Crunchy on the Outside, Soft in the Middle
Over the past several weeks, the NJCCIC has received numerous reports of, and responded to a number of, incidents in which bad actors breached organizations’ perimeter defenses and, once inside, moved through the network unhindered, eventually compromising a large number of systems across the impacted organizations. Perimeter defenses are common, well known, and typically a de facto standard for any organization. They include firewalls, email filtering technologies, intrusion prevention systems, access control systems, and a host of other controls that give organizations a hardened perimeter.
While organizations implement numerous perimeter defense technologies and tactics, a common theme the NJCCIC continues to see is that once the crunchy exterior is breached, the defenses on the internal network are far less robust. Many organizations configure their internal networks and systems to implicitly trust other systems within the network, so an attacker who has breached the perimeter is free to wreak havoc throughout the organization.
Defense-in-depth and compartmentalization strategies protect internal networks and limit damage in the same way watertight compartments protect a ship. A breach of the hull may flood one compartment, but if the hatch between compartments is secured, the breach is contained and the ship is far less likely to sink. Similarly, enterprise networks can be segmented according to the criticality and sensitivity of the information and systems in each segment, using Virtual Local Area Networks (VLANs), firewalls, and other partitioning controls to limit an attacker’s ability to move laterally through the network, thereby limiting the damage the attacker can cause. Note that a VLAN by itself only separates broadcast domains; the protection comes from the firewall or access control lists that enforce a default-deny policy on traffic routed between segments, so that only the specific flows the business requires are permitted.
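To make the segmentation idea concrete, the following is an added example (not code from the NJCCIC or from either of the linked resources) that expresses a default-deny segmentation policy between hypothetical segments and then audits constructed, Zeek conn.log-style flow records against it, flagging any cross-segment connection the policy would not permit. The address plan, the allowed flows, and the log layout are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical address plan: each segment groups systems of similar criticality
# and sensitivity (an assumption for this example, not an NJCCIC recommendation).
SEGMENTS = {
    "users":    ipaddress.ip_network("10.10.0.0/16"),   # workstation VLANs
    "servers":  ipaddress.ip_network("10.20.0.0/24"),   # application servers
    "database": ipaddress.ip_network("10.30.0.0/24"),   # database servers
    "mgmt":     ipaddress.ip_network("10.99.0.0/24"),   # admin jump hosts
}

# Allow-list of permitted connection initiations between segments:
# (source segment, destination segment, protocol, destination port).
# Any cross-segment flow not listed here is denied by default, so a host
# compromised in "users" cannot simply open connections into "database".
POLICY = {
    ("users",   "servers",  "tcp", 443),
    ("servers", "database", "tcp", 5432),
    ("mgmt",    "servers",  "tcp", 22),
    ("mgmt",    "database", "tcp", 22),
}


def segment_of(ip: str) -> Optional[str]:
    """Return the segment name containing ip, or None if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Decide whether a connection initiation is permitted by the segmentation policy."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False                # unknown address space: deny
    if src == dst:
        return True                 # intra-segment traffic is left to host firewalls here
    return (src, dst, proto, dport) in POLICY


@dataclass
class Violation:
    ts: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    src_seg: Optional[str]
    dst_seg: Optional[str]


def parse_conn_line(line: str):
    """Parse one tab-separated record: ts, orig_h, orig_p, resp_h, resp_p, proto."""
    ts, orig_h, _orig_p, resp_h, resp_p, proto = line.split("\t")
    return ts, orig_h, resp_h, proto, int(resp_p)


def audit(lines: List[str]) -> List[Violation]:
    """Return every flow in the log that the segmentation policy would deny."""
    violations = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src_ip, dst_ip, proto, dport = parse_conn_line(line)
        if not is_allowed(src_ip, dst_ip, proto, dport):
            violations.append(Violation(ts, src_ip, dst_ip, proto, dport,
                                        segment_of(src_ip), segment_of(dst_ip)))
    return violations


# Constructed sample records in a Zeek conn.log-like layout (not real traffic).
SAMPLE_CONN_LOG = [
    "# ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1700000001\t10.10.4.25\t51234\t10.20.0.10\t443\ttcp",   # user -> web app: allowed
    "1700000002\t10.20.0.10\t40211\t10.30.0.5\t5432\ttcp",   # app -> database: allowed
    "1700000003\t10.10.4.25\t51240\t10.30.0.5\t5432\ttcp",   # user -> database directly: lateral movement
    "1700000004\t10.10.4.25\t51241\t10.20.0.11\t445\ttcp",   # user -> server SMB: not in policy
    "1700000005\t10.99.0.2\t55000\t10.30.0.5\t22\ttcp",      # admin -> database SSH: allowed
    "1700000006\t10.20.0.11\t33001\t10.99.0.2\t22\ttcp",     # server -> jump host: wrong direction
]

if __name__ == "__main__":
    for v in audit(SAMPLE_CONN_LOG):
        print(f"{v.ts} DENY {v.src_seg}({v.src_ip}) -> {v.dst_seg}({v.dst_ip}) {v.proto}/{v.dport}")
```

On the flat, implicitly trusting network the advisory describes, every one of the sample flows would succeed; under the policy above, the three flagged records (a workstation talking straight to the database, a workstation opening SMB to a server, and a server initiating SSH back into the management segment) are exactly the lateral-movement paths that segmentation removes. Running the same check over real flow logs before enforcing the rules is a practical way to find legitimate traffic the allow-list still needs to cover.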
The NJCCIC strongly advises organizations to review their network designs and segment their networks, as appropriate, so that a breach of perimeter defenses cannot cause widespread damage. Additional information on network segmentation is available in A Framework to Protect Data Through Segmentation and Network Segmentation for a Reduced Attack Surface.