Today’s ransomware attacks are more sophisticated and often spread through unpredictable attack vectors. So, there is no silver bullet for avoiding such attacks in a complex IT environment with remote working and outsourced service providers in the mix. But it is relatively easy to detect ransomware early in the kill chain. After the initial attack vector, the ransomware can spread laterally through the entire network in a matter of a few days, if not hours, encrypting all of the critical production and backup data, finally demanding a ransom in exchange for a decryption key. However, hackers can also exfiltrate the data to “name and shame” your company or sell it on the dark web leading to a double whammy. So, having a good strategy to defend against such attacks would undoubtedly prevent organizations from paying millions of dollars, depending on the magnitude of the attack and the sensitivity of the data in ransom, penalties, and litigation costs.
One of the critical components of this strategy is to air gap your backup storage. An air gap is a safeguarding mechanism that isolates the backup storage of an organization from any network access. According to the federal regulatory agency FFIEC, “An air-gapped data backup architecture limits exposure to a cyber-attack and allows for data restoration to a point in time before the attack began.” Similarly, the federal agency CISA recommends regularly backing and air gaping the organizations’ critical data. A correctly implemented air gap solution should be able to protect backup data from a ransomware attack as well as helps to restore data quickly after its containment.
A typical air gap deployment involves a software-only or a software and hardware (hybrid) solution. However, whether using software or a hybrid solution, you should always complement the air gap implementation with the following tools to be more effective.
The first one is a Data Backup and Recovery tool supporting immutable (read-only) backups that cannot be encrypted or deleted by ransomware. Many network storage vendors like Dell Technologies (EMC), IBM, HPE, NetApp, and Pure Storage offer an immutable backup solution in-house or in partnership with companies like Veeam, Veritas Technologies, Commvault, Rubrik, and Cohesity.
Another essential tool is Network Detection and Response (NDR), an AI-based network traffic analysis tool that detects and stops spreading ransomware early in the kill chain. The network equipment vendors like Cisco Systems, Juniper Networks, Gigamon, and Arista Networks offer NDR solutions in-house or in partnership with companies like Vectra and Darktrace. Some of the Data Backup and Recovery solutions mentioned above can also provide ransomware detection capabilities which means you may not need a standalone NDR.
However, even though these products claim to meet or exceed the air gap benefits, they are again a piece of software vulnerable to ransomware exploitation. Moreover, some of these products’ primary focus is cloud-based disaster recovery services which, according to FFIEC, have unique data integrity risks. Therefore, it is essential to complement backup software and NDR with an actual air gap solution for any organization requiring higher data security and integrity.
Air-gapping using a software-only approach
There are different ways of implementing software-only air gaps. For example, a simple script applies a firewall rule to open up network access to the backup source when the backup software initiates the process. The problem with the software-only approach is that ransomware could circumvent the firewall policy using privilege escalation or other firewall vulnerabilities, exposing your backup data to attacks. Today’s ransomware can exploit the vulnerabilities of any Linux variants, Unix-like OS, and Windows OS. So, many security appliances, application servers, L2/L3 switches, and even NAS devices could be easy targets for the attack.
Air-gapping using a hybrid approach
According to FFIEC, An air gap is a security measure that isolates a secure network from unsecure networks physically, electrically, and electromagnetically. The following scale-out NAS cluster example uses Echola Systems’ fiber-cut optical switch VFC2011-SM to provide electrical and electromagnetic isolation through fast optical switching (switching time well less than 10ms). The network isolation is achieved through fiber-cut simulation that can be automated using REST APIs/CLIs through an out-of-band management channel. You can also use this device as a kill switch to instantly block the lateral movement of ransomware for better containment.
The VFC2011 is a 20-port switch with LC connectors, and each port can support up to 100G. Considering both directions (Rx/Tx), one switch can support up to 10 nodes of 25G (single-lane), and 4 such switches can support up to10 nodes of 100G (4 lanes with breakout cables). Since it is an L1 (physical layer) switch, there is no way the ransomware can breach the vault. The fiber-cut switch’s management port is also completely isolated from network access. But you must ensure that your vault network is not discoverable and accessible from your production network due to any network leaks, which could expose your vault network to attacks.
An air gap client is a piece of software that runs on a separate host as a VM or as a containerized app inside the vault. All incoming traffic to the VM is permanently blocked. The air gap client communicates with an air gap monitor software using the inside-out connection to the production network. The air gap monitor uses NDR and Backup software APIs to get their state periodically and store them in their own memory space. The air gap client gets these states by polling the air gap monitor from within the vault. Once the backup/replication is complete, the air gap client severs the connectivity. Please note that the air gap client and monitor script are implementation dependent, so you must write your own. Please refer to the automation section of the VFC2011-SM manual for scripting help.
If your NDR can’t catch ransomware early in the kill chain, the backup data may not be clean. Therefore, you must ensure that restoration begins with a clean backup or snapshot.