
Network Segmentation and How it Can Prevent Ransomware

Threat Intelligence • Feb 29, 2024

Ransomware is on the rise. In 2020, ransomware attacks surged by 150%, with the average attack extorting as much as $170,000 (although cybercriminal groups such as Maze, Egregor, and RagnarLocker extorted much higher amounts of $1-2 million). Ransomware has even been dubbed “the face of cybercrime in 2020.” Clearly, this is a lucrative crime, but what is considered ransomware?
Ransomware is any of a number of malicious programs launched by bad actors who have gained unauthorized access to a system. Once inside, these criminals encrypt the victim’s files, denying access until the victim pays a ransom. As you can no doubt imagine, ransomware can be devastating, especially when the attackers target healthcare systems and financial firms, gaining access to medical and PCI data.
To mitigate the risks of ransomware and boost their IT security, many organizations are adopting something known as network segmentation. In this article, we will explore various aspects of network segmentation, including:

  • What network segmentation is,
  • What the different types of network segmentation are, and
  • The benefits of network segmentation.

What is Network Segmentation?

Network segmentation refers to dividing a larger network into smaller sub-networks with limited inter-connectivity between them. By controlling traffic flows between various sub-networks and by restricting attacker lateral movement, network segmentation prevents unauthorized users from accessing the organization’s intellectual property and data. In other words, a large, open network can be easily traversed by a user, but if the network is segmented – and the “doors” between these segments are limited and locked – it becomes much more difficult for an attacker to navigate his or her way through the network.

Types of network segmentation

Network Segmentation VLAN


Segmenting by VLAN is already a common practice for most businesses and organizations, because segmenting a network into subnets, in addition to preventing free lateral access, helps speed up network performance. We’re willing to bet that your business already has subnets in place.


CONSIDERATIONS FOR VLAN IMPLEMENTATION

Before implementation, carefully plan the VLAN structure based on organizational needs, considering factors like network topology and scalability. Additionally, focusing on the physical security of VLAN switches is paramount. Placing these switches in physically secure locations behind locked doors is essential to prevent unauthorized physical access, establishing a foundational layer of defense. Implementing strict access controls further fortifies the security posture, ensuring that only authorized personnel can make configuration changes to the VLAN switches. Moreover, continuous monitoring of VLAN performance and configuration is imperative.


Firewall Segmentation


Firewalls are another common method of preventing unauthorized access to various parts of a network. Firewalls work by using a predetermined set of rules to either allow or deny certain traffic into and out of a network. These rules can be signature-based, anomaly-based, or a whole host of other custom parameters.


FIREWALL RULES AND POLICIES


Firewalls play a pivotal role in preventing unauthorized access to different network segments. Their functionality is based on a set of rules that either allow or deny specific traffic, including signature-based, anomaly-based, or custom parameters. Configuring firewall rules and policies is essential for controlling the flow of network traffic. These rules define what is permitted or denied, forming a critical layer of defense against potential threats.


APPLICATION OF STATEFUL INSPECTION


Stateful inspection, a vital feature of firewalls, involves tracking the state of active connections and making decisions based on the context of the traffic. It blocks communication from outside a network segment unless explicitly allowed, or unless the packet belongs to a connection the firewall has already admitted. This approach helps keep attackers from infiltrating the network. Stateful inspection also protects against attacks targeting protocols such as TCP or DNS by scrutinizing context and state information, ensuring a robust defense strategy.


Least Privilege Segmentation


In IT, we don’t typically think of Least Privilege rules as a form of segmentation, but they are. “Least Privilege” is a common practice that restricts access to certain areas within a network, based on a user’s credentials and job requirements. For example, a custodian in a hospital would have access to patient rooms, but would not have access to medical records. Likewise, a CSO for a company may have root privileges within a network, but the accountant would not.


PRINCIPLE OF LEAST PRIVILEGE IN ACCESS CONTROL


Implementing the principle of least privilege ensures that users have the minimum access necessary for their tasks. This approach minimizes the risk of unauthorized access, providing a more secure network environment.


ROLE-BASED ACCESS CONTROL (RBAC)


RBAC further refines access control by assigning specific access rights based on job roles. Adopt a role-based access model, assigning unique logins and passwords for each administrator. In addition, configure switches to grant distinct logins, passwords, and privilege levels based on administrators' specific roles. This granular approach tailors access permissions to individual responsibilities, enhancing security and accountability.
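As an added example (not code from the original article), the model below implements the least-privilege and RBAC ideas just described: roles bundle only the permissions a job needs, each user has an individual login, access is default-deny, and device privilege levels follow from the role. The roles, users, resources and the hospital-style permissions are constructed for illustration. The blast_radius function shows what a compromised account is worth to an attacker, which is the point the article makes later about a compromised account with no access to sensitive data.

```python
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (action, resource)

# Hypothetical role definitions (constructed for this example). Each role holds
# only the permissions its job actually needs.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "custodian": frozenset({("enter", "patient_rooms")}),
    "clinician": frozenset({("enter", "patient_rooms"), ("read", "medical_records")}),
    "accountant": frozenset({("read", "billing"), ("write", "billing")}),
    "switch_operator": frozenset({("show", "core_switch")}),  # read-only on the switch
    "cso": frozenset({("admin", "core_switch"), ("read", "medical_records"), ("read", "billing")}),
}

# Hypothetical user-to-role assignments; every administrator gets an individual login.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"custodian"},
    "bob": set(),               # has a login but no role at all
    "carol": {"accountant"},
    "dave": {"switch_operator"},
    "erin": {"cso"},
}


def permissions_of(user: str) -> Set[Permission]:
    """Union of the permissions granted by every role the user holds."""
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def permitted(user: str, action: str, resource: str) -> bool:
    """Default deny: access is granted only if a held role grants it explicitly."""
    return (action, resource) in permissions_of(user)


def privilege_level(user: str, device: str) -> str:
    """Privilege tier a user receives on a network device, as the text describes."""
    perms = permissions_of(user)
    if ("admin", device) in perms:
        return "admin"
    if ("show", device) in perms:
        return "read-only"
    return "none"


def blast_radius(user: str) -> Set[str]:
    """Resources an attacker could touch after compromising this one account."""
    return {resource for _action, resource in permissions_of(user)}


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sorted(blast_radius(user)), privilege_level(user, "core_switch"))
```

Because evaluation is default-deny, adding a new resource does not silently expose it to anyone; a role has to be changed for access to appear, which is also what makes the change auditable.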


What are the Benefits of Network Segmentation?

We would argue that network segmentation is a critical security measure for any network, because it works on multiple levels to protect data and endpoint devices, as well as reduce and remove attack vectors. Think of it like a neighborhood. In a place where each house is separate, it would be very difficult to break into one house and move to the next house from the bedroom window of the first house. To break into a second house would require the thief to leave the first house and move, in the open, to the next, increasing his or her chances of being caught. Conversely, in a set of row houses, where each house is connected to the next – say, with a common shared attic – moving from one home to the next without being caught or stopped is much easier.
However, as we noted earlier, ransomware is a growing threat within cyber security. So while segmentation is good for the overall security of a network, how does segmentation protect a business, specifically, from ransomware?

Using Network Segmentation to Stop Ransomware

Ransomware is malicious code that does one of two things:
  1. Identifies and encrypts important files, or
  2. Locks access to the computer/network.

The attacker then holds the files/devices “ransom,” only unlocking the devices after his demands have been met. As we noted earlier, the ransom amounts can reach into the billions.

Threats from Ransomware


Without network segmentation, lateral movement within a network is extraordinarily simple. Think about printing from your computer at home: that is a lateral movement between your computer and the printer, and it’s as easy as a click of a button. Network segmentation divides the network, preventing this lateral movement, and therefore preventing access to sensitive data. Instead of one security perimeter around the entire network, you’ve essentially set up multiple security perimeters within the network. 


IMPROVE OPERATIONAL PERFORMANCE

 

Segmented networks limit traffic to only subnets that need to see it, as well as aid in the localization of technical network issues. The reduced traffic congestion helps to improve the overall performance of the network.

 

LIMIT DAMAGE FROM CYBER ATTACKS

 

Segmentation drastically reduces the time, money, and effort spent in recovering from a data breach. When hackers breach a segmented network, their activity is restricted to a single subnet. This allows security teams to upgrade the security controls in other segments before the attackers gain access to them. This prevents the entire system from being breached. 

PROTECT VULNERABLE DEVICES

 

Not every device in a network is built with advanced security defenses. Network segmentation can help to prevent malicious traffic from reaching devices that cannot protect themselves from an ongoing attack. 

 

REDUCE COMPLIANCE SCOPE

 

Even though the main aim of network segmentation is to prevent data breaches, it is also common among merchants that want to reduce their compliance scope. A system is considered in-scope for PCI DSS when its components are directly connected to the CDE (Cardholder Data Environment) or can potentially affect its security. In a non-segmented network, the entire network is in-scope for compliance, which significantly increases the costs and work required to secure the business network. With segmentation in place, only systems or subnets that are connected to the CDE need to be tested for compliance.

Here are a few examples of network segmentation:
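The following is an added example, not code from the original article, that puts numbers on the two claims made in this section: that segmentation confines an attacker's lateral movement to the segment they landed in, and that it shrinks the set of systems connected to the CDE. It models a flat and a segmented network as graphs of allowed flows (the segment names and flows are constructed), computes the transitive reach from a foothold, and applies the "connected to the CDE" scope rule the text describes.

```python
from collections import deque
from typing import Dict, Set

Graph = Dict[str, Set[str]]  # segment -> segments it is allowed to open connections to

# Constructed example: five segments; "cde" is the cardholder data environment.
SEGMENTS = ["cde", "dmz", "users", "guests", "iot"]

# Flat network: no boundary controls, so every segment can reach every other one.
FLAT: Graph = {s: {t for t in SEGMENTS if t != s} for s in SEGMENTS}

# Segmented network: only the explicitly allowed flows exist.
SEGMENTED: Graph = {
    "users": {"dmz"},    # workstations reach the web tier only
    "dmz": {"cde"},      # the web tier is the only path into the CDE
    "cde": set(),
    "guests": set(),     # guest Wi-Fi reaches nothing internal
    "iot": set(),        # sensors are isolated from everything
}


def blast_radius(graph: Graph, start: str) -> Set[str]:
    """Segments an attacker can move into, transitively, from a foothold in `start`."""
    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in graph.get(seg, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def pci_scope(graph: Graph, cde: str = "cde") -> Set[str]:
    """The CDE plus every segment with a direct allowed flow to or from it,
    which is the 'connected to the CDE' notion used in the text."""
    scope = {cde} | set(graph.get(cde, set()))
    scope |= {seg for seg, targets in graph.items() if cde in targets}
    return scope


def transitive_paths_to_cde(graph: Graph, cde: str = "cde") -> Set[str]:
    """Segments that can reach the CDE through other segments; these are not
    directly connected but can still affect its security and deserve review."""
    return {seg for seg in graph if seg != cde and cde in blast_radius(graph, seg)}


if __name__ == "__main__":
    for name, graph in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, "reach from guests:", sorted(blast_radius(graph, "guests")))
        print(name, "PCI scope:", sorted(pci_scope(graph)))
        print(name, "indirect paths to CDE:", sorted(transitive_paths_to_cde(graph)))
```

In the flat network every segment is both reachable from a compromised guest device and in scope; in the segmented one a guest foothold goes nowhere and only the dmz joins the cde in scope. transitive_paths_to_cde flags the users segment, which can still reach the CDE via the dmz, as something an assessor may want to look at even though it is not directly connected.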

 

Secondary Switches


By allowing users to connect securely to the network through secondary switches, you are adding another layer of security, as each switch can be configured with several different options, including firewalls and DHCP Snooping.


RAID Configurations

 

There are several kinds of RAID configurations. While only a few apply in this situation (e.g., RAID 0), RAID configurations divide the data between two or more servers, each with its own layer of protection. This way, should an attacker gain access to one server, he or she will be unable to move (or at least have great difficulty doing so) between these servers.

NETWORK SEGMENTATION BEST PRACTICES

Extranets


One attack vector that is becoming popular is to gain access to a network through a vendor. A common practice when working with vendors is to establish an extranet: an access portal with limited access to the network. By establishing an extranet for vendors, you are once more tightening the attack surface between a compromised vendor and your own network.


Least Privilege


As we noted above, practicing the principle of Least Privilege will help prevent lateral movement within a network. For example, if Bob’s account is compromised by an attacker, but Bob has no access to any sensitive data at all, then the attacker has, essentially, wasted his own time.


Perform Regular Network Audits


Audits are one of the best ways to make sure a network is being regularly inspected for threats and assessed for risk. They can be time-consuming, but they are well worth the effort.


Automated Security


Lastly, using an IDS/IPS is a vital part of protecting any internal and external network. Make sure your baseline traffic is established and alerts are set, and you will have a vital layer of protection.


LIMIT THIRD-PARTY ACCESS

 

Over 50% of organizations have suffered a data breach caused by third parties that misused sensitive/confidential information. Data breaches caused by third parties also take longer to find and cause more damage. If you need to provide data to third-party services, create isolated channels for them so that they can access only what is required and nothing else. Additionally, it is essential to assess the security and privacy practices of the third parties you do business with.

 

COMBINE SIMILAR NETWORK RESOURCES

 

Combining similar resources into independent databases can save time and reduce security overhead. By segmenting your network this way, you can implement security measures more quickly while also protecting your data more efficiently. 

 

NETWORK VIRTUALIZATION

 

In the modern-day organization, perimeter-based segmentation is not enough. With the introduction of the cloud, remote working, and mobile devices, the perimeter is disappearing with no clear boundaries. Network virtualization is the delivery of network and security services independent of the physical infrastructure. This allows for deeper segmentation and better security and network performance. 

 

DON’T SEGMENT TOO MUCH

 

Creating too many zones or over-segmenting makes it more difficult to manage your whole network. The complexity of the network and the policies that need to be managed increase with the number of zones. This can make security management tedious, expensive, and ineffective.

THE IMPACT OF ZERO TRUST ON NETWORK SEGMENTATION

Network segmentation is rooted in the fortress model. The fortress defense, with its layered fortresses and boundary-centric protection, has proven insufficient in the face of evolving threats. While it may temporarily impede current attacks, new threats quickly emerge, rendering the fortress approach inadequate. The complexity and expense of reinforcing the front door continuously grow, leaving vulnerabilities that attackers exploit. 


Zero trust, on the other hand, adopts a different strategy. The concept of zero trust is to assume that threats are always present within the network as well, not just outside. It is built on the principle of 'never trust, always verify.' So, instead of relying on a perimeter defense to protect the network, it focuses on every individual user and device on the network, continuously verifying their identity and intent before granting access to the network.


According to the research paper 'Network Segmentation and Zero Trust Architectures' by William R. Simpson and Kevin E. Foltz:

"Combining segmentation and ZTA results in problems from a security perspective. The key issue is how to handle secure communication at segment boundaries. Segmentation requires breaking it and ZTA requires preserving it. Because of this fundamental difference, it is not possible to fully implement both approaches in the same enterprise."


The same paper explores two ways of combining segmentation and Zero Trust Architecture (ZTA), each with its own challenges and opportunities: a full security combination and a hybrid approach. Here's a quick summary of each.


FULL SECURITY COMBINATION


Implementing segmentation on an existing ZTA is difficult because the security components of segmentation can compromise the end-to-end security of ZTA. Adding ZTA to an existing segmentation means compromising active entity communication security at each segment boundary. While a complete implementation is not possible, ZTA can be applied within individual segments. However, fully combining segmentation and ZTA faces obstacles due to conflicting requirements.


HYBRID APPROACH


A complete combination of both approaches is impractical, but a hybrid solution is achievable by applying micro-segmentation within the overall segmentation. Micro-segments can be converted into local ZTA solutions, allowing for a combination of larger and smaller segments. This approach provides a migration path from the traditional model to ZTA using segmentation.


OTHER CONSIDERATIONS


While segmentation and ZTA cannot be fully combined for security, they offer additional benefits. Dividing network traffic between segments can improve performance by reducing overall network congestion. Using virtual networks (VLANs) instead of hardware can save costs and enhance flexibility. Software-defined networks can optimize network traffic performance. These advantages demonstrate that while segmentation may not directly enhance ZTA security, it can provide other valuable benefits.


In summary, integrating network segmentation and ZTA requires careful consideration. While a complete combination for security purposes is challenging, a hybrid approach using micro-segmentation within the overall segmentation can provide a path towards ZTA. Additionally, recognizing the non-security benefits of segmentation, such as performance improvements and cost savings, is important.


NETWORK SEGMENTATION USE CASES

Enterprise-wide network segmentation is commonly employed in various use cases to enhance security, improve network performance, and meet compliance requirements. Here are some of the most common use cases:


SECURITY AND THREAT CONTAINMENT

Network segmentation helps contain security threats by isolating sensitive assets or critical systems from the rest of the network. It limits lateral movement for attackers, reducing the potential impact of a breach or compromise.

REGULATORY COMPLIANCE

Many industries have specific regulatory requirements for data protection and privacy. Network segmentation assists in achieving compliance by isolating regulated data or systems, ensuring they are accessed only by authorized individuals or devices.

PROTECTION OF INTELLECTUAL PROPERTY

Companies with valuable intellectual property or proprietary information can use network segmentation to safeguard their assets. Separating networks and controlling access reduces the risk of unauthorized access or data exfiltration.

GUEST NETWORK AND PARTNER ACCESS

Enterprises often need to provide controlled access to external entities, such as guests, contractors, or business partners. Network segmentation allows for the creation of guest networks or isolated segments where external users can connect without compromising internal systems.

INTERNET OF THINGS (IoT) SECURITY

With the proliferation of IoT devices, network segmentation becomes crucial to secure these devices and prevent them from being used as entry points for attackers. Segmenting IoT devices from the main network limits their potential impact on critical systems.

APPLICATION AND SERVICE ISOLATION

Enterprises may segment their networks to isolate specific applications or services for enhanced security, performance, or compliance purposes. For example, separating development and testing environments from production systems helps protect sensitive data and prevent disruptions.

PERFORMANCE OPTIMIZATION

Network segmentation can improve network performance by reducing broadcast traffic and optimizing bandwidth usage. It allows for better resource allocation and prioritization, ensuring critical applications operate efficiently.

RISK MANAGEMENT

Implementing network segmentation lets organizations proactively manage risks and minimize the potential impact of security incidents. Segmentation helps to compartmentalize risk, allowing for targeted mitigation strategies.


Conclusion

One other good practice that we should definitely mention, however, is regularly backing up your data (this is where RAID configurations also come in handy, as some of them include disk parity). In the event of a successful attack, one of the worst things you could do is actually pay the ransom. Why? Because paying the ransom alerts the attacker – and his or her colleagues – that you are an easy target. Once your organization is labelled as such, you can expect to receive more breaches and more ransom demands. Secondly, the attacker may not even give you your data back. He or she can simply destroy it, leaving you both several thousand dollars poorer and without your data. By having data backed up on a separate storage device – preferably one not connected to the main network – you can simply remediate the infected machines and use the back-ups to restore business.
 
While none of the practices we’ve mentioned is enough on its own, together, these network segmentation practices will help prevent bad actors from moving and spreading across your organization’s network as they search for valuable files. As an organization, you have a responsibility to protect data, whether it is patient, customer, or employee. Following these guidelines will help you do just that.
