May 18, 2022: What do hackers want from healthcare? Join us for a special episode: Reverse Engineering a Hacker's Approach. Guido Grillenmeier, Chief Technologist at Semperis, and Matt Sickles, Solutions Architect at Sirius Healthcare, walk us through Semperis Purple Knight, a free tool to help you find your most dangerous vulnerabilities. AD is typically a weak point for HC organizations. 90% of attacks exploit AD. It is very difficult to gain an understanding of where your AD is at risk. Purple Knight maps those indicators to the MITRE ATT&CK Framework and provides guidance on how to fix the issues. As hackers, what defenses do we have to be concerned about? What will cause us to choose a different target? If we are detected, will that just move our timeline up, or will we move on? How long do we need access to the compromised AD to know if we can get to our target hack? How much time do we need in the target system? And flipping back to the other side, what can a CIO do today to ensure their health system is ready for an attack on their Active Directory?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
Part of the challenge is that a lot of mistakes are made because of additional complexity, and that complexity opens doors for intruders to use against you, then enter and at some point reach domain dominance in your environment. That means the keys to the kingdom.
This is a Solution Showcase. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. You can subscribe wherever you listen to podcasts: Apple, Google, Spotify, Stitcher, Overcast, you name it, we are there. You can also go to thisweekhealth.com and subscribe there as well. And now onto our show.
All right, today we have a solution showcase and we're going to be talking cybersecurity, and specifically we're going to be talking hacking healthcare. And what we're going to try to do is reverse engineer a hacker's approach to getting into healthcare. And we have two great guests with us today. We have Guido Grillenmeier, Semperis Chief Technologist, and Matt Sickles, who I like to call a cybersecurity first responder; he's with CDW and is also an executive healthcare strategist for them.
Gentlemen, welcome to the. I always love these conversations. And the primary reason is because you guys have been on the front lines; you've been on the front lines immediately following an attack. You've been doing console commands and trying to help restore Active Directory and those kinds of things.
And I think it gives us a pretty good perspective. And if that wasn't enough, you're with Semperis. Semperis secures one of the largest hospital systems in the US and six of the world's top healthcare providers with regard to Active Directory and securing Active Directory.
So we're just gonna go at it and see what it looks like. And I've decided to flip the script a little bit. You guys aren't professional hackers per se, but you've seen it from the other side. So I'm going to try to get you to put that lens on: hacking healthcare, reverse engineering a hacker's approach.
So let's start with, as Stephen Covey always says, let's begin with the end in mind. When a hacker says, I'm going after a health system, or this specific health system, what do hackers want from healthcare? Matt, do you want to kick us off with that one?
Yeah. And Bill, great to talk with you again. And as you asked that question, it's very simple. Organized crime can sell a social security number or a credit card number for $1 to $100. A full health record is about a thousand dollars right now on the black market. So the economy of scale right there, that factor of how much money they get per record, that's an easy calculus to say it's all about the money. Yes, it is about disruption, but it is money.
A thousand bucks. Is it really my medical information or is it more my identity?
Well, think about it. With the medical information, you can file false health claims. You can get prescriptions, so you get that record, and now there is tangible value. Afterward you can start to have those medical claims, which then can process through. You might get a reimbursement, then you can get fake prescriptions. Those can be fulfilled. And that actually bolsters some of the illegal drug trade around.
So when they're going in, they're really looking for information. Has that been your experience as well, Guido? They're just after collecting information of some kind for the most part?
Oh, absolutely. I mean, as Matt already said, this is all about the money. The moral filter of not attacking the healthcare system, that's long gone. It used to be like that, that, hey, even hackers had some level of ethics and wanted to make sure that they don't disrupt the system where lives are at stake, but that's been long gone for quite a few years now. They're also going after healthcare systems because in the end, for them, it's making money. It's all about making money and selling data that they can steal out of your environment, be it healthcare, be it some other industry. And worst case, if they don't think that they can make enough money directly, it's all about going down the ransom route and trying to make you pay for something, and to increase that risk is even to destroy you. And that's of course where it becomes disruptive.
