
Value and Limitations of Vendor Telemetry and Reported Incidents

Threat statistics come from a variety of sources: reported incidents, vendor telemetry, internet traffic and dark web analysis. All have value, and all have limitations. 

Reported incidents form the basis of Verizon's Data Breach Investigations Report (DBIR) -- its limitation is that it cannot account for those incidents that contributors decline to report. Vendor telemetry reports on threats detected and blocked at the endpoint -- its limitation is that while it detects downloaders, it cannot account for the final download payload (because the attack has already been blocked).

These two limitations are amply illustrated in ransomware threats to the healthcare industry. For years, the media has reported healthcare as a major -- if not the primary -- target for ransomware. The postulated motive is that where lives may be put at risk, a hospital is likely to pay the ransom. DBIR 2019 statistics seem, at first glance, to confirm this hypothesis. 

Seventy percent of healthcare breaches are down to ransomware. Across all industry verticals (including healthcare) it accounts for just 24%. However, these figures need to be seen through two filters. Firstly, healthcare is required by HIPAA to report all ransomware infections while many other companies have no requirement to report ransomware. Secondly, we know from an earlier Sophos investigation that many ransoms are simply paid and not reported. So, while DBIR's healthcare figure is likely to be accurate, the 'all industry' figure is likely to be suppressed. The automatic assumption that healthcare is the primary target for ransomware becomes suspect.

If we now look at a new report (PDF) on healthcare from Malwarebytes, based on telemetry rather than reports, we find that ransomware hardly figures at all. Over the year, threats against the healthcare industry are dominated by the two trojans Emotet and Trickbot. But this doesn't mean that ransomware is no threat. Firstly, if ransomware succeeds, it hasn't been detected and blocked, and therefore doesn't appear in the telemetry. Secondly, if ransomware is the ultimate intent of Emotet and Trickbot, it is blocked before it is recognized and, again, doesn't appear in the telemetry.

The truth will lie somewhere between DBIR and Malwarebytes' telemetry. Ransomware is less targeted specifically against healthcare than suggested by the DBIR statistics, but is more of a threat than can be deduced by Malwarebytes' telemetry alone. Perhaps a reality check comes from Malwarebytes' list of targeted industries. Top is education, with manufacturing second. Healthcare comes a lowly seventh. 
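To make the two biases concrete, here is a toy model added for this page (it is not from the article, Verizon or Malwarebytes, and the incident counts are constructed, not real statistics): the same set of incidents is viewed three ways, as ground truth, as a reported-incidents dataset in the DBIR style, and as endpoint telemetry that only ever sees the stage it blocked.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Incident:
    industry: str
    intent: str       # the payload the attacker ultimately meant to run
    first_stage: str  # what an endpoint agent sees first (often a downloader)
    blocked: bool     # endpoint stopped the first stage, so the payload never ran
    reported: bool    # the victim disclosed the incident to an incident dataset

def share(counter, label):
    """Fraction of counted events carrying `label` (0.0 for an empty counter)."""
    total = sum(counter.values())
    return counter[label] / total if total else 0.0

def _pool(incidents, industry):
    return [i for i in incidents if industry in (None, i.industry)]

def ground_truth(incidents, industry=None):
    """What actually happened: every incident, labelled by final intent."""
    return Counter(i.intent for i in _pool(incidents, industry))

def reported_view(incidents, industry=None):
    """DBIR-style view: only disclosed incidents, but labelled by final intent."""
    return Counter(i.intent for i in _pool(incidents, industry) if i.reported)

def telemetry_view(incidents, industry=None):
    """Vendor-style view: only blocked detections, labelled by the stage seen."""
    return Counter(i.first_stage for i in _pool(incidents, industry) if i.blocked)

# Constructed sample. Both industries suffer the same true ransomware rate (7 of 10);
# healthcare reports everything (the HIPAA-style rule in this model), manufacturing
# quietly pays most ransoms and discloses only two of its seven ransomware cases.
SAMPLE = (
    [Incident("healthcare", "ransomware", "Emotet", True, True)] * 4
    + [Incident("healthcare", "ransomware", "ransomware", False, True)] * 3
    + [Incident("healthcare", "data_theft", "Trickbot", True, True)] * 3
    + [Incident("manufacturing", "ransomware", "Trickbot", True, False)] * 4
    + [Incident("manufacturing", "ransomware", "ransomware", False, True)] * 2
    + [Incident("manufacturing", "ransomware", "ransomware", False, False)] * 1
    + [Incident("manufacturing", "data_theft", "Trickbot", True, True)] * 3
)

if __name__ == "__main__":
    for name, view in (("truth", ground_truth), ("reported", reported_view),
                       ("telemetry", telemetry_view)):
        hc = share(view(SAMPLE, "healthcare"), "ransomware")
        everyone = share(view(SAMPLE), "ransomware")
        print(f"{name:9s} ransomware share: healthcare {hc:.2f}, all {everyone:.2f}")
```

The reported view leaves healthcare's share intact but drags the all-industry share below the truth, while the telemetry view shows no ransomware at all for healthcare: it counts the blocked Emotet and Trickbot stages and never sees the infections that succeeded.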

Ransomware will almost certainly be a primary motive for attacks against all of these industries (except, perhaps, education, which Malwarebytes describes as "a security nightmare that leaves many education networks full of adware, Trojans, and ransomware"). Both Verizon and Malwarebytes believe they see indications that attacks against manufacturing are increasing. "Manufacturing has also become a big target for attackers, as disruption of operations is almost as valuable to an attacker as being able to ransom important data. While other organizations may be able to recover from a cyberattack without losing much profit, manufacturing organizations can't afford to have their technology locked out, as it guarantees profit loss."

But Malwarebytes also believes that threats specifically against healthcare are increasing: "With an uptick in threat detections through the third quarter of 2019, we expect to see the medical industry climb this list into the next year." In fact, there has been an overall 60% increase in threat detections comparing all of 2018 to the first three-quarters of 2019. Most of this is down to Emotet and Trickbot, but more recently Malwarebytes has detected an increase in the use of exploits. Probably associated with the use of these exploits, the firm has also seen a limited but noticeable rise in ransomware detections in recent months -- more specifically WannaCry, which has always found a ready target in healthcare.

Adam Kujawa, the director of Malwarebytes Labs, is charged with making sense of the telemetry data. "We see some increase in the detection of exploits and backdoors," he told SecurityWeek. "They seem to be rising along with a rise in the Trickbot detections; that is, to push Trickbot." Detection of an exploit means that Malwarebytes has blocked that exploit from something like a Word document trying to launch a malicious app or downloader. "This could be related to Trickbot's attempts to spread itself through email, and it could also be because we see additional efforts to move laterally." 

Malwarebytes has also detected backdoor attempts increasing in the same timeframe. "I'm thinking that Trickbot is installing and attempting to move laterally," he continued, "and regardless whether it succeeds or not, it has been dropping backdoor malware to give an attacker remote access to the network through the malware rather than just giving commands to a bot. With Emotet and Trickbot, it's just a relationship between the actor and the malware waiting to be told what to do next. The installation of a back door makes more sense because it allows the attacker to have more freedom in exploring what's on the endpoints."

There are two primary motives for bad actors to attack healthcare: the black-market value of electronic health records (EHR), and the attraction of ransomware. There is no reason to believe that both motives aren't combined in a single attack, with Emotet first stealing data and then subsequently attempting to place ransomware, possibly by first dropping Trickbot and a backdoor.

Backdoors may be important for the theft of EHR. There is no standard method of storing this data across the healthcare industry, which makes it easier to find and exfiltrate via a backdoor rather than simply issuing remote commands to a trojan bot like Trickbot.

The attraction of stealing EHR data is simply down to the value it commands on the dark web. "In 2014," said Kujawa, "it was reported that EHR was being sold for $50, compared to $1 for a social security number. An entire database of EHR data," he continued, "would probably fetch around $500k on the dark web. It's what can be done with the stolen data that is important: criminals can create counterfeit documents, tax returns, fake IDs, birth certificates, licenses of various types, but also engage in thefts, frauds, file fake insurance claims, obtain prescription medications and more."

Having stolen the data, the temptation will be to drop ransomware to further monetize the attack -- and we know from the DBIR figures that ransomware accounts for 70% of successful healthcare breaches. The value of the EHR, the attraction of the ransomware motive, and the low, albeit improving, state of healthcare security make the industry an irresistible target for criminals. "The main problem, as elsewhere," said Kujawa, "is a lack of resources to watch everything. But healthcare institutions are often large organizations with servers and endpoints that have not been properly patched, creating the perfect storm for attackers. I suspect that over the next few months we may see some pretty serious healthcare breaches, including but not limited to ransomware."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.