PREVENT CREDENTIAL THEFT IN HEALTHCARE

Transcription

1 PREVENT CREDENTIAL THEFT IN HEALTHCARE SPOTLIGHTS Industry Healthcare Use Case Prevent credential theft Credential Phishing and Credential Abuse Theft and abuse of stolen passwords is one of the oldest attacks in the book, yet it remains highly effective. Adversaries can use stolen credentials to impersonate valid users, allowing them to bypass the entire attack lifecycle, move uninterrupted throughout their target organization s network and shift to the abuse of credentials from within. You can prevent credential theft with Palo Alto Networks Next-Generation Security Platform by stopping credential leakage, blocking access to phishing sites and enforcing multi-factor authentication security policy in the network. Business Benefits Decrease risk to patient data through improved security capabilities. Prevent unauthorized users and malicious content in hospital networks. Improve compliance with HIPAA, GDPR and other applicable data protection regulations. Operational Benefits Rely on technology, not just traditional user education, to prevent credential theft. Security Benefits Reduce risk of successful cyberattacks, including exfiltration of ephi. Prevent unauthorized users from moving laterally across your network. Business Problem A recent HIMSS Analytics survey of healthcare providers, commissioned by Palo Alto Networks, highlighted as providers most important security challenge, with more than 86 percent of respondents reporting and phishing attacks as their greatest area of vulnerability. 1 Similarly, according to threat data from more than 1,000 global healthcare providers on Palo Alto Networks Next-Generation Security Platform, -based cyberattacks account for 94 percent of attacks against healthcare organizations (see Figure 1). 2 As for why is so extensively used to launch cyberattacks against healthcare organizations, there is a simple reason: Credential phishing is a proven method of stealing passwords by taking advantage of the human element. Sources of Cyberattacks in Healthcare Web Browsing 2% 94% 4% FTP /Phishing Figure 1: Origin of cyberattacks against healthcare organizations on the Next-Generation Security Platform in 2017 Passwords are among the weakest links in computer security easy to steal, hard to secure and little proof of a user s identity. Stolen passwords let attackers greatly simplify their attacks and effectively bypass security measures designed to stop other types of threats, such as malware and exploits. 1. HIMSS Analytics Healthcare IT Cybersecurity Study, October paloaltonetworks.com/resources/techbriefs/himss-analytics Flash and other sources constituted less than.05%. Data from AutoFocus filtered on global healthcare industry from 1/1/17 through 6/1/17 Palo Alto Networks Prevent Credential Theft in Healthcare Use Case 1

2 Security practitioners and threat actors are constantly developing new techniques to gain advantages over each other. In recent years, security teams have stepped up their approaches to protecting their infrastructure by fortifying network perimeter defenses, building up protections against advanced malware, upgrading vulnerable operating systems, automating patch delivery to stop exploits and developing countermeasures to spot intruders. Threat actors looking to circumvent these measures are shifting their attention toward the next weakest link in the security chain users. Instead of finding and exploiting vulnerabilities in networked systems, it is faster, cheaper and far easier to steal a password from a user. With stolen credentials in hand, the attacker no longer appears as an anomaly, for they operate as a known user and outside the traditional threat protections aimed at stopping intruders. Schemes to steal passwords have existed for decades long enough for many refinements in the techniques to trick users. It would be a mistake to think of modern, targeted credential theft as the same as garden-variety phishing, such as the ploys used to defraud consumers. Advanced attackers are looking for entry points into healthcare organizations, not just access to individual bank accounts, and as such, they target specific victims who have the access they want. For example, attackers know users in a hospital s finance department may have access to a large amount of health insurance information, and that a database administrator in IT can access many patient records. Business Drivers There are a multitude of business risks associated with credential theft through phishing. Credential theft in healthcare can lead to exfiltration of patient or financial data, deployment of ransomware, or both. Given the high value of patient records on the black market compared to financial records, the healthcare industry is frequently targeted by cyber adversaries. Possible outcomes of credential theft include: Impact to patient care Loss of patient data Negative publicity Regulatory compliance penalties Traditional Approaches Typical approaches to phishing mitigation usually center on security awareness efforts and security point products for . Security awareness efforts are always a best practice, but many hospitals struggle to operationalize such efforts due to the unique culture in healthcare. Doctors are notoriously resistant to reading security-related s, and security teams often struggle to get leadership buy-in for testing hospital staff with fake phishing s. Cyber adversaries usually attempt credential theft by first launching targeted campaigns against specific users to steal credentials, which they subsequently abuse to get inside the organization. With the appearance of a valid user, an attacker can conduct lateral movement to gain more access. Healthcare organizations traditional approaches to mitigating phishing and credential abuse have been largely ineffective. Credential Phishing How It Works While there are many ways an attacker can obtain user credentials, credential phishing is the method of choice for a targeted attack. With credential phishing, the attacker will build a site that appears legitimate, or reuse a legitimate site s content, along with a look-alike domain name. The site mimics an application the victim expects to interact with, such as a clone of his or her webmail front end or the company s employee authentication page. The attacker baits the victim into visiting this site via an or social media message that appears to be from a known, trusted person or organization. After harvesting the user s credentials, the attacker can impersonate that user or use the credentials from a compromised endpoint within the victim s organization. Traditional Mitigation Approach Security products like mail gateways try to stop the delivery of phishing s to users, using techniques such as rewriting URLs embedded within copy to redirect and block visits to phishing sites. The efficacy of this approach depends on whether malicious links are sent to users corporate accounts and whether the security vendor has identified a given site as bad before users encounter it. In healthcare, it is common for security teams to attempt to block all uncategorized websites to mitigate the risk of new phishing domains. However, this usually fails in practice due to a small number of lightly trafficked, healthcare-related websites deemed critical by a select group of outspoken doctors. Although it s an effective practice, simply blocking all uncategorized websites is usually not well-received by the business. Palo Alto Networks Prevent Credential Theft in Healthcare Use Case 2

