NC4-ALR-2026-000001 : Network Segmentation and Control to Prevent Malware Propagation
ACTIONS TO TAKE TO MITIGATE CYBER THREATS

Recent nation-state and criminal campaigns demonstrate a consistent technique used to maximise operational disruption: lateral movement via flat or poorly segmented network architectures. Malware strains including wiperware, ransomware, and botnets have been observed exploiting lateral trust relationships and poorly controlled network paths to propagate across entire enterprise environments — often within minutes.

Affected environments typically lack enforced segmentation between:

  • User and server zones
  • IT and OT (Operational Technology) environments
  • Internet-facing DMZ and internal trust zones
  • Administrative interfaces and general-purpose networks
  • Backup, hypervisor, and identity infrastructure

Without strict segmentation, even robust endpoint controls and detection platforms can be bypassed or neutralised once initial access is gained. Attackers exploit overly permissive rulesets, unmonitored East-West traffic, and legacy network paths to achieve full environment compromise.

NC4 strongly urges all organisations — especially those operating National Critical Information Infrastructure (NCII) — to implement proactive network segmentation and policy-based access controls to suppress malware propagation and contain attacks before they escalate.

Summary

The National Cyber Coordination and Command Centre (NC4) has observed a rise in malware campaigns that rely on network traversal and lateral movement as their primary method of escalation. Environments lacking effective segmentation suffer disproportionately, with attackers able to pivot from low-privilege endpoints to critical infrastructure within hours. Targeted entities include financial, telecommunications, energy, and public sector environments.

Attackers are consistently exploiting:

  • Flat network topologies without enforced zone isolation
  • Open administrative ports across user and server subnets
  • Shared credentials and services bridging multiple trust zones
  • Overly permissive firewall rules allowing cross-zone movement
  • Legacy protocols and unmonitored traffic paths

Technical Details

NC4 incident responders have documented the following patterns across real-world intrusions:

  • Malware spreading over SMB, RDP, or PsExec across user networks
  • Compromise of admin interfaces exposed in mixed-use VLANs
  • Ransomware encrypting both production and backup environments due to lack of isolation
  • Credential reuse across IT/OT or prod/dev networks enabling cross-domain access
  • Legacy segmentation using VLANs without enforced firewalling or ACLs

Attackers also leverage poorly secured internal services such as Windows Remote Management (WinRM), WMI, and NFS/Samba shares as propagation channels.

Indicators of Compromise

Indicators of Poor Network Segmentation

The following artefacts are commonly observed during assessments and incidents:

  • RDP/SMB open between workstation and server VLANs
  • Same local admin credential hash found reused across multiple zones
  • Hosts in DMZ or exposed services able to initiate outbound connections to core systems
  • Shared service accounts used across dev/test/prod or IT/OT boundaries
  • Malware alerts appearing across unrelated business units or segments simultaneously

MITRE ATT&CK Techniques

Observed TTP                           | MITRE ATT&CK Technique                        | Sub-Technique(s)                      | Contextual Notes
---------------------------------------|-----------------------------------------------|---------------------------------------|-----------------------------------------------------------------
Lateral movement via file shares       | T1021 – Remote Services                       | T1021.002 – SMB/Windows Admin Shares  | Used to propagate malware laterally from one endpoint to others.
Spread using credential reuse          | T1550 – Use Alternate Authentication Material | T1550.002 – Pass the Hash             | Exploits flat networks and shared credential stores.
Exploiting network trust relationships | T1205 – Traffic Signaling                     | (none)                                | Cross-zone command-and-control via misconfigured firewall policies.
Remote execution via RDP/WinRM         | T1021 – Remote Services                       | T1021.001 – Remote Desktop Protocol   | Common post-compromise mechanism if segmentation is absent.
Exploiting flat OT/IT networks         | T0886 – Remote Services                       | (none)                                | Used in advanced intrusions targeting critical infrastructure.

Mitigations

To contain the propagation of malware and prevent complete network compromise, NC4 recommends a segmentation-first strategy with strong network access controls, monitoring, and validation.

Mitigation strategies are outlined below by domain:

1. Network Segmentation Baseline

Design Principles:

  • Zero Trust Zoning: Divide networks into trust zones (e.g., user, server, admin, dev, prod, OT) with explicit allow rules.
  • East-West Firewalling: Apply access control lists (ACLs) or NGFW policies between all zones — not just North-South traffic.
  • Role-Based Access: Limit which zones users, systems, or services can reach based on their operational function.
  • No Flat VLANs: VLANs alone are not security boundaries — enforce segmentation using firewalls, ACLs, or microsegmentation platforms.

2. User and Endpoint Zones

Access Controls:

  • Block lateral protocols (SMB, RDP, WMI, WinRM) between endpoints.
  • Prevent direct access from user subnets to server or management zones.
  • Route privileged access via jump boxes with logging and MFA.

Segmentation Example:

Source    | Destination | Allowed Protocols
----------|-------------|-----------------------------------
User VLAN | Server VLAN | None (unless via PAM or jump host)
User VLAN | Internet    | HTTPS only
User VLAN | Admin VLAN  | Denied by default
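One way to audit observed flows against the allow list in the table above, as an added example that is not part of the NC4 advisory: the zone addressing, the jump-host ports and the sample flows are constructed assumptions, and any cross-zone flow without an explicit allow rule is reported as a finding.

```python
import ipaddress
from collections import namedtuple

# Constructed zone addressing for this example (not from the advisory).
ZONES = {
    "user":   ipaddress.ip_network("10.10.0.0/16"),
    "server": ipaddress.ip_network("10.20.0.0/16"),
    "admin":  ipaddress.ip_network("10.30.0.0/16"),
    "jump":   ipaddress.ip_network("10.30.1.0/24"),  # jump hosts sit inside the admin range
}
# Allow list from the segmentation example: deny by default, explicit allows only.
# (src_zone, dst_zone) -> permitted destination ports.  Jump-host ports are an assumption.
POLICY = {
    ("user", "internet"): {443},        # HTTPS only
    ("jump", "server"):   {22, 3389},   # privileged access only via the jump host
}
# Lateral protocols that must not cross between user endpoints.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 135: "WMI/RPC", 5985: "WinRM", 5986: "WinRM"}

Flow = namedtuple("Flow", "src dst dport")

def zone_of(ip):
    """Longest-prefix match of an address to a zone; anything unmatched is 'internet'."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best or "internet"

def audit(flows):
    """Return (flow, reason) for every flow the zone policy should not have permitted."""
    findings = []
    for f in flows:
        src, dst = zone_of(f.src), zone_of(f.dst)
        if src == dst == "user" and f.dport in LATERAL_PORTS:
            findings.append((f, f"{LATERAL_PORTS[f.dport]} between user endpoints"))
        elif src != dst and f.dport not in POLICY.get((src, dst), set()):
            findings.append((f, f"{src}->{dst} on port {f.dport} has no allow rule"))
    return findings

# Constructed sample of observed flows (e.g. exported from NetFlow or firewall logs).
SAMPLE_FLOWS = [
    Flow("10.10.5.4", "10.20.0.10", 445),   # user -> server SMB: should be denied
    Flow("10.10.5.4", "10.10.5.9", 3389),   # user -> user RDP: lateral path
    Flow("10.10.5.4", "8.8.8.8", 443),      # user -> internet HTTPS: permitted
    Flow("10.30.1.5", "10.20.0.10", 3389),  # jump -> server RDP: permitted
    Flow("10.10.5.4", "10.30.0.20", 443),   # user -> admin: denied by default
]
```

Running `audit(SAMPLE_FLOWS)` reports the SMB, user-to-user RDP and user-to-admin flows; extend `ZONES` and `POLICY` with the organisation's real zone matrix to turn it into a recurring flow audit.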


3. Server and Application Zones

Isolation Practices:

  • Create separate subnets for different application tiers (e.g., frontend, middleware, DB).
  • Enforce firewall rules for only necessary inter-tier communication.
  • Block outbound internet access from internal application zones unless explicitly required.

Zone Hardening:

  • Disable unused services and legacy protocols (e.g., NetBIOS, Telnet).
  • Apply host-based firewalls to reinforce network policies.
  • Monitor traffic anomalies within the zone to detect lateral movement attempts.

4. Management and Administrative Zones

Critical Segmentation Requirements:

  • Isolate admin interfaces (e.g., vCenter, backup consoles, AD, SIEM) from general-purpose networks.
  • Only permit access from designated Privileged Access Workstations (PAWs) over secure, audited channels.
  • Disable any cross-zone trust relationships or fallback credentials that could bridge security zones.

Example Restrictions:

Admin Interface | Accessible From  | Protocol | Enforcement
----------------|------------------|----------|-------------------
vCenter         | PAW subnet only  | HTTPS    | NGFW policy + MFA
AD Console      | Admin VLAN       | RDP      | Jump host + JEA
Backup Portal   | Backup VLAN only | Web UI   | PAM gateway

5. Internet-Facing and DMZ Zones

Key Controls:

  • Deny all inbound access to internal zones unless explicitly permitted via reverse proxy or API gateway.
  • Apply strict egress filtering from DMZ to internal networks.
  • Monitor traffic for tunnelling, callback attempts, or beaconing from DMZ workloads.

Network Defense-in-Depth:

  • Use web application firewalls (WAF) to inspect incoming DMZ traffic.
  • Limit the use of dual-homed hosts or systems bridging internal and DMZ zones.
  • Separate DNS, mail relays, and NTP services per zone to prevent abuse.

6. OT and Critical Infrastructure Segmentation

Segregation Standards:

  • Physically and logically isolate OT from IT networks.
  • Permit communication only through hardened conduits (e.g., unidirectional gateways or ICS DMZs).
  • Regularly audit firewall rules and enforce no direct access from IT zones to control systems.

OT Network Recommendations:

  • Remove unnecessary IP paths between IT and OT.
  • Enforce jump server access with MFA and session recording.
  • Deploy passive IDS to detect unusual activity without disrupting critical systems.

Validate Segmentation Effectiveness

Organisations should regularly test and validate their segmentation and access controls:

  • Perform network flow audits to identify unauthorized or legacy traffic paths.
  • Use red team simulations to test lateral movement across trust boundaries.
  • Apply segmentation validation tools or microsegmentation platforms to map real-world connectivity.
  • Confirm alerting is enabled for any failed or denied access between zones.

Conduct firewall rule reviews quarterly, removing outdated or overly broad policies.
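An added example (not from the advisory) of the alerting described in the last bullet: it parses denied cross-zone connections from constructed NGFW-style log lines (the field names and sample entries are assumed) and raises an alert when one source host is denied to several cross-zone targets on lateral-movement ports within a short window, the pattern a compromised endpoint probing neighbouring zones leaves behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed deny-log format for this example (field names are assumed, not a vendor's).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DENY srczone=(?P<szone>\w+) dstzone=(?P<dzone>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}  # WMI/RPC, NetBIOS, SMB, RDP, WinRM
WINDOW_SECONDS = 60
THRESHOLD = 3  # distinct denied cross-zone targets from one source before alerting

# Constructed sample log: 10.10.5.4 is denied to three hosts in two other zones.
SAMPLE_LOG = """\
2026-01-15T09:12:01Z fw01 DENY srczone=user dstzone=server src=10.10.5.4 dst=10.20.0.10 dport=445
2026-01-15T09:12:03Z fw01 DENY srczone=user dstzone=internet src=10.10.7.7 dst=8.8.8.8 dport=25
2026-01-15T09:12:04Z fw01 DENY srczone=user dstzone=server src=10.10.5.4 dst=10.20.0.11 dport=445
2026-01-15T09:12:09Z fw01 DENY srczone=user dstzone=admin src=10.10.5.4 dst=10.30.0.20 dport=3389
2026-01-15T09:15:30Z fw01 DENY srczone=user dstzone=server src=10.10.9.9 dst=10.20.0.10 dport=445
"""

def parse(line):
    """Return the parsed fields of one deny line, or None if it is not a deny record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    d["dport"] = int(d["dport"])
    return d

def detect(lines):
    """Return (src, window_start, targets) for each source denied to >= THRESHOLD
    distinct cross-zone targets on lateral-movement ports within WINDOW_SECONDS."""
    recent = defaultdict(deque)  # src -> deque of (ts, (dst_zone, dst))
    alerted = set()
    alerts = []
    for line in lines:
        e = parse(line)
        if not e or e["szone"] == e["dzone"] or e["dport"] not in LATERAL_PORTS:
            continue  # intra-zone and non-lateral denials are not lateral movement signals
        q = recent[e["src"]]
        q.append((e["ts"], (e["dzone"], e["dst"])))
        while (e["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()  # slide the window forward
        targets = {t for _, t in q}
        if len(targets) >= THRESHOLD and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append((e["src"], q[0][0].isoformat(), sorted(targets)))
    return alerts
```

Running `detect(SAMPLE_LOG.splitlines())` yields a single alert for 10.10.5.4; the single denial from 10.10.9.9 and the non-lateral SMTP denial stay below the threshold.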

Reporting

All NCII entities are required to report incidents involving mass malware propagation, lateral movement, or segmentation failure to NC4 immediately as mandated by the Cyber Security Act 2024 [Act 854]. Timely reporting ensures coordinated threat intelligence sharing and effective cross-sectoral response.
