2014 Health Industry Threat Landscape Briefing
Transcription
2014 Health Industry Threat Landscape Briefing
Randy Hayes, Vice President for Predictive Intelligence, Booz Allen Hamilton
HITRUST Health Information Trust Alliance

Page 42
Booz Allen Hamilton’s Cyber4Sight™ service provides cyber threat intelligence for the HITRUST C3 portal
• The Cyber Threat Intelligence & Incident Coordination Center (C3):
– Distributes threat intelligence analysis and malware research reports and facilitates collaboration via the HITRUST C3 portal
– Participates in the Department of Homeland Security Critical Infrastructure Information Sharing and Coordination Program (bidirectional exchange of threat information)
– Coordinates with the Department of Health and Human Services for exchange of threat intelligence and operation-level information

Page 43
The number of users and methods used to access cyberspace has grown exponentially…
(Figure: three panels, values as extracted)
• Exponential Growth: growth in the developed world exploded over the last 20 years (1990 to 2012): Internet users from < 1 million to 1.6 billion; cell phones from 11 million to 3 billion; Internet hosts from 300,000 to 700 million; digital data from 100 petabytes to 1,600 exabytes
• New Technologies: …and will accelerate as a result of new technologies and reduced prices: $100 laptops, miniaturized smart devices, IPv6, ubiquitous wireless networks
• Global Adoption: …fueling the adoption of cyber capabilities in the developing countries: Internet users in China from 111m (2005) to 660m (2020); Internet users in India from 21m (2005) to 400m (2020)

Page 44
…which has transformed business models, improving productivity and driving economic growth
• Massive Investment: industry and government invest $4t in ICT goods and services every year (figure, values as extracted: $400b computers, $360b software, $60b mission enablement, servers, $100b network equipment, $260b semiconductors)
• These investments have transformed business models and military operations… Finance: $3.2t per day in foreign exchange; Health: electronic health records; Energy: 300k kilometers of lines carrying 3.8b kilowatts per year; E-Commerce: $200b in online sales; Air Transportation: 741 million passengers per year; Defense: network-centric operations
• …while exposing substantial vulnerabilities and risks (Growing Vulnerabilities): hackers steal 40 million credit card numbers; hackers steal 8.3 million health records; electricity grid in U.S. penetrated by spies; hackers break into FAA air traffic control systems

Page 45
In this new environment, the threats are more diverse and capable, increasing the frequency and magnitude of attacks
(Figure: three panels on a 1980 to 2008 timeline, values as extracted)
• More Diverse: the threats have become more diverse and distributed… cyber criminals, hate groups, hacktivists, terrorists, foreign intelligence services; risks include both malign and benign threats
• More Capable: the sophistication of available tools is growing while the sophistication required of actors is declining… growing in sophistication with lower barriers to entry
• Greater Impact: …increasing both the frequency and impact of attacks (CERT incident reports). Over 500,000 web sites were compromised in 2008; malicious intrusions were up 40% in 2008; Symantec generates >10,000 threat signatures a day compared to 1,000 per week just a few years ago; economic impact from cyber attacks ranges from $13-200b

Page 46
Attention is increasingly being turned to healthcare as the newest source of easily monetized information – PHI/PII
• 94% of medical institutions polled by Norse were victims of a cyber attack in 2013
• 72% of victims were healthcare providers
– 33% of victims were small providers
• Attacks were almost entirely by financially motivated criminals

Page 47
Attack targets included networked medical devices, web servers, printers, edge security devices, and others
• The high percentage of edge security devices that were breached suggests that the systems designed to protect the networks were misconfigured or themselves infected
• Hype notwithstanding, attacks have not (yet) targeted networked medical devices – the reality is much more prosaic
Source: Threatpost

Page 48
Defenders have only minutes to respond to an attack, but most attacks go undetected for weeks or months
• While Advanced Persistent Threats (APT) may engage in “low-and-slow” attacks to ensure long-term access, most criminals are of the “smash-and-grab” variety
• And detection is most often by an outside organization rather than the victim itself
Source: Verizon DBIR Healthcare Industry Snapshot

Page 49
Current trends are likely to increase network and data vulnerability – expanding the “attack surface”
• EHR proliferation and networking
• Mobile access and vulnerabilities
• Networked devices (Internet of Things)
– All of which are attracting criminals from other target sectors
Sources: MIT blog; Infosecurity Magazine

Page 50
Adversaries are discovering attack opportunities by exploiting a company’s “attack surface”
(Figure: Transaction Attack Surface; Intellectual Property Attack Surface; Supply Chain Attack Surface; People/Mobile Attack Surface; Programmable Logic Controller Attack Surface; eCommerce Attack Surface)

Page 51
There has been a dramatic increase in the proliferation of EHR and networking of health management systems
• Which has expanded the “attack surface,” creating a “target-rich” environment
• Health records themselves – “data at rest”
• Inter-organization networks (e.g., hospital to PCP, PCP to pharmacy) – “data in motion”

Page 52
Mobile access to healthcare portals will continue to proliferate as more portals come online, bringing new threats
• Patients with infected mobile devices will present an increasing threat that is hard to defend against
• Mobile vulnerabilities and exploits continue to proliferate, too
Source: Healthinformatics
Page 53
Networked medical devices – part of the growing Internet of (vulnerable) Things – could be the “next frontier”
• No known/observed criminal motivations
• But hackers and terrorists are likely to emerge as real threats – low probability but high potential impact
Sources: electronicdesign.com; Paranet

Page 54
“Information leakage” occurs at every layer of a network – the data can be reconstructed to yield new attack vectors
• Information Leakage – Corporations leak pieces of critical, seemingly disparate data on the open Internet.
• Persistent Threat Actors – Attackers will use any means to exploit a corporation’s network, and have the entire Internet’s worth of research and endless time and tools to accomplish their goals.
• Continuous Reconnaissance – Even the best discovery practices will require continuous checks to ensure the network surface area has not changed, evolved, or exposed too much.
• Continuous Attack Surface Understanding – Malicious hackers can discover more substance and context around network vulnerabilities. Multiple pieces of seemingly disparate information, when linked with threat intelligence, can point to a previously undetected attack vector.
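The continuous-reconnaissance point above, and the outside-in findings the briefing goes on to report for a hospital group (a primary site sharing its address with many other domains, parked names that fall through to a CMS login served without TLS, an outdated web server, unconfigured hosts), can be turned into a repeatable check: snapshot what the Internet sees, tag the findings, and diff successive snapshots so a change in the surface is noticed. The Python below is an added example for this write-up, not code from the briefing or from Booz Allen. The hostnames, addresses and HTTP responses are constructed sample data, and the version floors, login-page markers and shared-IP threshold are assumptions chosen for illustration.

```python
"""Outside-in attack-surface snapshot and diff (added example; constructed data)."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class HostObservation:
    hostname: str
    ip: str             # address the name resolved to
    scheme: str         # "http" or "https": what the landing page is actually served over
    server_header: str  # HTTP Server response header
    body: str           # first few hundred bytes of the landing page


# Assumption for this example: illustrative version floors, not an authoritative
# end-of-life table. A product below its floor is reported as outdated.
MIN_SERVER_VERSION = {"apache": (2, 4), "nginx": (1, 4), "microsoft-iis": (8, 0)}
LOGIN_MARKERS = ('type="password"', "wp-login", "/administrator/")
DEFAULT_PAGE_MARKERS = ("apache2 default page", "it works!", "welcome to nginx")

# Constructed sample data: a hospital group's public names (hypothetical .test zone)
SHARED_IP = "203.0.113.10"
SNAPSHOT_WEEK1 = [
    HostObservation("www.example-health.test", SHARED_IP, "https", "Apache/2.2.3",
                    "<title>Example Health</title>"),
    HostObservation("portal.example-health.test", SHARED_IP, "https", "Apache/2.2.3",
                    '<input type="password" name="pw">'),
    HostObservation("cdn.example-health.test", "198.51.100.7", "https", "nginx/1.6.2", "ok"),
] + [
    # parked campaign names on the same server that fall through to the CMS login page
    HostObservation("campaign%d.example-health.test" % i, SHARED_IP, "http", "Apache/2.2.3",
                    '<form action="/wp-login.php" method="post"><input type="password">')
    for i in range(1, 5)
]
# Week two: the main server was patched and a new, unconfigured host appeared
SNAPSHOT_WEEK2 = [
    replace(h, server_header="Apache/2.4.10") if h.hostname == "www.example-health.test" else h
    for h in SNAPSHOT_WEEK1
] + [
    HostObservation("new-server.example-health.test", SHARED_IP, "http", "Apache/2.4.10",
                    "<h1>Apache2 Default Page</h1>"),
]


def parse_server(header):
    """'Apache/2.2.3' -> ('apache', (2, 2, 3)); a bare product name gives version None."""
    m = re.match(r"\s*([A-Za-z\-]+)(?:/(\d+(?:\.\d+)*))?", header or "")
    if not m:
        return ("unknown", None)
    version = tuple(int(p) for p in m.group(2).split(".")) if m.group(2) else None
    return (m.group(1).lower(), version)


def findings_for(snapshot, shared_threshold=5):
    """Map each hostname to a sorted list of finding tags for one snapshot."""
    names_on_ip = defaultdict(list)
    for h in snapshot:
        names_on_ip[h.ip].append(h.hostname)
    result = {}
    for h in snapshot:
        tags = []
        body = h.body.lower()
        if len(names_on_ip[h.ip]) >= shared_threshold:
            tags.append("shared-ip")            # one address, many names: single point of failure
        if h.scheme == "http" and any(m in body for m in LOGIN_MARKERS):
            tags.append("plaintext-login")      # credentials would cross the wire unencrypted
        product, version = parse_server(h.server_header)
        floor = MIN_SERVER_VERSION.get(product)
        if floor and version and version[: len(floor)] < floor:
            tags.append("outdated-server:" + h.server_header.strip())
        if any(m in body for m in DEFAULT_PAGE_MARKERS):
            tags.append("unconfigured-default-page")
        result[h.hostname] = sorted(tags)
    return result


def diff_surface(old, new, shared_threshold=5):
    """Continuous reconnaissance: what changed between two snapshots."""
    old_f = findings_for(old, shared_threshold)
    new_f = findings_for(new, shared_threshold)
    new_findings, resolved = {}, {}
    for host in set(old_f) | set(new_f):
        before = set(old_f.get(host, []))
        after = set(new_f.get(host, []))
        if after - before:
            new_findings[host] = sorted(after - before)
        if host in new_f and before - after:
            resolved[host] = sorted(before - after)
    return {
        "added_hosts": sorted(set(new_f) - set(old_f)),
        "removed_hosts": sorted(set(old_f) - set(new_f)),
        "new_findings": new_findings,
        "resolved_findings": resolved,
    }


if __name__ == "__main__":
    print(json.dumps(findings_for(SNAPSHOT_WEEK2), indent=2))
    print(json.dumps(diff_surface(SNAPSHOT_WEEK1, SNAPSHOT_WEEK2), indent=2))
```

Run stand-alone it prints the week-two findings and the diff between the two weeks. For live use the constructed observations would be replaced by DNS resolution and a fetch of each landing page; the rules themselves (many names on one address, a login form over plain HTTP, a server version below a floor, a default page) do not change. The shared-IP threshold is set low so the sample trips it; a scan like the one the briefing describes, with more than 100 domains on one address, would use a much higher value.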
Page 55
We scanned a hospital group’s network from the adversary’s point of view and quickly discovered numerous attack vectors
• Primary website resolves to an IP address that hosts more than 100 other domains
– Disruption of that IP address could take down the entire network
– More than a dozen of those domains do not resolve to a working website
• Instead, users are presented with the login page for the network’s content management system
• The CMS is not secured (e.g., no SSL or TLS enabled), making it vulnerable to credential compromise
– The web server itself is running outdated software with numerous published vulnerabilities
– And at least two publicly accessible servers are unconfigured

Page 56
Hacktivist campaigns often spill onto unrelated targets because they are high profile or have high traffic volumes
• Government, political, news, and healthcare websites all present attractive targets offering increased visibility for the hacktivist cause
• June 2013: St0rmyw0rm hacktivists breach Beypazari state hospital website, leaking usernames and passwords

Page 57
Collateral Damage
Healthcare sites become targets of opportunity for hacktivists simply because they are often easier to breach than others
• Prior to February 2014, the handle UGReaper had no significant Internet presence; this suggests that the individual currently using the UGReaper handle had no prior activity or operated under a currently unknown identity. Conversations between UGReaper and other hacktivists suggest a desire to focus malicious intent towards the government, financial, and technology sectors. Frequent mentions in conversations of the now-defunct UGNazi hacking group, notorious for leaking government-affiliated information, also support this claim. The healthcare sector breaches, along with the other outliers, suggest targets of opportunity rather than intent.
(Figure: known UGReaper leaks, publicly available, by industry: Financial, Healthcare, Government, Technology. Top targets: Government, Technology, Financial.)
Timeline:
• 25 February: The Reaper joins Twitter (@UGReaper)
• 25 February: Initial Pastebin career begins with three separate posts. The three posts represent the compromise of 17 different entities across eight industries. Of those, two compromises belong to the healthcare sector: St. Anthony Hospital and a Malaysian in vitro fertilization domain. Disclosed information included usernames and passwords.
• 3 March: U.K. Green Energy Eco Merchant database leaked
• 11 March: Leak of Salaam Somali Bank database
• 31 March: Leak of Pakistani Intelligence Job search engine domain database
• 1 April: Compromise of the Bangladeshi police domain
• 15 April: All previous Pastebin leaks have been deleted. A ‘new’ Pastebin account surfaces, created by a “Ali Saed Bin”

Page 58
Hacktivism does more than steal PII: it can shed light on poor compliance and cause reputational damage
• March 2012: James Jeffrey of Anonymous breaches the British Pregnancy Advisory Service (BPAS). Steals the personal details of 10,000 women, including names, addresses, dates of birth and telephone numbers.
• BPAS was fined 335,000 USD because of improperly secured data and breaching data retention guidelines.

Page 59
Healthcare insider attack: Jesse William McGraw (aka Gh0stExodus); actually leader of the Electronik Tribulation Army
• Achieves employment with the future victim company as a security guard
• Uses company-issued credentials to gain entry to the building
– No anomalies for physical breaches. Just an employee going to work
• Selects target computers and uses the open source software OphCrack to bypass security
• Installs LogMeIn to maintain remote access and control zombie machines
• Infects computers with malware, creating a botnet to target rival hacking groups (e.g. Anonymous)
• Uninstalls anti-virus programs to avoid detection
– No desktop anomalies, the anti-virus was disabled
• Video tapes the entire process, posts the video to YouTube, which sparks an investigation, and is caught shortly after
• However, what if the self-incriminating evidence didn’t exist? What would have been observed to prevent this? Could it have been prevented?
• Network perimeter devices won’t help since the attack began inside the perimeter

Questions?
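The insider slide asks what would have been observed had the YouTube video not existed. The three actions it lists (running OphCrack, uninstalling anti-virus, installing LogMeIn) each leave host telemetry even when the perimeter sees nothing, and together they form a chain a detection rule can correlate: several distinct tampering techniques by one account on one host within a short window, performed by an account that has no business administering endpoints. The Python below is an added example for this write-up, not material from the briefing. The events, host and account names, and product names are constructed; the tool-name lists and the admin group are assumptions.

```python
"""Host-telemetry correlation for the insider pattern (added example; constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: the accounts expected to administer endpoints, and
# the tool names each rule looks for. A real deployment would source these from the
# directory and from the organization's approved-software list.
IT_ADMIN_USERS = {"CORP\\svc_desktop", "CORP\\helpdesk1"}
AV_PRODUCT_RE = re.compile(r"antivirus|defender|endpoint protection", re.I)
REMOTE_ACCESS_RE = re.compile(r"logmein|teamviewer|anydesk", re.I)
CRACKING_TOOL_RE = re.compile(r"ophcrack|mimikatz|pwdump|hashcat", re.I)

# Constructed endpoint events standing in for process-creation, service and
# software-inventory telemetry. Host, account and product names are invented.
SAMPLE_EVENTS = [
    {"ts": datetime(2014, 3, 1, 2, 5), "host": "NURSE-STATION-07", "user": "CORP\\sguard01",
     "type": "process_start", "image": "C:\\Users\\sguard01\\Downloads\\ophcrack.exe"},
    {"ts": datetime(2014, 3, 1, 2, 20), "host": "NURSE-STATION-07", "user": "CORP\\sguard01",
     "type": "software_uninstall", "product": "Acme Antivirus Suite"},
    {"ts": datetime(2014, 3, 1, 2, 31), "host": "NURSE-STATION-07", "user": "CORP\\sguard01",
     "type": "service_install", "service": "LogMeIn",
     "image": "C:\\Program Files\\LogMeIn\\LogMeIn.exe"},
    {"ts": datetime(2014, 3, 1, 2, 40), "host": "NURSE-STATION-07", "user": "CORP\\sguard01",
     "type": "process_start", "image": "C:\\Windows\\System32\\notepad.exe"},
    # Help desk stopping AV for maintenance: one rule fires, which is not enough on its own
    {"ts": datetime(2014, 3, 1, 9, 0), "host": "WS-ADMIN-02", "user": "CORP\\helpdesk1",
     "type": "service_state", "service": "Acme Antivirus Service", "state": "stopped"},
]


def rule_hits(event):
    """Names of the atomic rules one event triggers (possibly none)."""
    hits = []
    kind = event["type"]
    image_and_service = event.get("image", "") + " " + event.get("service", "")
    if kind == "service_state" and event.get("state") == "stopped" \
            and AV_PRODUCT_RE.search(event["service"]):
        hits.append("av_disabled")
    if kind == "software_uninstall" and AV_PRODUCT_RE.search(event["product"]):
        hits.append("av_uninstalled")
    if kind in ("process_start", "service_install") and REMOTE_ACCESS_RE.search(image_and_service):
        hits.append("remote_access_tool")
    if kind == "process_start" and CRACKING_TOOL_RE.search(event["image"]):
        hits.append("credential_cracking_tool")
    return hits


def correlate(events, window=timedelta(hours=24), min_techniques=2):
    """Alert per (host, user) when at least `min_techniques` distinct rules fire within `window`.

    A single rule firing (an admin stopping AV) is routine noise; the chain on the
    slide is three different techniques by one account on one host inside an hour.
    """
    per_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rule_hits(ev):
            per_actor[(ev["host"], ev["user"])].append((ev["ts"], rule))
    alerts = []
    for (host, user), hits in per_actor.items():
        best = set()
        for i, (t0, _) in enumerate(hits):           # slide a window forward from each hit
            in_window = {rule for t, rule in hits[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_techniques:
            alerts.append({
                "host": host, "user": user,
                # an account with no business administering endpoints is the insider signal
                "severity": "medium" if user in IT_ADMIN_USERS else "high",
                "techniques": sorted(best),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In a real environment the constructed events would come from process-creation auditing (Windows Security event 4688 or Sysmon event 1), service-installation events (System log event 7045) and software-inventory or AV-console data; the correlation logic is unchanged. The window is what separates the two actors in the sample: a single AV stop by the help desk during the day is routine, three distinct techniques from a security guard's account on one workstation within an hour is not, and none of it is visible to a perimeter device.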