Don’t wait another day to create a cyberthreat intelligence sharing team. Delve into the web’s dangerous corners, exchange what you find, learn from banking and defense. Just don’t presume cyberthreats won’t happen to you.
Anytime a major security incident occurs whether in healthcare or elsewhere the cyberintelligence team at insurer Aetna springs into action.
“When a large batch of credentials is released to the public on the dark web or on a website like Pastebin, we apply analytics to identify credentials that may be the same as what members are currently using,” Aetna CISO Jim Routh said.
If Routh’s team spots a match, that means there’s enough of a possibility that the cybercriminals could try to use those credentials for nefarious purposes that Routh has to address the situation.
“Out of an abundance of caution, we will force a password reset to proactively protect those accounts,” Routh explained. “Then we look for similarities in user IDs that may apply to our top vendors and we alert any that are impacted.”
And that’s just to start.
More sophisticated than traditional security
It’s worth noting that Denise Anderson, executive director of the National Health Information Sharing and Analysis Center, otherwise known as NH-ISAC, described Aetna’s team as particularly strong and savvy compared with the current state of healthcare organizations.
In other words: Many CIOs and chief information security officers could learn a lot from Routh and company.
Routh, in fact, was the global head of application and mobile security for JP Morgan Chase and worked for American Express before signing on with Aetna.
Indeed, Anderson explained that banking and defense sectors are ahead of healthcare in cyberthreat intelligence sharing—healthcare was hardly even talking about cyber as recently as five years ago.
“Threat intelligence is a relatively new concept and term,” Anderson said. “Intelligence should influence the more granular day-to-day work like looking at IP addresses and subject lines in emails.”
Sharing makes it better
Healthcare organizations that have not yet established a cyberthreat intelligence program should not rest on the presumption that you won’t have a security incident.
Many a CISO has said that there are two types of information security professionals in healthcare: Those who have been attacked or hacked and those who just don’t know they have.
Even though threat intelligence sharing is relatively new to healthcare there are a fistful of best practices that forward-thinking security professionals are employing already.
A first step is to participate in the intelligence sharing community that already exists by becoming a member of the NH-ISAC Anderson runs, joining InfraGard, the joint FBI-private sector partnership, work with the U.S. Computer Emergency Readiness Team (US-CERT), Department of Homeland Security’s Cyber Information Sharing and Collaboration Program (DHS CISCP), among others.
Don’t settle on just one, either. Routh recommended cultivating multiple sources to achieve best results because each can uncover different information.
“Gather information and read, read and then read some more. Develop a way to consume the intelligence you receive and make it actionable,” said Dan Wiley, head of incident response and threat intelligence head at Check Point. “Context is key to intelligence. The only way you can provide context to intelligence is to layer your knowledge about your environment with the intelligence you receive from others.”
Consider it a community. Give back. Share what you know about threats, solutions, what works, what doesn’t, and recognize that attackers — whether they’re acting alone, as part of a criminal syndicate, or even state-sponsored bad actors — are growing increasing sophisticated.
Delve into the dark web
To truly grasp what CISOs and infosec professionals are up against, it’s necessary to understand the threat landscape and, to every extent possible, your enemies.
“Get your house in order before stepping out into the threat intelligence arena,” said Bob Chaput, CEO of Clearwater Compliance. “This team must have the ability to identify a cyber incident and shut it down before the entire IT infrastructure is compromised.”
That encompasses having an intelligence team, strategy, framework, plan and infrastructure in place to defend the fortress, and only then exploring the internet’s murkiest corners.
“Ensure that some of your sources are active in the dark web and apply economic analysis to behaviors of criminal syndicates that use the dark web,” Routh said.
These practices require more acuity than the daily grind of security and compliance.
NH-ISAC’s Anderson said that seasoned intelligence experts, many of whom come out of the military, have the expertise to gather information about Tactics, Techniques and Procedures (TPPs), tracking cybercriminals, following campaigns and understanding the motivations of bad actors.
Anderson noted that healthcare entities can either hire infosec professionals with that experience or outsource threat intelligence. Either way, she recommended looking to other industries to learn about their processes and procedures, glean insights from how they sold cyberthreat intelligence sharing programs and the money required to fund them to the C-suite, and what they have learned working with security vendors.
A powerful warrior: Patience
Threat intelligence is an evolving and ongoing process. Never ending, even.
Check Point’s Wiley went so far as it to call it a life-long learning process, while Chaput rattled off regular testing, keeping current with application and operating system vulnerabilities, continual awareness and training about imminent threats, among the tasks to conduct on a regular basis.
Anderson, for her part, pointed out that the banking and defense industries started out slowly and healthcare is poised to follow suit.
“Intelligence activities take time,” Aetna’s Routh said. “So be patient and choose trends and topics for the long term.”