Feb 10, 2021
The Incoming Threat Part 2: How Healthcare Providers Can Defend Themselves Against Ransomware
What does a typical ransomware attack looks like; how does it progress; and how can it be defended against?By Marc Moring, Director of Strategic Accounts, Tanium
Ransomware is a complex, multistage attack.
There is no silver bullet that will defend healthcare providers.
Instead, they must develop a comprehensive suite of security controls against this threat.
And they must develop these capabilities fast.
This article will show healthcare providers how to do just that.
This blog post is Part 2 of a three-part series about the ransomware threat against healthcare.
In Part 1 of this series, we explored:
- Why criminals target healthcare providers with ransomware.
- Why the current approach to combating ransomware does not work.
- Why healthcare providers must adopt a proactive response to ransomware.
In this article, we will explore:
- What a typical ransomware attack looks like and how it progresses.
- What tactics a provider must perform to resolve ransomware without paying.
- How providers can build an effective defense against ransomware in five steps.
Let’s continue our conversation.
Understanding ransomware: looking beyond the ransom note
On the surface, a ransomware attack looks simple.
A healthcare provider tries to log into their workstation.
Their systems are locked up. They cannot log in. Instead, they see a notification.
The notification is from an attacker. The message informs the provider they can restore their systems and save their data if they pay the attacker a ransom.
The provider either pays the ransom or attempts to restore services from a recent backup, which presents additional challenges, e.g., age of last backup or recoverability.
This form of a ransomware attack is common, but the approach can evolve as the attacker may have to perform a significant number of alternative steps to achieve their end-goal.
In some cases, we’ve witnessed attackers extend their attack campaign even after they’ve been paid the requested ransom.
A more detailed picture of a ransomware attack looks like this.
Before the Attack “Low & Slow”
The attacker develops the intelligence, control, and leverage they need to put the provider in a challenging position.
To do so, they:
- Scan the provider’s network for vulnerabilities.
- Launch standard attacks — like phishing — or exploit known vulnerabilities — like unpatched assets.
- Move laterally through their vulnerable systems.
- Develop a foothold in their environment.
- Gather intelligence on their critical systems.
- Exfiltrate as much sensitive data as they can.
- Develop the ability to take control of their systems.
During the Attack
The attacker creates as many problems for the provider as possible and sends the provider their ransom note.
To do so, they:
- Lock every critical system they gained control over.
- Threaten to dump the sensitive data they stole.
After the Attack
The attacker may launch additional attacks. In many cases, paying a ransom makes an attacker more likely to strike again.
To do so, they:
- Maintain a hidden foothold in the environment.
- Exploit other vulnerabilities they found in the network.
- Exfiltrate more data.
- Eventually, lock systems again, threaten to dump data and demand another ransom.
In short: By the time an attacker demands a ransom, it is often too late.
They have already spent days, weeks, or even months preparing for that moment.
And at that moment, the healthcare provider must face a harsh truth.
They lacked visibility to gain insights on how to defend themselves during the attack’s progression.
They most likely do not have the visibility or actionable data to evict the attacker confidently.
And they will have to pay up and hope the attacker doesn’t strike again.
Here’s how healthcare providers can prevent this from happening.
Defending against ransomware: There’s no silver bullet
No single tactic can defend against ransomware.
Any effective defense must be as complex and multistage as the attack itself.
Healthcare providers must establish and leverage a wide range of offensive and defensive controls at every step of the attacker’s campaign.
An effective anti-ransomware security posture must include the following:
Before the Attack
The provider must raise the barrier to entry into their network and reduce the chance of suffering an opportunistic attack.
To do so, they must:
- Establish visibility into all endpoints — including their applications — and all activity on them at all times.
- Remove all known vulnerabilities on all assets by regularly patching, updating and configuring them.
- Proactively hunt for indicators of compromise to in-progress attacks before they develop too far.
During the Attack
They must remediate the attack and evict the attacker fast enough not to feel compelled to pay the ransom.
To do so, they must:
- Investigate the attack to identify its root cause, its lateral spread and everything the attacker touched.
- Close all remaining vulnerabilities in the environment to contain the attack’s further spread.
- Remediate the attack, evict the attacker and regain control of their systems without significant data loss.
After the Attack
They must harden their environment and ensure the attacker is truly gone and can never compromise their network again.
