The Time for Microsegmentation is Now!

Venky Raju

Read Time: 3 Minutes

Last Updated: May 13, 2024


On May 9, Ascension, one of the largest private healthcare systems in the United States, reported that it attributed unusual network activity to a cybersecurity incident. Affected systems included electronic health record systems and various systems utilized to order certain tests, procedures, and medications.

Healthcare organizations have been under constant attack for several years, and over 500 organizations have been compromised in attacks attributed to the Black Basta group and its affiliates. CISA, the United States Cybersecurity and Infrastructure Security Agency, released an advisory on May 10 under its ongoing #StopRansomware initiative to help organizations better prepare.

The advisory provides technical details using the MITRE ATT&CK for Enterprise framework.

Let’s review the tactics highlighted by the advisory.

Initial Access

The adversary is trying to get into your network. Black Basta affiliates use spearphishing and exploit vulnerabilities in public-facing applications such as ConnectWise. Email security solutions and security awareness training are critical to defending against spearphishing, and organizations can also consider enterprise browser solutions that provide improved defense against malicious links. While multi-factor authentication (MFA) is often proposed to counter stolen credentials, passwordless authentication is even better as it eliminates the fundamental threat—the password.

Discovery and Execution

The adversary is trying to figure out your environment. Black Basta affiliates appear to use network scanners and standard techniques such as masquerading and living off the land to evade detection. Modern Endpoint Detection and Response (EDR) tools should detect most of these attempts, but no solution can provide 100% guarantees. Over 500 organizations have been compromised, which indicates that adversaries have found ways around traditional endpoint controls. Among its many benefits, host-based microsegmentation can inhibit the adversary’s network discovery process. Egress controls on the compromised system prevent outbound packets from the network scanner, while ingress controls on other systems render them invisible to the adversary.

Lateral Movement

The adversary is trying to move around your environment. There are several techniques attackers can use to move from one system to another to achieve their objectives. These include session hijacking, internal spearphishing to gain credentials, and remote protocols like SSH and RDP, as well as Windows shares. Microsegmentation is the only proven technique to limit the spread of lateral movement and contain the adversary to a few compromised systems. Egress controls on the compromised system prevent the attacker from initiating lateral movement. However, it is equally essential to have ingress controls on all systems to ensure complete protection from lateral movement. We strongly recommend organizations implement microsegmentation pervasively.

Exfiltration

Most organizations focus on keeping bad actors from entering their networks. However, once inside, most adversaries can easily exfiltrate data using the enterprise’s network infrastructure. Black Basta affiliates have been found to use Rclone, an open-source program for migrating data between data stores. It is essential to implement egress filtering to prevent unauthorized outbound traffic. Organizations with hundreds of applications may find it challenging to create and manage egress controls in perimeter firewalls or web proxies. Implementing these controls using microsegmentation may be more straightforward, as each application or microsegment may have a relatively small set of outbound URLs or IP addresses to manage.
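To make the egress/ingress argument of the Discovery, Lateral Movement and Exfiltration sections concrete, here is an added example (not code from this post or from any ColorTokens product) of a minimal host-based policy model with constructed segments and flows; all addresses and rules are hypothetical. A flow is dropped if either the source's egress allowlist or the destination's ingress allowlist rejects it, and the tampered-agent case shows why ingress rules on every host matter even when the compromised host's own controls are gone.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:                # one allow entry: remote peer CIDR, destination port, protocol
    peer: str
    port: int
    proto: str = "tcp"

@dataclass
class HostPolicy:          # default-deny in both directions; explicit allows only
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)
    enforced: bool = True  # False models an agent the attacker disabled or removed

def _permits(rules, peer, port, proto):
    return any(ip_address(peer) in ip_network(r.peer) and r.port == port
               and r.proto == proto for r in rules)

def evaluate(policies, src, dst, port, proto="tcp"):
    """A flow must pass the source's egress rules AND the destination's
    ingress rules; either side alone is enough to drop it."""
    src_pol, dst_pol = policies.get(src), policies.get(dst)
    if src_pol and src_pol.enforced and not _permits(src_pol.egress, dst, port, proto):
        return False, "egress"
    if dst_pol and dst_pol.enforced and not _permits(dst_pol.ingress, src, port, proto):
        return False, "ingress"
    return True, "allowed"

# Constructed sample segments (hypothetical addresses): app server, database, workstation.
POLICIES = {
    "10.0.1.10": HostPolicy(ingress=[Rule("10.0.0.0/8", 443)],
                            egress=[Rule("10.0.2.20/32", 5432), Rule("198.51.100.5/32", 443)]),
    "10.0.2.20": HostPolicy(ingress=[Rule("10.0.1.10/32", 5432)]),
    "10.0.9.50": HostPolicy(egress=[Rule("10.0.1.10/32", 443)]),
}

def demo():
    # Each result is (allowed, which side stopped the flow).
    return {
        "scan": evaluate(POLICIES, "10.0.9.50", "10.0.2.20", 22),       # scanner on compromised workstation
        "rdp": evaluate(POLICIES, "10.0.9.50", "10.0.1.10", 3389),      # lateral movement attempt
        "app_db": evaluate(POLICIES, "10.0.1.10", "10.0.2.20", 5432),   # legitimate app -> db flow
        "exfil": evaluate(POLICIES, "10.0.1.10", "203.0.113.10", 443),  # unknown external host
        "backup": evaluate(POLICIES, "10.0.1.10", "198.51.100.5", 443),  # approved external target
    }

def demo_tampered():
    # Workstation agent disabled: the database's own ingress rules still drop the scan.
    tampered = dict(POLICIES, **{"10.0.9.50": HostPolicy(enforced=False)})
    return evaluate(tampered, "10.0.9.50", "10.0.2.20", 22)
```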


CISA has done an outstanding job of providing information in this #StopRansomware advisory. It is time to take notice and implement microsegmentation now!

Please get in touch with us if you would like more information on how ColorTokens Xshield can help you implement microsegmentation at scale and provide tangible results in less than 90 days.