June 29, 2022

Minimizing the Impact: Network Segmentation

Fewer than 5% of the organizations MOXFIVE helps through breaches had meaningful network segmentation before the incident. This has given ransomware operators easy access to sensitive systems on the network. Time and again, we find that a client is completely down due to encrypted servers and encrypted or deleted backups, leaving them little to no choice but to negotiate with the threat actor. While that is bad enough, in almost all circumstances part of the business restoration process is to restore systems and services into a segmented known-good network, which can create even more of a business interruption. But what qualifies as a “known-good network,” and why is it only considered after a ransomware event? Can the known-good network concept be used proactively to help reduce the impact of ransom situations? To help answer these questions, let’s consider the role of network segmentation.

Legacy Network Segmentation

Traditionally, when network segmentation is discussed, IT professionals immediately think of firewalls, routers, and switches. Firewalls are essential, but they only protect the perimeter and are not usually a practical solution on complex networks. Routers and switches allow the creation of virtual networks to segment traffic flows and limit connectivity between segments, but they can become complex to manage with dynamic or granular configurations and often go stale with neglect. While this legacy approach still provides value, more can be done to make it harder for a threat actor to move laterally within an environment once initial access is made and even help limit the scope of potential data theft.

Enter Host-Based Microsegmentation

Today, segmentation is no longer relegated to network devices. Host-based microsegmentation, through the use of installed agents, offers a wide range of advantages over its legacy counterparts: these centrally managed tools can apply much deeper granularity because they operate at the host, user, or application level. Great use cases of host-based segmentation include:

Protecting the Crown Jewels

  • Protect network traffic to business-critical apps (HR, manufacturing, etc.)
  • Protect and segment Active Directory
  • Protect and segment backups
  • Protect and segment internal assets from third party users or systems

Limit Endpoint-to-Endpoint Communications

  • Prevent ALL endpoint-to-endpoint communication
  • Deny all dubious traffic to endpoints (SMB, WMI, NetBIOS)

Apply Host, User, or Application Specific Restrictions for Increased Visibility

  • Only allow compliant endpoints to talk to your apps
  • Detect and see east-west traffic between segmentations
  • Allow only specific users to talk to specific segments
  • Lock down all network access with a simple click
  • Ring-fence apps from each other

The Power of Labels

An implementation of host-based segmentation starts with building a real-time dependency map that visualizes existing communications between nodes and defining labels for each. This serves as a baseline for connectivity and access rules.

Labels simplify segmentation; they can reflect the asset’s name, where the asset is located, and which users need to interact with it. These labels are then mapped to data flows that allow you to build rulesets around their interactions. A few examples of this are noted below:

  • User Labels

A primary use case for labels is role-based access control, which can be driven either by the user’s identity attributes or by Active Directory group memberships. In any network breach, a threat actor usually needs to leverage user accounts to move laterally, elevate privileges, and access sensitive data. Restricting user labels to communicate with only those segments that are needed can go a long way in making a threat actor’s job harder.

  • Application Labels

Applications are another easy point of entry for threat actors through exploiting vulnerabilities in operating systems or application code. By applying labels to an application, you can then build a fence around it, limiting access from the operating system, hypervisor or container, or by user interaction.

  • Backup Labels

MOXFIVE often finds that backup solutions are tied to Active Directory and accessible from anywhere in the network. Given the significant investment most organizations put into their backup capability, it is critical to ensure that it is protected. Labels make it possible to isolate backups from everything else on the network, ensuring that they will be there when you need them.

  • Server Labels

We often see web servers, database servers, and Active Directory servers targeted by threat actors as primary pivot points. Server labels can be applied to divide segments by role and prevent lateral movement between them, allowing only what is explicitly authorized.
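To make the use cases above and the label model concrete, here is a small default-deny policy check written for this post as an added example (not MOXFIVE’s code and not any vendor’s API). Hosts carry a role label, rules allow traffic between labels on listed ports, optionally only for users holding an Active Directory group label, and a constructed dependency-map baseline is evaluated to see which observed flows (workstation-to-workstation SMB, workstation-to-backup, non-DBA users to the database) would be blocked. All host names, ports and flows are constructed.

```python
# Label-based microsegmentation policy check. This is an added example, not
# MOXFIVE's or any vendor's code: hosts carry a role label, rules allow flows
# between labels on listed ports (optionally only for members of an AD group),
# and anything not explicitly allowed is denied. Hosts and flows are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    role: str  # label such as "workstation", "backup", "domain-controller"

@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    ports: frozenset  # TCP ports allowed from src label to dst label
    group: str = ""   # AD group the initiating user must hold; "" = any user

# Constructed policy: explicit allows only; no rule exists for workstation->workstation
# (SMB/WMI/NetBIOS) or workstation->backup, so those flows are denied by default.
RULES = (
    Rule("workstation", "web", frozenset({443})),
    Rule("web", "database", frozenset({1433})),
    Rule("workstation", "domain-controller", frozenset({88, 389, 636})),
    Rule("workstation", "database", frozenset({1433}), group="DBA"),
    Rule("backup", "database", frozenset({10000})),  # constructed backup-agent port
)

def is_allowed(src, dst, port, groups=frozenset(), rules=RULES):
    """Default deny: a rule must match both labels, the port and any required group."""
    return any(r.src_role == src.role and r.dst_role == dst.role
               and port in r.ports and (not r.group or r.group in groups)
               for r in rules)

def denied_flows(flows, rules=RULES):
    """Return (src, dst, port) for each (src, dst, port, user_groups) flow the policy blocks."""
    return [(s.name, d.name, p) for s, d, p, g in flows
            if not is_allowed(s, d, p, g, rules)]

# Constructed dependency-map baseline: traffic observed before enforcement.
WS1, WS2 = Host("ws1", "workstation"), Host("ws2", "workstation")
WEB1, DB1, BKP1 = Host("web1", "web"), Host("db1", "database"), Host("bkp1", "backup")
BASELINE = [
    (WS1, WEB1, 443, frozenset()),         # user to business app: allowed
    (WS1, WS2, 445, frozenset()),          # SMB endpoint-to-endpoint: denied
    (WS1, BKP1, 445, frozenset()),         # workstation reaching backups: denied
    (WS1, DB1, 1433, frozenset({"DBA"})),  # user holds the DBA label: allowed
    (WS2, DB1, 1433, frozenset()),         # same port, no DBA label: denied
    (BKP1, DB1, 10000, frozenset()),       # backup server to its agent: allowed
]
```

Running `denied_flows(BASELINE)` against the baseline yields exactly the three flows a segmentation project would expect to cut: the two workstation-initiated SMB flows and the database connection from a user without the DBA label.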

How Can MOXFIVE Help?

MOXFIVE partners with best-in-class agent-host segmentation vendors for rapid deployment to manage attacker containment and service recovery. But these solutions are most effective when applied proactively, often thwarting an attacker’s attempt to steal or destroy sensitive data in the first place. If you would like to hear more about what host-agent segmentation can do for your organization, we highly recommend leaning on us or another party that can develop the right solution, align it with the business over the long term, and ensure it is implemented in a secure manner.

For more information or if you need help with a current incident, contact MOXFIVE at ask@moxfive.com or use our Contact form.

Grant Warkins

Grant is a cyber security leader with decades of success helping clients navigate complex security investigations and building proactive security programs to mitigate risk. As a technical advisor at MOXFIVE, Grant assists clients in managing forensic investigations, recovering their networks from cyber security attacks and providing valuable insight on proactive controls that can make their networks more resilient.
