Fewer than 5% of the organizations MOXFIVE helps through breaches had meaningful network segmentation before the incident. This has helped ransomware operators gain easy access to sensitive systems on the network. Time and again, we find that a client is completely down due to encrypted servers, encrypted or deleted backups and have little to no choice but to negotiate with the threat actor. While that is bad enough, in almost all circumstances part of the business restoration process is to restore systems and services into a segmented known-good network, which can create even more of a business interruption. But what qualifies as a “known-good network” and why is it only considered in a post ransomware event situation? Can the known-good network concept be used proactively to help reduce the impact of ransom situations? To help answer these questions, let’s consider the role of network segmentation.
Legacy Network Segmentation
Traditionally, when network segmentation is discussed, IT professionals immediately think of firewalls, routers, and switches. Firewalls are essential, but they only protect the perimeter and are not usually a practical solution on complex networks. Routers and switches allow the creation of virtual networks to segment traffic flows and limit connectivity between segments, but they can become complex to manage with dynamic or granular configurations and often go stale with neglect. While this legacy approach still provides value, more can be done to make it harder for a threat actor to move laterally within an environment once initial access is made and even help limit the scope of potential data theft.
Enter Host-Based Microsegmentation
Today segmentation is not just relegated to network devices. Host-based microsegmentation, through the use of installed agents, offers a wide range of advantages over legacy counterparts; these centrally managed tools can apply much deeper granularity because they can operate at host, user, or application levels. Great use cases of host-based segmentation include:
Protecting the Crown Jewels
Limit Endpoint-to-Endpoint Communications
Apply Host, User, or Application Specific Restrictions for Increased Visibility
The Power of Labels
An implementation of host-based segmentation starts with building a real-time dependency map that visualizes existing communications between nodes and defining labels for each. This serves as a baseline for connectivity and access rules.
Labels simplify segmentation; they can reflect the asset’s name, where the asset is located, and which users need to interact with it. These labels are then mapped to data flows that allow you to build rulesets around their interactions. A few examples of this are noted below:
A primary use-case for labels is role-based access control and can be leveraged either by the user’s identity attributes or through Active Directory group memberships. In any network breach, a threat actor usually needs to leverage user accounts to move laterally, elevate privileges, and access sensitive data. Restricting user labels to only communicate with only those segments that are needed can go a long way in making a threat actor’s job harder.
Applications are another easy point of entry for threat actors through exploiting vulnerabilities in operating systems or application code. By applying labels to an application, you can then build a fence around it, limiting access from the operating system, hypervisor or container, or by user interaction.
MOXFIVE often finds that backup solutions are tied to Active Directory and accessible from anywhere in the network. Given the significant investment most organizations put into their backup capability, it is critical to ensure that they are protected. Labels allow for the capability to isolate backups from everything else on the network to ensure that they will be there when you need them.
We often see web servers, database servers, and Active Directory servers targeted by threat actors as primary pivot points. Server labels can be applied to divide segments by role to prevent lateral movement between them, allowing only what is explicitly authorized.
How Can MOXFIVE Help?
MOXFIVE partners with best-in-class agent-host segmentation vendors for rapid deployment to manage attacker containment and service recovery. But these solutions are most effective when applied proactively, often thwarting an attacker’s attempt to steal or destroy sensitive data in the first place. If you would like to hear more about what host-agent segmentation can do for your organization, we would highly recommend leaning on us or another party that can develop and provide the right solution that will align with the business long term and ensure it is implemented in a secure manner.
Grant is a cyber security leader with decades of success helping clients navigate complex security investigations and building proactive security programs to mitigate risk. As a technical advisor at MOXFIVE, Grant assists clients in managing forensic investigations, recovering their networks from cyber security attacks and providing valuable insight on proactive controls that can make their networks more resilient.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.Learn More
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.