A higher security maturity level
Organizations typically rely on traditional protection measures such as vulnerability management or penetration testing to defend against cyberattacks; however, attacks are becoming increasingly difficult to detect. Advanced Persistent Threats (APTs), for example, use their own tools with unknown signatures that an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) cannot detect.
Vulnerability management and penetration tests provide snapshots of the security of the system and configuration. In Vulnerability Management, the results are predominantly based on the data sets; in Penetration Testing, they are based on the expertise of the testers. Without broad expertise and quality, the root causes of attacks cannot be determined. Penetration testing is also invasive: since failures and additional costs can occur, it is associated with high risks.
Neither method reveals whether existing vulnerabilities have already been exploited. Zero-day gaps, that is, unknown vulnerabilities that can be exploited to cause damage, are often overlooked. Even simple configuration errors such as overly generous authorizations fall through the cracks: Windows Active Directory often contains accounts or groups with diverse authorizations and bad passwords. In the worst case, the entire infrastructure can be compromised.
Traditional or preventive measures are therefore not sufficient to raise the maturity level of the IT security infrastructure of hospitals, to detect attacks and acute threats and to react to them. Compromise assessment can be a valuable addition here: It is designed to find traces of attacks, the so-called IOCs – Indicators of Compromise. By analyzing and assessing them, compromised systems and the underlying vulnerabilities are discovered and clear recommendations for action are derived. The causes are eliminated in the Remediation phase and the desired target state is established in order to end ongoing attacks and prevent future ones. Compromise assessment is an evaluative, not a preventive discipline in hospital IT security. It looks at the entire infrastructure and provides a view into the past.
Finding the traces of current and past attacks
An attacker inevitably leaves behind forensic artifacts that can be used for evaluation. These can be, for example, log and dump files from attack tools, files with unusual obfuscated content, tools for establishing persistence, or simply tools in atypical directories or specific configuration keys. They can also be unusual network connections to suspicious servers, IP addresses and ports, or log files of interactions, logins and process starts. The number and variety of IOCs that can be detected in practice is quite frightening.
For example, the THOR APT Scanner tool from Nextron Systems GmbH alone currently contains around 18,000 IOCs in 26 different detection modules in its basic rule set. It is appreciated by threat hunters and incident responders worldwide.
Good tools and broad knowledge to detect attacks quickly
Studies show that it usually takes two to three months before an attack is even detected. The damage increases with each day that the attacker remains undetected. Using Compromise Assessment, the time to detect a successful attack can be reduced to a few days in the best case. Typically, attacks are detected shortly after the analysis begins, because the analysis starts with the events that have the highest hit rate. The decisive factor is the total number of days, made up of the scan duration and the time until the analysis starts. This period can vary greatly depending on the scan configuration, the size of the system and the number of events returned. A rough guideline is one week, since the scan duration can be between a few minutes and several days and the analysis is started directly afterwards. Events are sorted by severity, starting with the most severe. However, events with a low severity level can also be indicators of an attack. Therefore, it is important that the analysts have a broad knowledge of the structure and functioning of the systems: the result of the analysis can only be as good as the analysts’ know-how allows. The tools and the underlying rule set of the IOC scanners point in the right direction; the indications must then be correctly interpreted and put into context.
The need for Continuous Compromise Assessment
Even though a Compromise Assessment scan brings clarity to ongoing and past attacks and provides deep insight, it remains a snapshot in time. Any change to a hospital’s systems can fix attack vectors, but it can also create new ones. That’s why Continuous Compromise Assessment makes sense: scanning for attack traces and analyzing the results on a recurring basis. The initial scan is quite time-consuming, as millions of forensic artifacts may need to be examined, which can take several days. The follow-up scans and analysis are significantly simpler, as only the changes need to be screened.
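The follow-up scan described above, as an added example (not part of the original article and not code from THOR or Nextron Systems): it compares a follow-up artifact snapshot against the baseline, checks only new or changed files against IOC rules, and returns the events sorted by severity. The rules, paths, hashes and severity scores are constructed for illustration.

```python
import re

# Constructed IOC rules: (name, severity 0-100, predicate over an artifact).
# Illustrative only; not taken from any real scanner rule set.
KNOWN_BAD = {"aa" * 32}
ATYPICAL = re.compile(r"\\(temp|public)\\[^\\]+\.(exe|dll|ps1)$", re.I)
IOC_RULES = [
    ("known-bad file hash", 90, lambda a: a["sha256"] in KNOWN_BAD),
    ("executable in atypical directory", 70,
     lambda a: ATYPICAL.search(a["path"]) is not None),
    ("dump file left behind by a tool", 40,
     lambda a: a["path"].lower().endswith(".dmp")),
]

# Constructed snapshots: path -> SHA-256 of the file at scan time.
BASELINE = {
    r"C:\Program Files\PACS\viewer.exe": "11" * 32,
    r"C:\Windows\System32\lsass.exe": "22" * 32,
    r"C:\Users\Public\notes.txt": "33" * 32,
}
FOLLOW_UP = {
    **BASELINE,
    r"C:\Program Files\PACS\viewer.exe": "55" * 32,   # changed content
    r"C:\Windows\Temp\svc.exe": "aa" * 32,            # new file
    r"C:\Users\Public\lsass.dmp": "44" * 32,          # new file
}

def delta(baseline, current):
    """Artifacts that are new or changed since the baseline scan."""
    return [{"path": p, "sha256": h}
            for p, h in current.items() if baseline.get(p) != h]

def assess(artifacts):
    """Match artifacts against every rule; most severe events first.
    Low-severity events are kept, not filtered, so an analyst can still
    put them into context."""
    events = [(sev, name, a["path"])
              for a in artifacts
              for name, sev, matches in IOC_RULES if matches(a)]
    return sorted(events, key=lambda e: (-e[0], e[2]))

if __name__ == "__main__":
    changed = delta(BASELINE, FOLLOW_UP)   # 3 of 5 artifacts need screening
    for sev, name, path in assess(changed):
        print(f"{sev:3d}  {name:35s} {path}")
```

Passing an empty baseline to `delta` reproduces the initial scan, in which every artifact has to be examined.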
A Compromise Assessment scan alone does not reduce the time it takes to detect an attack. This only happens if all measures from previous scans are implemented and systems are rescanned at regular intervals. These measures must be prioritized, implemented in a timely manner and tracked so that the security level increases in the long term. They can include, for example, introducing centralized log management or even a SIEM, changing the domain policy and introducing authorization management. It also makes sense to replace systems if they are too old or the manufacturer has discontinued support. In this way, clinics can optimize their processes and achieve a level of security that will help deal with or prevent new attacks more quickly.
Compromise assessment is an excellent discipline for identifying and evaluating ongoing or past attacks on clinics and taking appropriate action to prevent them in the future. It can meaningfully enhance a hospital’s IT security, but is not sufficient on its own to increase its security maturity level. This is because Compromise Assessment is a passive discipline and must be performed manually. Only in combination with other tools and measures does a complete picture emerge that reflects the overall security level.