The Front Door Is Monitored, but Not the Hallways: When Network Visibility Ends at the Perimeter
This article is part of a series unpacking the NSA and CISA’s Top Ten Cybersecurity Misconfigurations through the lens of real-world breaches and assessment findings.
This entry covers Misconfiguration 3: Insufficient Internal Network Monitoring, with a focus on how the absence of segmentation and well-placed monitoring allows attackers to blend in with legitimate traffic. It examines how campaigns like Salt Typhoon and APT40 exploited flat architectures, unmonitored East–West flows, and poorly tuned detection systems to persist for months without raising an alert.
TL;DR
Many networks are still built as if the firewall is the final line of defence. Once traffic crosses the perimeter, it can often move without encountering another inspection point. Network and host level segmentation creates choke points that restrict attacker movement and make abnormal flows stand out. When combined with full internal intrusion detection and prevention systems (IDPS), these choke points become high-value visibility points, catching activity that would otherwise blend into background noise. If that level of segmentation is not feasible due to budget, operational disruption, or internal politics, then the answer is not to do nothing. Monitoring must still be placed where it can detect lateral movement and suspicious flows. This monitoring is not a replacement for segmentation, but without it, defenders are blind to the kinds of tactics and attack patterns seen in the campaigns that follow.
The 2024 “Salt Typhoon” espionage campaign proved how dangerous this is. According to a Department of Homeland Security intelligence report, Chinese-linked operators infiltrated a U.S. state’s Army National Guard network between March and December 2024, collecting network configuration files, administrator credentials, and diagrams of interconnected state and territorial networks, moving freely for months without detection (DHS, 2025).
Aotearoa New Zealand has seen similar patterns. In 2021, the NCSC supported the response to a compromise of the Parliamentary Counsel Office and Parliamentary Service by PRC-linked APT40. The actors used compromised small office or home office devices, many unpatched or end of life, to route malicious activity through normal-looking network flows. By blending in with legitimate traffic, they avoided scrutiny, exploited newly disclosed vulnerabilities within hours or days, and persisted across poorly segmented and monitored networks (NCSC, 2024).
When Malicious Traffic Looks Normal
Attackers do not always need advanced stealth to avoid detection. In many breaches, they succeed simply because their activity looks legitimate. Campaigns like Salt Typhoon and APT40 show how flat networks, minimal East–West inspection, and poorly tuned monitoring make it easy to hide in plain sight.
In the Salt Typhoon case, a U.S. state’s Army National Guard network was quietly traversed for months while adversaries collected administrator credentials, network diagrams, and configuration files. In the APT40 compromise here in Aotearoa New Zealand, malicious traffic was routed through compromised small office/home office devices, blending seamlessly with legitimate flows to exploit high-value systems like Microsoft Exchange and Atlassian Confluence within hours of vulnerability disclosure.
Attack Flow When Internal Visibility Is Weak

- Initial foothold via trusted but unmanaged path
  What happens: A compromised small office or home office device, partner link, or remote gateway is used to enter through a path that appears normal. Traffic originates from an IP that blends with expected business flows.
  Visibility gap: Perimeter sees it as allowed; looks like business traffic.
  Mitigation: With internal sensors absent, there is no early tripwire inside the network. Segmentation at ingress zones would force this through inspection points.

- Discovery and authentication reuse
  What happens: The adversary enumerates assets and reuses valid credentials or tokens obtained externally. Connections are authenticated and target common services like file shares, identity, and management planes.
  Visibility gap: No East–West monitoring; EDR may be silent on network paths; SIEM ingest limited by EPS.
  Mitigation: Deploy NDR at core junctions, enable authentication anomaly alerts, and maintain admin path allowlists to detect and contain credential misuse.

- Lateral movement across a flat network
  What happens: The attacker moves between servers and users with standard protocols like SMB, RDP, WinRM, and HTTPS. From the outside, these are ordinary connections between trusted hosts.
  Visibility gap: Lack of segmentation; few internal firewalls; no enforced choke points.
  Mitigation: Implement network and host-level segmentation to constrain attacker movement and create inspection points for IDPS and packet capture.

- Privilege escalation and service abuse
  What happens: The attacker targets weak service accounts, unmanaged SPNs, or misconfigured templates to elevate access. Activity resembles routine admin work and scheduled tasks.
  Visibility gap: Admin behaviour looks normal; gaps in privileged monitoring.
  Mitigation: Configure change alerts on high-value groups, enforce PAM jump paths, and monitor templates and SPNs for suspicious activity.

- Data staging on internal shares
  What happens: Sensitive files are collected from shares and application stores. Copy operations and compressions appear as legitimate user or service activity.
  Visibility gap: Insufficient share ACLs; no file access baselines.
  Mitigation: Apply microsegmentation and stricter ACLs to reduce accessible data sets and make unusual access patterns stand out.

- Low-signal exfiltration disguised as normal
  What happens: Data leaves via protocols that look legitimate. Examples include DNS-like queries carrying Base64 chunks, HTTPS posts to lookalike domains, or traffic proxied through compromised devices.
  Visibility gap: No deep inspection on egress; DNS telemetry not analysed.
  Mitigation: Enable DNS logging with payload analysis, enforce egress allowlists, and deploy DLP at inspected choke points.

- Persistence and clean-up
  What happens: Startup scripts, scheduled tasks, device configs, and trust relationships are altered to regain entry. Changes are subtle and often unlogged, especially on appliances with limited telemetry.
  Visibility gap: Config drift unnoticed; appliance logs incomplete.
  Mitigation: Deploy full internal IDPS, implement configuration integrity checks, and extend SIEM log retention to catch persistence attempts.

- Why it stayed invisible
  What happened: There were few internal firewalls, no host or network segmentation, limited NDR or taps, and SIEM ingestion was constrained by events per second. Activity rode on approved paths and looked like ordinary work.
  Visibility gap: Perimeter-only monitoring; no East–West baselines; authenticated traffic trusted.
  Mitigation: Build choke points with segmentation, deploy full internal IDPS and NDR at those points, and tune SIEM for East–West telemetry rather than just the edge.
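The discovery and lateral-movement rows above only become detectable once zones and admin paths are defined and East–West session records are actually examined. As an added example (not code from the article or any vendor), this Python script applies an admin-path allowlist and a discovery fan-out check to NetFlow-style flow tuples; the zone map, port list, threshold and sample flows are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed segmentation map (assumption): subnet -> zone name.
ZONES = {
    ip_network("10.10.0.0/24"): "user-lan",
    ip_network("10.20.0.0/24"): "servers",
    ip_network("10.99.0.0/28"): "admin-jump",
}
# Management protocols whose server-bound flows should only come from the jump zone.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}
FANOUT_THRESHOLD = 5  # distinct destinations on one admin port from one source

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def analyse(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns a list of finding strings."""
    findings, fanout = [], defaultdict(set)
    for src, dst, port in flows:
        if port not in ADMIN_PORTS:
            continue  # only management protocols are baselined here
        proto, src_zone, dst_zone = ADMIN_PORTS[port], zone_of(src), zone_of(dst)
        fanout[(src, port)].add(dst)
        if dst_zone == "servers" and src_zone != "admin-jump":
            findings.append(f"{proto} {src} ({src_zone}) -> {dst}: admin path not on allowlist")
        elif src_zone == dst_zone == "user-lan":
            findings.append(f"{proto} {src} -> {dst}: peer-to-peer admin traffic in user segment")
    for (src, port), dsts in fanout.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            findings.append(f"{ADMIN_PORTS[port]} fan-out from {src} to {len(dsts)} hosts: discovery pattern")
    return findings

# Constructed sample flows: legitimate jump-host admin, then a user workstation
# RDP-ing to a peer and sweeping SMB across the server segment.
SAMPLE_FLOWS = [("10.99.0.5", "10.20.0.10", 3389), ("10.99.0.5", "10.20.0.11", 5985),
                ("10.10.0.42", "10.10.0.77", 3389)]
SAMPLE_FLOWS += [("10.10.0.42", f"10.20.0.{i}", 445) for i in range(10, 16)]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_FLOWS):
        print(finding)
```

Without the zone map, every one of the sample flows is an authenticated connection between trusted hosts; with it, the same records yield eight findings, which is the point the table makes about segmentation creating signal.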
The Five Pillars of a Mature Network Defence
Strong internal visibility comes from multiple layers working together. Each pillar addresses a different aspect of the problem, and the more of them you implement, the harder it is for attackers to hide or move freely. At the same time, most teams are balancing budgets, time, and internal politics. It is rarely feasible to roll out everything at once, so start with the highest-leverage controls for your environment, build in increments, and be clear about trade-offs so monitoring still catches what matters while you work towards the rest.
1. Network Segmentation
Separates environments, business units, or trust zones using VLANs, routing rules, and internal firewalls. Effective segmentation is not limited to the perimeter or DMZ; it should extend inside the network to control East–West traffic as well. This forces flows through monitored choke points where inspection tools can operate effectively, and makes encrypted traffic inspection more practical by concentrating it at a few high-value junctions.
2. Microsegmentation
Adds fine-grained policy at the workload or application level, often enforced by host-based firewalls or software-defined networking, and restricts communication to only what is explicitly needed. Even if you cannot deploy commercial platforms such as Illumio, Guardicore, or Cisco Tetration, you can start by applying host-based firewall rules to critical infrastructure. When combined with network segmentation, this significantly reduces the paths an attacker can take and improves the accuracy of monitoring.
3. Intrusion Detection and Prevention Systems (IDPS) and Network Detection and Response (NDR)
IDPS actively monitors for malicious patterns and policy violations, blocking or alerting on suspicious traffic. NDR provides behavioural monitoring of East–West traffic, detecting suspicious connections, data transfers, and covert channels such as DNS tunnelling. Where legally and operationally possible, intercepting SSL/TLS traffic at these inspection points can reveal threats that would otherwise be hidden inside encrypted sessions. Both are most effective when positioned at segmentation points where malicious flows are easier to identify.
4. Traffic Access and Retention
Ensure network taps, span ports, and log storage are in place so NDR, IDPS, and SIEM have sustained access to meaningful network data such as DNS query and response logs, DHCP logs, SSL/TLS handshake metadata, HTTP header logs, and NetFlow or IPFIX session records. Full packet capture can be valuable for targeted investigations but is rarely practical for sustained monitoring. Without complete feeds or adequate retention, long term or slow burn intrusions such as data exfiltration hidden in DNS tunnelling or beaconing over HTTPS can go unnoticed.
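Pillars 3 and 4 name DNS tunnelling as a covert channel and DNS query logs as the feed that exposes it. As an added example, not code from the article, this Python script applies two simple tunnelling heuristics (long Base64- or hex-like first labels, and many unique subdomains under one parent) to a constructed DNS query log; the log format, thresholds and domain names are assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Heuristic thresholds (assumptions; tune against your own DNS baseline).
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{30,}$")  # long, Base64/hex-like label
MIN_UNIQUE_SUBDOMAINS = 20   # a tunnel needs many distinct names to carry data
MIN_ENCODED_RATIO = 0.5      # fraction of queries whose first label looks encoded

def parent_domain(qname: str) -> str:
    # Naive two-label parent; production code should use the public suffix list.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def parse_line(line: str):
    """Constructed log format: '<ts> <client_ip> <qtype> <qname>'."""
    _ts, client, qtype, qname = line.split()
    return client, qtype, qname.rstrip(".").lower()

def find_tunnel_candidates(lines):
    """Return {parent: (queries, unique_subdomains, encoded_count)} for suspicious parents."""
    stats = defaultdict(lambda: [0, set(), 0])
    for line in lines:
        _client, _qtype, qname = parse_line(line)
        parent = parent_domain(qname)
        sub = qname[: -len(parent)].rstrip(".")  # everything left of the parent
        rec = stats[parent]
        rec[0] += 1
        rec[1].add(sub)
        if sub and ENCODED_LABEL.match(sub.split(".")[0]):
            rec[2] += 1
    return {p: (q, len(u), e) for p, (q, u, e) in stats.items()
            if len(u) >= MIN_UNIQUE_SUBDOMAINS and e / q >= MIN_ENCODED_RATIO}

def _enc(i: int) -> str:
    # Deterministic stand-in for the encoded data chunk a tunnelling tool would emit.
    return hashlib.sha256(str(i).encode()).hexdigest()[:40]

# Constructed sample log: a handful of ordinary lookups, then 25 chunk-carrying
# TXT queries from one workstation under a single parent domain.
SAMPLE_LOG = [f"2024-06-01T09:00:{i:02d} 10.10.0.42 A {h}.example.com"
              for i, h in enumerate(["www", "mail", "www", "intranet", "www"])]
SAMPLE_LOG += [f"2024-06-01T09:01:{i:02d} 10.10.0.42 TXT {_enc(i)}.updates.example.net"
               for i in range(25)]

if __name__ == "__main__":
    for parent, (q, u, e) in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{parent}: {q} queries, {u} unique subdomains, {e} encoded-looking")
```

The ordinary lookups share three names under example.com and never trip the check, while the tunnel's parent accumulates 25 distinct encoded subdomains; per-client volume and query-type mix are the obvious next signals to add once the feed in pillar 4 is in place.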
5. Security Information and Event Management (SIEM) with Baseline and Anomaly Detection
Aggregates and correlates data from IDPS, NDR, firewalls, VPN gateways, identity systems, and cloud services into a single view. Without segmentation it can still operate, but it will be buried in background noise. With segmentation, the signal is cleaner and anomalies stand out faster. A mature SIEM practice establishes and tunes behavioural baselines for normal traffic patterns, authentication behaviour, and service usage. This way, deviations such as unusual login times, protocol use in unexpected segments, or a sudden spike in data leaving a trusted service become visible even when wrapped in trusted protocols or otherwise routine looking traffic.
Final Takeaway
Internal network visibility is not just a technical luxury. It is what turns a breach from a months-long covert operation into a short-lived incident. Campaigns like Salt Typhoon and APT40 show that once attackers are inside, they count on our lack of segmentation, sparse inspection points, and shallow baselines to move quietly.
Most teams face budget constraints, competing priorities, and operational realities that make it hard to deploy every control at once. Start where you can, build gradually, and focus on the areas that give you the clearest line of sight. The goal is to steadily reduce the space attackers can hide in and make the rest of it brightly lit.