Recently, an article was published on Wired about Rob Joyce, Chief of the NSA’s Tailored Access Operations, and his discussion on Disrupting Nation State Hackers. Here’s the link to the original video: Disrupting Nation State Hackers.
There are quite a few areas that Joyce discusses that make life miserable for the NSA. The things that make them the most miserable are the following: Security Information and Event Management (SIEM) tools analyzing logs, Indicators of Compromise (IOCs), out-of-band (OOB) devices to analyze traffic, and worst of all competent System Administrators that use these technologies.
Today, we are going to dive into logging, OOB devices, SIEM, IOCs, and monitoring your network with SIEM.
Technology creates a lot of information, and it typically leaves a record of what it has performed in log files. Whether it’s your router, switch, server, virtualization platform, cloud provider, smartphone, or printer a trail of events and information is created like a receipt you would get from grocery shopping.
Unfortunately, the logs are often forgotten, or commonly never analyzed unless there is a major problem. Even then, System Administrators grudgingly perform log analysis simply due to the sheer volume of data created. It’s like a scene out of The Matrix where the rebel crew members watch green characters scroll down the monitor, but slightly less exciting. However, there is a wealth of information contained in these logs, and like in The Matrix, System Administrators can use this information to observe what is happening in their infrastructure.
Now, there are specialized OOB devices that can analyze your network traffic. These are typically your Intrusion Detection Systems (IDS) that passively monitor your network from a tap or mirroring port. They are out-of-band because they are not directly in the path of the data and instead have data mirrored to them. This gives them a couple of advantages: if they break they don’t break your network, and more importantly when it comes to security, hackers cannot see the OOB device. You can think of it as having a concealed bodyguard in the dark with night vision when a mugger is trying to sneak up on you. Naturally, these OOB monitoring devices create a lot of logs which are then sent to your SIEM.
SIEM stands for Security Information and Event Management. The SIEM is a highly intelligent technology that views all of the logs coming from every device and correlates each piece of information. It sniffs out irregularities in data patterns and makes sense out of the mountains of information. The SIEM watching your logs and OOB systems is the scariest piece of technology in your arsenal to the bad guys because it can find the needle in the haystack. Fifty million events just happened on your network and it can find the handful of malicious actions stealing your data (or credit card numbers if you’re Target or Home Depot).
SIEMs need to be constantly updated for them to be effective. The information that updates the SIEM is called Indicators of Compromise (IOC). An IOC might be a system sending SPAM to the internet, a malicious website infecting anyone who lands on their homepage, malware traversing your network, the intern down the hall accessing HR data to which he shouldn’t have access, or data going to an inappropriate or unauthorized destination such as a country like Russia or China. IOCs enable System Administrators and Engineers to remain vigilant and stay abreast of new threats on the horizon.
As Joyce says, “If you’re looking at the Nation State hackers, we’re going to be persistent. We’re going to keep coming and coming and coming, so you’ve gotta be defending and improving and defending and improving and evaluating and improving. The static person is going to float to the back of the pack.”
And, when a bear is chasing you, you don’t have to be the fastest in the pack, just don’t be the slowest.
Finally, we get to the most important part of defending your company or organization’s jewels: the System Administrator. You can have the best network security, the best SIEM, the best IDS, and the best awesome security gadget in the world, but all of it is worthless if your System Administrator isn’t qualified and constantly monitoring, analyzing, and improving.
The responsibility doesn’t stop at them watching the bad guys do bad things. As Joyce says, the System Administrators must have clear policies and procedures on how to act once a threat has been detected. If at any point the Detect → Analyze → Remediate → Repeat approach fails, then your data will be compromised and the hacker wins.
Last week there was quite a bit of discussion in the news concerning the Hollywood hospital hack. So, this week we’re going to take a brief break from our NSA Watch Your Back series to discuss why this attack is more important than most people realize.
As a quick refresher, on February 5th, 2016 Hollywood Presbyterian Medical Center experienced a large breach in security when ransomware hit the medical center’s network. Note: Many news organizations were referring to Hollywood Presbyterian Medical Center as Hollywood Hospital and so we will do so as well for familiarity to the reader. NBC Los Angeles was one of the first news organizations to report the breach.
For those of you who haven’t heard of ransomware, it is one of the new evolutions of viruses that is now being regularly seen on the internet. Typically, what happens is that the ransomware will do one of a couple of things: lock the user out of their computer until they pay a ransom, or the ransomware will encrypt all of the files on the computer (and reachable network drives) and then require the owner to pay a ransom in Bitcoin. In the end the Hollywood hospital hack cost the medical center $17,000 (40 Bitcoins).
Ransomware is a (dis)reputable business from the criminal hacking world. Disreputable in that what they’re doing is just plain wrong. But, reputable in that if you pay the ransom then the attackers will release your computer from being held hostage. It’s just business to them. The attackers want everyone to know that if you pay the ransom then access to your data will be restored. The executives in charge were probably informed of this and so made the decision to simply pay the ransom in the Hollywood hospital hack.
