The past few years have seen a major shift in security strategies from looking outward for external threats to detecting and defending against adversaries that have already breached the network.
One of the biggest dangers is that, after having gained a foothold into an enterprise network, a careful threat actor can gradually move laterally through it and escalate their access and privilege while staying under the radar. This means that attackers need only to steal or force access to a single set of user credentials in order to start an attack that may result in massive data theft or malware infection. Additionally, an effective phishing attack may allow an attacker to establish a beachhead without any credential theft.
Implementing a least-privilege approach has proven to be a successful counter to this threat, forcing the intruder to do much more work to access critical data and systems. Better still are zero trust policies that require every user or system to be verified based on risk factors like location and device.
Network micro-segmentation plays a central role in the realization of zero trust strategies by severely limiting the lateral movement of an attacker and obstructing their ability to navigate the network. Dividing up environments effectively shrinks the attack surface available to adversaries and provides extremely granular control of all cloud and data centre environments, down to being able to segregate individual workloads. The more difficult it is for the threat actor to move around, the longer they will need to dwell in the network before reaching their goal, ultimately increasing the likelihood that they will be detected.
Some early adopters have already seen great success with micro-segmentation and have mature strategies in place. Still, we find many organizations are on the fence about the method, so we set out to gain some quantitative insights into just how effective zero trust measures can be.
Slowing lateral movement to a crawl
To determine just how effective micro-segmentation can be, Illumio conducted a red team exercise with Bishop Fox. The team was tasked with finding “crown jewel” assets in a test environment, and while they did not face a defensive blue team, they were pitted against increasingly tight micro-segmentation policies.
The first and lowest level policy tested was environmental separation. This is a fairly course-grained approach where workloads in different environments, such as production, testing, or development, can only connect with others in the same environment. It quickly became clear that even this simple level of separation could cause attackers to take at least three times as long to reach their target. This 300-percent increase in difficulty for the intruder meant defensive tools and security personnel had much more time to detect and investigate signs of unusual activity.
The next level of micro-segmentation, application ringfencing, proved to be even more effective, creating a 450-percent increase in difficulty for the attacker. At this stage, only workloads associated with specific applications could talk to each other (e.g., payment processing or human resource management applications).
Aside from the increased time needed to reach the target assets, both scenarios also led to a large number of blocked connection attempts. For example, application ringfencing resulted in roughly four times as many blocked connection attempts. Unless the attacker is extremely cautious and spreads attempts out over a long period of time, this spike in activity should trigger security alerts in the SOC and prompt analysts to investigate.
The final scenario deployed tier segmentation, one of the most fine-grained approaches. Here, restrictions were extremely tight: only workloads associated to specific tiers such as web or database within a specific application in a specific environment could talk to each other.
The tier segmentation was so restrictive that we observed blocked connection attempts drop significantly as the attacker was forced to try other methods. This resulted in a huge slowdown of their efforts, with the time it took to reach the prize increasing by around 950 percent.
The results of our exercise couldn’t be clearer: even the most basic level of micro-segmentation turns lateral movement into an uphill struggle for attackers, while the most restrictive policies mean they might as well be trying to summit Everest.
Micro-segmentation is a must-have for any security strategy
The ability for even a simple environmental separation policy to drastically slow the progress of network intruders means micro-segmentation should be an essential part of any security strategy. As the segmentation becomes more extensive and complex, attackers will take more time to navigate the network.
As the policies themselves become more granular, like with tier segmentation, intruders will need to try different approaches to get anywhere at all. This significantly increases their chances of making too much noise and getting the attention of the security team, which can intervene before the attacker inflicts any damage.
Attempting to enforce micro-segmentation across an entire enterprise, particularly one that is a largely brownfield environment, can seem like an arduous task. However, our experience has shown that breaking the problem down and iterating through manageable chunks can lead to success. Organizations should start with segmenting their most important assets and aim to eventually cover their entire estate.
Implementing micro-segmentation policies alongside existing security measures will greatly mitigate the risk posed by threat actors that have been able to infiltrate the network, essentially locking them in a box. For those organizations storing critical, highly sensitive data, this will be an invaluable approach to shrinking the attack surface and keeping hackers away from the crown jewels.