Guest Column | November 3, 2016

A New Approach To Threat Detection Helps Get Ahead Of Cyberattackers

Tushar Kothari, Chief Executive Officer, Attivo Networks

Cyberattacks in the healthcare industry represent an enormous social, governmental and operational challenge, with potential financial, privacy and reputational costs that can be massive. The consequences and costs can be extensive and can impact patients, healthcare providers, device manufacturers, pharmaceutical companies, insurance providers and government entities.


Cybertheft of PHI (protected health information) is on the rise. The Ponemon Institute reports in its Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data that nearly 90 percent of all healthcare organizations have suffered at least one data breach in the last two years.

In addition to the increasing sophistication of cyberattackers, many healthcare organizations lag behind retail and financial organizations when it comes to creating hardened, multilayered security defenses. The cybersecurity challenges facing the healthcare industry are significant and growing in both number and complexity. However, a new generation of solutions can contribute significantly to discovering, analyzing, and mitigating these threats.

With the amount of stored healthcare data increasing, it is critical that healthcare facilities have superior security solutions in place. Even one lost file can be a major problem; in June 2016 alone, more than 11 million patient records were stolen. Today’s cyberattackers know that access to healthcare files often yields much more information than breaching financial data, making healthcare facilities and organizations the target of choice.

The healthcare industry’s vulnerability to cyberattack is only likely to get worse with initiatives around connected health, and as an increasing number of medical devices are connected to the internet and become part of the Internet of Things (IoT). PWC estimates the market for internet-enabled products will total $285 billion by 2020. While IoT architecture increases efficiencies and empowers information sharing, it also creates many new points of vulnerability. An increase in connected devices, combined with more sophisticated threats such as ransomware, calls for a new approach to protecting healthcare networks.

A prevention-only defense is no longer enough to keep data and patients safe. Adaptive defense is a new approach that assumes an organization’s endpoints and perimeter have or will be breached at some point by attackers. It is designed to stop attackers in their tracks by adding real-time detection of threats that have bypassed prevention security systems to an organization’s security posture. In addition to a balance of prevention and detection, an adaptive defense provides analysis and forensics that can accelerate incident response, neutralize the attack and provide protection against future cyberattacks.

Going On The Offensive

Healthcare organizations must shift from a defensive to an offensive strategy to gain the upper hand against cyberattacks. More and more organizations are turning to deception technology to defeat attacks inside the network before they can cause damage. An effective deception and decoy solution must address all threat vectors and enable organizations to accomplish two goals.

The first goal is to quickly identify and stop attacks during all phases of an attack, which includes multiple components. The solution must be attractive and lure attackers into revealing themselves as soon as they begin reconnaissance or begin to move laterally across the network. It should reduce attack detection time to real-time by accurately identifying infected systems, including sleeper and time-triggered agents, thus enabling full analysis of an attack before it causes damage. Stopping attacks through real-time notification of a healthcare organization’s theft prevention infrastructure is another component. It should generate only substantiated, actionable alerts and not false positives or noisy alerts, which can significantly distract IT and security teams. Finally, it should utilize the most authentic decoys, based on real operating systems and customizable to match the production environment. These attractive targets misdirect the attacker, providing a highly efficient trap for zero-day attacks and higher detection accuracy, since detection does not depend on knowing an attacker signature or attempting to identify one through a database lookup.

Accessing forensic data and building a defense against future attacks is the second goal the deception and decoy approach must achieve. This includes capturing actionable information by identifying infected systems and analyzing information on the time, type and anatomy of an attack. Look for a threat intelligence dashboard and Indicators of Compromise (IOC) reports that provide detailed attack information to prevention systems through UI, PCAP files, Syslog, IOC and CSV report formats.

When researching potential deception solutions, it is important that they offer the following critical capabilities:

  • Real-time threat detection — Effectively lure attacks away from devices that store high-value corporate assets.
  • Authenticity — Run real operating systems with full network services, protocols and data elements, and upload “golden images” of server and endpoint systems to ensure effective deception of cyberattackers.
  • Coverage — Provide threat detection for user networks, data centers and the cloud, such as VMware, OpenStack, Amazon Web Services, and Azure. Ideally, upstream and downstream business needs are covered and the same solution can be used for early detection of ICS-SCADA and IoT devices, eliminating the need for additional tools or training as coverage is deployed in more environments.
  • Speed of discovery and alerts — Generate only positive alerts based on real-time engagement with attackers and automatically update prevention systems to shut down attacks promptly.
  • Deployment flexibility and security — Should deploy easily and should not need to be in-line, eliminating the need for network or process redesign, or for the additional computation systems required by big data analytics or signature or database lookup. The solution should be deployable either as an appliance or on a VM. And data should never leave the organization’s premises for external analysis or reporting.
  • Scalability — Be able to scale to hundreds of subnets, be effective in networks, data centers, and private and public clouds, and provide centralized management for global deployments. East-west data center traffic threat detection is achievable with non-inline detection solutions.
  • Interoperability and visibility — Include seamless interoperability with devices required to defeat breaches and prevent future attacks, as well as provide network VLAN visibility and analytics. The ability to predict an attacker’s path to critical assets will also help with early visibility to vulnerabilities and prevention of attack infiltration.
  • Forensics and threat intelligence — Provide the containment environment to explode out exploits or phishing emails for post-compromise malware analysis, and be able to track back to command and control to analyze a hacker’s methodologies and intent. The solution should include a threat intelligence dashboard and IOC reports in multiple formats to simplify attack information sharing, executive reporting and, if required, reporting or cooperation with an FBI investigation.

Addressing The Emerging Ransomware Threat

It is easy for IT and security teams to think that because they have deployed multiple layers of security, they are immune to new, emerging threats such as ransomware. In February 2016, Hollywood Presbyterian Medical Center paid a $17,000 ransom after hackers infiltrated and disabled its computer network. While the hospital reported that the hack did not affect patient care, it seriously disrupted its operations.

There are three fundamental reasons why organizations are deploying deception to detect and protect against ransomware.

  1. Effectiveness: Deception does not rely on known signatures or attack patterns to detect inside-the-network threats. Instead, it uses a blend of deception lures, decoys and engagement servers to deceive an attacker into engaging. Once the attacker touches a deception system, there is no turning back. Security teams immediately have the attacker’s information and, through an analysis engine, can immediately create the signatures for prevention systems to block, quarantine, and remediate against the attack. Specifically, in ransomware cases, deception drives are planted as traps so that as the malware looks to infect or erase its next drive, it is directed to the engagement server, where alerts are instantly raised and infected systems can be isolated from the network, preventing widespread damage.
  2. Lateral Movement Detection: Many variants of today’s malware use sleeper or time-triggered tactics to evade detection and sandbox technology. This can make it very difficult to understand the magnitude of an alert, plus sandbox technology is not designed for long-term analysis. A cleverly timed attack plan can easily work around a sandbox’s limitations. Deception is different since it is designed to detect and analyze lateral movement inside the network. Whether the attack is directly detected through decoys or deception lures, or the IT and security team feeds information into the system for additional attack analysis, the deception platform can provide efficient detection of threats and attack analysis to block an intrusion before hackers have the time to complete their mission.
  3. Efficiency of Incident Response: A healthcare network recently shared a story of a malware infection that was identified by their team. This malware had bypassed their anti-virus systems and every time they thought they had the attack contained it resurfaced in a different place. The deception platform created a full forensic analysis of the attack and this information enabled the IT and security teams to limit infections to 60 systems. During the attack analysis, the malware morphed multiple times and had multiple C&C addresses, which the security team had not been able to discover with either its sandbox or other detection methods. With the ability of the deception analysis engine to have extended engagement with the attacker, the IT and security team was able to study and contain the attack before the incident response team arrived at the provider’s site.
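The ransomware trap described in point 1 above rests on a simple property: no legitimate user or process ever touches a planted decoy, so any change to one is a substantiated alert rather than noise. The following added example (not code from the article or from Attivo Networks) shows the core of such a decoy-file monitor: it plants decoy files on a share, records a baseline hash per file, and reports any modification, removal or unexpected new file as an alert that can be forwarded to a SIEM as syslog. The decoy file names, the syslog facility/severity value and the `decoy-share-01` host name are constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed decoy names: chosen to look valuable to an intruder browsing
# a share, but the files hold no production data at all.
DECOY_NAMES = ("patient_billing_2016.xlsx", "radiology_archive_backup.db")

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def plant_decoys(share_dir):
    """Write the decoy files and return a baseline {path: sha256}."""
    baseline = {}
    for name in DECOY_NAMES:
        path = os.path.join(share_dir, name)
        with open(path, "wb") as f:
            f.write(b"DECOY FILE - contains no production data\n")
        baseline[path] = sha256_file(path)
    return baseline

def check_decoys(share_dir, baseline):
    """Compare the share against the baseline. Legitimate activity never
    touches decoys, so every difference is reported as an alert."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append({"file": path, "event": "decoy_removed_or_renamed"})
        elif sha256_file(path) != digest:
            alerts.append({"file": path, "event": "decoy_contents_changed"})
    for name in os.listdir(share_dir):
        path = os.path.join(share_dir, name)
        if path not in baseline:  # e.g. a dropped ransom note
            alerts.append({"file": path, "event": "unexpected_file_on_decoy_share"})
    return alerts

def to_syslog(alert, host="decoy-share-01"):
    """Render one alert as a syslog line for the SIEM or prevention systems."""
    return f'<132>decoy-monitor {host} event={alert["event"]} file="{alert["file"]}"'

def demo():
    """Plant decoys in a scratch directory, simulate an encryptor overwriting
    one decoy and dropping a note, and return the event names raised."""
    with tempfile.TemporaryDirectory() as share:
        baseline = plant_decoys(share)
        assert check_decoys(share, baseline) == []  # quiet while untouched
        with open(os.path.join(share, DECOY_NAMES[0]), "wb") as f:
            f.write(b"\x00\x17garbled")  # constructed tampering, not real malware
        with open(os.path.join(share, "README_RESTORE.txt"), "w") as f:
            f.write("constructed note\n")
        return sorted(a["event"] for a in check_decoys(share, baseline))
```

In production the check would run continuously (or on filesystem-change notifications) and the alert would carry the accessing host and account from the file server’s audit log, which is what lets the infected system be isolated.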

With the number and sophistication of cyberattacks on healthcare facilities predicted to increase, many facilities continuing to operate with legacy systems, and facilities incorporating cloud and IT architectures as part of their update strategy, deception is becoming an increasingly attractive solution to protect critical healthcare assets. Deception, as part of an aggressive adaptive defense, can be a vital solution to help IT and security teams stay one step ahead of ransomware, zero-day and other sophisticated threats.

Deception is at the forefront of a new generation of cybersecurity solutions and has demonstrated its effectiveness in many situations against many types of threats. Identifying and implementing a series of best practices for adaptive defense that include deception will be the subject of the second article in this series.

About The Author

Tushar Kothari is a veteran of the high-tech industry with over 25 years of experience in building market-leading companies. He joined Attivo Networks as CEO in July of 2013, taking a modern approach to security by assuming that prevention systems are no longer enough and that the real battle against threats is occurring within the network. By changing the security focus to an assumed-compromise posture, Attivo empowers F500 and other security-conscious organizations to detect threats in real time before damage from a data breach occurs.