1

Looking Towards the Future with Teachings from the PastCybersecurity Forum – Opening Keynote, February 11, 2019

Ron Mehring, CISSPVP Technology & Security, CISO, Texas Health Resources

Axel Wirth, CPHIMS, CISSP, HCISPPDistinguished Technical Architect, Symantec Corporation

2

Ron Mehring, CISSP has no real or apparent conflicts of interest to

report.

Axel Wirth, CPHIMS, CISSP, HCISPP is employed by Symantec, a

cybersecurity vendor, but has no real or apparent conflicts of

interest to report.

Conflict of Interest

3

• Identify how cyber-attacks were actually executed and

understand cyber-attack trends

• Explain how effective response to cyber-attacks can mitigate

the impact and damage

• Discuss what we may expect in the coming year regarding

cyber-attacks in the healthcare space

• State lessons learned from the past to assist with the present

and what is anticipated in the future

Learning Objectives

4

1. Evolution of Cyber-Attacks

2. Effective response and impact mitigation

3. What we may expect in the coming year

4. Lessons learned and anticipating the future

5. Discussion / Q&A

Agenda

5

Cybersecurity – Historic Timeline

Ancient History (1940 – 1980s)

Middle Ages (1980s – 2000’s)

Modern Age (2000’s – today)

Theory of self-replicating

code (J von Neumann)

1949

“Creeper” concept demo

(ARPANET, PDP-10)

1970

First fully-functional virus

(V Risak, TU Vienna, Siemens)

1972

“A Disease of Machinery”

(Westworld, MGM)

1973

Analogy to biological virus

(J Kraus, U of Dortmund)

1980

“Core Wars” game

(Bell Labs)

1950s

“Computer virus” general

definition (F. Cohen, UC)

1984

“Brain” tracking copyright

violations (MS-DOS)

1986

“SCA” leads to first virus

checker (Amiga, est. 40%)

1987

“AIDS” first ransomware

(MS-DOS)

1989

“Concept” first macro

virus (MS Word)

1995

“Elk Cloner” released

(15 yo, Apple II)

1982

“Melissa” 1st social eng.;

20% of world’s computers

1999

“Stuxnet” sabotage of

Iranian nuclear program

2010

Multiple highly sophisticated

viruses (e.g. Duqu, Flame)

“CryptoLocker” ransomware

“Darlloz” IoT virus

2013

“Mirai” highly disruptive

IoT DDoS, up to 1TBit/s

2016

“Conficker” infects

est. 15M computers

2008

“WannaCry” & “Petya”

cause $B+ losses

2017

“ILOVEYOU” million+

infections in hours

2000

“SQL Slammer”

fastest worm

2002

Reports of Cyberwarfare

(Syria, Ukraine, Georgia)

2007/08 2011/12

6

• Conficker (W32.Downadup) computer worm:

– 5 variants produced (Nov. 2008 – April 2009) – Win2k, XP, Server 2003 & 2008, Vista

– Multiple purposes: open backdoors, spam bot, keylogger, download other malware, …

– Multiple propagation methods: Internet, LAN, shared folders, mapped drives, peer-to-peer

networking, portable media (USB)

– Estimated to have infected up to 15 million computers (compare: WannaCry: 350,000)

• Advanced capabilities and highly resilient:

– Hides and replicates before becoming active

– Scans network for machines with the same vulnerability

– Has the capability to protect itself (e.g. disable AV and Windows updates)

• Still prevalent – but limited impact:

– No active C&C servers

– Fewer infections as target OS’s are declining,

may have run its course by 2020

– Latent infections residing on legacy systems,

e.g., leading malware in healthcare (June 2016)

• Other noteworthy facts:

– $250,000 bounty still available!

