Looking Towards the Future with Teachings from the Past

Cybersecurity Forum – Opening Keynote, February 11, 2019

Ron Mehring, CISSP – VP Technology & Security, CISO, Texas Health Resources
Axel Wirth, CPHIMS, CISSP, HCISPP – Distinguished Technical Architect, Symantec Corporation

Conflict of Interest
• Ron Mehring, CISSP has no real or apparent conflicts of interest to report.
• Axel Wirth, CPHIMS, CISSP, HCISPP is employed by Symantec, a cybersecurity vendor, but has no real or apparent conflicts of interest to report.

Learning Objectives
• Identify how cyber-attacks were actually executed and understand cyber-attack trends
• Explain how effective response to cyber-attacks can mitigate the impact and damage
• Discuss what we may expect in the coming year regarding cyber-attacks in the healthcare space
• State lessons learned from the past to assist with the present and what is anticipated in the future

Agenda
1. Evolution of Cyber-Attacks
2. Effective response and impact mitigation
3. What we may expect in the coming year
4. Lessons learned and anticipating the future
5. Discussion / Q&A

Cybersecurity – Historic Timeline

Ancient History (1940 – 1980s)
• 1949 – Theory of self-replicating code (J von Neumann)
• 1950s – “Core Wars” game (Bell Labs)
• 1970 – “Creeper” concept demo (ARPANET, PDP-10)
• 1972 – First fully-functional virus (V Risak, TU Vienna, Siemens)
• 1973 – “A Disease of Machinery” (Westworld, MGM)
• 1980 – Analogy to biological virus (J Kraus, U of Dortmund)
• 1984 – “Computer virus” general definition (F. Cohen, UC)

Middle Ages (1980s – 2000s)
• 1982 – “Elk Cloner” released (15 yo, Apple II)
• 1986 – “Brain” tracking copyright violations (MS-DOS)
• 1987 – “SCA” leads to first virus checker (Amiga, est. 40%)
• 1989 – “AIDS” first ransomware (MS-DOS)
• 1995 – “Concept” first macro virus (MS Word)
• 1999 – “Melissa” 1st social eng.; 20% of world’s computers
• 2000 – “ILOVEYOU” million+ infections in hours
• 2002 – “SQL Slammer” fastest worm

Modern Age (2000s – today)
• 2007/08 – Reports of Cyberwarfare (Syria, Ukraine, Georgia)
• 2008 – “Conficker” infects est. 15M computers
• 2010 – “Stuxnet” sabotage of Iranian nuclear program
• 2011/12 – Multiple highly sophisticated viruses (e.g. Duqu, Flame)
• 2013 – “CryptoLocker” ransomware; “Darlloz” IoT virus
• 2016 – “Mirai” highly disruptive IoT DDoS, up to 1TBit/s
• 2017 – “WannaCry” & “Petya” cause $B+ losses

Conficker – Happy 10th Birthday
• Conficker (W32.Downadup) computer worm:
  – 5 variants produced (Nov. 2008 – April 2009)
  – Win2k, XP, Server 2003 & 2008, Vista
  – Multiple purposes: open backdoors, spam bot, keylogger, download other malware, …
  – Multiple propagation methods: Internet, LAN, shared folders, mapped drives, peer-to-peer networking, portable media (USB)
  – Estimated to have infected up to 15 million computers (compare: WannaCry: 350,000)
• Advanced capabilities and highly resilient:
  – Hides and replicates before becoming active
  – Scans network for machines with the same vulnerability
  – Has the capability to protect itself (e.g. disable AV and Windows updates)
• Still prevalent – but limited impact:
  – No active C&C servers
  – Fewer infections as target OS’s are declining, may have run its course by 2020
  – Latent infections residing on legacy systems, e.g., leading malware in healthcare (June 2016)
• Other noteworthy facts:
  – $250,000 bounty still available!
  – The end goal of Conficker has never become clear
• Other long-living malware: Sality (2003), MyDoom (2004), Zeus (2011), Mirai (2016)

Emotet – Rolling with Opportunities
• Mealybug Cyber Crime Actor:
  – Active since at least 2014
  – Initially targeting banking industry in Europe
  – Custom malware Trojan.Emotet (network worm)
  – Brute force attack via password list
• Started shifting focus in 2017:
  – Providing delivery services for other threat actors with Trojan.Emotet functioning as a “loader”
  – Europe → U.S. (Canada, Mexico, China)
• Key modules per direction of C&C server (Source: Symantec ISTR):
  – Banking module – steals banking details from network traffic
  – Email client infostealer – email credentials
  – Browser infostealer – browsing history and passwords
  – PST infostealer – email addresses
  – DDoS module – carry out DDoS attacks
• Mealybug, as an evolving threat actor, has been refining its techniques:
  – Shifted from few regional banking attacks to a global distributor for other groups
  – Maximizing returns based on core competency and tools available