It's interesting. We have seen a number of health systems pay the ransom. And we saw the pipeline company. Is it going to the pipeline? Yeah. Yeah. They paid the ransom as well. And that's another cool drop of money that just, I mean, you don't even have to complete it.
You just sort of have to create enough chaos that somebody is saying, hey, if you can undo this chaos, we'll give you money. And then you don't even have to have that backend, a supply chain, if you will, of the data and selling the data and doing all that stuff; you could just shut it down there. Are cybersecurity actors specialists at this point? There are people that are just looking to do ransomware and people who are looking to do data exfiltration.
Happy to take that one, because absolutely. I mean, they're splitting up across the different expertise areas. Yeah. You basically have ransomware as a service, where you have one group taking their early part in a ransomware chain of events.
And you can picture it as three different types of phases: the ind phase, where you have to sort of try to get into the network of your target. Picture a hospital, the network of a hospital, where somebody will have maybe USB drive access. Although most of those endpoints are well-protected, somebody will have that access, and even through a USB port you can inject.
The most traditional ways are still phishing mails and some other malicious websites. But the point is, at one point you're in, and then that is the job done for those first guys. They might still implement the command and control systems for remote accessing into that network now, so that they can then hand over and sell that access.
To the highest bidder on the dark net, to basically say, hey, I've got this. Think about an Amazon order page: what's the industry, how can it be accessed? And then the next phase is to get to the data of each target. And that's the access that some other group purchases and then takes the next step. And that's then the final path that they take, to get to higher elevated privileges, to get to your data.
So I'm going to ask the question of what makes healthcare specifically vulnerable. Just something you just said is pretty interesting to me. So if right now I went out on the dark web and wanted to find access to a hospital, are you saying that I could actually start bidding on access to a hospital or several hospitals?
Unfortunately. Unfortunately, that's the case. I'm not on those platforms that I could give you statistics, thankfully. Let's say all the good guys are, and they're monitoring this. You even get credentials that are stolen and can purchase them. And big companies like Microsoft are buying stuff on the dark net to then understand what credentials are actually compromised, so that they can then help you to understand which of your people are compromised.
Yeah. And Matt, you're shaking your head. Yes, too. So you strongly agree with that.
Yeah. And one of the things you can go look at: the Department of Health and Human Services actually released a really good presentation, and the title of it is called Demystifying BlackMatter. And this was one of the variants and one of the organizations that came in; they were wrapped around Conti and Cobalt Strike Beacon.
So some of the standard approaches, but that paper actually details the job postings on the dark web, where it is applicable and where you are going to get value. So that's the type of information that we are seeing. Now we're seeing that specific information to see if it is healthcare, if it's corporate, and to stay away from healthcare or to go ahead and attach the attack vector to healthcare. So that's a reality of today. applications in:
Then we have. 25,000 employees was my health system. And with 25,000 employees, it just takes one, right? And you're in. So that was another one of the challenges, and then the other is we're being pushed for digital: hey, connect this, connect this, let's connect with consumers this way. Let's do IoT. Isn't this interesting, we could monitor devices from the home and whatnot. So it's like, hey, move fast, and secure it all while we go. I mean, did I capture it pretty well, how complex it is to secure this environment? Matt, what are your thoughts?
Yeah, you're building the airplane while you're flying it, right? You've already launched. You're already up in the air and then all the rules change. It literally becomes that rule of physics: that is a moving target. If we go back to a Willy Loman statement, why do you rob banks? Because that's where the money is, right? Why do you go after hospitals? It's a very small community, right, Bill? How many people do you know in the healthcare industry? All of them, right? Who the people are, and they rotate and they go around from organization to organization. So any of the deficiencies that a leader or an organization resource has from another hospital system is going to track with them.
That's another thing: people are now using the social engineering aspect, that vector of watching LinkedIn, seeing when they leave one health system and where they show up in another. And if it's post. You can pretty much assume that some of those behaviors are going to continue.
