Analysis of high-profile cyber breaches often reveals how intruders gain their initial footprint in the targeted organizations and bypass perimeter defenses to establish a backdoor for persistent activities. Such stealthy activities may continue until intruders complete their ultimate mission—claiming the “crown jewels” of the victim organization.

“Lateral movement” is a term increasingly used to describe penetration activities by intruders (more information on lateral movement is available in Verizon’s 2014 Data Breach Investigations Report[1]). These activities begin with network reconnaissance, typically leading to compromises, hijacking of user accounts and ultimately privilege escalation to access sensitive data. Organizations may go to great lengths to detect and stop the initial breach and the final data exfiltration, as well as to establish more intelligence at their ingress/egress perimeters. But how can you minimize the damage caused by an intruder’s lateral movement once your network is already compromised?


Some government agencies referenced below outline strategy and best practices to combat such infiltration activities[2]. Network segmentation has been identified as one of the key elements to prevent unnecessary communication from one network to others. Cisco TrustSec extends traditional network segmentation by controlling communication between individual endpoints based on their roles.

User-and-device or server level segmentation with Cisco TrustSec provides:

  • Protection against network level reconnaissance, preventing vulnerability scanning from a compromised host
  • Protection against possible exploitation of vulnerable network services and applications
  • Network-edge access control to block network ports used for remote privilege escalation attacks such as “Pass-the-Hash”, while allowing client-to-server traffic for legitimate maintenance purposes
  • Protection against peer-to-peer malware propagation within organizations

TrustSec provides a different way to implement network segmentation. With Security Group Tags, we can dynamically authorize systems and apply an appropriate tag to traffic from a host based upon the role of that host. Network devices, such as switches, routers, Wireless LAN Controllers and Firewalls, then use the topology-independent tag to determine the segmentation policies to apply to traffic. This can be used to restrict malware scanning and propagation from user devices to other user devices, whilst not impeding user-to-server traffic flows. TrustSec provides a layer of abstraction for segmentation rules which makes it simpler, more flexible, and less expensive to operate.
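The role-based policy model described above, as an added illustration that is not Cisco's code: endpoints are mapped to a Security Group Tag at authorization time, and the policy matrix is keyed on (source tag, destination tag) rather than on IP addresses, so two employee laptops on different subnets get the same user-to-user deny while user-to-server traffic is still permitted. The tag numbers, addresses and policy entries are constructed for the example.

```python
# Constructed Security Group Tag values (assumptions, not Cisco defaults)
SGT_EMPLOYEE = 10
SGT_SERVER = 20
SGT_IT_ADMIN = 30

# Role assignment is decided when the endpoint is authorized; this constructed
# table stands in for the result of that authorization. Note the two employee
# laptops sit on different subnets but carry the same tag.
HOST_ROLES = {
    "10.1.1.5": SGT_EMPLOYEE,    # employee laptop, subnet A
    "10.2.7.9": SGT_EMPLOYEE,    # employee laptop, subnet B
    "10.9.0.20": SGT_SERVER,     # file server
    "10.1.1.50": SGT_IT_ADMIN,   # admin workstation, same subnet as laptop A
}

# Policy matrix: (src SGT, dst SGT) -> ordered rules of (proto, port, action).
# First match wins; a cell with no matching rule, or no cell at all, denies.
POLICY = {
    (SGT_EMPLOYEE, SGT_EMPLOYEE): [("any", None, "deny")],              # no peer-to-peer
    (SGT_EMPLOYEE, SGT_SERVER): [("tcp", 445, "permit"), ("tcp", 443, "permit"),
                                 ("any", None, "deny")],
    (SGT_IT_ADMIN, SGT_EMPLOYEE): [("tcp", 445, "permit"), ("tcp", 3389, "permit"),
                                   ("any", None, "deny")],               # maintenance only
    (SGT_IT_ADMIN, SGT_SERVER): [("any", None, "permit")],
}


def evaluate(src_ip, dst_ip, proto, port):
    """Return 'permit' or 'deny' for a flow, based only on the two endpoints' tags."""
    cell = POLICY.get((HOST_ROLES[src_ip], HOST_ROLES[dst_ip]), [])
    for rule_proto, rule_port, action in cell:
        if rule_proto in ("any", proto) and rule_port in (None, port):
            return action
    return "deny"  # default deny when nothing in the cell matches


def reachable_from(src_ip, proto, port):
    """Which hosts a (possibly compromised) endpoint could reach on one port.

    Useful to check how much a given role's blast radius is reduced by the matrix."""
    return sorted(dst for dst in HOST_ROLES
                  if dst != src_ip and evaluate(src_ip, dst, proto, port) == "permit")
```

Running `reachable_from("10.1.1.5", "tcp", 445)` returns only the file server, even though the admin workstation shares the laptop's subnet.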

To learn how TrustSec can help your organization minimize damage caused by persistent attacks, please go to www.cisco.com/go/trustsec.

[1] http://www.verizonenterprise.com/DBIR/2014/

[2] http://www.asd.gov.au/publications/csocprotect/network_segmentation_segregation.htm



Kevin Regan

Product Manager

Secure Access and Mobility Product Group