Barely six months after much of the United States shut down in 2020 as the pandemic swept across the country—the Department of Homeland Security and FBI issued a dire warning to American healthcare organizations. They were receiving “credible information” of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.
Shortly after the federal government issued its warning, a wave of ransomware attacks hit dozens of hospitals across the country, crippling operations and disrupting the delivery of critical services to patients. As breathtakingly malicious as these ransomware attacks were—crippling essential healthcare resources at the outset of one of the worst pandemics in history—they also shined a light on weaknesses in the healthcare industry’s cybersecurity practices. In the wake of the attacks, healthcare network administrators faced an immediate and stark mandate: improve the security of their networks and digital assets.
Take stock to formulate a proactive response
Our initial advice to customers in the industry was to assess the situation from a high-level vantage point through a series of questions.
What happened? How did the industry get in this position? It could have been a lack of awareness of shifts in the threat landscape. Or it could also have been a failure to plan for emerging threats. Was there evidence of internal actors, or were these attacks solely the work of external bad actors?
When did the incident happen—what was the underlying timeline? Many malicious cyberattacks proceed slowly over a period of weeks or months. The healthcare ransomware wave differed in that dozens of facilities were targeted in a relatively compressed time window. As part of addressing this question, postmortem efforts would need to establish: How long had this wave really been going on? Was the infection a chronic illness and systemic? Or acute and contained? What was the blast radius—how many and what types of devices were affected?
What can the industry do to prevent the incident from happening again? IT security admins have a handful of tools to immediately strengthen network defenses in light of widespread incidents like the ransomware wave. They can update firewall rules, implement DNS response policy zone (RPZ) methodologies to screen out known-malicious global identifiers, and patch any out-of-date applications. But what additional measures do the need to take?
Security pros must piece together as complete and accurate a picture of what happened in the wake of a cyberattack to implement more effective network defenses. But if IT security teams want to do more than take remedial actions, they'll need to modernize their security posture. On the technology side, modernization begins with visibility, threat intelligence, and the ability to act on that intelligence. Organizations can’t protect what they can’t see.
It’s not a coincidence that hospitals were hit with attacks precisely when many of these facilities transitioned to remote work policies for non-essential administrators and business employees. Remote work opened up a host of vulnerabilities as employees began to access network resources via personal devices and insecure home Wi-Fi. Where IT administrators previously could view and track devices and users within the firewall, now users were logging in remotely and administrators had little insight into or control over their devices and activities.
That lack of visibility into which devices are connected to the network and what those devices are doing was a critical shortcoming for many of the affected facilities. Just how critical is visibility to security? A recent Forrester survey of more than 400 global IT leaders found that 97% of them have recently invested, or plan to invest, in new visibility tools. But it’s rare to find that kind of near unanimity in security circles. Some 81% of surveyed decisionmakers realize that better network visibility would improve their security capabilities. Better network visibility also offers many other benefits, including stronger network performance/capacity planning, more audit compliance capabilities, and operational efficiency.
Source data at the DNS layer
Security teams have to determine the best route to gaining clear visibility into network operations, devices and users. It starts at the DDI layer, especially with IP Address Management (IPAM). A well-configured IPAM solution can deliver the who, what, where, and when for any system on your network: who authenticated to what system, when and where (on what port. When this information gets collected in one place, the team now has comprehensive visibility into nearly everything happening on the network.
More advanced IPAM solutions can make this data accessible through a RESTful API, which in turn can trigger automated capabilities. For instance, when events such as new devices being discovered for the first time arise, the system can launch a vulnerability assessment tool. Similarly, security teams can automatically send configuration management database information, or a NAC system can isolate a port based on a security event. In short, a high-quality IPAM system, when properly managed and deployed, becomes a powerful tool for the security and network teams.
Security products that leverage the data that DNS provides can also supply an early warning into suspicious or malicious activity on a network. And when combined with robust threat intelligence and other security solutions, security teams can use DNS security to automate critical security tasks, identify potential threats, and let IT teams see attacks at the earliest stages. Today’s DNS offerings are a way for security teams to collect, normalize, and distribute highly accurate, multi-sourced threat intelligence to strengthen the entire security stack and secure DNS operations. Additional capabilities empower SecOps to accelerate threat investigation and response by more than 60%.
Where or when the next wave of ransomware or DDoS attacks will occur, we just don’t know. But the wave that hit the U.S. healthcare community in 2020–2021 taught us several valuable lessons about security that will certainly help organizations better prepare for the future. The most important of those lessons being: DNS/IPAM data + threat intelligence + automated security steps = a much stronger security posture.
Rufus Coleman, director and general manager, US SLED, Infoblox