This Week Health

Don't forget to subscribe!

April 22, 2020: For this COVID-19 field report episode, we are joined by Ryan Kalember from Proofpoint where he is in charge of cybersecurity strategy. Ryan fills us in on the current landscape of cyber threats and what has changed during the pandemic and, interestingly, what has stayed the same. The coronavirus crisis has presented a huge opportunity for cybercriminals to exploit systems, using lures attached to all areas of the pandemic, however, as Ryan informs us, these lures use the same tactics with a different dressing. All of the ways in which phishing emails and attacks are conducted are the same as before this current period, it is the remote work model, overwork, and new systems that present refreshed opportunities for exploitation. In our conversation, we cover the range of ways bad actors are using these to their advantage and the trends in the cybersecurity space right now. Ryan takes us through the vulnerabilities that have become apparent during the last couple of months and shares some examples of how these can be taken advantage of. To finish off our chat, we look at the National Cyber Security Alliance and the focus of their work as well as how Ryan's position at Proofpoint fits into the larger picture of cybersecurity right now.

Key Points From This Episode:

  • The current landscape of cyber threats during the COVID-19 crisis.
  • Actors involved in COVID lures and the different levels we can identify.
  • The payloads and range of objectives that are present in these specific scams.
  • Variations on the same kind of attacks we would normally see before the crisis.
  • The impact of the 'work from home' model on company security.
  • Vulnerabilities of VDI environments and how attackers target VPNs.
  • Looking at the spread of these threats, industrially and geographically.
  • Examples of the emails that are received through regional attacks. 
  • Converting interest into an attack; the few steps it takes to gaining control of a system. 
  • Best practices for security, covering the technology and personal techniques.
  • Identifying the smallish number of people in an organization who might be at risk.
  • The work done by the National Cyber Security Alliance at present.
  • Ryan's role at Proofpoint as the head of cyber security strategy.
Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Welcome to this week in Health IT News, where we take a look at the news which will impact health it. This is another field report where we talk with leaders from health systems and organizations on the front lines. My name is Bill Russell Healthcare, CIO, coach and creator of this week in Health. It a set up podcasts, videos, and collaboration events dedicated to developing the next generation of health leaders.

Are you ready for this? We're going to do something a little different for our Tuesday Newsday show. Next week we're gonna go live at noon Eastern 9:00 AM Pacific. We will be live on our YouTube channel with myself, Drexel Ford Sus Shade. And David Munch with Starbridge Advisors to discuss the new normal for health.

It, uh, with you supplying the questions with live chat. Also, you can send in your questions ahead of time at hello at this week in health it.com. Uh, I'm so excited to do this and I hope you'll join us. Mark your calendar. Noon Eastern 9:00 AM Pacific on April 28th. If you want to, uh, send the questions, feel free to do that.

Um, and uh, you can get to the show by going to this week, health.com/live. This episode and every episode since we started the Covid 19 series has been sponsored by Sirius Healthcare. Uh, they reached out to me to see how we might partner during this time, and that is how we've been able to support producing daily shows.

Special thanks to Sirius for supporting the show's efforts during the crisis now onto today's show. All right. Today's conversation is with Ryan Columber, the EVP of uh, EVP Cybersecurity Strategy at Proofpoint and board member of the National Cybersecurity Alliance. Good afternoon, Ryan, and welcome to the show.

Great to be here. Thanks for having me, bill. Well, thanks for taking a few minutes to meet with me today. I, I saw a presentation that you did with a, uh, a partner of yours a couple weeks ago, and I thought that is a phenomenal topic. You guys covered so well, and I wanted to really explore it with you. And it's, we're gonna, we're gonna talk fishing today.

Now, we might veer off that topic a little bit, but for the most part, uh, this, this covid just opened up the, uh, the opportunities for. So give us, let's just start with the basic question, which is, what does the threat landscape look like during a crisis like this, like a covid-19 crisis? Well, interestingly, a lot of it looks the same, but the social engineering component, as you correctly pointed out, looks a lot different.

