F5 Networks
F5 Labs
Lancashire Teaching Hospitals NHS Foundation Trust
Using Threat Intelligence To Protect Digital Healthcare
Neill Burton, Director, UK Channel, F5 sales
David Warburton, Senior Threat Research Evangelist, F5 Labs
Saeed Umar, Head of Technical Services, Lancashire Teaching Hospitals NHS Foundation Trust
Richard Harvey, Solutions Engineer, F5 sales
External Partners: security professionals researching threats and publishing intelligence, twice a week.
F5 Teams: Sales, Engineering, PD Threat Research, Silverline, F5 Security Incident Response Team.
External sources: Effluxio, UK Information Comm. Office, Webroot, US State Attorney General Offices.
Chart (UK): healthcare share of all reported breaches by quarter: 2018-2019 Q4 16%, 2019-2020 Q1 16%, 2019-2020 Q2 20%, 2019-2020 Q3 19%, 2019-2020 Q4 16%. UK healthcare accounts for 18% of all breaches.
Chart (UK): share of breaches by sector (0% to 18% scale), sectors in order: Health, Finance, Services, Retail, Education, Manufacturing, Insurance, Tech, Non-profit, CPA, Food, Public, Entertainment, Law firm, Hotels, Transport, Telecom, Utility, Comm, Media, Chemical (per-sector values not recoverable).
Chart (UK, by quarter from 2018-2019 Q4 to 2019-2020 Q4, scale 0 to 45 incidents): breaches by type: Phishing, Unauthorised access, Data of wrong data subject shown in client portal, Hardware/software misconfiguration, Malware, Other cyber incident, Ransomware, Brute force, Denial of service (per-quarter values not recoverable).
Breach Analysis: State Attorney General
• Healthcare accounts for 16% of all breaches in the US
• 42% social engineering
• Email and unauthorized access account for 54%
• Insiders: only 7 incidents
Chart (US State Attorney General breach analysis, breach cause by share): Email 29%, Unauthorized access 25%, Phishing 13%, Ransomware 11%, Accident 4%, Misconfiguration 4%, Insider 4%, Physical 3%, Malware 2%, Formjack 1%, Insider at third party 1%, Stolen creds 1%, Access stolen from third party 1%, Third-party compromised 1%, Unknown 1%, Web hack 1%.
• Healthcare top again with 22% of all breaches
• Phishing and use of compromised credentials account for the majority of breaches
• Email inboxes contain sensitive personal data
• 54% of breaches were due to criminal and malicious activity
Chart (malicious breaches by method): Phishing (compromised credentials) 46%, Ransomware 22%, Compromised or stolen credentials (method unknown) 16%, Malware 13%, Brute force 3%.
“Amateurs hack systems, professionals hack people” - Bruce Schneier
Chart: brute force attacks by industry from reported 2019 F5 SIRT incidents; industries: Telecom, Retail, Tech, Manufacturing, Non-profit, Health, Finance, Public (the largest single share shown is 32.3%; per-industry values not recoverable in order).
Figure: Credentials from Previous Breaches. A username and password reused across accounts unlocks credit card data, intellectual property, healthcare data, passport data and financial data.
Phishing Attacks Impersonating Health Authorities
– WHO
– Public Health Offices (CDC)
– Revenue Agencies
– Human Rights offices
– Charities
– Unicef
– WSJ
– FedEx
Chart (2020): phishing attempts and malware attachments referencing "Corona" or "Coronavirus", from APTs and cybercrime, on a scale of 0 to 40,000 (values not recoverable).
Connected devices*: 20.4 billion in 2020 (Gartner); 1 trillion by 2035 (Softbank).
*Excludes smartphones, tablets, and computers
Time to build a bot from published source code (< 45 minutes in total):
1. Find source code (Pastebin search): 3 mins
2. Weaponize: 30 mins
3. Validate everything is working properly: 10 mins
Chart: global count of internet-exposed hosts by service port: MS CRM 5555, ICB / SWX 7326, MS RDP 3389, Telnet 23, SMTP 25, HTTPS 443, HTTP 80, SSH 22, RFB / VNC 5900, MS SMB 445 (counts range from 1,585,907 to 129,693,957; per-port values not recoverable in order).
WannaCry
• Wormed ransomware able to spread to connected devices
• Bayer MedRad device used to assist in MRI scans
• Radiography, mobile X-ray and mammography products from Siemens Healthineers
If Shodan can find you…
China: Tencent, China Telecom
USA: AWS, Google Cloud, Azure
Terminal servers? Shifted workloads to the cloud?