High Impact Malware – Care Delivery, Supply Chain, Privacy

WannaCry, Petya
• EternalBlue exploit (NSA leak)
• WannaCry (May 2017): faulty Ransomware, ~$4-$8B global impact
• Petya (June 2017): cloaked Ransomware (Wiper), ~$10B impact
• WannaCry – care delivery impact:
  – 81 of 236 hospital trusts; 595 of 7545 GP’s
  – 1000+ systems, 19,000 appts., ~£92M loss
  – Root Cause: Underinvestment, patching
  – Leading to £21M security investment
  – WannaCry still active!
• Petya – healthcare supply chain:
  – Global pharma company – ~$310M loss, global drug and vaccine availability
  – Transcription service provider – ~$68M loss, impacted hosted transcription service

Trojan.Nibatad
• Largest national HC provider, SE Asia
• July 2018 attack
• 1.5M records, incl. Prime Minister
• Post mortem report:
  – Breach identified, but no action taken
  – Missing Risk Assessment
  – Lack of training, awareness, and concern
  – Lack of vulnerability scans and pen testing
  – Missing patch, poor password policies
• 16 recommendations (7 critical):
  – Enhance security structure
  – Review and assess cyber security stack
  – Improved staff awareness – prevent, detect, and respond to security incidents
  – Enhanced security checks
  – Tighten privileged admin account controls
  – Improve incident response processes
  – Private/public partnerships around security

Summary – Threat Landscape Trends
• Cybercrime continues to follow money and opportunity
• Worms are back:
  – Hitting networks today, expect next generation IoT worms
• Targeted attacks are hitting diverse targets:
  – Profiling, targeting, and execution continue to improve
  – E.g. Orangeworm group – healthcare
• Email malware rates are increasing again:
  – Dropped 50% in 2017, back up in 1H 2018
• BEC scams continue to be profitable:
  – Business Email Compromise: $12B loss in 6 years
• Ransomware numbers are stable:
  – Crowded market, some have moved on
• Cryptojacking remains popular:
  – But – rises and falls with Cryptocurrency value
• IoT devices are the soft target:
  – Patching, default credentials, forgotten
  – 159% increase of attacks (7/17-7/18)

Top 10 Malwares 12/2018 (Source: CIS): Emotet, Kovter, ZeuS, NanoCore, Cerber, Gh0st, CoinMiner, Trickbot, WannaCry, Xtrat

Agenda
1. Evolution of Cyber-Attacks
2. Effective response and impact mitigation
3. What we may expect in the coming year
4. Lessons learned and anticipating the future
5. Discussion / Q&A

Effective Response
1. Preparation – Getting Organized: Preparation is the key to managing the incident response cycle and reducing impact.
2. Execution – Detection and Response: Response activities must account for multiple conditions and the complexity of the organization.
3. Communication – Escalation and Peering: Timely escalation to peering response groups and leadership teams.

Effective Response: Preparation
Incident response phases: Preparation | Analysis/Detection | Containment | Eradication | Recovery | Post Incident Activity
• Threat Catalog – Catalog of potential threats with associated response playbooks.
• Asset Inventory – Accurate inventory of technology assets that includes location, criticality and use.
• Identity Inventory – Accurate inventory of identities and entitlements across the technology and application portfolio.
• Data Inventory – Inventory of sensitive data and data flow.
• Exercises – Incident exercise plan tailored to unique environments and playbooks.
• Tool Management – Inventory of analytics and response tools.

Effective Response: Execution
1. Protect Data Confidentiality – Regulated Data, Credit Card Data. Requirements may conflict with patient safety needs.
2. Protect the Enterprise – Control robustness must balance reliability and security.
3. Protect the Patient – Medical devices and other critical care device protection needs may conflict with data confidentiality requirements.
Diagram: Privacy, Cybersecurity and Patient Safety held in equilibrium through risk-based protection, detection and response; response playbooks; preparation phase; response plan.
• Effective incident response plans account for diverse operating environments and stakeholder protection, detection and response needs.
• Reduction in time to respond and remediate.

Effective Response: Playbooks
Example: Malware Attack Playbook – Cyber Incident Response Phases, Cascading Unique Playbooks:
• What type of Attack?
• What type of Asset, Identity, Data Type?
• Exposure?
Stakeholder groups: Treasury (PCI), Privacy, Patient Safety, Physical Security, HICS/System Preparedness, JV/Business Partners/Vendors, Cyber/Technology Teams, HTM (Medical Devices), Legal, HR, Risk Financing, Facilities, Business Process Owners

Effective Response: Communication
A robust communication plan that reflects the different cyber incident stakeholder groups is critical to controlling incident impacts.
• The need to communicate effectively before, during and after an incident should not be underestimated.
• Preparation phase requirements and inputs should be well understood by technology/data custodians and system owners.
• Timing of stakeholder involvement is important.
• Balancing incident