– The end goal of Conficker has never become clear

• Other long-living malware: Sality (2003), MyDoom (2004), Zeus (2011), Mirai (2016)

Conficker – Happy 10th Birthday

7

• Mealybug Cyber Crime Actor:

– Active since at least 2014

– Initially targeting banking industry in Europe

– Custom malware Trojan.Emotet (network worm)

– Brute force attack via password list

• Started shifting focus in 2017

– Providing delivery services for other threat actors

with Trojan.Emotet functioning as a “loader”

– Europe U.S. (Canada, Mexico, China)

• Key modules per direction of C&C server:

– Banking module – steals banking details from network traffic

– Email client infostealer – email credentials

– Browser infostealer – browsing history and passwords

– PST infostealer – email addresses

– DDoS module – carry out DDoS attacks

• Mealybugs, as a evolving threat actor, has been refining their techniques:

– Shifted from few regional banking attacks to a global distributor for other groups

– Maximizing returns based on core competency and tools available

Emotet – Rolling with Opportunities

Source: Symantec ISTR

8

High Impact MalwareCare Delivery, Supply Chain, Privacy

• EternalBlue exploit (NSA leak)

• WannaCry (May 2017):

• faulty Ransomware, ~$4-$8B global impact

• Petya (June 2017):

• cloaked Ransomware (Wiper), ~$10B impact

• WannaCry - care delivery impact:

• 81 of 236 hospital trusts; 595 of 7545 GP’s

• 1000+ systems, 19,000 appts., ~£92M loss

• Root Cause: Underinvestment, patching

• Leading to £21M security investment

• WannaCry still active!

• Petya – healthcare supply chain

• Global pharma company - ~$310M loss,

global drug and vaccine availability

• Transcription service provider - ~$68M loss,

impacted hosted transcription service

WannaCry, Petya

• Largest national HC provider, SE Asia• July 2018 attack

• 1.5M records, incl. Prime Minister

• Post mortem report:• Breach identified, but no action taken

• Missing Risk Assessment

• Lack of training, awareness, and concern

• Lack of vulnerability scans and pen testing

• Missing patch, poor password policies

• 16 recommendations (7 critical):• Enhance security structure

• Review and assess cyber security stack

• Improved staff awareness - prevent, detect,

and respond to security incidents

• Enhanced security checks

• Tighten privileged admin account controls

• Improve incident response processes

• Private/public partnerships around security

Trojan.Nibatad

9

Summary – Threat Landscape TrendsCybercrime continues to follow money and opportunity

Top 10 Malwares 12/2018

• Emotet

• Kovter

• ZeuS

• NanoCore

• Cerber

• Gh0st

• CoinMiner

• Trickbot

• WannaCry

• Xtrat Source: CIS

Worms are back:• Hitting networks today, expect next generation IoT worms

Targeted attacks are hitting diverse targets:• Profiling, targeting, and execution continue to improve

• E.g. Orangeworm group - healthcare

Email malware rates are increasing again:• Dropped 50% in 2017, back up in 1H 2018

BEC scams continue to be profitable:• Business Email Compromise: $12B loss in 6 years

Ransomware numbers are stable:• Crowded market, some have moved on

Cryptojacking remains popular• But – rises and falls with Cryptocurrency value

IoT devices are the soft target:• Patching, default credentials, forgotten

• 159% increase of attacks (7/17-7/18)

10

1. Evolution of Cyber-Attacks

2. Effective response and impact mitigation

3. What we may expect in the coming year

4. Lessons learned and anticipating the future

5. Discussion / Q&A

Agenda

11

Effective Response

Preparation is the key to

managing the incident response

cycle and reducing impact.

1. Preparation

Getting Organized

Response activities must

account for multiple conditions

and complexity of organization.

2. Execution

Detection and

Response

Timely escalation to peering

response groups and

leaderships teams.

3. Communication

Escalation and

Peering

12

Effective Response: PreparationPreparation Analysis/Detection Containment Eradication Recovery Post Incident Activity

Identity InventoryAccurate inventory of identities and entitlements across technology and application

portfolio.

Tool ManagementInventory of analytics and response tools.

ExercisesIncident exercise plan tailored to

unique environments and playbooks.

Data InventoryInventory of sensitive data and

data flow.

Asset InventoryAccurate inventory of

technology assets that includes location, criticality and use.

Threat CatalogCatalog of potential threats with associated response

playbooks.

