Jumping the Air Gap: 15 Years of Nation-State Effort [pdf] (welivesecurity.com)
70 points by shishy on Dec 10, 2021 | hide | past | favorite | 40 comments


I feel like the first person in security who used the term 'nation-state' read it somewhere but didn't know what it meant and now it's meaningless.


From my experience in the industry my guess is that the term originated in the US to resolve the ambiguity of the term "state" here. "State actor" is really what's meant, but to many US listeners would not necessarily imply a "top level" sovereign. Yes, that probably came out of a misunderstanding of the meaning of the term "nation-state," but I think the number of people who know the correct definition of the term is really pretty small.


I feel like I see people being pedantic about "nation-state" and how the US isn't one quite frequently in the last few years and while it's not something that can be proven in an airtight manner, it's bordering on some sort of political statement to insist.

It seems that the UK, Israel, and Pakistan are considered nation-states. Is the US more like them, or more like the Ottoman Empire?

Saying that the US is obviously not a nation-state, seems like denying that there is an American identity the way that there is an Israeli one.


The UK is a typical example of something that isn’t a nation-state - it explicitly has ‘the nations’ within it.

The US also formally recognises multiple nations within it such as the Navajo Nation.

But for example a country like Japan doesn’t formally recognise nations within it (as far as I know?) and is a typical example of a nation-state.


My point is just that rampant pedantry implies anyone who isn't one of the "ignorant masses" agrees on the consensus classification method.

In reality, there is no consensus, as you prove here by confidently categorizing countries differently from others.

“We demand rigidly defined areas of doubt and uncertainty!”


It's like saying '2013 blue Ford Fusion' and then when someone points out it's actually a green Dodge complaining that they're being pedantic. Why be so bizarrely overly specific? Would have been less work to be more generic.


Pedantically, the word "nation" in nation-state refers to a specific grouping of people. One which has a single shared history, ethnicity, culture, etc. The US is multicultural with citizens from a diverse range of ethnic backgrounds, so under that definition it doesn't qualify.


That's ridiculous, all Western countries are multicultural these days. Kansas is likely more white than Paris.


Yes, these days all countries are multicultural to some degree, and it is hard to draw a clear cutoff. The Wikipedia page uses 85% of the state being a single predominant group as a dividing line, but recognizes some special cases as well. However, if all of France had the demographics of Paris it would be far below that threshold and in fact would not be considered a nation-state.


It is very simple to justify when you consider the US alone.

However, if you choose virtually any other countries that you might consider to be nation-states, then you could describe them in the same manner. The way I read your definition, you describe two polarities, which lend themselves to any conclusion about any country, depending on which is emphasized.

I felt like the UK, Pakistan, and Israel were three good examples of countries claimed by some to be nation-states that show the definition is complicated and subjective.

And indeed, it already was denied that the UK is a nation-state, in this thread!


Totally agree, the definition is complicated and subjective! Really more of a spectrum than a clear binary. You could certainly argue that the US has a "shared history" that unites its various ethnic groups, thereby making it a single nation. Or you could argue that different racial groups and immigrant communities have had sufficiently distinct experiences that they shouldn't be lumped together.


IIRC, historian Jill Lepore argues the USA is, uniquely, a state-nation in that the state preceded the coherent self identity as a nation.

...Since we're pedanting. Not relevant wrt cybersecurity, spy-vs-spy, and national governments.


Israel is a wrong example too. Since it's an example of a State established on a foreign Nation since the colonization of Palestine. It's actually a very useful example to illustrate the difference between State and Nation. One could argue that a nation can be built in 73 years, but for the purpose of your argument you should have chosen France, Germany, Japan, Italy, etc., unless I misunderstood your argument.


>Israel is a wrong example too.

To be clear, Israel is an example of a country that is claimed to be a nation-state. I didn't intend to say it is or isn't, so I use the passive voice on purpose.

If you think it is not, that is further proof that nobody agrees on definitions or classifications.


In this context doesn't it mean "have one or more organisations that are scoped with gaining this kind of access for military, economic, or prestige both online and in the physical world, and have almost unlimited resources".

Nothing to do with national identity or how the people in that nation feel about their country, government, each other or themselves.


It's a joke. Nation-State Adversary... get it?


Not sure that adds up as a theory - they don't use that phrase, the US isn't a nation-state, and Vault 7 wasn't the NSA anyway was it?


It's an old joke.


It's a diplomatic way to say rogue/hostile state. An attempt to make the statement less political.


The executive summary is worth the 1-minute read.

Interesting that all the malicious frameworks known (by ESET) that target air-gapped networks were for some form of espionage.


"Air-gapping is used to protect the most sensitive of networks. In the first half of 2020 alone, four previously unknown malicious frameworks designed to breach air-gapped networks were publicly documented. ESET Research decided to revisit each framework known to date and to put them in perspective, side by side. Here are the key findings stemming from this exhaustive study: • All the frameworks are designed to perform some form of espionage. • All the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks. • We have not found any case of actual or suspected use of covert physical transmission mediums, such as acoustic or electromagnetic signals. • Over 75% of all the frameworks used malicious LNK or autorun files on USB drives to either perform the initial air-gapped system compromise or to move laterally within the air-gapped network. • More than 10—critical severity—LNK-related remote code execution vulnerabilities in Windows have been discovered, then patched by Microsoft, in the last 10 years. • All the frameworks were built to attack Windows systems. We have not found any evidence of actual or suspected malware components built to target other operating systems. In this white paper, we will describe how malware frameworks targeting air-gapped networks operate, and provide a side-by-side comparison of their most important TTPs. We also propose a series of detection and mitigation techniques to protect air-gapped networks from the main techniques used by all the mali- cious frameworks publicly known to date."


Bullet points require a blank line to be separated on HN (this happens to a lot of people):

---

Air-gapping is used to protect the most sensitive of networks. In the first half of 2020 alone, four previously unknown malicious frameworks designed to breach air-gapped networks were publicly documented. ESET Research decided to revisit each framework known to date and to put them in perspective, side by side. Here are the key findings stemming from this exhaustive study:

• All the frameworks are designed to perform some form of espionage.

• All the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks.

• We have not found any case of actual or suspected use of covert physical transmission mediums, such as acoustic or electromagnetic signals.

• Over 75% of all the frameworks used malicious LNK or autorun files on USB drives to either perform the initial air-gapped system compromise or to move laterally within the air-gapped network.

• More than 10—critical severity—LNK-related remote code execution vulnerabilities in Windows have been discovered, then patched by Microsoft, in the last 10 years.

• All the frameworks were built to attack Windows systems. We have not found any evidence of actual or suspected malware components built to target other operating systems.

In this white paper, we will describe how malware frameworks targeting air-gapped networks operate, and provide a side-by-side comparison of their most important TTPs. We also propose a series of detection and mitigation techniques to protect air-gapped networks from the main techniques used by all the malicious frameworks publicly known to date.


> All the frameworks used USB drives as the physical transmission medium [...] We have not found any case of actual or suspected use of covert physical transmission mediums, such as acoustic or electromagnetic signals

What about the red channel transmission in VGA cables from the Snowden leaks, if memory serves?

I'm happy to see this claim because I usually skip these articles about leaking this or that in a lab environment via EM (they seem too esoteric to me but the media seems to love it because it really plays to the imagination), but at the same time it worries me that I can think of a counter example off the top of my head. Maybe it doesn't qualify as a "framework" or wasn't bidirectional, even if it was used to leak confidential data.


The paper is specific to delivery of malware to airgapped networks. The NSA's RAGEMASTER which you are thinking of, and the whole VAGRANT family, is only a surveillance system - it does not allow for the insertion of any type of software.

There is also a useful differentiation in that NSA TAO-type techniques generally require that physical access be established (either to the environment or to equipment being taken into the environment), so in some sense they do not "jump" the air-gap... it's assumed that the method of insertion has already solved that problem. This paper discusses tools that are intended to make their way from a public network into an air-gapped one. In other words, there is a difference between tools for merely exfiltrating from an airgapped environment (having gained access some other way) and tools to actually gain access to the environment by software means. Physically infiltrating, tampering, etc to get an implant into an airgapped environment is old hat in the intelligence world, and so there are many defenses against it, but a "malware" approach to getting a software implant in is a pretty new thing with fewer defenses. Although as this paper shows, epoxy in the USB ports has proven surprisingly effective.


Also interesting that "All the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks. We have not found any case of actual or suspected use of covert physical transmission mediums, such as acoustic or electromagnetic signals."


Probably because to get this stuff to work is really hard in practice.

Several years ago, we were trying to get https://github.com/fulldecent/system-bus-radio to work, but we couldn't, even though we had the right MacBooks.


Alternatively, such a tool would be so valuable that it would be carefully and sparingly employed.

Go too far down that rabbit hole, though, and you start getting into badBIOS territory (a great "conspiracy" theory in the sense of a wild and unprovable idea, though not in the sense of any actual conspiracy.)


>Over 75% of all the frameworks used malicious LNK or autorun files on USB drives to either perform the initial air-gapped system compromise or to move laterally within the air-gapped network.

I don't get why autorun was created. It's an obvious security issue.


When Autorun, and Windows 95, were being developed, CD-Rs were multi-thousand dollar machines with media that cost $15+/disc, and USB was still being hashed out in the research labs. As such, the only real removable media that would have been used under Autorun would have been professionally mastered CDs, which had a $450+ minimum outlay for a master, and usually a minimum lot size atop of that, which was more than most people up to no good would have been willing to spend. Yes, as Autorun became a more viable attack vector, more protections should have been put in place, but in 1995, it was pretty low-risk.


> It's an obvious security issue.

Probably legitimately wasn't at the time! The general landscape and security issues and reasonable concerns just weren't the same.

Of course it's as clearly insane as giving pregnant women beer in maternity wards now, but wasn't at the time.


We already had viruses on DOS before CDs existed. The fact CDs supported autorun and Microsoft programmed Windows to have that feature on by default was mind-blowingly stupid and an obvious vector for viruses even at the time Windows 95 was new.


> We already had viruses on DOS before CDs existed.

But they weren't a credible threat that was significant enough to be worth worrying about.

We already have guns, but I don't do anything to protect myself against gun attack. It wouldn't be worth the time or effort or inconvenience for the level of threat. Maybe in thirty years we'll live in a dystopia and it'll be laughable that I went around unprotected against guns? But for today it's reasonable to ignore.


Convenience. Security is bothersome, anyways /s.


> All the frameworks were built to attack Windows systems.

Well there you go. Perhaps using an OpenBSD USB bastion is the way to go.


It will certainly make it harder for the attacker.


They didn’t detail any espionage activity other than stealing files, even though their study included Stuxnet which we know altered centrifuge control parameters.

I wanted to know what types of facilities and platforms are being targeted.


TL;DR:

   - only targets Windows

   - only uses USB drives

The rest of the article dives into highly Windows-specific exploits and therefore lacks generality.


I guess air-gapped Windows machines are the biggest targets for governments and in any case the biggest interest of malware researchers. Elsewhere in the malwareverse, most botnets are made up only of Windows machines, even though some are not, and even though non-Windows machines certainly need to be protected. So, these exploits are the ones that have come to light recently.

I was a little surprised to read that air-gapped machines are so often used in conjunction with removable media. That just doesn't feel like a good idea because of all the attack surface.

On the other hand, the article implicitly gives some interesting ideas for how one could reduce that attack surface by removing software, drivers, and other functionality from an airgapped device. For example, I think there are ways in Linux that we can say that a USB interface should only accept devices of a certain USB class (and perhaps it would be helpful in a different way to say "class and manufacturer ID"), and also that only one kind of filesystem should be mountable, and you can say that it shouldn't be possible to execute a binary directly from that filesystem. Combining these things, you could say that a machine should only accept FAT16 mounting of a mass storage device made by Kingston, and ignore anything else. I don't know if you can specify that kind of stuff in Windows, but it would be pretty valuable for this application!
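The Linux-side allow-list sketched in the comment above, written out as an added example (it is not code from the thread or from the ESET paper). It uses the kernel's real sysfs knobs: `authorized_default` on each host controller to deny new devices by default, and the per-device `authorized` attribute to enable only devices whose vendor id matches and whose every interface is the mass-storage class, so a composite "storage plus keyboard" gadget is refused. The sysfs layout under `/sys/bus/usb/devices` is real; the vendor id `0951` being Kingston is an assumption, and the test tree the functions are exercised against is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread or the ESET paper): a deny-by-default USB
# allow-list for Linux using the kernel's sysfs "authorized" attributes.
# Assumed sysfs layout: <devices_dir>/<dev>/{idVendor,authorized},
# <devices_dir>/<dev>:<cfg>.<iface>/bInterfaceClass, <devices_dir>/usbN/authorized_default.
# Usage (as root, on a real system):
#   . ./usb-allowlist.sh
#   usb_deny_by_default /sys/bus/usb/devices
#   usb_policy_apply    /sys/bus/usb/devices

ALLOWED_VENDOR="${ALLOWED_VENDOR:-0951}"   # assumed: 0951 = Kingston vendor id
ALLOWED_CLASS="${ALLOWED_CLASS:-08}"       # 08 = USB mass-storage interface class

# usb_deny_by_default <devices_dir>: tell every host controller to leave newly
# plugged devices unauthorized until this policy explicitly enables them.
usb_deny_by_default() {
    for hc in "$1"/usb*; do
        [ -f "$hc/authorized_default" ] && echo 0 > "$hc/authorized_default"
    done
    return 0
}

# usb_device_allowed <devdir>: succeed only if the vendor id matches and EVERY
# interface of the device is mass storage. A device with an extra HID (03)
# interface, the classic keystroke-injecting stick, fails this check.
usb_device_allowed() {
    d="$1"
    [ -f "$d/idVendor" ] || return 1
    [ "$(cat "$d/idVendor")" = "$ALLOWED_VENDOR" ] || return 1
    found=0
    for iface in "$d":*; do
        [ -f "$iface/bInterfaceClass" ] || continue
        found=1
        [ "$(cat "$iface/bInterfaceClass")" = "$ALLOWED_CLASS" ] || return 1
    done
    [ "$found" = 1 ]
}

# usb_policy_apply <devices_dir>: write 1 or 0 into each device's "authorized"
# attribute. Writing 0 makes the kernel detach drivers and ignore the device.
usb_policy_apply() {
    for dev in "$1"/*; do
        case "${dev##*/}" in
            *:*|usb*) continue ;;      # skip interface dirs and root hubs
        esac
        [ -f "$dev/authorized" ] || continue
        if usb_device_allowed "$dev"; then
            echo 1 > "$dev/authorized"
        else
            echo 0 > "$dev/authorized"
        fi
    done
    return 0
}
```

On a real system this has to run as root, and it only covers the device-authorization half of the comment's idea. The filesystem half is a mount policy: mount the allowed stick explicitly with `mount -t vfat -o ro,noexec,nosuid,nodev` rather than letting a desktop automounter pick the filesystem type, so an unexpected filesystem fails to mount and nothing on the stick can be executed in place.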


Windows also can limit the USB devices connected (nowadays natively, I believe before third-party solutions were available), you can do things like require specific signatures on executables, ...

I'd expect the big problem usually is actually defining a useful but minimal set of things allowed, so people can actually do their work. Otherwise you'll quickly get to the point of an admin overriding stuff because they need (or "need") something else, or users finding workarounds.

In many cases, providing users with multiple machines of different security levels would be a useful thing to do, but is cheapened out on. E.g. I've seen companies with blanket policies of "all machines that connect to business-network X need to be locked down". And then they made an application on that network mandatory for everybody (even if it's something dumb like employee time tracking), so now there are (annoying) procedures for employees that can't actually work with fully restricted machines (e.g. developers, who need to be able to install software because their job is making and testing installed software...) to circumvent the security policy, instead of giving such employees a second cheap machine to do their timesheet entry.

Another example I've heard about was putting less restricted PCs with their own internet connection into control rooms. Not "needed", but it was an effective way of keeping employees who were bored out of their minds during night shifts etc from putting whatever stuff they were going to use to keep themselves entertained (movies, games, ...) on the actual control network PCs through any way they could find. Of course they weren't supposed to plug their USB drives with movies into any work PC, but it was easier to give them a safe place to do it anyways than trying to police it perfectly.


> I was a little surprised to read that air-gapped machines are so often used in conjunction with removable media. That just doesn't feel like a good idea because of all the attack surface.

Our IT is also surprised. Unless the "air-gapped machine" will run only one program which will never change, you need a way to transfer SW to this machine. And like our IT: we do not need CDROMs, every computer has a USB port. And from a (deranged) security perspective a CDROM is equal to a USB stick.