Allow me to add something on the statement that you made on the applications, so many applications. Well, those applications are also not modernized the way that they might need to be, with that many that you have. That means, especially in a healthcare environment, you have applications that require old versions of the operating system that you cannot get rid of. That means you're actually pulling away legacy. And that also means an IT risk, yeah, a security risk through older operating systems that you cannot secure the same way as newer ones. And that is another larger, let's say, risk for healthcare than maybe some other industries.
Yeah. I want to talk a little bit about Active Directory. It's interesting to me. So as the CIO, one of the things I was constantly pushed on was, hey, make it easier for people. Make it easier for them to access their system. They're moving very fast. They're seeing a lot of patients, especially within the acute care setting and whatnot; they're going from room to room and whatnot.
Hey, can you create a badging system? All right. So we have to tie that badging system into a common repository with credentials and security. And by the way, that badging system wasn't just to get them into Active Directory, but also got them into the EHR. It also got them into the PACS system.
I vaguely remember there were like 16; the standard set that the badge reader got them was access to about 16 systems. But the reason for that was we had to make their life easier. But in doing that, we aggregated the credentials into either Active Directory or some kind of directory. In our case, it happened to be Active Directory tied to Imprivata and some other stuff. And are we, in the process of doing that, doing a favor to the hackers? Are we making it easier for the hackers?
Absolutely. The answer is clearly yes. I mean, that's the challenge of centralization. There's a clear benefit for the end user to enter their passwords, not a different one, or entering it multiple times, to access the business applications that they need. Basically that whole single sign-on element has been a usability element for the user. But it's obviously contradictory to isolating different environments from each other for security purposes. You still do that today for specific, very sensitive systems: to either isolate completely, or at least you add a second factor before somebody can access that.
I'm very sure that's also the case in your environment. That's the way that you at least add, let's say, another level of assurance that the person that is trying to authenticate to get to certain data is actually able to do so. Of course, even those systems can sometimes be worked around; there's talk of fake tokens and all sorts of things out there, but the point is, it comes down to there is that classic conflict of usability and security.
Yeah. So with Active Directory and the centralization of identities, usability has gone up. I'm not going to say deliberately, like automatically, that that means security has totally been taken down, because people have a chance with Active Directory to still also secure it well. But by default, it's not that well secured. And that's sort of part of the challenge: that a lot of mistakes are made because of additional complexity, and that complexity opens doors for intruders to use against you, then enter and at some point reach domain dominance in your environment. That means the keys to the kingdom.
Yeah. So it's interesting. We did multifactor authentication for the first log-in of the day, but we didn't do that for every log-in of the day, because they're logging in 50, a hundred times a day. And so we had, I think, a timeout set at either four hours or six hours, I forget what it was, where they'd have to do multi-factor a second time.
But if we did that every time, they would've hunted me down and strung me up somewhere. So that would've been really hard. Matt, what's Microsoft's position on Active Directory now? What's the state of Active Directory right now? We put a lot of cards in this past. the easy button is. And since:
We're running legacy versions. Microsoft has done an increasingly good job of improving security, right? They've put in global security group management, they've done global security account management for service accounts, et cetera. All of these one-ups are really helping the industry. The problem is, when we have that legacy debt in the organization, we can't upgrade Active Directory to its native mode with all of the bells and whistles.
I think that Azure is going to really push that forward. There is this complacency with Active Directory. Nobody rebuilds it. Nobody starts from scratch. I have said, unpopular leader, multiple times in front of a healthcare: it's time to completely rearchitect and redesign your user experience for Active Directory.
That is something that we're saying out loud. It doesn't go over very well, but once we talk it through, they get it; they see the risk level. So Microsoft is probably in the top five of where security vendors want to head right now, with good communication, good security models. But no one is using.
So I want to go to you. There's still some deficiencies here, right? So this is a 22 year old platform. And as Matt really articulately put out there, we have many versions sort of intertwined here. We might be moving to Azure AD and Azure and whatnot, but we still have a fair amount of AD sort of sprinkled around the health system and whatnot. What are some of the deficiencies we're finding in these multimode environments?
