Too often in the security industry, we hear of solutions or tools that will help make your business “more compliant” or “improve your security.” Those vague claims, however, are generally difficult to back with hard metrics. So when Illumio, a leading provider of segmentation for workload security, approached us with the opportunity to quantitatively demonstrate the benefits of micro-segmentation, we jumped at the chance to develop a testing methodology that any organization could use to assess the security controls applied to its own environment.
In this post, we’ll walk through the structure of our industry-first testing methodology and how we demonstrated that micro-segmentation increases the difficulty for an attacker to reach their target by anywhere from 300-950%.
Lateral movement occurs in the vast majority of breaches. An attacker first breaches the perimeter, often compromising a low-value target, and then, on average, spends 80% of their time moving laterally across the network until they reach their target trophy. And if an attacker is able to secure administrative privileges, malicious lateral movement can be very difficult to detect.
Micro-segmentation, which follows a “least privilege” or whitelisting approach to defining policy on endpoints, plays an essential role in limiting this lateral movement: it impedes an attacker who has broken into a network from bouncing from endpoint to endpoint and stealing anything of value. It effectively forces attackers to work harder and gives defenders more time to react to and mitigate threats.
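To make the mechanism concrete, here is an added example (not Bishop Fox or Illumio code, and not the test estate from the report) that models a constructed seven-workload environment and three hypothetical role-based allow-list policies, then measures how many lateral hops an attacker on a compromised web server needs to reach a hypothetical “crown jewel” and how many workloads remain reachable at all. The workload names, roles and policy tuples are assumptions for illustration.

```python
from collections import deque

# Constructed environment: each workload is labelled with the role that
# segmentation policy is written against (names are hypothetical).
ROLE = {"web-1": "web", "web-2": "web", "app-1": "app", "app-2": "app",
        "db-1": "db", "jump-1": "jump", "crown-1": "crown"}

# Allow-lists of (source role, destination role). Any pair not listed is
# denied, i.e. least privilege / default deny. None means no segmentation.
POLICIES = {
    "control (no segmentation)": None,
    "tier allow-list": {("web", "app"), ("app", "db"), ("db", "crown"),
                        ("jump", "crown")},
    "strict allow-list": {("web", "app"), ("app", "db"), ("jump", "crown")},
}

def allowed(policy, src, dst):
    """True if the policy permits a connection from src to dst."""
    if src == dst:
        return False
    if policy is None:          # control scenario: every flow is permitted
        return True
    return (ROLE[src], ROLE[dst]) in policy

def shortest_path(policy, foothold, target):
    """BFS over permitted flows; returns the hop list or None if unreachable."""
    queue, seen = deque([[foothold]]), {foothold}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in ROLE:        # insertion order keeps the result deterministic
            if nxt not in seen and allowed(policy, path[-1], nxt):
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def compare(foothold, target):
    """Per policy: (lateral hops to target or None, number of reachable workloads)."""
    results = {}
    for name, policy in POLICIES.items():
        path = shortest_path(policy, foothold, target)
        reach = [w for w in ROLE if w != foothold and shortest_path(policy, foothold, w)]
        results[name] = (len(path) - 1 if path else None, len(reach))
    return results

if __name__ == "__main__":
    for name, (hops, reach) in compare("web-1", "crown-1").items():
        print(f"{name:28s} hops to crown: {hops}  reachable workloads: {reach}")
```

Tightening the allow-list raises the hop count from 1 to 3 and then to unreachable, while shrinking the set of workloads the foothold can touch from 6 to 4 to 3, which is the same direction of effect the red team measured at much larger scale.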
But how much harder? Exactly how effective are different types of micro-segmentation policies in obstructing an attacker and do they force any changes in behavior? Which ones should you implement first and in what areas of your infrastructure? These are the questions that Bishop Fox and Illumio partnered together to answer.
Starting with a “control” scenario without any segmentation and increasingly applying a more granular micro-segmentation policy for each new round, the Bishop Fox red team was tasked with finding a pair of “crown jewel” assets. They performed a succession of attack simulations across three unique use cases:
The initial four tests (control and each use case) were performed on a 100-workload environment. Use Case 2 was repeated at 500 and 1,000 workloads. To limit bias during testing, the red team had no prior knowledge of the test environments and the environment was rebuilt for each use case.
For the attack simulations, the red team developed a methodology based on the main components of the MITRE ATT&CK® framework, mapping their activities against documented tactics, techniques, and procedures (TTPs) used in real-world scenarios (see full report for methodology details).
The results of the assessment highlight the importance of implementing micro-segmentation in real-world environments.
Results of testing 100-workload environments
Results of testing 100-, 500-, and 1,000-workload environments on Use Case 2
As the size of the protected estate increases, the difficulty for an attacker to reach the crown jewels increases by:
Overall, the Bishop Fox red team found that the time needed to reach the crown jewels increases as stricter micro-segmentation controls are put in place. Put another way, the tighter the micro-segmentation policy, the more difficult it is for the attacker to move laterally across the network.
So many companies are led to believe that a perimeter breach will always result in data loss - that once an attacker has a foothold, progression to a critical compromise is inevitable. Most attackers count on and prey on this misconception, targeting the easiest entry point and expending the least effort necessary to achieve their goals. Any friction or barriers placed in their way vastly reduce the scope or impact of a compromise, or may move them on to the next target. These findings demonstrate that even a little effort – a simple micro-segmentation security control – can go a long way, and could mean the difference between a single perimeter server getting popped and paying for identity theft coverage for hundreds of victims along with a lot of brand damage.