Examining healthcare cyber threats and how to better prepare your organization
Posted by: GuidePoint Security
A Q&A with Tony Cook, head of threat intelligence at GuidePoint Security
With the influx of attacks on the healthcare sector, we spoke with our head of threat intelligence, Tony Cook, to get his take on the threat landscape, supply chain risks, and how to improve visibility and ensure a better overall security posture.
Q: Tony, we’re seeing a surge of large security incidents reported across many industries, including the healthcare sector, tied to vulnerabilities involving third-party providers of applications, IT infrastructure products and various devices. What are some common threads that stand out in these incidents?
A: It’s much easier for attackers to compromise what is used in your environment to actually get inside your environment. That’s the whole premise behind the supply chain attacks that we’re seeing, whether SolarWinds, Accellion or others. Attackers can squeeze out a middleman and attack organizations that are relied on and used every day to deploy malware and/or exfiltrate data from your environment.
Q: You mention SolarWinds and Accellion… these attacks have had an enormous impact on other organizations. What stands out as far as things healthcare organizations should do when it comes to their critical third parties?
A: Organizations must take a much more proactive approach to their security posture and try to understand exactly what those threats might be. The idea that you can just inherently trust any security vendor or any product that’s in your environment needs to come under the microscope. It’s a good idea to go through a possible scenario with a tabletop exercise, which can help you understand what it would look like if something bad did happen in your environment. You would see what the attacker could potentially do in the environment, build from there to understand your gaps and ultimately prioritize your actions.
Q: Tony, what steps should hospitals and healthcare organizations take to better vet third party vendors from a cybersecurity perspective?
A: The first step is to understand your network. In many cases, when we come in to run an IR, the organizations that we are supporting don’t have a good sense of what is in their environment. So, knowing what’s in your network is step one. Step two, once you have this visibility, is to determine how you can secure those devices and improve processes. There’s this idea of zero trust, where you don’t inherently trust anything in your environment. Every host could be a threat, and looking at your security posture through that lens can help you ensure you have the right security controls and procedures in place.
Q: Earlier in our interview you mentioned being more proactive. What advice do you have in terms of threat hunting?
A: In order to even consider threat hunting, you need visibility of your environment. So going back to what I was saying before – step one is to understand what’s on your network. Let’s go back to the concept of tabletop exercises, where you can walk through what an incident would look like. With this information you can formulate a hypothesis and then try to uncover that threat. Theoretically you’d walk through your hypothesis a few different times and see if you have visibility gaps.
Oftentimes, what we see is that many of the issues when we threat hunt are based around poor visibility, where the level of logging or the level of visibility across the environment is lacking. In some cases, there aren’t even firewall logs that go back 30 days. In some cases, there’s no EDR solution or no logging posture across the entire environment. Even servers might have been misconfigured to have their logs be just way too verbose, so they are rolling over in a day and not being centrally logged anywhere. A lot of these issues will start to really add up when you try to aggregate everything for a successful threat hunt.
Q: Are you seeing any other systemic issues with which healthcare organizations are challenged?
A: One thing that continually seems to be a common thread across our last few engagements was the presence of web shells on open web servers across their environments – whether it was because it was a shadow IT server that was out there or a public-facing web server that is used every day, no one had really noticed these things or was looking at the logs. A simple question of “what are all your open web servers?” or “what are your public-facing web servers?”, getting a list of those things, looking at the logs and then conducting some triage analysis is what finds these web shells.
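As an added illustration of the log triage described in this answer (example code, not from GuidePoint or the interview), the following Python script parses constructed web server access-log lines and flags script paths worth a closer look: scripts missing from the application's known inventory (an assumed list), scripts that only ever receive POSTs with no referer, and executables sitting under an upload directory.

```python
import re
from collections import defaultdict

# Combined Log Format as written by Apache/nginx by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx", ".cgi")

# Assumption: the application's legitimate server-side entry points, from its inventory.
KNOWN_SCRIPTS = {"/index.php", "/login.php", "/api/patients.php"}

# Constructed sample: normal portal traffic plus a script that appeared under /uploads.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://portal.example/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:02:10 +0000] "POST /login.php HTTP/1.1" 302 0 "https://portal.example/index.php" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:10:05:44 +0000] "POST /uploads/img001.php HTTP/1.1" 200 334 "-" "python-requests/2.25"
198.51.100.9 - - [10/Mar/2021:10:05:51 +0000] "POST /uploads/img001.php HTTP/1.1" 200 1882 "-" "python-requests/2.25"
203.0.113.8 - - [10/Mar/2021:10:06:00 +0000] "GET /api/patients.php?id=7 HTTP/1.1" 200 912 "https://portal.example/" "Mozilla/5.0"
"""

def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def triage(log_text, known=KNOWN_SCRIPTS):
    """Return {script_path: [reasons]} for paths that deserve a manual look."""
    stats = defaultdict(lambda: {"hits": 0, "posts": 0, "no_ref": 0})
    for r in parse(log_text.splitlines()):
        path = r["path"].split("?", 1)[0]          # drop the query string
        if not path.lower().endswith(SCRIPT_EXT):
            continue                                # static content is out of scope
        s = stats[path]
        s["hits"] += 1
        s["posts"] += int(r["method"] == "POST")
        s["no_ref"] += int(r["referer"] == "-")
    findings = {}
    for path, s in stats.items():
        reasons = []
        if path not in known:
            reasons.append("script not in application inventory")
        if s["posts"] == s["hits"] and s["no_ref"] == s["hits"]:
            reasons.append("only POST requests, never with a referer")
        if "/upload" in path.lower():
            reasons.append("executable script under an upload directory")
        if reasons:
            findings[path] = reasons
    return findings
```

Each flagged path is a triage lead, not a verdict; the next step is pulling the file from the server and comparing it against the deployed application build.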
Q: Healthcare environments have lots of medical devices. What’s the level of visibility that organizations tend to have with their medical devices and how much of a potential risk do those devices pose?
A: Medical devices are a unique beast. Hopefully, they’re segmented off any internet-facing portions of the network. Typically there’s not really a lot that’s usually done by system administrators on those devices. If there are, there’s usually some regulation or some policy to enable additional logging on those hosts. For example, in some instances, installing an EDR (endpoint detection and response) tool on any of these devices is usually frowned upon. The concern here is that they don’t want anything to cause these devices to crash, which results in poor visibility on those systems. Again, hopefully, these devices are segmented off the network.
Q: Ransomware attacks have become fairly commonplace, especially in the healthcare sector. Are there any common issues that you’re seeing in these types of attacks and how these occur in the first place?
A: Phishing has been a big vector as far as how these attacks begin. There are some groups that are trying to sell initial access into environments, such as Emotet, which various government agencies have been working to shut down. However, there are always more initial entry points, such as leveraging open admin ports like RDP and SSH that are just open to the world and which can be brute forced, or vulnerabilities such as Hafnium.
Once access occurs, moving laterally in the environment is almost just too easy nowadays. As soon as an actor obtains legitimate credentials to the environment, utilizing whatever tool they feel comfortable with, they will map out the network and attack their intended target. Usually the goal is to hit as many systems as possible, but it could also just be as targeted as hitting just the servers that they want in the environment.
Q: Thanks Tony for your insights… any final thoughts?
A: While there are ransomware actors who have made public statements detailing how they will avoid targeting healthcare organizations, there will always be groups willing to take the opposite stance. To put forth an effective defense strategy for these organizations, focusing on the fundamentals is a great start to a defense in depth strategy. Some of the most effective quick wins for securing these organizations are to:
- Understand your network & the technologies in place
- Ensure adequate visibility of the environment through logging and security tools
- Continually monitor your environment while focusing on continuous improvement to fill gaps in your security posture