I'd have to say that the majority of companies would try to keep the operating system of their domain controllers, which is where the Active Directory lives, fairly up-to-date if they can. And I wouldn't necessarily say that the majority are running very, very old operating systems, but yes, some still are. But just to add to the thought of where Microsoft is on that path: they clearly would like you to move away from Active Directory and put all your eggs in the Azure basket.
Yeah. That's where they want it. Azure is where the money is also for Microsoft, and they concentrate all new features on Azure. There are no updates in terms of security, in terms of features, in the so-called on-prem legacy Active Directory, like you said, the 22 year old AD, which has grown, like Matt already alluded to, to have new features and some security additions by.
I mean, even if people are on the right version of the operating system, they're not necessarily using all those new security features; they might not be aware of them. There's a lack of training because it's been deployed some 15, 20, maybe even 20 years ago or whatnot in an environment, it's running, let's not touch it.
That hasn't changed the security model, even if there are improvements that Microsoft has given the. It's never too late to increase that level of security in an environment today. So that's the thing that I want to pass along there, and even though Microsoft would want you to get away, it's not really a topic of not being able to get away from AD as a technology, it's your apps. It's the apps that you use there, where you have invested millions of dollars in development: .NET applications for running your healthcare systems. They do not authenticate natively into Azure AD. So you are bound to the on-premise for quite some time.
Let me ask you this. So it's interesting to me, the last security audit I did, we did social engineering, we did penetration testing and some other things. I remember the internal auditor that did the attack described for me what they did. And they got in with a run-of-the-mill nurse credential, right? So they got onto a platform with the run-of-the-mill nurse credential.
I'm like, I don't even think, like, they have access to this handful of things in the EHR. We have them sort of limited down, but they got the keys to the kingdom. I'm like, all right, well, how did you get to the keys to the kingdom? And then they described for me this escalation that they did until they had
essentially control of the domain. They're looking at all the accounts; they're doing just about everything they wanted to do. Now, don't beat me up too bad. This was almost eight years ago, and we didn't, yeah, we didn't know what we know today. It's spot on, but that's it, they got in with a nurse credential.
So that sort of changes the dynamic: they can get in with anything, and then they sort of escalated from there. I'll tell you how they did do it. They got into one of our remote environments, they broke out of the shell that it operated in, and then they had access to the root.
And then they started going around there, and because it was a four system, it really got them in pretty far into our system, which is something that we thought was just a nice way for the nurses to access the system when they were at home. It was really, that specific one was really eye-opening to me, the different things that people do.
And so what I want to talk to you about is: you've targeted a health system, you get in there. What approaches? I just described one; are there other approaches that have been successful in terms of people penetrating in and getting access to these health systems?
Here's how I would do it. Very first, you described grabbing the lowest credential that you can, the least-permission user. Well, fortunately, that same user can add a computer to the domain, very easily. That's one of the nice things about running Purple Knight, getting that report. That's one of the very first things that you get to see out of the Semperis tool: it actually can tell you how many computers a mere mortal user can add to the domain.
Well, once you add a computer to the domain and it has the proper naming convention, now you're flying under the wire and you can do a lot more, because you're on an authenticated domain-joined computer with just standard permissions. Now you start to run some of your standard toolkits that are available on distributions like Kali Linux, that have those applicable toolsets that are nothing more than scripts that anyone can.
You now can start to harvest some of those elevated permission credentials. You start to watch some of those critical path systems, and that means elevation of permission. So this is still happening today, and this is the primary target. And that's the ease of some of the Microsoft Active Directory implementation of Kerberos for its security model.
And then some of those other elements. So Guido, I don't know if you're seeing anything different, but that's the modes I'm seeing with most of the.