Uh, I think the attackers just like. Marketers and public health officials and other people who are doing any sort of communicating today, uh, have realized that there's really only one topic that matters on planet Earth right now, which is Covid 19. Uh, and it is perhaps the most clickable lure that we have ever seen.

I don't think we can point to a single event in the history of either my involvement in cybersecurity, which goes back 20 years, or any of our threat researchers, where we can remember every single type of actor jumping on one lure bandwagon at exactly, uh, the same time, which is what we've seen happen basically since January.

Wow. Are, are the actors different or, I mean, it's the same set of actors. What, what are some of those actors? Sure. Uh, so there's really kind of a pyramid, right? And there's the nation state actors at the very top, uh, who tend to be the more sophisticated ones. We've seen actors from China, India, Pakistan, couple other places use Covid lures at this.

Then there's the sort of more targeted attackers that are going after maybe one organization, maybe a smaller set of organizations. We've seen them use covid lures. And then there's these scaled cybercrime actors that we can identify, uh, because they have their own infrastructure that's big enough. Uh, the most prolific actor that we track is one known as threat actor, 5 4, 2.

Uh, the very famous malware they use is called EMO test. Uh, E-M-O-T-E-T. Uh, and they were actually the first ones, uh, really doing this at scale. Going all the way back to late January. They started to attack Japanese organizations with lures referencing disruptions to supply chains in China. Uh, since then, much larger scaled cyber crime actors have all gotten on the bandwagon and even the least sophisticated threat actors of all, um, to do.

What we would call business email compromise, really simple spoofed messages. Saying something. I can remember one that was basically, I'm stuck downtown. Uh, four people have tested positive around me, so, uh, I'm gonna need to move some things around. Please get in touch. ASAP. Uh, so really Covid 19 is a wonderfully flexible lure for really any kind of cyber crime actor.

Wow. So what are the, what are the payloads. They're trying to deliver through this stuff. At this point, it's been hundreds of thousands of malicious payloads. Actually, we're probably into the millions I should check. Uh, but uh, really it's been about 70% malware. That is malicious software designed to compromise some aspect of your computer.

Uh, a lot of those have been remote access Trojans, a lot of them. Been key loggers, what we call information Steelers. Uh, some of them have had, uh, what we call downloader functionality, meaning it's one piece of malware, but it can become something else later. And oftentimes the actors can sell that access with people working away from corporate networks and good defenses for the first time in a long time, uh, those downloaders become more valuable.

Uh, and uh, the other 30% really is just credential phishing, trying to steal your password or login details. Some of that has gone after a multifactor authentication scheme. Not a lot of it has. Uh, and then there's of course the small volume stuff that has no payload at all, and it's just trying to get you to engage in a conversation.

So are, are we seeing any new sophisticated attacks or is it just variations on, uh, on old attacks that we've seen? It's much more the latter. There's nothing new under the sun when it comes to tradecraft, uh, because there doesn't have to be really, most of the cyber threat landscape at this point relies on human activation, right?

It's macros and word documents. It's sending PowerShell objects inside other documents. It's just sending people code and asking them to run it. That is a much more successful approach right now than the incredible time and effort it takes to find a vulnerability that no one's found before or maybe multiple different vulnerabilities in order to get them to some, uh, to do something useful in a modern browser or an operating system.

Really, that's out of the scope of pretty much all but the Apex actors. So if you are, we're all clicking on stuff. They don't need to do anything different from a technical standpoint. So you're saying I'm the weak link, is that what you're telling me? Carbon, silicon based risk. That's absolutely true. The vulnerability between the, and the, so how, how has, uh, has work from home?

Uh, you talked about people away from their, their normal work environment. Has that changed? Uh, things made it harder to secure the environment or anything to that effect. It certainly has an impact. One of the things that does change is your own behavior, right? People are not really enforcing the social norms that you might have in an office environment.

Uh, that transaction where you might have walked down the hall to validate with the finance department before sending that wire, that's not happening when everyone's working from home. Uh, and there are some technical controls that are probably not in place. You might be working from a device that you've never worked from before.