Routers, IoT, Smart TVs, IP cameras
Figure: timeline of IoT botnets, 2008 to 2018. Bots named include Psyb0t, Hydra, Aidra, Darlloz, Marcher, Moon, Gafgyt family, Remaiten, Mirai, BigBrother, Rediation, WireX, Reaper, Brickerbot, Hajime, Trickbot, Annie, Satori family, Amnesia, Persirai, Crash Override, JenX, OMG, Masuta, PureMasuta, Hide ‘N Seek, DoubleDoor, Katrina, SORA, OWARI, UPnPProxy, OMNI, Roaming Mantis, Wicked, VPNFilter, DaddyL33t, Josho, Tokyo, Extendo, Hakai, Akiru / Saikin, Death, Okane, Anarchy, Torii, Yasaku, Thanos, Vermelho, Miori, IZIH9, APEP, SEFA, Yowai.
Capabilities shift from IRC/Telnet DDoS, PDoS and DNS hijack bots to multi-purpose bots: proxy servers, rent-a-bot, install-a-bot, fraud trojan, ICS protocol monitoring, Tor node, sniffer, credential collector, crypto-miner, and unknown…
Bot traffic by industry (% of traffic). Source: GlobalDots Bad Bot Report 2018

Industry                  Bad bots   Good bots   Human
Gambling                  53.08%     0.09%       46.80%
Airlines                  43.90%     0.93%       55.18%
Financial                 24.66%     4.35%       70.99%
Healthcare                24.37%     57.58%      18.04%
Tickets                   22.97%     7.82%       69.21%
Ecommerce                 21.45%     16.49%      62.05%
Travel (incl. Airlines)   19.24%     2.51%       78.25%
Adult Entertainment       17.57%     0.47%       81.95%
Insurance                 12.88%     18.65%      68.47%
Real Estate               12.44%     37.21%      50.35%
Travel (no Airlines)      4.50%      3.46%       92.04%
Attacks go after easy targets
Rapid expansion of remote access while decreasing security controls
Rapid increase of remote access:
• Rapid expansion of unplanned remote access can introduce over-privileged risks
• Increased risk of pivoting attacks
• Working “offline” drives more local PII storage
• Allowing BYOD authentication to the corporate network
RDP (port 3389) exposure publicly up 41%:
• Publicly discoverable RDP hosts (in Shodan) are up 45% since Jan.
• Exposing highly targeted ports publicly attracts brute force, credential stuffing and DoS attacks, at a time when phishing campaigns are targeting consumers using corporate resources at home.
VPN exposure publicly up 33%:
• MFA is being disabled
• Lack of posture assessments with BYOD
• Can’t secure the internet connection of remote assets when split tunneling
• Exposing login to the internet attracts brute force, credential stuffing and DoS attacks
Figure (access architecture): Users on Web, Mobile, Mac and Windows, and VPN clients -> APM (Kerberos / header-based reverse proxy) -> Directory Services, on premises or over VPN.
Figure (F5 code to customer, end-to-end application services): Code -> Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / web server -> Customer. Services along the path: Web app firewall; DDoS + bot protection; Access management; SSL decryption & orchestration; Credential & anti-fraud protection; L4 firewall including IPS.
Simplifying application access
ACCESS ALL APPS: federation for SaaS, cloud (IaaS), on-premises and custom apps (SaaS apps, cloud-based apps, on-premises & custom apps such as SAP HANA, Oracle PeopleSoft, line-of-business and custom apps), via Kerberos-based, header-based, SAML and OAuth / OIDC authentication and Azure AD.
SIMPLIFY AND SECURE: SSO decreases the number of passwords, improving the user experience.
IDENTITY AWARE PROXY: conditional access based on client, device and app context, plus MFA.
CONTEXT-AWARE POLICIES ENFORCE CONDITIONAL APP ACCESS
BlackFish
• Subscription service to validate whether userID/password pairs (as hashed/encoded values) are known to be compromised
• Can integrate with remote access solutions such as F5 APM
• Can integrate using APIs with non-F5 security devices
THE AVERAGE PERSON USES THE SAME CREDENTIALS FOR 4 ACCOUNTS
Have your credentials been compromised?
WEB APPLICATION FIREWALL AND SHAPE
Who, What, Why – Protect your apps!
WAF: protecting application code from attacks. Shape: protecting application logic from fraud.
Figure (code to customer): Code -> Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / web server -> Customer, with WAF and Shape placed along the path.
©2020 F5
F5 Technology to Support Front Line Services
HEALTHCARE, NON-PROFIT AND EDUCATION SERVICES *
* Case by case basis
HTTPS://WWW.F5.COM/BUSINESS-CONTINUITY#RESOURCES
Online Technical And Response Services
* Not just during Covid-19, available with any active support contract
Thank You