Inspiration

The idea for the "Air Gap" toolbox actually came from a need of our customers. Many of them have some kind of "Air Gapped" or "Offline - Disconnected from the internet" network. Those customers come from different disciplines: they could be military, government, industrial and even financial, like banks and trading companies with highly secure offline networks. The fact that those networks are disconnected makes the customers "suffer" from simple things like upgrading their equipment or content efficiently, or making real-time intelligence queries, or even something as simple as a whois lookup. I am not talking about automation of moving files in and out (most of that is done manually). We thought it does not need to be like this, and we have the perfect technology to help them!

What it does

So far, we have built two use cases:

  1. Intelligence/reputation query from the internal/air-gapped network to the internet by using unidirectional diodes (UDP on the way out and files on the way in).

  2. Getting content update files for the Panorama management server (to update content such as A/V on the firewalls) from the internet into the air-gapped network.
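The first use case is easiest to reason about as a pair of one-way channels with no acknowledgement in either direction: a query leaves as a UDP datagram, and the only way an answer can come back is as a file dropped through the inbound diode. The Python below is an added example written for this page, not code from the Air Gap Hopper project or its XSOAR playbooks. It models both sides of that exchange, with the message layout, the size caps, the function names and the reputation table all being assumptions made for the illustration. The points it demonstrates are the ones a practitioner has to get right on a diode: every query needs an id so the answer can be matched later, the id is used as a filename and therefore has to be validated, files are renamed into place so the diode never copies a half-written one, and the internal side accepts only well-formed answers to queries it actually sent and times out the rest.

```python
"""Added example (not code from the Air Gap Hopper project): a minimal model of
use case 1, a reputation query that leaves the air-gapped network as a UDP
datagram through one diode and comes back as a file through the other.
The message layout, size limits, function names and the reputation table
are all assumptions made for this illustration."""
import json
import os
import tempfile
import time
import uuid

MAX_DATAGRAM = 512               # assumed cap for the outbound datagram
MAX_RESPONSE_BYTES = 64 * 1024   # assumed cap for an inbound response file
REPUTATION_DB = {                # constructed sample data on the external side
    "203.0.113.7": "malicious",
    "198.51.100.2": "benign",
}


def build_query(indicator, pending):
    """Internal side: serialise one query as the UDP payload sent through the
    outbound diode. Nothing ever comes back on that socket, so the query
    carries an id that is recorded in `pending` for later matching."""
    qid = uuid.uuid4().hex
    payload = json.dumps({"id": qid, "value": indicator}).encode("utf-8")
    if len(payload) > MAX_DATAGRAM:
        raise ValueError("query does not fit in one datagram")
    pending[qid] = {"indicator": indicator, "sent": time.time()}
    return payload


def handle_query(datagram, drop_dir):
    """External side: parse the datagram, look the indicator up and write the
    answer as a file into the directory the inbound diode copies from.
    The id becomes the filename, so it is checked before use."""
    try:
        msg = json.loads(datagram.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise ValueError("malformed query datagram")
    if not (isinstance(msg, dict) and isinstance(msg.get("id"), str)
            and isinstance(msg.get("value"), str) and msg["id"].isalnum()):
        raise ValueError("query is missing a valid id or value")
    response = {"id": msg["id"], "value": msg["value"],
                "verdict": REPUTATION_DB.get(msg["value"], "unknown")}
    final = os.path.join(drop_dir, msg["id"] + ".json")
    partial = final + ".part"
    with open(partial, "w", encoding="utf-8") as fh:
        json.dump(response, fh)
    os.replace(partial, final)  # rename so the diode never copies a half-written file
    return final


def ingest_responses(landing_dir, pending):
    """Internal side: poll the directory where the inbound diode lands files,
    accept only well-formed answers to queries still in `pending`, and return
    {indicator: verdict}. Anything else (oversize, unparsable, unsolicited, or
    answering a different indicator than the id was issued for) is left in
    place for an operator to look at."""
    results = {}
    for name in sorted(os.listdir(landing_dir)):
        path = os.path.join(landing_dir, name)
        if not name.endswith(".json") or os.path.getsize(path) > MAX_RESPONSE_BYTES:
            continue
        try:
            with open(path, "r", encoding="utf-8") as fh:
                msg = json.load(fh)
        except (OSError, ValueError):
            continue
        entry = pending.get(msg.get("id")) if isinstance(msg, dict) else None
        if entry is None or msg.get("value") != entry["indicator"]:
            continue
        results[entry["indicator"]] = str(msg.get("verdict", "unknown"))
        del pending[msg["id"]]
        os.remove(path)
    return results


def expire_pending(pending, max_age, now=None):
    """Drop queries whose answer never arrived; with no return channel this
    timeout is the only way the internal side learns that a query was lost."""
    now = time.time() if now is None else now
    stale = [qid for qid, e in pending.items() if now - e["sent"] > max_age]
    for qid in stale:
        del pending[qid]
    return stale


def run_demo():
    """Drive both sides through one temporary directory standing in for both
    ends of the inbound diode. Returns (answered, still_pending, leftover_files)."""
    pending = {}
    with tempfile.TemporaryDirectory() as diode_dir:
        for ip in ("203.0.113.7", "198.51.100.2", "192.0.2.9"):
            handle_query(build_query(ip, pending), diode_dir)  # out via UDP, back via file
        build_query("192.0.2.77", pending)  # sent, but pretend this datagram was lost
        # constructed unsolicited file with no matching query: it must be ignored
        with open(os.path.join(diode_dir, "rogue.json"), "w", encoding="utf-8") as fh:
            json.dump({"id": "deadbeef", "value": "10.0.0.1", "verdict": "benign"}, fh)
        answered = ingest_responses(diode_dir, pending)
        leftover = sorted(os.listdir(diode_dir))
    return answered, sorted(e["indicator"] for e in pending.values()), leftover


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the external side's drop directory and the internal side's landing directory are two different filesystems joined only by the diode; the demo collapses them into one folder because the copy itself carries no logic. The `expire_pending` step matters more than it looks: since a dropped datagram produces no error anywhere, the playbook on the internal server needs a timeout to decide that a query has failed rather than waiting for a file that will never land.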

How we built it

We used two XSOAR servers to accomplish this task, one internal and one external. Each use case has two playbooks, running on the two servers, that depend on each other in order to work. We mostly utilise existing integrations and automations to do the task, but had to do additional development to accomplish all our goals. We added:

  • 5 New commands for Panorama and SMB
  • 1 Automation
  • 1 Incident type
  • 1 custom field

More information is in the use-case videos:

https://youtu.be/Ss3K9jpwzic

https://youtu.be/fQxhtzYX3R4

Challenges we ran into

We had some issues with the Panorama API, but eventually managed to solve them so it runs smooth like butter :-) Another issue was our plan to meet and work for two straight days - that plan was shattered by the lockdown, so we had to move to Zoom, a less convenient option for a hackathon.

Accomplishments that we're proud of

We are really proud to have been able to assemble a diverse team (we have 2 SEs, 1 SA and 1 Support Engineer; 1 female and 3 male participants) of people from different roles in the company, and to create something that in our opinion will be very useful for our customers.

#disruption #collaboration #execution #integrity #inclusion #innovation

What we learned

We learned a lot about the work of other roles and about other technologies. Every one of us deepened their skills in their main technology and added skills in technologies mastered by peers.

What's next for Air Gap Hopper

We are not stopping here. We have many more "Air Gap" use cases in mind. Just a few examples:

  • Getting logs for troubleshooting out of secure networks after "masking" all sensitive data.
  • Getting more types of files in, after CDR, sandboxing and AV inspection.
  • Getting data from monitoring/analytics systems out to the main management system.
  • Automation in ICS networks (the industrial and IoT world): "helping" ICS networks that have no SIEM get their logs out to the main SIEM/analytics system.

And many more :-)

PS - we are not here for the money, we want the jackets! (money would be ok as well though...)
