1 Healthcare Breaches – The Next Digital Epidemic
Tim Parisi, Senior Consultant
© Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL

2 Introduction
- Tim Parisi
- Senior Consultant
- Three years at Mandiant
  - Incident Response
  - Forensics

3 Mandiant Consulting
Responding to the most critical cyber-security incidents and empowering organizations to protect their most critical assets.
- Trusted Partner to Organizations Worldwide
  - Clients include over 33% of Fortune 100 companies
- Expert Responders to Critical Security Incidents
  - Over a decade of experience responding to headline breaches
- Renowned, published experts
  - Frequently summoned to deliver Congressional testimony and media “expert opinion”
- True Thought Leaders
  - First to codify advanced attacker behaviors
  - First to scale forensic analysis using enterprise tools
  - Industry educators (reports on advanced threat groups, M-Trends)
- Assist With All Stages of Incident Response and Preparedness
- Global footprint with over # consultants and offices in # countries

4 Agenda
- By the numbers
- Threat landscape overview
- Breach readiness
- Healthcare breach case study
- Key takeaways/outlook

5 BY THE NUMBERS 2014

6 Who’s a Target?

7 How Compromises Are Being Detected

8 Dwell Time
- Median dwell time in 2014: 205 days, 24 days less than 2013 (M-Trends 2015)
- Longest presence: 2,982 days

9 Phishing Emails

10 THREAT LANDSCAPE

11 Breaking Down the Threat

Category        Objective                       Example                           Targeted   Character
Nuisance        Access & Propagation            Botnets & Spam                    no         Automated
Data Theft      Economic, Political Advantage   Advanced Persistent Threat        yes        Persistent
Cyber Crime     Financial Gain                  Credit Card, PHI, and PII Theft   yes        Financially Motivated
Hacktivism      Defamation, Press & Policy      Website Defacements               yes        Conspicuous
Network Attack  Escalation, Destruction         Destroy Critical Infrastructure   yes        Conflict Driven

12 Why Are Targeted Attacks Different?
It’s a “Who,” Not a “What”…
- There’s a human at a keyboard
- Highly tailored and customized attacks
- Targeted specifically at you
- Effective at bypassing preventive controls
They are Professional, Organized, and Well Funded…
- Can be a nation-state or state-sponsored
- Division of labor for different stages of attack
- Utilize change management processes
- Escalate sophistication of tactics as needed
If You Kick Them Out, They Will Return…
- They have specific objectives
- Their goal is long-term occupation
- Persistence tools ensure ongoing access
- They are relentlessly focused on their objective

13 Threat Actors Targeting Healthcare Data
- Cyber criminals
  - Target PII and PHI data
  - Sell information for profit
- Advanced Persistent Threats (APT)
  - Target technologies, processes, and expertise
  - Focused on improving domestic industries/abilities
  - More recently targeting PII

14 How Lucrative is the Stolen Data?
- Espionage
  - Stolen data can be correlated with other sources to create a profile on potential targets
- Profit

Type of Data                   Going Rate
Credit Card                    $1 - $20
Social Security Number         $1
Medical Information            $50
Packaged Data for Individual   $500 - $1300

Sources:
http://www.secureworks.com/resources/blog/general-hackers-sell-health-insurance-credentials-bank-accounts-ssns-and-counterfeit-documents/
http://www.emc.com/collateral/white-papers/h12105-cybercrime-healthcare-industry-rsa-wp.pdf

15 ATTACK READINESS

16 Security Grades by Industry

Industry               Grade Level
Aerospace and Defense  B+
Financial Services     B
High-tech and IT       C+
Retailers              C+
Healthcare             C-

17 Healthcare Industry Observations
- Historically, security was lacking
  - Starting to improve
- Difficult challenges to overcome
  - People’s lives at risk
  - Doctors’ needs often put first
  - Large remote user base
- Rapid expansion and network interconnectivity
  - Security often an afterthought

18 Healthcare Industry Observations
- Limited security technology
  - Focus has been on preventive products (anti-virus, firewalls, etc.)
  - Few detection/response tools
  - Limited understanding of the tools
- Limited security staff
  - Small security teams
  - Often limited management support
- Reactive security model
  - Very little “hunting” for suspicious activity
  - Immature incident response programs

19 ATTACKER TACTICS
Healthcare Industry

20 Anatomy of a Targeted Attack
- Initial Compromise: gain initial access into target
- Establish Foothold: strengthen position within target
- Escalate Privileges: steal valid user credentials
- Internal Recon: identify target data
- Move Laterally
- Maintain Presence
- Complete Mission: package and steal target data
(Escalate Privileges, Internal Recon, Move Laterally and Maintain Presence repeat in a cycle until the mission is complete.)

21 Anatomy of Targeted Attacks Against Healthcare
- Initial Point of Compromise
  - Vulnerability on external-facing servers
  - Single-factor remote access (Citrix, VPN, etc.)
  - Spear-phishing emails to internal users
  - Drive-by downloads
- Establish Foothold / Escalate Privileges
  - Initial focus on installing backdoors
    - Custom backdoors
    - Publicly available backdoors
  - Dump passwords on systems
    - Target local admin, domain admin, and database administrator accounts

22 Anatomy of Targeted Attacks Against Healthcare
- Lateral Movement
  - Valid credentials to access additional systems
  - Standard Windows methods
    - RDP, network shares, etc.
  - Administrative tools
    - PsExec
- Internal Reconnaissance
  - Network documentation
  - Privileged users
  - Databases containing sensitive data

23 Anatomy of Targeted Attacks Against Healthcare
- Maintain persistence
  - Deploy additional backdoors
  - Switch to remote access with legitimate credentials
    - Citrix virtualized environments
    - VPN access
- Complete mission
  - Harvest data
  - Transfer stolen data out of the network
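The lateral-movement tradecraft on the three slides above (PsExec, RDP and network shares driven with valid credentials) leaves two artifacts that are cheap to hunt for with the logs most healthcare environments already collect: a System event 7045 (“a service was installed”) for PSEXESVC on every host PsExec touches, and a single account producing network (type 3) or RDP (type 10) logons across many hosts in a short window. The Python below is an added example, not from the presentation or from any Mandiant tool; the event records are constructed to look like a SIEM export, and the 60-minute window and five-host threshold are illustrative assumptions to baseline per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SIEM-style export (not logs from the case in the slides):
# Security 4624 = successful logon, System 7045 = new service installed.
SAMPLE_EVENTS = [
    # A normal user touching two servers over a working day.
    {"time": "2014-03-03T08:02:11", "host": "FS01", "id": 4624,
     "user": "CORP\\jdoe", "logon_type": 3, "src_ip": "10.10.5.21"},
    {"time": "2014-03-03T14:40:50", "host": "PRN01", "id": 4624,
     "user": "CORP\\jdoe", "logon_type": 3, "src_ip": "10.10.5.21"},
    # One account fanning out across six hosts in twenty minutes at 2 a.m.,
    # including a PsExec service install and an RDP session.
    {"time": "2014-03-03T02:01:05", "host": "WS-041", "id": 4624,
     "user": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.10.9.77"},
    {"time": "2014-03-03T02:03:19", "host": "WS-042", "id": 4624,
     "user": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.10.9.77"},
    {"time": "2014-03-03T02:04:40", "host": "WS-042", "id": 7045,
     "user": "CORP\\svc_backup", "service": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2014-03-03T02:06:02", "host": "DB02", "id": 4624,
     "user": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.10.9.77"},
    {"time": "2014-03-03T02:09:33", "host": "DC01", "id": 4624,
     "user": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.10.9.77"},
    {"time": "2014-03-03T02:15:48", "host": "FS01", "id": 4624,
     "user": "CORP\\svc_backup", "logon_type": 10, "src_ip": "10.10.9.77"},
    {"time": "2014-03-03T02:19:10", "host": "MAIL01", "id": 4624,
     "user": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.10.9.77"},
    # A benign service install from patch management.
    {"time": "2014-03-03T03:00:00", "host": "WS-041", "id": 7045,
     "user": "NT AUTHORITY\\SYSTEM", "service": "WindowsUpdateAgent",
     "image_path": "C:\\Windows\\System32\\svchost.exe"},
]

# 3 = network logon (SMB shares, PsExec), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_psexec_service_installs(events):
    """7045 events matching PsExec's default service name/binary -> (host, user, time)."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        name = e.get("service", "").upper()
        path = e.get("image_path", "").upper()
        if name == "PSEXESVC" or path.endswith("PSEXESVC.EXE"):
            hits.append((e["host"], e["user"], e["time"]))
    return hits


def find_logon_fanout(events, window=timedelta(minutes=60), min_hosts=5):
    """Accounts with remote logons to >= min_hosts distinct hosts inside one window.

    Thresholds are assumptions for this sample; baseline them per environment
    (backup and vulnerability-scanning accounts legitimately fan out and need
    an allow-list so they do not drown the alert).
    """
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] in REMOTE_LOGON_TYPES:
            by_user[e["user"]].append((_ts(e), e["host"]))
    findings = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


def hunt(events):
    """Run both checks and return a dict a responder can pivot from."""
    return {
        "psexec_installs": find_psexec_service_installs(events),
        "logon_fanout": find_logon_fanout(events),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The service-name match is a floor, not a ceiling: PsExec's `-r` option renames the service, so a follow-up hunt treats any 7045 whose binary sits directly under %SystemRoot% with an unfamiliar name as worth a look. The fan-out check is the more durable of the two because it keys on the valid-credential behaviour the slides describe rather than on one tool.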

24 HEALTHCARE INDUSTRY BREACH
Case Study

25 Critical Investigation Questions
- Questions you should have answers to during the investigation
  - How did the attacker gain initial access to the environment?
  - How did the attacker maintain access to the environment?
  - What is the storyline of the attack?
  - What data was stolen from the environment?
  - Have you contained the incident?


27 Damage Assessment
- Attacker was active in the environment for three months
- Compromised over 300 systems
- Obtained password hashes for every user in the environment
- Obtained PII data for a large number of patients

28 THREAT HORIZON
Healthcare Industry

29 Healthcare Industry Threat Horizon
- The healthcare industry is likely to continue to face cyber threats
  - Valuable access to research and manufacturing data
  - Troves of personally identifiable information and other sensitive data
- Digitization of medical health records and the increasing connectivity of medical devices
  - Will likely increase organizations’ attack surfaces, making the industry more vulnerable to threat actors
- Technological and medical innovations
  - Will likely spur threat activity from APT groups seeking to obtain related intellectual property and proprietary information to benefit associated state-owned or indigenous companies

30 Healthcare Industry Threat Horizon
- Countries’ efforts to improve their own healthcare services and products to reduce health costs
  - Likely to lead to increased targeting from associated APT groups seeking to obtain intelligence that could assist in their efforts
- Sale of counterfeit drugs
  - May result in greater activity from cybercriminals attempting to steal drug formulation information and related corporate secrets to facilitate their development and sale of counterfeit drugs
- Any perceived involvement in controversies (medical care, drug-testing processes, etc.)
  - May result in targeting from hacktivists seeking to call attention to the issues and embarrass organizations that they view as responsible

31 A Note on Chinese Threat Actors
- Targeting has changed over the last few years
  - Historically did not intentionally target large amounts of PII
  - Over the last two years, Mandiant observed China-based groups targeting large amounts of PII
- Possible motivations
  - Assist in targeting individuals for espionage operations
  - Circumvent an organization’s ability to verify its users’ identities and appropriately manage their network and information access

32 LESSONS LEARNED
Healthcare Breaches

33 Lessons Learned From Healthcare Breaches
- Identify and secure critical data
  - Data encryption
  - Minimize access
  - Detailed logging and alerting
- Two-factor authentication for external access
  - Token-based second factor a must
  - Asset verification
- Network segmentation
  - Reduce the attacker’s ability to move throughout the environment

34 Lessons Learned From Healthcare Breaches
- Application white-listing on critical systems
  - Domain controllers, email servers, file servers, etc.
- Protect privileged accounts
  - Unique passwords for all local administrator accounts
  - Enhanced control over domain administrator accounts and database accounts
- Proactive “hunting” for evidence of compromise
- Enhanced incident response processes

35 Public Disclosures
- Breaches are inevitable
  - Have an effective communication strategy available
- Consistent communication is key
  - Based on factual investigative findings
- Public speculation will happen
  - Avoid distracting the investigation

36 QUESTIONS

