Security pros need to double down around prevention of lateral movement by attackers, especially if IoT devices are connected to the network.

Ori Bach, CEO of TrapX Security

June 3, 2020

4 Min Read

Even before the world began shutting down and sheltering in place, attackers had set their sights on medical records and other valuables they could leverage for cash. As early as 2018, top security researchers had identified the vulnerabilities the healthcare industry faces because attackers crave the private data kept at medical facilities.

Now, take that already worn-out security team and provide them with the current crisis, and what we have is a recipe for disaster. Just like everything else in a fight, survival is going to be a team effort. Luckily, the threat intel teams have really brought their A-game. 

Using the Mitre Att&ck framework, we can track the common techniques used by adversaries. From this information, we can get an idea of what weaknesses have already been exploited in these networks that attackers will likely hit. In the end, lateral movement is the tactic that needs to be shut down. With so much business volume going on it will be almost impossible to stop initial access, so any further footholds need to be closed off. Unfortunately, one of the most successful targets for lateral movement are Internet of Things devices that have revolutionized our medical world.

Attackers choose their targets after careful research and commonly use phishing or social engineering to gain initial access. Once they are on the network the next stage of an attack is finding the IoT devices that will grant them unrestricted lateral movement throughout the environment. 

Another issue that complicates this further: Many hospitals do not separate their IoT devices from other resources, such as databases storing patient records. The lack of separation simplifies discovering the prime targets. Attackers will then either steal the information or launch a ransomware attack.  

The first thing we need to do is to take a play from the fight against COVID-19 and start practicing proper device distancing. We know IoT devices are going to be vulnerable, so why have them on the same nets? Create choke points where traffic and endpoints are heavily monitored where the two sectors meet. At least analysts know where to look, and early triage teams know the probabilities of true positives are going to be high.

Many times, IoT devices use protocols that are not encrypted. This is a serious problem that should be rectified immediately, because anyone tapping those communications will learn everything they need to own that environment. Think of encryption like wearing your mask when going grocery shopping. Now let's make sure our devices are wearing their masks too. 

The final step that unfortunately only now many people finally started adopting is proper sanitization. IoT devices are notoriously behind when it comes to the operating systems they are using, and many more are unpatched. In fact, 83% of IoT devices are no longer running supported software. That would be similar to trying to wash your hands without indoor plumbing. 

Another flaw in the response to COVID-19 is a lack of visibility due to no testing in the community at large. Medical devices do not provide proper logging techniques that would allow SOCs to recognize when attacks happen. Due to FDA requirements, the devices are sad black boxes that must not be altered. Other methods to indirectly monitor network activity and traffic analysis need to be implemented. Just like with COVID-19, you need testing to know if the patient is infected. 

These are serious problems, and unfortunately, a lot of them will not be fixed unless we show the willpower the world has only seen with successful social distancing. But what is the point of beating COVID-19 if our hospitals allow our cyber diseases to erase any of those gains?            

Related Content:

 

 

 

 

 

 

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register

About the Author(s)

Ori Bach

CEO of TrapX Security

Bach is a veteran of the fight against fraud and cybercrime, working for leading companies such as IBM Trusteer, NICE–Actimize and government entities such as the Israel Ministry of Justice and the Israel Defense Force (IDF). Prior to joining TrapX, Bach served as a Senior Security Strategist at IBM Trusteer where he helped drive innovation and knowledge sharing in the cyber security space. Prior to working for IBM, Bach served as Director of Product Management at Actimize, contributing to the rapid growth of its fraud business and eventual acquisition by NICE systems. During his career Bach has worked with some of the world's leading institutions to strengthen their fraud and security controls and published dozens of research reports, white papers and blogs on managing cyber security and fraud. Bach has extensive experience in cyber security, threat intelligence, compliance and product management. Bach earned a LLB degree from Tel-Aviv University.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights