In 2010, I left the financial industry and moved into cybersecurity consulting. My first consulting project was within the healthcare industry, and so was my next big project, and hundreds of projects in which I have participated since. I quickly learned to appreciate the hard work that IT and cybersecurity teams do to support their healthcare organizations. I also learned about this industry's different priorities and unique approaches.
Over the past decade, hospital cybersecurity has matured and become more robust. However, many cybersecurity professionals in healthcare are excellent "firefighters" at solving security problems, working on rolling out secure solutions quickly and efficiently. While there is a solid strategy for many, there is often not enough time to examine legacy components to ensure that all systems remain secure.
As a cybersecurity professional, I also watch how ransomware reshaped our society, causing real harm to organizations of all kinds. But in the eyes of cybercriminals, medical facilities have always been a more desirable target. First, there is an urgency for a medical facility to get back to operations. Also, medical facilities did not have proper backups of everything. On top of that, medical data has always been considered more in demand on the dark web. Massive ransomware attacks like WannaCry and NotPetya spread across health systems around the world, severely affecting the networks of many hospitals.
So over the past decade, I have worked diligently to help hospitals and other medical organizations stay secure and fight cyberattacks, especially ransomware, sometimes getting ahead of the adversaries and stopping attacks before ransomware was deployed, but unfortunately, more often, helping companies to recover from a successful attack.
When the COVID-19 pandemic hit, we used our knowledge of cybercriminal groups to alert US law enforcement about infections in medical facilities that were being targeted for ransomware attacks. Some cybercriminals even stopped attacking medical facilities, declaring moratoriums against attacking these types of targets. These "heart of gold" intentions were short-lived.
The TrickBot botnet has existed since at least 2016 and is operated by Russian-speaking cybercriminals, most of whom call Russia their motherland. The botnet always had two directions: stealing data such as credentials or financial information for further abuse of that data, and, more threateningly, installing ransomware from the Ryuk gang, which used TrickBot-infected devices as entry points into their networks. Over the past few years, TrickBot, also known as Emotet, established itself as the largest network of infected computers. In late September, the US Cyber Command and then, separately, Microsoft, attempted to take down the botnet to safeguard the victims along with protecting the US election system. But the takedown only had a partial success. TrickBot lost most of its connectivity to victimized systems, leaving a large cache of stolen data and a bunch of livid cyber crooks.
This partial slaughter likely became the trigger for the Ryuk gang to step up its criminal activity. Knowing that their easy crime streak is likely coming to an end, they kept working within the scattered remnants of the once-mighty botnet. In late October, the gang turned against healthcare. In private communications, they taunted hundreds of targets within hospitals, clinics, and other medical facilities. They foreshadowed panic and fear. While they may have been referring to a large number of medical locations rather than hundreds of health systems, they have certainly delivered their malicious blow.
For over a week, starting on October 23, I searched every day for the names of victimized hospitals and for indicators of compromise so that we could notify them. Unfortunately, the Ryuk gang does not keep a list of victims, uses decentralized teams, and does not share its data. We were able to identify and alert a number of victims, but some of the others that we did not see were not so lucky. Now, looking at the aftermath and realizing that the attacks are not over, what can we learn from this experience to make our healthcare networks more secure?
Most attacks start with phishing, and they still work! Detecting an average phishing email may not take a tech expert, but as our mailboxes are overwhelmed with messages, it is hard to keep your awareness constant. However, continuous training, positive reinforcement, and admitting mistakes without shame will make your staff less vulnerable to phishing. And when it comes to technology, how do you know that your filters are catching all malicious messages? Try testing them by sending yourself, from an external test email account, "de-weaponized" phishing emails that others have already identified. Will they all make it through? 50%? 10%? Test it; maybe your email filters need to be tuned up.
Is your perimeter protected? Even if a malicious email gets through, can your EDR solution and/or anti-virus software catch it? We often forget to make sure that we have 100% protection for end-user devices, not only for those devices within your network, but for all the devices used by your remote users to access your systems. Not only does coverage matter, your exclusion list should also be kept to a minimum. In today's healthcare, there are many very sensitive applications; do not let application vendors dictate your anti-virus policy. Nearly all software should be anti-virus friendly, it should be reputable and it should not behave like malware.
The next line of defense is your network. Cybercriminals have a wide range of tools to attack your network. Attack frameworks like Cobalt Strike and EmpireProject are the tools of choice, especially for the Ryuk gang. Your defenses must be tuned for unauthorized activity within the network: privilege escalation, disabling of anti-virus and other security tools, commandeering system accounts, and more. Make sure that you are not only protecting yourself but also setting up alerts on anomalies.
To successfully deploy ransomware, the bad guys will go after your backups. They will try to delete them, and you need to be able to detect and stop that. They will try to corrupt them, change their scope, or even change the backup encryption keys. You need to be able to detect any changes in your backup processes!
The latest trend among some ransomware gangs is to not even bother with the encryption part. If they are able to exfiltrate sensitive data, they can try to blackmail you while threatening data disclosures. Make sure you are able to identify and quickly block any attempted data exfiltration. There are many additional targets for exploitation, from lack of MFA to weak passwords, and from system vulnerabilities to vulnerable third parties.
In today's world, you need to make defending against ransomware one of your top cybersecurity priorities. If your job is to protect a medical organization, you should stay on high alert.
Here is a question for you: you conduct pen tests to test your system defenses; are you setting up tests to ensure that your red team will be detected in a ransomware test exercise?
As I leave you with more challenges than re-assurances, keep in mind that we are dealing with a cruel, ruthless enemy that will attack hospitals, elder care facilities, emergency rooms and medical research institutions. Our defenses should be effective, and our resolve should be unwavering in the face of the enemy.
Editor's note: For insights on governance best practice in healthcare, download ISACA's GEIT for Healthcare white paper.