Might be a home computer that hasn't been patched in a while. Uh, you might have a wifi network that you've never changed the default password on. Uh, there are all kinds of risks that factor in from that perspective, that have been mitigated by some things that, uh, organizations have been able to put in place, but not necessarily.

A lot of them. So when you remove a user from the traditional secure environment, you're basically putting a lot of controls, uh, out of the equation, and you're focusing on two main controls. One is the ways in which that, uh, employee communicates, which might be directly to cloud services, and never go through any network you control or see it all.

Uh, and of course, that user's endpoint, whatever happens to be well that've. Healthcare CIOs, uh, interviews over the last, um, about 40 days or so, and a lot of 'em sent people home and one of the things that happened was they ran out of equipment. Yeah. So for the first time, they weren't working off of work equipment, they were putting 'em at home, so they were trying to create layers of abstraction.

They were, they're trying to, you know, virtualize the whole environment and.

And they were utilizing cloud environments much more so than they before. Does this.

Help at all. I mean, but because phishing attacks, it's, it's coming through email. Right? It's, it's just continually coming that way. When they compromise, they're not gonna compromise the VDI environment. And if they do, who cares? You could just, you could wipe out that VDI I environment. Yeah. But, but they, they could compromise the, the home computer.

Does that create a, a, a problem? Sure. Because that home computer's now talking to the systems that that person needs to work. Those could be cloud systems, there could be cloud applications. They could be EMR applications. Uh, that same exposure happens when that, uh, home computer has access to systems and data that you care about.

So ultimately, the, the hot approach is obviously to try and go through to what we call zero trust, which is a very old idea that has, uh, acquired some new momentum where really the idea is that your perimeter is not a network perimeter. Your perimeter is everywhere you make an access. Decision. So frankly, the corporate network, the, uh, the network that you own and maintain should always have been treated like it was a home wifi network that you didn't trust.

So in a lot of cases, CIOs and CISOs have been able to make some progress towards that model because they simply have to, now you have no network trust in the equation. Um, that said. The risk is still there from a phishing attack. You're right that the risk is mitigated when you're using things like virtual desktops because you can, of course burn them down.

Uh, when it comes to email though, it, it is pervasive. So if there's any kind of persistence in that session at all, or if there's a user using email from within a virtual desktop. In an environment that has access to to production systems, there is going to be exposure there. And you're not gonna have this traditional set of network security controls.

That means your email security controls matter a lot more and your endpoint security controls matter in the case of home equipment. Yeah, and I think one of the, one of the concerns that, I just wanna point this out and in the VDI environment, I think people think, well, environment, it's patching. As anything out go into environment.

And start capturing all sorts of stuff. Oh, absolutely. Well, particularly, and particularly as there are so many vulnerable VPNs out there right now. Uh, and we have seen attackers, uh, leverage the vulnerabilities in Pulse secure in Palo Alto devices, in Fortinet devices, which are very widespread in healthcare, in order to compromise entire environments.

Uh, and those, a lot of the, uh, patching, uh, should have gotten done months ago in those cases. And, uh, in the case of Citrix devices where you actually had app application delivery controllers themselves be vulnerable, you know, it's never quite as simple as these are VDIs, they're disposable. I don't have to worry about security anymore.

You make an excellent point on just how exposed you are if the broader environment gets compromised, which again is, uh, something that threat actor has a lot more options on with people working from home. Yeah. Uh, all right, we'll get back to, we'll get back to . This is what happens when I get going on this.

So, um, where have the campaigns been targeting? Are, are, are, I mean, we're talking about healthcare, but is it pretty broad here? Is it all the industries? Is it, is it all geographies at this point? It is pretty global. Uh, we've seen, again, the campaign start in Asia where the pandemic started. Uh, we've seen a lot of European targeting Canada, Australia.

