In 2020, ransomware attacks surged by 150%, with an average extortion amount of $170,000. Groups like Maze, Egregor, and RagnarLocker extorted as much as $1-2 million. Clearly, the business of ransomware, dubbed “the face of cybercrime in 2020” is booming.
To mitigate the risks of ransomware and boost their IT security, many organizations are adopting network segmentation. In this article, we explore various aspects of network segmentation, including:
- What is network segmentation?
- What are the types of network segmentation?
- What are the benefits of network segmentation?
What is Network Segmentation?
Ransomware is malicious software that gains unauthorized access to a system to encrypt a victim’s files and deny access until they pay a ransom.
Network segmentation is an effective way to protect IT systems from ransomware attacks. It refers to dividing a larger network into smaller sub-networks with limited inter-connectivity between them. By controlling traffic flows between various sub-networks and by restricting attacker lateral movement, network segmentation prevents unauthorized users from accessing the organization’s intellectual property and data.
Types of network segmentation
- Network segmentation VLAN: This involves creating segments in networks with VLANs or subnets using IP addresses for partitioning. All hosts are connected virtually to each other as if they were part of the same LAN. This method improves network performance and prevents threats from spreading beyond a VLAN, but it requires re-architecting networks and managing numerous access control list (ACL) rules on various network devices.
- Firewall segmentation: Firewalls inside a network segment limit the attack surface and prevent threats from spreading. Since this method requires thousands of firewall rules, it introduces considerable complexity and cost into the system.
- Segmentation with Software-defined Networking: SDN-based network segmentation supports greater automation and programmability. However, it focuses less on security visibility, and more on network policy implementation.
- Host-based Segmentation: With workload telemetry, a map of environments and applications is created to visualize what must be protected. Human-readable labels create and implement an automated segmentation policy.
- Micro-segmentation: This technique uses the host workload to enforce a segmented network, and whitelist models to block all traffic except what is permitted.
What are the Benefits of Network Segmentation?
Many IT professionals believe that network segmentation is a business-critical security measure. Here’s why:
- Protect endpoint devices: Network segmentation can protect vulnerable devices by stopping harmful traffic from reaching them.
- Reduce attack surface, and limit the damage: Segmentation keeps attacks in one section from affecting the systems in another, thus limiting its spread, and minimizing damage.
- Improve data security: Separating servers containing sensitive data makes it easier to protect them and reduce the risk of loss or theft.
- Implement a “Policy of Least Privilege”: It restricts user access to sensitive information and systems and provides effective protection if access credentials are compromised.
- Improve Network Performance: By containing specific traffic only to those segments that need to see it, segmentation reduces network congestion and improves performance.
- Reduce compliance scope: Segmentation limits the scope and cost of compliance requirements and audit processes.
Using Network Segmentation to Stop Ransomware
To spread infectious malware, malicious actors may exploit a Remote Desktop Protocol, send fake emails with nefarious links or attachments, or embed ransomware code within trusted applications. The goal is to identify and encrypt critical files and demand a ransom from the victim to decrypt and release them.
Threats from Ransomware
Without network segmentation, an attacker, after breaching the security perimeter, can move laterally across the system, infect devices with ransomware, and access valuable information to hold for ransom.
Network segmentation separates the network into enclaves to prevent network-wide compromise, and shield assets from infected assets. Even if an attacker does breach the security perimeter, they can’t move laterally since that would require them to breach security perimeters for each system. This limits their attack scope and minimizes damage.
Segmenting your Network
Here are some networking segmentation examples to improve security, performance and reliability.
- Servers between Segments: This network configuration places a performance burden on two servers, each of which has two NICs. The servers provide standard user services, and also route packets between network segments. Placing a bridge between the two segments can maximize performance.
- Switched Environments: In a switched-to-the-desktop setup, a switch is on the central backbone of the network and allows users to securely connect to the network through secondary switches.
- Segmenting via Routers: Routers can be used to segment local networks, although bandwidth between routers is usually limited and expensive.
- Multi-NIC, multi-protocol environments: This environment delivers better network performance if machines are grouped by protocol and if unnecessary protocols are unbound from each server’s NICs to prevent them from sending unnecessary broadcasts.
- Restrict third-party access: For organizations with multiple third-party vendors, creating separate access portals for each vendor can minimize the possibility of spreads if a vendor is breached.
- Inventory and combine similar resources: Combining similar network resources into individual databases enables network admins to enact security policies quickly, and better protect more sensitive data.
- Restrict traffic: It’s best to implement granular control according to the principle of least access required to complete tasks and to limit source, destination, and service traffic from each other.
- Perform regular network audits: Frequent network audits and risk assessments are a good way to identify exploitable information and security gaps in current assets.
- Monitor network segments: Configure the IDS/IPS to monitor internal network segments and the external network. Also, monitor the event and audit logs created by network devices and analyze them for suspicious behaviours.
Network segmentation prevents attacks from spreading across a network. It also allows for easier policy creation and network maintenance. With proper planning and maintenance, organizations can proactively strengthen their cybersecurity posture, which can be a game-changer in the modern threat landscape.