Tips for detecting ransomware and other malware before it cripples your network
Before the prevalence of mobile phones and caller ID, there was an urban legend about a babysitter receiving frightening calls. Long story short: When an operator runs a trace, the babysitter is told to her horror, “The calls are coming from inside the house!”
Such is the case with cybersecurity today. Threats are not just coming from without, they also are coming from within. Cybercriminals might be trying to crack through a healthcare organization’s outer defenses, or, they may already be inside an organization’s network. Either way, the horror they can wreak upon a healthcare organization is considerable, including not just holding data hostage but bringing patient care to a standstill.
Consequently, healthcare executives must know how to detect malware in order to prevent the heinous software from executing and doing damage.
“There is a measure of security effectiveness called dwell time, which refers to the length of time a piece of malware or a hacker is in an organization before the organization detects them,” said Peter Firstbrook, a research vice president at Gartner who specializes in security. “When you look at the incident investigation reports from major firms like Verizon and Mandiant, dwell time can be measured in hundreds of days, and this is because many organizations do not have effective detection capabilities. If an organization’s protections do not alert staff, they assume they are safe. You should always assume the opposite.”
The first steps
To successfully detect malware, healthcare CIOs, CISOs and other executives must create a strategy, a plan of attack – or in the case of malware, counterattack.
“There are various components that comprise a detection program: network-level detection, end-point detection, content security detection, malware analysis, appliances for detection and employee education,” said Jeff Pollard, a principal analyst at Forrester Research Inc. who specializes in advanced threats, forensics and incident response. “Executives begin the process of going to the security and IT teams, which decide on the technologies, the processes and the people that will bring a security strategy to life, and then investments are made appropriately.”
One important part of an effective detection strategy, Pollard added, is the underlying assumption that an organization’s protection layer has failed.
“When you are focusing on detection of malware, you in part are building a strategy that can find malware when all your prevention controls have failed – and that should play a big part if you are relying on similar technologies to detect and to prevent,” he said. “You have to make sure if your technologies fail in prevention that you are not also relying on the very same technologies for detection because they may not be able to do that.”
John Fowler, deputy information security officer at Henry Ford Health System, said that when healthcare executives are formulating malware detection strategies, they need to channel ancient Chinese general and military strategist Sun Tzu, who famously said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
“You have to understand the threat landscape from an external and internal perspective,” Fowler said. “If you understand the threats and your inside information, that greatly assists you with detection.”
A good place to start when creating and effecting a malware detection strategy is to inventory all hardware and software within a healthcare organization, Chuck Kesler, chief information security officer at Duke Health, recommended.
“You need to know what is out there, who’s on it, where it’s at,” he said. “If you do detect something malicious, you need to be able to track it down and get it off the network. Not knowing what you have can really slow you down, as opposed to having that crucial information readily at hand. That dictates how you go about detecting as well as how quickly you can respond to an incident.”
Kesler added another detection tip: Never run a flat network, in other words, a network that is built in only one segment.
“Have multiple zones in your network, where you group like systems together so you can apply certain rules internally that say a particular system will only be functioning in this zone and should not be talking with systems in other zones,” he said. “You don’t just allow any communication, you define what legitimate communications are and block things that don’t fit those rules.”
Another tip for detection strategy may seem like an obvious one, but in practice (pun intended), it is not.
“One thing we unfortunately see is organizations not even following security best practices, and that gets them in trouble,” said Kevin Haley, director, Symantec Security Response, at Symantec Corp. “The basics. For example, you should never allow executables to come through your mail gateways as attachments. That’s a best practice. You should be detecting and stopping executables like screen-savers, which are very popular. In research we’ve seen 10 percent of organizations allowing screen-savers in. You’re just asking to be infected.”
There are a variety of security technologies that healthcare organizations can use to detect malware at a time when defenses need to be stronger than ever.
“Organizations need good intrusion detection software and intrusion prevention software, which are very good at detecting indicators of malware and compromises and can generate alerts to staff – and with the prevention systems, take action on alerts,” Duke Health’s Kesler said. “Sometimes IDS and IPS systems are bundled in with next-generation firewalls. These IDS systems incorporate behavioral characteristics as opposed to just straight signatures and as a result are very good at finding those needles in the haystack.”
Kesler added security incident and event monitor systems go hand in hand with IDS and IPS systems. “SIEM systems collect all of the log information from systems within a network in one place and apply algorithms to the information to pop out those needles in the haystack,” he said.
Robert Pierce, chief information security officer at Carolinas HealthCare System, recommended installing security appliances that can help detect malicious communications from malware on a network.
Source: Healthcare IT News and HIMSS Analytics Quick HIT Study: Ransomware, April 2016
“We have put up several security appliances at the Internet gateway to study egress traffic, to be aware of what exactly is trying to ‘call home,’” Pierce said. “Tools such as FireEye can detect traffic as it is trying to leave your network. The tools have databases of known command-and-control malware servers, large lists of known attackers. The tools block traffic heading for these servers and correlate that information back to a machine so you can figure out what is going on.”
And CIOs and CISOs can play in the sandbox, a newer way of detecting malware.
“Automated malware analysis appliances, also known as sandboxes, are technologies that sit either inline or out of band,” Forrester’s Pollard said. “An organization can carve off traffic from a network and send it to the sandbox, which detonates files in a virtual environment that resembles an OS so an organization can detect the kinds of changes a file would make to a system and discover if, in fact, the file is malicious.”
