A U.S.-based natural gas facility shut down operations for two days after being hit with a ransomware infection that prevented personnel from reading and aggregating real-time operational data from control and communication equipment, according to the US Department of Homeland Security earlier in February.

The attack started with a malicious link in a phishing email that allowed attackers to pivot from the facility’s IT network to the facility’s OT network, which is the operational technology hub of servers that control and monitor physical processes of the facility. With that, both the IT and OT networks were infected with what the advisory described as “commodity ransomware.”

An advisory from the DHS’ Cybersecurity and Infrastructure Security Agency, or CISA, pointed out several lapses in the facility’s security protocols, including a failure to implement robust segmentation defenses between the IT and OT networks. As a result, the infection was able to “traverse the IT-OT boundary and disable assets on both networks.”

Segmentation is a powerful tool for controlling communication flows and restricting access to sensitive parts of the environment, which helps defend against lateral movement attempts by attackers, like the one experienced at the natural gas facility. Micro-segmentation helps us accomplish this by creating segmentation policies down to the application-level. This allows us to define how flows between applications occur and alert upon or block flows that don’t meet defined policies. After we’ve gained the visibility we need, micro-segmentation becomes a key part for controlling and securing an environment.

This attack was more than a simple intrusion, but had the team at the natural gas facility better segmented their infrastructure and applications, the likelihood of lateral movement into operational networks would have significantly decreased.

To detect and contain breaches faster, it’s become increasingly important to go beyond the typical malware detection capabilities and invest in the ability to detect and react to lateral movement within the environment. Lateral movement is a core piece of an attacker’s strategy once he’s gained a foothold within the environment. As the attacker is moving from system to system, we have an opportunity to detect that movement early on and take steps to not only prevent the attack but learn from the attacker by redirecting that lateral movement into isolated deception environments where we can analyze their tools and methods.

Limit the impact of breaches by restricting lateral movement. To help stop lateral movement focus on security measures that minimize dwell time, including:

  1. Automate security analysis.
    Leverage tools to automate analysis in order to collapse the time it takes to accurately identify and prioritize security incidents and affected systems. This is especially important given the high cost of third-party breach investigation and remediation processes.
  2. Stop Unsanctioned Lateral Movement.
    Prevent attackers from moving freely within the flow of east-west traffic with technology that enables security administrators to create and enforce scalable security policies at the application level. While many organizations invest heavily in perimeter security, today’s true security battleground is inside the firewall. The volume of “east-west” traffic now exceeds “north-south” perimeter traffic by a wide margin. Stop attackers from using an individual point of compromise as a starting point for lateral movement by improving visibility into your infrastructure and tightly controlling communication between your IT assets.

    By doing so, we can visualize expected application behavior to see how applications function and communicate under normal conditions; explicitly block unsanctioned activity and implement precise policies that block attackers from moving laterally if they compromise a trusted asset; and mitigate and learn from attacks with rapid response to active attacks and a review of the findings to continuously improve security policies.
  3. Detect and Respond to Threats Quickly.
    Draw from multiple techniques to proactively identify potential breaches and mitigate them quickly. Seek out integrated threat detection and response capabilities including reputation-based detection, file integrity monitoring and dynamic deception. Using these methods, teams can uncover and respond to threats quickly and proactively refine security policies to reduce attack surface. Techniques that actively seek out, identify, engage, redirect and effectively take control of attacks in progress, ensure that possible breaches and lateral movement are detected quickly, and security operations teams receive actionable information and guidance.

These measures give security teams the ability to monitor all data center traffic, distinguish genuine breaches and respond more quickly and decisively.