Analysis of Situation
There are security professionals on both sides of the fence on whether the ransom should have been paid in the Hollywood hospital hack (or any other ransom attempt). From a business actuarial perspective I agree with their decision to pay the ransom. Here is why: This is conjecture, but I’m guessing their decision was guided by several basic assumptions:
As a medical center the first and foremost mission is to ensure the safety of the patients and those under their care.
It is both costly and dangerous to transport patients to other medical institutions (in spite of the fact that they had to do this).
If the computer systems are inoperable for more than one day patients in critical care must be transported to other medical institutions.
The medical center is a business, and must be operationally functional in order to be financially successful.
The operational costs of the medical center for one day exceed the ransom by some amount X.
The medical center’s security is inadequate to repel this attack.
Restoring the infrastructure will take longer than one day.
These assumptions enable the business to perform a basic cost/benefit analysis to determine whether they should pay the ransom or restore service via standard IT recovery procedure. To demonstrate why I say that what they did makes financial sense we can do a quick calculation. According to item 17 on Becker’s Hospital Review the cost of a for profit bed is $1,629 per day. Let’s assume that 20% (I don’t actually know the actual number) of their 434 beds were being utilized, so 87 beds. That means their per day cost is: $1,629 * 87 = $141,723. Now, if we add in the cost of an $800 ambulance ride for 10 patients (while it was reported that some patients were moved the number wasn’t specified) that must be moved after one day: 10 * $800 + $141,723 = $149,723.
Note, this calculation doesn’t take into account the cost of administration fees to move the patients, or the negotiations involved in the cost for other medical institutions to accept the patients. Nor do we make any attempt to a calculate necessary network cleanup or brand reputation damage. Finally, it was claimed that care was not disrupted for patients (although I find this claim suspect due to the fact that they had to move patients to other medical institutions). So, we’ll be charitable and say that the Hollywood hospital hack resulted in the reduction of 20% effectiveness to perform their mission, leaving us with the cost of one day at .2 * $149,723 = $29,944.60. By paying the ransom the medical center would save $29,944.60 – $17,000 = $12,944 for the first day alone ($29,944.60 would be added to the cost for each additional day of delay).
Please be aware that the above calculations are simply an exercise (albeit realistic) to determine why it made business sense for them to pay the ransom. All in all, this was a cheap lesson for them; well, it is if the Office of Civil Rights (OCR) doesn’t ask the Department of Justice to investigate their organization for HIPAA violations. And, due to the fact that their Electronic Health Records were at significant risk during the compromise I don’t think that an investigation is out of the question. According to the 2015 Cost of Data Breach Study: the United States by the Ponemon Institute the cost per capita for a healthcare record breach in 2015 was $398. Let’s say that we later discover that 10,000 patient records were breached. The Hollywood hospital hack could cost the organization up to 10,000 * $398 = $3,980,000. You read that right; it could cost them up to $3.9 million dollars. Let me be clear: no one has said that any records have been breached, but if a breach in records is discovered through forensic study then this situation could turn very nasty for the medical center.
But wait, I said that all in all paying the ransom was a cheap lesson. $3.9 million definitely doesn’t sound like a cheap lesson. Here’s why I said it’s cheap: so far as the only costs we know the medical center has suffered have been the following (not limited to): ransom, costs associated with transporting patients, forensic recovery experts from a security firm, cost of lost effectiveness, cost of having to turn patients away during the outage, the cost of remediating the infiltrated infrastructure, and brand reputation damage. Yes, that number is easily going to be north of $80,000 in total, but it’s a heck of a lot better than $3.9 million if the records weren’t breached.
The Important Lessons Learned
Okay, so we now understand why the lesson was cheap, but what was the lesson? What should they have learned during this experience? I would suggest that they and every other healthcare organization should begin by recognizing the fact that they must take security seriously and readily allocate more than an adequate budget to cover their needs. The hospital’s security must be prevalent in every aspect of the organization. The reason is simple: the electronic equipment in a hospital is responsible for keeping patients alive, and yet the standards to protect hospital networks are infantile in comparison to the standards protecting simple credit card data theft.
The security issue becomes terrifying once you realize that many life support systems are built on Microsoft Windows or Linux, and both of those two operating systems are the largest malware targets. An attacker doesn’t have to be intentionally attempting to harm someone like in the show Homeland where the attackers targeted the Vice President’s pacemaker. Instead, malware and viruses simply need to do what they do best: infect entire networks, move laterally, and render the user’s computer unusable.
Except, in this case, the user’s computer could be a blood transfusion device or an IV infusion pump. No one would be the wiser until a nurse or doctor visually inspected and confirmed that the equipment was or wasn’t working exactly as expected. Here’s another possibility: the malware infects the IV infusion pump and the monitoring station and simultaneously locks them. A patient could very possibly die during the time it takes to resolve the malware issue.
There are many more cases where viruses, malware, and ransomware could do catastrophic damage to patients and yet no one would be the wiser. According to the Online Trust Alliance (OTA) over 90% of data breaches could be easily prevented. So, how can you minimize the bull’s eye on your organization? Begin with a Security Assessment; not a HIPAA assessment. HIPAA assessments help you check boxes and pass muster with auditors; Security Assessments take a holistic view of your organization’s security posture. I recommend that a third party performs the Assessment simply because they look at your organization with fresh eyes, and they will definitely see things to which the internal staff is blind.