When it comes to detection and general security technologies, the latest acronym to hit the scene is EDR, which stands for end-point detection and remediation. The two biggest names in the EDR market today are Carbon Black and Tanium, said Firstbrook of Gartner.
“The end-point is your last line of defense – while network security is great, end-points need to be self-defending, in part because many often go out of the network, like laptops, and that might be where infection takes place,” Firstbrook explained. “Anti-virus traditionally has been the defensive technology here, but we have trained anti-virus vendors to be quiet. They used to ask users or administrators if they want to do a certain function, but people started saying you’re bothering me with all these alerts, just do your job. So that’s what the anti-virus vendors did.”
[Special Report: Tips for protecting hospitals against ransomware as attacks surge]
Firstbrook explained this led to anti-virus software – which remains important – containing many security controls that are not deterministic.
“EDR systems are verbose and use much more fuzzy technology for detecting malicious things,” he said. “They do not always produce 100 percent accurate results, but they give an organization a strong and helpful indicator. For instance, an EDR might say that it’s 75 percent certain this is a severe threat, and thus the organization should put a human on it and focus on this stuff that matters.”
EDR systems are newer, and only the most advanced organizations with well-staffed security operations centers have so far invested in the technology, Firstbrook said. EDR systems cost between $20-40 per end-point per year, he added.
The human factor
In the arena of information security, people can be the biggest problem – and the biggest defense asset.
“When it comes to defenses for detecting security threats, the big one, the one where you get the most bang for your buck, is training end users – they are your front line of defense,” said David Finn, health IT officer at Symantec Corp. “In healthcare, we spend a lot of time teaching employees how to wash their hands, but we do not teach them how to recognize a spear-phishing attack.”
Pierce of Carolinas HealthCare System wholeheartedly agrees that while people can be the source of security problems, they also are the best assets in fighting security threats.
“Vendors ask me what keeps you up at night – 45,000 employees keep me up at night,” Pierce said. “They each are making dozens of security decisions on a daily basis. Are they logging out? Are they remembering not to use their administrative accounts for common activities? We get 70,000 e-mails a day from the outside. That’s 70,000 times an employee can make a right or wrong choice.”
So to help train employees how best to negotiate the sometimes hostile e-mail terrain, Carolinas stamps every incoming e-mail with a message atop that cautions employees it is an external e-mail. Also as part of its employee training, every quarter Carolinas conducts a fake e-mail phishing campaign purposefully designed to trick employees into clicking on a link within an e-mail. If an employee clicks on what would under other circumstances be a malicious link, a message pops up informing them of their poor choice, and information security staff are informed so they can follow up.
“Not too long ago, a good employee, who knew not to click on things, received a social engineering phone call that said they were helping to support our copier company and they understood we were having problems with our copiers,” Pierce said. “Well who isn’t having problems with their copiers? So this caller said they would follow up with an e-mail and there will be instructions in it. And this great employee clicked on it. So there was some clean-up to do after that. These attackers are getting very intelligent.”
In the first quarter of 2016, Duke Health conducted more than 100 information security training events on a variety of cybersecurity topics.
“It is time-intensive to do this, but that personal touch really helps,” said Kesler of Duke Health. “We also use every communications vehicle available – electronic newsletters, e-mail blasts, training modules in learning management systems, screen savers with security reminders – and keep the message simple. And we make it easy for anyone to contact us, via a simple e-mail address, security@. And we let everyone know we would rather them over-communicate rather than miss something because someone thought something was not a big deal.”
When it comes to cybersecurity training, CISOs and other experts strongly agree on a big point – once or twice a year is not enough.
“Doing something twice a year is not going to make someone an expert,” Forrester’s Pollard said. “Most businesses are battling this intersection of ‘Go fast and improve the experience and collaborate better’ and ‘Don’t click on things you don’t know.’ Security teams have to understand doing training twice a year does not make someone an expert and they must be real sensitive to that.”
Sign up for the Healthcare IT News Privacy & Security Update newsletter.
Security executives must keep training current because of the speed of change in the threat landscape and the number of mutations that come out in a given year, said Finn of Symantec.
“When a new threat shows up, there needs to be immediate training,” Finn said. “Most of the healthcare executives I’ve spoken with recently have reported an uptick in ransomware attacks, but I never heard any of them talk about training their end users. And that is what it will take. You can only change technologies so quickly, so at some point you have to get the users involved to become the front line of defense.”
Many organizations have given up on users, saying users are untrainable, said Haley of Symantec. “But while you can fool some of the people some of the time, if you give those people high-quality awareness training, you cannot fool all of the people all of the time. That is a critical piece organizations have been missing.”
The big three
In the end, healthcare CIOs, CISOs and other executives responsible for detecting the seemingly endless barrage of malware among the legitimate incoming traffic and among the legitimate content already within a network point to the tried-and-true triumvirate of policy, process and technology – in that order.
“Your policy sets the stage for the organization for acceptable use and unacceptable use, it defines what the organization finds valuable from a data perspective, it gives the IT and end users that scope in which they can operate effectively,” Henry Ford’s Fowler said. “Then process, you develop process that supports that, technologically and administratively. And last, technology, if I do not have policy and process nailed down, how do I know what technology to implement and how to implement it correctly?”