The modern health IT cyber terrain is made up of a steadily increasing number of connected medical devices. These devices are not just sensitive, they are literally life-and-death. Moreover, each medical Internet of Things (IoT) device must, by definition, hold at least some medical PII in order to function; an insulin pump needs dosage history, for example. Much of the PII residing on medical IoT devices is completely unprotected, not even by basic encryption, and this is especially true of legacy systems. Many of these devices cannot simply be blocked either: imagine an MRI machine unable to disseminate life-threatening scan findings because of a poorly configured firewall.
In most healthcare organizations, security teams simply cannot enumerate all network assets and activity at any given time, because activity is so dynamic and distributed. The task is beyond human capacity to track, and existing tools cannot yet paint an understandable, cohesive picture of activity across the enterprise. By plugging one hole, security teams merely push attackers to search for another. Moreover, by ‘just’ fighting off attacks, the organization loses important threat intelligence. Was the flagged activity an innocent employee trying to browse a forbidden web site, or malware trying to reach its command and control server and exfiltrate data?
To architect a solution, healthcare organizations first must understand the unique Health IT and medical device IoT challenges before them.
Health IT Challenges
- Blind Spots Lead to Big Breaches. Large blind spots exist within Health IT networks because of the lack of visibility into east-west traffic, which allows malware to move laterally and infect both intra- and inter-enterprise systems. This can lead to big breaches that affect the ability to deliver proper care to patients.
- Inability to Securely Monitor Healthcare IoT Devices Today. Healthcare devices that support patient telemetry are unmanaged terrain and are vulnerable to attack because they lack adequate security controls to detect malicious behavior.
- Protection Products Can’t Catch Everything. Current blocking and protection products are not enough to prevent infiltration and a breach. Endpoint protection (EPP), intrusion protection systems (IPS) and intrusion detection systems (IDS) are rule- and signature-based and require effort to keep their signatures fresh. Even with these tools in the security suite, many organizations cannot effectively protect themselves from the myriad of APT approaches.
- Prevention Products Have Limited Reach. Data loss prevention (DLP), endpoint detection and response (EDR) and user behavioral analytics (UBA), along with other capabilities, have limited scope and can be bypassed, because they require constant tuning and iterative care and feeding.
- Designed for Alerts, not Detection. Alert fatigue and false positives end up being the primary focus of security teams with an inadequate security posture. Teams overwhelmed by alerts deprioritize or lose their detection capability.
- Perimeter-based Solutions Are Not Good Enough. Many organizations use perimeter-based solutions to prevent access to malicious domains and to stop attackers already inside from connecting to command and control servers and exfiltrating valuable information. These capabilities can block at the border but are also vulnerable to being bypassed. Many of these solutions are based on user behavioral analysis, machine learning, threat intelligence and reputation. These approaches can indeed successfully block a specific process or connection from reaching its destination, but they require the latest signatures and rules to stay relevant.
Challenges with IoT
Securing Healthcare IoT is a challenge for several reasons.
- The diversity of platforms that make up an IoT solution is vast. This makes it difficult to build a standard solution that an organization can support.
- It is cost-prohibitive to develop agent technology for IoT platforms. More and more vendors are appearing in the market with good solutions to specific business problems, but security is not always at the forefront of solution development.
- IoT is unmanaged terrain in that it does not consistently support endpoint protection (EPP) and endpoint detection and response (EDR) agents across the vast number of platforms that exist. This limits the ability to scale solution sets in an agile manner to improve the security posture of an enterprise.
Solving Challenges with Deception
In today’s high-stakes cyber battles, intelligence is mission critical. If a platoon of soldiers is attacked, they need to defend themselves. But another key element of their mission is understanding who attacked them, what tactics were used and what weapons were employed. By understanding the enemy, they will be better prepared to repulse future attacks. Similarly, when suspicious network activity is detected, healthcare security teams need to simultaneously defend and proactively work to discover the type of communication and protocols used, the type of data sent, the processes that are trying to connect, and more.
To this end, more and more cyber-defenders are adopting a defense approach based on Deception technology. Deception software is designed not only to draw in attackers, but also to help defenders discover more about them. When intentions are malicious, the Deception approach allows healthcare security teams to take the initiative, proactively developing intelligence that helps find the attacker’s communication channels, understand how the connection is established and reveal what protocols are used. The threat intelligence and visibility generated by drawing the attacker in, rather than simply repulsing him, enables an understanding of his goals, preventing not only this attack but also future attacks.
Cyber Deception has evolved over the past five years and has demonstrated a high degree of efficacy in network defense. Deception technologies focus on deploying decoys, i.e. fake hosts implemented through emulation or virtual machines (VMs), to confuse, misdirect and thwart adversary campaigns. Fidelis Deception is unique in that building a decoy is a repeatable, straightforward process that only requires a packet capture (PCAP) file from a host, which is especially attractive for IoT platforms. Breadcrumbs are configurations, accounts and key files (e.g. registry keys) that can be distributed to decoys to make adversaries believe the decoys are real hosts. Distributing breadcrumbs to alter the adversary’s perception of the attack surface is an active area of research within Fidelis R&D teams. There are several key benefits to using cyber deception for securing IoT platforms. These are as follows:
- Cost. Development of decoys follows a repeatable process within the Fidelis ecosystem, based on understanding the IoT device’s protocols during active operation. A decoy can be developed from this traffic and deployed with relative ease. This reduces cost and provides a simple process for building a deception layer.
- Scalability. Deception deployments can range from one to several hundred decoys of varying types. Both emulation- and VM-based deception layers are easy to deploy and can be tailored to need and randomized on demand to confuse adversaries. As new IoT medical devices are acquired, scaling the deception layer is a simple matter of building decoys and deploying them in a repeatable manner.
- Automation & Accuracy. Deception based on learning the terrain is deployed automatically and does not trigger false positives, so it does not consume resources the way other security solutions do.
- Performance. The Fidelis Deception technology stack is highly performant and has been load tested in various environments.
- Supports IoT Platform Diversity. Diverse IoT platforms can be easily adapted as decoys. If a new vendor platform arises, decoys for it can be easily built and deployed.
- Reduced Demands on Support Teams. A deception layer does not require new rules to be deployed as new behaviors are discovered. Instead, understanding adversary behavior and deploying breadcrumbs becomes the focus.
- Avoids EPP and EDR Signatures. Deception does not require maintaining fresh signatures and rules for EPP and EDR. This reduces the demand on both cyber analysts and security operations center (SOC) deployment teams.
- Avoids Maintenance of Custom EPP / EDR Code. Deception does not rely on developing EPP or EDR agents and supporting that custom code for each IoT platform. This reduces the cost of software development and of the support staff needed for maintenance.
- Fidelis Integration. Customers who have the Fidelis Network Module and/or the Fidelis Endpoint Module benefit from the integration among the products. Information is shared among them, and the integrated CommandPost (CP) is used to manage the Network and Deception modules as one product.
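The decoy workflow described above, as an added Python illustration that is not Fidelis Deception code: a service profile is learned from a device’s captured traffic (a constructed stand-in for the PCAP), the decoy answers with that profile, and every connection aimed at the decoy is reported, since no legitimate client is ever told the decoy’s address. The device and decoy addresses, the HL7 and HTTP payloads and the connection log lines are all constructed.

```python
# Constructed example of the decoy workflow: learn a service profile from a
# device's captured traffic, answer as that device, alert on any contact.
# Not Fidelis Deception code; every address, port and payload here is made up.
DEVICE_IP = "10.20.0.15"   # constructed: real telemetry device that was captured
DECOY_IP = "10.20.0.215"   # constructed: address given to the decoy that mimics it
HL7_ACK = b"\x0bMSH|^~\\&|PUMP01|WARD3|||ACK\x1c\r"
HTTP_BANNER = b"HTTP/1.0 200 OK\r\nServer: pump-web/2.1\r\n\r\n"

# Constructed packets: (src_ip, src_port, dst_ip, dst_port, first payload bytes).
CAPTURE = [
    ("10.20.0.40", 50123, DEVICE_IP, 2575, b"\x0bMSH|^~\\&|WARD3|PUMP01|||QRY\x1c\r"),
    (DEVICE_IP, 2575, "10.20.0.40", 50123, HL7_ACK),            # device serves HL7/MLLP
    ("10.20.0.41", 50200, DEVICE_IP, 80, b"GET /status HTTP/1.0\r\n\r\n"),
    (DEVICE_IP, 80, "10.20.0.41", 50200, HTTP_BANNER),          # device serves a status page
    (DEVICE_IP, 50900, "10.20.0.5", 123, b"\x1b" + b"\x00" * 47),  # outbound NTP, not served
]

def build_profile(capture, device_ip):
    """Map each port the device served to the first response it sent from it;
    its own outbound connections (e.g. NTP) are not turned into decoy services."""
    served = {dport for _, _, dst, dport, _ in capture if dst == device_ip}
    profile = {}
    for src, sport, _, _, payload in capture:
        if src == device_ip and sport in served and sport not in profile:
            profile[sport] = payload
    return profile

def decoy_reply(profile, port):
    """Learned response for a served port; None means the decoy port looks closed."""
    return profile.get(port)

def alerts_for(log_lines, decoy_ip, profile):
    """Every connection aimed at the decoy is an alert: no legitimate client
    is ever told the decoy address, so there is nothing to score or tune."""
    alerts = []
    for line in log_lines:
        ts, src, dst, dport = line.split()
        if dst != decoy_ip:
            continue                       # traffic to real hosts is not our signal
        kind = "service-probe" if int(dport) in profile else "port-scan"
        alerts.append((ts, src, int(dport), kind))
    return alerts

# Constructed connection log: "timestamp src dst dst_port".
CONN_LOG = [
    "09:00:01 10.20.0.40 10.20.0.15 2575",    # real client to the real device
    "09:00:07 10.20.0.77 10.20.0.215 2575",   # something found the decoy's HL7 port
    "09:00:08 10.20.0.77 10.20.0.215 445",    # ...and tries SMB, which it never served
]
```

Calling `alerts_for(CONN_LOG, DECOY_IP, build_profile(CAPTURE, DEVICE_IP))` yields two alerts for 10.20.0.77 and none for the legitimate client, which is the no-false-positive property the benefits list relies on.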
Providing unique visibility into network activity, Deception is able to identify the use of unauthorized tools and uploads that violate security policy. By automating network and systems analysis, Deception helps security staff reduce noise and highlight actionable incidents, providing a clear story of potential attacks in each of their phases. Moreover, Deception provides a uniquely granular view into attacker activities and communication channels, delivering excellent visibility into internal and egress traffic as well as network usage, by decoupling human and machine processes.