Well, that's spot on. The point is, and you nicely said it, it's the lowest-privileged user, the nurse, any other non-administrative user. Like, any user in your Active Directory is a so-called authenticated user, and those default permissions on the authenticated user, meaning everyone in your AD, can read a ton of information out of AD. Now, that can be stripped down. Hardly anybody does that, but it could be stripped down, so that that user then doesn't know who is an administrator, doesn't know who the members of the domain admins group are. Now, those are tightening mechanisms that are, of course, done in a well-secured Active Directory.
Many don't do that because they fear managing or changing permissions. And because that's the. That's what hackers find in most environments. And then they can easily find that path on how I actually progress, either laterally or vertically, to at some point get access to a privileged account. That could be a domain admin directly.
Especially if they don't tier it up nicely: who can actually manage end-user workstations, servers and domain controllers, that should not be the same account. But it could also be using other weaknesses, like service accounts that are privileged and have a so-called service principal name attached to them, that can be extracted easily with those tools on that Kali system that might be added into the environment in many cases.
But it has been heard of, I'm sure, by many. It's like a huge toolbox of its own to help you get and extract stuff out of AD to elevate, to vertically
Guido, I want to come back to you, and I want you to tell us a little bit about. So again, I'm fairly familiar with the Microsoft toolset, a lot of command-line stuff, a lot of different tools scattered here and there and that kind of stuff.
That's been my sort of experience with it. Semperis really brings a nice interface to this: a nice, easy-to-run tool, a nice way to back all this up, in case you are breached in some way, shape or form. Talk a little bit about Semperis, your entry into the security market, what areas you guys really focus in on and how you prepare health systems for these kinds of attacks.
Yeah. Thanks, Bill. That's actually exactly our specialty area. It is protecting a company's identities. We are working with a focus on Microsoft technologies, both the on-prem Active Directory, like we mentioned, a little bit legacy from a technology perspective, but by no means away from a necessity perspective. So people and companies will need this for many years to come. But of course we also offer protection against Azure AD, because Azure AD is that next target, either when you're attacked on-prem and you do have an Azure presence.
That might be less, let's say, prevalent in the healthcare environment than other industries, because maybe compliance hinders you from actually going to the cloud, but one way or another, it's all about people. Lovely. I love the statement from Bruce Schneier, an expert in cyber technology and computer security from Harvard University.
He basically says amateurs hack systems and professionals hack people. Yeah. It is your people, your identities, that the hackers are going after. And it's our job to ensure that the identity system, Active Directory, is monitored, it's audited continuously. We search, we warn about indicators of exposure.
That means weaknesses that your AD has that need to be fixed. Yeah, we see any change and can auto-undo malicious changes that an attacker might be doing in the middle of elevating their privileges, and give you immediate warning so that you can act upon it. And if push comes to shove, let's be clear.
There, no product can give you a hundred percent security. We're not here to promise that either. We're lowering your vulnerability out there, but you might still be attacked. Malware, ransomware can encrypt all systems, and then it's all about speed getting back up, back to normal operations. And so we've also specialized in that mode, to get customers back as quickly as possible, because if your forest is gone, your Active Directory,
even the nurses that might need to have access to some patient records, nobody can log on in the environment to actually get to the data that they need to do their job. And so it's your job as an IT admin to ensure that the system, the identity system, comes back first. If that's not back, no other apps will be accessible either.
Yeah. So that's our focus: to make sure that AD is secure and can be recovered quickly. And we warn you about the vulnerabilities on that, and Azure AD as well.
Matt, I want you to compare and contrast an attack on a system that had Semperis in place with a system where you have to sort of bring them in after the fact. What does the difference look like?
Yeah. So one of the key elements here: we lost the standard maintenance on an Active Directory controller of getting into directory services restore mode and then taking a backup. We lost that art. We went to backup solutions, and we were hoping that the backup solutions were going to be able to hit.
In an environment that does not have a Semperis implementation, or has not run the Semperis Purple Knight tool, you are blind to absolutely everything that will occur during a breach event. It's not may occur, it's will occur. They're going to go through the treacherous 20. They're going to attack the commonalities, and you're unprepared for that.
