How to use air gaps for ransomware defense

Air gaps can be a valuable last line of defense against ransomware. However, both logical and physical air gaps have vulnerabilities that can be exploited by bad actors.

Ransomware is a major factor that drives data backup strategies. Data recovery is critical for organizations to get back online without paying ransom fees. Because of this, backup environments have become prime targets of ransomware attacks.

Air-gapped storage has gained popularity as a tool against ransomware -- for good reason. Air gaps create a backup copy that is isolated and more difficult for bad actors to access and encrypt. However, air gapping is not foolproof against ransomware either. Some key best practices help ensure that air-gapped backups stay secure.

Air gaps vs. ransomware

Air gapping is a technique that stores a backup copy on storage infrastructure that is not accessible from an external connection. There are physical air gaps, which use removable storage media to create isolation, and logical air gaps, which create isolation by removing access from host or administration networks.

Air gaps are inherently effective against ransomware for backup protection. The isolation provides a stopgap against intentional logical corruption, such as encryption, as well as unintentional corruption resulting from human error. Even if the hacker can penetrate the production environment or the main backup environment, the air-gapped copies are stored separately and cannot be accessed.

Why air gaps are not bulletproof

Air-gapped storage strategies have their merits, but they also have their vulnerabilities.

Removable storage media, such as tape or removable disk, can be stolen if a bad actor gains physical access to the device in question. There is also the risk of human error, such as a storage device inadvertently being left plugged in, online and possibly accessible.

Arguably, the biggest concern for both physical and logical air gaps is the rise of sleeper ransomware attacks that infiltrate the backup environment and lie dormant. With these attacks, it is possible for ransomware to slip into the storage media rotation undetected, or to cross over while a network is temporarily open for a data transfer. Bad actors sometimes monitor for patterns of behavior so that they know when to strike. The ransomware would then be present on the backup itself, rendering the air-gapped copy unusable.

How to use air gaps for ransomware protection

There are several factors that determine the success of an air-gap strategy, beyond simply sending a backup copy off-site. The air-gapped copies should be immutable so that, even if they are accessed, they cannot be encrypted or deleted by attackers. Another way to inhibit bad actors is encryption of data at rest and in flight.

For physical air gaps, a best practice is to make sure that the tape cartridge or other storage device is not accessible by the application. For logical air gaps, users should understand who has control over opening the network connection and what safeguards exist to make sure that the network connection is open only during the data transfer. Anomaly detection to understand behavior that could indicate a ransomware attack -- such as large-scale encryption or deletion requests -- is another valuable safeguard.
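As an added illustration of the logical-air-gap and anomaly-detection safeguards above (example code written for this page, not from the original article or any backup product), the script below scans a constructed vault audit log for two signals: the vault link being opened outside the scheduled transfer window, and a burst of deletion requests. The log format, window hours and thresholds are assumptions.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed audit log from a hypothetical backup vault behind a logical air gap.
SAMPLE_LOG = """\
2024-05-01T02:00:03Z LINK OPEN job=nightly
2024-05-01T02:14:51Z OBJECT PUT key=db/2024-05-01.bak
2024-05-01T02:15:02Z LINK CLOSE job=nightly
2024-05-01T11:42:10Z LINK OPEN job=manual
2024-05-01T11:42:11Z OBJECT DELETE key=db/2024-04-28.bak
2024-05-01T11:42:12Z OBJECT DELETE key=db/2024-04-29.bak
2024-05-01T11:42:13Z OBJECT DELETE key=db/2024-04-30.bak
2024-05-01T11:42:14Z OBJECT DELETE key=db/2024-05-01.bak
"""

LINE_RE = re.compile(r"^(\S+) (LINK|OBJECT) (\w+) (.*)$")

# Assumed schedule: the vault link may only be open between 02:00 and 03:00 UTC.
WINDOW_START, WINDOW_END = 2, 3
# Assumed threshold: more than DELETE_LIMIT deletes inside DELETE_SPAN is mass deletion.
DELETE_LIMIT = 3
DELETE_SPAN = timedelta(minutes=5)

def parse(log):
    """Turn raw log lines into (timestamp, kind, action, detail) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), m.group(4)))
    return events

def find_alerts(log):
    """Return human-readable alerts for off-schedule link opens and delete bursts."""
    alerts, delete_times = [], []
    for ts, kind, action, detail in parse(log):
        if kind == "LINK" and action == "OPEN" and not (WINDOW_START <= ts.hour < WINDOW_END):
            alerts.append(f"{ts.isoformat()} link opened outside transfer window ({detail})")
        if kind == "OBJECT" and action == "DELETE":
            delete_times.append(ts)
            # sliding window: keep only deletes within DELETE_SPAN of the newest one
            delete_times = [t for t in delete_times if ts - t <= DELETE_SPAN]
            if len(delete_times) > DELETE_LIMIT:
                alerts.append(f"{ts.isoformat()} {len(delete_times)} deletes within {DELETE_SPAN}")
                delete_times = []  # one alert per burst
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

In practice the same checks would run against the vault's real audit trail, with the window and thresholds tuned to the site's backup schedule.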
