Based on network traffic monitoring and metadata of more than three million workloads and devices, they found that attackers blend with existing network traffic behaviors to hide their intentions and carry out a number of approaches that set off risks for businesses and disastrous data breaches.
They include:
• Using hidden Hypertext Transfer Protocol Secure (HTTPS) tunnels to high command-and-control communications in healthcare networks. This enables external communication of information in multiple sessions for long periods of time that appears to be normal encrypted web traffic.
• Hiding data exfiltration behaviors through hidden domain name system (DNS) tunnels. The most common method of attack, actions consistent with exfiltration can be caused by IT and security tools that use DNS communications.
• Internal reconnaissance in the form of internal Dark Net scans and Microsoft Server Message Block (SMB) account scans. This behavior occurs when internal host devices search for internal IP addresses that do not exist on a network, while SMB account scans are due to a host device quickly using multiple accounts through the SMB protocol typically used for file sharing.
Despite these risks, the report did find a lower number of ransomware attacks in the second half of 2018. It still, however, insists that such attacks be caught early, before files are encrypted and clinical operations are disrupted. Botnet attacks in healthcare were also lower in general, compared to other industries.
"When you factor in the time it takes a lean security team to discover a data breach, it becomes apparent that healthcare organizations must be more vigilant about what happens inside their networks," said Morales. "It's critically important to know the difference between an attack in progress versus network traffic that is associated with business as usual. It's unacceptable (and embarrassing) to find out weeks, months or years later that a breach occurred. I believe the answer lies in 360-degree visibility inside the network, real-time attacker detection, and the prioritization of all detected threats - from cloud and data center workloads to user and IoT devices."
Some tips he recommends for protecting one's organization against threats include "eliminating the manual, time-consuming work of security analysts; lowering the skills barrier needed to hunt down cyberthreats; considering that everything is connected, which makes for an easy target; and providing visibility inside the network to see attackers and what they're doing."
