By Steve Akers, CISO and CTO, Clearwater
LinkedIn: Steve Akers
In 2023, 128 million healthcare records were breached, increasing 127% since the year prior. And while business associates new to the healthcare marketplace may be met with higher skepticism, even seasoned business associates like Perry Johnson & Associates, which has been providing medical transcription services since 1982, can fall victim to a cyberattack, exposing almost 9 million records and affecting multiple covered entities.
One of the best defenses against a cyberattack is 24/7 threat detection and response. Whether you build this team internally or leverage a healthcare MSSP, this team actively hunts for threats in your network to mitigate the danger before it becomes a material incident. What does it look like to identify a cyber intruder and chase them out? The following is a play-by-play from an organization providing patient engagement and billing services to healthcare organizations.
Here’s what happened initially:
- Attackers somehow obtained employee credentials, either through phishing or a similar method of credential theft, or they leveraged the cyber black market.
- The organization had two-factor authentication (2FA) in place, and it worked as intended—but the attackers were persistent.
- The employee received repeated push notifications asking for 2FA verification, even though they had not initiated the request.
- Initially, the employee thought it was a technical issue and ignored the notifications. But the notifications continued until finally, annoyed by the repeated requests, the employee relented and approved.
Land and Expand
After utilizing the employee credentials, with authorization, the attackers began to conduct internal recon and attempted to gain additional access to other systems. However, this organization had a healthcare MSSP watching and threat hunting within their network. Immediate detection of anomalous behavior triggered a security event and investigation.
The company only had protection on what it considered “operational” assets. This attack quickly took advantage of Dev. systems outside threat detection and response service management. Initial detection was delayed, and it is unknown what reconnaissance details were obtained.
Testing Tactics
As the attackers continued moving through the network, they repeatedly set off security events on the managed systems. While they attempted lateral movements and tested their tactics, MSSP security analysts gained additional insight into what their next move might be.
The analysts found code that was similar to what was used by a Russian-based advanced persistent threat (APT) group. In-depth research with threat intelligence into the tools and tactics being observed served as a calling card or fingerprint that helped identify the patterns and potential attack targets. It was time to declare a security incident to contain the risk, and the organization decided to halt operational services.
During the next week, the forensic investigation continued. Analysts put systems into quarantine, careful not to tip off the attackers that their intrusion was known. Doing so could have increased the chance of triggering a data exfiltration or, worse, a full-blown ransomware attack.
Patiently Waiting
This cautious approach provided responders more insight into the extent of the breach while they simultaneously took actions to reduce the potential attack surface, limiting the tactics the adversary could take. Systems were scrutinized and even shut down for a full forensic investigation. When they were brought back up, they were configured for the highest level of threat detection. Within 24 hours, the operational systems for this company were no longer exploitable by the attacker.
However, the bad actors wouldn’t give up and found another path to exploit. The attackers took advantage of the development assets that IT didn’t routinely manage and successfully exploited a shadow system that enabled remote access. The attackers used this to deploy payloads to several other machines in this environment and began their lateral movement.
Over the next few days, the attackers played a game, making a move, while the security analysts countered. Eventually, the attackers went dark and stopped triggering security events and setting off detection alarms. It was likely they had gathered enough intel about the systems they accessed and were aware the security team was on to them.
Three days later, they made their move—an attempt to deploy ransomware.
A Close Call
Fortunately, the MSSP detected and stopped all attempts and successfully contained the ransomware risk. Actions were monitored, and targeted endpoints and servers were immediately quarantined, blocking the ability to advance. Orchestration across network devices and logs captured the active threat indicators and behavioral signatures. These are now part of the MSSP’s threat intelligence, ensuring any attack using these threats again will be thwarted and detected.
This was a close call. The attackers had not exfiltrated or accessed sensitive data. Still, the recovery process extended over several months and included the development of a post-breach event action plan that included implementing endpoint detection on all environments, privileged account access, and more.