In the wake of a number of devastating ransomware attacks against hospitals, our experienced threat hunters discuss why ransomware is on the rise, and how health systems can protect themselves.
Today’s episode of In Scope is a unique episode, host Mike Murray interviews a couple members of the Scope Security team rather than an external expert in the healthcare security field. Mike speaks with the Head of Threat Intelligence, John Daniele, and the Chief Architect, Jeremy Richards, about what they’re seeing today in terms of ransomware and threat intelligence in the healthcare space. This conversation is particularly relevant in light of recent attacks and news that has circulated about them.
As the conversation gets underway, Mike asks John to describe and provide his thoughts on the landscape of healthcare security as he’s observed it in the news over the past few months. John specifically shares about the recent UHS attack, which may have involved Ryuk ransomware, and explains both how he’s found he didn’t know as much about Ryuk as he thought he did and how the interconnectedness inherent to a healthcare system makes a Ryuk attack potentially devastating. John goes on to talk about the ability of live threat actors to maneuver through an environment as a necessary factor to incorporate into threat assessment.
Jeremy continues this line of thought, sharing about the evolution of intelligent ransomware. A major difference between the attacks of today and of the few years or so prior is that it now feels like things are becoming specifically targeted. And there have been plenty of attack samples to consider, as recent weeks have seen a string of attacks. Further, attack evolution has brought with it the development of double extortion. As Jeremy explains, attacks often involve three different aspects working together; first, an initial infection employs something like Emotet. Next, Trickbot may be used to move laterally across a network and perform data exfiltration. Then, ransomware such as Ryuk is deployed and a ransom note sent.
Attacks have grown in their complexity, which makes protecting against them more complicated. With modular and extensible platforms now available to attackers, and with the increasingly polymorphic nature of ransomware, there is a need for more evolved tactics and techniques from a blue team perspective. There is already a playbook for recognizing and dealing with compromised machines, and healthcare leaders need to make maintaining visibility into their environments a high priority.
Looking ahead, John explains that he expects we are on the cusp of an increase in campaigns; he’s concerned that attackers are seeing room to extract significant revenue from hospitals, which have a high incentive to deal with ransomware attacks quickly in order to get back online. Unfortunately for hospitals, they are also unable to recoup time lost in the same way as other businesses. Mike wonders what he and Jeremy would suggest to a CISO looking to prepare for a possible attack, and they touch on such necessary priorities as detailed forensics, asset discovery, inventory management, and passive vulnerability scanning. Overall, the two recommend visibility of all three healthcare environments.
As the conversation moves toward a close, Mike asks his guests to look ahead five years and predict how things will play out on the stage of healthcare security. Jeremy and John have mixed opinions; Jeremy thinks things are trending in a favorable direction. However, John has concerns about what will come in the future – concerns rooted in such issues as a perceived deficiency in CISO succession plans. Listeners may not know what will come, but they are left with much insight to work now for a secure healthcare space.
0:24 – Mike introduces the episode and his guests.
1:36 – What is John seeing out there and what does he think about it?
5:24 – Jeremy comments on the evolution of ransomware and how different elements of an attack work together.
10:33 – There is increasing complexity within attack platforms, and this calls for new methods of protection.
16:34 – There is a playbook to follow, as well as a need for visibility.
18:18 – What will happen in the months ahead?
22:53 – John and Jeremy provide ideas for how a CISO can prepare for possible attack.
29:56 – What will things look like five years from now?
Learn more about John Daniele and follow him on Twitter
Learn more about Jeremy Richards
Learn more about Mike Murray and follow him on Twitter
Learn more about Scope Security and read its new whitepaper
Connect with Scope Security on LinkedIn and Twitter
If you have ideas for the show, send an email to [email protected]