Following the news about attackers steal 600K records from health care firms – details how thieves exfiltrated 600,000 US patient records and offered for sale more than 3 terabytes of associated data. Here is a link to the source report “Healthcare Under Attack” from InfoArmor. Security experts from Balabit and STEALTHbits Technologies commented on this attack below.
Balázs Scheidler, Co-Founder and CTO at Balabit:
“With staffs increasingly on the go, remote access to internal IT services is commonplace. We access our virtual desktops, applications or even servers interactively from outside the firewall with protocols such as Microsoft Remote Desktop or Citrix ICA.
“These communication channels allow complete access to these systems, as if users were sitting in front of them. But as they can be accessed any time & from anywhere, and visibility on what exactly happens there is often lacking. Certainly application logs can reveal some insight, but more often than not, these do not contain enough details or their use is very inefficient. This remote access ability is especially problematic when it involves Privileged Accounts. The “root” and “Administrator” account of server systems allow unconstrained access to its user to any data or applications running on the servers in question. This includes the ability to terminate logging functionalities, making IT and security completely blind in the case of security breaches.
“In the case of the health care firms in question, attackers initially used a normal user account and then acquired superuser privileges using Local Privilege Escalation. This means that even though the initial access was for a normal user account, they gained privileged access after logging in. A very similar attack vector was used in the famous Target breach. The initial entry to the Target network was an access to HVAC systems operated by a third party, whose credentials were compromised.
“Best-of-breed session monitoring solutions offer CCTV like recording of user sessions, complete with screen contents, mouse movements-, clicks and keystrokes, without using agents deployed on the server or the client. With intimate knowledge of a user’s daily activities, behavior analytics can be applied to find the interesting data: just as with actual CCTV footage, IT and security want to focus investigations on sections where something noteworthy actually occurred, and User Behavior Analytics enables that. It returns a list of ranked sessions that list the most suspicious ones on the top.
“Monitoring these kinds of remote access sessions is important in order to gain visibility and identify misuse. It is important to build coverage of remote access to desktops, applications and data into security strategies to avoid such breaches.”
Adam Laub, Senior Vice President of Product Marketing at STEALTHbits Technologies:
“This is another perfect example of the fact that attackers are after two things, and in this order: credentials and data. If an attacker was trying to rob your home without being detected, the best thing they could do would be to obtain the keys to your doors. In the absence of an alarm system with streaming video cameras, they could run rampant around your house, taking whatever they please without detection or record of what was stolen. In the case of this breach, if the keys (user credentials) weren’t so easy to compromise and the stolen assets (data) were being monitored and recorded, it could not have been so easy to exfiltrate 600,000 records and over 3 terabytes of data without sounding an alarm. While perimeter and endpoint defenses have their place and are part of the healthy breakfast that is information security, organizations need to spend a lot more time and focus on the underlying cause of their data breach dilemma: poorly secured credentials and data that are largely unchecked, under-governed, under-monitored, and under attack.”