Remote Access Attacks & Threat Actor Profiling: Sign of the InfoSec Times
The latest Community Health Systems Inc. breach shows an increase in remote, sophisticated attacks from overseas vs. physical theft of locally-saved data and devices, while a maturing information security industry has allowed us to gather the intelligence needed to profile threat actors.
One interesting fact about the breach is that the hacker group accused of the intrusion may not have been looking for personal information at all - they’re said to be the same group from China that typically seeks intellectual property from manufacturers, such as medical device and equipment development data, as HealthcareITNews.com reports. However, personal information happens to be all they stole.
The breach also happens to be the second largest in the history of reported healthcare breaches when it comes to the number of personal records stolen or lost. The first can be attributed to the U.S. Defense Department’s healthcare program for soldiers and veterans, TRICARE, in which 4.9 million health records on physical backup tapes were stolen out of a vendor employee’s car while left unattended.
That was back in 2011, as the U.S. Department of Health & Human Services’ (HHS) Wall of Shame reports. The third highest number of breached records in the healthcare industry can be attributed to Advocate Health Care’s incident, in which four million unencrypted records stored locally on four desktop computers were stolen from their administrative office, as reported by ModernHealthcare.com.
The contrast between local, physical theft and an international, sophisticated attack is marked. According to the SEC Form 8-K filing by Community Health:
The Company [Community Health Systems] and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems.
Yesterday, TrustedSec reported to Reuters that a few anonymous sources told them the attackers exploited the OpenSSL Heartbleed vulnerability to read credentials out of the memory of a CHS Juniper device, then used those credentials to log into the CHS VPN network and access their databases.
This report hasn’t yet been confirmed by CHS or Mandiant.
However, being able to infer whom to blame without direct evidence of causation may be a sign of the times. Even just a few years ago, physical theft was chalked up to careless and uninformed employees, with the recommendations mainly centered around stronger security awareness programs and a migration of physical backups to virtual storage and archives.
Nowadays, the security industry has grown significantly - as securitycurrent’s Executive Editor Richard Stiennon pointed out in a recent keynote at a Converge Detroit conference, How the Surveillance State Changes IT Security Forever, the industry has grown seventeen-fold since 2003 to $3 billion, with the prediction that it will increase another tenfold over the next 10 years to $639 billion.
That type of growth has enabled the security industry to garner the resources needed to accurately profile the different threat actors and diverse attack methods. Creating personas can help narrow down the suspects, particularly in a scenario that involves a high number of personal records.
Moving in the same direction, the 2014 Verizon Data Breach Investigations Report (DBIR) categorized and profiled threat actors by type of threat, listing nine patterns of attacks and the types of attackers associated with them. One example is cyber espionage, usually carried out by state-affiliated actors targeting the professional, manufacturing and transportation industries.
Just a few years ago, we didn’t have those personas to help us identify and gather the intelligence needed to make informed decisions about threat attribution. And not too long ago, the healthcare industry had little to no insight into breaches, which could be partially attributed to the healthcare industry’s lag in adopting technology as a whole. In order to get healthcare organizations to move from paper records to digital, the government had to incentivize the use of EHR (Electronic Health Records) systems.
Additionally, the move from physical records to virtual presents a different IT model, where data and networks can be accessed remotely by employees, letting them work wherever and whenever, but also opening healthcare organizations up to potential risks from abroad.
In order to protect against remote attacks, those in healthcare may want to read up on best practices in the HIPAA Security Rule’s guide on Remote Access (PDF). One of the easiest and most effective ways to protect user accounts against unauthorized remote access is two-factor authentication: a password harvested from a device, as reported in the CHS case, is not enough on its own to log in. Learn more in Why Two-Factor? and learn how to choose a quality solution in our Two-Factor Authentication Evaluation Guide.
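As an added illustration of that point (example code, not from this post or from any CHS or vendor system): a toy VPN login check that requires both the password and an RFC 6238 TOTP code, and refuses a code that has already been redeemed, so a harvested password or a captured one-time code cannot be replayed. The `VpnGateway` class, the user table and the secret are constructed for the example; the HOTP/TOTP functions follow RFC 4226 and RFC 6238.

```python
import hashlib
import hmac
import struct
import time

DIGITS = 6      # code length (RFC 4226 default)
STEP = 30       # seconds per TOTP time step (RFC 6238 default)
WINDOW = 1      # accept one step of clock skew on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class VpnGateway:
    """Constructed toy VPN login check: the password AND a valid one-time code
    are both required, and each code is redeemable only once."""

    def __init__(self, users):
        self.users = users   # username -> (password, TOTP secret); hash passwords in real use
        self.used = set()    # (username, counter) pairs already redeemed

    def login(self, user: str, password: str, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        entry = self.users.get(user)
        if entry is None:
            return False
        stored_pw, secret = entry
        if not hmac.compare_digest(stored_pw, password):
            return False
        # A harvested password alone stops here. Try the current step and its
        # neighbours; a code whose counter was already redeemed is a replay.
        for counter in range(now // STEP - WINDOW, now // STEP + WINDOW + 1):
            if hmac.compare_digest(hotp(secret, counter), code):
                if (user, counter) in self.used:
                    return False
                self.used.add((user, counter))
                return True
        return False
```

With the RFC 4226 test key `12345678901234567890`, `totp(secret, 59)` yields `287082`, and a second login with that same code is rejected as a replay.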
And check out the HIPAA Security Rule for more guidance on security recommendations for the healthcare industry, although it’s considerably more open-ended than other industry data standards, such as PCI DSS.
Read more about healthcare security in:
Lax Healthcare Vendor Security Leads to Data Breaches & Tax Fraud
Healthcare Data Breaches Increase in 2013; Errors Traced to Admin Passwords