MITRE ATT&CK® Mitigation

M1030: Network Segmentation

Network segmentation involves dividing a network into smaller, isolated segments to control and limit the flow of traffic between devices, systems, and applications. By segmenting networks, organizations can reduce the attack surface, restrict lateral movement by adversaries, and protect critical assets from compromise.

Effective network segmentation leverages a combination of physical boundaries, logical separation through VLANs, and access control policies enforced by network appliances like firewalls, routers, and cloud-based configurations. This mitigation can be implemented through the following measures:

Segment Critical Systems:

- Identify and group systems based on their function, sensitivity, and risk. Examples include payment systems, HR databases, production systems, and internet-facing servers.
- Use VLANs, firewalls, or routers to enforce logical separation.

Implement DMZ for Public-Facing Services:

- Host web servers, DNS servers, and email servers in a DMZ to limit their access to internal systems.
- Apply strict firewall rules to filter traffic between the DMZ and internal networks.

Use Cloud-Based Segmentation:

- In cloud environments, use VPCs, subnets, and security groups to isolate applications and enforce traffic rules.
- Apply AWS Transit Gateway or Azure VNet peering for controlled connectivity between cloud segments.

Apply Microsegmentation for Workloads:

- Use software-defined networking (SDN) tools to implement workload-level segmentation and prevent lateral movement.

Restrict Traffic with ACLs and Firewalls:

- Apply Access Control Lists (ACLs) to network devices to enforce "deny by default" policies.
- Use firewalls to restrict both north-south (external-internal) and east-west (internal-internal) traffic.

Monitor and Audit Segmented Networks:

- Regularly review firewall rules, ACLs, and segmentation policies.
- Monitor network flows for anomalies to ensure segmentation is effective.

Test Segmentation Effectiveness:

- Perform periodic penetration tests to verify that unauthorized access is blocked between network segments.

Enterprise · M1030 · Mitigation · Object v1.2 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Network segmentation matters because it limits how far a compromise can spread and how easily sensitive systems can be reached. For leaders, the practical question is not whether segmentation exists on a diagram, but whether critical systems, public-facing services, cloud networks, administrative paths, and workload-to-workload traffic are actually separated and enforced by ACLs, firewalls, VLANs, VPCs, subnets, security groups, or equivalent controls.

Executive priority

Treat this as a resilience and risk-containment control. ATT&CK maps Network Segmentation to behaviors involving lateral movement, discovery, credential access, command and control, exfiltration, initial access, persistence, and impact. Priority should go to crown-jewel systems, internet-facing services, remote access paths, software deployment tools, cloud environments, and administrative protocols such as RDP, DCOM, and WinRM. Executives should ask for evidence that segmentation rules are reviewed, monitored, tested, and aligned to business-critical assets rather than only documented as architecture intent.

Technical view

SOC, IR, cloud, and network teams should validate that segmentation blocks unauthorized traffic between high-risk zones: DMZ to internal systems, user networks to servers, administrative networks to managed endpoints, production to corporate IT, and cloud segment to cloud segment. Relationship context highlights Windows remote management paths, remote services, public-facing applications, cloud and identity-related account activity, network sniffing, service discovery, non-standard protocols, and exfiltration over alternate protocols as areas where segmentation can reduce reachability and visibility gaps. Because ATT&CK provides no detection text for this mitigation, teams should focus on control validation, flow monitoring, rule review, and penetration testing evidence.

Likely telemetry

  • Firewall, router, ACL, and security group allow/deny logs
  • Network flow records between segments, including east-west traffic
  • Cloud VPC, subnet, peering, transit gateway, and security group configuration records
  • DMZ ingress and egress traffic records
  • Remote administration traffic involving RDP, DCOM, WinRM, VPN, and similar remote services where present

Detection direction

  • Do not rely on segmentation diagrams alone; validate enforced policy using flow logs, firewall decisions, cloud network configuration, and periodic test results.
  • Tune monitoring for denied or unusual cross-segment attempts, especially toward critical systems, administrative services, public-facing service tiers, and cloud control paths.
  • Review east-west traffic, not only internet ingress and egress, because several related techniques involve lateral movement, discovery, and internal remote service abuse.
  • Correlate segmentation violations with identity and account events when related behaviors involve valid accounts, account creation, or cloud credential manipulation.
  • Account for false positives from legitimate administration, software deployment tools, monitoring systems, and third-party trusted relationships; document approved paths and alert on deviations.
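The flow review that the "Monitor and Audit" and "Test Segmentation Effectiveness" measures above and the detection direction here both call for, as an added example (not code from MITRE or from Glexia): a deny-by-default zone policy with the approved administrative paths written down, applied to firewall allow/deny records. Documenting the legitimate jump-host RDP/WinRM and web-tier-to-database paths is what keeps routine operations from surfacing as findings, while unapproved cross-segment allows (enforcement gaps), blocked probes toward critical zones, and approved paths that are unexpectedly denied (rule drift) are reported with different severities. The zone CIDRs, approved paths and log lines are all constructed; the key=value log format is generic, not any vendor's syntax.

```python
"""Cross-segment flow review against a deny-by-default segmentation policy.

Added example, not MITRE or Glexia code. Zone CIDRs, approved paths and
log lines are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed zone map (documentation-range and RFC 1918 addresses).
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "user": ipaddress.ip_network("10.10.0.0/16"),
    "server": ipaddress.ip_network("10.20.0.0/16"),
    "admin": ipaddress.ip_network("10.30.0.0/24"),
    "payments": ipaddress.ip_network("10.40.0.0/24"),
}
CRITICAL_ZONES = {"server", "admin", "payments"}

# Deny by default: only these (src_zone, dst_zone, dst_port) paths are approved.
# Recording the legitimate administrative paths (jump host RDP/WinRM, web tier
# to database) keeps routine operations from showing up as violations.
APPROVED_PATHS = {
    ("user", "server", 443),
    ("dmz", "server", 5432),
    ("admin", "server", 3389),
    ("admin", "server", 5985),
    ("admin", "payments", 22),
}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Flow:
    action: str  # "allow" or "deny" as decided by the enforcement point
    src: str
    dst: str
    dst_port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_line(line: str) -> Flow:
    """Parse one key=value firewall record into a Flow."""
    f = dict(KV_RE.findall(line))
    return Flow(f["action"].lower(), f["src"], f["dst"], int(f["dport"]))


def classify(flow: Flow):
    """Return a finding dict for a cross-zone flow, or None if it needs no attention."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-segment traffic is outside this check's scope
    approved = (src_zone, dst_zone, flow.dst_port) in APPROVED_PATHS
    if approved and flow.action == "allow":
        return None  # documented path working as intended
    if approved:
        severity, reason = "info", "approved path is being denied (possible rule drift)"
    elif flow.action == "allow":
        # An unapproved allow means the boundary is not actually enforced.
        severity = "high" if dst_zone in CRITICAL_ZONES else "medium"
        reason = "unapproved cross-segment traffic was allowed"
    else:
        # A denied attempt shows the control worked; it still deserves a look
        # when it is aimed at a critical zone (discovery, lateral movement).
        severity = "medium" if dst_zone in CRITICAL_ZONES else "low"
        reason = "unapproved cross-segment attempt was blocked"
    return {"severity": severity, "src_zone": src_zone, "dst_zone": dst_zone,
            "dst_port": flow.dst_port, "action": flow.action, "reason": reason}


def review(lines):
    """Classify every record and return the findings in input order."""
    findings = []
    for line in lines:
        finding = classify(parse_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings by severity."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample records; in practice these come from firewall, ACL or
# VPC flow logs for traffic that crosses a segment boundary.
SAMPLE_LOGS = [
    "action=ALLOW src=10.10.5.21 dst=10.20.1.10 dport=443 proto=tcp",
    "action=DENY src=10.10.5.21 dst=10.40.0.5 dport=3389 proto=tcp",
    "action=ALLOW src=203.0.113.10 dst=10.20.1.10 dport=5432 proto=tcp",
    "action=ALLOW src=203.0.113.10 dst=10.20.1.15 dport=445 proto=tcp",
    "action=ALLOW src=10.30.0.2 dst=10.20.1.10 dport=5985 proto=tcp",
    "action=DENY src=10.30.0.2 dst=10.20.1.10 dport=3389 proto=tcp",
    "action=ALLOW src=10.10.5.22 dst=10.10.5.23 dport=445 proto=tcp",
    "action=ALLOW src=10.20.1.10 dst=10.10.5.21 dport=8080 proto=tcp",
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOGS):
        print(f"{f['severity']:6} {f['src_zone']}->{f['dst_zone']}:{f['dst_port']} "
              f"{f['action']} - {f['reason']}")
    print(summarize(review(SAMPLE_LOGS)))
```

On the sample records the DMZ-to-server SMB allow is the only high finding, because it is the one case where the boundary is documented but not enforced; the denied user-to-payments RDP attempt is medium (control worked, but the target is a crown-jewel zone), and the denied jump-host RDP is reported as info so that someone checks whether a rule change broke an approved administrative path.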

Mitigation priorities

  • Identify and classify critical systems by function, sensitivity, and risk before designing enforcement boundaries.
  • Place public-facing services in a DMZ and strictly limit their access to internal systems.
  • Enforce least-permitted traffic between segments using VLANs, firewalls, routers, ACLs, and cloud-native segmentation such as VPCs, subnets, security groups, transit connectivity, or peering controls.
  • Apply deny-by-default policies for both north-south and east-west traffic where operationally feasible.
  • Use workload-level or microsegmentation approaches for environments where host, application, or cloud workload movement is a major risk.
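The rule review behind the deny-by-default and cloud-native segmentation priorities above, as an added example (not code from MITRE, Glexia or any cloud provider): a static check of security-group ingress rules for the two ways a cloud boundary usually drifts, administrative ports (RDP, WinRM, SSH) reachable from the internet or from an overly broad internal range, and "all traffic" rules. The group documents follow the JSON shape returned by `aws ec2 describe-security-groups` (IpPermissions with IpRanges, Ipv6Ranges and UserIdGroupPairs), but the two groups, their ids and their CIDRs are constructed to show a weak rule set beside its corrected form; the port list and the /24 "broad source" threshold are assumptions to be tuned locally.

```python
"""Static review of cloud security-group ingress rules for deny-by-default drift.

Added example, not MITRE, Glexia or AWS code. Group ids and CIDRs are
constructed placeholders; the document shape mirrors describe-security-groups.
"""
import ipaddress
from dataclasses import dataclass

# Administrative services that should never be reachable from the internet and
# should only be reachable from a narrow administrative source (assumed list).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}


@dataclass(frozen=True)
class Finding:
    group_id: str
    severity: str
    detail: str


def _is_broad(net) -> bool:
    """A source wider than a /24 (IPv4) or /64 (IPv6) is treated as broad (assumed threshold)."""
    return net.prefixlen < (24 if net.version == 4 else 64)


def review_group(group: dict) -> list:
    """Return findings for ingress rules that undermine a deny-by-default boundary."""
    gid = group["GroupId"]
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        # UserIdGroupPairs (rules that reference another security group) are a
        # scoped source, so this check does not flag them.
        for cidr in sources:
            net = ipaddress.ip_network(cidr, strict=False)
            world = net.prefixlen == 0
            if perm.get("IpProtocol") == "-1":
                findings.append(Finding(gid, "high" if world else "medium",
                                        f"all protocols and ports allowed from {cidr}"))
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed = [f"{name}/{port}" for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
            if not exposed:
                continue
            if world:
                findings.append(Finding(gid, "high", f"{', '.join(exposed)} reachable from {cidr}"))
            elif _is_broad(net):
                findings.append(Finding(gid, "medium",
                                        f"{', '.join(exposed)} reachable from broad source {cidr}"))
    return findings


def review_all(groups) -> dict:
    """Map each group id to its findings."""
    return {g["GroupId"]: review_group(g) for g in groups}


# Constructed weak group: RDP and SSH open to the world, an any/any rule and
# WinRM from the whole corporate /8.
WEAK_GROUP = {
    "GroupId": "sg-weak-placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 5985, "ToPort": 5986, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed corrected group: only the public service is world-reachable; RDP
# comes from the admin /24 and WinRM only from a referenced bastion group.
HARDENED_GROUP = {
    "GroupId": "sg-hardened-placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.30.0.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 5985, "ToPort": 5986,
         "UserIdGroupPairs": [{"GroupId": "sg-bastion-placeholder"}]},
    ],
}

if __name__ == "__main__":
    for gid, findings in review_all([WEAK_GROUP, HARDENED_GROUP]).items():
        print(gid, "OK" if not findings else "")
        for f in findings:
            print(f"  {f.severity:6} {f.detail}")
```

The same shape of check applies to Azure NSG rules or on-premises ACL exports once their rule records are normalised to source, protocol and port range; the point is that the review is repeatable and produces evidence, which is what the "regularly review firewall rules" measure asks for.
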

Analyst notes and limits

This mitigation has broad decision value because it is mapped to many ATT&CK techniques across lateral movement, discovery, credential access, exfiltration, command and control, initial access, persistence, privilege escalation, and impact. The strongest use of this object for Glexia customers is as an assurance question: can the organization prove that critical paths are restricted, monitored, audited, and tested?

ATT&CK does not specify platforms or tactics for the mitigation itself and provides no official detection guidance. The related techniques indicate where segmentation may help, but local asset criticality, network architecture, cloud design, identity model, and operational exceptions are required to determine actual coverage and priority.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

37 rows (columns: Domain, ID, Name, Relationship / procedure)
Enterprise T1565.003 Runtime Data Manipulation (Sub-technique)

Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering.

Enterprise T1613 Container and Resource Discovery

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

Enterprise T1098 Account Manipulation

Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.

Enterprise T1136 Create Account

Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.

Enterprise T1021.001 Remote Desktop Protocol (Sub-technique)

Do not leave RDP accessible from the internet. Enable firewall rules to block RDP traffic between network security zones within a network.

Enterprise T1190 Exploit Public-Facing Application

Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.

Enterprise T1602.002 Network Device Configuration Dump (Sub-technique)

Segregate SNMP traffic on a separate management network. [Citation: US-CERT TA17-156A SNMP Abuse 2017]

Enterprise T1136.003 Cloud Account (Sub-technique)

Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.

Enterprise T1563.002 RDP Hijacking (Sub-technique)

Enable firewall rules to block RDP traffic between network security zones within a network.

Enterprise T1489 Service Stop

Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.

Enterprise T1210 Exploitation of Remote Services

Segment networks and systems appropriately to reduce access to critical systems and services to controlled methods.

Enterprise T1048 Exfiltration Over Alternative Protocol

Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. [Citation: TechNet Firewall Design]

Enterprise T1612 Build Image on Host

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

Enterprise T1482 Domain Trust Discovery

Employ network segmentation for sensitive domains. [Citation: Harmj0y Domain Trusts]

Enterprise T1098.001 Additional Cloud Credentials (Sub-technique)

Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.

Enterprise T1610 Deploy Container

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

Enterprise T1046 Network Service Discovery

Ensure proper network segmentation is followed to protect critical servers and devices.

Enterprise T1563 Remote Service Session Hijacking

Enable firewall rules to block unnecessary traffic between network security zones within a network.

Enterprise T1571 Non-Standard Port

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment.

Enterprise T1133 External Remote Services

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

Enterprise T1072 Software Deployment Tools

Ensure proper system isolation for critical network systems through use of firewalls.

Enterprise T1669 Wi-Fi Networks

Network segmentation can be used to isolate infrastructure components that do not require broad network access. Separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources.

Enterprise T1021.003 Distributed Component Object Model (Sub-technique)

Enable Windows firewall, which prevents DCOM instantiation by default.

Enterprise T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (Sub-technique)

Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. [Citation: TechNet Firewall Design]

Enterprise T1557 Adversary-in-the-Middle

Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity.

Enterprise T1552.007 Container API (Sub-technique)

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

Enterprise T1602 Data from Configuration Repository

Segregate SNMP traffic on a separate management network. [Citation: US-CERT TA17-156A SNMP Abuse 2017]

Enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (Sub-technique)

Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. [Citation: TechNet Firewall Design]

Enterprise T1095 Non-Application Layer Protocol

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.

Enterprise T1565 Data Manipulation

Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering.

Enterprise T1602.001 SNMP (MIB Dump) (Sub-technique)

Segregate SNMP traffic on a separate management network. [Citation: US-CERT TA17-156A SNMP Abuse 2017]

Enterprise T1557.001 Name Resolution Poisoning and SMB Relay (Sub-technique)

Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity.

Enterprise T1021.006 Windows Remote Management (Sub-technique)

If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices. [Citation: NSA Spotting]

Enterprise T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol (Sub-technique)

Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. [Citation: TechNet Firewall Design]

Enterprise T1136.002 Domain Account (Sub-technique)

Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.

Enterprise T1040 Network Sniffing

Deny direct access of broadcasts and multicast sniffing, and prevent attacks such as Name Resolution Poisoning and SMB Relay.

Enterprise T1199 Trusted Relationship

Network segmentation can be used to isolate infrastructure components that do not require broad network access.

Relationship explorer

All related ATT&CK context

  • mitigates · Technique T1565.003: Runtime Data Manipulation (Enterprise)
  • mitigates · Technique T1613: Container and Resource Discovery (Enterprise)
  • mitigates · Technique T1098: Account Manipulation (Enterprise)
  • mitigates · Technique T1136: Create Account (Enterprise)
  • mitigates · Technique T1021.001: Remote Desktop Protocol (Enterprise)
  • mitigates · Technique T1190: Exploit Public-Facing Application (Enterprise)
  • mitigates · Technique T1602.002: Network Device Configuration Dump (Enterprise)
  • mitigates · Technique T1136.003: Cloud Account (Enterprise)
  • mitigates · Technique T1563.002: RDP Hijacking (Enterprise)
  • mitigates · Technique T1489: Service Stop (Enterprise)
  • mitigates · Technique T1210: Exploitation of Remote Services (Enterprise)
  • mitigates · Technique T1048: Exfiltration Over Alternative Protocol (Enterprise)
  • mitigates · Technique T1612: Build Image on Host (Enterprise)
  • mitigates · Technique T1482: Domain Trust Discovery (Enterprise)
  • mitigates · Technique T1098.001: Additional Cloud Credentials (Enterprise)
  • mitigates · Technique T1610: Deploy Container (Enterprise)
  • mitigates · Technique T1046: Network Service Discovery (Enterprise)
  • mitigates · Technique T1563: Remote Service Session Hijacking (Enterprise)
  • mitigates · Technique T1571: Non-Standard Port (Enterprise)
  • mitigates · Technique T1133: External Remote Services (Enterprise)
  • mitigates · Technique T1072: Software Deployment Tools (Enterprise)
  • mitigates · Technique T1669: Wi-Fi Networks (Enterprise)
  • mitigates · Technique T1021.003: Distributed Component Object Model (Enterprise)
  • mitigates · Technique T1048.002: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (Enterprise)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: de4f21b785ab26e2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | de4f21b785ab…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack M1030 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.