whitepaper

Protecting the Heart of Your Healthcare Network:
The Domain Controller

How attackers use domain controller penetration for large-scale compromises

introduction

Recently, 90% of cyberattacks were found to be financially motivated.1 This comes as no surprise since the average payment following a ransomware attack increased 171% in 2020.2 In today’s threat landscape, the healthcare industry continues to be a prime target for these financially motivated attacks, resulting in a 55% increase in attacks. Among the attacks on healthcare, Pondurance predicts that domain controller compromises will become one of the primary focus areas for cybersecurity.

Pondurance has spent a considerable amount of time analyzing common attack patterns that negatively affect the healthcare industry in an effort to better reduce compromise, shorten dwell time, and prevent irreversible damage from attacks. In doing so, a common factor associated with these large-scale attacks involves a compromised domain controller. One of the most common ways the Pondurance security analysts see a domain controller compromised is through poor cybersecurity hygiene, such as unpatched systems and outdated medical devices, open ports, misconfigurations, stolen credentials, and bad user behavior.

In addition, the team has seen more sophisticated and highly organized attacks break through even the most protected and advanced healthcare infrastructures. In fact, more than half of all healthcare organizations have experienced a data breach or cyberattack that has exposed protected health information (PHI).4 Medical identity theft is a growing issue among the healthcare industry, with medical records proving to be more valuable to attackers than other types of data. Healthcare IT staff are already stretched to capacity, and the lack of cybersecurity talent does not help alleviate this burden.5 As these trends continue to plague the healthcare industry, compromising a domain controller is not the only tactic that bad actors are leveraging to exploit healthcare organizations.

From a business perspective, smaller investments have been made to create a focused strategy in domain controller security and ongoing monitoring and testing, which are well-invested funds when it comes to maturing your cybersecurity program. However, when prioritizing assets, the domain controller oftentimes can be overlooked as a key asset. In most cases, it should be at the top of the list.

How cyberattacks impact the
healthcare industry:

Risk to revenue.

Risk to medical research and other intellectual property.

Risk to medical devices.

Risk to HIPAA compliance and regulatory fines.

Risk to reputation.

Risk to legal exposure and remediation costs. 

Domain Controllers are the Heart of Any Healthcare Organization

The domain controller is seen as the heart of any distributed network, making it a valuable asset within any healthcare IT infrastructure. The domain controller is a server that verifies requests and confirms the users on the computer network are who they say they are, which is invaluable when handling and protecting sensitive healthcare information. This includes checking the usernames, passwords, and other credentials and then deciding whether to allow or deny access to the users.

However, there is no silver bullet to stop bad actors from gaining access to the domain administrator or enterprise administrator privileges. A common threat to the domain controller is people. Internal threats such as an organization’s employees can lead to unauthorized access to a domain controller, which is equivalent to taking the keys to the castle. Access to sensitive data such as PHI, health insurance, financial information, and intellectual medical property, including valuable research, can lead to a tremendous loss for any healthcare facility — and that does not account for potential HIPAA and regulatory violations

As security analysts investigate the root cause of a domain controller compromise, it is worth examining and considering ways to reduce the spread of ransomware throughout a medical network. While completely eliminating cyberattacks may not be realistic, healthcare organizations should focus on maturing their cybersecurity program by incorporating a dynamic defense methodology that leverages people, processes, and technology together to defend against today’s and tomorrow’s cyberattacks.

Compromises to the Domain Controller

Ransomware has received much attention when it comes to the healthcare industry. This prevalent attack crippled numerous healthcare operations during the COVID-19 pandemic as many organizations moved the majority of their operations to telemedicine and a remote environment for staff. Digital transformation is a key contributing factor that significantly broadened the attack surface for healthcare, and attacks have been accomplished through the domain controller. Healthcare organizations of all sizes are constantly being targeted, while there are no signs of attacks slowing down.

