Tactical cybersecurity: Military war-gaming comes to healthcare
Hospitals are facing attacks from every angle, whether it be their domain name system or the connected medical devices keeping their patients alive. Compounding this issue is the fact that few specific healthcare guidelines for training and readiness exist beyond compliance checklists. Even the 2017 report from the Health Care Industry Cybersecurity Task Force stated that the NIST frameworks do not offer enough guidance specific to the healthcare industry.
The missing element in the healthcare industry’s approach is a focus on cybersecurity staff, according to Laura Lee. She knows quite a bit about this subject: Lee developed the first-ever “Cyber Protection Team Crew Operations Manual for U.S. Military Forces and National Guard Teams” for the Department of Defense.
From her experience with the military manual, Lee pointed to ways healthcare cybersecurity staff can stay current and nimble even as new threats emerge daily.
“The two ways I believe will help healthcare cybersecurity staff stay abreast and in front of emerging threats are to develop applied information-sharing mechanisms and perform war gaming using real-world threat actors and trends,” said Lee, who now is executive vice president of Circadence, a cybersecurity training firm.
First, on developing applied information-sharing groups within the sector: sharing of cyberattack techniques and mitigation strategies is still uncommon today.
“There are two main reasons acknowledged for this lack of widespread adoption: first, it is difficult to anonymize the relevant data necessary to adequately describe events,” Lee explained. “Second, the entire concept is reactive and difficult to be interpreted by a broad enough set of cybersecurity professionals.”
She recommended using realistic scenarios in an exercise as the best information-sharing strategy. Working on generic networks created in a virtual world that includes systems and policies used throughout the health sector, cybersecurity staff and their leadership should come together in exercises on a continuous, quarterly basis.
“Healthcare organizations should create realistic scenarios using the typical threat actors seen in this sector,” she advised. “By discussing the issues on a generic healthcare network using common defense tools in the industry, the participants can work out the challenges they are seeing and discuss what is working or not, without the fear of releasing sensitive information.”
Those scenarios should also take into account known threats that are not necessarily targeting healthcare specifically, or at least not doing so yet.
When U.S. CERT issued a warning that the DragonFly group was launching advanced persistent threats against energy, aviation, nuclear, manufacturing and water sectors, for instance, HIMSS Director of Privacy and Security Lee Kim cautioned in her October 2017 report that nefarious cybercriminals would likely be watching.
Potential attackers might learn from such campaigns, Kim said, and add new tricks or techniques to threats they perpetrate against hospitals.
These exercises can, in turn, lead to crowdsourcing best practices among organizations and provide a safe mechanism to share ideas without sharing specifics about one’s own network.
“It is exactly this type of activity that gave me an opportunity to observe many teams across the military in order to determine what were the best approaches in terms of actions and tools, as the foundation for the Crew Operations Manual,” Circadence’s Lee added.
Lee’s second tactic is to regularly perform war games with recent threats, new procedures and advanced tools as the cyber-threat landscape continually evolves. Even during the height of the WannaCry ransomware attack on hospitals in May 2017, adversaries were altering and refining their techniques.
“The best cybersecurity defenders get ahead of threat evolution by practicing as a team against actual threat actors – Deep Panda, Anonymous – and share applied knowledge of best tactics, techniques and procedures,” Lee said. “By understanding trends in healthcare cyberattacks at the fundamental level, the defenders understand the detailed underpinnings and not just the signatures or indicators of compromise.”
Threat actors are organizations that frequently change tactics but also stick with many components from attack to attack. By developing war games with actual threat actors, defenders learn the nuances of each adversary’s family of tactics.
“War gaming generally means a simulation or model is used where the events are affected by the decisions of players representing both sides,” Lee explained. “Frequently, this is referred to as Red team, the adversary, versus Blue team, the defender. The reality is that war gaming in cyber involves, or should involve, a much more multi-disciplinary team.”
Lee’s preference is to create a war game in a virtual environment in order to actually understand what the threat activity looks like, the timelines, artifacts and how the threat interacts with specific defense systems.
Healthcare cybersecurity staff can create war gaming scenarios for their specific environment and emulate threat actors they have encountered or understand are present in the sector. Unfortunately, there are plenty of real-world examples of recent attacks in the healthcare industry to use as a starting point.
“Healthcare business, at all levels of size and complexity, can first develop their mission impact model and then train their teams,” she said. “Finally, they can bring this knowledge together to share their policy templates, risk mitigation strategy and lessons learned in a proactive manner.”
If this had been done across the healthcare sector, perhaps staff would have recognized their key terrain or been involved in continuous exercises with others in their industry, discussed vulnerabilities and exploits as they evolved, and avoided the numerous breaches over the past five years, Lee concluded.