It’s a tall order to keep your entire enterprise free of ransomware. The perpetual headlines concerning such attacks over the past couple of years are a constant reminder of that. While you should implement a cybersecurity strategy that aims for the stars, a strong emphasis should be placed on containing an attack (some might say an inevitable one). A network segmentation strategy offers multiple benefits where ransomware is concerned.
Containing a malware attack is about restricting its lateral spread. According to the Department of Homeland Security, “network segmentation” means separating components based on criticality and trustworthiness. This type of network segmentation cannot be achieved at the layer 2 level. While a router does offer some segmentation abilities, only a next-generation firewall can provide the segmented filtering required to contain a serious malware attack.
Domain controllers (DCs) are high-value targets for threat actors. These servers hold detailed information about every user and computer account in your network, and a compromised DC can be used to seize privileged accounts or reconfigure permissions and policies.
Bringing down your Active Directory (AD) infrastructure is also a good way to bring enterprise operations to a halt, thus increasing the odds of a handsome extortion payment. The problem is that every user account is constantly connecting to DCs for authentication purposes throughout the workday. Hosting your DCs in the same segment as your users exposes them to the lateral spread of an attack.
For those networks that utilize a single perimeter firewall, your best option is to create a dedicated zone for your DCs and other support servers or high value assets. This is the same concept as a DMZ.
Congregating your DCs in a protected zone lets you segment them from the general network. While it’s still important to limit port availability to required traffic such as LDAP, Kerberos, DNS, etc., you need the power of a next-generation firewall to implement the additional measures required to segment your DCs securely. These include policies that scrub all incoming traffic for known malware and an intrusion prevention system that monitors, reports on, and blocks suspicious traffic.
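To make the "limit port availability to required traffic" step concrete, here is an added example (not from the original article) that audits a vendor-neutral users-to-DC-zone rule set against a baseline of standard Active Directory client ports, flagging over-broad rules, ports that have no business being open, and required ports that were forgotten. The baseline set, the zone names and the Rule shape are assumptions of the example.

```python
# Added example: audit a users -> DC-zone firewall policy against the minimal
# set of ports a domain-joined client needs to reach a domain controller.
from collections import namedtuple

ANY = "any"
# One inter-zone policy entry; proto is "tcp"/"udp"/"any", port is an int or "any".
Rule = namedtuple("Rule", "src_zone dst_zone proto port action")

# Standard AD client ports. Treating exactly this set as the "required traffic"
# is an assumption of this example; adjust it for your domain (e.g. dynamic RPC).
DC_CLIENT_BASELINE = {
    ("tcp", 88), ("udp", 88), ("tcp", 464), ("udp", 464),  # Kerberos, kpasswd
    ("tcp", 389), ("udp", 389), ("tcp", 636),              # LDAP, LDAP ping, LDAPS
    ("tcp", 3268), ("tcp", 3269),                          # Global Catalog
    ("tcp", 53), ("udp", 53), ("udp", 123),                # DNS, NTP
    ("tcp", 445), ("tcp", 135),                            # SMB (SYSVOL/GPO), RPC mapper
}

def audit_dc_policy(rules, user_zone="users", dc_zone="dc-zone",
                    baseline=DC_CLIENT_BASELINE):
    """Return findings: over-broad or unneeded allow rules from the user zone
    into the DC zone, plus any baseline port the policy forgot to permit."""
    findings, covered = [], set()
    for r in rules:
        if (r.action, r.src_zone, r.dst_zone) != ("allow", user_zone, dc_zone):
            continue  # only user -> DC allow rules define the exposure
        if r.port == ANY:
            findings.append(f"over-broad: {r.proto}/any reaches every service on the DCs")
            covered |= baseline  # everything passes, so nothing counts as missing
            continue
        protos = ("tcp", "udp") if r.proto == ANY else (r.proto,)
        for key in ((p, r.port) for p in protos):
            if key in baseline:
                covered.add(key)
            else:
                findings.append(f"unneeded: {key[0]}/{key[1]} is not AD client traffic")
    missing = sorted(baseline - covered)
    if missing:  # clients behind this policy would fail to authenticate or apply GPO
        findings.append("missing: " + ", ".join(f"{p}/{n}" for p, n in missing))
    return findings

# Constructed sample: a typical first draft of a users -> DC-zone policy.
SAMPLE_POLICY = [
    Rule("users", "dc-zone", "any", 88, "allow"),
    Rule("users", "dc-zone", "any", 389, "allow"),
    Rule("users", "dc-zone", "tcp", 445, "allow"),
    Rule("users", "dc-zone", "tcp", 3389, "allow"),  # RDP left open by mistake
    Rule("users", "dc-zone", "any", ANY, "deny"),    # default deny
]
```

Running `audit_dc_policy(SAMPLE_POLICY)` reports the stray RDP rule and the nine baseline ports the draft never allowed, which is the review you want before the zone goes live.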
Of course, the weakness with the above design is that it places all your DCs in one basket. A far better approach is to bring additional firewalls into the LAN itself to adhere to a zero-trust design.
By dispersing your DCs across your network into distinct firewall protected zones throughout the LAN, you can restrict users of a given site or department to assigned DCs, limiting any possible malware exposure to only those servers. The multiple firewalls can also be configured to communicate with one another, allowing them to take automated measures to further segment an infected area.
The days of congregating DCs and other support servers in the same broadcast domain as your users are over. Security is now paramount. A well-conceived network segmentation strategy provides a highly effective means of mitigating a ransomware attack on your AD infrastructure.
Keep in mind, though, that as effective as it is, it’s but one more element of a defense-in-depth strategy that is necessary to win the war on ransomware.