Using Network Segmentation to Combat Ransomware

Using Network Segmentation to Combat Ransomware
Author: Faizan Mahmood, CISSP, PMP
Date Published: 14 May 2020

In the latest ISACA® Journal issue, we published a two-part article titled “Avoid Having to Run Somewhere from Ransomware.” The article included a deep dive on what ransomware is, how it infiltrates most systems, our suggestions for the top 10 ways to prevent it, and some insights into what options someone has if they have been attacked. In this blog post, I want to discuss the 11th step that was left on our editing room floor: network segmentation.

In network segmentation, the basic idea is to simply divide your larger network into smaller subnetworks with only limited and controlled connectivity between them. There is a legitimate argument to be made that network segmentation could be number one on our prevention list, yet somehow it did not make the cut. The reason for that is singular: implementation. 

We just did not believe that segmentation, as it is being implemented in the real world, is truly preventative. 

In an ideal version of network segmentation, each subnetwork would be completely divided, existing in completely different security and IP zones, and only connecting at very limited points, on very limited ports, through clear points of monitoring. However, based on my experience in the real world, even the best-intentioned networks have succumbed to time, user requests, limited capacities and, ultimately, the intention to just make things work. 

Zones still exist but often in name only. There are often wide swaths of IPs and ports open to domain controllers living across the network or a high-priority internal finance server being connectable from a web application open to the Internet. These are the realities of real-world scenarios. Fixing these issues quickly with limited user disruption and overworked staff is often not realistic for many networks, hence it was left off our list. Our goal was to push as much actionable information to teams that they could quickly implement rather than a project that may take several weeks to complete. 

All of this notwithstanding, I would like to make a simple plea to the cyber and network professionals out there living with these realities: If this traffic between zones cannot be limited, monitor it extremely closely. It is likely your best shot at limiting damage from a possible attacker.

Editor’s note: For further insights on this topic, read the recent Journal article: Avoid Having to Run Somewhere From Ransomware,ISACA Journal, volume 2, 2020.

ISACA Journal