Defending against dark web-fueled attacks calls for research, strategy
Beyond the visible web, the part most people experience as the internet, lies the deep web: content that search engines do not index and that is not reachable through registered web sites and domains. The deep web holds far more content than the visible web, since most data in existence is never indexed by search engines.
And within the deep web is another domain that's become the source of many problems for healthcare CIOs and CISOs today. The dark web is a subset of the deep web that requires special software to access it and is specifically designed to use encryption technology and complex routing to provide anonymity. In short, the dark web is designed not to allow one to find identities, locations, users, web sites or domains. And this is where many a cybersecurity problem brews.
"The dark web hosts a variety of data posted for sale in forums, discussion groups and catalog-style sites," said Michelangelo Sidagni, chief technology officer at NopSec, a vendor of cybersecurity technology. "These include zero-day exploits with proof-of-concepts that never were disclosed and are for sale for hefty prices in bitcoins; one-day exploits for vulnerabilities that currently have patches but have no public exploits disclosed yet; custom malware, bot-as-a-service, DDoS-as-a-service, all for sale; and personally identifiable information such as credit cards, Social Security numbers, and login information that can be used in phishing attacks."
All of these vulnerabilities, exploits and custom malware can be used to compromise healthcare organizations. Specifically, cybercriminals can target healthcare organizations that have not yet applied an available patch: for a very low price they can buy an exploit for that already-patched vulnerability and use it to install some form of custom undetectable malware in the network.
As a result, what is for sale on the dark web bears directly on a healthcare organization's vulnerability management.
"A strong security program that looks at security in a holistic way across the enterprise and applies best practices in risk management will provide a more complete defense against the dark web," said Bryan Hurd, senior executive, security strategy, at Versive, an artificial intelligence-based cybersecurity technology vendor. "Trust is at the core of every healthcare organization's brand, and the confidentiality and privacy, integrity, and availability of medical data must be continually managed."
Further, embracing innovation in the healthcare industry should include a strong set of community requirements for security from start to finish of a product or service lifecycle, Hurd added.
Ultimately, there are a variety of strategies and tactics healthcare CIOs and CISOs can deploy to protect against dark web-fueled cyberattacks.
"CIOs, CISOs, and security managers and analysts should monitor and fix those vulnerabilities present in their networks that currently have one-day exploits on sale in the dark web," Sidagni said. "They should also monitor current dark web forums and black hat hacker sites indicating that a particular healthcare organization has been compromised through monitoring of log-ins, credit cards, Social Security numbers and other PII for sale in the dark web."
Healthcare leaders also should pay particular attention to new ransomware and other malware for sale in the dark web if they think they have been compromised, as well as related workarounds to remediate an infection, he added.
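One way to act on Sidagni's first recommendation is to rank a vulnerability scanner's findings by whether an exploit is obtainable, using the article's own zero-day / one-day distinction. The Python below is an added example, not code from the article or from NopSec; the CVE identifiers, asset names and feed entries are constructed placeholders, and the scoring weights are an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    criticality: int  # 1 (low) to 5 (clinical / patient-facing system)

@dataclass(frozen=True)
class Intel:
    cve: str
    patch_available: bool
    exploit_public: bool    # exploit code published openly
    exploit_for_sale: bool  # exploit observed in a dark-web listing

def classify(i: Intel) -> str:
    """Article's taxonomy: zero-day (no patch), one-day (patch exists but an
    exploit is public or for sale), or merely patchable."""
    if not i.patch_available:
        return "zero-day"
    if i.exploit_for_sale or i.exploit_public:
        return "one-day"
    return "patchable"

# Assumed weights: an obtainable exploit outranks everything but asset criticality.
WEIGHTS = {"zero-day": 25, "one-day": 30, "patchable": 5}
ACTIONS = {"zero-day": "apply compensating controls; no vendor patch yet",
           "one-day": "patch immediately; exploit is obtainable",
           "patchable": "patch in the normal cycle"}

def score(f: Finding, i: Intel) -> int:
    s = WEIGHTS[classify(i)] + 4 * f.criticality
    if i.exploit_for_sale:
        s += 10  # listed for sale: cheaply available to any buyer
    return s

def prioritise(findings, feed):
    """Return (score, asset, cve, action) rows, highest priority first.
    CVEs absent from the feed are treated as patchable with no known exploit."""
    by_cve = {i.cve: i for i in feed}
    rows = []
    for f in findings:
        i = by_cve.get(f.cve, Intel(f.cve, True, False, False))
        rows.append((score(f, i), f.asset, f.cve, ACTIONS[classify(i)]))
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed sample inventory and feed; the CVE ids are placeholders.
FINDINGS = [Finding("ehr-app-01", "CVE-0000-1111", 5), Finding("pacs-srv-02", "CVE-0000-2222", 4),
            Finding("kiosk-07", "CVE-0000-3333", 2), Finding("hr-web-01", "CVE-0000-4444", 3)]
FEED = [Intel("CVE-0000-1111", True, False, True), Intel("CVE-0000-2222", False, False, True),
        Intel("CVE-0000-3333", True, True, False)]
```

Running `prioritise(FINDINGS, FEED)` puts the patient-facing system with a for-sale one-day exploit first, ahead of the zero-day, because it can be fixed today.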
To protect against dark web-fueled attacks, CISOs should engage their core stakeholders among executive leadership, physicians, patients, medical device manufacturers and service providers to make security a strategic priority for their organization, Hurd said.
"Healthcare CISOs need to make a call to collective action," Hurd said. "The recent ransomware attacks, continuing compromises of medical records, and specific targeting of healthcare organizations will continue and likely increase.
"Instead of individual hospitals and healthcare companies trying individually to monitor the dark web for vulnerabilities or indicators of their medical information up for sale, they should consider collective action and threat information sharing via the National Health Information Sharing and Analysis Center (NH-ISAC) and other trusted communities," he added.
This model is a best practice used by the financial and critical infrastructure communities.
"While running the intelligence program at the Microsoft Cybercrime Center, we shared critical vulnerability and compromised IP addresses from our botnet takedown operations to these central groups via these trusted communities," Hurd said.