© 2016 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for Public Release; Distribution Unlimited (15-4033)
Practical Cyber Threat-Based Defense for Healthcare Networks
March 1, 2016
Denise Anderson, Executive Director, National Health Information Sharing and Analysis Center (NH-ISAC)
Julie Connolly, Principal Cybersecurity Engineer, The MITRE Corporation
Conflict of Interest
Denise Anderson, NH-ISAC, MBA
Julie Connolly, MITRE, B.S.
Have no real or apparent conflicts of interest to report.
Agenda
• Current cybersecurity threats to healthcare
– What, who, why, how
• A threat-based approach to cybersecurity defense
– Definition
– How it differs from “traditional” cybersecurity
– Why it is effective
• Practical approaches to implement a threat-based cybersecurity defense
Learning Objectives
• Describe the new types of cybersecurity threats in the healthcare domain, including the potential damage that can result from a successful attack
• Recognize what a cyber threat–based defense is and how it is effective in combatting sophisticated cyber adversaries
• Identify strategies for maximizing the effectiveness of cybersecurity defenses within limited-resource environments
Clinical accuracy & timeliness rest on accurate, available PHI; that comes from ensuring the integrity and confidentiality of patient data, via a reduction in the number of cybersecurity incidents on healthcare networks.
The Trend is Not Good: Record High Exfiltration

Year  Organization                           Records exposed
2013  Presbyterian Anesthesia                         10,000
2013  Holy Cross Hospital                              9,900
2013  Medical University of South Carolina             7,000
2014  Community Healthcare                         4,500,000
2014  The Harley Medical Group                       500,000
2014  St. Joseph Health System                       400,000
2015  Anthem                                      80,000,000
2015  Premera Blue Cross                          11,000,000
2015  CareFirst Blue Cross Blue Shield             1,100,000

81% of hospitals and health insurance companies have had a data breach in the past two years.
The Problem
Anthem 80 million
Environment Challenges
– Open Environments
– Diverse Base
– Internet Connections
– Lack of:
• Security Education
• General Situational Awareness
• Threat Intelligence
• Cyber Strategy
• Cyber Security
• Skilled Staff
• Maturity of Programs
Who is targeting healthcare?
Motivation
Tactics: Ransomware
Examples include: CryptoLocker, CryptoWall, CryptoDefense, TorrentLocker, Darkleech
Top infection counts: US, Australia, Canada, UK, India; a Singapore trend was also seen.
Tactics: Distributed Denial of Service (DDoS)
Examples include:
Sony PlayStation – Lizard Squad
Operation Ababil
Las Vegas – Gaming Industry
Israel
DD4BC
World Cup
Tactics: Spear Phishing
Examples include:
Court Notice
Invoice/Statement
Shipping Themes: DHL, Fedex, UPS
EZ Pass
Bank phish – SWIFT transfer
Dhgate invoice
eFax
Salesforce
Reward themes
Airline – Delta
WhatsApp – You’ve got a voicemail
Tactics: Drive-by Downloads, Watering Holes, and Malvertising
Examples include:
Forbes.com
Energystar.com
AusPost-tracking.com
VA.gov
NBC.com – Citadel 2013
Other Tactics
• Vulnerability scanning
• Call Center – Phishing
• Mobile
• Social Media – Sony Executive on American Airlines
• Industrial Control Systems - Havex
• Espionage – VirusTotal testing for malware
Traditional Cybersecurity Defense
Cyber Threat-based Defense
Tenets of a Cyber Threat-Based Approach
1. Knowledge of your enterprise network
2. Knowledge of your enemies and how they operate
3. Making risk-based defensive decisions based on threat
Practical Threat-based Defense Tools
• Cyber Threat Intelligence
• User Awareness
• Basic Security Hygiene
Cyber Threat Intelligence
Threat Intelligence Sharing
How can my detection today aid your prevention tomorrow?
Threat Intelligence Sharing Enablers
Standardized language (e.g., STIX)
Standardized exchange mechanism (e.g., TAXII)
What is Cyber Threat Intelligence? The 8 Constructs of STIX
Levels of intelligence: Strategic, Operational, Tactical, Atomic
Each STIX 1.x construct answers one question about a threat:
– What threat activity are we seeing? (Observable)
– What threats should I look for on my networks and systems, and why? (Indicator)
– Where has this threat been seen? (Incident)
– What do they do? (TTP)
– What weaknesses does it exploit? (Exploit Target)
– What can I do about it? (Course of Action)
– Why do they do this? (Campaign)
– Who is responsible for this threat? (Threat Actor)
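As an added example (not from the deck, and not MITRE's or NH-ISAC's own tooling), the sharing loop the two slides above describe, in code: Hospital A turns a phishing domain it detected into a STIX Indicator and publishes it in a Bundle; Hospital B consumes the bundle, watches its web-proxy log for the domain, and returns a Sighting so the community learns the indicator is live. The deck's "8 constructs" are STIX 1.x (XML); this uses the current STIX 2.1 JSON objects, built with the standard library only. The identity names, the domain, the proxy log lines and the description text are constructed for this example, and the consumer-side matcher handles only the single-comparison pattern form the producer emits.

```python
"""Detection today -> prevention tomorrow, as a STIX 2.1 exchange.

Added example (not the deck's code). Producer: wrap a detected phishing
domain as an Indicator and ship it in a Bundle. Consumer: extract the
watched domain, hunt for it in a proxy log, and answer with a Sighting.
Identities, domain, log lines and descriptions are all constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone
from urllib.parse import urlparse

# The only pattern form this demo emits and therefore the only one it parses.
DOMAIN_PATTERN_RE = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")


def stix_now() -> str:
    """STIX 2.1 timestamps are RFC 3339 in UTC with a 'Z' suffix."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def stix_id(kind: str) -> str:
    return f"{kind}--{uuid.uuid4()}"


def make_identity(name: str) -> dict:
    ts = stix_now()
    return {"type": "identity", "spec_version": "2.1", "id": stix_id("identity"),
            "created": ts, "modified": ts, "name": name,
            "identity_class": "organization"}


def make_indicator(domain: str, producer: dict, description: str) -> dict:
    """Producer side: one detected phishing domain becomes a shareable Indicator."""
    ts = stix_now()
    return {"type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
            "created_by_ref": producer["id"], "created": ts, "modified": ts,
            "name": f"Phishing landing page: {domain}", "description": description,
            "indicator_types": ["malicious-activity"],
            "pattern": f"[domain-name:value = '{domain}']", "pattern_type": "stix",
            "valid_from": ts}


def make_bundle(*objects: dict) -> str:
    """Serialize objects as a STIX 2.1 Bundle, the unit a TAXII collection carries."""
    return json.dumps({"type": "bundle", "id": stix_id("bundle"),
                       "objects": list(objects)}, indent=2)


def indicator_domains(bundle_json: str) -> dict:
    """Consumer side: map each watched domain to the Indicator id that supplied it."""
    watch = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            m = DOMAIN_PATTERN_RE.fullmatch(obj["pattern"])
            if m:
                watch[m.group(1).lower()] = obj["id"]
    return watch


def match_proxy_log(lines: list, watch: dict) -> list:
    """Return (log line, indicator id) for each request whose host is watched.
    Log format assumed here: '<timestamp> <client ip> <method> <url>'."""
    hits = []
    for line in lines:
        host = (urlparse(line.split()[-1]).hostname or "").lower()
        if host in watch:
            hits.append((line, watch[host]))
    return hits


def make_sighting(indicator_id: str, observer: dict, count: int) -> dict:
    """Close the loop: tell the community the indicator fired here, and how often."""
    ts = stix_now()
    return {"type": "sighting", "spec_version": "2.1", "id": stix_id("sighting"),
            "created_by_ref": observer["id"], "created": ts, "modified": ts,
            "sighting_of_ref": indicator_id, "count": count,
            "where_sighted_refs": [observer["id"]], "first_seen": ts, "last_seen": ts}


# Constructed proxy log for the consumer; the third line varies host case on purpose.
PROXY_LOG = [
    "2016-03-01T14:02:11Z 10.20.30.41 GET http://portal-hosp1tal.example/login",
    "2016-03-01T14:02:15Z 10.20.30.41 GET https://intranet.hospital.example/home",
    "2016-03-01T14:05:40Z 10.20.30.77 GET http://PORTAL-HOSP1TAL.example/login?u=3",
    "2016-03-01T14:09:02Z 10.20.30.12 GET https://www.example.org/",
]


def demo() -> dict:
    hospital_a = make_identity("Hospital A (producer)")
    hospital_b = make_identity("Hospital B (consumer)")
    ind = make_indicator("portal-hosp1tal.example", hospital_a,
                         "Credential-harvesting page linked from an 'account suspended' spear phish")
    shared = make_bundle(hospital_a, ind)          # what A publishes
    watch = indicator_domains(shared)              # what B extracts
    hits = match_proxy_log(PROXY_LOG, watch)       # B's detection
    sighting = make_sighting(ind["id"], hospital_b, len(hits))  # B's feedback
    return {"indicator_id": ind["id"], "watch": watch, "hits": hits, "sighting": sighting}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The Sighting is the part most sharing programs skip: without it the producer never learns whether its indicator fired anywhere else, which is exactly the "how can my detection today aid your prevention tomorrow" feedback the slide asks for.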
User Awareness Program
Motivation: users are the biggest target
Attack vectors observed: email attachment 41%, email URL 41%, other 18%
• Best Practices:
– Repeated targeted messaging: building a “Don’t Click” culture
• Teach email SOS: check the Sender, hover Over links, determine if the message makes Sense
• Communicate current threats with examples
– Identify and engage users that receive the most spear-phishing emails
– Encourage their active participation and make it easy, e.g., a dedicated reporting mailbox ([email protected])
– Personal engagement: 1-1 follow-up on suspicious emails, proactively briefing frequently targeted users, follow-up on incidents, etc.
User Awareness: Building Your Human Sensor Network
Motivation: adversaries are changing targeting and tactics
• What is a human sensor network?
– Employees as cyber defenders, human “sensors”, and a source of cyber intelligence for network defense
• MITRE’s employees detect 10% of delivered APT email ahead of sensors
• Creating human sensors
– Develop skills to identify potentially malicious email
– Increase awareness through communications of cyber threats
– Provide practice for “mindful” processing of email
– Respond to suspicious email reports
• Desired outcomes
– Increase self-reported clicks
– Increase in reporting of “bad” emails
– Increase chances of reporting APT attacks
– Increase in cyber threat intelligence
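As an added example (not from the deck or from MITRE's program), the "email SOS" checks taught to users on the previous slide, check the Sender, hover Over links, does it make Sense, written as heuristics that the reporting mailbox from the "Respond to suspicious email reports" step can run on every message a human sensor submits, so the report reaches an analyst already annotated. It uses only the standard library. Both sample messages, every address and domain, and the urgency phrase list are constructed for this example; the "last two labels" domain comparison is a deliberate simplification of eTLD+1.

```python
"""Email "SOS" triage for a phishing-report mailbox.

Added example, not the deck's code: the three user checks from the slide
(check the Sender, hover Over links, does it make Sense?) as heuristics a
report mailbox can run on each submitted message before an analyst looks.
All addresses, domains and message text below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# "Sense" check: phrases that push the reader to act before thinking (constructed list).
URGENCY_PHRASES = ("immediately", "suspended", "verify your account",
                   "within 24 hours", "invoice attached")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<"]+', re.I)
ADDR_IN_TEXT_RE = re.compile(r'[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def registrable(host: str) -> str:
    """Last two DNS labels: a crude stand-in for eTLD+1, good enough for a demo."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_sender(msg) -> list:
    """S: Check Sender. A display name that claims one domain while the real
    address is another, or a Reply-To that diverts replies elsewhere."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    m = ADDR_IN_TEXT_RE.search(name)
    if m and m.group(1).lower() != from_dom:
        findings.append(f"display name claims {m.group(1)} but address is {from_dom}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to:
        rt_dom = reply_to.rsplit("@", 1)[-1].lower()
        if rt_dom != from_dom:
            findings.append(f"Reply-To goes to {rt_dom}, not sender domain {from_dom}")
    return findings


def check_links(msg) -> list:
    """O: hover Over links. The visible URL and the real href should agree,
    and a link to a bare IP address is almost never legitimate."""
    findings = []
    part = msg.get_body(preferencelist=("html", "plain"))
    html = part.get_content() if part is not None else ""
    for href, visible in ANCHOR_RE.findall(html):
        real = (urlparse(href).hostname or "").lower()
        shown = URL_RE.search(visible)
        if shown:
            shown_host = (urlparse(shown.group(0)).hostname or "").lower()
            if registrable(shown_host) != registrable(real):
                findings.append(f"link text shows {shown_host} but points to {real}")
        if IPV4_RE.fullmatch(real):
            findings.append(f"link to bare IP address {real}")
    return findings


def check_sense(msg) -> list:
    """S: does it make Sense? Urgency language is the classic tell."""
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    return [f"urgency language: {', '.join(hits)}"] if hits else []


def triage(raw_message: str) -> dict:
    """Run all three checks on one reported message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = check_sender(msg) + check_links(msg) + check_sense(msg)
    return {"verdict": "suspicious" if findings else "no findings", "findings": findings}


# Constructed samples: a spear phish of the "account suspended" type, and a benign notice.
PHISH = """\
From: "payroll@hospital.example" <billing@hosp1tal-portal.example>
Reply-To: collect@mailer.example
To: nurse@hospital.example
Subject: Action required: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Please verify your account immediately:
<a href="http://198.51.100.7/login">https://portal.hospital.example/login</a></p></body></html>
"""

BENIGN = """\
From: IT Service Desk <servicedesk@hospital.example>
To: nurse@hospital.example
Subject: Scheduled maintenance Saturday
Content-Type: text/plain; charset="utf-8"

The EHR test environment will be offline Saturday 02:00-04:00.
Details: https://intranet.hospital.example/changes/1234
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(raw))
```

None of these checks is conclusive on its own, which is the point of the slide: they are prompts for the user to stop and think, and here they become the first-pass enrichment on the report queue rather than a verdict.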
Basic Security Hygiene
With More Resources, also consider:
• Building a resilient network defense
– e.g., segmentation
• Putting more eyes on your network: sensor up!
• Hiring [more] good threat intelligence analysts
By building and sharing knowledge of our opponents and watching
the plays develop, we can make the saves that protect our networks.
Questions
• Denise Anderson, Executive Director, NH-ISAC, www.nhisac.org
• Julie Connolly, CISSP, MITRE
For more information on Medical Device Cybersecurity, see our FDA and MITRE partners’ presentation: Systemic Management of Medical Device Cybersecurity, Session 159, Wednesday March 2nd, 2:30 – 3:30 PM, Sands Expo Convention Center, Marcello 4401
Available at the Cybersecurity Command Center, Booth 9908 in Exhibit Hall G