Third-Party Risks

Organizations of all sizes have experienced their fair share of cyberattacks due to third-party and vendor risks. The healthcare industry is not any different, and third-party risks are one of the biggest vulnerabilities that providers face. In fact, according to a Pondurance study, 42% of enterprise healthcare organizations say third-party and vendor risks are the leading cybersecurity and privacy challenges they face in today’s threat landscape.

Bad actors are looking at third-party vendors to find the weakest link to access a healthcare facility’s network servers. Business associates are also prime targets when it comes to third-party risk because they too have access to PHI. Many of the reported data breaches in March 2021 occurred with business associates of HIPAA-covered entities, and the numbers will continue to rise.

Impersonation

From phishing and hijacking emails to stolen credentials and social engineering, impersonation is a classic way for attackers to gain access to domain controllers. During the COVID-19 pandemic, security professionals saw a significant increase in phishing attacks that were related to COVID-19. In fact, phishing was the top attack vector seen by the Pondurance security analysts. Attackers are particularly skilled in the art of impersonating individuals and taking advantage of humans and system weaknesses.

Third-party and vendor risks are the leading cybersecurity challenges:

Ransomware

Healthcare facilities of all sizes are prime targets for cyber threats largely due to the valuable source of sensitive data they process. In a ransomware attack, sensitive data, systems, and other digital resources are held hostage by financially motivated bad actors who demand payment to unlock the information. These bad actors and their extensive network of accomplices pose multiple risks to healthcare organizations including: 1) impact of patient are and safety; 2) disruption of business operations; and 3) disclosure of sensitive information. Attackers have proven their ability to paralyze an organization’s daily operations, impacting the privacy and safety of its patients. A successful ransomware attack forces medical facilities to implement manual processes until the ransom is paid.

Also, unlike a breach where the damage is done and the only option is cleanup, ransomware carries a heavy burden on healthcare organizations of whether to pay or not pay. This decision could mean life or death in some situations, if hospitals are forced to turn away patients or when critical, high-tech, lifesaving equipment that physicians rely on in emergencies is compromised.

Medical devices and applications

Advances in medical devices play an important role in modern healthcare. However, at the end of the day, these devices have operating systems that are connected to the internet and can be just as vulnerable to compromise as any endpoint device. These high-risk vulnerabilities could allow attackers to perform a myriad of malicious activities such as stealing PHI, causing devices to malfunction, and possibly accessing a medical facility’s network.

Common Techniques for Unauthorized Access to Domain Controllers

Let’s explore some of these occurrences. The following methods are the most common techniques for accessing a domain controller:

Compromised user and administrative credentials continue to be a common gateway for compromise. This technique takes advantage of human error, which allows user credentials to be captured or malware to be loaded through a phishing email or drive-by download.

Legitimate credentials via remote desktop protocol (RDP) is a common technique attackers use to gain easy network entry or lateral movement. RDP is a legitimate tool that IT departments use to access and manage Windows systems remotely, which makes it a stealthy method for attackers to penetrate networks. RDP exploit programs and services are easy to purchase and use, or the attacker can buy stolen credentials for organizations from $10 to $100 per credential to carry out credential stuffing attacks to access the domain controller.

Altering configurations over a server message block (SMB) to open access over certain protocols is another exploit method targeting credentials. Attackers also can use it as an entry point. SMB is a critical protocol for an active directory and can serve as a network file sharing tool. SMB is widely deployed and used by billions of devices in most operating systems, including Windows, Linux, MacOS, iOS, and Android. Like RDP, administrators use SMB to access systems, but it is also used system to system for sharing files, data center replication, centralized data management, and mobile devices replicating storage for many mobile devices to cloud storage. Backdoor installation over SMB with legitimate credentials can occur based on the above techniques and other user-initiated actions such as phishing or clicking on a malicious file.

Healthcare organizations should focus their efforts on protecting devices that are managed by domain controllers and ensure any patches that are released are deployed as soon as possible.

Compromised virtual private network user credentials often make the first step of a compromise much easier. Leveraging multi-factor authentication (MFA) can make this attack method challenging.

Exploiting a myriad of outdated services running on the target domain controller is a common technique.

