Defeat Ransomware Attacks with Network Segmentation

by Mark G. Graff, BlackRidge Senior Technical Advisor and CEO of Tellagraff.com

When your network defenses fail — when attack software has sneaked its way through your firewall and is ravaging your critical systems — you're going to wish you had built internal segmentation into the network. That’s the single best way to keep infections from jumping from one system to the other, and really tearing your network apart.

Dividing your network into segments just means that you group similar systems into virtual neighborhoods, and exercise intensified control over what passes between the neighborhoods. Maybe you group all the systems in the Finance Department into one segment, the Engineering systems where software development is done into another, and the computers used by the executive suite in a third. Then you can use common sense policies, implemented by smart technology, to restrict which software developers can connect to the finance databases, at what time, and how often.

That’s good cyber hygiene, and it’s sure to pay off. But the day you will really appreciate network segmentation is when your company gets hit with a ransomware attack. To see why, let’s look at the threat.

The Threat from Ransomware

Heard of “WannaCry”? [1] How about “NotPetya”? [2] How about this, from theHow Ransomware Works New York Times on May 12th, 2017?

Hackers exploiting malicious software stolen from the National Security Agency executed damaging cyberattacks on Friday that hit dozens of countries worldwide, forcing Britain's public health system to send patients away, freezing computers at Russia’s Interior Ministry and wreaking havoc on tens of thousands of computers elsewhere. [3]

In a ransomware attack, bad guys pry a way into your network (often with fake emails) and, once they get a foothold, start spreading infectious malware. Their goal is to identify, and then encrypt, your critical files. They’ll then make you pay a ransom in the hopes of getting a decryption key allowing you to use your files again.

It’s bad out there. In a 2016 report, the FBI estimated that more than 4,000 ransomware attacks occurred daily in the U.S. [4]

When bad guys start using stolen tools from the National Security Agency to launch worms through your firewall and into your network, it’s past time to minimize and protect the interconnections between functional parts of your network, with a network segmentation solution.

Let’s cover the defensive basics first. Then I’ve got a pro tip for you about how to add network segmentation to your ransomware defensive strategy.

Basic Ransomware Defensive Maneuvers

There are certain basic steps to take to make it difficult for ransomware attackers. Here’s the FBI’s list, from a different 2016 report. [5]

Prevention efforts:

  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need read specific information, they don’t need write-access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts:

  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

Do you see where they advocate “access controls” and tell you to “secure your backups”? Key advice, and a great place to use segmentation.

Isolate Key Assets with Network Segmentation

The best way to stop any network-wide compromise (and to shield key assets like your assets from systems that have become infected) is to group your enterprise network into enclaves, by function. Examples would be Accounting, Engineering, Sales, Administration, and so forth. Then, moderate access between the enclaves with a segmentation solution, tuned to allow only traffic (a) from the “right” parts of the network, (b) on allowed ports, and (c) with reasonable content. This is the access control part of your defensive strategy.

(By the way, there’s no need to hardwire all the segments on a physical layer. We pioneered the concept of network segments at Sun Microsystems back in the late 90s, when I was Security Architect there. Even back in ’97, we implemented virtual segmentation, implementing a logical set of enclaves with specialized Virtual Private Networks on top of a much more integrated physical network. It saved us then, and I’ve used it in intervening years to protect elements of this nation’s critical infrastructure such as nuclear secrets, power plants, and stock markets.)

Now, how about securing access to your backups by preventing attackers from including them in the mass of storage they encrypt and render useless? Yes, that happens to thousands of U.S. companies each year; and if your backup systems are continually online, and you don’t segment your network, you could be next.

All in all, today, network segmentation is in my view a key part of due-diligence, an everyday, should-be-taken-for-granted practice. I testify to that effect; and, I am by no means alone.

Stepping Back

It’s amazing to me how many businesses welcome the vast array of connection types and protocols in a modern network, maintaining at the same time a full range of many-to-many connection potentials. Ten thousand systems, each capable of reaching out to the other, make for a promiscuous one hundred million possible connection paths. Each path carries a risk. Why does every system in Engineering need to be able to connect to the accounting systems again?

One of the best arguments I’ve seen for network segmentation, with the clearest metaphor, is in a presentation by Paul Francis of Cornell University from 2006. He argues succinctly that perimeter-based firewall-into-a-monolith model merely amounts to “door-chain security.“

IP packets enter the OS before a decision to accept them or not is made! A malicious sender can deny you service. And scan your machine for security holes. [6]

Francis continues, “The apartment doorman is a better model.” Hey, even better, how about a “doorman” on every floor? I’ve worked in high-security government installations that has just that.

Now the best technology I’m aware of today to implement a scheme like this – to ensure that a system only “talks to” the computers and users it’s supposed to -- is from BlackRidge Technology, where I am a senior member of the technical advisory board.  BlackRidge Transport Access Control  conceals systems from network scanning and discovery and allows only identified, authorized systems to talk to each other. Sometimes we call it, “Caller ID for your network.” It’s a great way to shield an enclave. I think BlackRidge’s technology would make you a pretty good doorman.

BlackRidge brings identity to the network, operating at TCP session establishment. This means that any infected machine, when trying to identify other machines to infect, would not only be unable to infect your protected resources—they couldn’t even see them. [7] BlackRidge also calls this “cloaking” technology.  It was developed in conjunction with the US military, and has been tested by various government agencies including the Department of Defense, as well as top-tier financial institutions.

Wrapping Up

Network segmentation should be taken for granted today; but still, not everybody does it.

It’s the easiest way I know of to ensure that nobody – including your employees, or intruders pretending to be your employees – saunters across your network into areas (like Finance) they have no business in.

My advice? If you’re still segment-less, get moving. Break up that monolithic network (if only virtually) and implement a network segmentation solution. That’s your best hope to inhibit the spread of the mighty malware that’s heading your way in years to come.

Resources for Further Reading

  1.  “Cyber ‘Worm’ Attack Hits Global Corporate Earnings,” Fortune online August 2, 2017. http://fortune.com/2017/08/02/cyber-worm-attack-corporate-earnings/
  2.  “Massive cyberattack hits Europe with widespread ransom demands,” Andrew Roth and Ellen Nakashima. Washington Post, June 27, 2017. https://www.washingtonpost.com/world/europe/ukraines-government-key-infrastructure-hit-in-massive-cyberattack/2017/06/27/7d22c7dc-5b40-11e7-9fc6-c7ef4bc58d13_story.html?utm_term=.1649d7ed3993
  3. “Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tools,” Nicole Perlroth and David E. Sanger, New York Times, May 12, 2017. https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html
  4. “Incidents of Ransomware on the Rise”, Federal Bureau of Investigation, April 29, 2016. https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise.
  5. “Ransomware Prevention and Response for CISO’s,” FBI technical report, 2016. https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf.
  6. “Firebreak: An IP perimeter defense architecture,” Paul Francis, Cornell University, 2006. http://www.cs.cornell.edu/people/francis/firebreak/firebreak-june-04-v2.pdf.
  7.  “Stopping Malware Like WannaCry From Spreading Through Your Network,” BlackRidge Technology International, Inc., 2017. https://www.blackridge.us/blog/stopping-malware-like-wannacry-from-spreading-through-your-network.