No one's really been immune to this. Uh, the lions share has, of course, been in the US as that's the, usually the lion's share of targeting Anyway. Uh, and the, um, the healthcare industry certainly has not been spared. You know, there was of course that chatter around the ransomware actors not hitting healthcare in, in the short term.

That doesn't appear to have panned out. Uh, certainly there are a couple of ransomware infections that people are dealing with right now in healthcare and healthcare adjacent organizations, but really the, uh, campaigns themselves are of every imaginable flavor. In healthcare specifically, we have seen quite a lot of BEC style campaigns and we've seen lures that purport to come from the CDC, the WHO, uh, recognized national and international, and sometimes even local or state authorities, uh, that are in charge of promulgating information around the pandemic, which of course in a healthcare organization is going to have an even higher click rate than your generic covid 19 lower, which is already gonna have an incredibly high click rate.

Yeah. All right, so let, let's dive into some of those. 'cause in your presentation, uh, you, you.

I thought that was pretty telling. So you had regional risk, fear and safety, economic risk, covid, cure, uh, were just some of the different things. Uh, give us, give us some examples or give us an example on each one of these. So when you were talking about regional risk, what kind of, what kind of email would people be looking at?

In the regional risk category, you're looking for things that are basically like, well, we have PPE coming in from China. Uh, so there's gonna be some regional tie to the lure and there might be even regional ties to targeting. So for example, we saw a lot of campaigns in Italy, uh, attacking healthcare organizations and other organizations that were all around the procurement of of PPE.

Personal protective equipment, uh, those very often have a regional flavor. They're, they're very convincing. They're often pretty specific. Uh, there are some others that are even hyper regional, meaning, you know, they're, um, that, uh, almost a single office location is involved in that, and that, that transitions a little bit into the fear and safety ones.

Basically, our colleague has tested positive. Click here for the details of how we're gonna contact rac, sort of. All too imaginable for, uh, uh, most of us who work in office environments, uh, on a normal basis. Uh, those have tailed off a little bit as, as people have been working from home for longer. But if you had the sort of morbid curiosity about which of your coworkers tested positive for covid 19, that would be an excellent lure to get people to click on.

That third category around the economic side has really ramped up over the last week or so. Certainly as the stimulus payments have started to hit in the us. Um, it is a really fishable looking website. It's, um, free file fillable forms.com. I'm not making up that URL, that is the actual one you get to if you go to the IRS and you're making a change to your direct deposit information.

Uh, and, uh, lures around even private banks doing things for their customers around covid 19 have been circulating for a while and are clearly pretty effective. We're seeing, given that it's what's everybody's mind right now, are. What are the procedures for when we go back? Uh, and all of that really tracks to, of course, the headlines that we see and threat actors are wonderfully skilled at adapting those things into phishing lures.

I don't, so you sent me an email that says, because that is the conversation right now. How do we step outta this and what is the new normal? How do we get to the next, the next phase? So obviously a lot of interest in that topic. So how do you turn that interest into a, into an attack? Well, maybe I'll put together a Word document that is going to be on all our office locations.

Here's the new policies and procedures and the dates, and here's a calendar for when we go back. And I'm not gonna put anything about that in the, the message body, 'cause I want you to click on that attachment. You're gonna open it, maybe it asks you to enable content that a little yellow bar at the top of the document.

You click that you've just run my code and I own your box. It's that simple. Uh, and that is a simplified example, but there are many, many, many permutations of that, uh, in the wild right now. All right, so we, I think every time I hear one of these pre presentations, you've appropriately scared the heck out of me,

So it, it becomes a question of, you know, what are, what are some of the best practices? I mean, it's, it's people. It's people who are clicking on these things. People are. But let's talk about it from two aspects. One is, I am, I am it. I know I need to do training. I need, I know I need to create awareness. I know I need to continue to, to, to do that.

That whole training aspect. Talk first about the technology side. What are some things we absolutely need in place? And then, and then obviously you're gonna hit on what, what do we need to make people aware of? Sure. So there's two really simple things that are very, very effective technical controls. One, as I mentioned, none of this tradecraft is new.

