In a recent report by the Department of Health and Human Services (HHS), several legitimate security tools have been identified as points of entry for cybercriminal activity. These tools, which include Cobalt Strike and Microsoft PowerShell, are commonly employed to support healthcare IT environments.
Use the following information to better understand this troubling trend and the steps your practice can take to remain truly protected. Contact a PEAKE Practice Advisor for a free consultation or schedule a Security Risk Assessment before the end of the year.
This trend is a response to existing antivirus and endpoint detection and response (EDR) tools. Since an illegitimate or black-market remote monitoring tool would likely be detected and blocked by endpoint protection software, attackers are instead finding ways to misuse the legitimate security and administrative tools already connected to target networks.
Many threat actors who specifically target the healthcare industry have been leveraging penetration testing tools and remote control of computers in elaborate ransomware strategies. Cobalt Strike, a popular tool that organizations often use to simulate a cyberattack, has been flagged in recent ransomware attacks. Code in pentesting tools like Cobalt Strike can be customized for nefarious purposes, including social engineering and email phishing scams.
What can your practice do about these new threats?
It is important to note that the HHS report does not recommend abandoning the use of these tools, but rather having their use, and the policies governing it, professionally evaluated.
The best way for healthcare business leaders to protect themselves is by having a firm grasp of what their IT environment looks like. It is imperative that someone in your organization maintains organized visibility into your IT systems and performance.
IT support organizations like PEAKE should provide the metrics and management options that give you confidence in your IT infrastructure and security, including internal tools and experts who can recognize when a monitoring, administrative, or remote-control tool behaves suspiciously. If commands from an unknown security tool show up, it could be evidence of a cyberattack, insider threat, or internal misuse. So, it stands to reason that the staff who monitor your IT systems need to be able to tell what is known from what is unknown.
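As an added illustration of the "known from unknown" point above (example code written for this page, not PEAKE's tooling or anything from the HHS report), here is a small check that compares process-execution records against an inventory of approved tools. The pipe-delimited log format, the approved-tool inventory, the host and account names, and the sample records are all constructed assumptions; a real practice would substitute its own inventory and its EDR's export format. Note that an approved tool such as PowerShell is only "known" when it runs from its expected location under an expected account, which is the distinction the paragraph asks monitoring staff to make.

```python
"""Known-vs-unknown tool check over constructed process-execution records.

Added example for this article; the log format, inventory and sample data are
assumptions made for illustration, not real PEAKE or HHS data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Approved-tool inventory (assumed for the example). Each executable name maps to
# the directories it is expected to run from and the accounts allowed to run it.
# Paths are stored lowercase so the comparison is case-insensitive.
APPROVED_TOOLS = {
    "powershell.exe": {
        "paths": {r"c:\windows\system32\windowspowershell\v1.0"},
        "users": {r"CORP\itadmin", r"NT AUTHORITY\SYSTEM"},
    },
    "rmm-agent.exe": {  # hypothetical vendor remote-monitoring agent
        "paths": {r"c:\program files\vendorrmm"},
        "users": {r"NT AUTHORITY\SYSTEM"},
    },
}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str      # full path of the executable that started
    cmdline: str


@dataset_placeholder = None  # (removed below)
```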
Schedule regular communication with your IT director or PEAKE Technical Account Manager. Include a discussion regarding the tools used on your network and tools used by any vendors that have access to your network. Communication and awareness are often our best defenses.