Next, realize that operationally the traditional IT security paradigm won’t protect you. I won’t go into depth on these as each on their own could be multiple multipage articles. Here are the highlights: Antivirus, perimeter firewalls, and sacrificing chickens DO NOT PROTECT YOUR INFRASTRUCTURE! You need to move to application white-listing, malware hunting, unified firewall orchestration, IDS/IPS, and SIEM to watch everything going on in your network. I would argue these newer approaches are fundamental to IT security, but they are not all-encompassing. There are many solutions that provide these types of functionality, and each solution has its pros and cons. It’s important to weigh those pros and cons carefully, and if your staff doesn’t have direct experience working with those types of technologies find a solution provider who can help you.
The Hollywood hospital hack was just the tip of the iceberg. I hope it serves as a wakeup call to the medical industry that what happened was simply an inconvenience. Furthermore, losing patient medical records isn’t good either, but it’s nothing compared to the fact that at some point in the next year or two patient lives will be held for ransom. Sadly, the hacker on the other side of the world probably will not realize that they are potentially harming or killing innocent people by their actions. They’ll just know that they’ve had another successful day of collecting Bitcoins, and then will proceed to build even more dangerous malware variants. Remember, it’s nothing personal; it’s just business.
Protect your healthcare organization by contacting Cybriant, your competent security solution provider.
Part 1 of the Watch Your Back series: Why you Must Have a SIEM
Recently, an article was published on Wired about, Rob Joyce, Chief of the NSA’s Tailored Access Operations, and his discussion on Disrupting Nation State Hackers. Here’s the link to the original video: Disrupting Nation State Hackers. There are quite a few areas that Joyce discusses that make life miserable for the NSA. The things that make them the most miserable are the following: Security Incident and Event Management (SIEM) tools analyzing logs, Indicators of Compromise (IOCs), out-of-band (OOB) devices to analyze traffic, and worst of all competent System Administrators that use these technologies. Today, we are going to dive into logging, OOB devices, SIEM, IOCs, and monitoring your network with SIEM.
Technology creates a lot of information, and it typically leaves a record of what it has performed in log files. Whether it’s your router, switch, server, virtualization platform, cloud provider, smartphone, or printer a trail of events and information is created like a receipt you would get from grocery shopping. Unfortunately, the logs are often forgotten, or commonly never analyzed unless there is a major problem. Even then, System Administrators grudgingly perform log analysis simply due to the sheer volume of data created. It’s like a scene out of The Matrix where the rebel crew members watch green characters scroll down the monitor, but slightly less exciting. However there is a wealth of information contained in these logs, and like in The Matrix, System Administrators can use this information to observe what is happening in their infrastructure.
Now, there are specialized OOB devices that can analyze your network traffic. These are typically your Intrusion Detection Systems (IDS) that passively monitor your network from a tap or mirroring port. They are out-of-band because they are not directly in the path of the data and instead have data mirrored to them. This gives them a couple of advantages: if they break they don’t break your network, and more importantly when it comes to security, hackers cannot see the OOB device. You can think of it like having a concealed bodyguard in the dark with night vision when a mugger is trying to sneak up on you. Naturally, these OOB monitoring devices create a lot of logs which are then sent to your SIEM.
SIEM stands for Security Incident and Event Management. The SIEM is a highly intelligent technology that views all of the logs coming from every device and correlates each piece of information. It sniffs out irregularities in data patterns and makes sense out of the mountains of information. The SIEM watching your logs and OOB systems is the scariest piece of technology in your arsenal to the bad guys because it can actually find the needle in a haystack. Fifty million events just happened on your network and it can find the handful of malicious actions stealing your data (or credit card numbers if you’re Target or Home Depot).
SIEMs need to be constantly updated in order for them to be effective. The information that updates the SIEM is called the Indicator of Compromise (IOC). An IOC might be a system sending SPAM to the internet, a malicious website infecting anyone who lands on their homepage, malware traversing your network, the intern down the hall accessing HR data to which he shouldn’t have access or data going to an inappropriate or unauthorized destination such as a country like Russia or China. IOCs enable System Administrators and Engineers to remain vigilant and stay abreast of new threats on the horizon. As Joyce says, “If you’re looking at the Nation State hackers, we’re going to be persistent. We’re going to keep coming and coming and coming, so you’ve gotta be defending and improving and defending and improving and evaluating and improving. The static person is going to float to the back of the pack.” And, when a bear is chasing you, you don’t have to be the fastest in the pack, just don’t be the slowest.
Finally, we get to the most important part of defending your company or organization’s jewels: the System Administrator. You can have the best network security, the best SIEM, the best IDS, and the best awesome security gadget in the world, but all of it is worthless if your System Administrator isn’t qualified and constantly monitoring, analyzing, and improving. The responsibility doesn’t stop at them watching the bad guys do bad things. As Joyce says, the System Administrators must have clear policies and procedures on how to act once a threat has been detected. If at any point the Detect → Analyze → Remediate → Repeat approach fails, then your data will definitely be compromised and the hacker wins.
