Network Segmentation: Breaking the Cyber Kill Chain

Hacking attacks at Equifax, Target, & Yahoo! have proven that corporations cannot solely rely on network firewalls for data security. When outer network perimeter defenses such as firewalls are breached by hackers, corporations often have few resources available internally that can monitor network traffic and data transfers in real-time to detect hostile or unauthorized lateral activity.

Network segmentation is now frequently implemented by IT pros to break the cyber kill chain in enterprise data center management, but these methods need to be further augmented by application segregation and fine-grained micro-segmentation of web server processes in order to secure corporate data with a higher degree of defense in live production, especially for high-traffic websites and mobile applications.

The Cyber Kill Chain: Common Hacking Methods

Lockheed-Martin is a leading military-industrial defense contractor with corporate requirements for the highest level of data security against the most advanced organized international hacking attacks targeting “top secret” information. Security researchers at the company have identified seven stages of the intrusion kill chain that represent the most common techniques used by sophisticated hackers to penetrate networks and steal corporate or military defense data.

The seven stages of the cyber attack kill chain with their antidotes are:

Reconnaissance: Security defense must detect malicious intruders that have penetrated firewalls and are actively beginning surveillance activity on a secured network.

Weaponization: Internal request scanning and AI/ML exploit analysis must be used to prevent hackers from planting viruses, malware, or worms on data center hardware.

Delivery: The means of dissemination of malware, viruses, packet sniffing software, and worms must be automatically disrupted by internal network defense mechanisms.

Exploitation: Network security software must degrade the ability of intruders with unauthorized access to install triggers which exploit remote code vulnerabilities.

Installation: Deception must be employed against intruders that attempt to build “backdoor” access to secure networks for repeat connection to data center resources.

Command & Control: Hackers that manage to maintain persistent access to a secure network for remote code execution with permission escalation must be contained.

Actions on Objective: Corporate executives, IT security managers and software developers must combine to deny hackers the ability to destroy, steal, or corrupt data.

The common theme of defense security measures across all stages of the cyber attack kill chain is that reliance on perimeter defense is not enough. Network segmentation introduces multi-tiered permission regulation, password authorization, and user verification that can still be spoofed by sophisticated hacking teams. The most advanced data security techniques for military-grade requirements implement real-time traffic analysis of all network user requests with AI/ML evaluation of behavior patterns that can even be used to counter insider attacks.

Network Firewalls: Perimeter Defense & Internal Controls

Security research from intelligence organizations, academic experts, and the largest enterprise corporations all confirm that firewall perimeter defense methods are not sufficient to provide the required counter-measures to advanced hacking attacks. IT pros need to operate with the understanding that even the most complex firewall techniques, permission controls, and authorized user verification methods will ultimately fail against “zero day” exploits. This requires backup planning that is even more extensive than the external controls to target active internal network security breaches when they occur. Where network segmentation is used to create chains of ringed islands with more concentrated security controls and user authentication at higher levels of information, application-layer and micro-segmentation techniques add an extra three tiers of verifiable security measures to data defense that are based on internal controls.

Mega Breaches: A Staggering Cost for the Fortune 500

While the loss of military-industrial defense project secrets to highly advanced State-sponsored hacking attacks is considered to be a matter of the highest national security, enterprise corporations have also seen staggering financial losses from the theft of sensitive customer information from their web servers and data centers.

Published research by IBM recently estimated that security breaches involving more than 50 million consumer records, such as the Equifax, Yahoo!, and Target hacks, cost Fortune 500 companies more than $350 million USD per occurrence on average. Each stolen record costs a company around $148 in damages and reparations. Because hackers spend an average of 200 days in surveillance and reconnaissance of a network before beginning large-scale data theft, corporations can save millions of dollars by identifying and eliminating intrusions within the first 30 to 60 days of an attack. For military-grade network security, real-time analysis of network data packet requests combined with AI/ML scanning techniques for hostile activity patterns has proved the most efficient in defense, although the major organizational reliance is still on encrypting data in transit to verified sources.

Long Dwell Times: Hacker Reconnaissance & Intrusion

Similar to the IBM report targeting mega-breaches in the Fortune 500, new research from FireEye on global security trends across the Europe, Middle East, and Africa (EMEA) regions showed that the average dwell time on these servers by malicious hackers was around 100 days. The average time to intrusion detection for these companies was 24.5 days, compared to 83 days in previous surveys. The FireEye survey targeted mainly financial (24%), government (18%), and professional service (12%) organizations.

These groups increasingly rely on cloud data center outsourcing for hardware and software resources over private data centers, where greater utilization of open source code or SaaS products may also improve security over previous generations of legacy software applications in production. In each instance, the increase in speed of intrusion detection is the single leading cause in the reduction of harm for these organizations when mitigating the effects of data theft, malware, remote code execution, or other cyber attacks.

Advanced Micro-Segmentation Solutions

Network segmentation is used to break the cyber kill chain through the establishment of cascading higher levels of security verification and data control techniques. Application segmentation is more finely grained than network-level software and these utilities can work with load balancers in isolation from other data center processes, although the process is still talent intensive. Micro-segmentation based on real-time scanning of data packet transfer requests and AI/ML analysis of network user patterns can prevent hackers from escalating their attacks more quickly and is fully automated.

Research studies across academic, corporate and military institutions have all shown that speeding up the time of malicious intruder recognition is the single greatest cause in reducing the organizational harm caused by cyber attacks.