Learnings From 3 Recent Cyberattacks Point to Zero Trust Segmentation
Recent cybersecurity incidents like those impacting MITRE, the Danish energy infrastructure, and the British Library are reminders of how important network segmentation is in reducing the impact of breaches and ransomware attacks.
Each of these attacks shows how Zero Trust Segmentation (ZTS) can help proactively defend against lateral movement and reactively contain attacks when they inevitably happen. This is reflected in the three attacks’ incident and response reports and aligns with guidance from the NSA’s newest Cybersecurity Information Sheet on network security.
What we’ve learned from 3 recent cyberattacks
News about breaches and ransomware attacks shouldn’t be a surprise. Today’s complex, hyper-connected networks mean there are always going to be new threats and undiscovered security gaps. What’s important is that organizations are prepared to limit the impact of attacks when they happen.
These three newsworthy breaches serve as excellent case studies for the importance of segmentation and its essential role in breach preparedness and survival.
MITRE: Segmentation stopped lateral movement
A fact of today’s threat landscape is that breaches are inevitable – and this is true even for organizations like MITRE, which is known for its robust cybersecurity. However, MITRE was prepared for this reality in April 2024 when it confirmed it had experienced a breach in its research and prototyping networks.
According to MITRE’s account of the incident, the unknown adversary “performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking.” MITRE’s identity technology wasn’t enough to prevent the attack.
Instead, quick breach containment resulting from segmentation policies was key to stopping the attackers’ lateral movement, isolating the infected areas, and limiting potential damage:
“We isolated affected systems and segments of the network to prevent further spread of the attack. Simply changing edge firewall rules was insufficient as this network had connectivity to labs across the enterprise, and effective containment required shutting down access infrastructure and isolating edge systems in a diverse set of laboratories. An accurate network inventory was critical to doing this in a timely way.”
It’s also important to note their finding that edge firewall rules alone weren’t enough to stop lateral movement and isolate the breach. According to their report, microsegmentation, as part of their Zero Trust architecture, was essential to fully shutting down connectivity and communication between infected and uninfected systems.
Although MITRE suffered an attack, they were prepared to swiftly see, contain, and mitigate the impact of the breach. A Zero Trust strategy with network segmentation at its core was key to their response.
The British Library: Segmentation would’ve limited breach damage
In October 2023, the British Library suffered a ransomware attack in which nearly 600GB of data, including personal data of its users and staff, was copied, exfiltrated, and sold on the dark web. When the Library declined to pay the ransom, the attackers also encrypted data and systems and destroyed some servers, inhibiting recovery and data restoration.
The attack highlights the indiscriminate nature of today’s threat actors – even nonprofit charity organizations like the British Library can't assume they’re immune to attacks.
In their March 2024 report on the attack, the Library acknowledged that their security architecture, including a mix of modern and legacy systems, didn’t have a way to immediately stop lateral movement or contain the attack.
The report says that, moving forward, the Library must implement better cyber resilience strategies, including network segmentation: “No perimeter can be made entirely secure. Network segmentation is therefore essential in limiting the damage caused by a successful attack. The Library’s legacy network topology meant that the attack was able to cause more damage than would have been possible in a modern network design.”
Danish energy: A lack of visibility and segmentation led to widespread disruption
A coordinated, well-planned attack compromised 22 energy operators responsible for various aspects of the Danish energy infrastructure in May 2023.
Based on information from SektorCERT, a nonprofit organization that runs a sensor network to detect, identify, and research threats to the Danish critical energy system, many member operators lacked complete visibility and segmentation in their networks.
SektorCERT was able to successfully detect the attack before it spread further, but their research found that many member operators didn’t know of vulnerabilities in their individual networks — especially between IT and OT systems — or that their networks were attacked. With end-to-end visibility into application dependencies and workload traffic, operators could have seen and closed security gaps that allowed the attack to spread through their individual networks and across the national energy infrastructure.
The attackers also leveraged a remotely exploitable vulnerability on the operators’ perimeter firewalls as a jumping-off point for their initial breach. While many operators had firewalls in place at the network perimeter, they lacked effective segmentation inside the network interior. This allowed the attackers to quickly and quietly spread through the network after the initial breach. The report specifically calls out segmentation as key to proactively prepare for breaches and quickly respond to active attacks.
Zero Trust Segmentation is essential to preparing for and responding to attacks
Amidst the uncertainty of today’s threat landscape, these three attacks make one lesson clear: the pivotal role of Zero Trust Segmentation (ZTS) in fortifying cyber defenses. In fact, the NSA’s new Cybersecurity Information Sheet, Advancing Zero Trust Maturity Throughout the Network and Environment Pillar, recognizes ZTS as an essential and foundational part of any Zero Trust architecture.
Proactively prepare for potential attacks
Traditional cybersecurity approaches, centered around perimeter-based defenses, are no longer enough to secure today's complex, interconnected networks. Instead of assuming it’s possible to prevent all cyberattacks, ZTS assumes breaches are inevitable.
By segmenting the network into smaller, isolated zones and enforcing strict access controls, organizations can minimize the attack surface and mitigate the risk of lateral movement by malicious actors. This proactive approach not only strengthens resilience against cyber threats but also enables organizations to contain the impact of security incidents when they occur.
Quickly respond to active attacks
ZTS also ensures resilience in the face of active attacks. In the event of a security incident, segmented networks act as virtual compartments, containing the damage and preventing it from spreading uncontrollably. This containment mechanism is especially important in today's interconnected enterprises where a single breach can have cascading effects across an entire network or even multiple organizations.
By limiting the blast radius of potential breaches and preventing lateral movement, ZTS enables organizations to minimize the impact of security incidents and maintain operational continuity.
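To make the blast-radius argument concrete, here is a small added model (not Illumio's product or any code from the incident reports) that computes how far an attacker who controls one workload could move laterally under a perimeter-only firewall versus a default-deny zone allowlist, and what happens when an affected segment is quarantined as MITRE describes. The inventory, zone labels, and rules are constructed for illustration.

```python
"""Blast-radius model: how far can an attacker on one workload move laterally?

Added example (constructed, hypothetical names): a labeled workload inventory
and two policy models, a perimeter-only firewall and a default-deny allowlist.
"""
from collections import deque

# Constructed inventory: workload name -> zone label (the "accurate network
# inventory" that incident response depends on).
INVENTORY = {
    "vpn-gw":    "edge",
    "lab-a-srv": "lab-a",
    "lab-a-ws":  "lab-a",
    "lab-b-srv": "lab-b",
    "hr-db":     "corp",
}

# Allowlist of (source zone, destination zone) flows permitted inside the
# network. Anything not listed is denied. Constructed for illustration.
SEGMENT_RULES = {
    ("edge", "lab-a"),    # VPN users land in lab A only
    ("lab-a", "lab-a"),   # intra-zone traffic within each lab / corp zone
    ("lab-b", "lab-b"),
    ("corp", "corp"),
}

def perimeter_only(src, dst):
    """Edge-firewall model: once inside, every workload can reach every other."""
    return src != dst

def segmented(src, dst):
    """Zero Trust model: allow only explicitly listed zone-to-zone flows."""
    return src != dst and (INVENTORY[src], INVENTORY[dst]) in SEGMENT_RULES

def quarantine(*zones):
    """Containment step: drop every rule touching the affected zones and
    return the resulting allow predicate (isolates the infected segments)."""
    kept = {r for r in SEGMENT_RULES if not set(r) & set(zones)}
    return lambda s, d: s != d and (INVENTORY[s], INVENTORY[d]) in kept

def blast_radius(start, allow):
    """Breadth-first search over the allow predicate: every workload an
    attacker controlling `start` could reach through successive lateral hops."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in INVENTORY:
            if dst not in seen and allow(src, dst):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}
```

Run `blast_radius("vpn-gw", perimeter_only)` and `blast_radius("vpn-gw", segmented)` side by side to see the reachable set shrink from the whole network to one lab zone, and `blast_radius("vpn-gw", quarantine("lab-a"))` to see containment reduce it to nothing.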
Contact us to learn how the Illumio Zero Trust Segmentation Platform prepares your organization to proactively and reactively secure against the next potential cyberattack.