You have no visibility, and it's going to be the surprise factor of it. You just won't know until you get that. Secondarily, if you have Semperis, even running the Purple Knight tool in preparedness, and then if you have the full product on-prem, that right there is a much better experience. Active Directory, as Guido said, is a tier zero application.
No systems can come back up. Think about the legacy applications that need LDAP to authenticate for that single sign-on; think of all of these systems that require DNS, DHCP to come online to access the EMR, EHR systems. So with Semperis, or putting the Purple Knight run-once community edition in as a first step, you're going to get that visibility.
You're going to get that scorecard, and that's going to prepare you. You're now going to know where some of the demons are in your environment, and you're not going to have that shock and awe on day zero of the event. The big bang day is not the day to find out you have deficiencies in your Active Directory, period.
What about recovery? Is recovery easier?
Yeah. So let's use the two archetypes that I mentioned: the Purple Knight tool, where you're just running the report. You're getting some of those best practices. That's going to lead you in a direction of improvements for backup, running Directory Services Restore Mode, et cetera.
So, check mark. But if you have the full product on-prem, it's literally a snapshot and replay methodology, as we've gotten so used to with the backup and storage systems. This is really an effective mode also of that replay: how did they get in, and what did they do along the way, with those snapshots?
That, in my opinion, is one of the biggest benefits to the ticker tape ability here. We're going to be able to recreate the event and potentially prevent it from happening a next time, because we all know most breaches are a one-two punch: a small breach, and then about three months later, the big bang event occurs. That's when they drop the payload and they go after the critical assets.
Fantastic. Guido, if it's possible, I'd love for you to take control of the screen and go ahead and give us a little preview of what Purple Knight would tell you.
Absolutely, happy to do that. And let me just share the screen here.
Let me also just add to what Matt just said, specifically the way that we back up Active Directory. He used this term snapshot, and that logic. The key thing is that we do not back up the operating system. Semperis' solution for the backup of Active Directory is basically to back up at the Active Directory data level, like an application level.
And that means we also don't take along malware; that's the key benefit that we have compared to your normal, let's say, operating-system-level backup system that also takes along the infections into your backup bin. So when you replay that, you potentially get an infected domain controller back. And with our solution, the recovery of your forest is fully automated, so less human error, but also on fresh systems; no malware comes along, so you're safe.
So, but before that, this is basically our free Purple Knight tool that we're looking at here. I literally just went onto the system and launched this executable. Somebody would have downloaded it and can execute it. Bill, I'm just an authenticated user here. Yeah. I've logged on to the system with just a user that is a normal user in the child domain of my forest.
And yes, I need to have specific permissions to run the scripts that the tool is using. That's all described in the user guide, but I don't even need to be a local admin. I definitely don't need to be an administrator in Active Directory to find weaknesses. Yeah. So if I press next, I basically am able to see the domains and forests that are available in the environment that I have connected to. be a vulnerability in August,:
We're talking almost two years. There are still systems out there not patched. This is the easiest way for intruders into your Active Directory, but it does take a moment longer to scan. That's why we have disabled it per default. It needs to reach out to all of your domain controllers, and most of those other scans just check the security.
Basically, as they run, and you can see here, AD delegation, various permissions in the environment that may need to be looked at. Here the one scan is still taking a moment to finish something off. You can basically progress and understand the different things while they're running.
If your scans take a moment longer, then you get the score, then you get a score where you might even think, hey, 70% doesn't look that bad. Yeah.
A C minus. Is that what you're saying? Not too bad.
Exactly. Exactly. But from a security perspective, you actually want to be in the nineties. Yeah. You definitely want to be in the nineties. So overall this is a good snapshot of understanding your Highland. And we're not going to look at every detail in the report, but you have to understand that you can create a very detailed report that then goes into all of those details, like here, which systems still have that vulnerability.