13

Effective Response: Execution

• Effective incident

response plans

account for diverse

operating

environments and

stakeholder

protection,

detection and

response needs.

• Reduction in time to

respond and

remediate

Pla

ybo

oks

Respo

nse P

lan

Pre

para

tio

n P

hase

Respo

nse

Preparation Analysis/Detection Containment Eradication Recovery Post Incident Activity

Privacy

Cybersecurity

Patient Safety

01 02 03Risk Based

Equilibrium

Regulated Data, Credit Card Data. Requirements may conflict with patient safety needs.

1. Protect Data Confidentially

Control robustness must balance reliability and security.

2. Protect the Enterprise

Medical devices and other critical care device protection needs may conflict with

data confidentially requirements.

3. Protect the Patient

14

Effective Response: Playbooks

Example: Malware Attack Playbook

Preparation Analysis/Detection Containment Eradication Recovery Post Incident Activity

• What type of

Attack?

• What type of Asset,

Identity, Data Type?

• Exposure? Privacy Patient

Safety

Physical

Security

Legal

HICS/System

Preparedness

Treasury

(PCI)

HTM

(Medical Devices)

Cascading Unique Playbooks

HR Risk

Financing

Business Process

Owners

Facilities

JV/Business

Partners/Vendors

Cyber Incident Response Phases

Cyber/Technology

Teams

15

Effective Response: Communication

• The need to communicate effectively before, during and after

incident should not be underestimated.

• Preparation phase requirements and inputs should be well

understood by technology/data custodians and system owners.

• Timing of stakeholder involvement is important.

• Balancing incident sensitivity classification and transparency must

be addressed up front.

Preparation Analysis/Detection Containment Eradication Recovery Post Incident Activity

A robust communication plan that reflects the different cyber

incident stakeholder groups is critical to controlling incident impacts.

16

1. Evolution of Cyber-Attacks

2. Effective response and impact mitigation

3. What we may expect in the coming year

4. Lessons learned and anticipating the future

5. Discussion / Q&A

Agenda

17

What to Expect for 2019The Big Picture / Broader and Continuing Trends

• A serious cyber event with socio-economic impact is increasingly likely

• Continued evolution of cyber conflicts for strategic and economic benefits

• Digitization (more data)

• Digitalization (more digital infrastructure)

• Technology adoption (IoT, cloud, 5G, AI/ML)

• Supply Chain as attack vector

• Data in Motion attacks

• We will continue to see big names in the headlines

• It will not just be about Confidentiality anymore

Consequently:

New and creative attack vectors:

Growing attack surface – attackers roll with opportunities:

Political cyber-conflicts will be a growing risk:

18

Us v

s. T

hem

What to Expect for 2019 – AI & ML

Let’s not confuse the two – AI/ML refer to the capability of a machine to:

ML = learn without explicitly being programmed (= learning)

AI = imitate intelligent human behavior (= perception, decision, autonomy)

Attackers will exploit ML/AI systems and use them to aid their assaults:

• Craft new attacks, uncover new vulnerabilities (zero days)

• Circumvent our ML/AI defenses through model extraction or poisoning

Defenders will increasingly depend on ML/AI to counter attacks and identify

vulnerabilities:

• Reliable and fast analysis of large, complex (and boring) data sets across

multiple internal and external security control points

• Analyze information with no apparent logical or discernable pattern

• Rapid identification of new exploits (threat intelligence)

• Predictive protection (automate identification and response)

• Augment human talent (or lack thereof)

19

What to Expect for 2019 – AI & ML

Attackers

Corrupt AI-based business systems

Support intelligence and reconnaissance

(network probing, vulnerabilities)

Sophisticated and tailored social

engineering attacks

Realistic disinformation campaigns

AI-powered toolkits and services

The “Terminator Wars” of the future will likely occur in cyber space

and play out at scale, speed, and cost that humans cannot match

Defenders

Identify new threats and provide better

(faster) threat intelligence

Uncover & fix new vulnerabilities

Advanced attack simulations

Better detection and response capabilities

Protect digital security and privacy

(UBA, ID protection, content monitoring)