To do so, they must:
- Find all instances of each vulnerability the attacker exploited, and close them on all of their assets.
- Find any remaining foothold the attacker might still have in their environment and fully evict them.
- Continuously improve the overall health and security of their endpoint environment to prevent new attacks.
In short: healthcare providers have a lot of work to do to defend against ransomware.
Many healthcare providers can’t perform at least a few of these tactics.
Some healthcare providers can’t perform any of them.
But all healthcare providers must — at the very least — take a few moments to make sure they have every capability they need to defend against ransomware.
Here’s how healthcare providers can start that process.
What to do: Five steps to building effective ransomware defense
If you follow these steps, you will:
- Identify the gaps in your current ransomware defense capabilities.
- Fill in the most critical gaps that you might uncover.
- Develop a strong ransomware defense strategy, even if you start from nothing.
Step One: Assess Your Current Ransomware Defenses
First, ask yourself a few questions to determine your current ability to defend against ransomware threats at every stage of their attack.
- Do we have an accurate catalog of every asset in our environment?
- Can we monitor those assets and search for specific IOCs on them?
- Are these assets fully patched, updated and configured at all times?
- How quickly can we detect a compromised asset or other threat?
- Can we determine every asset and piece of data an attacker touched?
- How quickly could we contain and remediate an incident?
- Can we evict an attacker with 100% confidence they are completely gone?
- How fast could we harden our environment against similar attacks?
Finally — ask yourself:
- Could we detect and remediate a ransomware attack before it compromised our ability to provide patient care — or would we have to pay the ransom?
Step Two: Develop Comprehensive Visibility Into Your Assets
In terms of priority, you must first fill any visibility gaps that you identify.
Visibility provides a foundation and force multiplier for all other activities.
Practically speaking, you must develop the visibility to:
- Identify all endpoints in your environment and the software on them.
- Identify the current status of patches, software versions, configuration settings, administrative rights, and known vulnerabilities on each of those assets.
- Continuously monitor the behavior of those assets and your users.
- Define each asset’s measurable risk and map the potential trajectory and impact if a successful ransomware attack did occur.
You must develop the ability to do this for both managed and unmanaged assets and all assets regardless of whether they live on-premises or remotely.
Step Three: Button Up Your IT Hygiene
Next, you must focus on improving your IT hygiene.
Most ransomware attacks exploit known vulnerabilities in the environment.
You must maintain good IT hygiene and a high barrier to entry.
Practically speaking, to maintain good IT hygiene, you must be able to:
- Maintain high-patch compliance and rapidly apply new patches to all assets.
- Keep all software and operating systems up to date with the newest versions.
- Enforce policy, access rights and configurations on all assets.
- Maintain compliance with all of your regulatory requirements.
An organization must perform these actions remotely and at scale and within a closed-loop verification system that ensures your controls are appropriately applied.
Step Four: Establish Your Incident Response Capabilities
Next, ensure your visibility and control mechanisms extend beyond prevention.
You must also be able to leverage them to stop attacks and evict attackers rapidly.
Practically speaking, to respond to a ransomware incident, you must be able to:
- Implement healthy hygiene standards to help improve monitoring of all systems for potential indications of initiated attacks.
- Combine real-time and long-term data to define complete attack chains.
- Remediate incidents before the attacker locks systems and exfiltrates data.
- Learn from incidents and proactively raise defenses against similar patterns.
You must be able to perform each of these actions in near-real-time to respond effectively to the rapid spread of most modern ransomware attacks.
Step Five: Re-Evaluate Your Tooling
Finally, take a hard look at your endpoint tools.
Your tools are the fundamental driver for every capability discussed in this article.
If you have a gap in any of these capabilities, then you most likely:
- Have not deployed any tool to deliver that capability.
- Have deployed the wrong tool for your modern environment.
Look at the tools you deploy to deliver visibility, IT hygiene and incident response.
Make a list of any tools that do not deliver value during your day-to-day work.
Then — for each tool — ask yourself one final question:
“If these tools cannot deliver value under normal circumstances, will they deliver the value I need in the middle of a ransomware incident?”
Any tool that receives a “no” for an answer is ripe for replacement.
Deploy the right tools to stop ransomware attacks
In the next — and final — article in this series, we will discuss tools in depth.
We will explain why legacy tools typically fail to stop ransomware and what type of tools you must leverage to defend yourself against this modern threat effectively.