industry unlocked
the operating environment, using their captured machine to perform scans of networks and file stores to identify useful resources and information.
As attackers learn more and gain enhanced privileges, they will move laterally through the network towards their targets. The most common sign of lateral movement in healthcare that we detected was brute-force attacks against Kerberos authentication services and SMB file share accounts, which aim to grant the attacker more privileges in the network and access to higher-value systems and assets.
These moves are remotely orchestrated by the attacker using stealthy Command and Control (C&C) signalling. However, the C&C behaviours that indicate these malicious actions can look very similar to ordinary network activity, making attacker activity hard to detect. Detecting the use of a remote access tool, for example, could be a sign of a criminal using C&C communications, but could also be perfectly legitimate activity. Common legitimate reasons for this behaviour in healthcare include communication with independent labs, imaging centres and other service providers such as IT support. Among the most widespread types of C&C behaviour we detected in the healthcare sector was the use of hidden HTTPS tunnels to conceal C&C communications.
Completing the data heist
With patient records representing a reliable and lucrative payday for a cybercriminal, data exfiltration is usually the main priority for an intruder in the network. We most commonly see this carried out through hidden DNS tunnels, which allow the intruder to covertly extract data over time, hidden inside the legitimate everyday traffic used to resolve domain names.
Alternatively, attackers may opt for the more overt 'smash and grab' approach and extract a large quantity of data in a short period of time. This results in an obvious spike in traffic to an external destination, making it easier to detect. However, there are once again legitimate reasons for similar data spikes, such as an IP CCTV system uploading recordings to a cloud host.
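As an added illustration (not code from this article or its authors), here is one way a defender could surface the hidden DNS tunnelling described above from a DNS query log: the heuristic looks for one client sending many long, high-entropy subdomain labels under a single parent domain within a short window. The sample log is constructed, and the two-label parent-domain split, the thresholds and the allowlist of known service-provider domains are assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample DNS query log (not real traffic): (seconds, client_ip, queried_name).
# 10.1.4.20 behaves normally; 10.1.4.33 sends many long, high-entropy labels to one parent.
SAMPLE_DNS_LOG = [(t, "10.1.4.20", name) for t, name in enumerate(
    ["www.example-hospital.org", "mail.example-hospital.org", "pacs.example-hospital.org"] * 5)]
SAMPLE_DNS_LOG += [(t, "10.1.4.33", hashlib.sha256(b"chunk%d" % t).hexdigest()[:40]
                    + ".x.example-tunnel.test") for t in range(25)]


def shannon_entropy(s):
    """Bits per character of s; encoded or encrypted data scores close to log2(16) for hex."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(name):
    """Return (attacker-controllable subdomain part, parent domain = last two labels).
    Assumption: two-label parents; a public-suffix list would be used in practice."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def dns_tunnel_suspects(log, window_s=60, min_queries=20, min_len=30, min_entropy=3.0,
                        allowlist=()):
    """Flag (client, parent_domain) pairs whose subdomain labels within one window look like
    an encoded channel: many queries, long subdomains, high entropy. allowlist holds parent
    domains of known service providers (labs, imaging, IT support) that legitimately do this."""
    buckets = defaultdict(list)  # (window, client, parent) -> [subdomain, ...]
    for ts, client, name in log:
        sub, parent = split_name(name)
        if parent in allowlist:
            continue
        buckets[(ts // window_s, client, parent)].append(sub)
    suspects = []
    for (_, client, parent), subs in buckets.items():
        mean_len = sum(map(len, subs)) / len(subs)
        mean_ent = sum(map(shannon_entropy, subs)) / len(subs)
        if len(subs) >= min_queries and mean_len >= min_len and mean_ent >= min_entropy:
            suspects.append((client, parent, len(subs), round(mean_len, 1), round(mean_ent, 2)))
    return suspects


if __name__ == "__main__":
    for suspect in dns_tunnel_suspects(SAMPLE_DNS_LOG):
        print("possible DNS tunnel:", suspect)
```

On the constructed log only 10.1.4.33 is flagged; raising the thresholds or adding a parent domain to the allowlist is how the legitimate look-alike traffic the article describes would be tuned out.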
More connectivity, more risk
Medical IoT-enabled devices with weak security controls can present attackers with many opportunities to find a way in and jump across subsystems.
Connected devices also often provide ideal cover for malicious activity. Many healthcare devices perform actions such as automatically logging into the network and will continuously attempt to log in if they fail to connect. This generates a lot of noise that can conceal the intruder's activity.
No organisation is totally attack-proof, and those in healthcare face more challenges than most as they deal with tight budgets, legacy technology and difficulty in managing downtime.
Once an intruder has successfully infiltrated the network, detecting them effectively relies on contextual understanding. Most of the behaviours that indicate an attacker at work can just as easily be the result of perfectly legitimate behaviour.
Prescribing visibility and automation
Understanding the most common attack paths and achieving visibility into the traffic and behaviours used to identify them is crucial if healthcare security teams are to prevent intruders from running amok in their systems.
Solutions powered by AI have become increasingly powerful tools in providing this capability, thanks to their ability to automate much of the analytical and detection activity and produce results at a speed and scope much greater than the best human analyst could.
These AI capabilities, however, are optimised for their individual tasks and so augment human security teams by doing the heavy lifting, freeing teams to perform high-value security tasks. This results in improved threat awareness and incident response agility for the healthcare organisation. Speed is of the essence when a threat actor is loose in the network, and the ability to identify suspicious activity quickly can prevent an intrusion from becoming a breach impacting millions of customers or essential clinical services. With so many attackers holding medical data in their sights, any edge healthcare organisations can achieve will make a difference.
Issue 21 | www.intelligentciso.com