3 is not the only way to deliver a link to a user. For instance, most social media platforms have some form of messaging, and links sent through these bypass any protections applied to . In addition, cloaking techniques can make it very difficult to categorize a link as malicious before the user clicks it. A site may use short-lived or targeted content that appears benign to most visitors, which makes it difficult to categorize the site as malicious before it lures the intended victim. When the victim interacts with the site, it harvests their credentials, and the process is complete. Credential Abuse How It Works With stolen credentials in hand, the attacker can move on to the next stage of the attack to escalate access through credential abuse. Traditional Mitigation Approach Traditionally, healthcare organizations concerned about password theft implement multi-factor authentication, or MFA, at a VPN gateway to control remote access to the network. However, there are still many other ways for an attacker to get inside. For instance, an attacker can compromise an endpoint when its user is working remotely, then wait for the user to go to the office and connect the compromised endpoint to the internal network. With connectivity, the attacker can begin reconnaissance and lateral movement, and leverage stolen credentials, allowing the attacker to appear as a valid user and hide within normal network activity. In short, credential phishing leads to credential abuse, and traditional mitigation approaches based on security point products cannot effectively stop modern, motivated cyber adversaries from executing successful cyberattacks. Palo Alto Networks Approach to Neutralizing Credential Theft Palo Alto Networks Next-Generation Security Platform integrates protections against multiple types of threats, including capabilities to prevent credential phishing and stop the abuse of stolen credentials for lateral movement. The platform applies protections across the full attack lifecycle, making it difficult for attackers to successfully complete their objectives. Unlike legacy point products, components of the Next- Generation Security Platform automatically send and receive threat intelligence information from WildFire cloud-based threat analysis service to ensure threats discovered in one area of the network are quickly prevented in all others (see Figure 2). For example, malicious URLs WildFire discovers during the analysis PALO ALTO NETWORKS APPS Security Function of malicious files are blocked by Palo Alto Networks Next-Generation Firewall. CLOUD-DELIVERED SECURITY SERVICES APPLICATION FRAMEWORK & LOGGING SERVICE Layer 7 firewall (physical and virtual) Application whitelisting URL Filtering Intrusion Protection System, including anti-exploit Intrusion Detection System Network-based polymorphic anti-malware Polymorphic command-and-control prevention Credential theft prevention (only available with Palo Alto Networks) Multi-factor authentication for internal or external flows Malware analysis environment (sandboxing) with automatic signature creation for closedloop protection from new threats at security enforcement points Analysis of links in inbound Device and policy management and threat visibility Endpoint-based anti-exploit (signature-less) Endpoint-based anti-malware (signature-less) Threat intelligence analysis, hunting and response Closed-loop, preventive automation of threat intelligence feeds SaaS application visibility, intellectual property protection and threat prevention Always-on client VPN for endpoints ensures all traffic from endpoints passes through a next-generation firewall, whether the user is external or internal 3 RD PARTY PARTNER APPS CUSTOMER APPS NETWORK SECURITY ADVANCED ENDPOINT PROTECTION CLOUD SECURITY Figure 2: Palo Alto Networks Next-Generation Security Platform Product Next-Generation Firewall URL Filtering subscription Threat Prevention subscription WildFire subscription or appliance Panorama network security management Traps advanced endpoint protection AutoFocus contextual threat intelligence MineMeld threat intelligence syndication engine, stand-alone or as part of AutoFocus Aperture SaaS security service GlobalProtect network security for endpoints Figure 3: Core functions of the Next-Generation Security Platform ( functions in bold are especially relevant to preventing credential theft) The modern healthcare IT environment is widely interconnected, supports a highly mobile workforce and must embrace the growing demands of medical innovation. The Next-Generation Security Platform is designed to protect healthcare data wherever it goes, inside or outside the hospital boundary, by protecting endpoints, networks and clouds. Figure 3 provides a high-level summary of the capabilities of the security platform. Functions in bold face are especially relevant to credential theft and are detailed in the next section. Palo Alto Networks Prevent Credential Theft in Healthcare Use Case 3

