Using Threat Intelligence To Protect Digital Healthcare


Page 1:

F5 Networks

F5 Labs

Lancashire Teaching Hospitals NHS Foundation Trust

Using Threat Intelligence To Protect Digital Healthcare

Page 2:

Neill Burton, Director, UK Channel, F5 sales

David Warburton, Senior Threat Research Evangelist, F5 Labs

Saeed Umar, Head of Technical Services, Lancashire Teaching Hospitals NHS Foundation Trust

Richard Harvey, Solutions Engineer, F5 sales

Page 3:

Security professionals researching threats and publishing intelligence, twice a week.

F5 Teams: Sales Engineering; PD Threat Research; Silverline; F5 Security Incident Response Team

External Partners: Effluxio; UK Information Comm. Office; Webroot; US State Attorney General Offices

Page 4:

Healthcare

2019 - 2020 Q4: 16%

2019 - 2020 Q3: 19%

2019 - 2020 Q2: 20%

2019 - 2020 Q1: 16%

2018 - 2019 Q4: 16%

UK healthcare accounts for 18% of all breaches

Page 5:

[Bar chart: Breach Analysis, State Attorney General. Sectors: Health, Finance, Services, Retail, Education, Manufacturing, Insurance, Tech, Non-profit, CPA, Food, Public, Entertainment, Law firm, Hotels, Transport, Telecom, Utility, Comm, Media, Chemical. Callouts: 1025; 85%]

Page 6:

[Chart by quarter, 2018 - 2019 Q4 to 2019 - 2020 Q4. Series: Phishing; Unauthorised access; Data of wrong data subject shown in client portal; Hardware/software misconfiguration; Malware; Other cyber incident; Ransomware; Brute Force; Denial of service]

Page 7:

• Healthcare accounts for 16% of all breaches in US

• 42% social engineering

• Email and access account for 54%

• Insiders only 7 incidents

[Chart values, in extracted order: 29%, 25%, 13%, 11%, 4%, 4%, 4%, 3%, 2%, 1%, 1%, 1%, 1%, 1%, 1%, 1%]

[Chart legend, in extracted order: Email; Unauthorized access; Phishing; Ransomware; Accident; Misconfiguration; Insider; Physical; Malware; Formjack; Insider at third party; Stolen creds; Access stolen from third party; Third-party compromised; Unknown; Web hack]

Page 8:

• Healthcare top again with 22% of all breaches

• Phishing and use of compromised credentials account for majority of breaches

• Email inboxes contain sensitive personal data

• 54% of breaches were due to criminal and malicious activity

[Chart: Phishing (compromised credentials) 46%; Compromised or stolen credentials (method unknown) 16%; Malware 13%; Ransomware 22%; Brute force 3%]

Page 9:

“Amateurs hack systems, professionals hack people”

- Bruce Schneier

Page 11:

Brute Force attacks by industry from reported 2019 F5 SIRT incidents

[Chart values, in extracted order: 6.5%, 6.5%, 9.7%, 9.7%, 3.2%, 6.5%, 32.3%, 6.5%]

[Chart labels, in extracted order: Telecom; Retail; Tech; Manufact; NonProfit; Health; Finance; Public]

Page 12:

Credentials from Previous Breaches

[Graphic: repeated USERNAME entries labelled Credit Card Data, Intellectual Property, Healthcare Data, Passport Data, Financial Data]

Page 14:

Phishing Attacks Impersonating Health Authorities

– WHO

– Public Health Offices (CDC)

– Revenue Agencies

– Human Rights offices

– Charities

– Unicef

– WSJ

– FedEx

[Chart: Phishing Attempts and Malware Attachments, "Corona or Coronavirus". Labels: APTS; CYBERCRIME]

Page 15:

2020: 20.4B DEVICES (Gartner)

2035: 1T DEVICES (Softbank)

*Excludes smartphones, tablets, and computers

Page 16:

1. 3 mins: Find source code (Pastebin search)

2. 30 mins: Weaponize

3. 10 mins: Validate everything is working properly

< 45 minutes

Page 18:

[Chart: Global Count by port]

[Chart values, in extracted order: 1,585,907; 3,943,544; 5,786,490; 8,505,596; 10,249,603; 13,216,693; 14,204,715; 19,385,768; 31,640,282; 129,693,957]

[Chart labels, in extracted order: MS CRM: 5555; ICB / SWX: 7326; MS RDP: 3389; Telnet: 23; SMTP: 25; HTTPS: 443; HTTP: 80; SSH: 22; RFB / VNC: 5900; MS SMB: 445]

Page 19:

WannaCry

• Wormed ransomware able to spread to connected devices

• Bayer MedRad device used to assist in MRI scans

• Radiography, mobile X-ray and mammography products from Siemens Healthineers

Page 20:

China: Tencent, China Telecom

US: AWS, Google Cloud, Azure

Terminal Servers?

Shifted workloads to the cloud?

