Network Segmentation and How it Can Prevent Ransomware
Ransomware is on the rise. In 2020, ransomware attacks surged by 150%, with the average attack extorting as much as $170,000 (although cybercriminal groups such as Maze, Egregor, and RagnarLocker extorted much higher amounts of $1-2 million). Ransomware has even been dubbed “the face of cybercrime in 2020.” Clearly, this is a lucrative crime, but what is considered ransomware?
Ransomware is any number of malicious programs launched by bad actors who then gain unauthorized access to a system. Once they’ve gained access, these criminals then encrypt the victim’s files, denying access until the victim pays a ransom. As you can no doubt imagine, ransomware can be very, very devastating, especially when the attackers target healthcare systems and financial firms, gaining access to medical and PCI data.
To mitigate the risks of ransomware and boost their IT security, many organizations are adopting something known as network segmentation. In this article, we will explore various aspects of network segmentation, including:
- What network segmentation is,
- What the different types of network segmentation are, and
- The benefits of network segmentation.
What is Network Segmentation?
Network segmentation refers to dividing a larger network into smaller sub-networks with limited inter-connectivity between them. By controlling traffic flows between various sub-networks and by restricting attacker lateral movement, network segmentation prevents unauthorized users from accessing the organization’s intellectual property and data. In other words, a large, open network can be easily traversed by a user, but if the network is segmented – and the “doors” between these segments are limited and locked – it becomes much more difficult for an attacker to navigate his or her way through the network.
Types of network segmentation
Network segmentation VLAN
Segmenting by VLAN is already a common practice for most businesses and organizations, because segmenting a network into subnets, in addition to preventing free lateral access, helps speed up network performance. We’re willing to bet that your business already has subnets in place.
Firewall Segmentation
Firewalls are another common method of preventing unauthorized access to various parts of a network. Firewalls work by using a predetermined set of rules to either allow or deny certain traffic into and out of a network. These rules can be signature-based, anomaly-based, or a whole host of other custom parameters.
Least Privilege Segmentation
In IT, we don’t typically think of Least Privilege rules as a form of segmentation, but they are. “Least Privilege” is a common practice that restricts access to certain areas within a network, based on a user’s credentials and job requirements. For example, a custodian in a hospital would have access to patient rooms, but would not have access to medical records. Likewise a CSO for a company may have root privileges within a network, but the accountant would not.
What are the Benefits of Network Segmentation?
We would argue that network segmentation is a critical security measure for any network, because it works on multiple levels to protect data and endpoint devices, as well as reduce and remove attack vectors. Think of it like a neighborhood. In a place where each house is separate, it would be very difficult to break into one house and move to the next house from the bedroom window of the first house. To break into a second house would require the thief to leave the first house and move, in the open, to the next, increasing his or her chances of being caught. Contrary, in a set of row houses, where each house is connected to the next – say, with a common shared attic – moving from one home to the next without being caught or stopped is much easier.
However, as we noted earlier, ransomware is a growing threat within cyber security. So while segmentation is good for the overall security of a network, how does segmentation protect a business, specifically, from ransomware?
Using Network Segmentation to Stop Ransomware
Ransomware is a malicious code that does one of two things:
- Identifies and encrypts important files, or
- Locks access to the computer/network.
The attacker then holds the files/devices “ransom,” only unlocking the devices after his demands have been met. As we also noticed, the ransom amounts can reach into the billions.
Threats from Ransomware
Without network segmentation, lateral movement within a network is extraordinarily simple. Think about printing from your computer at home: that is a lateral movement between your computer and the printer, and it’s as easy as a click of a button. Network segmentation divides the network, preventing this lateral movement, and therefore preventing access to sensitive data. Instead of one security perimeter around the entire network, you’ve essentially set up multiple security perimeters within the network.
Here are a few examples of networking segmentation:
Secondary Switches
By allowing users to connect securely to the network through secondary switches, you are adding another layer of security, as each switch can be configured with several different options, including firewalls and DHCP Snooping.
RAID Configurations
There are several kinds of RAID configurations. While only a few apply in this situation (e.g., RAID 0), what RAID configurations do is divide the data between two or more servers, each with its own layer of protection. This way, should an attacker gain access to one server, he or she will be unable to move (or at least have great difficulty doing so) between these servers.
Network Segmentation Best Practices
Extranets
One attack vector that is becoming popular is to gain access to a network through a vendor. A common practice when working with vendors is to establish an extranet: an access portal with limited access to the network. By establishing an extranet for vendors, you are once more tightening the attack surfaces between the compromised vendor and your own network.
Least Privilege
As we noted above, practicing the principle of Least Privilege will help prevent lateral movement within a network. For example, if Bob’s account is compromised by an attacker, but Bob has no access to any sensitive data at all, then the attacker has, essentially, wasted his own time.
Perform Regular Network Audits
Audits are one of the best ways to make sure a network is being regularly inspected for threats and risk assessments. They can be time-consuming, but they well-worth the effort.
Automated Security
Lastly, using an IDP/IDS is a vital part of protecting any internal and external network. Make sure your baseline traffic is established and alerts are set, and you will have a vital layer of protection.
Conclusion
One other good practice that we should definitely mention, however, is regularly backing up your data (this is where RAID configurations also come in handy, as some of them include disc parity). In the event of a successful attack, one of the worst things you could do is actually pay the ransom. Why? Because paying the ransom alerts the attacker – and his or her colleagues – that you are an easy target. Once your organization is labelled as such, you can expect to receive more breaches and more ransom demands. Secondly, the attacker may not even give you your data back. He or she can simply destroy it, leaving you both several thousand dollars poorer and without your data. By having data backed up on a separate storage device – preferably one not connected to the main network – you can simply remediate the infected machines and use the back-ups to restore business.
While none of the practices we’ve mentioned is enough on its own, together, these network segmentation practices will help prevent bad actors from moving and spreading across your organization’s network as they search for valuable files. As an organization, you have a responsibility to protect data, whether it is patient, customer, or employee. Following these guidelines will help you do just that.
