This is the published version of the bachelor thesis:

Ballart Cabanas, Nil; Ortega Gil, Marc, dir. Practical evaluation of microsegmentation in a cloud environment: A holistic approach. 2023. (Enginyeria Informàtica)

This version is available at https://ddd.uab.cat/record/298935

under the terms of the license

TFG IN COMPUTER ENGINEERING, ESCOLA D'ENGINYERIA (EE), UNIVERSITAT AUTÒNOMA DE BARCELONA (UAB)

An holistic approach to microsegmentation:
A practical evaluation of microsegmentation in a cloud environment.

Nil Ballart Cabanas
1 July 2024

Abstract- This project is based on the analysis and implementation of a microsegmentation technology in a cloud infrastructure. Microsegmentation allows for greater granularity in segmentation policies, improving the resilience of the environment when the attacker has managed to penetrate the perimeter defenses and has infected an internal machine. Following this Zero Trust security strategy, we greatly reduce the attack surface by offering a high level of real-time control. This project provides a general analysis of the capabilities of this technology, its impact on devices, and the advantages over an environment with only perimeter segmentation.

Keywords- Microsegmentation, Segmentation, Guardicore, Zero Trust, AWS, Resilience, Cybersecurity.


1 INTRODUCTION

Infrastructure protection [1] is based on securing business application infrastructures and protecting a company's technology, systems and assets. These systems range from the wireless networks used to connect to the Internet to cloud solutions, servers, mobile devices, etcetera.

Infrastructure security has always been one of the most important pillars of cybersecurity. This area is part of the so-called "Blue Team". The main objective of infrastructure protection is to protect a company's internal network and its assets from attacks, unauthorized access and other malicious actions aimed at harming the organization.

Nowadays there is a wide range of very effective and constantly improving vendor technologies that provide a wall of protection against attacks coming from outside the company or organization. Although these perimeter protection technologies are highly effective, no protection is perfect and there will always be vulnerabilities, discovered or not, that allow an attacker to perform malicious actions. That is why in recent years, especially in view of the great digital transformation underway, together with the transition to hybrid cloud infrastructures and the high proliferation of ransomware, the search for solutions that complement this perimeter defense has become more and more common: solutions that protect the internal network on the same scale against these attacks, all with a minimal impact on system performance and with adaptability to change.

1.1 State of the art

Currently, this added protection can be achieved through a Zero Trust security model [2]. This model is relatively complex and costly to implement and maintain, and these two are the main reasons why companies do not have micro-segmentation [3].

• Contact e-mail: [email protected]
• Mention made: Information Technologies
• Work supervised by: Marc Ortega Gil (Department of Information Engineering and Communications)
• Course 2023/24

July 2024, Escola d'Enginyeria (UAB)

1.1.1 Zero Trust

The Zero Trust security model has been known for some time, appearing for the first time in 2010 [4]. It is based on changing the way of thinking when protecting infrastructures: we move from a strategy of "trust, but verify" to "never trust, always verify". This means that no user or device is trusted to access a resource until its identity has been verified and it has been authenticated. This process applies to all connections, including those originating in the internal network. There are several ways to carry out this strategy and achieve the expected results, but the main and most complete way that currently exists is a solution called Secure Access Service Edge (SASE) [5].

1.1.2 Secure Access Service Edge (SASE)

SASE emerges as a security paradigm in the cloud that links itself to traditional networks, offering a whole range of functionalities to protect access to applications and data in a secure way, following this Zero Trust model. A solution is considered SASE when it integrates the following capabilities, the first two being necessary and the subsequent ones optional:

• Secure Web Gateway or web proxy (SWG): This solution acts as a protection between the intranet and the public Internet, filtering and controlling web traffic to prevent threats such as malware, phishing and ransomware. By integrating with SASE, it becomes a centralized inspection point, offering granular visibility and control over access to websites and SaaS applications.

• Zero Trust Network Access (ZTNA): This solution redefines network access, eliminating the traditional implicit trust in the internal network. It does this by verifying the identity and context of each user and device before granting access to specific resources, thus minimizing the attack surface and preventing unauthorized access.

• Software Defined WAN (SD-WAN): This network architecture transforms the way companies connect to their networks. SD-WAN separates the control plane (which defines how traffic is routed) from the data plane (which carries the actual traffic), thus enabling centralized and flexible network management.

• Microsegmentation: Micro-segmentation [6] offers several advantages over more established approaches, such as the segmentation of networks and applications using hardware components (routers, switches, etc.). Traditional methods rely heavily on network-based controls, which are imprecise and often difficult to manage. Micro-segmentation, on the other hand, is a software-based segmentation element, which offers flexibility to extend protection and visibility of the systems at any location, all of this with a high level of detail and granularity in the control of security elements. This add-on is mainly focused on protecting on-premises internal networks, since cloud environments usually already have a basic micro-segmentation applied (AWS: Security Groups, Azure: Network Security Groups, OCI: Security Lists, and others).

1.2 Context of the work

In practice, all these security improvements and advances need to be accompanied by data that demonstrate and exemplify the potential of their capabilities. This is where my work is focused. Starting from an operational infrastructure in a cloud environment, in this project I seek to deploy and configure software that applies this micro-segmentation to the environment and to reach objective conclusions, going deeper into its capabilities for resilience against attacks based on lateral movements, such as ransomware, "island hopping" [7] or "living off the island" [8].

2 OBJECTIVES

This paper seeks to perform a theoretical and practical analysis of the capabilities, advantages and impact of a micro-segmentation technology on a network infrastructure in a cloud environment where the segmentation is flat. Through the theoretical analysis of the capabilities of micro-segmentation and its application to an already deployed and operational infrastructure, we seek to obtain objective data on the opportunities that this technology can bring to improving the security and resilience of companies. In order to achieve this goal, a series of basic objectives must be met:

• Deploy and configure the micro-segmentation technology.

• Carry out a security test on the infrastructure without micro-segmentation, then apply it and compare and analyze the results.

• Deploy a Command & Control server of the technology and the other elements necessary for its correct operation.

• Analyze the environment and the capabilities of the technology in order to design and implement micro-segmentation policies.

• Automate the process of communications analysis using a script that processes the data collected from the technology's API and generates an Excel document with this data.

3 METHODOLOGY AND PLANNING

To achieve the objectives of the project, it has been divided into two phases. The first phase has been a preliminary part based on the preparation and configuration of the cloud environment and the in-depth study of the operation and coding of the software used to perform the security tests. This phase consisted in deploying and configuring the necessary infrastructure in AWS, in order to be able to install and deploy later the necessary agents on the systems on which I performed the tests.
On the other hand, the second phase has followed an incremental methodology. This phase consisted of carrying out the segmentation tests, analyzing the results, applying policies and other micro-segmentation configurations and, finally, carrying out the same segmentation tests again in order to maximize the results.

The idea of this section was to follow the typical process used in policy definition projects, which normally consists of 4 phases:

1. Define which communications to enable, alert on and block according to the security needs and objectives of the infrastructure.

2. Configure the corresponding policies and, instead of configuring the blocking policies directly, configure them in alert mode during a test period, so as not to block any communication erroneously.

3. Analyze the alerts of the blocking policies under test and generate the appropriate exceptions.

4. After the test period, switch the defined alert policies to block.

This process is repeated until the desired objectives are achieved and all security needs are covered. Each incremental cycle lasts approximately two weeks, the first devoted to design and configuration and the second to the testing process and the analysis of the results. Thus, following all the previously defined sections, I have been carrying out the tasks in defined cycles of one week, as can be seen in the Gantt chart of the project (Appendix A1, Fig. 12).

4 MICRO-SEGMENTATION TECHNOLOGY: GUARDICORE

4.1 What is micro-segmentation?

When we talk about micro-segmentation we refer to software-based segmentation. This software is installed on the devices and is what allows incoming and outgoing communications to be controlled in real time. By having an agent installed on each device, we can define segmentation at the process level. In addition, we can add different tags to each machine in order to structure and organize the whole set of assets, creating a logical structure regardless of the location of each device (physical, cloud or dynamic). With all this, micro-segmentation policies can be defined in terms of groups of tags, labels, communication protocols, ports and processes, both at source and at destination level.

Fig. 1: Graphical display of the granularity of Guardicore Centra

4.2 Solutions for micro-segmentation

Currently, most micro-segmentation solutions are still under constant development, so there are few complete solutions. For example, Cisco Secure Workload [9] is a Cisco solution, but it cannot be contracted individually: it goes together with other technology packages as an add-on, not as a complete solution.

Fig. 2: Gartner Magic Quadrant for Microsegmentation solutions

Among the current leading solutions we find Guardicore [10] (purchased a few years ago by Akamai Technologies) and Illumio. The main difference between these two is that Illumio [11] does not require the installation of an agent, with the advantages and disadvantages that this entails, but this makes them two quite different products. The other product that comes close to Guardicore is ColorTokens [12], but this one is focused on being a very simple micro-segmentation based on agents that can run on any OS, establishing itself as one of the most suitable solutions for cold environments, where normally all the devices run old OSs that are very difficult to update and/or modernize.
4.3 How Guardicore (Akamai Technologies) works

Guardicore technology has 4 main elements:

• Control server: It is the central server that serves to control and manage all the devices with the installed agent. It can be deployed as an AIO (All in one) or as a distributed server, both on-premise and in the Cloud. It can be managed both through the integrated CLI and through the locally hosted web service, which is recommended to get the maximum benefit.

• Aggregators: These machines are deployed in networks where both the control server and the machines that have the agent can communicate. They serve as intermediaries between the control server and the agents. They can support up to 500 agents at a time.

• Agents: This is the software that is installed on each machine in order to control communications. The machines need to have an OS compatible with the agent, which can lead to problems with quite old machines. If the OS is not compatible, the agent can still be installed, but it runs in visibility mode, without the ability to apply policies.

• Collectors: These machines are installed when there are machines that cannot have the agent installed. They control communications at the network level, in a similar way to Illumio.

5 TESTING TOOL: INFECTION MONKEY

Infection Monkey [13] is an open source security tool owned by Akamai Technologies. This tool is installed on a dedicated server from where it is possible to manage and control the attack simulations that can be carried out. It also hosts an internal web server that can be accessed through its front-end (its architecture and communications can be seen in Appendix A1, Fig. 13).

The different attack simulations that the tool allows can be configured to determine the propagation range and the machines with which we want to carry out the study, so that in the case of production or critical environments we can leave out certain machines as a precaution.

This tool is divided into two components:

• Monkey Island: Dedicated server to control and visualize the progress of the attack simulation within the network. By default, the server has a self-signed certificate that it uses to communicate securely with the agents using HTTPS.

• Infection Monkey Agent: This is the agent in charge of simulating attacks on infected machines and reporting to Monkey Island. The attacks can be initiated on the dedicated server or by downloading the agent on a machine, simulating the machine's infection.

5.1 Attack processes and configurations

The attack process performed by Infection Monkey [14] is simple to understand. It first attempts to perform lateral movements from the machine where it is located by means of a series of exploits (Log4Shell and Zerologon) and brute force attacks on different processes (PowerShell, WMI, SSH, SMB, MSSQL, Hadoop, RDP and SNMP). Once an attack is successful, the attack or attacks defined in the configuration are executed and then the binary is downloaded from the control server to launch the same attack again from the infected machine. While micro-segmentation is not responsible for protecting what happens inside the machines, it is interesting to know what attacks can be simulated in order to perform other security tests with other technologies. The possible attack simulations are as follows:

• Ransomware Simulation: This scenario represents a ransomware attack on the network. This ransomware performs totally safe actions on production environments, since it only encrypts files found in a specific folder that we can select beforehand. Moreover, the "encryption" is a bit flip plus the addition of the extension ".m0nk3y", which is easily detectable and reversible.

• Network Breach: This scenario simulates the intrusion of an attacker into the internal network and is responsible for carrying out the lateral movements using known vulnerabilities, brute force and other known tools such as Mimikatz, which allows credentials to be stolen for use in lateral movements.

• Credentials Leak: This scenario requires entering user or service credentials and allows you to see what impact the theft of these credentials would have. In addition, it allows enabling the attempt to steal SSH credentials stored on the system.

• Cryptojacker Simulation: This scenario simulates the execution of a program designed to mine Bitcoin that has been installed in an unauthorized manner. It does this by increasing RAM and CPU usage to configurable levels and also generates network traffic identical to that of Bitcoin. We must be careful with this scenario because it can affect the operation of critical or production machines.

In Appendix A1, Figure 14 you can see the summary of this attack process and its methods.

6 PRACTICAL ANALYSIS IN AWS

The objective of this section is to better understand the functionality and test the capabilities of micro-segmentation. Therefore, I have deployed a series of machines in AWS that serve to represent a hybrid environment in which to perform the security tests. Before doing so, I will exemplify a micro-segmentation project and the goal that can be achieved with this technology.
6.1 Example environment

Today most companies have started from a purely on-premise infrastructure and are gradually migrating to the Cloud, as it offers cost reduction, scalability, flexibility and better accessibility. An environment where we find both Cloud and On-premise infrastructure is called a hybrid infrastructure, and this is the one we will use as an example.

We manage a medium-sized company with the following architecture:

Fig. 3: Example architecture

In it we find the typical current elements. On the one hand, we have the internal network with its DMZ, which contains two services exposed to the Internet, such as web services, and then different VLANs with workstation computers, internal servers, and control and management servers, which are critical. On the other hand, we have two AWS EC2 machines and a firewall configured to allow VPN connections for employees working remotely.

6.1.1 Physical segmentation

Although this hybrid environment could significantly reduce the attack surface for lateral movements with segmentation, the lack of control that is emerging with the migration of infrastructures to the Cloud, SaaS applications and other services in the Cloud makes it very difficult to control all the elements of the organization and increases the attack surface to which companies are exposed. In my opinion, with the high proliferation that has taken place lately, it is clear that once an internal service is infected, most of the time it ends up with critical results, affecting the entire organization.

6.1.2 Logical segmentation

Following the previous example and the typical procedure to apply micro-segmentation, we could define the following labeling methodology to deploy agents on all devices, creating the following logical segregation by labels:

Fig. 4: Logical Segregation

This is the basis for analyzing communications and defining policies. To simplify this, it is possible to create label groups, with labels of the style "Environment: Development", "Environment: Production", etc., all defining which segmentation is to be configured. For example, some micro-segmentation policies on the IT server of the example could be the following:

Source          Destination      Enforcement
Department:IT   Application:AD   Allow: port 3389, mstsc.exe (RDP)
ANY             Application:AD   Block
Department:IT   ANY              Allow: 22, 80, 443, 3389 TCP
Department:IT   ANY              Block
ANY             Department:IT    Block
ANY             ANY              Block

TABLE 1: EXAMPLE POLICIES

This part of the communication analysis and policy definition can be done by using the visual map provided by the web interface or by exporting the logs in CSV format. If the project encompasses many devices, it is very difficult to work on the interactive map and the log file is disproportionately large; in these cases the automation script for this process comes in, which I will talk about later.

6.2 Example based on a real project

The ability to segregate internal communications in such a granular way (down to the process level) allows for great milestones in certain current scenarios. To understand these improvements a little better, here is an example based on a real project case:

- One company has deployed Microsoft EDR on all of its devices (Microsoft Defender for Endpoint), which is one of the methods used in environments where purely Windows machines are used. This agent is installed on all machines just like Guardicore and also reports to and receives communications from an internal server. This control is done through RDP (port 3389), so all machines must have this connection enabled, as we can see in the requirements on the official website [ToDo: update reference]:
Process   Protocol   Port   From                           To
RDP       TCP        3389   Defender for Identity Sensor   All

TABLE 2: EXAMPLE POLICY

This means having port 3389 open on all machines in order to be able to receive and send communications of this kind for security purposes. This exposure can be mitigated by defining a policy that restricts this communication to this process on the machines where this software is installed.

6.3 Deployed environment

The deployment that I have done is divided into 2 parts. On the one hand we have the distributed control server of Guardicore and, then, a series of Windows Server and Linux Red Hat machines, on which I will perform the attacks and lateral movement attempts. Guardicore Centra, which is what the control server is called, is on a single AWS VLAN, which is called a VPC. The rest of the machines are split between this and another VPC. It is important to understand that the Guardicore server is located together with the rest of the machines, but this is outside the scope of the security tests I have performed.

6.3.1 Distributed control server

It consists of 8 EC2 instances, where each machine is responsible for different functions of the solution.

Fig. 5: Architecture of the machines deployed on AWS

First we have the core of the distributed server, which is the Management Control Server. Then we have 2 Workers, which basically serve to balance the load of the main node. The rest of the machines are in charge of map processing, log and data storage and other functions that I will not go into in detail. These machines are:

• RabbitMQ

• InfluxDB

• ElasticSearch

• 2x PostgreSQL (with 1 TB of storage for each node)

• 2x MongoDB (configured in high availability)

And finally, an aggregator, with which the machines that have the agent installed communicate and from which they receive communications. This communication is done through HTTPS (443) with SSL and, by default, a self-signed certificate, although this can be changed.

6.3.2 Represented environment

The machines of the real environment that I am representing are images of different OSs, except for a Windows Server 2019 where I have installed the program to carry out the attack simulations, which I will go into in detail later. These OSs are:

• Windows Server 2022

• Windows Server 2019 (Monkey Island)

• Linux Red Hat 8.6 with SQL

• Linux Red Hat 9

Although these machines are located in AWS, I have configured them following the first example of a hybrid environment (Fig. 3: Example architecture). The Windows Server 2019 represents a server in the DMZ exposed to the Internet and, therefore, to attacks from the outside. The remaining machines can communicate with each other via SSH (22), RDP (3389), HTTP/HTTPS (80, 443) and FTP (20, 21). On all these machines I have installed the Guardicore agent and generated lateral movements between them both via SSH and RDP.

6.4 Initial security tests

6.4.1 Simulation of an attack on the DMZ machine

The simulation represents an attack that has bypassed the perimeter defense of the firewall and has managed to infect a machine in the DMZ, which was exposed to the Internet by publishing a web service or similar. This has been configured to perform the following actions:

• Network scan of the two subnets (VPC-1 and VPC-2).

• All lateral movement exploits, credential extraction and brute force attacks are attempted.

• Infection Monkey spreads with a maximum of 2 lateral hops.
Fig. 6: Graphical result of the simulation.

On the one hand, it is possible to observe that the entire internal network is fully visible. On the other hand, 2 SSH communications (by stealing credentials) and one RDP communication have been breached.

6.5 Analysis of communications

Now, once we have the traffic of both the lateral movements and those generated by Infection Monkey, we can analyze it to see what we have to block and what we can allow. This point is quite critical and, in real projects, you have to do a lot of research and really understand what is going on, as it will never be as simple as the case I am working on.

Fig. 7: Unplotted map showing Guardicore Centra

Mainly, as can be seen in the previous section, the successful exploits of the attack have been through RDP and SSH. The PowerShell exploit is a remote shell execution, but it only exists once the machine has been compromised, so we will leave it aside, as we want to focus on mitigating as much as possible the vulnerabilities in the lateral movements.

To better understand what happened and where the vulnerability came from, by analyzing the report generated by Infection Monkey and the communications between machines, we can see how, first, it manages to steal the SSH credentials of Windows Server 2019 (the one located in the DMZ and from where the attack started). It then uses these credentials to exploit both RDP and SSH communications by brute force.

Once we have analyzed what has happened, having these unwanted communications and those that we want to allow so that our company can continue to function, we have to configure policies that will allow what we consider to be legitimate.

6.6 Policy configuration

This is where the differences between micro-segmentation and segmentation can really be observed. Without micro-segmentation, a movement such as the one observed in the simulated attack, through SSH or RDP from one machine to another, could be blocked or allowed only if the machines were in different VLANs and the infrastructure where they were deployed allowed it. Even where we can perform this control, the only option is to block or allow all communications, without going into detail.

In contrast, with micro-segmentation we can apply a much more granular approach, defining origin and destination down to the process level. This is useful to define, for example, policies that block SSH communications unless they are performed using the PuTTY application (or any other that performs this function). Moreover, we can define whether this program may be installed in any directory or only in the default directory where the program or process is located.

This serves to allow legitimate movements and block malicious ones which, in the majority of cases, as they are automated, will not be executed using the programs that we have mentioned.

Here we can see the configured policies, where we have on the one hand general blocks of communications and then the explicitly allowed communications that I have defined.

Fig. 8: Policies allowing SSH communications over PuTTY

In addition, I have also blocked the ICMP protocol, so as to avoid visibility of the machines that we do not want to be seen from within the network.

Once these policies have been activated, I have verified that communications via SSH console cannot be re-established and connections through PuTTy are lost.

We have to keep in mind that in real projects these policies would not be created directly in block mode, but in alert mode, in order to analyze the communications and generate the policies in the most granular way possible.

6.7 Final security tests

6.7.1 Simulation of an attack on the DMZ machine

Once micro-segmentation is applied in the environment we can simulate what would happen if one of the Internet-exposed machines located in the DMZ is infected. First of all, we see notifications that some communications are being blocked.

Fig. 9: Message that warns that there are outgoing communications that are being blocked.
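The policies of Table 1 (section 6.1.2), the process-scoped Defender rule of Table 2 and the PuTTY-only SSH rule of section 6.6 all have the same shape: an ordered list of rules over tag sets, protocol, port, process and process directory, evaluated first-match, with the block rules run in alert mode during the test period of the four-phase lifecycle in section 3. The following Python is an added example written for this edition, not code from the thesis and not Guardicore's own engine: the rule names, the OS:Linux tag, the sample flows and the PuTTY install path are constructed for illustration, and first-match ordering with an implicit default deny is an assumption about how such an evaluator behaves, not a description of how Guardicore Centra implements it.

```python
"""Tag-based micro-segmentation policy evaluator (added example, not Guardicore code)."""
from dataclasses import dataclass
from typing import Optional

ANY = frozenset()  # an empty tag set matches every asset, like ANY in Table 1


def fs(*items):
    """Shorthand for building frozensets of tags, ports or process names."""
    return frozenset(items)


@dataclass(frozen=True)
class Flow:
    src_tags: frozenset       # labels of the source asset, e.g. Department:IT
    dst_tags: frozenset       # labels of the destination asset
    protocol: str             # "TCP", "UDP" or "ICMP"
    port: Optional[int]       # destination port; None for ICMP
    process: str              # source executable name, e.g. "mstsc.exe"
    process_path: str = ""    # directory the executable runs from


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow", "alert" or "block"
    src: frozenset = ANY      # required source tags (subset match)
    dst: frozenset = ANY      # required destination tags
    protocols: frozenset = ANY
    ports: frozenset = ANY
    processes: frozenset = ANY  # lower-case executable names
    path_prefix: Optional[str] = None  # only match binaries under this directory

    def matches(self, f: Flow) -> bool:
        return (self.src <= f.src_tags and self.dst <= f.dst_tags
                and (not self.protocols or f.protocol in self.protocols)
                and (not self.ports or f.port in self.ports)
                and (not self.processes or f.process.lower() in self.processes)
                and (self.path_prefix is None
                     or f.process_path.lower().startswith(self.path_prefix.lower())))


def evaluate(rules, flow, test_period=False):
    """First matching rule wins; anything unmatched is blocked (default deny).
    During the test period (phase 2 of the lifecycle) block rules only alert."""
    for rule in rules:
        if rule.matches(flow):
            action = rule.action
            if test_period and action == "block":
                action = "alert"
            return action, rule.name
    return "block", "implicit-default-deny"


def dry_run(rules, flows):
    """Phase 3: collect the alerts the blocking rules would have raised,
    so the analyst can write exceptions before switching them to block."""
    hits = []
    for flow in flows:
        action, name = evaluate(rules, flow, test_period=True)
        if action == "alert":
            hits.append((name, flow))
    return hits


# Table 1 of the thesis, in the order written (specific allows before broad blocks).
TABLE_1 = (
    Rule("it-rdp-to-ad", "allow", fs("Department:IT"), fs("Application:AD"),
         fs("TCP"), fs(3389), fs("mstsc.exe")),
    Rule("any-to-ad", "block", dst=fs("Application:AD")),
    Rule("it-admin-ports", "allow", src=fs("Department:IT"), protocols=fs("TCP"),
         ports=fs(22, 80, 443, 3389)),
    Rule("it-to-any", "block", src=fs("Department:IT")),
    Rule("any-to-it", "block", dst=fs("Department:IT")),
    Rule("default-deny", "block"),
)

# Section 6.6: SSH to the Linux hosts only from PuTTY, and only from its install directory.
# The OS:Linux tag and the install path are constructed for this example.
SSH_VIA_PUTTY = (
    Rule("ssh-putty-only", "allow", fs("Department:IT"), fs("OS:Linux"), fs("TCP"), fs(22),
         fs("putty.exe"), path_prefix=r"C:\Program Files\PuTTY"),
    Rule("ssh-other-clients", "block", dst=fs("OS:Linux"), protocols=fs("TCP"), ports=fs(22)),
)

# Constructed sample flows (not captured from the thesis environment).
IT = fs("Department:IT", "Environment:Production")
FLOWS = [
    Flow(IT, fs("Application:AD"), "TCP", 3389, "mstsc.exe", r"C:\Windows\System32"),
    Flow(fs("Department:HR"), fs("Application:AD"), "TCP", 3389, "mstsc.exe"),
    Flow(IT, fs("Application:AD"), "TCP", 445, "System"),
    Flow(IT, fs("Application:Web"), "TCP", 443, "chrome.exe"),
    Flow(IT, fs("Application:Web"), "ICMP", None, "ping.exe"),
    Flow(fs("Application:Web"), fs("Department:IT"), "TCP", 22, "ssh"),
]
SSH_FLOWS = [
    Flow(IT, fs("OS:Linux"), "TCP", 22, "putty.exe", r"C:\Program Files\PuTTY"),
    Flow(IT, fs("OS:Linux"), "TCP", 22, "ssh.exe", r"C:\Windows\System32\OpenSSH"),
    Flow(IT, fs("OS:Linux"), "TCP", 22, "putty.exe", r"C:\Users\alice\Downloads"),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(evaluate(TABLE_1, f), f.process, f.port)
    for name, f in dry_run(SSH_VIA_PUTTY, SSH_FLOWS):
        print("would block:", name, f.process, f.process_path)
```

Rule order matters in the same way it does in Table 1: the IT-to-AD RDP allow must precede the ANY-to-AD block, otherwise the administrators' mstsc.exe sessions are blocked along with everyone else's. The dry_run output is the list an analyst works through in phase 3, deciding for each hit whether to add an exception or keep the block before the rule is promoted in phase 4.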
Once the attack is over, we can observe a totally different result.

Fig. 10: Graphical result of the attack once the micro-segmentation is applied.

We can see how the network scan executed by Infection Monkey this time has detected only the Guardicore aggregator, but without being able to access it as in the previous attack. The rest of the machines that were detected in the initial attack do not appear as possible targets of lateral movements, since they were not detected, at least by Infection Monkey.

Since the idea of the attacks is to demonstrate how micro-segmentation is able to significantly reduce lateral attacks, I have disabled the blocking of the ICMP protocol to check that, even if the malware that has infected the DMZ machine detects all the machines in the internal network, it is not able to breach them as it did before.

Fig. 11: Graphical result of the attack once the micro-segmentation is applied and the ICMP blocking is disabled.

7 SCRIPT FOR DATA ANALYSIS AND PROCESSING AUTOMATION

Currently, one of the most manual parts of a micro-segmentation project is the analysis of communications and the definition of which policies are to be created. It is a matter of understanding the workings of all the machines in an organization (servers, laptops, printers, desktop computers, thin clients, IoT devices, etc.), to each of which micro-segmentation is to be applied.

To do this, for the moment, there are two options. Either you can do it using the interactive map, which allows you to select a communication and create a rule from it, or you can download the logs and, using Excel or some CSV data processing tool, make an exhaustive analysis.

It is true that the interactive map option is very simple and it is the one I usually use, but when we have environments with a large number of devices (more than 500) this map and all the communications, which are represented with charts, are very difficult to handle. That is why in these cases we choose the second option. This is where currently, at least in the projects that I have visibility of, you have to work with CSV data (more than 200,000 lines) of all the communications of certain machines for 30 days, which is a very tedious and difficult process that can take up to seven weeks.

To automate and speed up this process, I have created a small script that communicates with the Guardicore API. Once authenticated with a read-only service user that I have created for this purpose, I make some queries and allow the user to choose which tag to get the communications for. Once this is done, I request through the API all the incoming and outgoing communications of this tag in the map that has been created with the information of the selected time interval (normally 30 days), and I do a simple data processing to obtain a very understandable and compact base from which to understand the communications and define the policies that are to be applied.

Fig. 12: Diagram of the functioning of the developed program and where in the project cycle it enters into operation.

8 OTHER CAPABILITIES

8.1 Real time communication map

As can already be seen in the images of the communication maps generated by Guardicore, this tool, apart from allowing micro-segmentation to be applied, allows us to have a map in
understand
incoming and outgoing communications from the real time of all the communications that are being carried
machines to be protected with micro-segmentation. out. This feature alone brings a lot of value since
companies normally do not have this visibility. With
NIL BALLART: AN HOLISTIC APPROACH TO MICROSEGMENTATION: A PRACTICAL EVALUATION OF MICROSEGMENTATION IN A CLOUD
ENVIRONMENT 11

Thus, we can easily detect existing and potential REFERE` NCIES


segmentation problems that have nothing to do with what
we are mitigating with micro-segmentation. [1] https://www2.deloitte.com/se/sv/pages/risk/articles/infrastructure-
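The compaction step of the script described in Section 7, as an added example that is not the author's script and does not use the Guardicore API: per-host lines of a constructed 30-day CSV export are collapsed into per-tag flow totals, candidate allow rules are drafted for one tag, and the SSH/RDP case of Section 6.6 is checked against a VLAN-level rule versus the drafted micro-segmentation rules. The column names, tags and VLAN mapping are assumptions.

```python
"""Added example: compact a constructed communications export into per-tag
flow totals and draft allow rules. Column names, tags and VLANs are assumed."""
import csv
import io
from collections import Counter

# Constructed 30-day export. Column names are assumed, not Guardicore's.
SAMPLE_CSV = """src_tag,src_ip,dst_tag,dst_ip,dst_port,proto,count
web-dmz,10.0.1.10,app,10.0.2.20,8443,TCP,1200
web-dmz,10.0.1.10,app,10.0.2.21,8443,TCP,980
web-dmz,10.0.1.11,app,10.0.2.20,22,TCP,1
web-dmz,10.0.1.10,db,10.0.3.30,3306,TCP,3
app,10.0.2.20,db,10.0.3.30,3306,TCP,5400
app,10.0.2.21,db,10.0.3.30,3389,TCP,2
monitor,10.0.9.9,db,10.0.3.30,0,ICMP,800
"""

# Assumed VLAN membership, used to contrast coarse segmentation (Section 6.6).
VLAN_OF = {"web-dmz": "dmz", "app": "internal", "db": "internal",
           "monitor": "internal"}

def summarise(csv_text):
    """Collapse per-host lines into (src_tag, dst_tag, port, proto) -> count."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["src_tag"], row["dst_tag"], int(row["dst_port"]), row["proto"])
        totals[key] += int(row["count"])
    return totals

def draft_rules(totals, tag, min_count=10):
    """Split flows touching `tag` into allow candidates and a review list.
    A handful of SSH/RDP connections in 30 days is the kind of lateral
    movement that must be reviewed, not whitelisted just because it was seen."""
    allow, review = [], []
    for (src, dst, port, proto), n in sorted(totals.items()):
        if tag in (src, dst):
            (allow if n >= min_count else review).append((src, dst, port, proto, n))
    return allow, review

def micro_allows(rules, src, dst, port, proto):
    """Micro-segmentation: only an explicit (tag, tag, port, proto) rule allows."""
    return any(r[:4] == (src, dst, port, proto) for r in rules)

def vlan_allows(src, dst, dmz_to_internal=True):
    """VLAN ACL: all-or-nothing between VLANs; opening 8443 also opens SSH."""
    return VLAN_OF[src] == VLAN_OF[dst] or dmz_to_internal
```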
8.2 Dynamic system isolation
Another capability of the technology is, taking advantage of the fact that we have an installed agent checking all communications, to constantly monitor internal processes to try to find, through AI, anomalies and potential malware. Once some of this behavior is detected, the process is sent to a virtualized machine that acts as a honeypot while its behavior is analyzed. This can help prevent 0-days and ransomware.

8.3 Simple segmentation of flat networks
It is very common to find small and medium-sized companies in the cybersecurity field that, for one reason or another, have a flat internal network, this being one of their main critical points in the face of attacks. Normally, a reorganization of the internal architecture is costly and complex, but if you want to have good security and mitigate the impact of an intrusion into the internal network, this is the first thing to do.

This can be quickly solved by applying a basic segmentation, without reaching the level of processes or ports. The software-based segmentation offered by Guardicore can solve this problem very simply and, in my opinion, leaves room for improvement in order to apply micro-segmentation in the future.

8.4 Logical segregation for audits
It facilitates the auditing of machine communications to a certain extent.

9 CONCLUSIONS
Microsegmentation is little known and relatively new, but it is a solution that increasingly has more potential in the face of today's segmentation problems.
Understanding what micro-segmentation is and what the benefits of segmentation are can help a lot to add value and improve the segmentation of companies. It is true that this has not been the case in the past.
It is far from being a unique solution, since it must always be accompanied by other protections such as perimeter protection (firewalls, Web Application Firewalls and similar) and local protection (antivirus, EDR and similar), but it is important to understand and take into account the capabilities of this technology, especially with the proliferation of ransomware and the migration to SaaS applications and Cloud environments that is taking place.
With micro-segmentation we can not only define in a very granular way what lateral movements and communications are allowed from each device, but it also allows us to have control and almost total visibility of what is happening within the organization, something that nowadays is almost never found anywhere.
It is for this reason that being able to see the capabilities and security features that micro-segmentation provides exemplified is the starting point for having the most secure environment possible, all following a Zero Trust security model.


APPENDIX

A.1 Figures

Fig. 13: Project Gantt Chart

Fig. 14: Infection Monkey architecture and communications.



Fig. 15: Diagram of the attack process using exploits and simulations of the Infection Monkey.
