A Weekend in Incident Response #30: New Cybersecurity Center Promises to Help U.S. Healthcare Sector Improve Their Cyber Resilience

In light of the increased frequency of cyber attacks against health care institutions in the United States and around the globe, the recent announcement from the U.S. Department of Health and Human Services (HHS) of a dedicated cybersecurity center gives security practitioners in this sector hope that they will soon be better placed to improve their cyber resilience against escalating threats.

The Health Cybersecurity and Communications Integration Center (HCCIC), scheduled to reach initial operating capability before the end of June, is modeled on the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC). Christopher Wlaschin, the CISO at HHS, identified the key goals of the HCCIC as trying to “reduce the noise about cyber threats in the health care industry” and to “improve the ability of health care institutions to protect against cyber attacks.”

Mobile Health Applications and Growing Ransomware Attacks Raise Concerns

The impetus for the center is twofold: first, the sharp rise in ransomware attacks on health care organizations in recent years, and second, the larger attack surface created by the growing adoption of mobile health applications. Together these developments have pushed the government to take more decisive action to help the health care sector build effective cyber resilience.

Information Sharing and Best Practices

Collaborative sharing and analysis of cyber threat intelligence will be at the forefront of the activities undertaken by the new center. Sharing threat intelligence within an industry sector, and between private companies and the authorities, is a significant part of preparing an organization to respond promptly and effectively to cyber incidents. However, this sharing can also produce a torrent of noise, making it difficult for security practitioners to discern credible information about what actually constitutes a threat to their organization. Paradoxically, unfiltered intelligence sharing can therefore slow down the very response it is meant to speed up.

For this reason, organizations need a programmatic way to share only the essential information about current and past threats and about the security events they have already handled. The prescribed solution is an automation and orchestration platform that integrates with threat intelligence exchange standards such as STIX/TAXII and with analysis tools such as Splunk. Such a platform lets health care organizations share operational intelligence about security events securely and efficiently, filter confidential company and patient data out of anything that leaves the organization, and cut the noise of irrelevant information that plagues intelligence sharing today.

In this new reality, where ever more sophisticated threats loom, health care organizations that implement a cyber incident response platform with these built-in threat intelligence capabilities take a significant step toward protecting valuable business information and sensitive patient data.

A Weekend in Incident Response #26: Tackling Advanced Persistent Threats Through Email Parsing Rules and Information Sharing

Advanced persistent threats (APTs) have become a particularly common type of cyber attack used by cyber criminals and state-sponsored actors seeking continuous access to government and private networks. They are extremely difficult to defend against: their sophistication and precise targeting let attackers circumvent defenses and remain undetected inside a network for prolonged periods.

The damage caused by advanced persistent threats, and the costs associated with it, will continue to rise. Organizations would be wise to invest more financial and human resources in detecting, preventing, and eradicating these attacks.

Incoming Email Automation

A fast reaction time and the ability to diagnose a threat correctly as quickly as possible are key to resolving incidents and containing the damage they can cause. To that end, organizations need to automate their incident response processes, so that their security professionals react faster and can identify every threat and resolve every incident in a timely manner. An automation and orchestration incident response platform is arguably the ideal solution for organizations that are potential targets of advanced persistent threats.

These platforms offer a wide range of features aimed at advanced persistent threats, and incoming email automation is among the most effective. Email parsing rules let your security team detect intrusion attempts and hold back potentially hazardous messages. Once the rules are defined, the platform analyses incoming email against specific parameters, including the subject, the body, and the sender address, and flags the messages that match malicious patterns, helping to stop advanced persistent threat actors who try to enter your network through phishing messages.
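The parsing-rule idea above, as an added example that is not code from this blog or from any incident response product: a Python script, standard library only, that parses a raw message, applies a small set of weighted rules, and returns a verdict. It goes slightly beyond the three parameters named above by also checking links in the body and attachment names, which the same parsing step yields for free. The organisation, its domains, the keyword lists, the weights and thresholds, and the three sample messages are all constructed for the example.

```python
"""Rule-based triage of incoming email, as an incident response platform's email
parsing rules might do it. Added example; all names, domains and samples are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "mercy-general.example"             # assumed defending organisation
ORG_KEYWORDS = ("mercy general", "it helpdesk")   # wording a spoofed display name would use
TRUSTED_DOMAINS = {ORG_DOMAIN, "vendor-portal.example"}
URGENCY_WORDS = ("urgent", "immediately", "verify your account", "password", "suspended")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".docm")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def parse_email(raw):
    """Pull the fields the rules inspect out of a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "sender_name": name,
        "sender_addr": addr.lower(),
        "sender_domain": addr.rsplit("@", 1)[-1].lower() if "@" in addr else "",
        "subject": str(msg.get("Subject", "")),
        "body": body,
        "urls": URL_RE.findall(body),
        "attachments": [p.get_filename() or "" for p in msg.iter_attachments()],
    }

# Rules are predicates over the parsed fields; RULES gives each a weight.
def display_name_spoof(m):   # display name claims to be us, the address is not ours
    name = m["sender_name"].lower()
    return any(k in name for k in ORG_KEYWORDS) and m["sender_domain"] != ORG_DOMAIN

def lookalike_domain(m):     # sender domain embeds our name but is not our domain
    return m["sender_domain"] != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in m["sender_domain"]

def urgency_language(m):     # two or more pressure phrases across subject and body
    return sum(w in (m["subject"] + " " + m["body"]).lower() for w in URGENCY_WORDS) >= 2

def untrusted_link(m):       # a link to a raw IP or to a host outside the trusted set
    for url in m["urls"]:
        host = (urlparse(url).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) or not any(
                host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
            return True
    return False

def risky_attachment(m):     # executable or macro-bearing attachment, judged by extension
    return any(f.lower().endswith(RISKY_EXTENSIONS) for f in m["attachments"])

RULES = [
    ("display_name_spoof", 40, display_name_spoof),
    ("lookalike_domain", 30, lookalike_domain),
    ("urgency_language", 20, urgency_language),
    ("untrusted_link", 25, untrusted_link),
    ("risky_attachment", 60, risky_attachment),
]

def triage(raw, quarantine_at=60, review_at=25):
    """Apply every rule, add up the weights of the hits and return a verdict."""
    m = parse_email(raw)
    hits = [name for name, _, pred in RULES if pred(m)]
    score = sum(w for name, w, _ in RULES if name in hits)
    verdict = "quarantine" if score >= quarantine_at else "review" if score >= review_at else "deliver"
    return {"sender": m["sender_addr"], "score": score, "rules": hits, "verdict": verdict}

# Constructed sample messages; 203.0.113.0/24 is a documentation-only address range.
PHISH = """\
From: Mercy General IT Helpdesk <helpdesk@mercy-general-login.example>
Subject: URGENT: your account will be suspended
Content-Type: text/plain; charset="utf-8"

Your password expires today. Verify your account immediately at http://203.0.113.7/portal/login or access will be suspended.
"""

BENIGN = """\
From: Pharmacy Scheduling <scheduling@vendor-portal.example>
Subject: Shift roster for next week
Content-Type: text/plain; charset="utf-8"

The roster is posted at https://vendor-portal.example/roster as usual.
"""

DROPPER = """\
From: Accounts <billing@invoices-online.example>
Subject: Invoice attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

placeholder-bytes
--b1--
"""
```

Calling `triage(PHISH)` yields a quarantine verdict with all four content rules firing, `triage(BENIGN)` delivers cleanly, and `triage(DROPPER)` quarantines on the double-extension attachment alone. In a platform, "quarantine" would open an incident and "review" a low-priority ticket. Keyword and domain rules like these are cheap for an attacker to evade, so they complement a mail gateway rather than replace it, and the weights and thresholds need tuning against the organisation's own mail before they are trusted.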

Information Sharing Capabilities Also Key

Another essential feature of some cyber incident response platforms is the ability to share incident information with law enforcement and with threat intelligence platforms, improving an organization’s capability to defend against advanced persistent threats. For instance, if a platform supports a threat intelligence exchange standard such as STIX, you will be able to share and receive key information about current and past security events, allowing you to adjust your defense program as the methods, tactics and channels used by advanced persistent threat attackers change.

In short, staving off advanced persistent threats requires a comprehensive approach by security professionals. It should be built around a cyber incident response platform capable of threat intelligence sharing and incoming email automation, two of the most effective tools for battling these sophisticated attacks.

A Weekend in Incident Response #18: Sharing Threat Intelligence as One of the Crucial Components of a Strong Cyber Defense

In many respects, cyber crime resembles more traditional crime. Forensic investigation and analysis of the evidence recovered at the scene are among the things the two have in common, and they are key to resolving a crime of any type quickly and effectively, but especially so for cyber attacks. Being able to gather evidence and related data about a security event is crucial for detecting and preventing future incidents. With government agencies, organizations, and businesses across many industries around the world facing a growing threat of cyber attacks, sharing threat intelligence is becoming an increasingly important part of the global effort to tackle cyber crime.

Incident Response Platforms with Threat Intelligence Sharing Capabilities

Threat intelligence sharing is a major part of the broader incident response process, and organizations should pay special attention to it. Among other things, when they shop for a cyber incident response platform they should look for one that provides this capability, because sharing threat intelligence through other means adds an unwanted burden on their security teams and can incur substantial costs.

Many cyber incident response platforms support threat intelligence sharing standards and tools, including STIX, TAXII, Splunk, QRadar, and ThreatConnect, presenting a fast and simple way to share threat information among organizations.

These platforms let you notify other organizations, threat analysts, threat sharing communities, and everyone else involved in cyber defense of each security incident, passing on important information such as where an attack came from, the attack patterns observed, and possibly attribution of the attackers.
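The sharing step described here, and in the earlier posts (share only the essential indicators and keep patient and company data out of it; exchange over STIX/TAXII), as an added example that is not code from this blog or from any vendor's product: a Python script, standard library only (it does not use the `stix2` package), that turns a constructed internal incident record into a STIX 2.1 bundle of indicator objects, drops indicators that point at the organisation's own infrastructure, stamps every indicator with the TLP:AMBER marking whose identifier is fixed by the STIX 2.1 specification, and runs a pre-share check that none of the record's patient, host or analyst fields appear in the output. The record layout, the field names, the RFC 1918 heuristic and every value are assumptions made for the example.

```python
"""Turn an internal incident record into a STIX 2.1 bundle that carries only
shareable indicators. Added example on the standard library alone (no stix2
package); the incident record layout and all values are constructed."""
import json
import re
import uuid
from datetime import datetime, timezone

# TLP:AMBER marking object as defined, with this fixed id, in the STIX 2.1 specification.
TLP_AMBER = {
    "type": "marking-definition",
    "spec_version": "2.1",
    "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "created": "2017-01-20T00:00:00.000Z",
    "definition_type": "tlp",
    "name": "TLP:AMBER",
    "definition": {"tlp": "amber"},
}

# Only these incident fields ever leave the organisation; each value fills a STIX pattern.
SHAREABLE = {
    "domains": "[domain-name:value = '{}']",
    "ipv4": "[ipv4-addr:value = '{}']",
    "urls": "[url:value = '{}']",
    "sha256": "[file:hashes.'SHA-256' = '{}']",
}
RFC1918 = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

def is_internal(kind, value, org_domain):
    """Indicators that describe our own infrastructure are never shared (assumed heuristic)."""
    if kind == "ipv4":
        return bool(RFC1918.match(value))
    if kind in ("domains", "urls"):
        return org_domain in value.lower()
    return False

def build_bundle(incident, org_domain):
    """Emit one indicator per shareable value; every other field stays in the record."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = [TLP_AMBER]           # ship the marking so receivers can resolve the reference
    for kind, pattern in SHAREABLE.items():
        for value in incident.get(kind, []):
            if is_internal(kind, value, org_domain):
                continue
            objects.append({
                "type": "indicator",
                "spec_version": "2.1",
                "id": f"indicator--{uuid.uuid4()}",
                "created": stamp,
                "modified": stamp,
                "name": f"{incident['campaign']}: {kind}",
                "pattern": pattern.format(value.replace("\\", "\\\\").replace("'", "\\'")),
                "pattern_type": "stix",
                "valid_from": stamp,
                "object_marking_refs": [TLP_AMBER["id"]],
            })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def sensitive_terms(incident):
    """Strings from the record that must never appear in anything shared."""
    terms = [str(v) for p in incident.get("patients", []) for v in p.values()]
    terms += incident.get("internal_hosts", []) + incident.get("analyst_notes", [])
    return [t for t in terms if t]

def leaks(bundle, incident):
    """Pre-share check: every sensitive term that made it into the serialised bundle."""
    text = json.dumps(bundle)
    return [t for t in sensitive_terms(incident) if t in text]

# Constructed incident record holding the kind of data a hospital SOC would have.
INCIDENT = {
    "campaign": "invoice-lure ransomware",
    "patients": [{"name": "Jane Q. Sample", "mrn": "MRN-0001234"}],
    "internal_hosts": ["radiology-ws07.corp.mercy-general.example"],
    "analyst_notes": ["PHI on the shared drive was encrypted by the payload"],
    "domains": ["mercy-general-login.example", "portal.mercy-general.example"],
    "ipv4": ["203.0.113.7", "10.20.30.40"],
    "urls": ["http://203.0.113.7/portal/login"],
    "sha256": ["0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"],  # placeholder hash
}

if __name__ == "__main__":
    bundle = build_bundle(INCIDENT, "mercy-general.example")
    assert not leaks(bundle, INCIDENT), "refusing to share: sensitive data in bundle"
    print(json.dumps(bundle, indent=2))
```

Of the six indicator values in the record, four reach the bundle; the internal portal host name and the RFC 1918 address are dropped, and the patient, workstation and analyst-note fields are never consulted by `build_bundle` at all. Pushing the bundle to a TAXII collection is an HTTP POST that is left out here. The `leaks` check is a plain substring match, useful as a last gate before publishing, not a replacement for deciding up front which fields are shareable; the TLP level should follow the sharing agreement in force.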

Sharing Threat Intelligence Increases Response Plan Effectiveness

Sharing intelligence often proves to be crucial to resolving cyber incidents as fast as possible and containing the damage after an incident occurs. It can also help predict and detect future incidents, allowing organizations to prepare and adjust their cyber defense accordingly and take appropriate actions to mitigate the potential risks.

Ultimately, sharing threat intelligence can help lead to the development of more advanced incident response platforms and the creation of more effective response plans, further deterring cyber attackers and preventing breaches.