If Shodan can find you…

Page 21:

Routers, IoT, Smart TVs, IP cameras

[Timeline, 2008 to 2018. Bot groups in extracted order:]

1 Bot: Brickerbot

2 Bots: WireX, Reaper

3 Bots: Mirai, BigBrother, Rediation

1 Bot: Remaiten

1 Bot: Moon

1 Bot: Aidra

1 Bot: Hydra

3 Bots: Satori Fam, Amnesia, Persirai

1 Bot: Crash override

1 Bot: Gafgyt Family

2 Bots: Darlloz, Marcher

1 Bot: Psyb0t

4 Bots: Hajime, Trickbot, IRC Telnet, Annie

13 Bots: SORA, OWARI, UPnPProxy, OMNI, Roaming Mantis, Wicked, VPNFilter, DaddyL33t, Josho, Tokyo, Extendo, Hakai, Akiru / Saikin

7 Bots: JenX, OMG, Masuta, PureMasuta, Hide ‘N Seek, DoubleDoor, Katrina

6 Bots: Death, Okane, Anarchy, Torii, Yasaku, Thanos

6 Bots: Vermelho, Miori, IZIH9, APEP, SEFA, Yowai

[Legend: DNS Hijack; DDoS; PDoS; Proxy Servers; Unknown…; Rent-a-bot; Install-a-bot; Multi-purpose Bot; Fraud trojan; ICS protocol monitoring; Tor Node; Sniffer; Credential Collector; Crypto-miner]

Shifting to multi-purpose

Page 22:

% of Traffic (Bad Bots / Good Bots / Human)

Gambling: 53.08% / 0.09% / 46.80%

Airlines: 43.90% / 0.93% / 55.18%

Financial: 24.66% / 4.35% / 70.99%

Healthcare: 24.37% / 57.58% / 18.04%

Tickets: 22.97% / 7.82% / 69.21%

Ecommerce: 21.45% / 16.49% / 62.05%

Travel (incl. Airlines): 19.24% / 2.51% / 78.25%

Adult Entertainment: 17.57% / 0.47% / 81.95%

Insurance: 12.88% / 18.65% / 68.47%

Real Estate: 12.44% / 37.21% / 50.35%

Travel (no Airlines): 4.50% / 3.46% / 92.04%

Source: GlobalDots Bad Bot Report 2018


Page 25:

Attacks go after easy targets

Rapid expansion of remote access while decreasing security controls

Rapid increase of remote access

Rapid expansion of unplanned remote access can introduce over-privileged risks

Increased risk of pivoting attacks

Working “offline” drives more local PII storage

Allowing BYOD authentication to corp network

RDP (port 3389) exposure publicly up 41%

Publicly discoverable RDP hosts (in Shodan) are up 45% since Jan.

Exposing highly targeted ports publicly attracts brute force, cred stuffing and DoS attacks.

At a time when phishing campaigns are targeting consumers using corporate resources at home.

MFA is being disabled

Lack of posture assessments with BYOD

Can’t secure internet connection of remote assets when split tunneling.

Exposing login to internet attracts brute force, cred stuffing and DoS attacks.

VPN exposure publicly up 33%

Page 26:

[Diagram labels: Users; APM; Kerberos / Header Based; Reverse Proxy; Directory Services; Web; Mobile; Mac and Windows; VPN; On Premises; VPN]

Page 27:

END TO END APPLICATION SERVICES

F5 Code to customer

[Diagram labels: Code; Load balancer; DNS; API gateway; App security; DDoS; CDN; Ingress controller; App / web server; Customer]

Web app firewall

DDoS + bot protection

Access management

SSL decryption & orchestration

Credential & anti-fraud protection

L4 firewall including IPS

Page 28:

Simplifying application access

CONTEXT-AWARE POLICIES ENFORCE CONDITIONAL APP ACCESS

ACCESS ALL APPS: Federation for SaaS, cloud (IaaS), on-premises, and custom apps

SIMPLIFY AND SECURE: SSO decreases the number of passwords, improving the user experience

IDENTITY AWARE PROXY: Conditional Access: Client and device and app context, MFA

[Diagram labels: SaaS apps; Cloud-based apps; On-premises & custom apps; SAP HANA; Oracle PeopleSoft; Line of Business; Custom Apps; Kerberos-Based; Header-Based; SAML; OAuth / OIDC; Azure AD]

Page 29:

BlackFish

• Subscription service to validate if userID/password (hashed/encoded values) are known to be compromised

• Can integrate with remote access solutions such as F5 APM

• Can integrate using APIs to non-F5 security devices

THE AVERAGE PERSON USES THE SAME CREDENTIALS FOR 4 ACCOUNTS

Have your credentials been compromised?

Page 30:

WEB APPLICATION FIREWALL AND SHAPE

Who, What, Why – Protect your apps!

Protecting application code from attacks

Protecting application logic from fraud

[Diagram labels: Code; Load balancer; DNS; API gateway; App security; DDoS; CDN; Ingress controller; App / web server; Customer; WAF; Shape]

Page 31:

©2020 F5

F5 Technology to Support Front line Services

HEALTHCARE, NON-PROFIT AND EDUCATION SERVICES

* Case by case basis

Page 32:

HTTPS://WWW.F5.COM/BUSINESS-CONTINUITY#RESOURCES

Online Technical And Response Services

* Not just during Covid-19, available with any active support contract

Page 33:

Thank You