The attack on medical institutions for health care identity data has reached crisis proportions. The information is coveted by hackers because of the valuable PII (personal identification information) that can be used to create lines of credit and other valuable financial instruments.   

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that enforces federal civil rights laws has been issuing substantial fines for not adhering the practice and procedures outlined in the HIPAA regulations. These include:  $2.3m fine to Community Health Systems for a 6.1m data record breach and a $6.85m fine to Premera for a 10.4m breach in records.  Both were cited for failures concerning risk management and access controls.

The alert warns a "HUGE" amount of data was exfiltrated from Kia Motors America.   This is usually a sign the hackers were in the system for a long time, e.g. the hackers had a long "dwell-time." (Dwell-time is the amount of time during which an attack goes undetected.) According to one report from Booz Allen Hamilton, cybersecurity dwell times may last between 200-250 days before discovery.

Hackers are going to use some mechanism to enter or systems, be it phishing, social engineering, weak passwords, default admin passwords, etc. They might even be a trojan horse inside a legitimate agent (e.g. SolarWinds).   The logical defense is to detect their actions once they penetrate the system.  We know that in the Kill Chain, the attacker is going to attempt lateral movement and escalation of privileges. This is the point where we have to identify and stop the attack. 

One key mitigation method is enforcing the NIST PR.AC-6 principle of least privilege and attest to every privilege escalation to key security groups that legitimate users and hackers attempt. Organizations need to adopt solutions that force an immediate review of the account escalation attempts using IT audit and security access review products.

It's important to note that the malware that is being implanted into these browsers can also contain multiple payloads. That is the payload may not just be confined to malvertising material - but can also contain more traditional enterprise attacking payloads where corporate and other credentials are collected and directed back to the command and control center. These traditional credential collectors can be used to attack BOTH individuals and enterprises.

This is why enterprises need to insure that they are able to monitor their accounts and account privileges for nefarious usage and for nefarious privilege escalation that may result from these browser based attacks or other identity manipulation means.

The key here is to note that hackers are usually INSIDE the enterprise, undetected for a long time. F5 reported in 2021 the average time it takes to discover a ":credential spill"  is 327 days.

By this time, we have to assume that an attacker is going to penetrate our network, servers, applications in some form or another. Billions of scans are running daily - looking for known, published vulnerabilities.  Chances are one of our systems is not fully patched or even SHIPPED w/ a vulnerability (e.g. SolarWinds). Thus what's our defense? We have to be able to detect the actions of these attackers.  

It is known conduct  in the attacker's kill chain that the hacker will usually do the two following actions:  conduct lateral movement across the enterprise (to find valued resources) and to escalate their own privileges (say to admin account) to help move to all resources have the privileges necess to exfiltrate the data.

These privilege escalations are detectable if the enterprise is conducting regular and triggered access and privilege reviews. This is what a cloud identity governance product can do for the enterprise.  It is imperative to an enterprise to have regular reviews and be dynamically triggered when privilege escalations are occurring.

The report states: ‘Organizations are also poor at detecting breach attempts: median time to discovering a credential spill between 2018 and 2020 was 120 days, while the average time to discovery was 327 days.’

I think this is the key point.  Hackers are going to find a vulnerability somehow, someway - we are all being scanned.  And once that flaw is found, e.g. an unpatched server, a weak password, an open network device - the hacker will be on our systems.   From there, we MUST be able to detect their actions.  The known pattern of behaviors of attackers makes identifying compromised credentials (hacked accounts) possible.   We know that a hacker is going to want to move around the network (lateral movement) and escalate their privileges of the overtaken account (privilege escalation). This latter action, privilege escalation, is what hackers use to take normal "user" accounts and turn them into "admin" accounts.   This allows them access to more networks, more servers, and more data.

These privilege escalations are detectable if the enterprise is conducting regular and triggered access and privilege reviews, and is what cloud identity governance does for the enterprise.