Illumio Field CTO Raghu Nandakumara and Bishop Fox Principal Researcher Rob Ragan discuss the efficacy of microsegmentation in this interview.
Raghu: Hi everyone, I am Raghu Nandakumara, one of the field CTOs at Illumio, and today I have the pleasure of being joined by Rob Ragan, Principal Researcher and Red Team specialist at Bishop Fox. Rob, thanks for being with us today.
Rob: Thanks for having me.
Raghu: So tell us about yourself and Bishop Fox.
Rob: Absolutely. So I help a lot of our customers design security solutions and help evaluate their goals from a security perspective, and for the last 15 years Bishop Fox has been very focused on offensive security and adversarial simulation.
Raghu: Ok, so you got engaged with Illumio to do some testing. Can you tell us a bit about what you were testing and the tests you ran?
Rob: Absolutely, we were really focused on testing the effects of segmentation on deterring or delaying an attacker, and we designed a methodology from scratch to evaluate this that had both a control and ever-increasing levels of segmentation in place, to see what the effect was on our ability to pivot within a network.
Raghu: So before we get into some of the tests, tell us about the highlights of the findings please.
Rob: From a highlights perspective, we really did prove that segmentation matters. The stricter the roles are, the harder it is for an attacker to move around and get to a trophy target. All of our tests did have a trophy target in mind, in the form of some PII and a secure database, but we eventually had to find ways to even discover a route to access that data.
Raghu: Are you able to share maybe one or two sort of key stats about how much more difficult it became?
Rob: It got increasingly difficult, on the order of 300, 600 and 900 percent increases over the levels of controls that we had for each simulation.
Raghu: Did you have to change your tactics to deal with the way the segmentation was restricting your access and why?
Rob: Yes, we decided to adapt at one point. It's directly related to MITRE ATT&CK framework TTPs: network scanning was one that was significantly impacted by the microsegmentation controls. The way that we had to adapt was: rather than trying to scan the broader ranges, we looked more closely at the hosts and what was defined in the iptables. It was essentially an allowed list of ranges that it could talk to, and we shifted to scanning those and only those, instead of the broader network that we observed ourselves to be on.
Raghu: What are your views on micro segmentation as a security control?
Rob: I think overall it is a really effective measure to slow down attackers in a compromised network, or where there have been hosts that have been breached through malware or through some other means; then the attacker has to discover what is on the network that is available to them. Segmentation and using allowed or denied lists can be really effective at mitigating the risk of where these attackers can go.
Raghu: So as a Red Team specialist then, in future engagements where you're called in by clients, how are you going to be using this activity in those future engagements?
Rob: We identified this type of control for our future adversarial simulations. We really, I'd say, explored a lot of other angles where we tried to disable the agent on the host, which was found not to be effective; that actually forced us to be locked down even more. We would have to adapt our approach to studying the hosts a bit more, to see if there are these types of software-defined network controls in place, and then decide more carefully what we do for our next steps of discovery. But I'd say all around it was an effective way to slow us down, and it let me know that it really worked as advertised.
Raghu: So finally Rob, what would be your recommendation to the blue team to defend the enterprise?
Rob: I'd say overall network segmentation is a really effective control. A team should have visibility into the trust relationships between their assets, and especially where their crown jewels or their trophy targets are. Network segmentation ultimately, when implemented well, is going to greatly increase the amount of time and effort an attacker has to spend in order to achieve their goal. I think blue teams are all looking for an easier way to manage their segmentation.
Raghu: Rob, thank you very much for your time today, and for everyone who's watching this: if you're interested in finding out more detail about the report, go to Illumio.com and download it. Thank you very much.