
SPHINX Use Cases: Part II

Continued from the blog entry SPHINX Use Cases: Part I.

Through the following classification of use cases, SPHINX aims to better understand how threats, risks and vulnerabilities are manifested, as well as how prevention, recovery and mitigation actions can be improved.

Rootkit Malware Attack in a Cancer Treatment Institute

Description: A cybercriminal sends numerous emails carrying a new rootkit malware to different user recipients in the public cancer treatment institute. A user from the institute’s nursing staff opens the email, which infects the computer with a rootkit malware.

The new malware circumvents the continuous monitoring of network devices against attacks and the existing firewall, which blocks network connections and records the traffic to the cybercriminal’s remote IPs but has no alerting mechanism in place. It allows the cybercriminal to spy on all the computer’s activity for several months and, through keylogging, to steal the login credentials of several users, which are used to access the institute’s healthcare information systems. The cybercriminal then uses the stolen credentials to access those information systems, view the patients’ medical data and alter the records (e.g., treatment plan and lab results).

Responding to the attack, the institute’s IT department starts an investigation procedure: analysing the logs of several computers, the IT staff is able to identify the compromised computer and login credentials. Those accounts are immediately suspended, whereas the compromised computer receives a clean install. The patients’ database is then restored from the latest backup prior to the attack.
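The weak point in the scenario above is that the firewall recorded every connection to the cybercriminal’s remote addresses but nobody was told about it, and the IT staff only found the compromised computer by reading logs months later. The following script is an added example written for this post, not SPHINX project code: it reads firewall connection records and raises an alert for an internal host that contacts one external address at near-constant intervals, the regular beacon pattern that a remote-controlled implant tends to leave in such logs. The log format, the addresses (RFC 5737 documentation ranges), the internal network list and the thresholds are all constructed assumptions for the example.

```python
"""
Added example (not SPHINX project code): turning firewall connection
records into alerts. The scenario's firewall logged traffic to the
attacker's remote IPs but never raised an alert; this script scans such
records for an internal host that repeatedly contacts a single external
address at regular intervals and returns alert records for an analyst.
Log format, addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample firewall log: "<timestamp> <action> <src_ip> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
2023-03-01T08:00:05 ALLOW 10.20.1.15 -> 203.0.113.7:443
2023-03-01T08:02:14 ALLOW 10.20.1.22 -> 198.51.100.4:443
2023-03-01T08:10:05 ALLOW 10.20.1.15 -> 203.0.113.7:443
2023-03-01T08:15:31 ALLOW 10.20.1.22 -> 198.51.100.9:80
2023-03-01T08:20:06 ALLOW 10.20.1.15 -> 203.0.113.7:443
2023-03-01T08:30:04 ALLOW 10.20.1.15 -> 203.0.113.7:443
2023-03-01T08:33:50 ALLOW 10.20.1.22 -> 198.51.100.4:443
2023-03-01T08:40:05 ALLOW 10.20.1.15 -> 203.0.113.7:443
2023-03-01T08:41:00 ALLOW 10.20.1.15 -> 10.20.0.5:445
"""

# Assumed internal address space of the institute (private ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, action, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": src, "dst": dst_ip, "port": int(dst_port)}


def find_beacons(log_text: str, min_hits: int = 4, max_jitter: float = 0.2) -> list:
    """Return one alert per (internal src, external dst) pair whose
    connections recur at near-constant intervals.

    min_hits   - minimum number of connections before a pair is considered
    max_jitter - allowed coefficient of variation (stdev / mean) of the gaps
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only outbound traffic from inside to outside is of interest here.
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            flows[(rec["src"], rec["dst"])].append(rec["ts"])

    alerts = []
    for (src, dst), times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A low spread of the gaps relative to their mean means a timer, not a person.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append({"src": src, "dst": dst,
                           "hits": len(times), "interval_s": round(avg)})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print(f"ALERT: {alert['src']} contacts {alert['dst']} every "
              f"~{alert['interval_s']}s ({alert['hits']} connections)")
```

On the constructed sample the script reports a single alert for 10.20.1.15, which reaches 203.0.113.7 every ten minutes; the host that browses two external addresses at irregular times is not reported, and the internal file-share traffic is ignored. The alert names the source host, which is exactly the pivot point the institute’s IT staff needed for their log investigation.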

Attack Impact: In this case, the malware impacts the cancer treatment institute’s patient records, causing the violation of the data integrity and confidentiality. The attack affects not only the healthcare organisation (the cancer treatment institute) as care delivery can no longer rely on the accessible patient treatment plans, but also the patients who see their privacy violated. The attack’s expected recovery time is estimated to be several months.

SPHINX Role and Added-value Benefits: The SPHINX System is relevant in the identification of system vulnerabilities, including the email server (SPHINX vulnerability assessment and security protocol analysis tools), in the early detection of the attack by performing continuous monitoring of the network’s and the database’s activity (SPHINX data traffic monitoring, anomaly detection and intrusion detection tools), in the prompt alerting of relevant IT staff of the suspicious network activity and database security breach (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber-attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to proceed to trigger and implement the adequate recovery and mitigation procedures, including blocking the attack and restoring the institute’s patient records (SPHINX decision support tool).

Theft of Health Data by Exploiting Vulnerable Software

Description: An attacker uses the national portal for the public sector – whose access is open to the general public – and searches for procurements/purchases of IT software and equipment conducted by healthcare service providers over recent years, thereby identifying those that are most likely to own outdated IT software and equipment.

From the list of vulnerable healthcare organisations, the attacker chooses a large health clinic that has acquired inventory software that has not been updated. The attacker sends several emails to the clinic impersonating a representative of a medical product supplier, with an attached file that looks like a PDF document (e.g., Invoice.pdf or Catalog.pdf) but actually delivers a Java Remote Access Trojan (RAT) malware specifically designed to exploit the known vulnerabilities of the clinic’s inventory software.

The clinic’s employees notice that the IT infrastructure is less responsive than usual and report this to the IT department. Acting on the reports, the IT department conducts an investigation and identifies the presence of the Java malware in the inventory software. They proceed with a clean installation of the inventory software, updated with the latest security patches, on all affected computers.
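The attachment in this scenario only needs to look like a PDF in the mail client; its bytes are Java code. A mail gateway or endpoint check that compares a file’s claimed extension with the format its content actually declares catches that mismatch before a user ever opens it. The script below is an added example written for this post, not SPHINX project code. The format signatures (the `%PDF-` header, the zip local-file header a JAR is built on, the `CAFEBABE` class-file header and the `MZ` executable header) are real; the sample attachments are constructed in memory, and the dummy JAR contains only a manifest and a stub class header, not runnable Java.

```python
"""
Added example (not SPHINX project code): flagging an e-mail attachment
whose filename claims one format while its content declares another,
as with the 'Invoice.pdf' that actually carries Java code in the
scenario above. The format signatures are real; the sample attachments
are constructed here for illustration.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Formats whose arrival as a "document" attachment should be blocked outright.
EXECUTABLE_FORMATS = {"jar", "class", "exe"}


def detect_format(data: bytes) -> str:
    """Identify a file by its leading bytes, not by its name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\xca\xfe\xba\xbe"):   # Java class file
        return "class"
    if data.startswith(b"MZ"):                 # Windows PE executable
        return "exe"
    if data.startswith(b"PK\x03\x04"):         # zip container; a JAR is a zip
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip"
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return "jar"
        return "zip"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected format and decide
    whether the attachment should be held back for review."""
    suffixes = [s.lstrip(".").lower() for s in PurePosixPath(filename).suffixes]
    claimed = suffixes[-1] if suffixes else ""
    actual = detect_format(data)
    reasons = []
    if actual in EXECUTABLE_FORMATS:
        reasons.append(f"content is executable ({actual})")
    if claimed and actual != "unknown" and claimed != actual:
        reasons.append(f"extension .{claimed} does not match content ({actual})")
    if len(suffixes) > 1:                       # e.g. Catalog.pdf.jar
        reasons.append("multiple extensions: " + ".".join(suffixes))
    return {"filename": filename, "claimed": claimed, "actual": actual,
            "block": bool(reasons), "reasons": reasons}


# --- constructed sample attachments -----------------------------------------
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample, not a full document\n%%EOF\n"


def build_sample_jar() -> bytes:
    """Build a minimal zip that looks like a JAR: a manifest plus a stub entry
    carrying only the class-file header (no bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Stub.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    for name, payload in [("Invoice.pdf", SAMPLE_PDF),
                          ("Invoice.pdf", build_sample_jar()),
                          ("Catalog.pdf.jar", build_sample_jar())]:
        verdict = check_attachment(name, payload)
        status = "BLOCK" if verdict["block"] else "pass "
        print(f"{status} {name}: {'; '.join(verdict['reasons']) or 'looks consistent'}")
```

The real Invoice.pdf passes, while the same name wrapped around JAR bytes is blocked for two independent reasons (executable content and extension mismatch), so the check does not depend on the attacker choosing a particular disguise. A double-extension name such as Catalog.pdf.jar is blocked as well, even though its last extension is honest.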

Attack Impact: The attack causes a violation of data confidentiality regarding the clinic’s operational information, the employees’ data and the patients’ data. The clinic’s inventory/supply operations are halted and access to the patients’ databases is suspended. The attack’s expected recovery time is estimated at 2 or 3 working days, depending on the number of affected assets and on the effort required to re-install the updated inventory software. Still, several months may be required for the clinic to recover from the financial losses due to compensation claims by affected suppliers, employees and patients, and to marketing campaigns to procure new suppliers, recruit new employees and clients and rebuild the clinic’s reputation.

SPHINX Role and Added-value Benefits: The SPHINX System is relevant in the identification of unattended and vulnerable critical assets (SPHINX vulnerability assessment tool), in the early detection of the attack by performing continuous monitoring of the network’s and the databases’ activity (SPHINX data traffic monitoring, anomaly detection and intrusion detection tools), in the isolation of the compromised computer, preventing the spreading of the RAT malware throughout the network (SPHINX sandbox tool), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber-attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to proceed to trigger and implement the adequate recovery and mitigation procedures, including blocking the attack and restoring the clinic’s databases (SPHINX decision support tools).

More information about the SPHINX use cases can be found in Deliverable 2.4 that is publicly available here.