Case Study

Medical Device Hijack (MEDJACK) Targets Portable C-Arm X-Ray System

Attack at Major Hospital Network Reveals Security Vulnerabilities in Network-Connected Devices

Project Background

This case study reviews the deployment of TrapX’s Deception technology within a major hospital network. The hospital’s IT team included several IT-security specialists, as well as an outsourced security consultant. The organization had already deployed a typical suite of cyber defense products including , intrusion detection, endpoint security, and anti-virus solutions.

Medical Device Hijack (MEDJACK) Uses C-Arm X-Ray Unit to Penetrate Hospital Network

The compromise of a medical device connected to a network is known as a Medical Device Hijack (MEDJACK). MEDJACK activity targets vulnerabilities of medical devices to establish a persistent presence within healthcare networks. These are sophisticated attacks that threaten hospital operations as well as patient data, and can potentially impact patient safety. MEDJACK attacks usually begin within a single compromised endpoint or IoT device and can propagate in various ways throughout a network before detection. Long dwell time gives the attackers plenty of opportunities to access critical care systems and medical records.

Indications of Compromise

After deploying DeceptionGrid® from TrapX, the IT team received an alert indicating a persistent attack within the hospital network. By reviewing the alert details, they were able to identify the presence of an active human attacker and his specific actions. In this specific example, a portable C-arm X-ray unit was the point of attack. The X-ray unit gave the attacker repeated opportunities to create a point of entry, and then pivot to other valuable network resources. The hospital’s existing cyber defenses were not able to scan or remediate anything within the X-ray system. In addition, the C-arm X-ray is designed to be used with patients who can’t easily move. Therefore, the machine was being transported through the hospital, connecting to various VLANs to transmit the data to centralized systems. This provided easy attacker access to new VLANs and became an ongoing point for lateral movement across the healthcare enterprise.

TrapX Security I Case Study I Medical Device Hijack (MEDJACK) Targets Portable C-Arm X-Ray System Page 1  Case Study

Attack Remediation

Once the source of the compromise was identified, the offending C-arm X-ray system was removed from the network, and the IT team contacted the system’s vendor to re-provision the software. This process has become a necessary regular occurrence. It’s relatively easy to clean email-based with standard security software, but malware can still find safe harbor within IoT devices such as a C-arm unit until it’s detected and then manually removed.

DeceptionGrid Deployment

TrapX DeceptionGrid delivers a full suite of Deception techniques, including Tokens (lures) and medium and high-interaction Traps (decoys). To defeat attackers, DeceptionGrid can be deployed with a variety of devices and IT assets and maintained automatically, with no changes to existing healthcare network infrastructure. To a cyber attacker, the DeceptionGrid X-ray system Traps appear virtually identical to the actual device. A wide range of other medical devices can also be emulated, including PACS systems, blood gas analyzers, PET/CT scan and MRI systems, and more. DeceptionGrid even creates convincing network traffic among the Traps to further enhance the illusion and deceive cyber threats.

When an attacker penetrates an enterprise network and attempts to compromise any X-ray system, the DeceptionGrid Traps will respond to the attacker in the same way a real X-ray system would, occupying his time and resources. As soon as an attacker starts the attack, the security team is immediately alerted, and remediation actions can be taken. The emulated X-ray system will continue to keep the attacker engaged while our TSOC is providing analytics on methods and techniques being used.


One touch of a Trap is all that’s needed to identify an attacker and generate a high-confidence alert. DeceptionGrid integrates with key elements of the network and security ecosystem to contain attacks and enable a return to normal operations. Unlike traditional security methods, which generate alerts with varying probabilities, DeceptionGrid alerts identify attacks with nearly 100 percent probability, sparing IT analysts the need to handle false-positives.


BENEFITS OF DECEPTIONGRID FOR HEALTHCARE ORGANIZATIONS

Unparalleled visibility. Deception creates new levels of visibility into specialized healthcare devices that are otherwise impossible to monitor for threats.

Targets the new breed of cyber attackers. Deception technology finds sophisticated attackers that may already be inside your network, undetected by existing security products.

Reduces or even eliminates economic losses. Rapid, accurate detection reduces the risk of destruction of enterprise assets, data theft, and overall impact on business operations.

Reduces time to breach detection. Highly accurate, real-time forensics and analysis uniquely empowers your security operations team to take immediate action to disrupt all attacks within your network perimeter.

Comprehensive visibility and coverage. Deception-in-Depth provides comprehensive visibility into internal networks, revealing attacker activity and intentions, and terminating the attack.

Improves compliance with PCI and HIPAA data-breach laws, along with other regulatory requirements in various countries.

Lowest cost of implementation. Deception-in-Depth provides the greatest breadth and depth of deception technology at the lowest cost.

Compatible with existing investments. Deception technology can integrate with your existing operations and defense-in-depth vendor solutions.

DIFFERENTIATION

Real-time detection of cyber attacker movement anywhere in your network and cloud environments

TrapX’s alerts are more than 99% accurate

Complete automated forensic analysis of captured malware and the attacker tools through an integrated Active Defense Scorecard

Automated deployment of thousands of DeceptionGrid Traps with minimal resources

Powerful emulation technology: Traps can be camouflaged as specific healthcare devices, including PACS systems, blood gas analyzers, X-ray machines, PET/CT scan and MRI systems, and more

Deception-in-Depth architecture integrates the benefits of Tokens, emulated Traps, FullOS Traps, and our Active Networks feature in one integrated multi-tier architecture, for rapid detection, deep attacker engagement, and comprehensive threat containment

Comprehensive integrations create end-to-end integration in the ecosystem: from early threat detection to remediation, and increase the value of your existing ecosystem investments

About TrapX Security

TrapX Security is a pioneer and global leader in cyber Deception technology. TrapX DeceptionGrid rapidly detects, deceives, and defeats advanced real-time cyber-attacks and human attackers in real-time. The DeceptionGrid provides automated, highly accurate insight into malicious activity unseen by other forms of cybersecurity. By deploying DeceptionGrid, users can create proactive security to fundamentally halt the progression of an attack. This strategy shifts the economics of to cost the attacker instead of the victim. TrapX Research Labs clients include several Forbes Fortune 500 commercial and government customers worldwide. Sectors include defense, healthcare, finance, energy, consumer products, and other key industries. Learn more about this cybersecurity solution at www.trapx.com.

TrapX Security, Inc.
303 Wyman Street
Suite 300
Waltham, MA 02451
+1–855–249–4453
www.trapx.com

TrapX, TrapX Security, DeceptionGrid and CryptoTrap are trademarks or registered trademarks of TrapX Security in the United States and other countries. Other trademarks used in this document are the property of their respective owners.

© TrapX Software 2021. All Rights Reserved.