So if you have good controls on the email vector, you're safe from a huge percentage of this. Uh, and you're not putting the burden on stressed out employees who are of course working from home and maybe not in the mental state they might normally be in. Compelling.

Wanna enforce control, especially if started. Is on what those logins look like. If you can actually do some form of adaptive access control, figure out does this device look healthy enough to connect to my cloud resources? Even if it's something as simple as your office 365 accounts, which, uh, a threat has a lot of use for actually, that's gonna be very valuable.

It's simple and fast to configure. You can set it up with, uh, conditional access within the Microsoft Suite. There's all kinds of vendors like us that can help them actually, uh, deliver additional functionality on top of that and compromised account detection, which is really going to be, uh, the new perimeter for a lot of healthcare organizations right now.

But this is where the hope comes in, right? The. Likelihood that the majority of your organization is being targeted by these campaigns is actually quite low. They are reasonably targeted overall. It's not like we're dealing with tidal wave like volumes. In fact, the volumes in the overall email threat landscape are down from January to today.

Um, that's because a lot of the actors are doing something different. They're off selling the access that they got for many, many months prior to that. So with that, you have an opportunity to understand which small subset of your population is at risk. Now, the easiest way to start there is to figure out who gets interesting attacks, and that's not everybody.

You know, we've actually started scoring threats differently based on, you know, is the low really good? Is the attack sophisticated? Is this targeted? Is this targeted solely at healthcare as a, as a vertical? Uh, and when you can identify the small set of people in your organization, in the typical healthcare organization, it's, you know, even if you have tens of thousands of people, it's usually about a hundred that are getting interesting attacks.

You can identify which people you really do need to protect a little bit better. The second side of. Awareness training is fantastic. You wanna get those click rates low, but you have to also do that with the assumption that it's very, very difficult to get somebody in 2020 having been through everything that we've all been through, especially on the healthcare side, to not click on 100% of the things that might reach their inbox.

So there are other technical tools like browser isolation for those malicious links, which can be really, really effective in making sure that even if you do have a click, you don't have a breach on your hands. So take me back to. You introduced me to a, uh, a new concept perimeter and Office 365. We're.

And it's going to determine if I am a, a, as a, as a computer or as a person, a vulnerable actor, um, of some kind GI help. Give me a little bit more detail on that. Well, I mean, if you think about it from the perspective of what security companies and of course, Microsoft are trying to do. We're trying to figure out when you log in, whether you are who you say you are, and there's obviously very simple ways to do that.

Just check your password and there is some more science that of course you can apply to that. Uh, at any given point in time. Microsoft's own stat is that one half of 1% of all of Office 365 accounts are compromised in a given month. That means. Millions and millions of compromised accounts. And that's mostly because people reuse the same passwords over and over again, or they use really common passwords, spring 2020 exclamation point, that kind of thing.

So they're vulnerable to password replay and password spraying attacks. Uh, but that said. When I can identify that you're coming from a new computer that you've never used before to access our Office 365 tenant, that's a risk factor. Maybe in that case, I should ask you for multifactor authentication or some other form of proof that you are who you say you are.

There's lots of different ways to do that. It's always something that you wanna do in a way that's culturally appropriate for the organization, but it's a very, very rapid to deploy control. And when you have so many people going direct to cloud from home office, uh, the old, uh, chestnut information securities, that identity is the new perimeter.

You can also say people are the new perimeter, depending on how you choose to phrase it, but really that's what you're protecting now. Uh, and cloud actually gives you some very powerful ways to do that. So Ryan, give us, uh, national Cybersecurity Alliance. What, what is, what is the National Cybersecurity Alliance do?

Uh, so it's the longest tenured and probably best known organization that's just trying to raise awareness of cybersecurity and cybersecurity best practices amongst the general public. So, uh, you might know October is Cybersecurity Awareness Month. That was sort of the flagship product of the NCSA. And so what we're really trying to do there is get good guidance in the hands of all of the people who need it to raise the overall resilience of society against cybercrime.

