Why red teaming is vital for health systems, and not just for cybersecurity

Beyond just testing software, red team exercises reveal critical operational gaps. They allow hospitals to build and test emergency procedures in controlled environments before a life-threatening breach occurs.
By Andrea Fox, Senior Editor
Photo: Vertigo3d/Getty Images

The conflict between high-security protocols and the fast-paced nature of life-saving medical work can introduce an array of vulnerabilities. But red teaming exercises can help manage these risks, explained Pieter Ceelen, product owner for Cobalt Strike and Outflank at security firm Fortra.

Red teams simulate real-world cyberattacks to discover how an organization actually responds under pressure. They can also identify whether critical machines are properly isolated and uncover risky workarounds, such as credential sharing or simplified logins.

"The intent of red teaming is to have a 'sparring match' between a healthcare organization's security defenses and seasoned security testing professionals that mimic those attackers," Ceelen said.

When we spoke with Ceelen recently, he offered some real-world testing examples and gave advice on using security testing results to balance usability and security.

Q. Why do detection and response capabilities often fall short, and how can red teaming benefit provider organizations?

A. Real attackers constantly try to find the bypasses and limits of existing security controls. For them, security controls are just barriers, and they invest their time into bypassing these barriers in the simplest way possible.

Red teamers use attack techniques simulating those used by real cybercriminals. This can range from testing staff security awareness with targeted spear phishing to deeply technical attack techniques that rely on sophisticated evasion of security monitoring, as seen in Outflank Security Tooling.

The value of red teaming is to see how an organization reacts when under active cyberattack and identify learnings in a variety of areas so that security defenses can be strengthened. Additionally, red team engagements are controlled tests that include safety measures, with clear "rules of engagement" to avoid unwanted impact.

I've had situations where my team was actively simulating an attack on a hospital, and security defenses detected it. The hospital's security team escalated an incident internally, and due to the potential impact, they realized they would need to shut down internet access.

However, "shutting down the Internet" was something they had never done before. So they had no idea how to do this operationally, and the impact on critical medical processes was unknown.

Once the internal team was informed that this was a red team test, they started working out emergency procedures and testing them so they could be better prepared in the event of an actual attack such as this.

Other tests in the healthcare industry resulted in completely different learnings, ranging from technical controls to organizational issues. The learnings are unique to each organization and based on maturity and the exact scenario at play.

Q. What are some key legacy system risks that could benefit from vulnerability identification through red teaming exercises?

A. Red teaming exercises can identify whether key pieces of medical IoT are properly isolated and the impacts of a potential system compromise. The tests depend on the exact scenario and objectives.

One example is an MRI scanner, a complex software technology connected to a hospital network. The devices have long life spans. Thus, the underlying IT components of an MRI machine are like other software and need security patch management routines over time.

Unfortunately, these machines might be exempted from typical corporate security controls, and they do not receive the protection and patches needed, making them attractive targets for an attacker.

Q. Why does credential management need more attention?

A. Medical staff are often executing time-critical, life-saving tasks. If their task requires an IT component, they may be asked to authenticate using a credential.

However, complex and lengthy passwords, or typing over a two-factor code, do not work in time-critical situations. This can result in poor credential practices, ranging from passwords being shared between colleagues to the use of overly simple passwords.

While the reason this happens is understandable, unfortunately, these kinds of patterns are often abused by attackers. Finding the right balance between usability and security is complex but necessary.

Q. What is your advice for safely testing ransomware and downtime scenarios?

A. Organizations should first and foremost implement good industry practices like prevention controls, deploying detection and response tooling (endpoint detection and response and extended detection and response) and working out detection and response plans.

Testing in an environment like a hospital will always be challenging since they run 24/7 and are highly sensitive to unplanned interruptions. However, a variety of tests can still be executed.

For example, tabletop exercises can test organizational aspects of security by walking through scenarios to discuss decision-making processes, roles and responsibilities, incident response procedures and more. Such announced IT tests with planned downtime can validate technical procedures that are not tied to critical clinical services.

Ultimately, full-fledged red team engagements are possible when significant time is invested in careful planning and coordination, ensuring that no "full-impact" actions occur while still realistically testing how an organization's defenses and response plans stand up against modern threat actors.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.