Soft segmentation: Easy mode ransomware defense
by Netography Detection Engineering Team
Ransomware is one of the greatest cyberthreats to organizations and continues to escalate. In 2024, thousands of attacks cost businesses nearly a billion dollars, according to Chainalysis researchers (who track ransomware payments by mapping and disentangling cryptocurrency transactions). Though the total paid out decreased in 2024, the number of ransomware payments was the highest volume since 2021 – and individual ransom payments hit record-setting levels.
Another constant about ransomware is that the same groups persist for years. A recent example is Ghost Ransomware, a group that multiple U.S. government agencies first issued warnings about back in 2021. The group is now experiencing a resurgence and has been described as opportunistic on multiple levels:
- They target indiscriminately, hitting critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses in more than 70 countries.
- They use well-known tools to exploit a handful of very specific vulnerabilities, some of which are very old. These include Microsoft Exchange servers still vulnerable to the ProxyShell attack chain, servers running Adobe’s ColdFusion for web applications, and issues in unpatched Fortinet security appliances.
- They act quickly, often deploying ransomware within 24 hours of initial compromise and moving on to other targets when they find their lateral movement blocked by network segmentation.
Despite variations in the tools they use to exploit vulnerabilities, ransomware actors tend to move through the network and accomplish their missions in a similar fashion. Once a ransomware actor gains an initial foothold on a network, they (or their automated tools) move laterally to obtain the access they need. They use discovery tools and techniques to identify collections of files to encrypt and exfiltrate.
Detecting ransomware
Network segmentation, robust authentication, and strict file controls are all part of defense-in-depth to protect against ransomware attacks. Unfortunately, many organizations lack comprehensive network visibility across hybrid or multi-cloud environments, which leaves them open to threats. They have little capability to see what their users, applications, data, and devices are doing to detect activities that shouldn’t be happening and respond to attacks.
Beyond their value in threat hunting and incident response, network flows provide the ground truth for what is occurring on networks and are a powerful tool to detect ransomware activity, especially when enriched with context information from each unique network environment. DNS transaction logs provide further visibility and another axis of data for investigating and detecting suspected ransomware attacks. The Netography Fusion® platform operates on network flows and cloud DNS transaction data to visualize data and help combat threats to networks without the burden of deploying sensors, agents, taps, or probes.
We’ve talked before about Netography’s Network Detection Models (NDMs). These models detect and stop anomalous data movement that could indicate a ransomware attack.
Our detections include the ability to alert users to:
- Large data access or movement within the network, which could indicate data harvesting and staging before encryption and exfiltration.
- Unauthorized lateral movement (east-west traffic) within the network and unauthorized access attempts, such as SSH brute force attempts to access restricted areas.
- Data exfiltration to different cloud storage or file sharing services, or statistically higher amounts of traffic leaving the network over Secure Shell (SSH) protocol or Domain Name System (DNS).
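The last bullet, statistically higher outbound volume over SSH or DNS, is the kind of check that can be run directly over flow records. The following is an added example written for this post, not Netography's code or an NDM definition: it builds a per-service daily baseline of bytes leaving the network over TCP/22 and UDP/53 and flags a day that is far above the days before it. The internal address range, the flow field names (`day`, `src`, `dst`, `proto`, `dport`, `bytes`) and the flow records themselves are constructed assumptions for the example.

```python
"""Flow-volume baseline check for outbound SSH and DNS traffic.

Added example (not Netography's code): builds a per-service daily baseline of
bytes leaving the network over SSH (TCP/22) and DNS (UDP/53) from flow records,
then flags a day whose volume is statistically far above the days before it.
Flow records are constructed inline; field names are assumptions.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Address space considered "inside" the network (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# (protocol, destination port) -> service whose outbound volume we baseline.
WATCHED_SERVICES = {("tcp", 22): "ssh", ("udp", 53): "dns"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_outbound_bytes(flows):
    """Sum bytes per (day, service) for flows leaving the network over a watched service.

    Internal-to-internal flows are ignored here: they belong to the
    lateral-movement checks, not to the exfiltration baseline.
    """
    totals = defaultdict(int)
    for f in flows:
        service = WATCHED_SERVICES.get((f["proto"], f["dport"]))
        if service is None:
            continue
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["day"], service)] += f["bytes"]
    return dict(totals)


def find_volume_anomalies(flows, k=3.0, min_history=5, min_ratio=1.5):
    """Return alerts for days whose outbound volume exceeds the trailing baseline.

    A day is flagged when its bytes exceed mean + k * stddev of all earlier days
    AND exceed min_ratio * mean. The ratio guard stops a near-constant baseline
    (stddev close to zero) from turning every few-byte increase into an alert.
    """
    per_service = defaultdict(dict)
    for (day, service), nbytes in daily_outbound_bytes(flows).items():
        per_service[service][day] = nbytes

    alerts = []
    for service, by_day in per_service.items():
        days = sorted(by_day)  # ISO dates sort chronologically as strings
        for i, day in enumerate(days):
            history = [by_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough baseline yet
            mu, sigma = mean(history), pstdev(history)
            threshold = mu + k * sigma
            observed = by_day[day]
            if observed > threshold and observed > min_ratio * mu:
                alerts.append({
                    "day": day,
                    "service": service,
                    "observed_bytes": observed,
                    "baseline_mean": round(mu),
                    "threshold": round(threshold),
                })
    return alerts


def build_sample_flows():
    """Constructed flow records: a week of normal traffic, then an SSH spike on day 8."""
    ssh_daily = [2_000_000, 2_100_000, 1_900_000, 2_050_000,
                 1_950_000, 2_000_000, 2_100_000, 80_000_000]
    dns_daily = [500_000, 520_000, 480_000, 510_000,
                 490_000, 500_000, 520_000, 530_000]
    flows = []
    for i, (ssh_b, dns_b) in enumerate(zip(ssh_daily, dns_daily), start=1):
        day = f"2025-01-{i:02d}"
        # Outbound SSH split across two hosts to show per-day aggregation.
        flows.append({"day": day, "src": "10.1.5.20", "dst": "203.0.113.10",
                      "proto": "tcp", "dport": 22, "bytes": ssh_b // 2})
        flows.append({"day": day, "src": "10.1.5.21", "dst": "203.0.113.10",
                      "proto": "tcp", "dport": 22, "bytes": ssh_b - ssh_b // 2})
        flows.append({"day": day, "src": "10.1.5.20", "dst": "198.51.100.53",
                      "proto": "udp", "dport": 53, "bytes": dns_b})
        # Internal-to-internal SSH and outbound HTTPS: not part of this baseline.
        flows.append({"day": day, "src": "10.1.5.20", "dst": "10.2.0.9",
                      "proto": "tcp", "dport": 22, "bytes": 50_000_000})
        flows.append({"day": day, "src": "10.1.5.20", "dst": "203.0.113.80",
                      "proto": "tcp", "dport": 443, "bytes": 9_000_000})
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for alert in find_volume_anomalies(SAMPLE_FLOWS):
        print(alert)
```

On the constructed data only 2025-01-08 over SSH is flagged; the DNS series stays inside three standard deviations and the large internal-to-internal SSH flow never enters the baseline. The `min_ratio` guard matters in practice: a service with an almost flat history has a standard deviation near zero, and without it a trivial increase would alert every day.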
Protecting data with network segmentation
Netography’s NDMs can also define soft segmentation policies, another effective deterrent against Ghost Ransomware.
Ghost actors operate similarly to smash-and-grab thieves, selecting ripe targets and moving on from more challenging ones. Once they compromise a device, they act fast to look for file shares and try to gain access to valuable data. But if they observe the network itself is well-defended, and the valuable resources are protected, they quickly move on.
The traditional hard segmentation model requires the ability to enforce policies on network devices and endpoints, so hardware or software must be deployed. However, due to cost, complexity, gaps in coverage, and the risk of interfering with legitimate traffic, getting policies in place using hard segmentation can be very challenging.
Soft segmentation: a pragmatic approach
Netography helps organizations overcome the challenges of traditional segmentation by ingesting ground-truth data sources (flow and DNS) and using that to inform soft segmentation through visualization, searching, and detection capabilities. In some cases, looking at visualized data is a form of detection – where a human “detector’s” tendency towards visual pattern matching calls something to their attention. The intersection of historical data and the human detector forms the basis for the creation of soft policy, as follows:
- Directionally tag networks to uniquely identify them during flow ingestion.
- Record historical data – network flows and DNS transactions.
- Search and visualize the data to understand how devices communicate over networks.
- Define soft segmentation using NDMs to reflect network policies on acceptable communication across networks.
- Fire an alert when activity is noncompliant so teams can investigate why that behavior has changed and take action as required.
Initial use cases
Soft segmentation is well-suited to preventing entire categories of devices that are often beyond the purview of security teams from becoming entry points for threat actors.
- Employee-owned devices. BYOD devices are usually not managed by the company and may not be protected to the same degree. BYOD segments serve as a tool to isolate employee-owned devices from the rest of the network. For example, security teams want to ensure these devices aren’t talking to production networks. A policy mistake could allow devices in the BYOD segment to reach something they never should, or something that is not part of the BYOD network. Soft segmentation is a simple way to solve that problem because it can detect communication between parts of the network that should never be communicating, which could indicate ransomware activity.
- Additional endpoints not protected by EDR. Ransomware is commonly considered an endpoint problem, and EDR/EPP is the solution. However, smartphones, printers, wireless access points, and other devices typically can’t support an agent. There are also devices security teams aren’t aware of or don’t control, so they can’t put an agent on them. Ransomware operators may find devices on the network that don’t have EDR installed to gain initial access. Implementing soft segmentation to limit communication of devices to other segments blocks pathways for ransomware. While some point out that these are just network devices, many run underlying operating systems that may be vulnerable and can be exploited similarly to other endpoints.
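The five-step procedure above (tag networks, record flows, study how segments talk, define acceptable communication, alert on the rest) and both use cases can be shown in one small policy check. The following is an added example written for this post, not Netography's code and not NDM syntax: segment names, CIDRs, the allow list and the flow records are all constructed. It tags each flow endpoint with a segment label, counts how segments communicate so a team can see the impact of a proposed policy before enforcing it, and emits an alert for every flow whose segment pair the policy does not allow, such as BYOD or an agentless printer reaching production.

```python
"""Soft segmentation policy check over flow records.

Added example (not Netography's code or NDM syntax). Segment names, CIDRs,
the allow list and the sample flows are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Step 1: tag networks so every flow endpoint gets a segment label at ingestion.
SEGMENTS = {
    "byod":       ["10.50.0.0/16"],
    "corp-users": ["10.10.0.0/16"],
    "printers":   ["10.20.0.0/24"],   # agentless devices, no EDR possible
    "production": ["10.100.0.0/16"],
    "infra":      ["10.0.0.0/24"],
    "dns":        ["10.0.0.53/32"],   # more specific than "infra", so it wins
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # anything else is "internet"

# Step 4: acceptable communication as (src_segment, dst_segment) pairs.
# Any pair not listed here is noncompliant and alerts.
ALLOWED = {
    ("byod", "internet"), ("byod", "dns"),
    ("corp-users", "internet"), ("corp-users", "dns"),
    ("corp-users", "production"), ("corp-users", "printers"),
    ("production", "production"), ("production", "dns"), ("production", "infra"),
    ("printers", "dns"),
}

_NETS = [(ipaddress.ip_network(cidr), name)
         for name, cidrs in SEGMENTS.items() for cidr in cidrs]


def tag(ip: str) -> str:
    """Return the segment label for an address; the most specific CIDR wins."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, name) for net, name in _NETS if addr in net]
    if matches:
        return max(matches, key=lambda m: m[0].prefixlen)[1]
    # Internal space nobody has tagged is worth knowing about on its own.
    return "untagged-internal" if addr in INTERNAL else "internet"


def segment_matrix(flows) -> Counter:
    """Step 3: count flows per (src_segment, dst_segment) pair from history."""
    return Counter((tag(f["src"]), tag(f["dst"])) for f in flows)


def policy_impact(flows, allowed) -> dict:
    """Dry run of a proposed policy: historical flow counts per pair that would alert."""
    return {pair: n for pair, n in segment_matrix(flows).items() if pair not in allowed}


def evaluate_policy(flows, allowed) -> list:
    """Step 5: one alert per flow whose segment pair the policy does not allow."""
    alerts = []
    for f in flows:
        pair = (tag(f["src"]), tag(f["dst"]))
        if pair in allowed:
            continue
        alerts.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"],
                       "src_segment": pair[0], "dst_segment": pair[1],
                       "reason": f"{pair[0]} -> {pair[1]} is not in policy"})
    return alerts


# Constructed flow records (src, dst, dport). 203.0.113.10 stands in for an
# external address; 10.77.1.1 is internal space no segment covers.
SAMPLE_FLOWS = [
    {"src": "10.50.3.7",   "dst": "203.0.113.10", "dport": 443},  # byod -> internet
    {"src": "10.50.3.7",   "dst": "10.0.0.53",    "dport": 53},   # byod -> dns
    {"src": "10.10.4.2",   "dst": "10.100.1.5",   "dport": 445},  # corp -> production
    {"src": "10.50.3.7",   "dst": "10.100.1.5",   "dport": 445},  # byod -> production (alert)
    {"src": "10.20.0.40",  "dst": "10.100.1.5",   "dport": 445},  # printer -> production (alert)
    {"src": "10.100.1.5",  "dst": "10.100.1.6",   "dport": 22},   # production -> production
    {"src": "10.20.0.40",  "dst": "10.0.0.53",    "dport": 53},   # printer -> dns
    {"src": "10.50.3.8",   "dst": "10.100.2.9",   "dport": 22},   # byod -> production (alert)
    {"src": "10.77.1.1",   "dst": "10.100.1.5",   "dport": 445},  # untagged -> production (alert)
    {"src": "10.100.1.5",  "dst": "10.0.0.2",     "dport": 123},  # production -> infra
]

if __name__ == "__main__":
    print("impact of proposed policy:", policy_impact(SAMPLE_FLOWS, ALLOWED))
    for alert in evaluate_policy(SAMPLE_FLOWS, ALLOWED):
        print(alert)
```

`policy_impact` is the part teams use before the policy goes live: running it over weeks of recorded flows shows exactly which segment pairs (and how many flows) a proposed allow list would flag, so legitimate but undocumented traffic can be added to the policy rather than discovered as an outage. Untagged internal space is reported as its own label instead of being silently allowed, since an address nobody has tagged is precisely the device the security team may not know about.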
The technical opportunity
When security teams put soft policies into practice, they get the security capability of segmentation in their layers of defense without the risk of breaking the business that traditional segmentation presents. Teams can:
- Propose policies and see the impact without having to deploy additional software or hardware
- Communicate the impact of the policies on security to gain support and help the business prepare for segmentation
- Avoid the blame game by testing policies in advance to ensure they don’t interfere with legitimate network traffic
Through our growing number of detections and soft segmentation capabilities, Netography collaborates with customers to combat ransomware on their networks and prevent costly disruptions to operations.
Interested in learning more? We are here to help. Contact us.