Classification of breaches typically falls into five categories:

Integrity breach – Unauthorized or accidental alteration of personal data.

Availability breach – An accidental loss of access to/or destruction of PHI.

Intellectual property breach – Where critical information such as medical research, PHI, health insurance, and financial information can be used for nefarious purposes on a much larger scale.

Confidentiality breach – Unauthorized or accidental disclosure of/or access to PHI and other sensitive health information.

Safety – A recent addition because an attack can actually impact human life, which has occurred when cyberattacks have crippled hospital operations, forcing medical staff to turn away patients or leaving healthcare devices inoperable.

Protection of Domain Controllers

The healthcare industry is faced with a unique wave of challenges in defending itself from the rise in cyberattacks. The sophistication alone makes it extremely difficult to continuously protect a domain controller from compromise. Healthcare organizations can follow the recommendations below to prevent access to the domain controller:

Ensure that MFA is enabled on compatible protocols including all domain level systems to protect against the use of stolen credentials.

Maintain domain controllers and any applications running with supported release versions and ensure they are patched.

If RDP is enabled, ensure there are compensating controls associated with it such as registered origin IP addresses, destination-only access, and individual credentials with MFA added.

Implement an email defense filtering system, combined with URL/IP blocking outbound capabilities. Malicious phishing emails have proven to be an effective ingress point for bad actors.

Similar to RDP, ensure adequate protections are enabled for SMB. This requires protection from attacks where a server or device might be tricked into containing a malicious server running inside a trusted healthcare network.

Monitor and analyze logs to ensure in-depth 360-degree visibility is properly implemented. HIPAA requires that healthcare-covered entities have the proper technical

safeguards in place to adequately protect and monitor electronic health information. Logging alone is not sufficient; healthcare organizations require trained security analysts to triage any and all incoming security alerts.

Separate the use of local system administration from domain administration. If an endpoint such as a physician’s laptop or computer at the front desk is compromised, an attacker is able to discern local administrator credentials. While these credentials will be tested by the domain controller, if they are verified, an attacker can easily facilitate an attack against a healthcare network.

Monitor your healthcare IT infrastructure, medical devices, and domain controller at a system and application log level. In addition, monitoring access logs for anomalies such as nondomain IP addresses for failed attempts is key to stopping bad actors. Implementing an endpoint detection and response (EDR) can provide visibility into all endpoints, such as laptops and computers being used within a healthcare network.

Encrypt endpoints. The use of full disk encryption makes a great deal of sense on a number of levels when dealing with medical data.

Conclusion

Healthcare organizations are faced with unique challenges that affect critical departments within their ecosystem. Unlike a typical organization, healthcare IT departments are broken down by clinical function, creating potential miscommunication that leads to an increase in security gaps. Constant monitoring of the domain controller at a system and application log level is critical in responding to malicious activity. In addition, the monitoring does not stop there. Reviewing and analyzing access logs and medical device traffic for anomalies is a key function that security operations centers (SOC) should prioritize to immediately ascertain the severity of the incident and verify critical information.

At the highest level, a long-term strategy to protect domain controllers is leveraging a foundational cybersecurity model that incorporates 24/7 monitoring to reduce blind spots. As domain controller attacks continue to increase in frequency and evolve in sophistication over time, understanding common attack patterns can significantly improve detection. The cost of a data breach has only increased year over year, and businesses should focus on monitoring their assets with a holistic cyberdefense solution and prioritize security awareness training throughout the entire business.

About Pondurance

Pondurance delivers world-class MDR services to industries facing today’s most pressing and dynamic cybersecurity challenges including ransomware, complex compliance requirements, and digital transformation accelerated by a distributed workforce. By combining our advanced platform with our experienced team of analysts, we continuously hunt, investigate, validate, and contain threats so your team can focus on what matters the most.

Pondurance experts include seasoned security operations analysts, digital forensics and incident response professionals, and compliance and security strategists who provide always-on services to customers seeking broader visibility, faster response and containment, and more unified risk.