ML / AI Utilization and Benefits - Examples

20

Technology Adoption as Opportunity

5G - from 1 Gbps to 10 Gbps, a $26B market by 2022 (IDG)

• 5G will drive other technologies and make

them even more attractive:

Cloud – any data anywhere

Mobile – slow consumer adoption may limit

penetration, but 5G will enable

cheaper devices (less storage)

IoT – new IoT devices will provide 5G “out of

the gate” and enable convenience and

new value-added services

• IoT (and other) device traffic will bypass

home routers and enterprise networks

• Crossover within a few years:

More 5G devices will connect directly to

public networks than via a Wi-Fi routers

• Expanded attack surface area

• Circumvent enterprise and home

security controls

• Direct attack on devices

• Leverage device as “bridgehead”

• Capture or manipulate “data in

motion” or poorly protected cloud

accounts

Source: Symantec ISTR

Technology Trends and Impact: Opportunity for Adversaries:

21

Technology Adoption as Opportunity

IoT (IoMT / Embedded Systems / Medical Devices)

• Business: improve efficiency, reduce costs, benefit from more data points, etc.

• Consumer: improve comfort, ease of use, quality of life

• Enable new business and service delivery models through physical devices

• Provide service where the consumer (patient) is

Technology Trends and Impact:

Source: Symantec ISTR

• Exploit poorly secured IoT infrastructure

• Bridge the virtual and physical worlds –

attacks that can do damage:• Kinetic attacks (e.g. cars, pacemaker)

• Critical Infrastructure: utilities, food supply, ports,

traffic control, finance, healthcare

• IoT-based events will move beyond massive

DDoS assaults (e.g. Mirai):• Ransom, blackmail, stalking, botnets, etc.

Opportunity for Adversaries:

22

Data-in-Transit Attacks:

• Gain access to routers and other network infrastructure:

– Steal credentials, account, or other confidential information

– Deliver compromised web page to capture confidential information

(a variation of “formjacking”)

– Manipulate data between sender and recipient

Other Relevant Threat Trends

Supply Chain Attacks:

• Deliver payload (malware) via trusted 3rd party software (e.g. Petya):

– Difficult to identify: Trusted domain, digitally signed, trusted update process

– Benefits: Rapid distribution within a targeted industry or region

– Circumvent traditional security controls, access with elevates privileges

• Potential to infect and utilize hardware supply chain in the future:

– Such attack would be highly sophisticated and difficult to detect

– Resistant to malware removal, reboot, reformatting, or reinstallation

23

GDPR (European General Data Protection regulation) set the Stage

• Other nations are following suit (Canada, Brazil)

Distinct drivers are evolving: compliance, security, privacy, safety

• U.S. has traditionally had a disparate approach (by State or by Industry):

– In 2018, California passed toughest privacy law yet

– Federal security and/or privacy laws may evolve over the next few years

– Revision of HIPAA Privacy Rule is under discussion

– FDA Guidance's on Medical Device Cybersecurity

– NIST Cybersecurity Framework

– NIST Privacy Framework (in progress)

– HHS Cybersecurity Working Group and resulting in Task Group Workstreams

– Multiple House and Senate bills in process (Med Devices, IoMT, IoT, certification)

• An uptick in legislative and regulatory security and privacy action is certain

– Improve consumer rights and protection

– Reduce the risk of breach or harm

– Harmonize requirements across regions and industries

– Balanced with the need for information sharing

Regulatory and Legislative Action

24

1. Evolution of Cyber-Attacks

2. Effective response and impact mitigation

3. What we may expect in the coming year

4. Lessons learned and anticipating the future

5. Discussion / Q&A

Agenda

25

What have we learned

1. Orchestration

Playbooks and

Automation

Response activities must

account for complex

environments.

2. Analytics

Detection and

Response

Risk Management and Root

Cause analysis provides an

important feedback loop.

3. Post Incident

Lessons

Learned

Threat models will need to

have dynamically assigned

actions with predefined

escalation.

26

What have we learned: Orchestration

Advancing Orchestration

capabilities will be key in

handling current and future

threats. People training will

be key!

