After an Iranian general was killed in a U.S. drone strike last week, security experts and the Department of Homeland Security is warned of possible cyber strikes from Iran that could target critical infrastructure, government agencies as well as private businesses. So what kinds of potential attacks should U.S. health care sector entities be prepared to deal with?
I'm Marianne Cobisak-Bigie, Executive Editor at Information Security Media Group. Today I'm speaking with Caleb Borlow, CEO of Security Consulting firm Sinajistek. Caleb has spent several previous years fighting Iranian-based cyber attacks, including on companies in the U.S. and elsewhere.
So Caleb, for starters, very briefly describe the kind of previous work you did involving Iranian cyber attacks, what sorts of cyber attacks, and what sorts of entities were the victims? Well, you know, in a prior life, the time building out large-scale response teams. And interesting enough, one of the areas that my team became really specialized in was responding to what I call destructive attacks. You know, scenarios where when you walk in the night on Tuesday, it's all gone.
Now, we've all been so accustomed to the traditional data exaltration attack where, you know, bad guys deals, data, intellectual property, and that's bad, but the system still works. Now, what happens in a destructive attack is kind of like ransomware. It's all locked up, but there's nobody to pay. There's no getting it unlocked.
And you can't even restore from backup in these scenarios because the malware that's used destroys the boot record on the device. So you have to low level format the drive on a computer meeting. You have to manually touch it. And oftentimes, you know, the approach ends up with people involved in actually replacing the equipment.
Now, let me just put this in perspective. And keep in mind, two things to understand about destructive or wiper attacks. First of all, the vast majority of them have not hit the United States. And there's a couple of exceptions.
And the second thing to understand is you can count all of these on less than two hands, right? There's very few of them. But if you look at the extent of the damage that is caused, you know, so the IBM X-Force actually did some work in, this is public data, they view the average cost of the attacks we've seen so far as over $200 million per incident. And on average, 12,000 devices are destroyed in an attack.
Now, again, keep in mind two things. One, there have been very few of these today that mostly have been focused in the Middle East. And two, they've been focused on a large scale industrial control systems in the energy and natural gas sector. But part of what we have to understand with the recent events over the last week is the targeting and the geographies in which these attacks may very well change.
So Caleb, based on what you just said and the fact that so far, thankfully, we've seen few of these sorts of attacks, what would an attack like this, a wiper attack in the healthcare sector potentially look like, what would be the mechanics of such an attack, and what would be the potential damage to an organization and potentially the overall sector? Well, the first thing we have to recognize is that we actually have a very good lens into this when we look at what has occurred, particularly over the last number of months, with ransomware attacks, right? So in a lot of ways, the method in which an adversary gets onto a system, the method in which they move laterally, the time in which they'll wait and build access to systems, oftentimes they'll wait between one and four months once they're in to make sure that their malware is deployed on as many systems as possible and that it's been backed up, you're going to see all the same trends. We've all become somewhat accustomed to seeing that today with the ransomware incidents, whether it was more than 100 nursing home facilities that were locked up or the three hospitals we saw down in Alabama locked up.
And there have been countless examples in the last number of months of various types of hospitals and other healthcare institutions that have been locked up with ransomware. Here's the key difference. Pretty much every one of those scenarios, at some point in the process, someone made the decision to pay. Now, it doesn't mean it made life a whole lot easier.
Oftentimes, they had months worth of work to take paper, medical records, and put them back in electronic form. In many cases, they were having to divert patients or, you know, stop scheduling altogether. In one case, in a practice in California, where they didn't pay, they couldn't afford to pay, they literally had to close up shop, because think of it this way. If you can't get access to this schedule, you don't know who's going to walk in the door tomorrow.
And if you don't have access to the medical records, you have no idea what somebody's history is, right? So in most incidents people have paid, it's still a brutal process, but there's been a way to get the data back. Now, not that I would necessarily condone paying it, but this is the reality we're in. So the first thing to understand is that if a system is locked up with a destructive attack, it's gone and it's never coming back.
