Project Overview
Illumio Inc. engaged Bishop Fox to measure the effectiveness of micro-segmentation using the Illumio Adaptive Security Platform (ASP) as a control in limiting lateral network movement. The following report details the findings identified during the course of the engagement, which started on March 16, 2020.
GOALS
- Create a repeatable testing methodology that can be leveraged by third parties looking to replicate testing in their own environment
- Record time required to reach the trophy in each use case test
- Review the level of detectable network traffic generated as a result of increased micro-segmentation
- Determine the overall efficacy of micro-segmentation as it relates to the generation of detectable events and time investment required for an attacker to traverse the network
Abstract
Attackers spend a great deal of time on lateral movement during a breach — as they surf a network, attempting to find the ‘trophies’ they are after — and networks with little or no control over this movement provide an easy pathway for an attacker to their intended target. This means that once an adversary enters a network through a beachhead (a weak or insecure target used as a launching point, be it an endpoint, a workload, a server, etc.), they act like a burglar in a building where all the doors are open, calmly moving from room to room and picking up anything of value.
Lateral movement is also why malware and, in particular, ransomware can have such a crippling effect on an entire organization. All high-profile ransomware attacks exploit that same freedom of lateral movement around the network in order to spread at a devastating pace and bring a network to its knees.
Zero Trust, and specifically micro-segmentation as a capability in a Zero Trust security framework, is focused on hindering this freedom of lateral movement. Micro-segmentation forces attackers (and malware) to work harder and smarter. In the best case, micro-segmentation can nullify the threat, and in the worst case, all that increased activity leads to increased opportunity for detection by the defender.
It is widely understood that micro-segmentation controls hamper lateral movement, but by how much? How effective are various types of micro-segmentation policy in thwarting an attacker, and do they force any changes in behavior? This is precisely what this assessment looked to measure.
The results of this engagement highlighted the importance of implementing micro-segmentation in real-world environments. Overall, the team found that the time needed to gain access to sensitive information (i.e., to obtain the “crown jewels”) increased quantifiably as stricter micro-segmentation controls were enabled on the tested environments. This shows a clear, measurable benefit: the attacker is forced to spend more time reaching sensitive information, and that additional activity generates more detectable events, giving a blue team a better opportunity to detect the attack.