Security giant McAfee to healthcare CIOs, CISOs: Know your enemy
The healthcare industry is up against an increasingly difficult challenge: Deliver high-quality care and rein in costs while consistently assuring safe data handling. As has been obvious with the large healthcare breaches that seem to occur every few months, this challenge continues to get more difficult.
Outside of the larger breaches, including Augusta University Medical Center and Anthem BlueCross BlueShield, last month’s disclosure of Justin Bieber’s medical information was yet another reminder of the depth of sensitive personal information held within healthcare organizations.
So just how vulnerable is the healthcare industry? Quite, according to the new “McAfee Labs Threats Report: September 2017” study from security giant McAfee, which not only identifies threats but suggests ways healthcare CIOs and CISOs can protect themselves from the threats.
McAfee Labs’ quarterly analysis of publicly disclosed security incidents found the public sector to be the most impacted North American sector over the last six quarters, but healthcare overtook it in the second quarter of 2017 with 26 percent of incidents.
While most healthcare data breaches are still most likely the result of accidental disclosure and human error, deliberate cyberattacks on the sector continue to increase. The trend dates to the first quarter of 2016, when numerous hospitals around the world sustained ransomware attacks that paralyzed several departments and, in some cases, forced hospitals to transfer patients and postpone surgeries.
In the second quarter of 2017, account hijacking led the disclosed attack vectors, followed by DDoS, leaks, targeted attacks, malware and SQL injection, the report found.
For CIOs and CISOs, McAfee groups its guidance on active threats into three areas: know the enemy, know your network, know your tools.
“As a defender, you are not fighting binaries, you’re fighting attackers with a strong motivation, whether financial, political or military,” said Ismael Valenzuela, principal engineer for Foundstone Services at McAfee. “So, get in their head and think – what is the driving force behind their attack? You can’t just base your defense solely on indicators of compromise, and the fact that someone has already seen them does not mean that you are going to see them.”
The indicators a defense built on IOCs depends on, such as IP addresses, domains and file hashes, are cheap for attackers to change; they can rotate them quickly and with little effort, sometimes hundreds of times per minute.
“Therefore, effective hunters must focus on the high-level tactics and techniques that allow them to profile attackers and understand how their motivations affect their behavior, all while searching across the network for evidence of those behavioral patterns, augmenting your knowledge of the enemy,” Valenzuela said.
Healthcare CIOs and CISOs also must know their networks inside and out. Attackers sometimes know their victims’ networks better than the organizations do.
“With many companies still putting the focus on keeping bad guys outside their network perimeter and off their end-points, they do not spend enough time on continuous monitoring, detection and on fast response,” Valenzuela said. “So, think like an attacker and make a conscientious effort to know the ins and outs of your network better than anyone else. That means knowing what normal looks like on the network, in order to spot abnormal patterns.”
Knowing one’s network relates to knowing one’s enemy: Defenders must profile which threat actors are most likely to pose a serious threat to their networks, based on industry, geolocation, public profile and similar factors, in order to understand which particular data those actors would go after and therefore which segments of the network and which systems need attention, Valenzuela explained.
“Focusing on targets and motivations allows security teams to narrow the kind of tactics and techniques attackers are most likely to use and to prioritize the hunt for those,” he added.
And finally, CIOs and CISOs need to know their tools in order to best defend against today’s cyber threats.
“Effective attackers use a variety of tools, which means defenders must do the same for success,” Valenzuela said. “This entails learning when your tools are at their best and when they tend to fail, without relying too much on any one of them.”
When there is no effective tool to parse and analyze data, effective threat hunters often write their own tools (i.e. scripts) or adapt those at hand through the use of automation, integration and orchestration, he added.
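The approach described above, hunting for behavioral patterns rather than for indicators that attackers rotate at will, baselining what normal looks like on the network, and scripting the analysis when no tool fits, can be illustrated with a short hunting script. The following Python is an added example and is not code from the McAfee report or from Foundstone; the log format, accounts, IP addresses, host names, thresholds and the IOC blocklist are all constructed for illustration. It builds a per-account baseline from a known-good window and then scores a later window against it, alongside a plain IOC match that the attacker's rotated infrastructure slips past.

```python
"""Behavioral hunt for account hijacking over constructed authentication logs.
Added example, not from the McAfee report: a stale IOC blocklist is compared
with a per-account baseline. All accounts, IPs and hosts are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed "known good" auth events: timestamp, account, source IP, target host, outcome.
BASELINE_LOGS = [
    "2017-07-03T08:12:04 nurse.a 10.20.1.15 emr-web-01 success",
    "2017-07-03T09:40:11 nurse.a 10.20.1.15 emr-web-01 success",
    "2017-07-04T08:05:51 nurse.a 10.20.1.22 emr-web-01 success",
    "2017-07-05T14:30:02 nurse.a 10.20.1.15 emr-web-02 success",
    "2017-07-03T10:00:00 admin.b 10.20.5.7 fileserver-01 success",
    "2017-07-04T11:15:42 admin.b 10.20.5.7 backup-01 success",
]

# Constructed events from the hunt window. The attacker rotates source IPs
# (none on the blocklist), guesses nurse.a's password, then fans out to hosts
# that account never touched before. admin.b behaves as usual.
HUNT_LOGS = [
    "2017-07-10T02:13:09 nurse.a 203.0.113.41 emr-web-01 failure",
    "2017-07-10T02:13:14 nurse.a 203.0.113.41 emr-web-01 failure",
    "2017-07-10T02:13:20 nurse.a 203.0.113.41 emr-web-01 success",
    "2017-07-10T02:14:02 nurse.a 198.51.100.9 fileserver-01 success",
    "2017-07-10T02:14:30 nurse.a 198.51.100.9 backup-01 success",
    "2017-07-10T02:15:01 nurse.a 192.0.2.77 billing-db-01 success",
    "2017-07-10T10:02:11 admin.b 10.20.5.7 fileserver-01 success",
]

# Hypothetical IOC feed: infrastructure the attacker has already rotated away from.
IOC_BLOCKLIST = {"203.0.113.250", "198.51.100.200"}

def parse(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, account, src, host, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": src, "host": host, "outcome": outcome}

def subnet(ip):
    """Crude /24 grouping so a new desk on the same floor is not 'abnormal'."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def ioc_hits(lines, blocklist):
    """Indicator matching: only fires if the attacker reuses a listed IP."""
    return [ev for ev in map(parse, lines) if ev["src"] in blocklist]

def build_baseline(lines):
    """Learn what normal looks like per account: source subnets, hosts, hours."""
    baseline = defaultdict(lambda: {"subnets": set(), "hosts": set(), "hours": set()})
    for ev in map(parse, lines):
        if ev["outcome"] != "success":
            continue
        b = baseline[ev["account"]]
        b["subnets"].add(subnet(ev["src"]))
        b["hosts"].add(ev["host"])
        b["hours"].add(ev["ts"].hour)
    return dict(baseline)

def behavioral_hits(lines, baseline, new_host_threshold=2):
    """Score each account's hunt-window activity against its baseline.

    Returns {account: {"score": n, "reasons": [...]}} for accounts that deviate;
    the score is simply the number of independent deviations observed.
    """
    per_account = defaultdict(list)
    for ev in map(parse, lines):
        per_account[ev["account"]].append(ev)

    findings = {}
    for account, events in per_account.items():
        b = baseline.get(account)
        if b is None:
            findings[account] = {"score": 1, "reasons": ["account has no baseline"]}
            continue
        reasons = []
        successes = [e for e in events if e["outcome"] == "success"]
        new_subnets = {subnet(e["src"]) for e in successes} - b["subnets"]
        if new_subnets:
            reasons.append(f"success from unseen subnet(s) {sorted(new_subnets)}")
        off_hours = sorted({e["ts"].hour for e in successes} - b["hours"])
        if off_hours:
            reasons.append(f"success at unseen hour(s) {off_hours}")
        new_hosts = {e["host"] for e in successes} - b["hosts"]
        if len(new_hosts) >= new_host_threshold:
            reasons.append(f"fan-out to {len(new_hosts)} never-used host(s) {sorted(new_hosts)}")
        # Failed logins that precede a success on the same account look like guessing.
        guesses = [e for e in events if e["outcome"] == "failure"
                   and any(s["ts"] > e["ts"] for s in successes)]
        if guesses:
            reasons.append(f"{len(guesses)} failure(s) followed by success")
        if reasons:
            findings[account] = {"score": len(reasons), "reasons": reasons}
    return findings

if __name__ == "__main__":
    print("IOC hits:", len(ioc_hits(HUNT_LOGS, IOC_BLOCKLIST)))
    for account, f in behavioral_hits(HUNT_LOGS, build_baseline(BASELINE_LOGS)).items():
        print(f"{account}: score {f['score']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run as written, the IOC match returns nothing because the attacker never reuses a listed address, while the behavioral pass flags nurse.a on four independent deviations (unseen subnets, an unseen hour, fan-out to three never-used hosts, and failures preceding a success) and stays silent on admin.b. The baseline here is deliberately tiny; in practice it needs weeks of data per account, working hours expressed as ranges rather than a set of seen hours, and thresholds tuned to the organization, but the shape of the hunt, tactics and behavior over atomic indicators, is what the passage describes.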