Preparation Analysis/Detection Containment Eradication Recovery Post Incident Activity

27

What have we learned: Analytics

John Boyd’s OODA Loop

Event Obs

erve

Incident

Speed and quantity of attacks are increasing. This will require data

to become a stronger factor in

reducing friction within response

processes

Improving system to system interfaces and automation to

reduce response dwell time.

Artificial intelligence and behavioral analytics are required

to help better inform analysts and

improve response cycle.

Preparation Analysis/Detection Containment Eradication Recovery Post Incident Activity

28

What have we learned: Integration

• AI and analytics will need to be considered to help drive orchestration / automation and

analyst practices to help improve time to detection, time to respond performance.

• Security architecture planning, reliability engineering and development of performance

measures will be critical.

• Integrating analytics into a continuous controls testing model and security architecture will

be necessary to keep up with the changing business, architectures, and development

cycles.

Advanced Cyber Operations

Orchestration Platform and

Processes

Event -Analytics SystemsAI/Behavioral

Analytics An

aly

st

Tim

e C

onsum

ption

Number of Event/Alerts to be acted

Opportunity for AI and behavioral

analytics

Village elders, rule of thumb, heuristics

Preparation Analysis/Detection Containment Eradication Recovery Post Incident Activity

on

Low quantity,

minimal time and

high fidelity

29

What we have learned: Post Incident

Preparation Analysis/Detection Containment Eradication Recovery Post Incident Activity

RiskProvides transparency for

executive leadership and defines

risk tolerance, policy and

remediation investment priorities.

OperationsCoordinates root cause analysis of

bad outcomes (incidents or control

performance issues). Operations

consumes risk decisions and

advances or corrects processes

and technologies.

FeedbackA control architecture review

helps define the requirements

and control robustness

signaling between risk and

operations.

30

1. Evolution of Cyber-Attacks

2. Effective response and impact mitigation

3. What we may expect in the coming year

4. Lessons learned and anticipating the future

5. Discussion / Q&A

Agenda

31

Axel Wirth, CPHIMS, CISSP, HCISPP

617-999-4035

axel_wirth@symantec.com

@axel_wirth

Questions

“There's a clear pattern here which suggests an analogy to an

infectious disease process, spreading from one area to the next. …

I must confess, I find it difficult to believe in a disease of machinery."

From the Movie Westworld (1973)

Ron Mehring, CISSP

682-236-8282

ronaldmehring@texashealth.org

@mehringrc

32

Scientific American: “When and how did the metaphor of the computer 'virus' arise?”,

https://www.scientificamerican.com/article/when-and-how-did-the-meta/

Richard Clarke: “Cyber War: The Next Threat to National Security and What to Do About It”,

April 2012, https://www.amazon.com/gp/product/0061962244

Bruce Schneier: “Click Here to Kill Everybody: Security and Survival in a Hyper-connected World”

Sept. 2018, https://www.amazon.com/dp/0393608883

The Conficker Working Group, http://www.confickerworkinggroup.org/wiki/pmwiki.php

Magnolia Pictures: “Zero Days”, July 2016, https://www.imdb.com/title/tt5446858/

ISE: “Hacking Hospitals”, Feb. 2016, https://www.securityevaluators.com/hospitalhack/

UK Health and Social Care System: “Lessons learned review of the WannaCry Ransomware Cyber

Attack”, Feb. 2018, https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-

wannacry-ransomware-cyber-attack-cio-review.pdf

AAMI: “Medical Device Cybersecurity – A Guide for HTM Professionals”, June 2018,

http://www.aami.org/productspublications/ProductDetail.aspx?ItemNumber=6489

Symantec: “Internet Security Threat Report”, annual, http://www.symantec.com/threatreport

HIMSS Privacy & Security Committee, https://www.himss.org/library/healthcare-privacy-security

NIST SP 800-61, “Computer Security Incident Handling Guide”,

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

Ponemon Institute: The value of AI in Cybersecurity: July 2018, https://www-

01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=41017541USEN

Further Reading