M1030 Network Segmentation
Network segmentation involves dividing a network into smaller, isolated segments to control and limit the flow of traffic between devices, systems, and applications. By segmenting networks, organizations can reduce the attack surface, restrict lateral movement by adversaries, and protect critical assets from compromise.
Effective network segmentation leverages a combination of physical boundaries, logical separation through VLANs, and access control policies enforced by network appliances like firewalls, routers, and cloud-based configurations. This mitigation can be implemented through the following measures:
Segment Critical Systems:
- Identify and group systems based on their function, sensitivity, and risk. Examples include payment systems, HR databases, production systems, and internet-facing servers.
- Use VLANs, firewalls, or routers to enforce logical separation.
Implement DMZ for Public-Facing Services:
- Host web servers, DNS servers, and email servers in a DMZ to limit their access to internal systems.
- Apply strict firewall rules to filter traffic between the DMZ and internal networks.
Use Cloud-Based Segmentation:
- In cloud environments, use VPCs, subnets, and security groups to isolate applications and enforce traffic rules.
- Apply AWS Transit Gateway or Azure VNet peering for controlled connectivity between cloud segments.
Apply Microsegmentation for Workloads:
- Use software-defined networking (SDN) tools to implement workload-level segmentation and prevent lateral movement.
Restrict Traffic with ACLs and Firewalls:
- Apply Access Control Lists (ACLs) to network devices to enforce “deny by default” policies.
- Use firewalls to restrict both north-south (external-internal) and east-west (internal-internal) traffic.
Monitor and Audit Segmented Networks:
- Regularly review firewall rules, ACLs, and segmentation policies.
- Monitor network flows for anomalies to ensure segmentation is effective.
Test Segmentation Effectiveness:
- Perform periodic penetration tests to verify that unauthorized access is blocked between network segments.
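As an added example (not part of the ATT&CK page), the following Python script audits constructed flow records against a zone-based allow-list and flags every cross-segment flow the policy does not explicitly permit, which is the "deny by default" check behind the monitoring and testing measures above. The zone ranges, permitted flows and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed zone map and allow-list; a real deployment would load these from the firewall or SDN controller.
ZONES = {
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "corp": ipaddress.ip_network("10.2.0.0/24"),
    "payments": ipaddress.ip_network("10.3.0.0/24"),
    "mgmt": ipaddress.ip_network("10.9.0.0/24"),
}
# (source zone, destination zone) -> permitted destination ports; anything not listed is denied.
ALLOWED_FLOWS = {
    ("dmz", "corp"): {443},        # DMZ web tier talks to an internal API over TLS only
    ("corp", "payments"): {5432},  # application servers reach the payment database
    ("mgmt", "dmz"): {22, 161},    # SSH and SNMP from the management network only
    ("mgmt", "corp"): {22, 161},
    ("mgmt", "payments"): {22, 161},
}

def zone_of(ip):
    """Map an address to its segment, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def check_flow(src_ip, dst_ip, dst_port):
    """Classify one flow record as 'allowed', 'intra-zone' or 'violation'."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "violation"          # traffic from/to an address outside any defined segment
    if src == dst:
        return "intra-zone"         # east-west inside one segment; not a segmentation break
    if dst_port in ALLOWED_FLOWS.get((src, dst), set()):
        return "allowed"
    return "violation"              # cross-segment flow the policy never permitted

def audit_flows(flows):
    """Return the flow records that cross a segment boundary without a matching allow rule."""
    return [f for f in flows if check_flow(*f) == "violation"]

# Constructed flow records (src, dst, dst_port) in the shape a flow collector would export.
SAMPLE_FLOWS = [
    ("10.1.0.10", "10.2.0.20", 443),   # permitted DMZ -> corp API call
    ("10.1.0.10", "10.3.0.5", 5432),   # DMZ host reaching the payment DB directly: violation
    ("10.2.0.30", "10.3.0.5", 5432),   # permitted app -> payment DB
    ("10.2.0.30", "10.3.0.5", 3389),   # RDP across zones: violation (cf. T1021.001)
    ("10.3.0.5", "10.3.0.6", 5432),    # intra-zone replication; not a boundary crossing
    ("10.2.0.40", "10.9.0.2", 161),    # SNMP toward mgmt from corp: violation, SNMP stays on mgmt
]
```

Running `audit_flows(SAMPLE_FLOWS)` returns the three offending records; in practice the same check would run continuously over exported flow logs so that a rule change that silently widens a boundary is caught.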
| Item | Value |
|---|---|
| ID | M1030 |
| Version | 1.2 |
| Created | 10 June 2019 |
| Last Modified | 02 April 2025 |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1098 | Account Manipulation | Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems. |
| enterprise | T1098.001 | Additional Cloud Credentials | Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems. |
| enterprise | T1557 | Adversary-in-the-Middle | Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity. |
| enterprise | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity. |
| enterprise | T1612 | Build Image on Host | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| enterprise | T1613 | Container and Resource Discovery | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| enterprise | T1136 | Create Account | Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts. |
| enterprise | T1136.002 | Domain Account | Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts. |
| enterprise | T1136.003 | Cloud Account | Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems. |
| enterprise | T1602 | Data from Configuration Repository | Segregate SNMP traffic on a separate management network.[1] |
| enterprise | T1602.001 | SNMP (MIB Dump) | Segregate SNMP traffic on a separate management network.[1] |
| enterprise | T1602.002 | Network Device Configuration Dump | Segregate SNMP traffic on a separate management network.[1] |
| enterprise | T1565 | Data Manipulation | Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering. |
| enterprise | T1565.003 | Runtime Data Manipulation | Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering. |
| enterprise | T1610 | Deploy Container | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| enterprise | T1482 | Domain Trust Discovery | Employ network segmentation for sensitive domains.[3] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[2] |
| enterprise | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[2] |
| enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[2] |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[2] |
| enterprise | T1190 | Exploit Public-Facing Application | Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure. |
| enterprise | T1210 | Exploitation of Remote Services | Segment networks and systems appropriately to reduce access to critical systems and services to controlled methods. |
| enterprise | T1133 | External Remote Services | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| enterprise | T1046 | Network Service Discovery | Ensure proper network segmentation is followed to protect critical servers and devices. |
| enterprise | T1040 | Network Sniffing | Deny direct access to broadcast and multicast traffic to limit sniffing, and prevent attacks such as LLMNR/NBT-NS Poisoning and SMB Relay. |
| enterprise | T1095 | Non-Application Layer Protocol | Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces. |
| enterprise | T1571 | Non-Standard Port | Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment. |
| enterprise | T1563 | Remote Service Session Hijacking | Enable firewall rules to block unnecessary traffic between network security zones within a network. |
| enterprise | T1563.002 | RDP Hijacking | Enable firewall rules to block RDP traffic between network security zones within a network. |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | Do not leave RDP accessible from the internet. Enable firewall rules to block RDP traffic between network security zones within a network. |
| enterprise | T1021.003 | Distributed Component Object Model | Enable Windows firewall, which prevents DCOM instantiation by default. |
| enterprise | T1021.006 | Windows Remote Management | If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.[4] |
| enterprise | T1489 | Service Stop | Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions. |
| enterprise | T1072 | Software Deployment Tools | Ensure proper system isolation for critical network systems through use of firewalls. |
| enterprise | T1199 | Trusted Relationship | Network segmentation can be used to isolate infrastructure components that do not require broad network access. |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.007 | Container API | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| enterprise | T1669 | Wi-Fi Networks | Network segmentation can be used to isolate infrastructure components that do not require broad network access. Separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources. |
References
1. US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020.
2. Microsoft. (2004, February 6). Perimeter Firewall Design. Retrieved April 25, 2016.
3. Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019.
4. National Security Agency/Central Security Service Information Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows Event Log Monitoring. Retrieved September 6, 2018.