I've got one unpatched domain controller. That's all it takes. I found that domain with a nurse account, yeah, with an authenticated user account. And actually we shouldn't always say that the nurses are the most critical people out there, and we sort of make them, from an AD perspective, of course, just a normal user, but let's make sure that that is not supposed to mean a discredit to that expertise. It's just from an AD perspective.
You don't need to be an admin to find out even printers, folders, if there is running many, many other things. And without going through all of these, all sorts of other interesting ways that intruders could then use it. And I've just mentioned this one: privileged users with a service principal name. Our tool tells you about that, but it also gives you information.
What, why is this a topic? The likelihood, and what should you do about it to basically improve your situation. So it's not just a tool that gives you lovely numbers and a nice little UI. It actually has actionable items, and this tool is for free. And of course we have a little bit more to help our customers with our professional products to do this continuously, et cetera.
That's the free tool. And that's pretty interesting, Matt. You mentioned this, that even having run that free tool is helpful going into an event.
That's all right. Yeah. And one of the things I'll ask you real quick is how far away from a default domain controller was that? Had you manipulated that to be worse, or was that pretty much an out-of-the-box Microsoft DCPromo domain?
Great question. So of course, if there's nothing in your AD and you run it per default, it won't be as bad. Yeah. There are a few things: like, if you had patched, there would have been no Zerologon findings, if other configurations wouldn't have been bad. But the point is,
I'm not even at the level, in my environment, of what I see out there in the field with customers, when we talk about their environment and get their reports. Nothing is sent to us, let's be clear on that, but they share, like, on the screen and we talk about it and we evaluate what should you do. Much worse, because of the legacy that they pull along. This is not necessarily the default, but what they've done to their AD. That's what makes it more. ... ually had your DC, that was a ...
Now you get that heads up, right? Then there's some other elements in there. The principal leaders knowing about some of the patching, this is a critical set of information that you're not going to get off of a vulnerability management tool. You're not going to get a report from most of your penetration testing.
And you're a fan of vulnerability testing as part of your HIPAA security runs. It gives you that intelligence specific to the Active Directory database, the NTDS. Most importantly, as we're talking about ransomware events and hacking, this is one of the biggest things you learn about. Do you have an unprotected distributed file system or an unprotected SYSVOL?
That is the primary vector of spreading laterally across the entire organization. And once you put malicious code into those two components of an Active Directory, the game is effectively over.
So that's the free Purple Knight community edition. I can get that. When we were talking about engaging Semperis, we actually put the tool out there. Now we're monitoring any changes to the domain. We're monitoring changes to the policies and all those kinds of things. So at that point, are we getting alerts as things are getting ...
Yep. So Semperis has a bigger brother, and that is the Directory Services Protector. As the name implies, it's an active protection of the environment that scans continuously for vulnerabilities and also is updated.
If there's new vulnerabilities that are known, new zero days, those you need to check for. And then it's updated with the proper, let's say, rules that can easily be downloaded automatically or given into the system offline, depending on what the preference is of the responsible people for that environment.
But more so, it also scans any change in Active Directory using the replication data stream. Directory Services Protector basically understands even changes that might occur in your AD if an intruder tries to work underneath the cover, using tools like Mimikatz DCShadow, which uses a different system to write into the replication stream. What does that translate to?
That means no audit logs are written. Most tools, SIEM tools that gather data to understand what's happening in the environment, fully rely on your audit logs on your domain controllers. If things are not written into that, if changes don't go there, you don't know about it. We do, because we basically catch any change that is out there.
And then we can act on that. You can undo the changes that an intruder does. You can see forensically what has happened in this time. Often it's not right away that you realize that that intruder compromised one of your existing admin accounts, and it takes you a while to realize that was a malicious act versus a normal domain administrative act.
And then you can still see, well, what has John really done in the past, whatever, 24, 48 hours, or in a certain phase some weeks ago, whatever it is, it can be found. And then none. So that's the big benefit over, don't get me wrong, a perfect starting point. Anything free is, let's say, good, but this is not just free and for the fun of it, there's value to it. The bigger brother has even more value to it. And then of course there's the other product that we use for protecting the backup, backing up AD, to then be able to fully, automatically recover your whole forest.
