In a post COVID-19 world the security landscape of many organisations has been radically realigned. In particular, the healthcare sector was facing significant challenges prior to the pandemic, so the current situation has only added to the security burdens they face. During the course of 2018-2019 the sector suffered a number of significant data breaches. The question most CISOs face is how they can radically improve the security controls in an environment where they, above all sectors, will probably face a greater number of attacks from a diverse range of threat actors. Not only is patient data valuable, but the scientific research currently being conducted to find an active treatment for COVID-19 means that nation state and organised criminals will probably have shortlisted healthcare researchers and providers as organisations to target. To begin with, let us take a look at the state of affairs over the last 2 years both from a European and US perspective.
Data Breaches 2018-2019
2018 saw 15 million patient records breached in the US. According to the Protenus Breach Barometer, by the midpoint of 2019, the figure had increased to 25 million. During 2018 there were 503 data breaches, which does beg the question as to why the trend was still an upward one by the time we had got to 2019. There is a regulatory framework in place called HIPAA, which covers the storing and protecting patient data, and which does provide for the levying of financial sanctions if the regulatory framework has been breached. There is a mandated 60-day period within which data breaches are supposed to be reported. The 2019 Healthcare Data Breach Report disclosed that 12.55% of the population of the US had had their healthcare records exposed or stolen. One of the interesting findings of these reports is that the most common vector used by attackers to gain access to the networks was either through the use of phishing attacks or third-party vendors. In a previous blog post, we covered the topic of spear phishing attacks being used to gain access to a network and how deception technology can be used to ensure that your security control set is effectively aligned to mitigate such attacks.
Medical Research Labs
Hammersmith Medicines Research is a London-based company that carries out clinical trials for new medicines. Recently they suffered a hack of their network. This attack dovetailed with talks that the company was conducting with other organisations about testing a potential vaccine for COVID-19. Malcolm Boyce, the MD, had these words for his peers: “My message to other companies is to do everything possible to safeguard yourself because they are quite capable of putting companies out of business, and they are totally without conscience”. What is interesting is that research into these types of attacks points to the fact that organised crime groups are at the forefront of this activity. That said, state-sponsored attacks should not be ruled out either. These attacks are not limited just to the private sector either. Earlier last month, the second largest hospital in the Czech Republic was hit with a cyber-attack. The attack resulted in COVID-19 test results being delayed, not to mention the difficulty of ensuring that attackers were not still within the hospital network.
Finally, moving back to the US, there have been attacks against biotech companies too. 10X Genomics, which produces gene sequence equipment used by partners and customers in COVID-19 research, has also suffered breaches of its internal systems with potentially over 1TB of data compromised. So, what can we do?
Defence in Depth
This is not a new concept but one that often gets overlooked on many occasions. There is one element that should underpin the concept that is more often than not missing. Before you deploy your defence in depth blueprint you need to undertake a risk mapping exercise. Why? You need to understand what threat type represents the greatest risk to your network. Does it come from spear phishing or does it come from APT groups? Once you have sufficiently granular and organisational specific data sets to answer that question, you can then begin to understand what the defence in depth strategy should be composed of. It should mitigate those threats that are targeting your organisation. You have a scarce budget, and by adopting this methodology you will be in a better position to deploy your scarce resources far more efficiently and mitigate the greatest amount of risk. Delivered to your board, you would sum this up as the ability to deliver the most robust cyber resilience model that can be delivered with the budget that has been allocated.
Pyramid of Pain
An integral part of your depth-in defence strategy in 2020 should include threat intelligence. A challenge that is often brought up about consuming threat intelligence is that it can be very resource intensive and lack actionability. Once again, what you should be looking at is what intelligence can you acquire that is specific to your organisation and addresses the threats that you have mapped out as having the biggest impact on your organisation. With this thought in mind, let’s bring the concept of the pyramid of pain into the discussion. The bottom of the pyramid encapsulates the parts of an attacker’s infrastructure that are the simplest to change. Therefore, consuming that type of intelligence will be of little value to you, as they can swap that part of the attack out so that by the time you receive intelligence about it, it may be out of date. So, how to get ahead of the threat actors? By focusing on the upper two echelons of the pyramid. These are TTPS and Tools. By receiving intelligence on what potential adversaries are using to attack you, you will save an inordinate amount of time, money and resources. So, if the intelligence is delivered in real time and it has detailed information about what tools and TTPs are being used against your organisation, you will have the right data to understand if your security controls are aligned to detect and mitigate these types of tools and TTPs. All of this intelligence, if delivered in an automated manner, delivers cost savings, but above all it delivers enterprise intelligence that is actionable to that part of your organisation where it is needed the most. And that is delivering cyber resilience to your organisation on an ongoing basis and not as a one off. Now is the time to move the concept of cyber resilience away from something that is static and a point in time to a concept that evolves and adapts to the threat landscape aligned against your organisation. Ask yourself: Are my security controls aligned correctly to prevent my network being breached? Do I have the data sets to hand to answer that question? It’s a prerequisite to a defence in-depth strategy.
The CounterCraft Cyber Deception Platform can protect healthcare and pharmaceutical organisations, as well as laboratories, against data breaches, by detecting adversaries before they can do any real damage and getting threat intelligence to react to the attacks. Do you want to know how? Join our 30-min On-Demand Webinar and to get started with your first deception campaign, email [email protected] to talk to one of the team about setup and implementation.
Author: Nahim Fazal, Head of Cyber Threat Intelligence