Uh, cybercrime is now a top 10 global economy, no matter how you measure it. And so certainly that work has never been more important. That's, that's, that's an amazing statistic. Uh, so you're the, uh, you're in charge of cybersecurity strategy for Proofpoint. Give us an idea of what that role, what, what you do in that role.

I probably should have started with this. I'm gonna finish it. Sure, no problem. Uh, so my day is basically about making sure that our set of products, which, uh, are people-centric security products conveniently for this discussion, uh, are doing what they say they're supposed to be doing right now, meaning stopping all that covid phishing, helping people respond to it quickly, and then actually even going beyond that.

Uh, really we, we, we have a three part product portfolio. One, protect people from the attacks that target them. Two, make people more aware and more resilient so that they can better protect themselves and their organizations. And then, three, protect the data and systems that those people have access to.

Uh. If we're doing that right, uh, that certainly can lower the risk in this particular threat landscape and on into the future. Because right now we are living the future when it comes to a whole host of things, one of which is IT infrastructure. We, there's been more change to how we've deployed services, moved data.

Moved users in the last three months than probably the previous five years. And it is extraordinary to see, you know, how that is working out on a global scale. Uh, the last part of my job is of course, to advise CIOs and CISOs in terms of how to. Manage that change. And like you, I've had lots of conversations recently.

Everybody seems to be able to cram in more meetings via Zoom than they ever could in person when we were all traveling. Um, and uh, and it's great to see actually more of the world thinking about that human vulnerability because it really is the defining characteristic of the threat landscape, whether you're talking about.

Yeah, and I'll, I'll close with this, but you know, we're, we're on a Zoom call and I continue to use Zoom and they, the, the Zoom exploits have been, you know, widely touted and, and talked about, but it, it's a, it's an interesting example because they, they had the statistics of Zoom's usage through Covid 19, and it's, it's through the roof.

And I think at some point people just say ease of use. Trumps they, they read the security and they're like, yeah, you know, if somebody wants to drop in on this, on this call, so be it. And away we go. And, and that's generally a, that's, that's sort of a mindset that sort of permeates, isn't it? I think so. And also it zoom might not be appropriate if you're running a cabinet meeting.

If you're running a normal organization's, uh, you know, even telehealth, right? It, it might entirely be appropriate to that threat model. Uh, and certainly, you know, we're, we're avid users of Zoom. Uh, we keep, we keep a very, very close eye on the actual exploitability and utility of any of the vulnerabilities that are found.

And Zoom actually had had a bad one last year. We patch that quickly. Uh, and certainly had to get comfortable with team there and their, their, their processes. But you know, zoom is getting free pen tests from some of the best researchers on planet Earth right now. So it's gonna go some bumpy. Uh, times, but it'll come out.

On the end of it is probably the world's most secure video conferencing products because everyone on the world, in the, uh, in the world is really taking shots at it right now. So again, it's, as long as we can make it through this era, we'll probably come out better. Yeah, it's pretty amazing. Ryan, thanks for your time.

I really appreciate it. This is great conversation and I'm, I'm glad to be able to share it with our audience. My question's a pleasure, bill. That's all for this show. Special thanks to our channel sponsors, VMware Starbridge Advisors, Galen Healthcare. Health lyrics and pro talent advisors for choosing to invest in developing the next generation of health leaders.

If you wanna support the fastest growing podcast in the health IT space, the best way to do that is to share it with a peer. Send an email dmm, whatever you do. You can also follow us on social media. Uh, you know, subscribe to our YouTube channel. There's a lot of different ways you can support us, but sharing it with peers is the best.

Uh, please check back often as we'll be dropping many more shows, uh, until we flatten the curve across the country. Thanks for listening. That's all for now.

Contributors

Thank You to Our Show Sponsors

Our Shows

Today In Health IT with Bill Russell

Related Content

1 2 3 283
Healthcare Transformation Powered by Community

© Copyright 2024 Health Lyrics All rights reserved