All PHI, Personal Health Care information falls under HIPAA guidance. There are stated rules of practice for enterprises who handle PHI to follow. When a breach occurs and PHI is determined to be exfiltrated to non-permissioned users, an investigation can and usually does occur - conducted by the OCR, the U.S. Government's Office of Civil Rights. They will determine if the proper practices of data governance have been followed.  Often, they determine that these practices have not been followed and fines are put in place, such as when Athens Orthopedic was fined $1.5M in 2020 and Lifespan Health System fined $1.04M in 2020.

Data Governance starts with the HIPAA-prescribed regular access reviews, examining each reviewer who has access to data and applications, what data access privileges have changed, and who approved such changes in the last audit period.

The effects of this attack are serious enough: stopping 2.5 million barrels per day of refined products from the Gulf Coast to the eastern and southern United States. But is additionally alarming is how the attack group, surmised by researchers as the "Darkside" group hailing out of Russia, is now operating.  (Darkside is selective in their targets and avoids ex-Soviet Union enterprises.)

According to Cybereason, Darkside has created an affiliate program - where Darkside creates the malware and others are financially motivated via an embedded "affiliate" code to other hacking groups for a successful delivery of the malware.

This means that there's not just one threat vector to close off, but dozens if not more attack entries to block.

How to protect against such attacks?

Darkside has often created malware targeted domain controllers - so traditional hardening approaches are crucial, including patching and a fanatical lockdown of admin and service accounts. We must not only be performing regular access reviews of our key admin accounts, but also have instantaneous alerts on any attempts at privilege escalation on these accounts.

It’s important to remember that the attack mechanisms hackers are using are not all new. They succeed simply because of their ability to quickly access our weaknesses through massive and constant vulnerability scanning and then select or craft the best malware available to inject the payload of choice. The actions of the payload may be different - especially with the rise of encrypting ransomware tied to crypto payments - but the actual entry and lateral movement across our enterprises are consistent with known cyber kill chain mechanisms.

We just need to be diligent on our system hardening and patching, and have real-time alerts on identity and changes, especially around identity privilege escalation - which hackers use to move around our systems and exfiltrate data.

Brian Krebs once again did a great service to the IT security industry by revealing the flaw in the Experian API.  His mission to improve the security posture of the internet is valued. An important takeaway on this is just how vulnerable all data is with ubiquitous on-line scanning an penetration efforts. It is no longer an option but a must that our systems be re-evaluated to insure that not only data but users and user privileges are validated, with a zero-trust concept in mind - to insure that the only access that is allowed is what is intended.

Ransomware is just the same distribution of malware as many other attack types, utilizing the same attack mechanism and most of the same vulnerabilities, but with a different payload. The payload is an executable that usually encrypts the desired data and then plants a "ransom" message to the enterprise with a promise to unencrypt the data for a monetary exchange - usually in some form of cryptocurrency. One variant is where the data is not encrypted, but snippets are sent to prove the hacker has stolen the data and will make it public if money is not sent. That snippet typically contains sensitive PII or PHI to up the ante.

The important fact is that the hack itself, the scanning, the enumeration, the vulnerability assessment, the escalation of privileges and the lateral movement across the enterprise all follow the classic Cyber Kill Chain steps. As enterprises defending against these attacks, we must adhere to practices and procedures that are known to mitigate these attempts.  

 A key is to stop credential stealing and privilege escalation of stolen credentials. Privilege escalation allows the hacker to obtain access to more network and data segments, and to execute the commands to communicate back to their C2s for exfiltration of data or downloading of ransomware payload.

Knowing who has access to what and at what privilege level is paramount for the enterprise.

The message is serious because the situation is serious. My fear as an identity professional for 30 years is that more regulation will occur because of the threat. Every one of these hacks occurred to enterprises that were under some sort of regulation - be it SOX, PCI-DSS, HIPAA, or self-mandated regulations like ISO 27001 or HITRUST. The problem in today's environment is that the audit/compliance process is NOT adding enough value to the overall security posture of the enterprise.  

Audit/compliance is seen as a data-gathering activity in most enterprises. It's gathering information on the changes and the reason/justification of the changes. This is a complete misappropriation of resources - both time and money. The change information should be automatically formatted into a compliance conducive format - where no effort is needed at "audit time" to search/retrieve records. 

That's why one of the first features YouAttest did for companies is "Automatic Attestation" of user events - including escalation of privilege - both malicious and benign. We have to map these audits, especially the identity audits, into the cyber kill chain. That is, insure that the procedures/practices that we are doing as check-boxes for the compliances ALSO ensure our institutions are more resilient to these attacks.

What is easy to miss when we see a breach of this magnitude of a global corporation is that the hackers are NOT targeting the large brand names like Facebook. There is no question that Advance Persistent Threat (APT) hacks are devised and targeted at the "brass ring" enterprises like Facebook - but we have to remember that the hackers are running scans across all of our systems.

To this end, we all have to be diligent that we are monitoring our system and implementing best practices. As the Cyber Kill Chain details, hackers will be executing reconnaissance on our systems and enumerating our assets. Once this occurs, the hacker will then penetrate our systems and attempt lateral movement and privilege escalation. It is in these steps where a comprehensive and updated identity governance practice can spot an attacker who is attempting to change account privileges to enable the compromised accounts to move around the enterprise, find crucial PII/PHI data, and then exfiltrate it.

Products and practices that can identify and then alert the enterprise about account breaches are crucial to meeting not only compliance, but to achieving enterprise security.

There is nothing new about hackers hiding payloads inside of images. Steganography, the practiced of concealing a message within another message or a physical object - has been around for years.   What has changed is the sophistication of the payloads inside the map.  The executables now inside the images aren't just password loggers - they can also be APTs (Advanced Persistent Threat) executables that can morph in functionality, enumerate all systems in an enterprise and lateral move through an infrastructure.  These APTs can be defended by not just educating users, but by mitigating the steps the hack executes on the Cyber Kill Chain.  

Steps in mitigation include conducting regular and triggered access reviews to detect privilege escalation.

The attack on medical institutions for health care identity data has reached crisis proportions. The information is coveted by hackers because of the valuable PII (personal identification information) that can be used to create lines of credit and other valuable financial instruments.   

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that enforces federal civil rights laws has been issuing substantial fines for not adhering the practice and procedures outlined in the HIPAA regulations. These include:  $2.3m fine to Community Health Systems for a 6.1m data record breach and a $6.85m fine to Premera for a 10.4m breach in records.  Both were cited for failures concerning risk management and access controls.

The alert warns a "HUGE" amount of data was exfiltrated from Kia Motors America.   This is usually a sign the hackers were in the system for a long time, e.g. the hackers had a long "dwell-time." (Dwell-time is the amount of time during which an attack goes undetected.) According to one report from Booz Allen Hamilton, cybersecurity dwell times may last between 200-250 days before discovery.

Hackers are going to use some mechanism to enter or systems, be it phishing, social engineering, weak passwords, default admin passwords, etc. They might even be a trojan horse inside a legitimate agent (e.g. SolarWinds).   The logical defense is to detect their actions once they penetrate the system.  We know that in the Kill Chain, the attacker is going to attempt lateral movement and escalation of privileges. This is the point where we have to identify and stop the attack. 

One key mitigation method is enforcing the NIST PR.AC-6 principle of least privilege and attest to every privilege escalation to key security groups that legitimate users and hackers attempt. Organizations need to adopt solutions that force an immediate review of the account escalation attempts using IT audit and security access review products.