Attack Vector Concept — Air Gap — Security analysis with Threat Modeling
Air Gap — Description
An air gap attack is an attack that travels into a network architecture even though it is network wise isolated to the rest of the world. To succeed with such an attack, a piece of malware needs to be brought into the internal network environment more or less by hand. Such cases can be when computers or portable media are first connected to external networks and then, later, connected to the internal network. There are several probabilities to consider regarding this; first the probability of an externally connected computer being infected and then how often that same computer is connected to the inside network. Another case is when externally developed software or updates are being taken from the outside and installed/updated on the inside.
Talking about isolated environments, protected by air gaps, we often mean highly sensitive environments related to critical infrastructure like power plants and similar appliances. However, as we shall see in the next sections, bringing potentially infected pieces of equipment into an internal network zone, might give the attacker a short cut deep into internal network zones, bypassing several network based protection mechanisms.
But for now, we start by looking at a traditional air gap environment and how to represent an attack targeted at it.
Model
When modeling the air gap, we have not connected the “Ext GW” to the “External Zone” network. An “External Gateway” probably does not even exist, otherwise there would not be an air gap. Then we have connected the attacker to a separate host that we imagine have been, more or less deliberately, infected by malicious software introduced by the attacker. (Connection between the attacker and the “Infected Host” is “Compromise”. Then we add a Router object representing the air gap, short-circuiting the (non-existent) external gateway.
Attack Vector Attenuation
So far, we have set up a router representing an air gap and let it have perfect parameters; the malware on the infected host’s side will not be able to enter the internal zones. Bridging an air gap is considered a hard thing to achieve, even though it is not impossible. Therefore, we want to introduce some hopefully small probability that this might happen. To achieve this, please select the firewall connected to the air gap router object and look at the defenses of it.
As we can see, the defence Enabled is set to On (by default) and the defence KnownRuleSet is also set to On (for this particular firewall).
Consider the case when employees connect equipment they have previously connected to foreign network zones to the internal network zones says once a year. Then the malware has managed to bypass the perfect air gap that often (1/365=0,003), which means we can set the “Enabled” defence of the air gap to 1–0,003=0,997.
In other words; during 0,3% of the time, the air gap will not be functional but instead a bypass route from the infected host to the internal network zones protected by the air gap.
Conclusions
In the above set-up, the air gap router is actually the business or IT security rule saying that no external equipment may be connected to any internal network zones. Therefore, the firewall connected to the air gap router shall be perfect; KnownRuleSet=On. The access control connected to it shall also be perfect and the necessary network administration zone shall also be isolated and not connected to anything else. According to the securiCAD logic, this router is then impossible to traverse. The malware on the infected host will not be able to reach the internal zones.
When introducing the attack step attenuation set up, using the “Enabled” defense of this perfect router we have added, the extra router is acting as a “valve” deciding how probable we estimate this type of attack to take place.
