There has recently been a noticeable increase in cyber-attacks targeting health care organizations (details are available here). Given this, it is imperative to determine whether your environment is susceptible to these types of targeted attacks and whether you can identify their Indicators of Compromise (IoCs).
In many of these successful attacks, IoCs were present but were either overlooked or not acted upon. As a result, many attacks that could have been prevented were not. While several ransomware/malware variants are used in these targeted attacks, many of the IoCs can be identified early in the attack process, provided you know what you are looking for. Many of the variants are only days or weeks old, which makes them very hard to detect without some form of automation and integration in your security posture.
In addition to using integrated security technologies such as firewalls, anti-virus, etc., to protect your environment, here are three steps we recommend taking as soon as possible to improve your defenses:
1. Continuous Activity Monitoring
Continuous activity monitoring keeps you constantly aware of the activity and traffic traversing your environment, including data access, authentication, file installations, application and process activity and access, activity logging, and privileged account activity and privilege escalations. Beyond the monitoring itself, once questionable activity is detected, your security team must be properly equipped to identify the potential threat and take immediate corrective action. For example, can you detect malicious activity, including suspicious DNS traffic and encrypted traffic patterns, and stop it 24/7? Attackers don’t limit their attacks to the business day.
2. Backup Protection
Ensure your backups are not only active and working but also separated or insulated from attackers. For example, once dropped, almost all ransomware will use AES-256 to encrypt files and an RSA public key to encrypt the AES key. The next typical step in the attack process is for the attacker to drop files and processes designed to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the target systems from recovering encrypted files without the decryption program. Consequently, it is vitally important to protect your backups from these types of attacks by separating them from your potentially infected systems.
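The backup-destruction step described above is one of the earliest, most reliable IoCs in a ransomware run, and it is a good target for the continuous monitoring recommended in step 1. The following is an added example, not code from the original post: simple detection logic for shadow-copy and backup-catalog deletion run over constructed sample process-creation events (the `host|user|parent|command line` layout and all event values are made up for illustration).

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (as you might export from
# Sysmon Event ID 1 or Windows Security 4688), flattened to
# "host|user|parent process|command line".  Values are made up.
SAMPLE_EVENTS = [
    "hr-ws01|svc_backup|wbadmin.exe|wbadmin start backup -backupTarget:E:",
    "hr-ws01|jdoe|cmd.exe|vssadmin delete shadows /all /quiet",
    "lab-srv02|SYSTEM|services.exe|vssadmin list shadows",
    "lab-srv02|jdoe|powershell.exe|wmic shadowcopy delete",
    "fin-srv01|jdoe|cmd.exe|wbadmin delete catalog -quiet",
    "fin-srv01|admin|mmc.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10%",
]

# Detection rules for backup / shadow-copy destruction (the "inhibit system
# recovery" step).  Each rule is (name, case-insensitive regex on the command line).
# Benign administration such as "vssadmin list shadows" must NOT match.
RULES = [
    ("vss_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    command: str

def parse_event(line):
    """Split one flattened event into (host, user, parent, command)."""
    host, user, parent, command = line.split("|", 3)
    return host, user, parent, command

def detect_recovery_inhibition(events):
    """Return one Alert per event whose command line matches a destruction rule."""
    alerts = []
    for line in events:
        host, user, parent, command = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(command):
                alerts.append(Alert(host, user, name, command))
                break  # one alert per event is enough for triage
    return alerts

def hosts_to_isolate(alerts):
    """Hosts seen running backup-destruction commands, in first-seen order."""
    seen = []
    for alert in alerts:
        if alert.host not in seen:
            seen.append(alert.host)
    return seen

if __name__ == "__main__":
    for alert in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host} user={alert.user}: {alert.command}")
```

In production the same matching belongs in your SIEM or EDR as a high-severity rule, paired with an automated response (host isolation, backup-job lock) so it fires and is acted on outside business hours as well.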
3. Environment Review and Access Testing
Reviewing the environment and testing the levels of access available within it (think topology) will show whether malicious activity could traverse your environment undetected, or would be detected and stopped. This can be accomplished in a variety of ways, including penetration testing to find paths an attacker could use to traverse the environment or reach sensitive data, along with password cracking of administrative accounts to find weak credentials.
These recommended steps will help you lower your overall risk of a successful cyber-attack that takes your business off-line.