6 cyberthreat hunting best practices
As the number of cyberattacks in healthcare mounts, organizations are looking for better ways to reduce their vulnerability. Some are turning to highly skilled threat hunters.
Healthcare organizations are stepping up their cybersecurity programs in the wake of a growing number of malware and ransomware attacks that have frozen network systems and forced hospitals to suspend routine services. In May, the massive WannaCry attack was detected in more than 104 countries and shut down most services at 40 hospitals in the United Kingdom. A different virus, a strain of Petya, spread across Europe and hit U.S. targets in June, among them Nuance Communications and drugmaker Merck.
In August, cybersecurity experts identified a new ransomware virus called Defray, which specifically targets healthcare organizations. The strain spreads via a Microsoft Word attachment in emails sent to potential victims.
According to the Ponemon Institute, data breaches have cost the industry about $6.2 billion. The average cost to a provider of a data breach is about $2.2 million and $1 million for a business associate. Nearly half of organizations surveyed said they’d been hacked at least five times in two years.
“Today, the reality of breaches means you need to be assuming a breach is in your environment at all stages,” says Vincent Weafer, vice president of cybersecurity firm McAfee Labs.
A recent McAfee cyberthreats analysis found a 23% jump in the number of malware samples in the past year, to nearly 723 million. New ransomware samples increased even more sharply — up 47% to 10.7 million samples. And mobile malware rose 61% to 18.4 million samples.
A number of factors have combined to make healthcare a prime target for cyber criminals. Among them are the amount of legacy equipment that runs on old and unsupported operating systems, the failure to implement basic patches and updates, and ongoing consolidation within the industry, which can expose security framework differences. And, of course, there are patients’ health records, which offer a potential treasure trove of information for sale on the Dark Web.
At the same time, there is a severe lack of security talent within the industry and an inability to attract and retain high-end security expertise. While the volume of data and complexity of IT infrastructures increases, the number of skilled threat hunters is not matching the demand, Weafer warns.
“As much as we talk about the latest technology and trends and complexity … it really is about finding the basic doors unlocked, the windows which have been not fully closed in the environment,” Weafer tells Healthcare Dive. “That’s what threat hunting is all about — trying to find those risks and mitigate them and bring them down as quickly as possible.”
For the threat hunter, the process includes a series of initial questions. What are the latest, greatest threats — those that pose a serious risk for their organization? What are the system’s vulnerabilities? If a cybercriminal does get inside, can they recognize it in their environment?
McAfee recommends human-machine teaming for best results. “Rapidly rising attack volumes and continuous attack evolution necessitate technology that detects attacks without human intervention and provides visibility and focus, enabling people to make more informed decisions,” the report says. “The proof of successful human and technology teaming will be seen in the ability to rapidly dismiss alerts and stop new threats.”
In fact, 71% of organizations with a level 4 security operations center (SOC) closed cyberthreat investigations in less than a week, according to the survey. Threat hunters in these organizations were also three times more likely to automate parts of the investigation and devoted 50% more time to actual hunting than organizations with less robust SOCs.
Putting together a good threat hunting team doesn't have to break the bank. While large enterprises may have teams of 100 or more, this can effectively be done with a relatively small team that is highly trained, notes Weafer. Rather than build an in-house team, many organizations will contract with a managed service provider that can provide the expertise for them.
Here are 6 threat hunting best practices to reduce your organization’s cyber vulnerability.
1. Have a conversation. Successful threat hunting doesn't begin with technology. It starts with a conversation: What data does the system hold? How important is it? How can it be protected?
Clearly, patient data is a healthcare organization’s most critical asset, but they may also be involved in research, biotechnology or patent work. Security teams need to know where that information is and ask how they’d recognize someone trying to access it.
2. Use the latest firewalls and web gateways. These, along with endpoint solutions, generate events that are rich in information and can be used to help identify whether something is unusual in the environment. A threat hunter may be seeing hundreds of thousands or millions of suspicious events, so it’s impossible to pursue all threats. Identify those that pose the greatest likelihood of risk to the organization and isolate those for the team to examine.
3. Track DNS traffic. Looking at outbound domain name system requests can help to detect a hacker’s command-and-control activity since this type of malware generates new domain names frequently. These names also tend to be non-dictionary based and longer than normal, the report notes. “A simple script that takes the DNS request log file and sorts the requests by length provides useful clues for the hunter,” it adds.
Hunters can also look for abnormal user agents using least-frequent analysis: collecting user agents from HTTP requests, sorting from most to least common and scrutinizing any outliers. This process can also be used to hunt for persistence after the system has been breached. Unsigned binaries, unusually short or long filenames and other discrepancies should be inspected.
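The two log hunts described in this item, sorting DNS requests by name length and least-frequent analysis of user agents, are shown below in one added example. This is illustrative code written for this article, not the script from the McAfee report or any McAfee tooling; the log formats, the hosts and the domain names are all constructed for the example, and the per-label entropy figure is an extra clue added here to flag non-dictionary names.

```python
# Added example (not from the McAfee report or Healthcare Dive): the "sort DNS
# requests by length" hunt and least-frequent analysis of HTTP user agents,
# run over constructed sample logs.
import math
from collections import Counter

# Constructed DNS request log: "<timestamp> <client_ip> <queried_name>"
DNS_LOG = """\
2017-09-01T08:00:01 10.1.4.22 www.example.com
2017-09-01T08:00:02 10.1.4.22 mail.example.org
2017-09-01T08:00:03 10.1.4.31 updates.vendor-example.net
2017-09-01T08:00:04 10.1.4.57 xk3q9v2lm8rt5zp1wd7cfhbn4ya6.example.test
2017-09-01T08:00:05 10.1.4.57 bq7zt1nm4vc9xl2wp8sr5kfd3hgj6ya.example.test
2017-09-01T08:00:06 10.1.4.22 cdn.example.com
"""

# Constructed HTTP proxy log: '<timestamp> <client_ip> <url> "<user_agent>"'
HTTP_LOG = """\
2017-09-01T08:01:01 10.1.4.22 http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/55.0"
2017-09-01T08:01:02 10.1.4.31 http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/55.0"
2017-09-01T08:01:03 10.1.4.40 http://mail.example.org/ "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/55.0"
2017-09-01T08:01:04 10.1.4.57 http://198.51.100.23/update "Mozilla/4.0 (compatible; MSIE 6.0)"
2017-09-01T08:01:05 10.1.4.22 http://cdn.example.com/a.js "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/55.0"
"""


def parse_dns_log(text):
    """Return (client_ip, queried_name) tuples from the constructed DNS log."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            _ts, client, name = line.split()
            rows.append((client, name))
    return rows


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label; dictionary words
    score low, algorithmically generated labels score close to log2(len)."""
    counts = Counter(label)
    total = len(label)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def longest_dns_requests(text, top=3):
    """The report's hunt: queried names sorted longest first, each with the
    entropy of its leftmost label as an added non-dictionary clue."""
    ranked = sorted(parse_dns_log(text), key=lambda r: len(r[1]), reverse=True)
    return [(client, name, len(name), round(label_entropy(name.split(".")[0]), 2))
            for client, name in ranked[:top]]


def parse_http_log(text):
    """Return (client_ip, url, user_agent) tuples from the constructed proxy log."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            head, _sep, ua = line.partition(' "')
            _ts, client, url = head.split()
            rows.append((client, url, ua.rstrip('"')))
    return rows


def rare_user_agents(text, max_count=1):
    """Least-frequent analysis: count user agents, order them from most to
    least common, and return the outliers seen at most `max_count` times
    together with the internal hosts that sent them."""
    rows = parse_http_log(text)
    counts = Counter(ua for _c, _u, ua in rows)
    outliers = [ua for ua, n in counts.most_common() if n <= max_count]
    return [(ua, counts[ua], sorted({c for c, _u, u in rows if u == ua}))
            for ua in outliers]


if __name__ == "__main__":
    for client, name, length, ent in longest_dns_requests(DNS_LOG):
        print(f"{length:3d} chars  entropy {ent:4.2f}  {client} -> {name}")
    for ua, n, clients in rare_user_agents(HTTP_LOG):
        print(f"rare user agent seen {n}x from {clients}: {ua}")
```

Both functions return their findings rather than only printing them, so the same code can feed a ticket or a SIEM query; the hunter's judgement still decides which of the top entries deserve a closer look.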
4. Create early warning traps. One way to draw attackers out of the shadows is to create fake credentials and wait for them to use them, according to the report. The threat hunter can then write a scheduled task that checks for logon failure and alerts the team when the fake credential is used.
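The scheduled check the report describes, written out as an added example for this article (it is not code from the McAfee report). The decoy account names, the flattened logon audit log and its field layout are all constructed; Windows records failed logons as event 4625 and successful ones as 4624, and the example alerts on both, since a decoy account has no legitimate user. The `since` watermark lets a task scheduler (cron or Windows Task Scheduler, an assumed deployment) run it every few minutes without re-alerting on events it has already reported.

```python
# Added example (not from the McAfee report): detect use of decoy credentials
# from a logon audit log, suitable for running as a scheduled task.
import re
from datetime import datetime

# Decoy accounts created only for the trap; no person or service uses them.
# Names are assumptions for this example.
DECOY_ACCOUNTS = {"svc_backup_legacy", "jsmith_admin"}

# Constructed audit log, one event per line (Windows 4625/4624 fields flattened
# into text; this layout is an assumption of the example, not a real export format).
AUTH_LOG = """\
2017-09-01T02:10:11 DC01 event=4625 user=mjones src=10.1.4.22 reason=bad_password
2017-09-01T02:11:40 DC01 event=4624 user=mjones src=10.1.4.22
2017-09-01T02:14:03 DC01 event=4625 user=svc_backup_legacy src=10.1.4.57 reason=bad_password
2017-09-01T02:14:05 DC01 event=4625 user=svc_backup_legacy src=10.1.4.57 reason=bad_password
2017-09-01T02:15:22 DC01 event=4625 user=Administrator src=10.1.4.57 reason=bad_password
2017-09-01T02:20:00 DC01 event=4624 user=jsmith_admin src=10.1.4.88
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_events(text):
    """Yield one dict per parseable log line, with the timestamp as a datetime."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def decoy_alerts(text, decoys, since=None):
    """One alert per (decoy account, source host) seen after `since`.
    Failed (4625) and successful (4624) logons both count: nothing legitimate
    should ever touch a decoy account, so any attempt is worth the team's time."""
    if isinstance(since, str):
        since = datetime.fromisoformat(since)
    decoy_set = {d.lower() for d in decoys}
    hits = {}
    for ev in parse_events(text):
        if since is not None and ev["ts"] <= since:
            continue  # already reported by an earlier scheduled run
        if ev["user"].lower() not in decoy_set:
            continue
        key = (ev["user"], ev["src"])
        entry = hits.setdefault(
            key, {"attempts": 0, "first": ev["ts"], "last": ev["ts"], "events": set()}
        )
        entry["attempts"] += 1
        entry["last"] = ev["ts"]
        entry["events"].add(ev["event"])
    return [{"user": u, "src": s, **v} for (u, s), v in hits.items()]


def latest_timestamp(text):
    """Watermark to persist for the next scheduled run."""
    stamps = [ev["ts"] for ev in parse_events(text)]
    return max(stamps) if stamps else None


if __name__ == "__main__":
    for alert in decoy_alerts(AUTH_LOG, DECOY_ACCOUNTS):
        print(f"ALERT decoy account {alert['user']} used from {alert['src']}: "
              f"{alert['attempts']} attempt(s), event(s) {sorted(alert['events'])}, "
              f"first {alert['first']} last {alert['last']}")
    print("next watermark:", latest_timestamp(AUTH_LOG))
```

Alerting on the source host as well as the account matters: in the constructed log the same host fails against the decoy and then against a real administrator account, which is the kind of pattern the team would want to pull the hunting thread on.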
5. Sandbox. Security technologies — antivirus, firewalls, etc. — have to do a lot of things. They have to allow traffic in, have low false positives and be very conservative to ensure they don’t stop traffic altogether when a potential threat is detected. Sandboxing provides a rich source of threat information that can be fed back into the system to build a better picture of what’s going on.
The sandbox provides a hundred different attributes about what a suspicious file does, what it touches, the IP addresses it goes to, the URLs, all of which can be used in hunting activity, Weafer explains. “It’s not just about the needle in the haystack, but which needles of those hundreds of thousands of needles in that haystack do I really spend my time looking at,” he says.
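An added example of feeding sandbox attributes back into hunting, as the two paragraphs above describe: indicators (domains, IPs, URLs, files written, registry keys) are pulled out of a sandbox report, the known-benign noise the sample also generated is dropped, and internal hosts are ranked by how many of the remaining indicators they contacted. This is illustrative code for this article, not McAfee's or any sandbox vendor's; the report layout, the proxy log, the benign-domain list, the file hash placeholder and every host and address are constructed.

```python
# Added example (not from the McAfee report or any sandbox product): turn a
# sandbox report's attributes into hunt indicators and rank internal hosts by
# how many of them each host touched. All values are constructed.
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sandbox report; the key layout is an assumption of this example.
SANDBOX_REPORT = json.dumps({
    "sample": {"sha256": "PLACEHOLDER_SHA256_OF_SUSPICIOUS_ATTACHMENT", "name": "invoice.docm"},
    "network": {
        "dns": ["crl.example-ca.test", "dq8wm2zr7k.example.test"],
        "http": ["http://198.51.100.23/update", "http://crl.example-ca.test/root.crl"],
        "tcp": ["198.51.100.23:80", "203.0.113.9:443"],
    },
    "files_written": ["C:\\Users\\Public\\svchost32.exe"],
    "registry": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32"],
})

# Attributes that are background noise for this sample (a CA's CRL endpoint,
# which any signed binary may fetch); an assumed allowlist for the example.
BENIGN_DOMAINS = {"crl.example-ca.test"}

# Constructed proxy log: "<timestamp> <client_ip> <url>"
PROXY_LOG = """\
2017-09-01T09:00:01 10.1.4.22 http://www.example.com/
2017-09-01T09:00:02 10.1.4.57 http://198.51.100.23/update
2017-09-01T09:00:03 10.1.4.57 http://dq8wm2zr7k.example.test/
2017-09-01T09:00:04 10.1.4.31 http://crl.example-ca.test/root.crl
2017-09-01T09:00:05 10.1.4.88 http://203.0.113.9/
"""


def _is_ip(host):
    return host.replace(".", "").isdigit()


def extract_indicators(report_json, benign_domains=BENIGN_DOMAINS):
    """Group the sandbox attributes by type, dropping benign domains and URLs."""
    report = json.loads(report_json)
    ind = {"domain": set(), "ip": set(), "url": set(), "path": set(), "regkey": set()}
    for name in report["network"]["dns"]:
        if name not in benign_domains:
            ind["domain"].add(name)
    for url in report["network"]["http"]:
        host = urlparse(url).hostname
        if host in benign_domains:
            continue
        ind["url"].add(url)
        (ind["ip"] if _is_ip(host) else ind["domain"]).add(host)
    for endpoint in report["network"]["tcp"]:
        ind["ip"].add(endpoint.rsplit(":", 1)[0])
    ind["path"].update(report["files_written"])
    ind["regkey"].update(report["registry"])
    return ind


def hosts_touching_indicators(proxy_text, indicators):
    """Rank internal hosts by the number of distinct network indicators they
    contacted: the hosts matching most are the needles to look at first."""
    hits = defaultdict(set)
    for line in proxy_text.splitlines():
        if not line.strip():
            continue
        _ts, client, url = line.split()
        host = urlparse(url).hostname
        if url in indicators["url"]:
            hits[client].add(("url", url))
        if host in indicators["domain"]:
            hits[client].add(("domain", host))
        if host in indicators["ip"]:
            hits[client].add(("ip", host))
    ranked = [(client, sorted(found)) for client, found in hits.items()]
    return sorted(ranked, key=lambda item: -len(item[1]))


if __name__ == "__main__":
    ind = extract_indicators(SANDBOX_REPORT)
    for kind, values in ind.items():
        print(f"{kind:7s} {sorted(values)}")
    for client, found in hosts_touching_indicators(PROXY_LOG, ind):
        print(f"{client}: {len(found)} indicator(s) matched: {found}")
```

The file-path and registry indicators are collected too but are not matched here, since they would be checked against endpoint telemetry rather than a proxy log; the same ranking idea applies there.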
6. Run attack simulations. The point is to test the robustness of cybersecurity defenses. If someone is outside trying to break it, how good are their chances? If someone is trying to breach the system from inside the organization, are defenses adequate there? Professional companies will do this, but organizations can do this internally as well.
“It really does come down to if I had a breach in the morning, do I have the capability to recognize that in my environment or am I still operating my environment in terms of counting the number of patches, counting the number of firewall events, counting the number of AV events,” Weafer says. “That is not sufficient in today’s world.”