Examining healthcare cyber threats and how to better prepare your organization

A Q&A with Tony Cook, head of threat intelligence at GuidePoint Security

With the influx of attacks on the healthcare sector, we spoke with our head of threat intelligence, Tony Cook, to get his take on the threat landscape, supply chain risks, and how to improve visibility and ensure a better overall security posture.

Q: Tony, we’re seeing a surge of large security incidents reported across many industries, including the healthcare sector, tied to vulnerabilities involving third party providers of applications, IT infrastructure products and various devices. What are some common threads that stand out in these incidents?

A: It’s much easier for attackers to compromise what is used in your environment to actually get inside your environment. That’s the whole premise behind the supply chain attacks that we’re seeing, whether SolarWinds, Accellion or others. Attackers can squeeze out a middleman and attack organizations that are relied on and used every day to deploy malware and/or exfiltrate data from your environment.

Q: You mention SolarWinds and Accellion… these attacks have had an enormous impact on other organizations. What stands out as far as things healthcare organizations should do when it comes to their critical third parties?

A: Organizations must take a much more proactive approach to their security posture and try to understand exactly what those threats might be. The idea that you can just inherently trust any security vendor or any product that’s in your environment needs to come under the microscope. It’s a good idea to go through a possible scenario with a tabletop exercise, which can help you understand what it would look like if something bad did happen in your environment. You would see what the attacker could potentially do in the environment, build from there to understand your gaps and ultimately prioritize your actions.

Q: Tony, what steps should hospitals and healthcare organizations take to better vet third party vendors from a cybersecurity perspective? 

A: The first step is to understand your network. In many cases, when we come in to run an IR the organizations that we are supporting don’t have a good sense of what is in their environment. So, knowing what’s in your network is step one. Step two is once you have this visibility, determine how you can secure those devices and improve processes. There’s this idea of zero trust, where you don’t inherently trust anything in your environment. Every host could be a threat and looking at your security posture through that lens can help you ensure you have the right security controls and procedures in place. 

Q: Earlier in our interview you mentioned being more proactive. What advice do you have in terms of threat hunting?

A: In order to even consider threat hunting, you need visibility of your environment. So going back to what I was saying before – step one is to understand what’s on your network. Let’s go back to the concept of tabletop exercises, where you can walk through what an incident would look like. With this information you can formulate a hypothesis and then try to uncover that threat. Theoretically you’d walk through your hypothesis a few different times and see if you have visibility gaps. Oftentimes, what we see is that many of the issues when we threat hunt are based around poor visibility, where the level of logging or the level of visibility across the environment is lacking. In some cases, there aren’t even firewall logs that go back, let’s say, 30 days. In some cases, there’s no EDR solution or no logging posture across the entire environment. Even servers might have been misconfigured to have their logs be just way too verbose and are rolling over in a day and not being centrally logged anywhere. A lot of these issues will start to really add up when you try to do it at six Physical threatened.

Q: Are you seeing any other systemic issues with which healthcare organizations are challenged?

A: One thing that continually seems to be a common thread across our last few engagements was the presence of web shells in open web servers across their environments – whether it was because it was a shadow IT server that was out there or a public facing web server that is used every day, no one had really noticed these things or was looking at logs. A simple question of “what are all your open web servers?” or “what are your public facing web servers?” and getting a list of those things, looking at the logs and then conducting some triage analysis, finding these web shells.
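The triage described in this answer (list the public-facing web servers, pull their access logs, look for script paths the application never shipped) can be started with a small log-review script. The code below is an added example, not part of the interview or of GuidePoint's tooling; the log lines, the allowlist of known application endpoints and the heuristics are constructed assumptions. It parses Apache/nginx combined-format access logs and reports script paths that are outside the known endpoint set and actually served a 200, so that probes for files that do not exist (404s) are not reported as findings.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format. Constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Server-side script extensions worth reviewing on a web host.
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx", ".cgi")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def triage(lines, known_endpoints):
    """Map each suspicious script path to the list of reasons it was flagged.

    A path is reported when it has a script extension, is not in the
    application's known endpoint allowlist, and returned at least one 200.
    """
    stats = defaultdict(lambda: {"hits": 0, "ok": 0, "post_no_referer": 0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if not path.lower().endswith(SCRIPT_EXT) or path in known_endpoints:
            continue
        s = stats[path]
        s["hits"] += 1
        s["clients"].add(rec["ip"])
        if rec["status"] == "200":
            s["ok"] += 1
        if rec["method"] == "POST" and rec["referer"] in ("", "-"):
            s["post_no_referer"] += 1  # shells are usually driven by referer-less POSTs

    findings = {}
    for path, s in stats.items():
        if s["ok"] == 0:
            continue  # scanner noise: nothing was actually served
        reasons = ["script path outside the application's known endpoints and served a 200"]
        if s["post_no_referer"]:
            reasons.append(f"{s['post_no_referer']} POST request(s) with no Referer")
        if len(s["clients"]) == 1 and s["hits"] >= 3:
            reasons.append("repeated hits from a single client")
        findings[path] = reasons
    return findings


# Constructed sample log: two legitimate endpoints, one scanner probe that 404s,
# and one unknown script under an upload directory that answers referer-less POSTs.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2021:08:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Mar/2021:08:02:30 +0000] "POST /login.php HTTP/1.1" 302 0 "https://portal.example/index.php" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2021:08:05:00 +0000] "GET /c99.php HTTP/1.1" 404 196 "-" "python-requests/2.25"',
    '198.51.100.23 - - [10/Mar/2021:08:10:01 +0000] "POST /uploads/img.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2021:08:10:04 +0000] "POST /uploads/img.php HTTP/1.1" 200 1433 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2021:08:10:09 +0000] "GET /uploads/img.php?x=1 HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

# Endpoints the application is known to ship; assumed for this example.
KNOWN_ENDPOINTS = {"/index.php", "/login.php"}

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG, KNOWN_ENDPOINTS).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

The allowlist is the part that needs real input: build it from the deployed application's routes or from a clean baseline of the document root, then run the script over the full retention window rather than a single day, since the answer above notes that retention itself is often the gap.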

Q: Healthcare environments have lots of medical devices. What’s the level of visibility that organizations tend to have with their medical devices and how much of a potential risk do those devices pose?

A: Medical devices are a unique beast. Hopefully, they’re segmented off any internet facing segments of the network. Typically there’s not really a lot that’s usually done by system administrators on those devices. If there are, there’s usually like some regulation or something to even put additional logging on those hosts, like being able to put EDR or endpoint detection response tool on any of these devices is usually either frowned upon, or they don’t want anything to cause these things to crash. Visibility on those systems sometimes is just nil. Again, hopefully, these devices are segmented off the network. We don’t see very much logging outside of normal system administration, whether it’s on and off things of that nature for medical devices, which hopefully can turn around with new regulations, but it’s a hit or miss.

Q: Ransomware attacks have become fairly commonplace, especially in the healthcare sector. Are there any common issues that you’re seeing in these types of attacks and how these occur in the first place? 

A: Phishing is a big vector as far as how these attacks begin. There’s usually some groups that are trying to sell initial access into environments, whether even attack just took a big hit with the government trying to shut down a lot of that. But there’s always someone else out there doing the exact same thing, trying to sell this initial access to ransomware workers or ransomware, or just doing phishing themselves. Another vector for ransomware is by leveraging open admin ports such as RDP and SSH, that are just open to the world and which can be brute forced – we still see this quite often.

Once access occurs, moving laterally in the environment is almost just too easy nowadays. As soon as an actor obtains legitimate credentials to the environment, utilizing whatever tool they feel comfortable with, they will map out the network and attack their intended target. Usually the goal is to hit as many systems as possible, but it could also just be as targeted as hitting just the servers that they want in the environment. 
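The brute-forced admin ports mentioned above leave a recognisable trail in authentication logs: a burst of failures from one source, sometimes followed by a success, which is the moment legitimate credentials are in the attacker's hands and lateral movement can start. The code below is an added example, not part of the interview; it assumes OpenSSH `sshd` syslog lines in the default format, and the sample lines, the threshold (5 failures) and the window (10 minutes) are constructed assumptions. It keeps a sliding window of failures per source address and raises an alert when the window fills, recording separately whether a login succeeded from that source after the burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default OpenSSH syslog lines: "Failed password for [invalid user] X from IP port N ssh2"
# and "Accepted password/publickey for X from IP port N ssh2". Constructed for this example.
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+'
)


def parse_sshd(line):
    """Return (timestamp, result, user, ip) for an auth line, or None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; ordering within one month is all we need here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"failures": n, "success_after_burst": user_or_None}} for noisy sources."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    alerts = {}
    for line in lines:
        rec = parse_sshd(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()  # expire failures older than the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "success_after_burst": None})
                a["failures"] = max(a["failures"], len(q))
        elif len(q) >= threshold:
            # A success from a source that just burst-failed is the high-priority case.
            a = alerts.setdefault(ip, {"failures": len(q), "success_after_burst": None})
            a["success_after_burst"] = user
    return alerts


# Constructed sample: one user with a single typo, one source hammering an
# exposed SSH port and then logging in as a service account.
SAMPLE_AUTH_LOG = [
    "Mar 10 03:12:01 bastion sshd[2201]: Failed password for alice from 10.0.0.7 port 50211 ssh2",
    "Mar 10 03:12:05 bastion sshd[2201]: Accepted password for alice from 10.0.0.7 port 50211 ssh2",
    "Mar 10 03:14:07 bastion sshd[2310]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2",
    "Mar 10 03:14:09 bastion sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51235 ssh2",
    "Mar 10 03:14:12 bastion sshd[2312]: Failed password for root from 203.0.113.45 port 51236 ssh2",
    "Mar 10 03:14:15 bastion sshd[2313]: Failed password for root from 203.0.113.45 port 51237 ssh2",
    "Mar 10 03:14:18 bastion sshd[2314]: Failed password for svc_backup from 203.0.113.45 port 51238 ssh2",
    "Mar 10 03:14:21 bastion sshd[2315]: Failed password for svc_backup from 203.0.113.45 port 51239 ssh2",
    "Mar 10 03:14:40 bastion sshd[2316]: Accepted password for svc_backup from 203.0.113.45 port 51240 ssh2",
]

if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {a['failures']} failures in window; "
              f"success after burst: {a['success_after_burst'] or 'no'}")
```

The `success_after_burst` field is the one to page on: a burst that never succeeds is an exposure finding (close or restrict the port), whereas a burst followed by an accepted login should be handled as a live incident, with the account reset and the host reviewed for the lateral movement described above. The same pattern applies to RDP with Windows event ID 4625/4624 pairs, which this example does not parse.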

Q: Thanks Tony for your insights… any final thoughts?


*** This is a Security Bloggers Network syndicated blog from The Guiding Point | GuidePoint Security authored by [email protected]. Read the original post at: