It’s a tall order to keep your entire enterprise free of ransomware. The perpetual headlines about such attacks over the past couple of years are a constant reminder of that. While you should implement a cybersecurity strategy that aims for the stars, a strong emphasis should be placed on the containment of an attack (some might say an inevitable one). Implementing a network segmentation strategy brings multiple benefits with regard to ransomware:
- Contain the infection area of an attack to mitigate its damage to the enterprise at large
- Buy time to analyze the scope and nature of the attack in order to eradicate it
- Gain access to logging information that can be used to understand the attack and combat it
- Protect high-value assets such as databases, sensitive information, and key servers such as domain controllers (DCs)
Containing a malware attack is about restricting its lateral spread. According to the Department of Homeland Security, “network segmentation” means separating components based on criticality and trustworthiness. This type of network segmentation cannot be achieved at Layer 2 alone. While a router does offer some segmentation abilities, only a next-generation firewall can provide the segmented filtering required to contain a serious malware attack.
The Need to Segment Active Directory Assets
DCs are high-value targets for threat actors. These servers contain detailed information about all the user and computer accounts within your network. They can be used to seize privileged accounts or to reconfigure permissions and policies.
Bringing down your Active Directory (AD) infrastructure is also a good way to bring enterprise operations to a halt, thus increasing the odds of a handsome extortion payment. The problem is that every user account is constantly connecting to DCs for authentication purposes throughout the workday. Hosting your DCs in the same segment as your users exposes them to the lateral spread of an attack.
Creating a High Value Asset Zone
For those networks that utilize a single perimeter firewall, your best option is to create a dedicated zone for your DCs and other support servers or high-value assets. This is the same concept as a DMZ.
Congregating your DCs in a protected zone allows you to segment them from the general network. While it’s still important to limit port availability to required traffic such as LDAP, Kerberos, DNS, etc., you need the power of a next-generation firewall to implement the additional measures required to securely segment your DCs. This includes creating policies to scrub all incoming traffic of known malware and enabling intrusion prevention systems to monitor, report, and block suspicious traffic.
Bringing your Firewalls into the LAN
Of course, the weakness with the above design is that it places all your DCs in one basket. A far better approach is to bring additional firewalls into the LAN itself to adhere to a zero-trust design.
By dispersing your DCs across your network into distinct firewall protected zones throughout the LAN, you can restrict users of a given site or department to assigned DCs, limiting any possible malware exposure to only those servers. The multiple firewalls can also be configured to communicate with one another, allowing them to take automated measures to further segment an infected area.
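The two rules described above, an allow-list of AD client services toward a DC zone and the restriction of each site’s users to their assigned DCs, expressed as a small default-deny policy model in Python. This is an added example, not code from the original article or from any firewall vendor; the zone names, subnets, addresses and flow records are constructed for illustration, and the service list extends the article’s LDAP/Kerberos/DNS with the other standard AD client ports (SMB, RPC endpoint mapper, NTP, Kerberos password change, Global Catalog).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Well-known ports a domain-joined client needs to reach on a DC. The article
# names LDAP, Kerberos and DNS; the rest are standard AD client dependencies
# added here so the allow-list is realistic. The dynamic RPC port range is
# deliberately omitted to keep the example short.
AD_CLIENT_SERVICES = {
    ("udp", 53), ("tcp", 53),        # DNS
    ("udp", 88), ("tcp", 88),        # Kerberos
    ("udp", 123),                    # NTP (Windows Time)
    ("tcp", 135),                    # RPC endpoint mapper
    ("tcp", 389), ("tcp", 636),      # LDAP, LDAPS
    ("tcp", 445),                    # SMB (SYSVOL, NETLOGON, Group Policy)
    ("tcp", 464), ("udp", 464),      # Kerberos password change
    ("tcp", 3268), ("tcp", 3269),    # Global Catalog, Global Catalog over TLS
}

# Constructed topology (hypothetical addresses): two user sites, each with its
# own firewall-protected DC zone.
ZONES = {
    "users-hq":     ip_network("10.10.0.0/16"),
    "users-branch": ip_network("10.20.0.0/16"),
    "dc-hq":        ip_network("10.1.1.0/24"),
    "dc-branch":    ip_network("10.2.1.0/24"),
}

# Each user site may talk only to its assigned DC zone.
ASSIGNED_DC_ZONE = {"users-hq": "dc-hq", "users-branch": "dc-branch"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def zone_of(ip: str):
    """Map an address to its zone name, or None if it is in no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def decide(flow: Flow):
    """Apply the segmentation policy to one flow and return (verdict, reason).

    Everything not explicitly allowed below is denied (default deny)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside any defined zone"
    if src_zone == dst_zone:
        return "allow", "same zone (never crosses the zone firewall)"
    src_is_dc = src_zone.startswith("dc-")
    dst_is_dc = dst_zone.startswith("dc-")
    if src_is_dc and dst_is_dc:
        # Simplified: DC zones may replicate with each other. A real policy
        # would also pin this to the replication ports.
        return "allow", "dc-to-dc replication"
    if dst_is_dc:
        if ASSIGNED_DC_ZONE.get(src_zone) != dst_zone:
            return "deny", f"{src_zone} is not assigned to {dst_zone}"
        if (flow.proto, flow.dport) not in AD_CLIENT_SERVICES:
            return "deny", f"{flow.proto}/{flow.dport} is not an AD client service"
        return "allow", "AD client traffic to assigned DC zone"
    return "deny", "default deny"


def evaluate(flows):
    """Return one (flow, verdict, reason) tuple per flow."""
    return [(f, *decide(f)) for f in flows]


def deny_log(flows):
    """Firewall-style log lines for denied flows: the data an analyst would use
    to scope an outbreak."""
    return [
        f"DENY {f.proto}/{f.dport} {f.src} -> {f.dst} ({reason})"
        for f, verdict, reason in evaluate(flows)
        if verdict == "deny"
    ]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.1.1.10", "tcp", 88),    # HQ client, Kerberos to HQ DC
    Flow("10.10.5.20", "10.1.1.10", "udp", 53),    # HQ client, DNS to HQ DC
    Flow("10.10.5.20", "10.1.1.10", "tcp", 3389),  # HQ client, RDP to HQ DC
    Flow("10.10.5.20", "10.2.1.10", "tcp", 389),   # HQ client, LDAP to branch DC
    Flow("10.20.7.8",  "10.2.1.10", "tcp", 445),   # branch client, SMB to branch DC
    Flow("10.20.7.8",  "10.10.5.21", "tcp", 445),  # branch client, SMB to HQ client
    Flow("10.1.1.10",  "10.2.1.10", "tcp", 389),   # HQ DC to branch DC
]

if __name__ == "__main__":
    for f, verdict, reason in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5} {f.proto}/{f.dport:<5} {f.src:>11} -> {f.dst:<11} {reason}")
    print("\n".join(deny_log(SAMPLE_FLOWS)))
```

Running the script shows the three flows a zone firewall would drop: RDP from a workstation to a DC, a user at one site reaching the other site’s DC, and SMB between two user segments across sites. The deny lines are the logging benefit from the opening list; on a real firewall they would be forwarded to the SIEM, where a burst of such denies from one segment is an early sign of an outbreak trying to spread.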
Keep Ransomware Away from Active Directory
The days of congregating DCs and other support servers within the same broadcast domain as your users are over. Security is now paramount. A well-conceived network segmentation strategy provides a highly effective means of mitigating a ransomware attack on your AD infrastructure.
Keep in mind, though, that as effective as it is, it’s but one more element of a defense-in-depth strategy that is necessary to win the war on ransomware.