Reading Room Table Display

Title | Content | Publication Date
#StopRansomware: Hive Ransomware

Alert (AA22-321A)

“This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.”


“The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known Hive IOCs and TTPs identified through FBI investigations as recently as November 2022.”


“FBI, CISA, and HHS encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. Victims of ransomware operations should report the incident to their local FBI field office or CISA.”

Read the full article, or download the PDF version of this article, on the CISA site.

This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

*Excerpt taken from cisa.gov

November 30, 2022
Hive Ransomware

Hive is an exceptionally aggressive, financially motivated ransomware group with sophisticated capabilities that has historically targeted healthcare organizations frequently. The Health Sector Cybersecurity Coordination Center (HC3) recommends that the Healthcare and Public Health (HPH) Sector be aware of Hive’s operations and apply the cybersecurity principles and practices found in this document to defend its infrastructure and data against compromise.

The Hive ransomware group has been known to be operational since June 2021 and in that time has been very aggressive in targeting the US health sector. One report covering the third quarter of 2021, just months after the group began operating, ranks it as the fourth most active ransomware operator in the cybercriminal ecosystem. Another report noted 355 companies observed as victims in Hive’s first 100 days of operation.

Download Report as PDF.

May 17, 2022
NISTIR 8374- Ransomware Risk Management: A Cybersecurity Framework Profile

The Ransomware Profile identifies the Cybersecurity Framework Version 1.1 security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of events.

Visit NIST to read more or download PDF.

March 1, 2022
Threat-Informed Cybersecurity Operations for Healthcare Delivery Organizations

Healthcare Delivery Organizations (HDO) face a complex set of challenges in their information technology and operational environment, with threats that can impact patient care, business operations, medical devices, facilities, protected health information, and public confidence. A critical element for defense is the Cybersecurity Operations Center (CSOC), which acts as a focal point for an HDO’s cyber threat monitoring and response. This paper provides a framework that aligns with the threats that HDOs face, which cyber leadership can use to help assess the state of their operational cyber defenses and inform planning for future defensive capabilities.

Download Guide as PDF

November 29, 2021
CISA Ransomware Resource Hub

Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. This website is the U.S. Government’s official one-stop location for resources to tackle ransomware more effectively.*

Visit CISA’s Ransomware Resource Hub to access all resources.

*Excerpt from www.cisa.gov.

July 19, 2021
Detect Cyber Events

All ransomware has something in common: as it interacts with the host it is trying to lock down, without fail it triggers host logs and network logs that can be used to detect the malicious activity. Unless, that is, the appliances and software responsible for generating those logs were never properly configured. What follows is an overview of the research you will need to do and the kinds of resources you will need to put in place to generate and gather meaningful and sufficient cyber event data.

Introduction

In cybersecurity, “detection” is a loaded term. In the context of NIST’s overarching Cybersecurity Framework, detection includes noticing potentially malicious activity, analyzing what has happened in more detail, and reaching final conclusions about what has happened. There is a lot going on there, all in a single stage. You will notice that data collection, which is a prerequisite for detecting anything within the data, is assumed and not specifically spelled out. For the purposes of our discussion, it is useful to consider the following flow, which is based on NIST’s Incident Response framework but is more granular:

Preparation > Collection > Analysis

Preparation

For our purposes, preparation is all about knowing your organization and your network:

  • Determine your high value assets and mission essential functions, using a methodology such as Crown Jewels Analysis.
  • Know what normal behavior on your network looks like.
  • Train your team on how to use the tools at their disposal and how to interpret and act on alerts.
  • Whitelisting:
    • Who are the authorized users on the network?
    • Which activities are permitted by which user roles?
    • Which hostnames and IP addresses are expected to be seen on the intranet?
    • Which hosts are allowed to reach out to the internet?

Preparation is not a one-size-fits-all formula; what is important is to grasp the spirit of preparation and create documentation that makes sense for your organization. It is possible to catch some malicious activity without having done the type of preparation defined here, simply by deploying canned products and analytics. However, skipping this work will reduce your success rate and will also make remediation of an event more confusing, slow, and difficult.

Preparation can also include understanding adversary behavior. Knowing this information can help you identify what to look for and where to look for it. This type of preparation is described in greater depth in the Cyber Threat Intelligence resource page.

Collection

This is the collection and aggregation of raw network and host events: an unfiltered view into what is happening on your network. Which processes are running, who is logging in, what kinds of packets are being sent from where to where – all of these questions and more should be answered by the data you collect. This data is gathered from sensors, which are utilities, services, or pieces of hardware on your network that sense what is happening and package the information into “events” that you can read and analyze. Typical sensors include:

Firewalls

Firewalls not only block suspicious traffic, but produce logs of what they’ve seen that can be a rich resource for security analysts.

Network Intrusion Detection Systems (NIDS)

Common free and open-source software (FOSS) NIDS include Snort, Suricata, and Zeek. While similar to a firewall, they are out-of-band and can be placed anywhere within your network. They are designed to produce alerts that can be a great starting point for investigations. They can also be configured to give you metadata for every flow on your network, malicious or not, which gives you tremendous visibility into what is happening on your network.

Windows Event Logs

These host logs are incredibly detailed and can be configured to alert you to almost any kind of activity on a particular computer, ranging from a user logging in, to a process spawning, to a registry key being modified.

Auditd

While not as detailed, auditd logs serve much the same purpose on Linux systems as Windows Event Logs do on Windows.

Sysmon

This after-market security tool offers alerts for critical host events such as process creation, in a more distilled format than what is offered by Windows Event Logs.

Endpoint Detection and Response (EDR) or Host Intrusion Detection System (HIDS)

An EDR is essentially a next-generation anti-virus platform that lives on each host in your network and catches malicious activity as it happens. This software typically can be configured to generate detailed logs, which are a valuable source of information to catch hackers as they try to move laterally in your network. Most of these platforms are paid, proprietary software, but they can be well worth it. Windows Defender is an example of an EDR that just happens to be built into the operating system.

While you do not have to have every log type listed above, the more diverse your logs, the more effective your analysis will be. Data from all your sensors should typically be aggregated in one place, in a normalized schema and time zone, so that you can reference and correlate all the logs conveniently. Most organizations choose to use a Security Information and Event Management (SIEM) platform, which is designed for storing and viewing these logs. Open source examples include Elastic SIEM and Apache Metron. To get all your logs into your SIEM, you will have to configure pipelines, or shippers, that send each log type from its place of origin to your SIEM. The best way to do this varies with each SIEM.
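The normalization and correlation step the paragraph above describes, as an added example that is not part of the original page or of any SIEM it names: events from three sensor types are mapped onto one schema with UTC timestamps, which is what makes a same-host, same-window correlation possible. The sensor events, hostnames, IP addresses and the Suricata signature text are constructed, and the auditd hostname is assumed to be added by the log shipper.

```python
"""Added example: normalize events from several sensor types into one schema
with UTC timestamps, then correlate them. All sample events are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events, one per sensor type discussed above.
WINDOWS_4688 = {  # Windows Security log 4688 (process creation), local time with offset
    "EventID": 4688,
    "Computer": "WS01",
    "TimeCreated": "2021-07-19T09:15:02-04:00",
    "SubjectUserName": "jdoe",
    "NewProcessName": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe",
}
AUDITD_EXECVE = (  # auditd EXECVE record; timestamp is epoch seconds inside msg=audit(...)
    'type=EXECVE msg=audit(1626700511.214:9934): argc=2 a0="curl" a1="http://198.51.100.7/x"'
)
SURICATA_ALERT = {  # Suricata EVE JSON alert; timestamp emitted in UTC
    "timestamp": "2021-07-19T13:15:09.000000+0000",
    "event_type": "alert",
    "src_ip": "10.0.5.21",
    "dest_ip": "198.51.100.7",
    "host": "WS01",  # assumed: host tag added by the log shipper
    "alert": {"signature": "CONSTRUCTED Suspicious outbound download", "severity": 1},
}


def to_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp carrying an offset and convert it to UTC."""
    ts = ts.replace("+0000", "+00:00")  # Suricata writes the offset without a colon
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def normalize_windows(evt: dict) -> dict:
    """Map a 4688 event onto the common schema."""
    return {"ts": to_utc(evt["TimeCreated"]), "host": evt["Computer"], "source": "windows",
            "kind": "process_start", "user": evt.get("SubjectUserName"),
            "detail": evt["NewProcessName"]}


def normalize_auditd(line: str, host: str) -> dict:
    """Map an auditd EXECVE line onto the common schema.
    auditd records carry no hostname, so the shipper must supply one."""
    epoch = float(re.search(r"msg=audit\((\d+\.\d+):", line).group(1))
    args = re.findall(r'\ba\d+="([^"]*)"', line)
    return {"ts": datetime.fromtimestamp(epoch, tz=timezone.utc), "host": host,
            "source": "auditd", "kind": "process_start", "user": None,
            "detail": " ".join(args)}


def normalize_suricata(evt: dict) -> dict:
    """Map a Suricata EVE alert onto the common schema."""
    return {"ts": to_utc(evt["timestamp"]), "host": evt.get("host"), "source": "suricata",
            "kind": "network_alert", "user": None,
            "detail": f'{evt["alert"]["signature"]} {evt["src_ip"]}->{evt["dest_ip"]}'}


def correlate(events: list, window: timedelta = timedelta(seconds=30)) -> list:
    """Pair each network alert with process starts on the same host that occurred
    within `window` before it. This only works because every event now shares
    one host field and one UTC clock."""
    alerts = [e for e in events if e["kind"] == "network_alert"]
    procs = [e for e in events if e["kind"] == "process_start"]
    return [(p["detail"], a["detail"]) for a in alerts for p in procs
            if p["host"] == a["host"] and timedelta(0) <= a["ts"] - p["ts"] <= window]


def run_example() -> list:
    """Normalize the constructed events and return the correlated (process, alert) pairs."""
    events = [normalize_windows(WINDOWS_4688),
              normalize_auditd(AUDITD_EXECVE, host="LNX01"),
              normalize_suricata(SURICATA_ALERT)]
    return correlate(events)


if __name__ == "__main__":
    for proc, alert in run_example():
        print(f"{proc}  <->  {alert}")
```

The Windows event lands 7 seconds before the alert once both are on the UTC clock, so it pairs; the auditd event is on a different host and does not.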

Analysis

Once you have logs consistently flowing into your SIEM, you are ready to analyze them, which is the most important part of Detection! Refer to Health Cyber’s Analytics page for resources and a step-by-step guide for deploying open source analytics on your data.

To learn how to gain more insight into your detections, refer to the Cyber Threat Intelligence page.

July 15, 2021
Rubric for Applying CVSS to Medical Devices

The Common Vulnerability Scoring System (CVSS) assists organizations in assessing the severity of a vulnerability to determine the urgency and priority of the response. CVSS was developed for enterprise IT systems and does not adequately reflect the clinical environment and potential patient safety issues. To address these challenges, MITRE developed the “Rubric for Applying CVSS to Medical Devices.” The CVSS Rubric consists of a structured set of questions and corresponding decision flow diagrams, along with medical-device-specific examples and guidance, to help assess a medical device vulnerability in a consistent and standardized way. In October 2020, FDA qualified the CVSS Rubric as a Medical Device Development Tool.

Read the paper on MITRE.ORG: https://www.mitre.org/md-cvss-rubric

July 6, 2021
Zero Trust Architecture (ZTA)

Zero Trust Architecture (ZTA) can reduce the attack surface and limit adversarial lateral movement, thereby reducing the impact of ransomware. The implementation of ZTA requires the integration of existing and new capabilities, as well as buy-in across the enterprise. Successful implementations will require multi-year planning that includes determination of drivers and use cases, policy development, architecture development, technology readiness assessment, pilots, user training, and phasing of deployments. The movement towards Zero Trust Architectures (ZTA) aligns with cybersecurity modernization strategies and practices to deter and defend against dynamic threats both inside and outside traditional enterprise perimeters. A key driver for ZTA adoption across the federal government is the “Executive Order on Improving the Nation’s Cybersecurity” issued by President Biden on May 12, 2021, directing executive agencies to “develop a plan to implement Zero Trust Architecture.”

The ZTA Tech Watcher report explores the state of the technology today and provides background, applicability, and benefits to organizations, outstanding challenges and issues, and recommendations. The paper can be found at https://www.mitre.org/publications/technical-papers/zero-trust-architectures-are-we-there-yet.

July 6, 2021
CISA Fact Sheet Rising Ransomware Threat to OT Assets

CISA has published the Rising Ransomware Threat to OT Assets fact sheet in response to the recent increase in ransomware attacks targeting operational technology (OT) assets and control systems. The guidance:

  • Provides steps to prepare for, mitigate against, and respond to attacks;
  • Details how the dependencies between an entity’s IT and OT systems can provide a path for attackers; and
  • Explains how to reduce the risk of severe business degradation if affected by ransomware.

Read or download PDF.

June 14, 2021
Principles and Practices for Medical Device Cybersecurity

“International Medical Device Regulators Forum guidance document provides concrete recommendations to all responsible stakeholders on the general principles and best practices for medical device cybersecurity (including in vitro diagnostic (IVD) medical devices). It outlines recommendations for medical device manufacturers, healthcare providers, regulators, and users to: minimize cybersecurity risks that could arise from use of the device for its intended purposes; and to ensure maintenance and continuity of device safety and performance. This document considers cybersecurity in the context of medical devices that either contain software, including firmware and programmable logic controllers (e.g. pacemakers, infusion pumps) or exist as software only (e.g. Software as a Medical device (SaMD)).”*

Download “Principles and Practices for Medical Device Cybersecurity” PDF.

*Excerpt from http://www.imdrf.org/.

June 4, 2021
FBI Watch – TLP:WHITE Report

“The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S. Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and we assess are tailored to the victim. Recent ransom demands have been as high as $25 million.”*

Read full FBI Watch report.

*Excerpt from https://www.aha.org.

May 24, 2021
Ransomware Protection and Response

“Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access.

Here’s an example of how a ransomware attack can occur:

  1. A user is tricked into clicking on a malicious link that downloads a file from an external website.
  2. The user executes the file, not knowing that the file is ransomware.
  3. The ransomware takes advantage of vulnerabilities in the user’s computer and other computers to propagate throughout the organization.
  4. The ransomware simultaneously encrypts files on all the computers, then displays messages on their screens demanding payment in exchange for decrypting the files.”*

To read all information, visit the Computer Security Resource Center on the NIST site.

*Excerpt from https://csrc.nist.gov/.

May 19, 2021
Combating Ransomware: A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force

“This report details a comprehensive strategic framework for tackling the dramatically increasing and evolving threat of ransomware, a widespread form of cybercrime that in just a few years has become a serious national security threat and a public health and safety concern.”*

Visit the Institute for Security & Technology site to download PDF.

*Excerpt from securityandtechnology.org.

April 30, 2021
Locked Out: Tackling Australia’s ransomware threat

“This Industry Advisory Committee paper on Ransomware builds awareness for all Australians and their businesses on the current ransomware threat landscape. The paper presents real case studies and provides advice on how all Australians can best protect themselves from ransomware attacks.”*

Download “Locked Out: Tackling Australia’s Ransomware Threat” as PDF.

*Excerpt from https://www.homeaffairs.gov.au/.

March 20, 2021
NIST Cybersecurity Framework

Assess Technical Readiness

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is voluntary guidance intended to help organizations to better manage and reduce cybersecurity risk. The Framework provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand and communicate to all stakeholders.

The NIST Cybersecurity Framework consists of three parts:

  • The Framework Core helps organizations manage and reduce cybersecurity risk in a manner that complements their existing risk management practices.
  • Framework Implementation Tiers help organizations assess the maturity of their existing cybersecurity risk management practices.
  • Framework Profiles are unique to an organization and assist in defining and prioritizing cybersecurity requirements and objectives.

Visit the NIST Cybersecurity Framework site.

February 25, 2021
No-Cost Malicious Domain Blocking and Reporting for U.S. Hospitals

No-Cost Cyber Defense for U.S. Hospitals

“The Center for Internet Security® (CIS®), in partnership with Akamai, is offering the Malicious Domain Blocking and Reporting (MDBR) service AT NO COST to all public and private hospitals and related healthcare organizations in the United States. This service provides an additional layer of cybersecurity protection that is proven, effective, and easy to deploy.

MDBR is a fully-managed proactive domain security service, with CIS and Akamai fully maintaining the systems required to provide the service. Once an organization points its DNS requests to Akamai’s DNS server IP addresses, every DNS lookup will be compared against a list of known and suspected malicious domains. Attempts to access known malicious domains associated with malware, phishing, ransomware, and other cyber threats will be blocked and logged.

The logged data is then provided by Akamai to CIS’s Security Operations Center (SOC). The SOC uses this data to perform detailed analysis and aggregate reporting for the benefit of the hospital community, as well as organization-specific reporting and intelligence services. If circumstances require, remediation assistance is provided for each organization that implements the service.”*

Read about No-Cost Cyber Defense for U.S. Hospitals.

*Excerpt from www.cisecurity.org.

February 23, 2021
Protecting Data from Ransomware and Other Data Loss Events

“The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) developed this publication to help managed service providers (MSPs) improve their cybersecurity and the cybersecurity of their customers.”*

Read more about A Guide for MSPs to Conduct, Maintain, and Test Backup Files and to download PDF.

*Excerpt from csrc.nist.gov.

February 21, 2021
Design Defenses

IT and cybersecurity practitioners are responsible for the technical implementation of defensive technologies. Before a ransomware incident occurs, healthcare organizations should have an effective security architecture in place to identify, protect, detect, respond to and recover from ransomware. The NIST Ransomware Practice Guides below provide reference designs using existing commercial products that could aid an organization in remediating gaps in an organization’s cybersecurity implementation.

NIST SPECIAL PUBLICATION (SP) 1800-25
Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events

This NIST Ransomware Practice Guide shows how organizations can develop and implement appropriate actions and technologies, using existing commercial products, to remediate gaps in an organization’s cybersecurity implementation before a cybersecurity event is detected.

NIST SPECIAL PUBLICATION (SP) 1800-11
Data Integrity: Recovering from Ransomware and Other Destructive Events

This NIST Ransomware Practice Guide shows how organizations can develop and implement appropriate actions and use various technologies to recover from a cybersecurity event.

February 21, 2021
Cybersecurity Maturity Models

EVALUATE CYBERSECURITY MATURITY

HHS recently published an overview of three Cybersecurity Maturity Models including the NIST Cybersecurity Framework. These models allow an organization to baseline their current capabilities against best practices.

Download the presentation on Cybersecurity Maturity Models.

February 19, 2021
Podcast Interview: Cyber and Supply Chain Threats to the Health Care Sector

“Matthew Halvorsen, Strategic Program Director for NCSC’s Supply Chain and Cyber Directorate, recently sat down with Gregory Garcia, the Executive Director for Cybersecurity of the Health Sector Coordinating Council, for an audio interview on current threats to the health care sector. The discussion focused on cyber and supply chain threats, including ransomware, nation-state targeting of COVID-19 research, and other current topics.”*

Listen to Podcast or read transcript.

*Excerpt from www.dni.gov.

February 18, 2021
Designing Cyber Resilient Systems (NIST SP 800-160 Vol. 2)

NIST Special Publication 800-160 Volume 2, Designing Cyber Resilient Systems: A Systems Security Engineering Approach, defines cyber resiliency as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources. NIST SP 800-160 Vol. 2 offers a framework for understanding the problem space and the cyber resiliency solution space. It supports engineering analysis and judgment, identifying factors to consider when making trade-offs among different possible capabilities. It includes notional worked examples, to illustrate how cyber resiliency concepts and technologies can be tailored to different environments. For healthcare providers, implementing cyber resiliency could mean preventing loss of life.

Visit the NIST site to download the publication.

February 16, 2021
Stop that Phish

“Email and messaging services (such as Skype, Twitter, or Snapchat) are one of the primary ways we communicate. We not only use these technologies every day for work, but also to stay in touch with friends and family. Since so many people around the world depend on these technologies, they have become one of the primary attack methods used by cyber attackers. This attack method is called phishing. Learn what phishing is and how you can spot and stop these attacks, regardless if you are at work or at home.”*

Learn more about phishing on the SANS site.

*Excerpt from www.sans.org.

February 16, 2021
SEI Cyber Minute: Mitigating Ransomware

Watch Rotem Guttman in this SEI Cyber Minute as he discusses “Mitigating Ransomware.”

February 11, 2021
Health Care Industry Cybersecurity Task Force

“HHS established the Health Care Industry Cybersecurity Task Force following the passage of the Cybersecurity Act of 2015. The Task Force members represented a wide variety of organizations within the health care and public health sector, including hospitals, insurers, patient advocates, security researchers, pharmaceutical companies, medical device manufacturers, health information technology developers and vendors, and laboratories.”*

Read more about the Health Care Industry Cybersecurity Task Force.

*Excerpt from www.phe.gov.

February 11, 2021
HHS 405(d) Aligning Health Care Industry Security Approaches

This HHS program provides industry-led, consensus-based guidelines, practices, and methodologies that aim to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the HPH sector.

Visit the HHS website to view resources.

February 11, 2021
Cybersecurity Toolkit for Digital Health

“The Cybersecurity Toolkit for Digital Health serves as an educational resource for digital health companies at all stages of growth on both the fundamentals and best practices for cybersecurity and privacy protection.”*

Visit Mass Digital Health site to access all resources.

*Excerpt from massdigitalhealth.org.

February 11, 2021
SANS: Internet Storm Center (ISC)

“The ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.”*

Visit the Internet Storm Center.

*Excerpt from isc.sans.edu.

February 11, 2021
FBI: InfraGard Portal

“InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure. Through seamless collaboration, InfraGard connects owners and operators within critical infrastructure to the FBI, to provide education, information sharing, networking, and workshops on emerging technologies and threats. InfraGard’s vetted membership includes: business executives, entrepreneurs, lawyers, security personnel, military and government officials, IT professionals, academia and state and local law enforcement—all dedicated to contributing industry-specific insight and advancing national security.”*

Visit FBI InfraGard site.

*Excerpt from infragard.org.

February 11, 2021
US Computer Emergency Response Team (US-CERT)

As part of its mission, CISA leads the effort to enhance the security, resiliency, and reliability of the Nation’s cybersecurity and communications infrastructure.

Visit the US-CERT site.

February 11, 2021
Common Vulnerability Scoring System Special Interest Group (SIG)

“The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.”*

Read more about CVSS.

*Excerpt from first.gov.

February 10, 2021
Common Vulnerabilities and Exposures (CVE)

CVE® is a list of records—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.

Visit CVE site.

February 10, 2021
11 Strategies of a World-Class Cybersecurity Operations Center

If you are getting started in cybersecurity operations, evolving your existing security operations center (SOC), or engaging with a SOC regularly, MITRE offers free downloads of 11 Strategies of a World-Class Cybersecurity Operations Center—both for the 20-page summary document and the full textbook. Fully revised, this second edition of the popular 10 Strategies of a World-Class Cybersecurity Operations Center includes new material and evolved thinking to bring a fresh approach to excelling at cybersecurity operations and leveraging up your cyber defenses.

You will learn to:

  • Identify the right SOC structure and functions for your organization.
  • Hire and grow talented staff, foster a sense of community, and create a place people want to be.
  • Instrument digital assets and fuse their data to speed workflow, maximize detection, and inform situational awareness.
  • Leverage cyber threat intelligence to operationalize threat-oriented defense, adversary emulation, hunting, and response.
  • Tell the SOC’s story through effective metrics and communications, internally and externally.

Read more and download PDFs.

February 10, 2021
CISA Cyber Resource Hub

Cybersecurity resources to help agencies make data-informed risk decisions by gaining visibility into vulnerability trends, adversarial activities and, most important, effective mitigations to implement for better protection of their networks.

Visit CISA’s Cyber Resource Hub to access all resources.

February 5, 2021
Cyber Resilience Review (CRR)

The Department of Homeland Security/Cybersecurity and Infrastructure Security Agency (DHS/CISA) offers a Cyber Resilience Review.

“CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.”*

Visit the CISA site to access all resources.

*Excerpt from us-cert.cisa.gov.

February 5, 2021
Cyber Tabletop Exercises

Evaluate your cyber response plan

Cyber Tabletop Exercises (TTX) are a way to evaluate your cyber response plan with scenarios that identify gaps between what you’ve planned for and what can actually happen, practice roles and responsibilities, and improve communications throughout organizations.

Intelligence Driven Exercises and Solutions (IDEAS) is a TTX methodology in which participants explore dynamic problem sets or threats in a unique way to challenge assumptions, methods, and strategies and bolster understanding. The resources below provide both an overview and a detailed description of the methodology.

Other Resources:

  • Enhancing Cyber Wargaming – This report describes a framework for cyber wargaming that bridges the gap between strategic tabletop exercises and hands-on cyber red-teaming. Included in the report is a comprehensive survey of existing cybersecurity exercises.

February 1, 2021
Health Information Sharing and Analysis Center (H-ISAC)

“Crowdsourced Cyber Security | Sector Threat Intelligence | Shared Best Practices

Health-ISAC Inc. (H-ISAC, Health Information Sharing and Analysis Center), is a global, non-profit, member-driven organization offering healthcare stakeholders a trusted community and forum for coordinating, collaborating and sharing vital physical and cyber threat intelligence and best practices with each other.”*

Visit the H-ISAC site for more information and resources.

*Excerpt from h-isac.org.

February 1, 2021
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients

“Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), the primary publication of the Cybersecurity Act of 2015, Section 405(d) Task Group, aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. It seeks to aid healthcare and public health organizations to develop meaningful cybersecurity objectives and outcomes.”*

Visit the Public Health Emergency site to access all documentation.

*Excerpt from www.phe.gov.

February 1, 2021
Health Sector Cybersecurity Coordination Center (HC3) Homepage

“A Prescription for Health Sector Cybersecurity

Health Sector Cybersecurity Coordination Center (HC3) was created by the Department of Health and Human Services to aid in the protection of vital, healthcare-related controlled information and ensure that cybersecurity information sharing is coordinated across the Health and Public Health Sector (HPH).”*

Visit HC3 site to access all products.

 

*Excerpt from www.hhs.gov.

February 1, 2021
Health Sector Coordinating Council

“The Health Sector Coordinating Council (HSCC), in partnership with the U.S. Department of Health and Human Services, is pleased to announce the release of the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication. The four-volume publication seeks to raise awareness for executives, health care practitioners, providers, and health delivery organizations, such as hospitals. It is applicable to health organizations of all types and sizes across the industry.”*

Read more on the HSCC site or download the “HICP: Managing Threats and Protecting Patients” PDF directly.

 

*Excerpt from healthsectorcouncil.org.

February 1, 2021
Cyber Assessments

Cyber Assessments include a full range of vulnerability testing, penetration testing, and adversary assessment methods that bolster an organization’s ability to identify, protect against, and detect ransomware threats. Tailoring these assessment methodologies and tools to business requirements helps an organization assess and manage its enterprise ransomware risk.

Download Cyber Assessment PDF.

 

January 28, 2021
User Awareness Training

TRAIN STAFF TO AVOID INFECTION

Users are often the most effective cyber sensors. User awareness training helps every employee in your organization to better recognize, avoid, and report potential threats that can compromise critical systems via known attack vectors, including phishing and ransomware.

MITRE has implemented a program to train users to recognize and handle suspicious emails, and the resources below give an overview of how to establish such a program. The EARNEST practice helps educate end users to be effective cyber sensors.

Resources:

January 25, 2021
Cyber Threat Intelligence

Cyber threat intelligence (CTI) is the understanding and analysis of real-world threats and adversaries, with data and knowledge shared through the traditional intelligence cycle so that raw data is refined into information and then into intelligence. It may be tactical, operational, or strategic in nature, informing activities ranging from remediation to threat hunting and strategic organizational risk management.

Understand the Adversary

Understanding the adversary is one of the first steps in preparing a threat-informed defense. This paper describes how incremental developments in ransomware since 1989 have led to the emergence of a ransomware business model, which enables the highly damaging ransomware infections seen today. To learn more about this evolution and the common initial access vectors used by ransomware groups, read the Evolution of Ransomware paper.

Defending Against Ransomware: A Cyber Threat Intelligence Primer

A cyber threat intelligence (CTI) capability can help organizations take a threat-informed defense approach to protecting themselves from a wide range of malicious cyber activity, including ransomware. A robust CTI program will generally follow the “intelligence cycle” – Planning and Direction, Collection, Processing, Analysis and Production, and Dissemination and Feedback – to ensure it is meeting the expectations of stakeholders and maturing to meet evolving demands. This guide is intended to assist organizations interested in establishing a CTI program and those maturing an existing capability.

Read more about Defending Against Ransomware in the PDF.

Monitoring Threat Intelligence

The goal of cyber threat intelligence (CTI) is usually to help an organization focus on understanding its greatest threats by providing analyzed intelligence that assists network defenders and decision-makers in making more informed, threat-based decisions. CTI should be actionable and applicable to both near- and long-term information needs for network defenders and decision-makers. CTI should enable activities and actions at the tactical, operational, and strategic levels, ranging from specific rules network defenders implement within their environments, to proactive adversary hunting methodologies, to strategic decision-making about limited budgetary and personnel resource allocations. A variety of public and private sources, whether unclassified government reporting, commercial feeds, or open source, give organizations insight into the latest threats.

Other Resources:

Cyber Threat Intelligence Sharing

JOIN COMMUNITY GROUPS

When possible and appropriate for their circumstances, organizations should share cyber threat intelligence with peer institutions and government entities. Official forums exist to facilitate this, such as H-ISAC. These sharing relationships can also be an excellent source of threat intelligence for your organization.

Other Resources:

January 25, 2021
Deploy Cyber Analytics

Analytics are bits of code that we can use to match up known ransomware tactics and techniques with actual events on our system, as a way of flagging malicious activity. The Analytics Deployment Guide walks through the process of choosing the right analytics for your use case and using them to detect malicious activity in your raw data. Use the table of analytics below as a resource in this process.

Read the Analytics Deployment Guide

Introduction and Prerequisites

This short guide is designed as a quick starter for those who are unfamiliar with the common strategies behind analyzing cyber event data and finding threats. This guide assumes you have done the preparatory work described in the Detection guide. This means that your team is trained, you know which things in your network are most sensitive, you have created the appropriate whitelists, and you have a number of sensors feeding into a SIEM.

Review Threat Intelligence

Before deploying analytics, it is helpful to gain insight into the current threat landscape. We have a heat map of techniques that have recently been used by ransomware threat groups. We have also created a view within the ATT&CK Navigator that highlights the tactics used by ransomware software documented in ATT&CK. Organizations can learn more about tracking ransomware techniques on an ongoing basis on the Cyber Threat Intelligence resources page.

Analyze and Detect

Once you have logs consistently flowing into your SIEM and you know what you need to detect, you are ready to do analysis! Analysis comes in three main flavors:

Alert-based Investigation

Ideally at least one of your sensors will be a security alert-producing product, such as an EDR or NIDS. These sensors have already done some analysis on the raw event data, and have decided to tell you “I think something bad might be happening here,” as opposed to other sensors that are just giving you raw, unanalyzed data. If you have security alert logs, you want to start there. In an alert-based investigation, a human analyst would view the content of the alert and decide whether she agrees that the behavior is suspicious, given her understanding of normal network activity. If she decides it warrants further investigation, she will correlate the alert with the other logs available to her in the SIEM, helping to paint a fuller picture of what is happening. This is why it is important to have as many sensors as possible, to give as much context as possible during an investigation.

Hunting

Hunting consists of perusing your logs, searching for any suspicious activity, not aided by any automated alerting. This is typically done by skilled, experienced analysts who have been trained to know what to look for and also have expert insight into what normal activity on your network looks like, a result of the Preparation phase. Some organizations choose to bring in a specialized team from time to time to do this type of hunting. Hunting is important, but to some extent it can be like finding a needle in a haystack, without knowing what the needle looks like. This should not be your primary mode of operation.

Secondary Automated Analysis

While your EDR, firewall, and IDS can produce some security alerts, in many cases they are only guessing at what is bad and will produce false positives, and they will miss other significant events altogether, because they each see only part of the picture. Each security product is blind to the context of what is happening elsewhere on the network. When you have all the data in your SIEM, you have the opportunity to conduct more analysis based on more cohesive knowledge. With this in mind, there are many machine analytics that will parse through the data in your SIEM and produce alerts as appropriate. It is entirely appropriate to write your own analytics, but it also makes sense to take advantage of all the open source analytics that others have already written that may apply to your network as well. Some open source analytic repositories include:

Reference Health Cyber’s analytics table for a list of open source analytics you can use to provide maximum detection of the ransomware-related hacking techniques listed in ATT&CK. You will see that numerous analytics are available, and it might not be feasible to deploy them all at once. We recommend starting with those that cover critical techniques that are being leveraged to a high degree by current ransomware threat groups. For a picture of which techniques are trending, reference our Ransomware Heat Map.

When you have built or collected the analytics you want, you will need to do several things to run them on your data:

  1. Convert the analytic to use your data schema, if necessary.
  2. Test the analytic within your SIEM to see if it functions as anticipated.
  3. Set up a mechanism to feed the data through your analytics. This architecture can vary. One popular method is to run batch jobs every few minutes: this method would take the latest raw data in your SIEM and apply your analytics to it, spitting any results into a new log somewhere.
  4. Set up a maintenance timetable that will remind you to periodically review which analytics you have deployed, and decide if they are still relevant. Some analytics can become outdated as technology and threats change.

Walk through our analytic deployment scenario for an example of how this all works!
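The four steps above, carried through in code as an added example (this is not the Health Cyber deployment scenario or any analytic from the analytics table). It assumes a SIEM that exports process-creation events as dicts with Sysmon-style field names (UtcTime, Computer, Image, CommandLine); the reference schema, the T1490 command-line patterns, the sample events and the batch watermark mechanism are all constructed for this illustration.

```python
"""Added example: a minimal analytic pipeline that walks the four deployment
steps. Field names, the analytic body and the sample events are constructed
for illustration and are not taken from the page."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Iterable, List, Optional, Tuple

# Step 1: the analytic is written against a reference schema. The local SIEM
# is assumed to export Sysmon-style field names, so map them onto the reference.
LOCAL_TO_REFERENCE = {
    "UtcTime": "timestamp",
    "Computer": "host",
    "Image": "process",
    "CommandLine": "command_line",
}


def normalize(raw: dict) -> dict:
    """Convert one locally formatted event into the reference schema."""
    event = {ref: raw.get(local, "") for local, ref in LOCAL_TO_REFERENCE.items()}
    event["timestamp"] = datetime.fromisoformat(event["timestamp"]).replace(tzinfo=timezone.utc)
    return event


@dataclass
class Alert:
    timestamp: datetime
    host: str
    technique: str
    indicator: str
    command_line: str


# T1490 Inhibit System Recovery: command lines that remove shadow copies,
# backup catalogs or Windows recovery options (patterns written for this example).
T1490_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin delete catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit recoveryenabled no": re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
}


def inhibit_system_recovery(event: dict) -> Optional[Alert]:
    """Analytic body: match the normalized command line against the T1490 patterns."""
    for indicator, pattern in T1490_PATTERNS.items():
        if pattern.search(event["command_line"]):
            return Alert(event["timestamp"], event["host"], "T1490", indicator, event["command_line"])
    return None


ANALYTICS: List[Callable[[dict], Optional[Alert]]] = [inhibit_system_recovery]


def run_batch(raw_events: Iterable[dict], since: datetime) -> Tuple[List[Alert], datetime]:
    """Step 3: one batch job. Normalize every event newer than the watermark,
    run all deployed analytics over it, and return the alerts plus the new
    watermark so the next run picks up where this one stopped."""
    alerts: List[Alert] = []
    watermark = since
    for raw in raw_events:
        event = normalize(raw)
        if event["timestamp"] <= since:
            continue  # already processed by an earlier batch
        watermark = max(watermark, event["timestamp"])
        for analytic in ANALYTICS:
            alert = analytic(event)
            if alert is not None:
                alerts.append(alert)
    return alerts, watermark


# Step 2: constructed sample events in the local schema, used to test the
# analytic before it is wired into the scheduled batch.
SAMPLE_EVENTS = [
    {"UtcTime": "2021-01-25T09:59:00", "Computer": "WS01", "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},  # before the watermark, must be skipped
    {"UtcTime": "2021-01-25T10:00:05", "Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"UtcTime": "2021-01-25T10:00:06", "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},  # benign
    {"UtcTime": "2021-01-25T10:00:07", "Computer": "WS02", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
]

BATCH_START = datetime(2021, 1, 25, 10, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    found, new_watermark = run_batch(SAMPLE_EVENTS, BATCH_START)
    for a in found:
        print(f"{a.timestamp.isoformat()} {a.host} {a.technique} {a.indicator}: {a.command_line}")
    print("next batch starts after", new_watermark.isoformat())
```

Step 4 is a calendar entry rather than code, but the pattern table above is exactly what that review should revisit: the indicators are plain command-line strings, so they go stale as soon as a ransomware family switches to a different tool or encodes its arguments. Keeping the watermark from the previous run is what makes the "batch every few minutes" architecture safe against double-alerting and against gaps if a run is delayed.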


Analytics Deployment Scenario

The Analytics Deployment Scenario demonstrates how to apply the methodology in the Deployment Guide.

Analytics Table

January 25, 2021
Cyber Resiliency

Cyber Resiliency enables organizations to continue to function while under a cyber attack. No matter how strong an organization’s defenses, determined adversaries may penetrate. Implementing resiliency techniques will allow continuation of critical operations and business processes during a successful attack. For healthcare providers, implementing cyber resiliency could mean preventing loss of life.

The resources listed below provide additional details on Cyber Resiliency and its implementation.

Resources:

 

January 25, 2021
Data Integrity: Recovering from Ransomware and Other Destructive Events

NIST Special Publication (SP) 1800-11 – Data Integrity: Recovering From Ransomware and Other Destructive Events

This NIST Ransomware Practice Guide shows how organizations can develop and implement appropriate actions and use various technologies to recover from a cybersecurity event.

Visit NIST to read more or to download PDF.

The resources below provide additional resources that could aid an organization in recovering from ransomware or other destructive events.

Other Resources:

January 25, 2021
Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events

NIST Special Publication (SP) 1800-26 – Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events

This NIST Ransomware Practice Guide shows how organizations can develop and implement appropriate actions and use of technologies to detect and/or respond to a detected cybersecurity event. (This practice guide spans both the Detect and Respond CSF domains.)

Visit NIST to read more or download PDF.

The resources below provide additional resources that could assist an organization in detecting and responding against ransomware or other destructive events.

Other Resources:

 

January 25, 2021
Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events

NIST Special Publication (SP) 1800-25 – Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events

This NIST Ransomware Practice Guide shows how organizations can develop and implement appropriate actions/technologies to remediate gaps in an organization’s cybersecurity implementation using existing commercial products, which can be deployed before a detected cybersecurity event. (This practice guide spans both the Identify and Protect CSF domains.)

Visit NIST to read more or download PDF.

The resources below provide additional resources that could aid an organization in identifying and protecting critical assets against ransomware or other destructive events.

Other Resources:

January 25, 2021
Cyber Operations Rapid Assessment (CORA)

Assess Cybersecurity Operations

Cyber Operations Rapid Assessment (CORA) is a lightweight assessment tool used to evaluate your overall cybersecurity operations and infrastructure. CORA can enable healthcare organizations to gather a snapshot of their cybersecurity operations capabilities and provides specific recommendations for improvement. CORA emphasizes threat analysis, incident prevention and response, and threat intelligence information sharing. CORA is an effective model for an organization seeking a quick review of its cybersecurity operations capability, and as a possible prelude to a more rigorous assessment such as Crown Jewels Analysis (CJA).

The resources below provide additional detail on CORA and its application.

Resources:

January 25, 2021
Rubric for Applying CVSS to Medical Devices

The Common Vulnerability Scoring System (CVSS) is an open standard designed to convey vulnerability severity and help determine the urgency and priority of response. When vulnerabilities are discovered in medical devices, medical device manufacturers, typically working with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC), use CVSS to provide a consistent and standardized way to communicate the severity of a vulnerability between multiple parties, including the medical device manufacturer, hospitals, clinicians, patients, NCCIC, and vulnerability researchers.

Read more about the CVSS rubric on the MITRE site.

 

January 22, 2021
The MITRE Systems Engineering Guide

Technical Paper

The primary purpose of the MITRE Systems Engineering Guide, or SEG, is to convey The MITRE Corporation’s accumulated wisdom on a wide range of systems engineering subjects—sufficient for understanding the essentials of the discipline and for translating this wisdom into practice in your own work environment.

Read more about the SEG or request a PDF.

 

January 22, 2021
Incident Preparedness and Response

Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

Technical Paper

This playbook outlines a framework for health delivery organizations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, ensure effectiveness of devices, and protect patient safety.  This document can help HDOs to prepare for and respond to ransomware attacks.

Read more about the Playbook or Download PDF directly.

Essential Clean-Slate Cyber Recovery Assessment for Time-Critical Processing

Technical Paper

This document outlines a framework and set of criteria for assessing an organization’s ability and time to recover from a devastating cyberattack. Assessment criteria provide stakeholders with a common language for analyzing recoverability, and the framework offers a method for performing introspective assessments. These tools can help organizations better ensure that they are prepared and able to execute recovery plans in the event of a ransomware or other cyberattack.

Read more about the framework in the PDF.

 

Resource:

The ASPR TRACIE Healthcare System Cybersecurity: Readiness & Response Considerations resource can help healthcare facilities, particularly hospitals, and the systems they may be a part of, understand the roles and responsibilities of stakeholders before, during, and after a cyber incident. Information within this document is specifically related to the effects of a cyber incident on the healthcare operational environment, specifically the ability to effectively care for patients and maintain business practices and readiness during such an event. While the focus of this document is on disruptions associated with a large-scale cyberattack, many strategies and principles outlined are relevant to a range of cybersecurity incidents and healthcare facilities.

 

January 22, 2021
Caldera

CALDERA™ is a cybersecurity framework designed to easily run autonomous breach-and-simulation exercises. It can also be used to run manual red-team engagements or automated incident response.

It is built on the MITRE ATT&CK™ framework and is an active research project at MITRE.

The framework consists of two components:

  1. The core system. This is the framework code, consisting of what is available in this repository. Included is an asynchronous command-and-control (C2) server with a REST API and a web interface.
  2. Plugins. These are separate repositories that hang off of the core framework, providing additional functionality. Examples include agents, GUI interfaces, collections of TTPs, and more.

Visit the CALDERA site to access the tool and documentation.

 

January 22, 2021
Ransomware and Breach

File Agenda:

  • Ransomware Prevention
  • Ransomware Recovery
  • Breach Review
  • Ransomware and Security Incidents
  • Ransomware and Breaches
  • Breach Resources

Download PDF from Health & Human Services Office for Civil Rights.

 

January 22, 2021
Ransomware and HIPAA Fact Sheet

“Ransomware exploits human and technical weaknesses to gain access to an organization’s technical infrastructure in order to deny the organization access to its own data by encrypting that data. However, there are measures known to be effective to prevent the introduction of ransomware and to recover from a ransomware attack. This document describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role the Health Insurance Portability and Accountability Act (HIPAA) has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.”*

Download “Ransomware and HIPAA Fact Sheet” from the Health & Human Services site.

 

*Excerpt from www.hhs.gov.

January 22, 2021
Cyber Attack Checklist

“My entity just experienced a cyber-attack! What do we do now?

A Quick-Response Checklist from the HHS, Office for Civil Rights (OCR)

Has your entity just experienced a ransomware attack or other cyber-related security incident, and you are wondering what to do now? This guide explains, in brief, the steps for a HIPAA covered entity or its business associate (the entity) to take in response to a cyber-related security incident.”*

Download Cyber Attack Checklist from Health & Human Services (HHS) site.

 

*Excerpt from www.hhs.gov.

January 22, 2021
Cyber Security Guidance Material

Health Information Privacy

“On this website you will find educational materials specifically designed to give HIPAA covered entities and business associates insight into how to respond to a cyber-related security incidents.”*

Visit the Health & Human Services site for resources.

 

*Excerpt from www.hhs.gov.

January 22, 2021
Laws and Regulations Enforced by OCR

“Office of Civil Rights (OCR) enforces nondiscrimination regulations that apply to programs, services, and activities receiving HHS Federal financial assistance.  We also enforce nondiscrimination provisions of other laws as they apply to programs and activities receiving HHS Federal financial assistance.”*

Visit the Health & Human Services (HHS) site for all resources.

 

*Excerpt from www.hhs.gov.

January 22, 2021
Webinar: Combating Ransomware

Recorded webinar, 1.5 hours long, deeply technical.

Watch video on YouTube.

 

January 21, 2021
MS-ISAC Ransomware Guide

This Ransomware Guide includes two resources:

  • Part 1: Ransomware Prevention Best Practices
  • Part 2: Ransomware Response Checklist

“These ransomware best practices and recommendations are based on operational insight from the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The audience for this guide includes information technology (IT) professionals as well as others within an organization involved in developing cyber incident response policies and procedures or coordinating cyber incident response.”*

Download guide as PDF.

 

*Excerpt from www.cisa.gov

January 21, 2021
Ransomware Guidance and Resources

“CISA has observed continuing ransomware attacks across the country and around the world: See CISA’s Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak. Below, please find resources on CISA’s newly redesigned ransomware information page to better connect you with helpful resources and tools you and your organization need to guard against the ransomware threat.”*

Visit CISA to access all guides and resources.

 

*Excerpt from www.cisa.gov

January 21, 2021
Ransomware What It Is and What To Do About It

Read CISA document that covers:

  • What is Ransomware?
  • How do I protect my networks?
  • How do I respond to ransomware?

 

January 21, 2021
INSIGHTS Ransomware Outbreak

“Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks, locking up private sector organizations and government agencies alike. And that’s only what we’re seeing – many more infections are going unreported, ransoms are being paid, and the vicious ransomware cycle continues on. We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?).”*

Read or download PDF.

 

*Excerpt from us-cert.cisa.gov.

January 21, 2021
CISA, MS-ISAC, NGA & NASCIO Recommend Immediate Action To Safeguard Against Ransomware Attacks

“The recent ransomware attacks targeting systems across the country are the latest in a string of attacks affecting State and local government partners. The growing number of such attacks highlights the critical importance of making cyber preparedness a priority and taking the necessary steps to secure our networks against adversaries. Prevention is the most effective defense against ransomware.”*

Read or download PDF.

 

*Excerpt from us-cert.cisa.gov.

January 21, 2021
Crown Jewels Analysis (CJA)

IDENTIFY CRITICAL ASSETS

Crown Jewels Analysis (CJA) is a process for identifying those cyber assets that are most critical to achieve an organization’s key objectives and purpose. CJA can enable healthcare organizations to prioritize and apply limited resources effectively for cyber resiliency, the ability to continue critical operations during a major cyber attack such as ransomware.

The resources below provide additional detail on CJA and its application.

Resources:

 

January 19, 2021
Ransomware Techniques in ATT&CK

UNDERSTAND ADVERSARY TACTICS & TECHNIQUES

MITRE ATT&CK® is a globally-accessible, structured knowledge base of adversary cyber tactics, techniques, and sub-techniques that is based on real-world observations.  Tactics represent the “why” of an ATT&CK technique or sub-technique.  Techniques represent “how” an adversary achieves a tactical objective by performing an action.  Sub-techniques further break down behaviors described by techniques into more specific descriptions of how behavior is used to achieve an objective.  By using this structured knowledge of how real-world adversaries operate in cyber space to attack their victims, defenders can better prepare for, detect, and protect against those wishing to do them harm.

The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel. For this Ransomware Resource Center, we have created a specific view within the ATT&CK Navigator that highlights the known ransomware actors, software, and their tactics and techniques that are presently documented in ATT&CK. ATT&CK primarily focuses on APT groups, though it may also include other advanced groups such as financially motivated actors. Because many ransomware actors are small-scale cyber criminals, this list is not comprehensive. However, most of the tactics and techniques presented here are likely representative of behaviors exhibited by other groups and actors that are not presently cataloged in ATT&CK.

MITRE also publishes Deploying Cyber Analytics, which can provide a means to detect known adversary behavior. For this Ransomware Resource Center, we have identified the relevant analytics that pertain to the techniques and sub-techniques highlighted in the Navigator view, below.

Below are the techniques, software, and groups that are presently documented in ATT&CK.  This information continues to evolve.  Feedback on relevant information from the user community is welcome at HealthCyber@mitre.org.

Common Ransomware Techniques in ATT&CK

T1566: Phishing

    1. Description: A common entry point for ransomware is through phishing via malicious email attachments and/or links.
    2. Detection: There are several tools to help aid in detecting phishing avenues, such as anti-virus software to examine potentially malicious documents/files, network intrusion detection systems, and third-party services that leverage TLS/SSL inspection. URL inspection within emails can also help detect whether links are malicious.
    3. Mitigation: Several mitigations exist for this behavior. Proper user training is critical for being able to prevent users being socially engineered. Antivirus software, network intrusion prevention systems, and restrictions on web-based contents can also aid in the prevention of ransomware infiltrating an environment.

T1486: Data Encrypted for Impact

    1. Description: This technique is indicative of ransomware. Adversaries will encrypt specific data and files in order to then request the ransom for the files to be decrypted.
    2. Detection: Monitor and search for large quantities of file modifications in user directories, and for the processes performing them. Systems that centralize file storage in an organization are the best place to implement this type of detection.
    3. Mitigation: The main mitigation is to implement a data backup and recovery plan.

T1083: File and Directory Discovery

    1. Description: Most ransomware will search for specific file extensions and folders on a system before determining what to encrypt and lock for ransom.
    2. Detection: Monitor processes and command-line arguments to search for actions that are indicative of file and directory reconnaissance.
    3. Mitigation: This behavior cannot easily be prevented, because it abuses legitimate system features; rely on detection rather than preventive controls.

T1041: Exfiltration over C2

    1. Description: This involves the ransomware exfiltrating the information to extort the victim by threatening to publish the stolen data.
    2. Detection: Analyze network data for uncommon data flows.
    3. Mitigation: Implement a network intrusion detection and prevention system to use signatures for blocking transmissions by specific adversary malware. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection and prevention by common defensive tools.

T1490: Inhibit System Recovery

    1. Description: Adversaries might delete or disable system recovery features to increase the impact of other ransomware techniques.
    2. Detection: Monitor processes and execution of command line parameters, as well as the status of services involved in system recovery.
    3. Mitigation: Perform and test backups of data and configurations for the operating system. Backups should be immutable or stored offline to protect them from the ransomware. Taking these precautions can help lessen the impact.

T1562.001: Impair Defenses – Disable or Modify Tools

    1. Description: Adversaries may disable security tools to avoid detection.
    2. Detection: Monitor processes to ensure security tools are running. The Registry can also be monitored for changes made to critical services or startup programs.
    3. Mitigation: Several mitigations exist for this activity. Restricting file/directory and Registry permissions as well as properly configuring user permissions is important.

T1485: Data Destruction

    1. Description: Individual files are destroyed or overwritten to make data irrecoverable, increasing the impact of locking files for ransom.
    2. Detection: Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as SDelete.
    3. Mitigation: Perform and test backups of data and configurations for the operating system. Backups should be immutable or stored offline to protect them from the ransomware. Taking these precautions can help lessen the impact.

T1489: Service Stop

    1. Description: This technique involves the stopping of critical services (e.g., anti-virus, backup).
    2. Detection: Monitor processes and command-line arguments. Review edits to services, the Registry, and the service binary path.
    3. Mitigation: Restrict the file/directory and Registry permissions. Limit privileges for user accounts with respect to changing service configurations.
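The T1486 detection above ("large quantities of file modifications" on centralized file storage) as an added example, not part of the page or of ATT&CK: a sliding-window analytic over file-server audit events that alerts when one account touches many distinct files, or renames many files to a new extension, within a short window. The event fields, thresholds, the allowlisted backup account, and the sample audit log are constructed for this illustration; tune the thresholds against your own baseline before deploying.

```python
"""Added example (not from the page or ATT&CK): a sliding-window analytic for
T1486 Data Encrypted for Impact over file-server audit events. Event fields,
thresholds, allowlist and sample data are all constructed for illustration."""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, FrozenSet, Iterable, List, Tuple

WINDOW = timedelta(seconds=60)
DISTINCT_FILE_THRESHOLD = 50      # distinct files touched by one account within WINDOW
EXTENSION_CHANGE_THRESHOLD = 20   # renames that change the file extension within WINDOW
# Accounts allowed to touch many files quickly; assumed name, from the Preparation phase.
ALLOWLISTED_ACCOUNTS: FrozenSet[str] = frozenset({"svc_backup"})


def extension_changed(path: str, new_path: str) -> bool:
    """True when a rename swaps the extension, e.g. report.docx -> report.docx.locked."""
    return os.path.splitext(path)[1].lower() != os.path.splitext(new_path)[1].lower()


def detect_mass_modification(events: Iterable[dict],
                             allowlist: FrozenSet[str] = ALLOWLISTED_ACCOUNTS) -> List[dict]:
    """events: time-ordered dicts with keys ts, user, op ('write' or 'rename'),
    path and, for renames, new_path. Returns at most one alert per account."""
    history: Dict[str, Deque[Tuple[datetime, str, bool]]] = defaultdict(deque)
    alerts: List[dict] = []
    alerted = set()
    for ev in events:
        user = ev["user"]
        if user in allowlist or user in alerted:
            continue
        changed = ev["op"] == "rename" and extension_changed(ev["path"], ev["new_path"])
        recent = history[user]
        recent.append((ev["ts"], ev["path"], changed))
        while recent and ev["ts"] - recent[0][0] > WINDOW:
            recent.popleft()   # drop entries that fell out of the sliding window
        distinct_files = len({p for _, p, _ in recent})
        ext_changes = sum(1 for _, _, c in recent if c)
        if distinct_files >= DISTINCT_FILE_THRESHOLD or ext_changes >= EXTENSION_CHANGE_THRESHOLD:
            alerted.add(user)
            alerts.append({
                "technique": "T1486",
                "user": user,
                "first_seen": recent[0][0],
                "last_seen": ev["ts"],
                "distinct_files": distinct_files,
                "extension_changes": ext_changes,
                "sample_path": ev.get("new_path", ev["path"]),
            })
    return alerts


def constructed_events() -> List[dict]:
    """Constructed file-server audit log: a backup account doing legitimate bulk
    work, a user editing a few files, and one account renaming files in bulk."""
    t0 = datetime(2021, 1, 19, 8, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(500):  # backup job, 500 files in 50 seconds
        events.append({"ts": t0 + timedelta(milliseconds=100 * i), "user": "svc_backup",
                       "op": "write", "path": f"\\\\fs01\\share\\backup\\file{i}.bak"})
    for i in range(5):    # normal user activity
        events.append({"ts": t0 + timedelta(seconds=10 * i), "user": "asmith",
                       "op": "write", "path": f"\\\\fs01\\share\\finance\\q{i}.xlsx"})
    for i in range(60):   # ransomware-style rename burst, 60 files in 30 seconds
        events.append({"ts": t0 + timedelta(milliseconds=500 * i), "user": "jdoe", "op": "rename",
                       "path": f"\\\\fs01\\share\\clinical\\note{i}.docx",
                       "new_path": f"\\\\fs01\\share\\clinical\\note{i}.docx.locked"})
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for alert in detect_mass_modification(constructed_events()):
        print(alert)
```

Run against the constructed log, the analytic fires once, for the renaming account, about ten seconds into the burst; the backup account touches ten times as many files but is suppressed by the allowlist. Running it with an empty allowlist fires on the backup account first, which is the reason the Preparation phase's allowlists matter: without them a rate-based analytic like this one is dominated by backup, indexing and antivirus service accounts.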

Ransomware Software in ATT&CK

Ransomware Campaigns

The ATT&CK Navigator image, below, highlights the techniques in ATT&CK associated with ransomware software, groups that use ransomware, or both according to the legend. Click the image to open ATT&CK Navigator in a new browser window. For a tutorial on how to use the navigator, click on the ? in the upper right corner. To see details, right click on the technique for a menu of options, and select “view technique” or “view tactic”.

LEGEND:

  • Gray: Software
  • Groups
  • Campaigns
  • Green: All 3 (Software, Groups, Campaigns)
  • Orange: Groups & Software
  • Blue: Campaigns & Software
  • Red: Campaigns & Groups

Ransomware Activity Heat Map

The following ATT&CK Navigator image presents techniques that have been leveraged by ransomware threat groups in roughly the last year and a half, based on open-source reporting not limited to ATT&CK. Darker shades represent techniques that have been observed more frequently. Techniques leveraged in the last few months, or those that are present only in third-party software, may not be reflected here. Click image to open Ransomware Activity Heatmap in a new browser window.

LEGEND: (heat map legend image) Click to view Heatmap.

ATTACK FLOW

Attack Flow is a language for describing how cyber adversaries combine and sequence various offensive techniques to achieve their goals. Attack Flows help defenders and leaders understand how adversaries operate and improve their own defensive posture. This project is created and maintained by the MITRE Engenuity Center for Threat-Informed Defense in furtherance of its mission to advance the state of the art and the state of the practice in threat-informed defense globally. An example of an Attack Flow is shown below in the REvil Attack Flow.

REvil Attack Flow

January 16, 2021
How to Protect Your Networks from Ransomware

“This document is a U.S. Government interagency technical guidance document aimed to inform Chief Information Officers and Chief Information Security Officers at critical infrastructure entities, including small, medium, and large organizations. This document provides an aggregate of already existing Federal government and private industry best practices and mitigation strategies focused on the prevention and response to ransomware incidents.”*

Download PDF from www.fbi.gov


*Excerpt taken from www.fbi.gov.

January 16, 2021
Protecting Against Ransomware

Security Tip (ST19-001).

“Ransomware is a type of malware threat actors use to infect computers and encrypt computer files until a ransom is paid. (See Protecting Against Malicious Code for more information on malware.) After the initial infection, ransomware will attempt to spread to connected systems, including shared storage drives and other accessible computers.”


“If the threat actor’s ransom demands are not met (i.e., if the victim does not pay the ransom), the files or encrypted data will usually remain encrypted and unavailable to the victim. Even after a ransom has been paid to unlock encrypted files, threat actors will sometimes demand additional payments, delete a victim’s data, refuse to decrypt the data, or decline to provide a working decryption key to restore the victim’s access. The Federal Government does not support paying ransomware demands. (See the FBI’s ransomware article.)”

Visit CISA site for more info on Security Tip (ST19-001).

*Excerpt taken from us-cert.cisa.gov

January 15, 2021
Ransomware Activity Targeting the Healthcare and Public Health Sector

Alert (AA20-302A)

“This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.”


“CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”

Read full article, or download PDF version of this article, on the CISA site.

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.


*Excerpt taken from us-cert.cisa.gov

January 15, 2021
How to Address the Threat of Ransomware Attacks

Watch educational video* on:

  • What is ransomware
  • How it works
  • What are the signs of infections
  • What can you do
  • Case studies
  • More info

*Video located on dhsconnect.connectsolutions.com. Source found at www.cisa.gov.

January 15, 2021
Security Primer – Ransomware

“The MS-ISAC in 2019 observed a 153% increase in the number of reported SLTT government ransomware attacks from the previous year. Many of these incidents resulted in significant network downtime, delayed services to constituents, and costly remediation efforts. The MS-ISAC largely attributes this increase to Ryuk ransomware infections and compromises affecting Managed Service Providers (MSP) that service SLTT governments. Not only are victims at risk of losing access to their systems and files, but they may also experience financial loss due to legal costs, purchasing credit monitoring services for employees/customers, or ultimately deciding to pay the ransom. The effects of a ransomware attack are particularly catastrophic when they impact emergency services and critical infrastructure, such as 911 call centers and hospitals.”*

Read more information and download PDF on the CIS site.


*Excerpt from www.cisecurity.org.

January 15, 2021
Ransomware: Facts, Threats, and Countermeasures

“Ransomware is a type of malware that has become a significant threat to U.S. businesses and individuals during the past two years. Most of the current ransomware variants encrypt files on the infected system/network (crypto ransomware), although a few variants are known to erase files or block access to the system using other methods (locker ransomware). Once access to the system is blocked, the ransomware demands a ransom in order to unlock the files, frequently $200 – $3,000 in bitcoins, though other currencies and gift cards are occasionally reported. Ransomware variants almost always opportunistically target victims, infecting an array of devices from computers to smartphones.”*

Learn more facts, threats, and countermeasures on the CIS site.


*Excerpt from www.cisecurity.org

January 15, 2021