4 The following sections detail how the Next-Generation Security Platform provides multiple layers of defense throughout the credential theft attack lifecycle (see Figure 4). PREVENT CREDENTIAL-BASED ATTACKS Research + Target Harvest Credentials Infiltrate Move Laterally Exfiltrate Move CREDENTIAL-BASED ATTACK LIFECYCLE Reconnaissance Harvest additional credentials PREVENT CREDENTIAL THEFT AND ABUSE Educate Educate your users to identify phishing attacks Prevent credential phishing Identify and prevent valid corporate credentials from being sent to illegitimate websites Prevent infiltration Use MFA with VPN and reduce the attack surface with perimeter defenses and threat prevention Prevent credential abuse Centrally enforce policy-based MFA at the network layer for all sensitive/critical resources and application Successfully prevent data exfiltration DONE Figure 4: Palo Alto Networks approach to preventing credential-based attacks STEP 1: RESEARCH AND TARGET The first step of a credential-based cyberattack is research and targeting. In this phase, an attacker sends targets carefully crafted s that encourage them to follow a link to a phishing website created recently enough that no security vendor has categorized it. Palo Alto Networks Strategy: Educate Educate your users on how to spot phishing s. Test your users security hygiene with fake phishing s. Follow up with the worst offenders. STEP 2: HARVEST CREDENTIALS Next, the attacker waits for users to log in to the phishing site using their enterprise credentials. Phishing sites are designed to catch victims with their guard down. Victims might, for instance, be excited for the opportunity to request more space in their box and fail to notice that the domain name is misspelled. Palo Alto Networks Strategy: Prevent Credential Phishing Implement a feature called Credential Theft Prevention, unique to Palo Alto Networks, to identify and prevent submission of valid credentials to illegitimate or uncategorized websites (more about this feature in Step 5: Exfiltrate ). Transmit links in s to WildFire for sandbox analysis. WildFire browses the websites in a virtual environment to determine whether they are malicious. URLs determined to be malicious are blocked at the firewall. Integrate Palo Alto Networks firewalls with Proofpoint, a popular security provider. Links inspected by Proofpoint are transmitted to WildFire for analysis, and malicious links are blocked by Proofpoint and next-generation firewalls. Block access to known phishing sites at the firewall with a URL Filtering subscription. STEP 3: INFILTRATE THE NETWORK Once armed with a user s credentials, the attacker attempts to remotely connect to the hospital network through the client VPN. Palo Alto Networks Strategy: Prevent Infiltration Require MFA on remote VPN connections. When anyone attempts to log in, the user will receive a notification on their phone requesting confirmation of the attempt. Deploy strong perimeter defenses based on a next-generation firewall with WildFire and a Threat Prevention subscription. Palo Alto Networks Prevent Credential Theft in Healthcare Use Case 4

