Hospitals Need Proactive Targeted Threat Hunting

Here's how a proactive approach to targeted threat hunting can better prepare hospitals against cyberattacks

By: Cliff Kittle
Threat actors are likely hiding in your network. They lurk in the background of your infrastructure accessing domain admin credentials, which enables them to remain undetected while gathering the intelligence necessary to steal your files and your money. An April 2016 SANS survey found that 86 percent of organizations are involved in hunting for these undetected threats, and 52 percent of respondents said threat hunting found previously undetected threats on their enterprise. Hospitals, in particular, are vulnerable because generally their networks aren’t well protected and their data is valuable. A 2016 Ponemon Institute study “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data” found that 50 percent of surveyed healthcare organizations, or, “covered entities” (covered entities as defined by HIPAA) had been breached in the past two years, and 45 percent had more than five data breaches in the same period.
A Hacker’s Mode of Operating
The underground hacker community is a marketplace of independent buyers and sellers. Hackers sell data to interested buyers in the underground online marketplace. In June, ZDNet published an article about a hacker claiming to have obtained more than ten million health records and selling the data to the highest bidder on the dark web. The largest batch of data, which the seller claimed contained a little over 9.2 million health insurance records from U.S. patients, was for sale for 750 bitcoins, approximately $486,000. Like drug lords, cyber gangs can cut the product into smaller bits and sell that data in smaller increments at a higher price. Those dealers buy the cut data, make health insurance cards and sell them in smaller increments to people who will use them to get surgeries and/or obtain drugs they then can sell on the streets. The rightful health insurance cardholder might not notice fraudulent charges for a month or more.
Threat actors can also deny an organization access to its critical data and can demand a ransom for it. Healthcare IT News reported that as many as 75 percent of U.S. hospitals responding to a poll this past April could have been hit with ransomware in the last year and not even know it. That’s possible as attackers can stay hidden in networks, unleashing ransomware that doesn’t show up until someone tries to open a file. One organization contacted us after being infected with ransomware numerous times. Our incident response team discovered that the ransomware inside the network was designed so that once the attacker got money for releasing the encryption key to access the encrypted files, he could encrypt other files and demand another ransom.
Out, Spot, Out
The sooner you become aware of a threat in your network, the better the opportunity to limit the depth of the compromise. The SecureWorks Incident Response team has found the time from intrusion to detection averages 314 days. During that time threat actors use tools native to your environment to traverse the network, making it difficult for IT professionals to distinguish adversary activity from that of legitimate users. Traditional signature-based detection devices will not detect this activity. Behavior detection devices alone might alert you, but most often can't determine whether the activity is just something strange and new to your environment or whether it's a true threat. You can't always block attackers, but you can break the kill chain so they're not successful. Human behavior analysis is critical to detecting and responding quickly to this type of threat. That is accomplished by performing regular proactive threat hunting to identify indicators of an attack.
As well as having access to a database that includes intelligence on current threat activity and threat activity patterns, hunters must know the locations to search in an infrastructure, the indicators of the various types of attacks and the tools an attacker might use. This skill set is most often found in professional security organizations. SecureWorks has never conducted a Targeted Threat Hunting engagement without discovering either an intrusion, malware or security vulnerabilities. If you want to know whether your organization is one of the 50 percent that may currently be compromised, you’ve got to hunt.