This post started as a reply to a great topic on LinkedIn, but I hit the character limit so now it’s a blog post!
Years ago I simulated attacks (authorized, obviously, for the people that have wild imaginations) on a customer, which included a physical attack where I walked into a healthcare organization. Armed with a suit, a smile (and a USB key), I needed to gain access and attempt to move laterally and escalate privileges.
So after some planning, I suited up and walked in looking like I had somewhere to be! I then proceeded to locate a device in a secluded location where I could lock myself in a room, gain network access and become a domain administrator. In, say, 15 minutes from entering the complex I was local admin on > 6000 machines and was also domain admin… Yikes! But why does this matter?
Threat Intelligence and Offensive Security to Improve Cyber Defence
One thing I think people often get confused about is the angles of attack: how different threat profiles will attempt to gain access, and for what purposes.
I’m not sure how new the Forester model is, but the approach of:
> Understand threat capabilities and behaviours
> Understand attack surface
> Understand avenues of likely exploitation
> Understand how to move laterally and escalate
> Understand the controls in place and how effective they are
> Conduct exercises to assess coverage
> Remediate gaps
well… that’s everyday life for orgs that have active defence capabilities.
Sometimes people obsess over fancy Nation State and APT “Magic” but largely there’s this:
> If they are committed and well-resourced, they will try to get someone hired
> If they are well funded they can bribe or extort credentials/access
> They can pay off cleaners/staff etc. to insert malicious USB drives
and obviously other vectors… it’s important to understand these; some of them are significantly hard to protect against.
Then we have external attacks:
> Phishing is cheap
> Phishing is fast
> Phishing for Business Email Compromise (BEC) and CEO Fraud etc. is commonly used by criminal gangs
> Network based attacks are usually opportunistic
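The model above (understand threat behaviours, understand the controls in place, assess coverage, remediate gaps) can be written down as a small check that runs over the threat vectors listed in this post. This is an added illustration, not code from the original post or from any vendor model; the vectors, the likelihood weights, and the control set are constructed sample data, and a real exercise would replace them with the organization's own threat profile and control inventory.

```python
"""Threat-vector coverage gap check (illustrative, constructed data).

Walks the steps from the post: list the threat behaviours you expect,
record which controls prevent or detect each one, and report the gaps
with the most likely vectors first.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    """A defensive control and the threat vectors it prevents or detects."""
    name: str
    prevents: set = field(default_factory=set)
    detects: set = field(default_factory=set)


# Threat vectors taken from the post, each with a constructed likelihood
# weight (phishing is cheap and fast, so it gets the highest weight; getting
# someone hired is the most committed and expensive route, so the lowest).
THREAT_VECTORS = {
    "phishing": 5,
    "bec_fraud": 4,
    "opportunistic_network": 3,
    "malicious_usb": 3,
    "bribed_credentials": 2,
    "insider_hire": 1,
}

# Constructed control inventory: what each control prevents and what it detects.
CONTROLS = [
    Control("email_filtering", prevents={"phishing", "bec_fraud"}),
    Control("mfa", prevents={"bribed_credentials"}, detects={"bribed_credentials"}),
    Control("usb_device_control", prevents={"malicious_usb"}, detects={"malicious_usb"}),
    Control("edr_alerting", detects={"phishing", "opportunistic_network", "malicious_usb"}),
    Control("external_patching", prevents={"opportunistic_network"}),
]


def coverage(threats, controls):
    """Return {vector: {"prevent": [control names], "detect": [control names]}}."""
    cov = {v: {"prevent": [], "detect": []} for v in threats}
    for c in controls:
        for v in c.prevents:
            if v in cov:
                cov[v]["prevent"].append(c.name)
        for v in c.detects:
            if v in cov:
                cov[v]["detect"].append(c.name)
    return cov


def gaps(threats, controls):
    """Vectors with no preventive or no detective control, highest weight first.

    Each entry is (weight, vector, missing), where missing is a sorted list
    drawn from {"prevent", "detect"}. Vectors that are fully covered are omitted.
    """
    cov = coverage(threats, controls)
    out = []
    for v, weight in threats.items():
        missing = sorted(kind for kind, names in cov[v].items() if not names)
        if missing:
            out.append((weight, v, missing))
    out.sort(key=lambda entry: (-entry[0], entry[1]))
    return out


if __name__ == "__main__":
    for weight, vector, missing in gaps(THREAT_VECTORS, CONTROLS):
        print(f"[{weight}] {vector}: no {' or '.join(missing)} control")
```

With the sample data the report flags BEC fraud (prevented by email filtering but never detected once a message gets through) and the insider-hire route (neither prevented nor detected), which matches the post's point that some of these vectors are significantly harder to cover than others. Re-running the check after each remediation is the "conduct exercises to assess coverage" step in miniature.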
A good approach for testing your ability to protect, detect and respond to potential threats and risks is to adopt:
- An attacker mindset
- Continual testing (CI/CD and human based)
- Security embedded into the heart of your SDLC, product teams and projects from the inception point
This isn’t something that most IT orgs can simply “just do”; they often are:
- Under-resourced
- Lacking the time or specialist knowledge/skills
Or a combination of both. The priorities for IT teams are a mixture of performance, availability, customer service, keeping the lights on and change projects, let alone needing to think about security from an offensive perspective.
Taking Healthcare Cyber Defence Forward
People (especially marketing) can obsess over nation state and Hollywood-style risks. When we think about nation states we need to think about a robust and holistic defence. Not surprisingly, we also need to do this when it comes to cybercrime (organized crime as well as motivated and adventurous groups which may not be so well resourced but can deliver effects – like LAPSUS have). Does healthcare need to have a two-zero-day defence model? Possibly not, but does it absolutely need to be able to defend against a single zero day and the typical cybercrime capabilities deployed by ransomware actors? Absolutely.
The only way we are going to be able to do that (in the current era at least) is to ensure current-state defensive efforts inside healthcare networks are laser focused on reducing the likelihood and impact of human-operated offensive capabilities, as well as ensuring there is strategic change in how healthcare approaches cyber security at the individual and organizational level. Since 2017 there’s been good progress in some spaces (the NHSD (now NHSE) team etc.) but when it comes to the whole sector there’s significant work to be done! We just need to be smart about how we approach the challenge!