5 STEP 4: MOVE LATERALLY With access to the network, the attacker moves laterally in search of servers or applications containing high-value information (i.e., PHI or financial data). If the compromised user doesn t have the required credentials to access the resource the attacker is pursuing, the attacker may engage in further credential harvesting techniques (i.e., exploit applications and deploy malware). Palo Alto Networks Strategy: Prevent Credential Abuse Centrally enforce policy-based MFA, internally, at the network layer, for sensitive/critical/legacy resources and applications. STEP 5: EXFILTRATE At this stage, without the previous measures in place, the attacker would exfiltrate network data through an approved, seemingly benign tactic, such as uploading it to a free file sharing site. However, since the network is protected by the techniques detailed here to stop the credential-based attack lifecycle, the attack is interrupted and ultimately unsuccessful. Credential Theft Prevention: A Unique Feature of Palo Alto Networks Next-Generation Firewall Palo Alto Networks Next-Generation Firewall delivers preventative capabilities to stop the leakage of corporate credentials to illegitimate websites. These capabilities identify when users attempt to submit corporate credentials and enforce policies that check whether credential submissions are allowed. These capabilities stop attackers ability to use new, previously unknown credential phishing sites to steal corporate credentials. Unlike other security products on the market, Palo Alto Networks does not rely on pre-emptively classifying sites as malicious as the sole means of enforcing policy. Most traditional security products attempt to catalog and block access to every bad site. Although this is the proper action from a policy perspective, it remains impossible to know every phishing site in existence, especially if an attack is narrowly targeted in nature. Anything not known to be malicious is allowed, including new, previously unknown phishing sites. Palo Alto Networks enables healthcare organizations to enforce policy that keeps corporate credentials within the realm of known business applications. It is much easier to identify known, valid sites compared to the ever-changing list of new, malicious sites. If a user accesses a known business application, policy permits the user to connect and authenticate with corporate credentials. If a site is known to be malicious, all interaction with the site is immediately blocked. If the site is neither a business application nor a known phishing site, it is still unclear if it is benign or a new, unknown phishing site. In either case, it should not be allowed to have corporate credentials submitted. The next-generation firewall allows the user to access the site, but enforces policy to detect and block any attempt to submit corporate credentials. Only Palo Alto Networks Next-Generation Firewall is capable of enforcing these types of policies. As an in-line network device, it sees all traffic, which makes it effective at stopping all attempts to access known and unknown phishing links, no matter how the user receives them via , embedded in a document or through social media. These capabilities build upon the principles of prevention, providing important measures to stop the theft of credentials through phishing. Multi-Factor Authentication Prevents Credential Abuse As discussed, MFA is a common technique used to control remote access to hospital networks, but a problem remains MFA is seldom enforced for internal traffic. To stop attackers from moving laterally inside the network, next-generation firewalls include the ability to enforce MFA as an authentication gateway within the network. These measures validate users identities (with MFA) and enforce segmentation policies to neutralize attackers ability to use stolen credentials to gain access to critical internal systems or legacy applications. Enforcing authentication policy at the network layer, rather than at the application layer, avoids the application integration problems that derail many MFA deployments. By enforcing MFA policy in the network layer with the next-generation firewall, the application does not require any modification at all. This makes enforcement of MFA policy possible across all types of applications, whether or not the application itself supports interfaces for external authentication. It provides great coverage and protection for all types of applications whether delivered through the web, client/server, internally developed or through a terminal by placing the enforcement at the intersection for all applications: the network. MFA plays a key role in stopping the advance of attackers in lateral movement. For one thing, MFA stops many lateral movement techniques attackers use when operating on compromised endpoints. Even if a device were connected to the internal network and an attacker possessed stolen credentials, the attacker would still not be able to complete MFA to pass through the next-generation firewall. MFA eliminates attackers ability to interact with protected applications altogether, because there is no network access at all to the application if MFA is not completed. For example, an attacker conducting reconnaissance may try to find and exploit a vulnerability in an older database that s still in production. However, that attacker would not be able to reach a database protected by MFA policy in the next-generation firewall, nor send the packets to the server to exploit the vulnerability. Palo Alto Networks Prevent Credential Theft in Healthcare Use Case 5

6 Palo Alto Networks Credential Theft Prevention How It Works Now that you re more familiar with the multiple layers of defenses in Palo Alto Networks Next-Generation Security Platform that work together to prevent credential theft, let s take a look at how these functionalities work. Medical staff Method: HTTP Post Username: doctor Password: password123 Next-generation firewall (edge) 10gin.c0mpany.com User-ID Agent Active Directory domain controller (read-only) Figure 5: How Credential Theft Prevention works on the next-generation firewall The Credential Theft Prevention function of the next-generation firewall requires access to a read-only domain controller (see Figure 5). This enables a lookup to compare user-submitted credentials against a given user s actual credentials stored in the domain controller. In addition, a User-ID technology agent is installed on the read-only domain controller. The User-ID agent builds a bloom filter a space-efficient, probabilistic data structure used to test whether an element is a member of a set that the firewall uses to look up credentials. The bloom filter, by design, cannot be used to extract the original password hashes. This architecture provides a high-performance yet secure way to ensure users in the hospital network cannot submit their enterprise credentials to illegitimate or uncategorized websites. Palo Alto Networks Multi-Factor Authentication How It Works There are two ways to implement MFA on Palo Alto Networks Next-Generation Security Platform. Web applications are protected differently from non-web-based applications. Protecting Web-Based Applications With MFA Products required: Palo Alto Networks Next-Generation Firewall Third-party multi-factor authentication product (Ping Identity, Duo, Okta) MFA is enabled for web-based applications by enabling the captive portal via a security policy on the next-generation firewall. To enable additional authentication factors beyond username and password, you can integrate the firewall with MFA vendors like Ping Identity, Okta and Duo, through RADIUS or vendor APIs. Refer to Figure 6 for a diagram that illustrates a high-level architecture for this scenario. Captive portal Internal medical staff MFA gateway (next-generation firewall) GP Internal users Healthcare applications Data center Mobile device for MFA Enabled through MFA vendors Figure 6: How MFA works for web-based applications Palo Alto Networks Prevent Credential Theft in Healthcare Use Case 6

