Achieving evidence-based security with threat-informed defense
With the current geopolitical climate creating a heightened risk of cyber conflict, it is more important than ever that hospitals treat cybersecurity as a key component of patient safety. Cyberattacks have been shown to delay patient care, and any delay in patient care can lead to adverse outcomes for patients.
Hospitals and other healthcare delivery organizations (HDOs) need to take stock of their cyber postures and ensure that they have mechanisms in place to mitigate the risks of a cyberattack. In addition to the standard recommendations of having an incident response plan, verifying backup and restore capabilities, reducing vulnerabilities at the perimeter, and other such controls, HDOs need to adopt a more threat-informed defense approach to securing their organizations.
While the compliance-based framework approaches that hospitals have traditionally used are not without merit, it is important to remember that compliance frameworks should be viewed as minimum acceptable standards, not as end goals. It is often very easy to be compliant with a framework and still be highly insecure.
Most compliance frameworks check for the existence of a control but do nothing to assess or measure the efficacy of the deployed control. Take, for instance, a control such as a firewall.
It is one thing to have a firewall deployed and check a compliance box, but having a firewall deployed is a far cry from ensuring that proper egress filtering is in place, that DNS traffic is properly locked down, and that other critical configurations are actually present in the firewall. HDOs need to look past buying a few security tools and appliances, deploying them, and assuming they are secure because all the boxes were checked.
HDOs need to take a more evidence-based approach to security: they need to measure and quantify the efficacy of their controls, and this is something that threat-informed defense excels at.
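The firewall example above can be turned into an efficacy test rather than an existence check. The following is an added example, not code from the article or from any product: it evaluates two constructed rule sets with first-match semantics and probes them for the properties the text names (default-deny egress, DNS restricted to internal resolvers, web traffic only via a proxy). The rule format, addresses, resolver and proxy are assumptions.

```python
"""Added example (not from the article): test a firewall rule set for the
egress properties the text names, instead of only recording that a firewall
exists. Rule format, addresses and both rule sets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "egress" or "ingress"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port


def decide(rules: List[Rule], direction: str, src: str, dst: str,
           proto: str, dport: int) -> str:
    """First-match evaluation, the usual semantics for an ordered rule set.
    Assumption: the device allows traffic that matches no rule."""
    for r in rules:
        if r.direction != direction or r.proto not in ("any", proto):
            continue
        if ip_address(src) not in ip_network(r.src):
            continue
        if ip_address(dst) not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "allow"


def compliance_check(rules: List[Rule]) -> bool:
    """What a box-ticking audit asks: is a firewall with any rules deployed?"""
    return len(rules) > 0


def efficacy_check(rules: List[Rule], host: str, resolvers: List[str],
                   proxy: str) -> dict:
    """What a threat-informed assessment asks: do the rules actually block the
    paths an attacker needs? Each probe is a synthetic connection attempt."""
    return {
        # Direct outbound TCP on an arbitrary port to an external host (C2 path)
        "default_deny_egress":
            decide(rules, "egress", host, "203.0.113.10", "tcp", 4444) == "deny",
        # DNS to a resolver the organization does not control (DNS tunnelling path)
        "dns_locked_to_internal":
            decide(rules, "egress", host, "198.51.100.53", "udp", 53) == "deny",
        # The approved internal resolvers must still be reachable
        "dns_internal_allowed":
            all(decide(rules, "egress", host, r, "udp", 53) == "allow" for r in resolvers),
        # Web traffic should leave only through the proxy
        "web_via_proxy_only":
            decide(rules, "egress", host, proxy, "tcp", 3128) == "allow"
            and decide(rules, "egress", host, "203.0.113.10", "tcp", 443) == "deny",
    }


# Constructed rule sets. Both pass the compliance check; only one passes efficacy.
PERMISSIVE = [
    Rule("deny", "ingress", "0.0.0.0/0", "10.0.0.0/8", "any", None),
    Rule("allow", "egress", "10.0.0.0/8", "0.0.0.0/0", "any", None),
]
HARDENED = [
    Rule("deny", "ingress", "0.0.0.0/0", "10.0.0.0/8", "any", None),
    Rule("allow", "egress", "10.0.0.0/8", "10.0.0.53/32", "udp", 53),    # internal resolver
    Rule("allow", "egress", "10.0.0.0/8", "10.0.0.10/32", "tcp", 3128),  # web proxy
    Rule("deny", "egress", "10.0.0.0/8", "0.0.0.0/0", "any", None),      # explicit default deny
]

if __name__ == "__main__":
    for name, rs in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, "compliant:", compliance_check(rs))
        print(name, "efficacy:", efficacy_check(rs, "10.0.5.20", ["10.0.0.53"], "10.0.0.10"))
```

Both rule sets tick the "firewall deployed" box; only the hardened one passes every probe. The same probe list can be fed to a real policy exporter, and each probe is itself the kind of measurable control test the rest of the article argues for.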
Figure 1: The Pyramid of Pain
A crucial principle of threat-informed defense is the pyramid of pain: the higher up the pyramid a control operates, the harder it is for an attacker to bypass. At the bottom of the pyramid are defenses that operate at the hash and IP address level, which are indicators an attacker can change with relative ease.
At the top of the pyramid are defenses that operate at the level of Tactics, Techniques, and Procedures (TTPs). These controls are very difficult for an attacker to bypass, because changing TTPs is not a trivial process: it directly impacts the attacker's strategy and mode of operation. For example, fine-grained network segmentation is a control that makes many of the techniques used to achieve lateral movement extremely difficult for an attacker to pull off.
Likewise, proper egress filtering in your firewall makes some of the techniques used for command and control and for exfiltration significantly more difficult. When one begins to look at security from the perspective of threat-informed defense, it also becomes easy to see why many healthcare organizations fail to withstand ransomware and other attacks.
While tools can help put controls around some TTPs, many of the controls that are most effective at the TTP level come down to hardened architectures and configurations and the principle of least privilege, which are weak points in many organizations.
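To make the pyramid concrete, here is an added example (not from the article) that scores the same simulated intrusion step with a hash-level indicator and with a TTP-level behavioural rule. The telemetry, file paths and hash values are constructed placeholders; the behavioural rule ("an Office application launches a binary from a user-writable directory, or launches a script interpreter") is a commonly published detection pattern, used here for illustration only.

```python
"""Added example (not from the article): one intrusion step scored by a hash-level
indicator and by a TTP-level behavioural rule, to show why the pyramid of pain
puts them at opposite ends. Events, paths and hashes are constructed."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # executable name of the spawning process
    image_path: str     # full path of the launched executable
    sha256: str         # hash of that executable (placeholder values)
    malicious: bool     # ground truth from the simulation, used for scoring


# Bottom of the pyramid: a file-hash blocklist. Rebuilding or repacking the
# payload changes the hash and the indicator silently stops matching.
KNOWN_BAD_HASHES = {"0000deadbeef0001"}   # constructed placeholder, not a real hash

# Top of the pyramid: a rule on the procedure itself. Evading it means changing
# how the intrusion works, not just what the file looks like.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def hash_detect(ev: ProcessEvent) -> bool:
    """Indicator-level detection: exact match on the executable's hash."""
    return ev.sha256 in KNOWN_BAD_HASHES


def ttp_detect(ev: ProcessEvent) -> bool:
    """TTP-level detection: suspicious parent plus suspicious child behaviour."""
    path = ev.image_path.lower()
    parent_is_office = ev.parent_image.lower() in OFFICE_APPS
    from_user_dir = path.startswith(USER_WRITABLE_PREFIXES)
    is_interpreter = ntpath.basename(path) in INTERPRETERS
    return parent_is_office and (from_user_dir or is_interpreter)


def score(events: List[ProcessEvent]) -> Dict[str, Dict[str, float]]:
    """Recall and false-positive count for each detector over labelled events."""
    out = {}
    for name, detector in (("hash", hash_detect), ("ttp", ttp_detect)):
        hits = [detector(e) for e in events]
        labels = [e.malicious for e in events]
        caught = sum(h for h, m in zip(hits, labels) if m)
        false_pos = sum(h for h, m in zip(hits, labels) if not m)
        out[name] = {"recall": caught / max(1, sum(labels)), "false_positives": false_pos}
    return out


# Constructed telemetry from a simulated phishing step: the original dropper,
# the same dropper rebuilt (new hash, same behaviour), a living-off-the-land
# step using the built-in interpreter, and a benign application launch.
EVENTS = [
    ProcessEvent("WINWORD.EXE", "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
                 "0000deadbeef0001", True),
    ProcessEvent("WINWORD.EXE", "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
                 "0000deadbeef0002", True),
    ProcessEvent("WINWORD.EXE", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "0000deadbeef0003", True),
    ProcessEvent("explorer.exe", "C:\\Program Files\\Vendor\\app.exe",
                 "0000deadbeef0004", False),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ntpath.basename(ev.image_path), "hash:", hash_detect(ev), "ttp:", ttp_detect(ev))
    print(score(EVENTS))
```

The hash indicator catches only the first event and goes quiet as soon as the payload is rebuilt; the behavioural rule catches all three malicious steps, including the one that used a built-in binary with no new file at all, and stays silent on the benign launch. That asymmetry is the pyramid of pain expressed as a recall figure.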
Figure 2: A sample of MITRE ATT&CK TTPs
Knowing that we can be more effective at stopping attacks if we target our controls at the TTP level is a great start, but the pyramid of pain does not answer the question of which TTPs we need to focus on. This is where the MITRE ATT&CK framework comes into play.
The MITRE ATT&CK framework is a listing of all of the TTPs observed in real-world attacks, with mappings of these TTPs back to the threat actors that deploy them.
Thus, if an HDO is worried about the Darkside and Ryuk ransomware groups, it could use the MITRE ATT&CK mappings to see which TTPs these threat actors use and take measures to ensure that proper detective and preventive controls are deployed against those TTPs. While a qualitative assessment may be a good way to start identifying control gaps, HDOs need to make security much more of a quantitative process.
Security needs to become measurable and have meaningful metrics put around it that actually measure the efficacy of security controls against real-world TTPs.
While traditional methods of putting metrics around security, like KPIs and KRIs, are not valueless, they often oversimplify the security picture and are often not sufficient to identify actionable insights that will actually result in security improvements.
They are often too high-level to identify the root causes that lead to a control being bypassed or a detection being missed. More direct methods of measuring control efficacy are needed. For example, having a goal of improving your mean time to detection is great, but it doesn't address the more fundamental issue of first ensuring that you even have the capability to detect, with high efficacy, all of the TTPs that you actually need to detect.
This is where more evidence-based approaches to information security are needed, approaches that incorporate the principles of threat-informed defense, whereby organizations take a more quantitative approach to security via the following steps:
- Use a quantitative risk assessment framework to identify which threats pose the biggest risks to your organization, and identify the TTPs associated with those threats.
- Develop metrics to quantify the impact the threat identified above could have on your organization. Also develop metrics to quantify the efficacy of your controls in combating the threat, and metrics to quantify the efficacy of your incident response process with regard to the threat.
- Develop a way to simulate the threat so the metrics created above can be assessed without exposing the organization to a real cyberattack. Breach and Attack Simulation (BAS) tools and internal red team capabilities can be key components of this.
- Simulate the threat and collect the metrics you developed to get real-world insight into the damage a particular threat could do as well as the efficacy of various controls.
- Analyze the data to identify any deficiencies and possible changes that could be implemented to improve security.
- Remediate the deficiencies and put your security improvements in place.
- Repeat the testing to demonstrate that the changes quantifiably improved security.
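The steps above, together with the ATT&CK mapping discussed earlier, can be carried through in a small measurement loop. The following is an added example, not code from the article or from MITRE or any BAS vendor: it starts from a threat-to-TTP mapping of the kind ATT&CK provides, takes simulated test results for each TTP, computes per-technique prevention and detection rates plus coverage and mean time to detect, and compares two rounds of testing. The technique IDs are real ATT&CK identifiers, but their assignment to the sample threat and every test result are constructed and say nothing about any real group or organization.

```python
"""Added example (not from the article): the measurement loop in the steps
above, driven from a threat-to-TTP mapping of the kind ATT&CK provides.
The technique IDs are real ATT&CK identifiers; their assignment to the sample
threat and every test result are constructed, not data about any real group."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Step 1: the TTPs associated with the threat of concern (constructed mapping).
THREAT_TTPS: Dict[str, List[str]] = {
    "sample-ransomware-threat": [
        "T1059.001",  # Command and Scripting Interpreter: PowerShell
        "T1021.002",  # Remote Services: SMB/Windows Admin Shares
        "T1570",      # Lateral Tool Transfer
        "T1071.001",  # Application Layer Protocol: Web Protocols
        "T1486",      # Data Encrypted for Impact
    ],
}


@dataclass(frozen=True)
class TestResult:
    """One simulated execution of a technique (step 4), as a BAS tool or red
    team would record it."""
    technique: str
    prevented: bool                      # did a preventive control stop it?
    detected: bool                       # did a detective control fire?
    minutes_to_detect: Optional[float]   # None when nothing fired


def per_technique(results: List[TestResult], ttps: List[str]) -> Dict[str, Optional[dict]]:
    """Step 2 metrics: prevention and detection rate per TTP. A TTP with no
    runs is reported as None, i.e. a gap in the simulation itself."""
    out = {}
    for t in ttps:
        runs = [r for r in results if r.technique == t]
        if not runs:
            out[t] = None
            continue
        out[t] = {
            "prevention": sum(r.prevented for r in runs) / len(runs),
            "detection": sum(r.detected for r in runs) / len(runs),
        }
    return out


def summarise(results: List[TestResult], ttps: List[str]) -> dict:
    """Step 5: roll the per-TTP figures up and name the weakest TTP."""
    per = per_technique(results, ttps)
    tested = {t: v for t, v in per.items() if v is not None}
    times = [r.minutes_to_detect for r in results
             if r.detected and r.minutes_to_detect is not None]
    weakest = min(tested, key=lambda t: (tested[t]["prevention"], tested[t]["detection"], t))
    return {
        "coverage": len(tested) / len(ttps),
        "prevention_rate": mean([v["prevention"] for v in tested.values()]),
        "detection_rate": mean([v["detection"] for v in tested.values()]),
        "mttd_minutes": mean(times) if times else None,
        "untested": [t for t, v in per.items() if v is None],
        "weakest": weakest,
    }


def compare(before: dict, after: dict) -> Dict[str, Optional[float]]:
    """Step 7: the change each numeric metric shows after remediation."""
    delta = {}
    for k in ("coverage", "prevention_rate", "detection_rate", "mttd_minutes"):
        if before[k] is None or after[k] is None:
            delta[k] = None
        else:
            delta[k] = round(after[k] - before[k], 4)
    return delta


TTPS = THREAT_TTPS["sample-ransomware-threat"]
# Constructed results, first round: segmentation too coarse, egress partly
# open, lateral tool transfer never exercised.
ROUND_1 = [
    TestResult("T1059.001", True, True, 5.0),
    TestResult("T1059.001", True, True, 7.0),
    TestResult("T1059.001", False, True, 30.0),
    TestResult("T1021.002", False, True, 45.0),
    TestResult("T1021.002", False, False, None),
    TestResult("T1071.001", True, True, 2.0),
    TestResult("T1071.001", False, False, None),
    TestResult("T1486", False, True, 60.0),
]
# Constructed results, second round: finer segmentation, default-deny egress,
# and a test case added for T1570.
ROUND_2 = [
    TestResult("T1059.001", True, True, 4.0),
    TestResult("T1059.001", True, True, 6.0),
    TestResult("T1059.001", True, True, 5.0),
    TestResult("T1021.002", True, True, 3.0),
    TestResult("T1021.002", True, True, 4.0),
    TestResult("T1570", True, True, 6.0),
    TestResult("T1071.001", True, True, 2.0),
    TestResult("T1071.001", True, True, 3.0),
    TestResult("T1486", False, True, 20.0),
]

if __name__ == "__main__":
    before, after = summarise(ROUND_1, TTPS), summarise(ROUND_2, TTPS)
    print("round 1:", before)
    print("round 2:", after)
    print("delta:", compare(before, after))
```

Two things the per-technique view exposes that a single KPI hides: the first round never exercised one of the threat's TTPs at all (a gap in the test, not the defenses), and the weakest technique is named outright, which is where the remediation step should start. Re-running the same test set after the change is what turns "we improved security" into a number.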
By taking an evidence-based approach like this, which explicitly tests control efficacy and response processes, we gain much more granular insight into how security and response processes can be improved.
For example, after a ransomware simulation was completed in a NYC hospital, it was clearly demonstrated that controls like network segmentation were highly effective at stopping an attack, but the same simulation also showed that the granularity of segmentation present at the time was not fine-grained enough to prevent operations from being impacted.
A critical control was present, but when tested it did not have the desired efficacy, and the test pointed out an area in need of improvement, which led to the adoption of a zero trust architecture. Likewise, testing may show that some advertised protections of certain tools do work, but not always at a high enough efficacy.
For example, endpoint security testing of a popular EDR showed that the EDR had detections and protections against malicious PowerShell scripts, but that these did not consistently protect against attacks that fell back to PowerShell 2. This resulted in the HDO hardening its configuration by disabling PowerShell 2 to improve protection against these types of attacks.
As security professionals, we need to move away from treating security as an art form and begin to treat it more like a science. Security needs to be made measurable, and measurable in a meaningful way that directly correlates with how well we can detect and prevent the threats we face.
We need to stop deploying security tools and then assuming we are secure, and start taking the time to ensure that effective combinations of properly configured tools, security architectures, and hardened configurations exist to give us a quantitatively demonstrated and meaningful chance of resisting the threats we are likely to face.
Making continual efforts to measure security and quantitatively improve security is critical for HDOs as we face the potential for a heightened threat landscape.
Christopher Frenz is Information Security Officer and AVP of IT Security at Mount Sinai South Nassau.