What Happened Next After You Told Me Network Segmentation Wasn’t Necessary

I told you so: why network segmentation may actually keep you out of the unemployment line

They're coming for you; as a matter of fact, they're already at your door. We've entered an era where it's not a matter of if, but when. Despite the historical breaches that have cost some companies in the billions of dollars, which resulted in a near equal number of terminations for those CISOs, we’re still not learning from history, which will continue to repeat itself until we do. Welcome to the thankless job of being a CISO, where you're not appreciated for keeping the network secure, are tolerated for keeping the business running, and are terminated when the business is breached. But what if instead you were applauded for detecting the breach sooner and limiting the cost of it?


No one likes "what if" conversations. But what if the narrative had changed from a "what if" conversation right in front of you and you didn't even realize it? I'm here to tell you that you're fourteen years late for the prom and that it changed from "what if" to "it will" back in 2005 without you even realizing it. It turns out what you don't know can in fact hurt you -- or at least put you in the unemployment line.

What if Target had implemented segmentation and isolated their PCI environment from the HVAC systems? What if the companies in all of these other breaches, where pivoting from a lower security level network was involved, had implemented network segmentation? Would the cost have been so high? Would the CISO have kept their job? Would they have caught it earlier?

The fall guys and fall girls for these breaches, no matter how that question is answered, are your friends and colleagues at other companies, such as Ron Bell at Yahoo!, Maria Agren at the Swedish Transport Agency, Mignon Hofman at San Francisco State, Joe Sullivan and Craig Clark at Uber, Susan Mauldin and Dave Webb at Equifax, Amy Pascal at Sony Pictures, Cory Weech at Four Seasons, and Jim Cummings at JPMorgan -- all of whom lost their jobs as a result of their cybersecurity action or inaction, as it were. And those are only a few of the many who have taken the fall for lapses in cybersecurity at their companies. After all, we're not dealing with script kiddies defacing web sites anymore; these are highly intelligent, sophisticated business tycoons running multimillion dollar enterprises who want to keep their revenues coming in. Take, for example, the botnet industry, which rakes in a staggering $20 million a month from click fraud for bot masters. I assure you, your biggest mistake will be underestimating the lengths your adversary will go to in order to keep their businesses alive and thriving.

He told me network segmentation wasn't necessary

So I'm in the middle of a penetration test for a multinational corporation and I warn them that their CCTV cameras are reachable from the user VLAN of their network. I wish I could tell you that this story ended there, but it doesn't. The CISO, whom we'll call Jim, told me that segmenting the network didn't make sense because of how difficult it would be for a network so large to be segmented, and because they don't know which applications users need access to or what ports many of the applications listen on. Jim further rationalized it by saying that if an adversary got a foothold on the internal network, it would be a bad day anyway. I explained to Jim that he was looking at it in a contorted way and that he needed to understand how bad it was that the IoT devices in the building were on the same network as their staff workstations, ERP systems, and data lakes.

I delivered the penetration test report with bold, underlined text cautioning them on the flat network and that action needed to be taken lest that what if scenario ended up coming and being far worse than they anticipated.

Can you tell me what happened next? You guessed it -- no more than 2 months later, the company was breached, and the sensitivity and quantity of the data that was exfiltrated would make even Equifax and Target blush. I was involved in that incident response effort. Can you tell me what the ingress point was? Someone drove up in the parking lot of the company where some of the CCTV cameras were placed, hacked one of the cameras in the parking lot from the safety of their car in the guest parking lot, then pivoted over to a vulnerable Apache Tomcat installation and ultimately gained DA credentials. Unfortunately, suffice it to say, Jim lost his job shortly thereafter as the executive committee and board quickly tried to implement their own version of damage control armed with my penetration test report, which was now sitting on the CEO's desk.

So what if I told you that it was possible to limit the amount of economic damage a breach would ultimately cost you while also leading the adversary to a "mouse trap" that will allow you to catch her sooner? What if I told you the dwell time of the breach could be lowered so you don't repeat Jim's same mistake?

To Catch a Thief

You'll hear the concept of reducing dwell time more and more from vendors out there in the marketplace as their latest wares come to market and more venture capital is poured into the cybersecurity industry. The leader in this space, in my opinion, is Attivo Networks, which has created an enterprise-grade decoy system whose decoys, unlike honeypots, are actually decoys of real production systems, giving the attacker the perception of being on a mission-critical endpoint and not a decoy. The technology also allows you to sprinkle credentials and files that point back to the decoy servers, attempting to stop pivoting in its tracks and alert you quickly to the decoy trap going off. Had Target, Equifax, and my client among others deployed decoys on their network, it’s without contestation that the dwell time in those breaches would have been far less and that they would have cost much less than they did.

Don't Get Caught With Your Pants Down

Once upon a time, before software-based segmentation existed, network administrators had to take networks that had existed for decades and try to segment them using the switches alone: moving servers to their own VLAN, creating VACLs or firewall rules to determine who can access them over which protocols and which ports, and moving users to their own VLAN. This has since changed with the market availability of software-defined network segmentation products such as Stealth from Unisys. With Stealth, organizations no longer have to figure out how to do this at layers 1-3; microsegmentation moves to layer 7 instead. Added icing on the microsegmentation capability is the ability to segment IoT devices that can't run the agent, as well as to "cloak" devices, making them unreachable from endpoints you define.

Had my client implemented network segmentation as I had suggested, he would have been able to limit the damage of the breach to just the CCTV cameras rather than the rest of their internal network and instead of the unemployment line, would have been in the lunch line gaming new what if scenarios and how to respond.

Additionally, with an IoT security solution that would have detected and prevented this pivoting even on the flat network, such as SentinelOne Ranger, the ending would also have been far different for Jim.

In summary, take network segmentation and micro-segmentation seriously. Take the security of your IoT devices seriously; clearly, something as simple as CCTV cameras can be used for something far more devastating than the DDoS attacks we saw in 2016.

Having users, servers, printers, and IoT devices on their own VLANs does not in and of itself equal segmentation unless there are firewall rules or some other filtering in place that limits what devices in one VLAN can talk to in the other.
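To make that point concrete, here is an added example (not part of the original article, and not any vendor's code) that checks an ordered inter-VLAN rule list against flows that must never be possible. The VLAN names, subnets, addresses, ports and rules are all constructed for illustration.

```python
import ipaddress

# Constructed example data; VLAN names, subnets and rules are hypothetical.
VLANS = {"users": "10.10.0.0/16", "servers": "10.20.0.0/16", "iot": "10.30.0.0/24"}

# VLANs exist, but the router passes everything between them.
VLANS_ONLY = [("permit", "any", "any", "any")]

# Same VLANs with filtering: explicit flows, then deny.
FILTERED = [
    ("permit", "users", "servers", 443),
    ("permit", "iot", "10.20.5.10/32", 554),  # cameras -> video recorder only
    ("deny", "any", "any", "any"),
]

# Flows that must never be possible, modelled on the incident described above.
MUST_DENY = {
    "camera -> app server": ("10.30.0.21", "10.20.8.15", 8080),
    "workstation -> camera": ("10.10.4.7", "10.30.0.21", 80),
    "camera -> workstation": ("10.30.0.21", "10.10.4.7", 445),
}

def net(spec):
    """Resolve 'any', a VLAN name, or a CIDR string to a network object."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(VLANS.get(spec, spec))

def allowed(rules, src, dst, port):
    """Evaluate an ordered rule list: first match wins, no match means deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d, p in rules:
        if src in net(s) and dst in net(d) and p in ("any", port):
            return action == "permit"
    return False

def violations(rules):
    """Names of forbidden flows that the rule set would let through."""
    return sorted(name for name, flow in MUST_DENY.items() if allowed(rules, *flow))

if __name__ == "__main__":
    for label, rules in (("VLANs only", VLANS_ONLY), ("VLANs + filtering", FILTERED)):
        print(f"{label}: {violations(rules) or 'no forbidden flow permitted'}")
```

Run against the "VLANs only" rule set, every forbidden flow is reported as permitted; with the filtered rule set, none is, while the flows the business needs still pass.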

And finally, remember that it’s no longer realistic to try to prevent the breach from occurring; what matters is how quickly you can detect it and how much you can limit the adversary's movement within your network once they’re there. But then again... you may just tell me it’s not necessary and you’re not interested in what if scenarios...


© Copyright 2010-2020 Brier & Thorn, Inc.