
Practical Cyber Threat-Based Defense for Healthcare Networks

March 1, 2016

Denise Anderson, Executive Director, National Health Information Sharing and Analysis Center (NH-ISAC)

Julie Connolly, Principal Cybersecurity Engineer, The MITRE Corporation

© 2016 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for Public Release; Distribution Unlimited (15-4033)


Conflict of Interest

Denise Anderson, NH-ISAC, MBA

Julie Connolly, MITRE, B.S.

Have no real or apparent conflicts of interest to report.


Agenda

• Current cybersecurity threats to healthcare

– What, who, why, how

• A threat-based approach to cybersecurity defense

– Definition

– How it differs from “traditional” cybersecurity

– Why it is effective

• Practical approaches to implement a threat-based cybersecurity defense


Learning Objectives

• Describe the new type of cybersecurity threats in the healthcare domain including the potential damage that can result from a successful attack

• Recognize what a cyber threat–based defense is and how it is effective in combatting sophisticated cyber adversaries

• Identify strategies for maximizing the effectiveness of cybersecurity defenses within limited-resource environments


Goals (slide diagram): Accurate, available PHI, via a reduction in the number of cybersecurity incidents on healthcare networks; clinical accuracy and timeliness, by ensuring the integrity and confidentiality of patient data.


The Trend is Not Good: Record High Exfiltration

Chart of healthcare data breaches, 2013 to 2015, by records exposed:

– Presbyterian Anesthesia: 10,000

– Holy Cross Hospital: 9,900

– Medical University South Carolina: 7,000

– Community Healthcare: 4,500,000

– The Harley Medical Group: 500,000

– St. Joseph Health System: 400,000

– Anthem: 80,000,000

– Premera Blue Cross: 11,000,000

– CareFirst Blue Cross Blue Shield: 1,100,000

81% of hospitals and health insurance companies have had a data breach in the past two years.


The Problem

Anthem 80 million


Environment Challenges

– Open Environments

– Diverse Base

– Internet Connections

– Lack of:

• Security Education

• General Situational Awareness

• Threat Intelligence

• Cyber Strategy

• Cyber Security

• Skilled Staff

• Maturity of Programs


Who is targeting healthcare?


Motivation


Tactics: Ransomware

Examples include: CryptoLocker, CryptoWall, CryptoDefense, TorrentLocker, Darkleech

Top infections: US, AU, Canada, UK, India; also saw a Singapore trend


Tactics: Distributed Denial of Service (DDoS)

Examples include:

Sony PlayStation – Lizard Squad

Operation Ababil

Las Vegas – Gaming Industry

Israel

DD4BC

World Cup


Tactics: Spear Phishing

Examples include:

Court Notice

Invoice/Statement

Shipping Themes: DHL, Fedex, UPS

EZ Pass

Bank Phish – Swift Transfer

Dhgate invoice

eFax

Salesforce

Reward themes

Airline – Delta

WhatsApp – You’ve got a voicemail


Tactics: Drive-by Downloads, Watering Holes, and Malvertising

Examples include:

Forbes.com

Energystar.com

AusPost-tracking.com

VA.gov

NBC.com – Citadel 2013


Other Tactics

• Vulnerability scanning

• Call Center – Phishing

• Mobile

• Social Media – Sony Executive on American Airlines

• Industrial Control Systems - Havex

• Espionage – VirusTotal testing for malware


Traditional Cybersecurity Defense


Cyber Threat-based Defense


Tenets of a Cyber Threat-Based Approach

1. Knowledge of your enterprise network

2. Knowledge of your enemies and how they operate

3. Making risk-based defensive decisions based on threat


Practical Threat-based Defense Tools

• Cyber Threat Intelligence

• User Awareness

• Basic Security Hygiene


Cyber Threat Intelligence


Threat Intelligence Sharing

How can my detection today aid your prevention tomorrow?


Threat Intelligence Sharing Enablers

Standardized Language

Standardized Exchange Mechanism


What is Cyber Threat Intelligence? 8 Constructs of STIX

Diagram labels: Strategic, Atomic, Tactical, Operational. Each of the eight constructs answers one question:

• What threat activity are we seeing?

• What can I do about it?

• What threats should I look for on my networks and systems and why?

• Where has this threat been seen?

• Who is responsible for this threat?

• Why do they do this?

• What do they do?

• What weaknesses does it exploit?


User Awareness Program

Motivation: Users are the biggest target. Attack vectors (chart): Email Attachment 41%, Email URL 41%, Other 18%.

• Best Practices:

– Repeated targeted messaging: building a “Don’t Click” culture

• Teach email SOS: Check Sender, hover Over links, Determine if the message makes Sense

• Communicate current threats with examples

– Identify and engage users that receive the most spear-phishing emails

– Encourage their active participation and make it easy, e.g., [email protected]

– Personal Engagement – 1-1 follow-up from suspicious email, proactively briefing frequently targeted users, follow-up on incidents, etc.
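The email SOS routine above can be partly automated for the team that receives user reports. The following Python script is an added example, not part of the deck or of any NH-ISAC or MITRE tool: it runs the "check Sender" and "hover Over links" checks on a reported message and leaves the "makes Sense" judgement to the analyst. The sample message, the trusted-domain list and every domain in them are constructed for the example.

```python
import email
import re
from email import policy, utils
from urllib.parse import urlparse

# Anchors in a mail body as (href, visible text) pairs; a regex is enough for this triage use.
ANCHOR = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that itself reads like a URL or a bare domain name.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def _domain(value):
    """Lowercased host of a URL, or of an e-mail address."""
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def triage(raw_message, trusted_domains):
    """Findings for 'check Sender' and 'hover Over links'; whether the message
    makes Sense is the one check that stays with the human reader."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    name, addr = utils.parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(addr)
    if sender_domain not in trusted_domains:
        # Display name borrows a trusted brand (first label of a trusted domain)
        for brand in (d.split(".")[0] for d in trusted_domains):
            if brand in name.lower():
                findings.append(f"sender: '{name}' reads as {brand} but comes from {sender_domain}")
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR.findall(body.get_content() if body else ""):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested inside the anchor
        # Visible text that reads as a URL must point at the same host the href does
        if LOOKS_LIKE_URL.fullmatch(text) and _domain(text) != _domain(href):
            findings.append(f"link: text says {_domain(text)} but goes to {_domain(href)}")
    return findings

# Constructed sample (hypothetical domains): a shipping-themed lure like those on the spear-phishing slide
SAMPLE = """\
From: DHL Express <notify@dhl-track-parcel.example>
Subject: Your parcel could not be delivered
Content-Type: text/html

<p>Reschedule delivery here:
<a href="http://dhl-track-parcel.example/login">https://www.dhl.com/tracking</a></p>
"""

if __name__ == "__main__":
    print(*triage(SAMPLE, {"dhl.com", "hospital.example"}), sep="\n")
```

Feeding the raw .eml that a user forwards to the abuse mailbox gives the responder the same two observations a careful user would have made by hovering and reading the From line.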


User Awareness: Building Your Human Sensor Network

Motivation: Adversaries are changing targeting and tactics

• What is a human sensor network?

– Employees as cyber defenders, human “sensors”, and a source of cyber intelligence for network defense

• MITRE’s employees detect 10% of delivered APT email ahead of sensors

• Creating human sensors

– Develop skills to identify potentially malicious email

– Increase awareness through communications of cyber threats

– Provide practice for “mindful” processing of email

– Respond to suspicious email reports

• Desired outcomes

– Increase self-reported clicks

– Increase in reporting of “bad” emails

– Increase chances of reporting APT attacks

– Increase in cyber threat intelligence
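The desired outcomes above are only useful if they are measured. Here is an added Python example (not from the deck, MITRE or NH-ISAC) that turns a constructed event log of deliveries, clicks, user reports and sensor alerts into per-campaign report rate, click rate, self-reported clicks, and the minutes by which the first user report ran ahead of the first sensor alert, the "ahead of sensors" figure the slide quotes. Campaign names and users in the log are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed event log (hypothetical users and campaigns): "timestamp campaign kind user", where kind is
# delivered, click, report (user forwarded the mail to the abuse mailbox) or sensor (tool alert; user "-").
LOG = """\
2016-03-01T08:58:00 dhl-lure delivered alice
2016-03-01T08:58:00 dhl-lure delivered bob
2016-03-01T08:58:00 dhl-lure delivered carol
2016-03-01T09:03:00 dhl-lure report alice
2016-03-01T09:05:00 dhl-lure click bob
2016-03-01T09:09:00 dhl-lure report bob
2016-03-01T09:20:00 dhl-lure sensor -
2016-03-01T13:00:00 efax-lure delivered alice
2016-03-01T13:00:00 efax-lure delivered dave
2016-03-01T13:02:00 efax-lure sensor -
2016-03-01T13:30:00 efax-lure click dave
"""

def human_sensor_metrics(log):
    """Per campaign: delivered count, report and click rates, self-reported clicks
    (users who clicked and still reported), and minutes by which the first user
    report beat (+) or trailed (-) the first sensor alert; None when nobody reported."""
    per = defaultdict(lambda: {"delivered": set(), "report": {}, "click": set(), "sensor": None})
    for line in sorted(log.splitlines()):  # ISO timestamps sort chronologically
        ts, campaign, kind, user = line.split()
        ts, c = datetime.fromisoformat(ts), per[campaign]
        if kind == "delivered":
            c["delivered"].add(user)
        elif kind == "report":
            c["report"].setdefault(user, ts)  # first report per user counts
        elif kind == "click":
            c["click"].add(user)
        elif kind == "sensor" and c["sensor"] is None:
            c["sensor"] = ts
    out = {}
    for campaign, c in per.items():
        n = len(c["delivered"])
        first_report = min(c["report"].values(), default=None)
        lead = (c["sensor"] - first_report).total_seconds() / 60 if first_report and c["sensor"] else None
        out[campaign] = {"delivered": n,
                         "report_rate": len(c["report"]) / n if n else 0.0,
                         "click_rate": len(c["click"]) / n if n else 0.0,
                         "self_reported_clicks": len(c["click"] & set(c["report"])),
                         "human_lead_minutes": lead}
    return out

if __name__ == "__main__":
    for campaign, metrics in human_sensor_metrics(LOG).items():
        print(campaign, metrics)
```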


Basic Security Hygiene


With More Resources, also consider:

• Building a resilient network defense

– e.g., segmentation

• Putting more eyes on your network: sensor up!

• Hiring [more] good threat intelligence analysts


By building and sharing knowledge of our opponents and watching the plays develop, we can make the saves that protect our networks.


Recap (slide diagram): Accurate, available PHI, via a reduction in the number of cybersecurity incidents on healthcare networks; clinical accuracy and timeliness, by ensuring the integrity and confidentiality of patient data.


Questions

• Denise Anderson, Executive Director, NH-ISAC – www.nhisac.org

• Julie Connolly, CISSP, MITRE – [email protected]

For more information on Medical Device Cybersecurity, see our FDA and MITRE partners’ presentation: Systemic Management of Medical Device Cybersecurity, Session 159, Wednesday March 2nd, 2:30 – 3:30 PM, Sands Expo Convention Center, Marcello 4401.

Available at the Cybersecurity Command Center, Booth 9908 in Exhibit Hall G.