Friday, July 15, 2016

Leveraging the Human to Break the Cyber Kill Chain

Kill chain is a term used by the US military to describe the steps or stages an adversary takes to attack you. However, one thing that organizations have failed to do is leverage their employees to break the Cyber Kill Chain. To date, every diagram or paper I have seen on a Cyber Kill Chain leverages technology to stop attackers, from firewalls and anti-virus to HIDS and SIEMs. Do not forget people; they are a powerful resource to help you and your team. Here is how your employees can help break a Cyber Kill Chain.

  • Reconnaissance: The first step most advanced attackers take is research. Their goal is to learn more about who they want to target and how. Employees often make this too easy by posting a huge amount of information about themselves, including hobbies, travel schedules and their network of family and friends. Quite often the information they post is only small snippets, but when aggregated together, bad guys can build an entire dossier on their targets. Teach people, especially those who are likely to be targeted, to limit what they post. Every new item they share makes it that much easier for bad guys. In addition, social media is not the only resource bad guys leverage. Teach employees the proper destruction of information (kill the impact of dumpster diving) and the effective use of encryption. The harder we make information to find, the more likely we are to break this stage.
  • Weaponization: This is where bad guys develop their attack/payload; there is not much we can do here.
  • Delivery: Lockheed Martin identified the three most common delivery methods as email attachments, websites and USB removable media. Train staff to identify, stop and report phishing. Train people on the proper use of USB media (such as only using authorized devices). The more you train people on all the different methods of social engineering attacks, the more likely they can identify and stop the delivery of these attacks.
  • Exploitation: Even if people fall victim to an attack, their behaviors can stop actual exploitation. First, by keeping systems patched and current, employees make it that much harder for any exploit to work. This is not just for work computers but for mobile devices and even their computers at home (who says APT can't target people on their personal computers?). In addition, even if attackers are successful, people can still detect the exploit and quickly report it. By creating Human Sensors you can react and stop an intrusion before an attacker can move on to other stages.
  • Installation: Same as exploitation: if your devices are patched and properly secured, this can go far in stopping an exploit from installing any malware. Once again, teach employees indicators of compromise AND how to report them, building out your network of Human Sensors.
  • Command / Control: There is not much employees can do to prevent this stage, but once again, if we develop the Human Sensor they can identify and report this stage.
  • Actions on Objectives: There are many behaviors that employees can follow that help break this stage, including: proper use of encryption, destruction of data, unique passwords for all accounts, using only approved systems for sensitive data, and secure use of the cloud. Finally, at the risk of sounding like a broken record, develop that Human Sensor.
There is no single solution when dealing with targeted attacks. However, by leveraging people, you can increase your chances of breaking the Cyber Kill Chain at numerous stages.


Thursday, July 7, 2016

Why Healthcare Should Sweat ‘The Small Stuff’ When it Comes to Health Data Security

In the years since the passing of the 2009 HITECH Act, more than 30 million people in over 900 separate cases have been affected by breaches of secure healthcare data. The HITECH Act requires that HHS disclose to the SEC any incidents affecting more than 500 patients, but these numbers alone do not tell the whole story. In a report to Congress, HHS disclosed that approximately 165,000 additional victims had been involved in 'smaller incidents' that fell below the 500-victim threshold.

The Ponemon Institute calculated that data breaches are costing the healthcare industry roughly $5.6 billion annually, and the Identity Theft Research Center reported that healthcare data breaches accounted for almost half of the major incidents reported across all industries (the first time healthcare has topped their list).

  • The turbulent rollout of public health insurance exchanges, with many questioning the amount of focus dedicated to ensuring their security
  • The discovery of the Heartbleed bug, which caused massive vulnerability across the Internet and sent millions of consumers scrambling to change their online login credentials
  • The theft of 4.5 million patient health records from Community Health Systems (CHS), made possible by Heartbleed. This was the second largest breach of health records ever in the U.S. and has many in the healthcare industry fearfully anticipating future attacks made possible by information stolen through the vulnerability
  • Hackers successfully breached the Healthcare.gov website and left behind malicious software. Though no patient data was believed to have been taken, many are worrying about further attacks as a new enrollment period approaches and the exchange is flooded with new patient information

What are criminals stealing?
  • Criminals are targeting Social Security numbers (which in turn are used to steal identities) and creating fraudulent credit cards, passports and bank accounts
  • In other instances, the goal is electronic Protected Health Information (ePHI) or Electronic Medical Records (EMRs), which provide criminals with the information needed to fraudulently receive healthcare services under the guise of being insured, an $80 billion per year problem for the public insurance sector alone

A Large Target Just Got Larger
In December, HHS proposed a new rule that would widen the amount of information shared as part of the Medicare Shared Savings Program (including ACOs) and "streamline access to such data to better support program and ACO function and goals..." As shown below, this new rule includes not only the beneficiary's name, date of birth, health insurance claim number and sex, but four other categories of information:

  1. Demographic data, such as enrollment status
  2. Health status information, such as risk profile and chronic condition subgroup
  3. Utilization rates of Medicare services
  4. Expenditure information related to utilization of services

Industry Regulators and Other Healthcare Stakeholders Take Action
  • In 2015, the HHS Office for Civil Rights (OCR) began a random audit program covering not only covered entities but also business associates, expanding its focus from providers to the broader healthcare landscape
  • The Financial Services Department of New York announced it will introduce stringent cybersecurity standards and will begin performing targeted assessments and reviews of insurance companies (which will likely impact healthcare payers)
  • The National Health Information Sharing & Analysis Center (NH-ISAC) and Center for Internet Security (CIS) announced a partnership to improve and strengthen nationwide cybersecurity measures for the healthcare industry, including a focus on medical devices

Standing alone, these measures will not be sufficient to combat this criminal threat, but they are the beginnings of an alignment between regulatory and technology-based solutions that will mature over time.