Ireland appeared to be shaken to the core by the recent cyberattack on the HSE and the Department of Health, but once past the initial shock, it is time for an in-depth look at the Irish cybersecurity infrastructure and whether such an attack could have been anticipated, detected, or prevented.
In 2017, large parts of the National Health Service (NHS) in the United Kingdom came to a standstill because of an attack by the notorious WannaCry ransomware, which paralysed their computers. The recovery was long and was estimated to have cost the NHS £92 million, but were any lessons learned on this side of the Irish Sea? Let’s have a quick look at the details we know and how matters could have been handled differently.
It has been reported that 700 gigabytes of the HSE’s data was allegedly exfiltrated by the cybercriminals. Given that the data is stated to be of a sensitive nature, content-aware data leak prevention (DLP) could have been useful in preventing the movement of such data. Content-aware DLP software aims to prevent intentional (and accidental) leakage of sensitive data by first identifying that data (using classification rules written by the administrator) and then controlling who can access it, how and when they can interact with it, and where it can be moved. It only works for data that has actually been classified, and it needs to watch the egress channels an intruder would use, such as large outbound transfers from servers, not just email and USB drives.
The use of a cloud sandboxing solution can also be effective in combating ransomware infections and zero-day threats. A properly configured cloud sandboxing product will temporarily hold the execution or opening of any unknown file until it has been analysed in an operating system running in the cloud. If the file is found to be malicious, execution is blocked and the file removed, with the detection shared with all the other endpoints on the network. If the file is benign, it is allowed to run. Sometimes the most effective way of finding out what an unknown piece of software will do is simply to let it run and monitor its behaviour. It is obviously too dangerous to do this on the production network, hence the value of cloud sandboxing; the caveat is that some malware checks whether it is being analysed and stays dormant in a sandbox, so sandboxing is one layer rather than a guarantee.
Given that reports suggest the attackers “lived” in the network for approximately two weeks, it must be asked whether the HSE’s security team was using an endpoint detection and response (EDR) solution. EDR products aim to detect the movement and actions of attackers in a protected network by reporting seemingly innocuous events to security teams for analysis: the commands they ran, the files they changed, the login attempts they made, the services they installed on remote machines, and so on. When flagged by a proper solution, these actions should ring alarm bells for any security operations centre analyst and trigger an immediate investigation. In short, a correctly configured EDR solution would have flagged events typical of lateral movement to analysts; the remaining condition is that someone is actually watching the alerts and triaging them within hours, not weeks.
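To make the EDR point concrete, here is a small added example (not the page’s or ESET’s code) of the kind of rule logic an EDR or SIEM applies to endpoint telemetry to surface lateral movement. The log lines are constructed for this example, rendered as a simplified key=value form of Windows Security/System events (4625 failed logon, 4624 logon, 7045 service installed, 4688 process created); the field names, thresholds and time windows are assumptions, not any product’s real rule set. The three rules are textbook indicators: a burst of failed logons followed by a success, a service installed on a host shortly after a network logon to it (the PsExec pattern), and a process launched with a remote-execution tool on its command line.

```python
"""Toy lateral-movement detector over constructed endpoint telemetry.

Added example, not the original page's or ESET's code. Line format
(ts=ISO8601 event=<Windows event id> key=value ...), thresholds and
windows are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: an intruder brute-forces 'admin' on FS01,
# logs in over the network, drops a PsExec service, then uses WMI from WS17
# to reach FS02. The FS03 lines are ordinary activity that must not alert.
SAMPLE_LOG = """
ts=2021-05-01T02:10:01 event=4625 host=FS01 src=10.0.5.23 user=admin
ts=2021-05-01T02:10:03 event=4625 host=FS01 src=10.0.5.23 user=admin
ts=2021-05-01T02:10:04 event=4625 host=FS01 src=10.0.5.23 user=admin
ts=2021-05-01T02:10:05 event=4625 host=FS01 src=10.0.5.23 user=admin
ts=2021-05-01T02:10:06 event=4625 host=FS01 src=10.0.5.23 user=admin
ts=2021-05-01T02:10:09 event=4624 host=FS01 src=10.0.5.23 user=admin logon_type=3
ts=2021-05-01T02:10:40 event=7045 host=FS01 service=PSEXESVC
ts=2021-05-01T02:11:02 event=4688 host=WS17 user=admin cmd="wmic /node:FS02 process call create cmd.exe"
ts=2021-05-01T09:00:00 event=4624 host=FS03 src=10.0.9.8 user=jsmith logon_type=3
ts=2021-05-01T09:00:30 event=4688 host=FS03 user=jsmith cmd="notepad.exe"
"""

FAILURE_THRESHOLD = 4                 # assumed: failures before a success that warrant an alert
FAILURE_WINDOW = timedelta(seconds=60)
SERVICE_WINDOW = timedelta(minutes=5) # assumed: network logon -> service install gap
REMOTE_EXEC = re.compile(r"psexec|wmic\s+/node:|invoke-command|winrs\b|schtasks\s+/s\b", re.I)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect(events):
    """Return (rule, host, detail) alerts in event order."""
    alerts = []
    failures = defaultdict(list)    # (host, src, user) -> timestamps of 4625
    net_logons = defaultdict(list)  # host -> (ts, src, user) of logon_type=3 4624
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid, host, ts = ev["event"], ev["host"], ev["ts"]
        if eid == "4625":
            failures[(host, ev["src"], ev["user"])].append(ts)
        elif eid == "4624":
            key = (host, ev.get("src"), ev.get("user"))
            recent = [t for t in failures[key] if ts - t <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append(("brute_force_success", host,
                               f"{len(recent)} failures then success for {ev['user']} from {ev['src']}"))
            if ev.get("logon_type") == "3":
                net_logons[host].append((ts, ev.get("src"), ev.get("user")))
        elif eid == "7045":
            # A service appearing minutes after a network logon is the PsExec shape.
            for lts, src, user in net_logons[host]:
                if ts - lts <= SERVICE_WINDOW:
                    alerts.append(("remote_service_install", host,
                                   f"service {ev['service']} installed after network logon by {user} from {src}"))
                    break
        elif eid == "4688" and REMOTE_EXEC.search(ev.get("cmd", "")):
            alerts.append(("remote_exec_tool", host, ev["cmd"]))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"[{rule}] {host}: {detail}")
```

On the constructed log this raises three alerts, all on the intruder’s activity, and none on the FS03 user who logs in normally and opens Notepad. Real EDR rules carry far more context (parent process, signer, prevalence across the fleet) and tune thresholds per environment, but the shape is the same: correlate low-value events across hosts and time, then hand the analyst a story rather than a single line.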
ESET Ireland consistently stresses the importance of a thoroughly planned defensive posture and a multi-layered approach to cybersecurity. While there is no such thing as 100 per cent security, by applying comprehensive preventive measures, the bar can definitely be raised to an extent that makes it a lot harder for cybercriminals to carry out major disruptions.