By Mackenzie Gryder, with Ben Taylor
This blog is part of Gate 15’s Summer of Security: Ransomware Resilience Series, highlighting the essential considerations for organizational leaders and cybersecurity professionals.
Introduction:
Network segmentation involves dividing a network into smaller, isolated subnetworks to limit the spread of malware. By segmenting critical systems from less sensitive areas, organizations can contain a breach and prevent it from affecting the entire network. This strategy minimizes potential damage and aids in faster recovery by restricting ransomware’s ability to move laterally across systems.
Types of network segmentation:
Physical Segmentation:
- Uses separate physical hardware (switches, routers, cabling) to isolate network segments
- Pros: Strong isolation, prevents cross-segment traffic
Virtual Local Area Networks (VLANs):
- Uses switch configurations to logically segment networks within the same physical infrastructure
- Pros: Flexible, cost-effective, scalable
Firewall-Based Segmentation:
- Uses firewalls to enforce access control between segments
- Pros: Granular traffic control with rule-based policies
Software-Defined Networking (SDN) Segmentation:
- Uses centralized controllers to create dynamic, policy-driven segmentation across the network
- Pros: Highly flexible, scalable, adaptive to workloads
Micro Segmentation:
- Applies granular segmentation down to the workload or application level, often within data centers or cloud environments
- Uses host-based firewalls or software agents to control east-west traffic
- Pros: Limits lateral movement even if an attacker gains access
Zero Trust Segmentation:
- Extends micro segmentation with identity-based policies, verifying all users, devices, and applications before allowing connections
- Pros: Enforces least privilege access everywhere
Demilitarized Zone (DMZ) Segmentation:
- Separates externally facing services (e.g., web servers) from the internal network, allowing limited and controlled access to public-facing systems
- Pros: Protects internal assets while allowing external access
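To make the VLAN and firewall-based types above concrete, here is an added example (not code from the original post or from Gate 15) that models an inter-segment firewall policy as an explicit allow-list with a default-deny verdict, and renders it as an nftables forward chain. The zone names, VLAN subnets, ports and table/chain names are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zones (assumed names and VLAN subnets, not a real environment).
ZONES = {
    "USER_LAN": ip_network("10.10.0.0/24"),   # workstations
    "APP":      ip_network("10.20.0.0/24"),   # application / web tier
    "DB":       ip_network("10.30.0.0/24"),   # database tier
    "BACKUP":   ip_network("10.40.0.0/24"),   # backup targets
    "MGMT":     ip_network("10.50.0.0/24"),   # admin jump hosts
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int

# The explicit allow-list. Everything not listed here is dropped, so a
# compromised workstation cannot open SMB or RDP to the backup or database
# segments regardless of host-level settings.
ALLOW: List[Rule] = [
    Rule("USER_LAN", "APP", "tcp", 443),   # users reach the web tier only
    Rule("APP", "DB", "tcp", 5432),        # app tier reaches the database
    Rule("DB", "BACKUP", "tcp", 443),      # database pushes to backup over HTTPS
    Rule("MGMT", "APP", "tcp", 22),        # admin access from the jump-host zone
    Rule("MGMT", "DB", "tcp", 22),
    Rule("MGMT", "BACKUP", "tcp", 22),
]

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside every segment."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def decide(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Verdict for one new connection crossing the inter-segment firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "drop"          # unknown address space is never implicitly trusted
    if src == dst:
        return "intra-zone"    # same VLAN: not mediated here (micro segmentation's job)
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src, dst, proto, dport):
            return "accept"
    return "drop"              # default deny

def to_nftables(rules: List[Rule]) -> str:
    """Render the allow-list as an nftables forward chain with policy drop
    (one possible translation; the table and chain names are assumed)."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        lines.append(f"    ip saddr {ZONES[r.src_zone]} ip daddr {ZONES[r.dst_zone]} "
                     f"{r.proto} dport {r.dport} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    for flow in [("10.10.0.5", "10.20.0.10", "tcp", 443),
                 ("10.10.0.5", "10.40.0.10", "tcp", 445),
                 ("10.10.0.5", "10.30.0.10", "tcp", 3389)]:
        print(flow, "->", decide(*flow))
    print(to_nftables(ALLOW))
```

The "intra-zone" verdict is the gap the micro segmentation and zero trust entries above address: a firewall between VLANs says nothing about two workstations in the same subnet, which is exactly the path ransomware uses to spread within a segment.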
Why network segmentation matters for ransomware containment:
Network segmentation divides a network into smaller, isolated subnetworks, restricting how far ransomware can spread if it enters an environment. Without segmentation, ransomware can move laterally across connected systems, encrypting or exfiltrating data organization-wide. By isolating critical systems (such as backups, operational technology (OT), or financial servers) from less sensitive areas, segmentation creates “digital firebreaks” that contain infections, limit business disruption, and simplify recovery. It also helps security teams monitor traffic within each segment for suspicious activity, potentially facilitating faster detection and response. Segmentation helps to transform a flat, high-risk environment into a layered defense structure, making it harder for attackers to achieve large-scale impact.
In the 2017 NotPetya ransomware incident at Maersk, global shipping operations were crippled because the malware spread rapidly across flat, unsegmented networks. The lack of segmentation allowed it to infect 45,000 laptops and thousands of applications within hours, and recovery required reinstalling the entire IT infrastructure. The incident illustrates why network segmentation is critical to containing the spread of ransomware.
Implementation Best Practices:
To implement segmentation effectively:
- Begin with asset discovery and risk management
  - Identify and prioritize critical assets
  - Classify assets by sensitivity, criticality, and compliance requirements
  - Map data flows to understand dependencies and access needs
- Define clear trust boundaries
  - Assign systems to zones based on their function and trust level
  - Utilize policy-based segmentation where only explicitly allowed traffic can pass
  - Separate network zones using VLANs or subnets, and enforce controls between them with firewalls to restrict traffic flows
- Implement least privilege and access control
  - Only allow necessary communication between segments, using principles of least privilege and enforcing MFA for administrative access across segments
- Monitor east-west traffic
  - Deploy internal monitoring and intrusion detection to watch for unusual lateral movement within and across segments, allowing quick identification and isolation of suspicious activity
  - Utilize SIEM or network traffic analysis tools to log and monitor inter-segment traffic
- Regularly test segmentation controls
  - Run tabletop exercises and red team assessments to verify segmentation effectiveness and identify misconfigurations before an attack exposes them
- Document and maintain your segmentation strategy
  - Keep clear diagrams and documentation of your segmented architecture, including authorized communication paths, to support rapid containment during incidents
  - Reassess segmentation regularly, especially after mergers, infrastructure changes, or cloud migrations
By following these practices, organizations create digital firebreaks that confine ransomware to isolated areas, minimize operational disruption, and enable faster recovery.
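The "monitor east-west traffic" practice is easiest to see with data. Here is an added example (not from the original post or from Gate 15) that runs two simple detections over inter-segment firewall flow logs: a host fanning out to many destinations on lateral-movement ports, and a host repeatedly being dropped while trying to cross a segment boundary, which is the firebreak doing its job and telling you about it. The log format (CSV: epoch, src, dst, proto, dport, action), the sample lines, the segment-is-a-/24 assumption and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, Iterable, List, Tuple

# Ports commonly used for administration, and therefore for lateral movement:
# ssh, SMB, RDP, WinRM. Assumed list; tune to your environment.
LATERAL_PORTS = {22, 445, 3389, 5985}

# Constructed sample log. Workstation 10.10.0.7 sweeps SMB across its own
# segment and is then dropped when it tries the backup and database segments.
# The remaining lines are ordinary permitted traffic.
SAMPLE_LOG = """\
1700000000,10.10.0.5,10.20.0.10,tcp,443,accept
1700000001,10.20.0.10,10.30.0.10,tcp,5432,accept
1700000002,10.10.0.7,10.10.0.20,tcp,445,accept
1700000003,10.10.0.7,10.10.0.21,tcp,445,accept
1700000004,10.10.0.7,10.10.0.22,tcp,445,accept
1700000005,10.10.0.7,10.10.0.23,tcp,445,accept
1700000006,10.10.0.7,10.10.0.24,tcp,445,accept
1700000007,10.10.0.7,10.10.0.25,tcp,445,accept
1700000008,10.10.0.7,10.40.0.10,tcp,445,drop
1700000009,10.10.0.7,10.40.0.11,tcp,445,drop
1700000010,10.10.0.7,10.30.0.10,tcp,3389,drop
1700000011,10.10.0.7,10.30.0.11,tcp,3389,drop
1700000012,10.50.0.2,10.20.0.10,tcp,22,accept
1700000013,10.10.0.9,10.20.0.10,tcp,443,accept
"""

def parse(log_text: str) -> Iterable[Dict]:
    """Parse the constructed CSV flow format into dicts."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, action = line.split(",")
        yield {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
               "dport": int(dport), "action": action}

def segment(ip: str):
    """Assumed: every segment is a /24, so the /24 prefix identifies it."""
    return ip_network(f"{ip}/24", strict=False)

def detect(flows: Iterable[Dict], window: int = 300,
           fanout_threshold: int = 5, drop_threshold: int = 3) -> List[Tuple]:
    """Return alerts as tuples. Both accepted and dropped attempts count
    toward fan-out, since an attacker's attempts are the signal."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    alerts: List[Tuple] = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        # Sliding time window: distinct destinations on lateral ports.
        for i, start in enumerate(fl):
            win = [f for f in fl[i:] if f["ts"] - start["ts"] <= window]
            targets = {f["dst"] for f in win if f["dport"] in LATERAL_PORTS}
            if len(targets) >= fanout_threshold:
                alerts.append(("lateral_fanout", src, len(targets)))
                break
        # Repeated drops across a segment boundary from one source.
        drops = [f for f in fl if f["action"] == "drop"
                 and segment(f["src"]) != segment(f["dst"])]
        if len(drops) >= drop_threshold:
            crossed = sorted({str(segment(f["dst"])) for f in drops})
            alerts.append(("cross_segment_drops", src, len(drops), crossed))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Neither detection needs the firewall's rule set: the first works on any east-west flow data (NetFlow, Zeek conn logs, cloud flow logs), and the second only needs the drop verdicts a segmentation firewall already produces. Feeding those drops into the SIEM is the cheapest high-signal detection a segmented network offers.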
Insights from our Weekly Ransomware Report.
Each week we publish our Weekly Ransomware Report (along with other all-hazards reports) through Gate 15’s Resilience and Intelligence Portal (GRIP). Contact us if you are interested in receiving the full report. Highlights from this week include:
- Most Active Threat Actors (victim number): Qilin (5), Cloak (3), and Akira (2).
- Adiantes Co., Ltd., Leather Product Manufacturing, Thailand
- Go********l
- Update: Data Leaked Acetificio Andrea Milano SRL, Food and Beverage Manufacturing, Italy, First seen: 2025-07-16 13:47:54 UTC
Coming Up Next: “Hack Yourself First: Pen-Testing for Prevention.” Why it matters: Simulated attacks help uncover vulnerabilities before real attackers do, allowing organizations to fix flaws proactively. Regular pen-tests help uncover weaknesses in systems, networks, and applications before attackers can take advantage of them. By proactively addressing these security gaps, organizations strengthen their defenses and reduce the likelihood of a successful ransomware breach.
Gate 15 has worked across the Critical Infrastructure environment to develop cybersecurity plans and tabletop exercises for trade associations and owner/operators. We are pleased to offer 10% off ransomware exercises to new clients that are booked before 30 September 2025. Send out an email and mention this blog, and let’s discuss how to boost your organizational resilience together.
Join the GRIP! Stay informed of what’s new in all-hazards homeland security by joining the Gate 15’s Resilience and Intelligence Portal (GRIP). Join the GRIP! and join us in securing America’s people, places, data, and dollars. To join the GRIP, click the link above or here, scroll down and select the “Join the Grip!” button, or email our team at Gate15@Gate15.global.
The GRIP is one year old and to celebrate, we’re running an anniversary sale!!
Join the GRIP in July and use promo code HOTJULY2025 to receive a 20% discount!
Gate 15: Technology-enhanced, human-driven, homeland security risk management.

Understand the Threats.
Assess the Risks.
Take Action.
