Ransomware and good security practices (Part 2)

It’s been about a year since the initial wave of WannaCry outbreaks spread across the world. In the UK, the NHS was affected to such an extent that it exposed how far cyber security practices and infrastructure planning had faltered.

In Part 1 of this series of blog posts I discussed a variety of steps that may be appropriate to improve resilience to ransomware, and in this part I continue focusing on some further topics including network segmentation.

As we covered in Part 1, there are many factors that often make the security management of obsolete platforms challenging and far more complicated than might appear at first glance.

Network segmentation

End User Devices (EUDs) are one piece of the puzzle, but connectivity should not be overlooked.

Network segmentation is the design of a network to achieve a proportionate and cost-effective division into sub-networks. Communication between sub-networks is demarcated by the network design, filtered using packet filters or more advanced platforms, or prevented using the same technologies.

The primary issue encountered through a lack of segmentation is lateral movement, which can be exploited by an insider threat or by an external attacker who has penetrated border security controls such as firewalls. While a lack of segmentation has the advantages of increasing organisational agility and reducing costs, the result is an inelastic defence strategy.

A further challenge that emerges in an inelastic defence strategy is the ease with which an attacker can conduct earlier parts of the cyber kill chain, particularly reconnaissance. Even behind a border firewall, once one vulnerable endpoint is infected by ransomware, lateral movement across the network is unimpeded.

Segmentation presents stealthy attackers with hurdles to overcome, and the security devices that enforce the segmentation boundaries give the organisation a place to establish detective controls. Put simply, segmentation can (if implemented correctly) improve detection of attacks, leading to a better security framework and better cyber defence.

Definitions of segmentation vary, and some argue that each switch port is an individual segment. In a strict sense, the wire from terminator to terminator is technically a segment.

From an infrastructure perspective this is accurate, but from a security perspective segmentation can be extended much further up the OSI model, including to the application layer.

A simple example of a segmented network is a suitable firewall with endpoints connected on a port-by-port basis, with no use of Layer 2 switches. A policy is established on the firewall to limit or prevent endpoint-to-endpoint communication within the network.

In reality most networks use switches or routers, as a firewall-based segmentation model is usually beyond cost limits. In most circumstances it becomes important to apply segmentation sensibly, for example fully segmenting critical services while allowing more flexibility in other areas.

In modern networks, where consolidation of previously separate networks is now common, a number of newer approaches to segmentation are typically used. The use of VLANs is one segmentation technique that is used extensively in some enterprises (although in some security applications VLANs may not be adequate). Extended further into virtualised environments, a number of options are available.

How can segmentation be achieved? This falls within the classic business analysis domain, and requires a project-managed assessment of information flows, business processes, and security relevance of information assets. There may or may not be an obvious solution at the outset. In some use cases, segmentation is clearly sensible: guest user access over 802.11, preventing EUD-to-EUD communication, separating employee 802.11 access, implementing web proxies, protection of financial systems, defensive controls around senior executives, and so on. Implementing an ISO 27001 standard, or a protective marking scheme, can pay dividends.

With careful configuration, it may be possible to completely prevent the spreading of ransomware within a heavily segmented network, buying time until other security controls can become effective (e.g. AV and IPS).

Segmentation also benefits network performance: reducing the number of communicating devices within a segment yields performance gains. Layer 1 segments are recommended to be limited to 20-50 devices. Segmentation at higher layers can accommodate larger segments. The performance results of segmentation are intertwined with the device types and hierarchy used.

Incident management

Not all ransomware defences are technical, and a combination of physical, procedural and technical controls is very valuable in achieving an optimal strategy. One procedural solution is a good policy and procedure for incident management.

In the event of an outbreak, which is an eventuality that must be considered, the formation of an Incident Management Team (IMT) to execute the Incident Management Plan (IMP) is essential. This should include all key stakeholders, including senior executives and subject matter experts.

An IMT becomes far more effective if it can take actions to prevent further damage to corporate systems. Ensure the organisation has mechanisms (including procedural ones) to apply restrictive security policies on the fly, and ensure they are rehearsed as part of incident management procedures.

For example, the ability to quickly apply a temporary block on a particular port or on traffic to and from a specific IP address range, or to isolate a network segment (e.g. finance department systems) or even an outbound network link.
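To make the segmentation argument from the previous section and the emergency blocks just described concrete, here is an added Python what-if model that is not part of the original post: a constructed inventory of hosts and segments, a first-match firewall policy, and a breadth-first search giving the set of hosts a single infected endpoint could reach on one port under a flat policy, under a segmented policy, and after an emergency block or segment isolation is applied. The host names, segment names and the port number are assumptions.

```python
from collections import deque

# Constructed inventory (an assumption, not from the post): host -> segment.
HOSTS = {
    "fin-pc-1": "finance", "fin-pc-2": "finance", "fin-srv": "finance",
    "hr-pc-1": "hr", "hr-pc-2": "hr",
    "file-srv": "servers", "print-srv": "servers",
}
PORT = 445  # assumed propagation port for the what-if analysis

class Policy:
    """First-match-wins rules (src_seg, dst_seg, port, action); '*' is a wildcard.
    Traffic crossing a segment boundary with no matching rule is denied."""
    def __init__(self, rules, intra_segment_allowed=True):
        self.rules = list(rules)
        self.intra_segment_allowed = intra_segment_allowed  # False = no EUD-to-EUD

    def block(self, src_seg, dst_seg, port="*"):
        """Emergency deny rule inserted at the top so it wins over existing allows."""
        self.rules.insert(0, (src_seg, dst_seg, port, "deny"))

    def isolate(self, seg):
        # Cut a whole segment (e.g. finance) off from everything, itself included.
        self.block(seg, "*")
        self.block("*", seg)

    def allows(self, src, dst, port):
        s, d = HOSTS[src], HOSTS[dst]
        for rs, rd, rp, action in self.rules:
            if rs in (s, "*") and rd in (d, "*") and rp in (port, "*"):
                return action == "allow"
        return self.intra_segment_allowed and s == d

def flat_policy():
    return Policy([("*", "*", "*", "allow")])  # no segmentation at all

def segmented_policy():
    # Endpoints may reach servers on PORT; nothing else crosses a boundary.
    return Policy([("finance", "servers", PORT, "allow"), ("hr", "servers", PORT, "allow")])

def blast_radius(policy, start, port=PORT):
    """Hosts an infection on `start` could reach over `port`, by breadth-first search."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and policy.allows(cur, nxt, port):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}
```

Comparing blast_radius() before and after an emergency block() or isolate() is a quick way to rehearse, on paper, what a given containment action would actually achieve.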

The foundation of a good IMP response is practice combined with good processes. Can the appropriate network personnel be reached in an emergency? Are procedures documented? And so on.

Summary

In Part 3 I’ll be taking a look at some further ransomware oriented security controls that can deliver higher resilience in the event of infection.