Proper network segmentation is the most critical proactive step in protecting networks against targeted attacks. It is also important for organizations to properly identify and categorize their own users and the networks they access. This allows an administrator to properly segment both user privileges and network traffic. Some users will have only limited access to sensitive company networks; similarly, some networks can be meant for data that is shared widely, while others are reserved for data that is not. This makes the task of protecting an organization's most important data - a topic we've frequently discussed - much easier.

This can go hand in hand with a broader assessment of the threats an organization faces. Some risks are not applicable to all organizations - a defense contractor faces different threats than a mom-and-pop bakery, for example. An organization needs to understand which risks apply to it, as well as what already goes on within its networks. This latter task can be particularly difficult, and even large organizations face challenges at this step. It is important, however, since before an organization can improve its security posture it needs to understand where it stands.

In previous times this task may actually have been easier, since all devices were under the control of the IT department and connections were made only over wired networks. This meant that the IT department was in charge of everything - and IT administrators, generally a logical group of people, could arrange things in a logical manner that could be easily secured. Today that is less true. Mobile devices and BYOD policies mean that enforcing "correct" network segmentation and division is much more difficult. Similarly, ever-changing and more flexible roles can mean that the data employees require on a regular basis changes frequently. In addition, the scale of the data that passes through corporate networks has increased significantly.
While segmenting users and networks is a difficult task, it is still a necessary one. In the face of today's targeted attacks, it is essential to be able to identify legitimate traffic as well as legitimate users. Familiarity with "normal" traffic and users is extremely useful in detecting unusual network activity that may be a sign of a targeted attack.

So what are some of the criteria that can be used to identify and categorize networks? Here are some examples.

What data is on the network?

Different segments of any network should be set up to handle data of differing levels of confidentiality. We earlier discussed how data can be categorized according to how much harm its exposure would cause an organization. Similarly, different branches of a company may require access to different aspects of the company's information. Simply put, different parts of the company's network should only have access to the data they need in their day-to-day operations. In addition, for legal or contractual reasons some pieces of corporate information may need to be restricted to certain employees. The requirements surrounding this can be complex and may even contradict one another. Nevertheless, some sort of network segmentation is necessary to help reduce the risk of targeted attacks.

What devices are being used to access the network?

In today's multiple-device computing environment, a far larger number of devices will have access to networks than ever before. While company-owned devices are in a "known" state for IT administrators, the same cannot be said for other devices. BYOD introduces an entire level of complexity in this area. Some of these devices lend themselves to remote management, while others do not. One possible method is to place devices not controlled by IT on a more restricted segment of the corporate network. Any security risk on these devices could then be isolated relatively quickly and with little effort, preventing issues from spreading across the network.
Who is connecting to the network?

Not all users of a network require the same access. Executives are privy to more confidential information than lower-level employees; engineers require access to operational information that even the CEO does not see on a regular basis. This, too, has to be considered in segmenting networks. Different roles require access to different portions of the corporate network; a breach in a lower-privilege segment of the network should only be able to reach higher-privilege segments if this is required for business purposes.

Benefits of network segmentation

Proper segmentation of networks can help defend against targeted attacks in various ways. Broadly speaking, it makes lateral movement within a targeted organization's network more difficult: more machines may have to be compromised, or more credentials obtained. Network segmentation serves as a defense-in-depth strategy that increases the effort an attacker has to expend to successfully compromise an organization. Segmentation does not necessarily require binary has-access/no-access decisions; restricted access (such as read-only access) may be possible.

Protecting against third-party vendor attacks

Attacks targeting third-party vendors are a known risk for any sufficiently large organization. However, proper network segmentation limits vendor access to the IT network to only what they need. Any compromise on the part of these vendors would face additional obstacles before it could reach any further portions of a corporate intranet. A large organization needs to work together with its vendors to minimize the potential risks from these vendor networks.

Protecting against insider attacks

Defending against insider attacks is a difficult task.
After all, insiders are already within the organization and are in an excellent position to know how the response to an attack would go, what information is most valuable to the organization, and so on. However, an insider attack does not always have to be a high-privilege one. Not all insiders necessarily have access to all of a company's secrets. It's possible that an insider attack may have more limited goals, resources, or capabilities. In such a situation, internal network segmentation can help prevent an insider from gaining access to other parts of the network. While this is not foolproof, it does make the attack more difficult.

Conclusion

Network and user segmentation is a difficult task in today's modern network, but it is still a necessary step to secure the networks of large organizations. However, it needs to be part of an integrated approach to evaluating the threats an organization is facing. The following steps are a reasonable way for any organization to start its own risk assessment:
- Identify the assets/data that need to be protected, and what controls are in place for these to be visible in your security infrastructure.
- Once these have been identified, identify what networked services are in use and if appropriate controls are in place.
- Determine how the assets/data are accessed (e.g., HTTP/HTTPS, SMB, etc.) and how they are stored (SQL databases, plain-text, on a NAS or SAN, etc.).
- Using the existing security controls, identify past and current threats to establish a baseline of current threat activity. Once this has been established, move forward and identify what the industry sees as threats to similar assets you hold. For example, our annual report on targeted attacks contains information about trends that may be useful in determining current threats.
- Rate these threats so that an appropriate risk rating can be assigned to each. Design the network and other defenses with these threats and the risk levels in mind.
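As an added example (not part of the original post), the Python script below walks through the five steps above on a constructed inventory: assets with their data classification, the protocols that expose them, how they are stored, whether the security infrastructure can see them, and threats with a likelihood taken from a baseline or industry report. Every asset name, protocol, threat and number is constructed for illustration, and the 1-5 scales and the high/medium/low thresholds are assumptions rather than a standard.

```python
"""Risk assessment walk-through (added example; all data below is constructed)."""
from dataclasses import dataclass

# Step 3: protocols that carry data in the clear raise an asset's exposure.
PLAINTEXT_PROTOCOLS = {"HTTP", "FTP", "TELNET", "SMBV1"}

# Step 1: impact of disclosure by data classification (constructed 1-5 scale).
IMPACT_BY_CLASS = {"public": 1, "internal": 2, "confidential": 4, "restricted": 5}


@dataclass
class Asset:
    name: str
    classification: str      # key into IMPACT_BY_CLASS
    access_protocols: list   # step 3: how the data is reached (HTTPS, SMB, ...)
    storage: str             # step 3: "SQL", "plain-text", "NAS", ...
    encrypted_at_rest: bool
    monitored: bool          # step 1: visible to the security infrastructure?


@dataclass
class Threat:
    name: str
    asset: str               # Asset.name this threat applies to
    likelihood: int          # step 4: 1-5, from the baseline or industry reports


def exposure(asset):
    """Extra impact points for weak access, storage or visibility (step 3)."""
    score = 0
    if any(p.upper() in PLAINTEXT_PROTOCOLS for p in asset.access_protocols):
        score += 1
    if asset.storage == "plain-text" or not asset.encrypted_at_rest:
        score += 1
    if not asset.monitored:
        score += 1
    return score


def rate(threat, asset):
    """Step 5: risk = likelihood x effective impact, on a 1-25 scale (assumed)."""
    impact = min(5, IMPACT_BY_CLASS[asset.classification] + exposure(asset))
    score = threat.likelihood * impact
    level = "high" if score >= 15 else "medium" if score >= 8 else "low"
    return {"asset": asset.name, "threat": threat.name, "score": score, "level": level}


def risk_register(assets, threats):
    """Rate every threat against its asset and return rows, highest risk first."""
    by_name = {a.name: a for a in assets}
    rows = [rate(t, by_name[t.asset]) for t in threats]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def control_gaps(assets):
    """Step 1 check: assets that the security infrastructure cannot see."""
    return [a.name for a in assets if not a.monitored]


# Constructed inventory and threat list for illustration.
ASSETS = [
    Asset("customer-db", "restricted", ["HTTPS", "SMB"], "SQL", True, True),
    Asset("marketing-share", "internal", ["SMB"], "NAS", False, False),
    Asset("public-website", "public", ["HTTP", "HTTPS"], "plain-text", False, True),
]
THREATS = [
    Threat("credential theft", "customer-db", 4),
    Threat("ransomware", "marketing-share", 3),
    Threat("defacement", "public-website", 2),
]

if __name__ == "__main__":
    for row in risk_register(ASSETS, THREATS):
        print(f"{row['level']:6} {row['score']:2}  {row['asset']} <- {row['threat']}")
    print("not visible to security controls:", control_gaps(ASSETS))
```

The point of keeping exposure separate from classification is that step 3 (how data is accessed and stored) changes the rating independently of step 1: the same "internal" file share rates higher when it is unencrypted and unmonitored than when it is not, which is what the design step at the end of the list should react to.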
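The final step is designing the network around those ratings. The second added example below (again not code from the original post) models the segmentation criteria discussed earlier: segments defined by the data they hold, by the devices on them (a BYOD wireless segment, a vendor VPN) and by the roles that use them; a default-deny policy between segments that allows read-only as well as full access; and a check of constructed firewall flow records against that policy to surface cross-segment traffic the design should have blocked. All address ranges, segment names, port-to-service mappings and flow records are assumptions made for the example.

```python
"""Segmentation policy model (added example; all addresses and flows are constructed)."""
import ipaddress

# Segments by the criteria in the text: what data they hold, which devices and
# roles are on them. name -> (CIDR, classification of data hosted). Constructed.
SEGMENTS = {
    "byod_wifi":   ("10.10.0.0/16", "public"),      # devices IT does not control
    "user_lan":    ("10.20.0.0/16", "internal"),    # general staff workstations
    "engineering": ("10.30.0.0/16", "confidential"),
    "finance":     ("10.40.0.0/16", "restricted"),
    "vendor_vpn":  ("10.50.0.0/24", "internal"),    # third-party vendor access
    "servers":     ("10.100.0.0/16", "restricted"),
}

# Policy: (source segment, destination segment) -> {service: mode}.
# mode "rw" is full access, "ro" is restricted (read-only) access.
# Any pair or service not listed is denied.
POLICY = {
    ("user_lan", "servers"):    {"https": "rw", "smb": "ro"},
    ("engineering", "servers"): {"https": "rw", "smb": "rw", "ssh": "rw"},
    ("finance", "servers"):     {"https": "rw", "smb": "rw"},
    ("vendor_vpn", "servers"):  {"https": "ro"},
    ("byod_wifi", "servers"):   {"https": "ro"},
}

SERVICE_BY_PORT = {443: "https", 445: "smb", 22: "ssh", 3389: "rdp"}


def segment_of(ip):
    """Map an address to its segment name, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, _) in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def decide(src_ip, dst_ip, dst_port):
    """Return ("allow", mode) or ("deny", reason) for one flow."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return ("deny", "unknown-segment")
    if src == dst:
        # Segmentation controls the borders; traffic inside one segment passes.
        # This is the blind spot an insider on the same segment sits in.
        return ("allow", "rw")
    service = SERVICE_BY_PORT.get(dst_port, f"tcp/{dst_port}")
    mode = POLICY.get((src, dst), {}).get(service)
    if mode is None:
        return ("deny", f"{src}->{dst}:{service} not in policy")
    return ("allow", mode)


# Constructed flow records (src, dst, dst_port) as a firewall might log them.
FLOWS = [
    ("10.20.5.12", "10.100.1.10", 443),   # staff to intranet web: allowed
    ("10.20.5.12", "10.100.1.20", 445),   # staff to file server: read-only
    ("10.10.77.3", "10.40.0.15", 445),    # BYOD device to finance share: denied
    ("10.50.0.9", "10.30.2.2", 22),       # vendor VPN to engineering host: denied
    ("10.20.5.12", "10.20.5.40", 3389),   # inside user_lan: passes the border check
]


def audit(flows):
    """Return the flows the policy denies: cross-segment traffic to investigate."""
    findings = []
    for flow in flows:
        verdict, detail = decide(*flow)
        if verdict == "deny":
            findings.append((flow, detail))
    return findings


if __name__ == "__main__":
    for flow, reason in audit(FLOWS):
        print("DENIED", flow, reason)
```

Two things the model makes visible: the vendor and BYOD segments reach only the server segment, and only read-only over HTTPS, which is the "limit vendor access to only what they need" point; and the last flow passes because it never crosses a segment border, which is why the text calls segmentation useful but not foolproof against an insider who already sits on the right segment.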