Yeah. So NIST Cybersecurity Framework: identify the risks, Purple Knight. Protect, detect, and respond, you have, what'd you call it, the protector defense.
The Directory Services Protector, DSP.
The DSP, and then recover is another tool. And what's that called?
Active Directory Forest Recovery, ADFR.
ADFR, recovery. And that really covers the five areas of the NIST Cybersecurity Framework. I mean, that gets you from, hey, knowing what's going on, protecting while things are in operation, and if you happen to get breached, we're going to be able to get that environment back up and running fairly quickly so that we can get back to normal operations as quickly as possible.
Let me add to that: even after you recover, you might not be sure if the recovered AD is fully safe, and the intruder might've done something. ADFR has a post-recovery scan that actually checks for, let's say, malicious changes and other vulnerabilities in that recovery. And so you are sure that you can close those backdoors and be safe to move on with your recovery environment.
All right. Well, we're coming up to the end here, and I'd love, since you guys have so much experience. We're talking to health systems, we're talking to health system leaders, we're talking to health system cybersecurity professionals. What are your parting words for them? What are your parting words in order for them to ... what should I take away from this as a health system leader? Matt, we'll start with you.
Yeah. So Active Directory needs to be put as a tier zero critical system in all healthcare environments. If it is not respected as such, it is going to be very damaging when something happens to it. It doesn't have to be a malicious attack.
It can also be an error. It can be an omission of a correct work process. So seeing the Active Directory now as a critical path system, making sure that it is treated at the equal level as an EMR/EHR, that's a real important aspect. Then putting that specific monitoring and threat vulnerability management on top of it. It's omnipresent.
It's always running. You need to be able to go back to patient zero when there isn't. And I promise you that your continuity of care models need to include discussions around the Active Directory restoration, the order of operations. So that means your business continuity, your incident response plan also need to have that lexicon. That is the gap I'm seeing in almost every healthcare that I speak with across the nation right now, is that it is a discovery piece after the fact. It needs to be right up, and there needs to be accountability for that. We have training with resources and with technology to support it for the continuity of care.
Fantastic. Guido, parting words to healthcare security professionals.
Oh, first of all, I second everything that Matt just said. That was a beautiful summary that brings it right to the point. I'll add that basic security practice gets you quite far to reduce your vulnerability. And it's often just making sure that your administrators that are responsible for your domain, that have a domain admin account, don't manage the workstations with that account. Matt said it: tiering. Yeah. Tier zero. That's the only area where those accounts would work. So it's literally some basic security basics. Get you very far in patching. Yeah. Get you very far. Don't forget that there are reasons that patches are there. Most of them are for security improvements. Don't be too slow with that, because in the end, it's all about protecting your clients, protecting the people that take care of.
Gentlemen, I want to thank you. I mean, the first 20, 30 minutes of this show, I got the normal terrified, which is what I usually do when I talk to professionals who have been on the front lines. But I like where we ended: just understanding how to protect that system, how to identify the vulnerabilities that we do have, how to protect that system and how to restore that system. That's the kind of expertise and experience that I appreciate when professionals share. They don't leave me in that.
I go to some conferences and I walk out thinking there's nothing I can do. I mean, the attacks keep coming on a daily basis, and it turns out there's a lot of really good practices out there and tools like the Semperis tool that helps us. It gives us a leg up.
But vigilance, as always. I'm sure you guys are gonna tell me vigilance is always. So hey, again, thank you for your time. Really appreciate it.
Thank you, Bill.
What a great conversation with Guido Grillenmeier with Semperis and Matt Sickles of CDW. I love to capture their perspective. They are there on the front lines when things happen in healthcare. And to be able to capture that and share that with the community is so valuable. And I really appreciate being able to do that for you.
We want to thank our sponsor for this episode, which is Semperis, who is investing in our mission to develop the next generation of health leaders. Thanks for listening. That's all for now.