How To Mitigate Risk In A Flat Network — An Attacker's Paradise
This article was originally published on Forbes.com.
Flat networks have become so prevalent because they are typically simple to architect, cheap to construct and easy to operate and maintain. However, it turns out that malicious actors love flat networks, too. That's because once a single host on a flat network has been compromised, the integrity of the rest of the network starts to resemble a house of cards. Once an enterprise is penetrated, the flat network delivers the uninvited and unwelcome guest unfettered network access to scan, identify and target high-value assets. Unfortunately, many organizations fail to mitigate or even fully recognize these risks.
The security risks of a flat network
Organizations tend to focus primarily on securing their network perimeter defenses. However, investments in perimeter security can only do so much. According to the Verizon Data Breach 2018 Report, there were 2,216 confirmed breaches last year. The report finds that 73% of those breaches were perpetrated by outside actors. Hacking and malware remain prevalent.
These statistics underscore that despite our best efforts at securing the perimeter with ever stronger and higher “walls,” those measures don't keep out bad actors that are tenacious and have the full capability and resources to get into a network. A new mindset is required. You have to “assume breach,” which requires leading with the assumption that your network defenses will be compromised. Furthermore, if you have a flat network, malicious actors can use a single compromised system or device – the beachhead – as the launch pad for moving laterally across your network en route to your most valuable assets.
In a flat network, your default policy is to allow all devices and applications to talk to each other, making it difficult for security to determine which connections and data flows are legitimate. For example, an office-issued laptop is able to connect and "talk" to the company’s print servers so you can quickly and easily print a document – that type of connection is flat. Your desk IP phone may be on the same flat network, but does it make sense for that IP phone to be communicating with those print servers? Security systems struggle to detect whether such traffic and connections are anomalous and could be indicators of a breach.
Flat networks also make it easier to stay hidden as attackers attempt to quietly traverse the network. This period of time – known as dwell time – averages out to 101 days globally. And we don't have to look back too far to find high-profile attacks where hackers went undetected for far longer – up to several years.
Threats can also come from the inside
Flat networks also act as a potential playground for (would-be) malicious insiders. The first thing an insider would try to do is gather more credentials or use their existing elevated permissions to access systems that are outside of the remit of their roles. Two-factor authentication (2FA) or multifactor authentication (MFA) is a solid response to stolen credentials in the hands of users.
However, mobile and machine-to-machine (M2M) devices are two primary reasons that data traffic is on the rise inside your network and every other network. More business systems need to interact with each other, and this type of traffic requires authentication, which cannot simply be solved by 2FA or MFA. This problem exists across a range of connected devices and puts critical assets such as customer data repositories and payment systems at risk.
How to mitigate the risk in a flat network
As I mentioned above, you need to start off with an "assume breach" mentality. Sooner or later, even the best perimeter defenses will be breached. This mindset allows you to think like an attacker and enables the CISO to ask pertinent questions, such as:
- What are our high-value assets that an attacker is going to try to navigate to once they get a foothold in our network?
- What do we have in place to prevent the free movement and persistence of an attacker within our flat network?
If the answer is “nothing” or – perhaps just as bad – “a handful of firewalls and VLANs,” then the CISO knows they need to drive action to reduce that risk.
- Identify Your Most Important Assets: While it might seem obvious, the classification of your high-value assets may be different depending on who you ask. This is why it's important to bring together key stakeholders (i.e., your CISO plus legal and financial teams, etc.) to map the risk of the assets and applications within the company’s infrastructure. A good way of doing this is to leverage the NIST Cybersecurity Framework (CSF).
- Determine The Best Protection Or Control: There are many layers to protecting a crown jewel application, which include identity and access management (IAM), vulnerability management and segmentation. Segmentation is one control that fits into the NIST CSF – it ensures that applications can only be accessed from authorized devices and that those devices only have access to specific business processes on the critical applications.
- Identify Potential Solutions: Determining a set of solutions begins by identifying key stakeholders (e.g., security engineering, network engineering and application teams, etc.) to look at the solutions that are available in the market. I highly recommend that they look at different segmentation approaches from different vendors and keep in mind that segmentation is an emerging market.
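To make the segmentation control concrete, here is an added example (not code from the article or any vendor it alludes to) that turns the laptop/print-server/IP-phone scenario above into a default-deny allow-list evaluated over a few constructed flow-log lines, alongside the flat network's default-allow behaviour. The subnet layout, device roles, ports and log format are all assumptions made for the example.

```python
# Added example (not from the article): default-deny segmentation policy
# evaluated over constructed flow-log lines versus flat default-allow.
import ipaddress

# Assumed subnet layout: which device role lives in which range.
ROLE_SUBNETS = {
    "laptop": ipaddress.ip_network("10.10.0.0/16"),
    "ip_phone": ipaddress.ip_network("10.20.0.0/16"),
    "print_server": ipaddress.ip_network("10.30.0.0/24"),
    "call_manager": ipaddress.ip_network("10.40.0.0/24"),
    "customer_db": ipaddress.ip_network("10.50.0.0/24"),
}

# Segmented policy: explicit allow-list of (src_role, dst_role, dst_port).
SEGMENTED_POLICY = {
    ("laptop", "print_server", 631),     # IPP printing from staff laptops
    ("ip_phone", "call_manager", 5060),  # SIP signalling from desk phones
}

def role_of(ip: str) -> str:
    """Map an address to its device role; unknown addresses get 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for role, net in ROLE_SUBNETS.items():
        if addr in net:
            return role
    return "unknown"

def classify(line: str):
    """Turn a constructed log line 'src -> dst:port' into (src_role, dst_role, port)."""
    src, rest = line.split(" -> ")
    dst, port = rest.rsplit(":", 1)
    return role_of(src.strip()), role_of(dst.strip()), int(port)

def flat_allows(src_role, dst_role, port) -> bool:
    return True  # flat network: every device may talk to every other device

def segmented_allows(src_role, dst_role, port) -> bool:
    return (src_role, dst_role, port) in SEGMENTED_POLICY  # default deny

def flagged_flows(lines, policy):
    """Return the log lines the policy denies, i.e. the ones worth reviewing."""
    return [line for line in lines if not policy(*classify(line))]

# Constructed flow log, mirroring the article's laptop/IP-phone example.
SAMPLE_LOG = [
    "10.10.4.21 -> 10.30.0.5:631",   # laptop printing: expected
    "10.20.7.9 -> 10.30.0.5:631",    # IP phone to print server: anomalous
    "10.20.7.9 -> 10.50.0.12:5432",  # IP phone to customer database: anomalous
    "10.20.7.9 -> 10.40.0.2:5060",   # IP phone to call manager: expected
]
```

Under the flat policy nothing is flagged, which is exactly why the security team cannot tell the phone-to-print-server flow from legitimate traffic; under the segmented policy the two anomalous flows are denied and surface for review.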
The net-net is that the popularity of flat networks is increasing, and unfortunately, so are malicious attackers’ appetites. This makes for a dangerous mix. Recognizing the risks of flat networks is the first step. Changing to an “assume breach” mindset kicks off the process of mitigating that risk. Last, but not least, implementing a zero-trust strategy – one based on the assumption that you’ve already been breached but don’t know it yet – helps ensure organizations with flat networks don’t end up becoming attackers’ playgrounds.