7 Policy is configured on the MFA gateway, which is typically a next-generation firewall at the data center edge, to enforce MFA for a specific combination of web-based applications based on a group of IP addresses, or applications (with App-ID technology) and users (with User-ID). When the MFA gateway policy is triggered, the MFA gateway presents the user with a captive portal page. You can customize this page to match your organization s branding and standard web style. The captive portal page prompts the user for a username and password, then integrates with your selected MFA provider to prompt the user to validate the attempt via a mobile app. Protecting Non-Web-Based Applications With MFA Products required: Palo Alto Networks Next-Generation Firewall GlobalProtect client MFA is enabled for non-web-based applications, such as RDP, fat clients and SSH, using the GlobalProtect client in conjunction with the next-generation firewall, which acts as an MFA gateway for internal users and an external GlobalProtect gateway for external users. Refer to Figure 7, below, for an illustration of the high-level architecture for this scenario. Captive portal External GlobalProtect gateway (next-generation firewall at network edge) MFA gateway (next-generation firewall at data center edge) Healthcare applications Remote medical staff Internal medical staff Mobile device for MFA Enabled through MFA vendors Data center GP Remote users GP Internal users Figure 7: How MFA works for non-web-based applications Much like the previous scenario, policy is configured on the MFA gateway, which is typically a next-generation firewall at the data center edge, to enforce MFA for a specific combination of non-web-based applications based on a group of IP addresses or applications (with App-ID) and users (with User-ID). However, in this scenario, when the MFA gateway policy is triggered, the GlobalProtect client prompts the user to authenticate at the captive portal page (see Figure 8). You can customize this message however you like. Clicking this link will send the user to the captive portal page to start the multi-factor authentication process (the same as with browser-based HTTP applications). Figure 8: GlobalProtect notification to authenticate with MFA on the captive portal page Implementation Considerations in Healthcare As with any large-scale technology deployment, it is best to introduce MFA into a production healthcare environment in phases, and only after a successful proof of concept and testing. It is common for healthcare organizations with multiple locations to enable MFA in a test lab first, and then for specific users in IT prior to a phased deployment by location, beginning with those systems least likely to introduce issues with standards of patient care. Users in hospital and clinical locations should be the last group. Palo Alto Networks Prevent Credential Theft in Healthcare Use Case 7

8 Internal network segmentation can significantly bolster healthcare organizations efforts to mitigate the risk of lateral movement. Migration of a flat legacy hospital environment to a highly-segmented one requires careful planning, change management and adequate time to avoid negative publicity that could derail the project. It is certainly worth the effort, though, especially once the automation capabilities of the security platform show their value. Benefits of Using Palo Alto Networks to Prevent Credential Theft in Healthcare Business Benefits Decrease risk to patient data through improved technical security capabilities. Prevent unauthorized users and malicious content in hospital networks. Improve compliance with HIPAA, GDPR and other applicable data protection regulations. Operational Benefits Rely on technology, not just traditional user education, to prevent credential theft. Security Benefits Reduce risk of successful cyberattacks, including exfiltration of ephi. Prevent unauthorized users from conducting lateral movement across the network. Conclusion Hospitals and other healthcare providers will continue to be targeted by cyberattackers to exfiltrate PHI data from their networks. Credential theft remains the easiest and most effective method for attackers to do so. It s critical for healthcare organizations to re- examine the people and technology based strategies they are employing to directly combat this type of attack. Using Palo Alto Networks Next-Generation Security Platform, security teams can stop credential leakage, block access to phishing sites and enforce multi-factor authentication security policy in their networks. These capabilities add to the multiple layers of security defenses healthcare organizations need to prevent credential theft Tannery Way Santa Clara, CA Main: Sales: Support: Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.prevent-credential-theft-inhealthcare-uc