Segmentation is a fundamental architectural approach that involves segregating assets, identities, applications, cloud services, etc. to mitigate the threats from lateral movement and reduce line of sight across zones. Many compliance initiatives mandate segmentation as a key control to protect and isolate data and other resources. Additionally, network segmentation, microsegmentation, and a zones approach to security are core principles for enabling zero trust environments and architectures.
In this blog we will explore segmentation, lateral movement, and how you can apply privileged access management (PAM) to achieve segmentation and improve your security posture.
How Segmentation Works
Segmentation is the process of dividing a “collection” into smaller, more defined groupings. It sections the “collective” based on similar characteristics such as geolocation, function, operating system, business process, and even ownership. In fairness, segmentation can be abstract based on any logical concept defined by the business and can have attributes that vary based on conditions. These can include traits for scalability, high availability, disaster recovery, development, quality assurance, etc., or technology, as previously stated. Therefore, there is no one way to define a logical grouping based on segmentation, but segmentation can occur at any time and be ephemeral or persistent. The easiest way to think of segmentation is as a logical group that has distinct boundaries.
Next, once you have the logical group, what is the commonality that makes them similar? Does the similarity require accounts or other administrative functions that are shared? Often, the answer is yes.
The segmentation model utilizes technology that must authenticate with other resources in the group and, ultimately, these tasks will have privileges that require authorization between resources. This is where segmentation with privileged access management can help prevent lateral movement—even when resources have been segmented.
The Lateral Movement Cyberattack Vector
Lateral movement is one of the key phases in cyberattack chains and can potentially enable a breach to grow from a single compromised asset, identity, etc., to encompass as much as an entire environment, particularly if concepts like segmentation and least privilege are not rigorously implemented. Over the past 18 months, the explosion of remote and hybrid work and the increased use of personal devices (BYOD) have opened up substantially more potential avenues for lateral movement. This is especially true with the perimeter further dissolving to support remote workers.
While lateral movement was once considered among assets only, prevailing technology stacks today can allow lateral movement to occur between assets, between identities, within applications, and even among cloud services. Lateral movement can also encompass resources that have multiple roles or owners, are subject to governance from multiple companies, or have no security controls at all.
In all the above scenarios, lateral movement becomes the attack vector to explicitly monitor for and the one that can definitively indicate an intrusion, if inappropriate activity occurs. This threat carries an even higher risk when privileged accounts are involved, whether they are being leveraged by human or non-human identities, regardless of boundaries.
Segmentation Approaches with Privileged Access Management
Fortunately, there is a strategic method to help mitigate this risk in the form of segmentation using privileged access management.
Privileged access management includes the following disciplines:
- Privileged Password Management (also called Privileged Account and Session Management) – the ability to store, rotate, check in and check out secrets, and the ability to perform complete session monitoring for inappropriate activity.
- Endpoint Privileged Management (also called Privilege Elevation & Delegation Management) – the ability to remove administrative rights from almost any account (human or non-human), while enabling the calling application or user to perform those tasks—without explicitly providing administrative credentials.
- Secure Remote Access – the ability for an interactive session to be established from outside of the segmented zone for maintenance, upgrades, monitoring, auditing, or any other authorized tasks.
Now, let’s revisit our lateral movement discussion. Without segmentation, all resources can freely interact with other resources. There is no logical isolation of resources or subnets, and there is no proxy brokering appropriate communication. If an exploit occurs or, more importantly, secrets for authentication are compromised, then one compromised resource can leverage every other resource with which it can openly communicate. This is the primary method ransomware spreads throughout an environment.
If we architect an environment with segmentation, and thus, create boundaries, we can contain communications to a small group of resources. However, this alone does not stop lateral movement within the zone. To do this, you must prevent any compromised secrets from being available, or being used, from one resource to another. (Of course, this is not accounting for the reality that you must patch vulnerabilities if an exploit is being used for lateral movement.)
Here’s where PAM comes into play with regard to segmentation:
Privileged Password Management: This solution creates unique secrets (passwords, keys, and certificates) per resource, frequently automates their rotation (changing), and directly injects the obfuscated credentials into the session for human and machine accounts. These practices ensure credentials do not become stale, and that they are invalidated if a compromise should occur. This helps prevent lateral movement within a segment by limiting the ability of a threat actor or malware to have the persistent secrets in the first place to navigate amongst resources.
Endpoint Privileged Management: Once authentication occurs, authorization follows. Entitlements and privileges may be granted. If the account is highly privileged, the risk for resource manipulation grows exponentially. Therefore, within a segment, all accounts should follow the model of least privilege. This entails assigning the least amount of privileges to an account, and nothing more, to perform a task. Ideally, this privileged access should also be just-in-time, meaning access is immediately revoked once context has changed or an amount of time has elapsed. Endpoint Privilege Management helps ensure an absolute minimum of administrative and root accounts within a segment, while enabling tasks that require high privileges to operate unhindered. This security control alone can effectively block most attack vectors utilizing lateral movement.
Secure Remote Access: When an environment is segmented, and approved users can be operating virtually anywhere, access to the segment for routine work must still be allowed. Secure Remote Access products (Privileged Remote Access, etc.) can provide secure connectivity—without breaking the segmentation model—by gating access into the segment and monitoring for inappropriate behavior. This treats the zone using a microsegmentation model and proxies all access to only those who have verified access. This alone prevents lateral movement through traditional protocols, like RDP and SSH, and can contribute to an enclave model that supports zero trust. Everything is isolated, boundaries have been established, and all access is monitored for appropriate user behavior.
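The argument above (segmentation contains communication, but reused secrets still allow movement inside a zone) can be checked with a small model. This is an added example, not BeyondTrust code: the inventory, resource names, credential names, and the assumption that injected per-resource secrets leave nothing cached are all constructed for illustration.

```python
# Added example: toy model of lateral movement via reused secrets.
# Constructed inventory: resource -> (segment, privileged credential it
# accepts, credentials left cached on it). All names are hypothetical.
INVENTORY = {
    "web01": ("dmz", "svc-admin", set()),
    "web02": ("dmz", "svc-admin", set()),
    "app01": ("app", "svc-admin", set()),
    "db01": ("data", "svc-admin", {"dba"}),
    "db02": ("data", "dba", set()),
}


def blast_radius(inventory, start, segmented):
    """Resources an intruder on `start` can take over by replaying secrets."""
    owned = {start}
    changed = True
    while changed:
        changed = False
        # Every owned resource gives up the secret it accepts plus cached ones.
        creds = set()
        for host in owned:
            creds |= {inventory[host][1]} | inventory[host][2]
        owned_segments = {inventory[host][0] for host in owned}
        for name, (segment, accepts, _cached) in inventory.items():
            if name in owned:
                continue
            # Segmentation: only resources in an already-entered zone are reachable.
            reachable = not segmented or segment in owned_segments
            if reachable and accepts in creds:
                owned.add(name)
                changed = True
    return owned


def shared_secrets(inventory):
    """Audit: credentials accepted by more than one resource."""
    users = {}
    for name, (_segment, accepts, _cached) in inventory.items():
        users.setdefault(accepts, []).append(name)
    return {cred: sorted(names) for cred, names in users.items() if len(names) > 1}


def with_unique_secrets(inventory):
    """Assumed PAM effect: one secret per resource, injected so none stay cached."""
    return {name: (seg, f"{name}-secret", set()) for name, (seg, _a, _c) in inventory.items()}


if __name__ == "__main__":
    print("flat, shared:     ", sorted(blast_radius(INVENTORY, "web01", False)))
    print("segmented, shared:", sorted(blast_radius(INVENTORY, "web01", True)))
    print("segmented, unique:", sorted(blast_radius(with_unique_secrets(INVENTORY), "web01", True)))
    print("reused secrets:   ", shared_secrets(INVENTORY))
```

The model covers credential reuse only; movement through an unpatched vulnerability is outside it, as the article notes.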
Privileged access management can be applied to create a zoned approach to complement segmentation. However, mitigating the risks of lateral movement within the segment itself requires privileged access management. PAM can stop unauthorized authentications, remove privileges used for lateral movement, and manage remote access to ensure activity originating outside of the segment is appropriately controlled and monitored when entering the segment.
Segmentation using privileged access management is one of the best defenses for security architecture and workers against inappropriate access and lateral movement.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.