Today’s ransomware attacks are more sophisticated and often spread through unpredictable attack vectors, so there is no silver bullet for avoiding them in a complex IT environment. It is, however, relatively easy to detect ransomware early in the kill chain. After the initial attack vector, ransomware can spread laterally through the entire network within a few days, if not hours, encrypting all of the critical production and backup data and finally demanding a ransom in exchange for a decryption key. Attackers can also exfiltrate the data to ‘name and shame’ your company or sell it on the dark web, a double whammy. A good strategy to defend against such attacks would therefore spare organizations from paying millions of dollars in ransom, penalties, and litigation costs, depending on the magnitude of the attack and the sensitivity of the data.
One of the critical components of this strategy is to air gap your backup storage. An air gap is a safeguarding mechanism that isolates an organization’s backup storage from any network access. According to the federal regulatory agency FFIEC, “An air-gapped data backup architecture limits exposure to a cyber-attack and allows for data restoration to a point in time before the attack began.” Similarly, the federal agency CISA recommends regularly backing up and air-gapping the organization’s critical data. A correctly implemented air gap solution should protect backup data from a ransomware attack as well as help restore data quickly once the attack is contained.
A typical air gap deployment is either a software-only solution or a software and hardware (hybrid) solution. Whichever you use, you should always complement the air gap implementation with the following tools to make it more effective.
A Network Detection and Response (NDR) tool is an AI-based network traffic analysis tool that can detect ransomware early in the kill chain and stop it from spreading. Network equipment vendors such as Cisco Systems, Juniper Networks, Gigamon, and Arista Networks offer NDR solutions in-house or in partnership with companies like Vectra and Darktrace.
Another essential tool is a Data Backup and Recovery tool that supports immutable (read-only) backups, which ransomware cannot encrypt or delete. Many network storage vendors like Dell Technologies (EMC), IBM, HPE, NetApp, and Pure Storage offer an immutable backup solution in-house or in partnership with companies like Veeam, Veritas Technologies, Commvault, Rubrik, and Cohesity. Some of these solutions also provide ransomware detection capabilities, which means you may not need a standalone NDR.
However, even though these products claim to meet or exceed the benefits of an air gap, they are still software and therefore vulnerable to ransomware exploitation. Moreover, the primary focus of some of these products is cloud-based disaster recovery services, which, according to FFIEC, carry unique data integrity risks. Therefore, any organization requiring higher data security and integrity should complement its backup software and NDR with an actual air gap solution.
Air-gapping using a software-only approach
There are different ways of implementing a software-only air gap. For example, a simple script applies a firewall rule that opens network access to the backup source when the backup software initiates the process. The problem with the software-only approach is that ransomware could circumvent the firewall policy through privilege escalation or other firewall vulnerabilities, exposing your backup data to attack. Today’s ransomware can exploit vulnerabilities in any Linux variant, Unix-like OS, or Windows OS. So, many security appliances, application servers, L2/L3 switches, and even NAS devices could be easy targets.
Air-gapping using a hybrid approach
The following example shows how a scale-out NAS cluster is air-gapped using an Echola Systems fiber-cut optical switch, the VFC2011-SM. The VFC2011 is a 20-port switch with LC connectors, and each port supports up to 100G. Considering both directions (Rx/Tx), one switch can support up to 10 nodes of 25G (single-lane), and four such switches can support up to 10 nodes of 100G (4 lanes with breakout cables). Since it is an L1 (physical layer) switch, there is no way for ransomware to breach the vault. The fiber-cut switch’s management port is also completely isolated from network access. You must still ensure that your vault network is not discoverable or reachable from your production network through any stray network connection, which could expose the vault network to attack.
An air gap client is a piece of software that runs on a separate host, as a VM or as a containerized app, inside the vault. All incoming traffic to the VM is permanently blocked. The air gap client communicates with air gap monitor software that runs on the production network. The air gap monitor uses the NDR and backup software APIs to fetch their state periodically and stores it in its own memory space. The air gap client retrieves these states by polling the air gap monitor from within the vault.
If your NDR can’t catch ransomware early in the kill chain, the backup data may not be clean. Therefore, you must ensure that the restoration process begins with a clean backup or snapshot.
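As an added illustration (not Echola Systems’ software, and not code from this article), the following Python sketch shows the decision logic an air gap client like the one described above could run: it consumes the monitor’s NDR and backup state, tells the fiber-cut switch to connect only while a backup job needs the vault, fails closed when the monitor is unreachable or reports an alert, and records the newest snapshot that completed before any NDR alert so restoration can start from a clean point. The MonitorState fields, the "connect"/"disconnect" commands and the sample poll sequence are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class MonitorState:
    """One poll result from the air gap monitor (a constructed shape, not a real API)."""
    ndr_alert: bool             # NDR reports ransomware activity on the production network
    backup_job: str             # "idle", "requested", "running" or "completed"
    snapshot_id: Optional[str]  # snapshot that completed in this interval, if any

class AirGapClient:
    """Runs inside the vault; only its outbound polls cross the gap, never inbound traffic."""

    def __init__(self) -> None:
        self.tainted = False             # an NDR alert was seen; snapshots since are suspect
        self.last_clean_snapshot = None  # newest snapshot completed with no alert outstanding

    def step(self, state: Optional[MonitorState]) -> str:
        """Return the command for the fiber-cut switch: 'connect' or 'disconnect'."""
        # Fail closed: an unreachable monitor or an NDR alert keeps the vault isolated.
        if state is None or state.ndr_alert:
            self.tainted = self.tainted or state is not None
            return "disconnect"
        # A snapshot finished while the NDR was quiet is a valid restore point, unless an
        # earlier alert is still outstanding (mark_contained() clears it after IR sign-off).
        if state.snapshot_id and not self.tainted:
            self.last_clean_snapshot = state.snapshot_id
        # Open the vault only while the backup software actually needs the path.
        return "connect" if state.backup_job in ("requested", "running") else "disconnect"

    def mark_contained(self) -> None:
        self.tainted = False

def replay(states: List[Optional[MonitorState]]) -> Tuple[List[str], Optional[str]]:
    """Drive one client through a poll sequence; return the actions and the clean restore point."""
    client = AirGapClient()
    return [client.step(s) for s in states], client.last_clean_snapshot

# Constructed poll sequence: one clean backup, then an NDR alert, then a lost monitor.
SAMPLE_POLLS = [
    MonitorState(False, "idle", None),
    MonitorState(False, "requested", None),
    MonitorState(False, "running", None),
    MonitorState(False, "completed", "snap-0001"),
    MonitorState(True, "requested", None),         # alert: stay isolated despite the request
    MonitorState(True, "completed", "snap-0002"),  # completed under alert: not a clean point
    None,                                          # monitor unreachable: fail closed
]
```

Running replay(SAMPLE_POLLS) yields the switch commands for each poll and "snap-0001" as the only trustworthy restore point.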