attacks via the mobile network: Sophisticated methods such as the exploitation of electromagnetic emissions or acoustic signals can potentially penetrate shielded environments.

4. Attacks via the supply chain: Malware can be introduced via hardware, e.g. routers or manipulated software, and exploit vulnerabilities of the respective manufacturer to gain access to the isolated environment.

5. Human error: Errors in manual data transfer, such as the use of infected media, can unintentionally introduce vulnerabilities or malware into the network.

Detect Insider Threats with Behavioral Analytics: An AI-Based System to Improve the Security of Isolated Networks

An AI-based network detection system can help minimize cyber risks in isolated networks by analyzing user behavior patterns to detect insider threats. Especially with behavioral analysis: The AI system constantly monitors the typical behavior patterns of users and devices on the network, such as usual login times, data access habits and file transfer activities, and learns from them. By creating a baseline for normal behavior, the AI can detect deviations from this norm. For example, if an employee or device that normally accesses certain files suddenly accesses sensitive or restricted data at unusual times, the AI will report this as an anomaly. When the AI detects suspicious activity such as unusual data access or large data transfers that deviate from the usual patterns, the security team is immediately notified. The more data the AI system collects over time, the more accurately it can distinguish between harmless anomalies and real threats, reducing the number of false positives and improving overall security.

By proactively detecting unusual behavior that indicates malicious insider activity, an AI-powered network detection system significantly increases the security of networks with air gaps and helps to minimize cyber risks in isolated networks in a number of ways, particularly regarding the following scenarios:

• Insider threats: AI analyzes user and device behavior patterns to detect anomalies that indicate potential threats, such as unusual data access or transfer activities, and alerts users to these anomalies.

• Physical attacks: AI-based monitoring and control systems can also improve physical security by detecting unauthorized access, movement, or other unusual activity on the network, helping to identify physical infiltrations.

• Supply chain attacks: AI can verify the integrity of hardware and software before it enters the protected environment and identify and contain potential threats to the supply chain. For example, if vulnerabilities in the hardware or software of the shielded network that are exploited by malware attempt to move laterally within the network or establish and communicate with a command and control (C&C) channel, an AI-based security system can detect this.

• Human error: AI can support the data transfer process in the network by scanning and checking media for malware before they enter the network, thus reducing the risk of accidental contamination. In addition, AI can provide real-time guidance and checks to ensure that data transfers are handled securely.

Put Some Intelligence in the Air First:

Implementing a cybersecurity tool via an air-gapped deployment is an option for many sensitive industries, where access control and authentication should result in data privacy and compliance and may prevent unauthorized access to the cybersecurity tool system within the air-gapped network, especially with regard to storing and processing sensitive network data within the air-gapped environment. Tools such as ExeonTrace's machine learning NDR ensure effectiveness despite the lack of Internet connectivity. With its pre-trained models, customers select AI models and algorithms that can operate effectively with the network metadata (pre-) collected within the air-gapped environment without requiring constant Internet access for updates or training. It does not require the deployment of network sensors to capture network traffic and metadata, nor does it require a connection to external servers.

To implement an air-gapped network, organizations must begin with assessment and planning by identifying critical assets and infrastructure that could benefit from air-gapping. Design the network architecture to ensure physical isolation and incorporate strong access control mechanisms. During implementation, build and install the network without physical or wireless connections and use encrypted methods for data transfer. Establish data handling protocols by defining and enforcing strict data transfer policies, such as the use of sanitized and verified physical media. Finally, maintain the network with regular updates and patches, and conduct scheduled security audits to ensure compliance with security policies.

ExeonTrace’s AI models deployed within the air-gapped environment ensure that their models are properly configured and optimized for the specific network architecture and traffic patterns. The captured network data is pre-processed within the air-gapped environment. This includes cleaning, aggregating, and structuring the data to prepare it for AI analysis. Using pre-trained AI algorithms to analyze network data and detect anomalies, intrusions, or suspicious activity, the algorithms are implemented to identify patterns indicative of cyber threats without relying on external data sources and later develop mechanisms to generate alerts and notifications based on the AI-detected threats. This ensures that the alerts can be managed and responded to within the air-gapped environment, potentially integrating with other local security incident management systems, and makes it possible to continuously monitor the performance of the AI-powered cybersecurity tool within the air-gapped environment and evaluate and strengthen its effectiveness in detecting and responding to threats based on historical data and real-world incidents.

To enforce security and compliance, additional data diodes can be used to physically enforce a one-way data path, ensuring that information can only flow in one direction, designed to allow data to be sent out of the secure network (outbound) but block any data from entering the network (inbound), maintaining the integrity of an air-gapped system by eliminating the possibility of inbound connections, thereby preventing any external threats from accessing the network.