Healthcare Threat Hunting Must Get Proactive

George V. Hulme

November 03, 2021

Healthcare Threat Hunting Must Get Proactive

There's been no slowdown when it comes to healthcare-related security breaches. For the 12 months through July 2021, 706 healthcare data breaches (of 500 or more records) were reported to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Those 706 breaches exposed the records of a whopping 44,369,781 people.

A big part of the reason healthcare data breaches are so prevalent — and damaging — is because attackers can linger for extended periods within healthcare networks. Consider that IBM's Cost of a Data Breach Report 2020, which found the average time to identify a breach in 2020 was 228 days (that's just too long). Yet, the average time within the healthcare industry was 329 days (that's way too long).

For the healthcare industry to mitigate the damage from such security breaches, healthcare providers need to get proactive when chasing down threats in their organizations.

What is threat hunting?

Like ‘AI’, ‘machine learning’, or ‘actionable intelligence’, ‘Cyber Threat Hunting’ has become an industry buzzword that is used in multiple contexts and now has no clear definition. But understanding how to hunt across an environment requires that we must first understand exactly what Cyber Threat Hunting is.

Threat hunting is the practice of proactively searching for cyber threats that are prowling unnoticed in a network and digs deeper to identify adversaries in an environment that may have slipped past initial endpoint security defenses. A deliberate process using contextualized data designed to define potential cyber threat and proactively seek them out within an environment.

The shift from reactive to proactive threat hunting

Wait, what? Haven't enterprises been proactively hunting threats for some time now? Not really. Until only a handful of years ago, the typical enterprise (and today, this is still what the typical enterprise does) is set up intrusion detection systems and other monitoring systems and wait and see if intrusion alerts are triggered. These systems are primarily signature-based with some machine learning assistance. And when alerts do go off, and boy do they go off, security analysts need to vet them for potential false positives to find the very few alerts (in potentially tens of thousands every day) that pose a threat and matter.

For those alerts that need to be investigated, the analyst would look at the SIEM and retrieve the appropriate available logs. They'd see if they can determine the source of the potential incident. If the logs indicated something happened, the teams pull more tools, such as dedicated analysis toolsets and incident response systems, and they'd then take a closer look.

Suppose the organization determined a potentially severe incident did happen. In that case, they'd likely call an incident response consultancy who would come onsite and deploy their own tools and conduct their own independent investigation and work to come to an understanding of when the attack first started, what was the entry-point, how long has the attacker been active, and try to determine what other assets on the network may have been accessed and who may be behind the attack. They would also help to develop a containment and eradication plan that the breached firm would execute.

Such incidents often cost tens of thousands of dollars.

These breaches are just going on too long and are too costly. The longer an infiltration continues, the more assets and networks the attacker is likely to breach, the more data they're likely to steal and the costlier the data breach is likely to be, and the more expensive to root out the attacker. This is where proactive threat hunting comes in: catch the breaches early in their attack cycle and limit their damage.

Proactive threat hunting in healthcare

What is proactive threat hunting? Proactive threat hunting is essentially actively seeking threats lurking on systems and networks that have gotten past rule/signature-based security defenses.

The theory is that if threat hunters understand how the threat actors operate and what tactics, techniques, and procedures (TTPs) they use, they can build a hypothesis about how the threat actors may attack and what they might target and do within the environment. Of course, being successful at threat hunting requires the right people, information, and resources are in place. That would include a clear understanding of one's environment, the nature of threat actors, and the skilled people to do the analysis.

First, let's look at the environment and the technology with it. To successfully find threats on the network, one needs to look at the environment just like an attacker would, such as what networking equipment, internet-facing applications, wireless networks, connected devices are all in place — virtually anything that increases the attack surface.

In addition to understanding devices connected to the network and its topology, it's essential threat hunters get to know what "normal" looks like on their networks. The typical way data is collected for analysts is increasingly a challenge for healthcare. Because this data collection typically requires an agent to be placed on an endpoint and connected with a security analytics platform. With that data, the analysts can examine the data, establish a baseline for normal behavior, and identify potential threats. However, within the healthcare industry, it's not always so simple.

Within healthcare, there are increasing numbers of IoT devices and many dedicated and proprietary medical devices, medical platforms that can't accept an agent. Sometimes this is because of technical reasons. Other times it's because of regulatory compliance issues around device certification. This makes it much harder to develop a baseline and to identify potential threats. Still, healthcare organizations can gain increased visibility on their network activity and monitor that traffic for possible anomalies.

Thinking like a cyber attacker

Successful threat hunting requires analysts to think like attackers who target their environment would think. But to successfully build a hypothesis of how attackers attack the environment, it's crucial to have a clear understanding of what assets and data attackers are most likely to target within your environment and how they are most likely to attack those assets.

It's also essential to understand the healthcare threat landscape. Are there threat actors targeting healthcare in your geographical region? What TTP and tactics techniques and procedures do they use? When those answers are known, threat hunters get to work looking for indications of compromise.

When intruders are sought out in this way, the time to identify breaches can be reduced from roughly nine months to weeks, which can dramatically decrease the impact of the cost and magnitude of the breach. Of course, getting the right tools, information, and people in place isn't easy.

The tools for successful threat hunting

One of the primary toolsets for threat hunters would include an endpoint detection and response (EDR) platform. These platforms include integrated security products that continuously monitor endpoint data for potential threats. When possible, they will provide an automated response to remove or otherwise mitigate any identified threats. When such answers aren't possible, EDR platforms provide endpoint data to threat hunters or security analysts to investigate and act.

Of course, just setting up an EDR platform and waiting for it to trigger isn't very proactive. It's the same old reactive processes security has been engaged with for decades. The secret to successful threat hunting is using the EDR to identify known threats and gather data on threats, while the threat hunters actively seek breaches in progress. Unfortunately, when it comes to successful threat hunting, finding the right people is critical. The reality is there just aren't enough skilled threat hunters available to go around. These professionals command high salaries, and many large organizations actively seek to hire people with these skills.

This is where managed detection and response (MDR) services come into play. Consider MDR to be EDR plus cybersecurity services that search for active threats and breaches within organizations that have worked their way past the traditional signature-based defenses. The benefits of MDR are many, especially for small and mid-sized firms that can't afford to staff (even if they could find the right staff in the first place) a 24/7 security operation with proactive threat hunters.

Whether a healthcare organization chooses to build its threat hunting capabilities or turn to an MDR partner doesn't matter — what does matter is that the organization creates an effective internal threat hunting program. It's important that healthcare organizations get proactive when it comes to identifying threats and that they slash that time to detect a data breach down from nearly nine months to a matter of days, if not hours.

Learn more about what you need to start threat hunting.

Additional Resources:

Advanced Threat Protection in the Modern Age: An Interview with a Threat Hunter


Contact an expert



George V. Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.

View all posts

You might also like