The following story illustrates what can occur before, during and after a cybersecurity hack. Malcolm Gerhard isn’t real, but the issues he faces are not products of fiction. Hardly a week goes by without a headline-grabbing cyberattack or data breach, and the healthcare industry is known to be at heightened risk. Actual case studies inspired Malcolm’s experience in this scenario. Read on to discover what happens when a SOC director discovers and responds to a healthcare hack. Would you have reacted differently?

Malcolm Gerhard packed up his pickleball racket. Some competitive cardio was often a welcome distraction from his security work at the regional group of medical practices. As Lincoln Healthcare’s security operations center (SOC) director, he was the official cybersecurity incident response officer on call.

“You seem stressed, Mal,” said Thu Ngo, his pickleball competitor and IT ops colleague. “Is it work-related?”

“Yeah,” Malcolm admitted. “There are just so many things out of our control.” The last thing he wanted was patient records to end up in the wrong hands.

Managing a SOC meant constant concerns about talent resources, training and solutions. Of course, like many of the “good guys,” Malcolm felt a strong sense of responsibility to protect Lincoln Healthcare’s patients and employees from data exposure.

A Visit to the SOC Watering Hole

Dr. Shane Stewart found himself with a few extra minutes in his office at Lincoln Healthcare. He decided to spend some time browsing a physicians’ message board from his work laptop. Thanks to his web browser’s autofill suggestions for his email address and password, the cardiologist was able to log in quickly.

Stewart was not a technologist — but he did consider himself pretty tech-savvy compared to other doctors. A decade prior, he’d worked hard to modify his clinical workflow to integrate Lincoln Healthcare’s new electronic health records (EHR) software. Meanwhile, many of his colleagues dug their heels in and protested the impacts of technology on patient care.

He scanned over message board threads until he found what he was looking for: a discussion about how his fellow cardiologists were integrating the latest board recommendations. Stewart posted a reply and headed home for the day.

What didn’t he know? His visit to the forum pulled Lincoln Healthcare’s network into a watering hole attack, which is when a hacker aims to impact a specific group of users by targeting sites those users regularly visit. In the mere moments it had taken him to post, malicious code on the forum took advantage of a vulnerability in his browser and launched a zero-day exploit.

Stolen Credentials Spin Out of Control

Before Dr. Stewart could even finish packing up for the day, the zero-day attack dropped a stealthy remote access Trojan (RAT) on his laptop. Like many other human endpoints, Dr. Stewart was guilty of a few security crimes, including storing his passwords in his web browser for easy access to his web apps and services.

It wasn’t long before the RAT programmatically scraped all the credentials necessary to gain control of his accounts, including his access to Lincoln Healthcare’s cloud-based EHR system.

There’s a RAT in the Practice Network

After entering the network via the watering hole attack, the RAT spent the next few weeks wreaking well-obscured havoc. With Dr. Stewart’s scraped credentials (and some escalated user privileges) the attackers behind the RAT had complete access to the practice’s EHR servers.

It used an internal server to aggregate the protected health information (PHI) of tens of thousands of Lincoln Healthcare patients. As quickly as the PHI was being compiled, it was being leaked. This was thanks to the RAT’s connection between the internal server and an external file transfer protocol (FTP) site.

Private Data Leaves the Practice

The RAT’s activity wasn’t wholly undetectable: it was reflected in server logs, but the overburdened SOC personnel didn’t notice it. Like many hospitals and medical facilities, Lincoln Healthcare strove to maintain compliance with Health Insurance Portability and Accountability Act (HIPAA) audits — and the team had not had a chance to tune the alert threshold of its security information and event management (SIEM) system to notify it of the anomalous activity.

Malcolm Gerhard and the rest of the SOC team would have detected more than unusual data transfer activity if their SIEM had been properly tuned. The internal server’s connection to a server hosted at a dynamic domain left a data trail that revealed PHI was being exported.
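The detection gap described above (an internal server pushing large volumes of data over FTP to a host at a dynamic domain) is the kind of rule a SIEM tuning pass would add. The following is an added example, not code from the article: it runs simple correlation logic over constructed flow-log lines, with an assumed log format, an assumed dynamic-DNS watchlist, and an assumed 100 MiB volume threshold.

```python
import re
from collections import defaultdict

# Constructed flow-log lines for this example (not from the article):
# timestamp, source host, destination host, destination port, bytes out.
SAMPLE_LOG = """\
2017-06-02T01:14:07Z ehr-db-01 10.20.4.15 443 2144
2017-06-02T01:15:22Z ehr-db-01 files.example-ddns.net 21 524288000
2017-06-02T01:31:09Z ehr-db-01 files.example-ddns.net 21 610000000
2017-06-02T02:05:41Z ws-stewart updates.vendor.example 443 18000
2017-06-02T02:44:13Z ehr-db-01 10.20.4.15 1433 9000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")
# RFC 1918 ranges; any other destination is treated as leaving the practice network.
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
# Assumed dynamic-DNS watchlist; a production SIEM would load this from a threat feed.
DYNDNS_SUFFIXES = ("ddns.net", "dyndns.org", "example-ddns.net")
FTP_PORTS = {20, 21}
VOLUME_THRESHOLD = 100 * 1024 * 1024  # assumed: 100 MiB outbound per src/dst pair

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}

def detect_exfil(log_text):
    """Return {(src, dst): {"bytes": n, "reasons": set}} for suspicious outbound pairs."""
    totals = defaultdict(int)
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or PRIVATE_RE.match(rec["dst"]):
            continue  # skip unparsable lines and internal-only traffic
        key = (rec["src"], rec["dst"])
        totals[key] += rec["bytes"]
        if rec["port"] in FTP_PORTS:
            reasons[key].add("cleartext-ftp")
        if rec["dst"].endswith(DYNDNS_SUFFIXES):
            reasons[key].add("dynamic-dns-host")
    alerts = {}
    for key, nbytes in totals.items():
        if nbytes > VOLUME_THRESHOLD:
            reasons[key].add("outbound-volume")
        if reasons[key]:  # ordinary external traffic (e.g. vendor updates) stays quiet
            alerts[key] = {"bytes": nbytes, "reasons": reasons[key]}
    return alerts
```

On the constructed sample, only the EHR server's FTP sessions to the dynamic-DNS host fire, with all three reasons attached; the workstation's small HTTPS update traffic does not.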

To be clear, the SOC team wasn’t slacking during this time. Operations was slammed with researching solutions, false positives and industry intelligence. The sheer volume of noise Malcolm’s team sorted through on a daily basis was nothing short of dizzying.

An Unfortunate Hack Discovery

Malcolm’s worst nightmare came true three weeks later: He received a direct message on Twitter from a well-known security blogger and researcher who had a reputation for detecting leaks. But he wasn’t asking for an interview — he wanted Malcolm’s email address.

Malcolm’s heart pounded as he read through the email: “Sorry to be the bearer of bad news … ” The blogger went on to explain how he’d discovered the PHI of some of Lincoln Healthcare’s patients on a Dark Web forum dedicated to stolen information exchange. He included enough screenshots to confirm this was not a false alarm.

Lincoln’s Last-Minute Cybersecurity Incident Response

Malcolm’s hands shook as he sent a chat message to Lincoln Healthcare’s chief information security officer (CISO). Less than 30 minutes later the two sat across a table from Lincoln Healthcare’s CEO, legal counsel and chief public officer, discussing what to do next.

“How much is this going to cost us?” the CEO asked.

She looked exhausted, and Malcolm winced as he scanned the latest Ponemon report on data breaches. The report revealed the average cost of a data breach in 2017 was $3.62 million.

The conversation over the next few hours focused on their next steps. Malcolm and the rest of the team contacted law enforcement and began working to hire third-party experts to assist since they weren’t sure how to proceed.

Malcolm spent the following weeks in a stressed-out blur of meetings as he worked with the CISO to hire an incident response team to assist Lincoln Healthcare’s crisis team with the investigation, response and cleanup.

The Better Way to React to Hacks

Often, by the time a data breach is discovered, the malicious party has already done a significant amount of damage. However, there are a few crucial steps Malcolm could take to either prevent or more effectively control a costly breach and avoid the embarrassment of having a third party inform him of a looming security crisis.

To start, the incident response team can block and quarantine attempted zero-day exploits by investing in a robust endpoint security solution. It can also correlate real-time threat intelligence with its own event data in a security information and event management (SIEM) tool and generate timely alerts with a managed detection and response solution.

In addition, Malcolm might consider implementing an incident response platform to trigger real-time notifications during a data breach. An identity governance solution, meanwhile, can notify the team of escalated user privileges and lock down compromised accounts. Finally, participating in threat sharing can help Malcolm and his team stay up to date on risky IP addresses and servers.

There’s no escaping the fact that cybercriminals are targeting valuable information, including everything from client PHI to financial records. When coupled with the dramatic growth of zero-day exploits, there are very real challenges confronting today’s SOC directors.

The best reaction to a hack is the one put in place before an emergency cybersecurity incident response becomes necessary. With an ecosystem of solutions, your security operations team will gain the power to detect, respond to and mitigate threats at every step of the process.