And that the systems have to be manually touched to restore them. You can't do anything online, there's no automation you're going to build. And in most cases, you're probably replacing that hardware if it's aged, because you probably don't even have access to the drivers anymore in a low level format machine. So the impact is devastating.
And you know, I think if we look at the financial system of a lot of hospitals, the real question you get into is how long could you operate without access to your EHR, without access to patient history, and without access to be able to build? And I think in a lot of institutions, that answer is probably measured in a matter of weeks. So the kind of impact there is really potentially significant. Now what we should also talk about is what are the chances of this happening in healthcare?
And so how likely would that be? Well, the first thing we have to understand, what I always encourage my teams to do is ask two key questions. What is the likely next move of your adversary? And what is the likely worst thing they could do and prepare for both of those?
So if we look at Iranian attacks to date, and again, I'm talking about destructive attacks, not information attacks, you know, not DDoS attacks and things like that. We're talking about these destructive attacks. These have historically been focused on economic gain, right? So the method in with the intent, if you will, was to either manipulate the supply or the cost of oil and natural gas in the Middle East.
Now that intent also came with a very tight focus, because if you kept focused to that specific geography, that specific industry, you were hopefully able to, if you were the adversary, get that economic gain you were after, but also limit the chances of repercussions. So again, you did not see these attacks with one or two exceptions, land here in the United States, and you really didn't see them migrate outside of ICS. So when most security researchers look at what happened last week, they say, oh, well, be worried about destructive attacks in industrial control system. But I think you actually have to pause and take quite a different look.
And you have to say, well, with what happened last week, where the US took out a top Iranian military commander, has that intent changed? And the simple answer to that is absolutely the intent of any retaliation would actually be either influence or political in mind, meaning that you want to generate as much chaos as possible, and you're no longer restricted to operating just in that specific geography, because you know that this is retaliatory in nature, and you're getting a little more emboldened in your retaliation, if you will. So there are two things that are likely to happen. And to understand this, you have to understand a little bit about how Iranian cyber operations are organized.
First thing you have to understand, depending on which numbers you want to believe, is there somewhere between around 120,000 cyber operators that are operating either in Iran or on behalf of. Now, this is a very loose-knit organization of many individuals that are either kind of in contract or loose relationships to the government. This is not necessarily a military operation, at least not at that kind of scale. Now, where this becomes important is when we go back to that keyword intent.
So the intent of the government, if we look at that, is probably driven more on influence operations. Because if they target influence, you know, everything from social media, at this moment, this is largely going to target the US government, military, and frankly everything 12. But it probably leaves out the American people. And in fact, if you look at some early messaging from the Iranian government, that really seems to be the party line.
And let's say in election year, there are lots of ways you could respond with influence operations that at least part of the US population may or may not have a huge issue with. And, you know, it sounds like they're already started down that path. Now, remember what I said about how they're organized. Not all of these cyber operators are working directly for the government.
One of the things that a lot of us are worried about is that because there is a once or twice disconnected connection to the government, there's an opportunity for more rogue operators, individuals that maybe want you to do things on behalf of the government but aren't necessarily directly tied. And there's an opportunity for a lot more rogue operators. Now, they're going to be looking for things that are more opportunistic. Now, we know their tool of choice is wiper-based attacks.
And if they're no longer constrained on operating just in the Middle East and no longer constrained on just touching ICS systems, you start to look at this and say, well, what might be opportunistic? Where could they get access to targets that have a direct impact on the US population? You know, and then they're going to get in the press. They're going to get them lost of attention and awareness.
And the simple answer to that in my view, and this is just one theory, is look no further than ransomware. Look no further than the targets of ransomware. Well, why? One, we know it works.
We know those targets are relatively weak in their defenses, let's say compared to the energy sector or the financial services sector. Two, we know historically that those networks are not segmented that once you get on you can move laterally and that impact can be significant. And three, we know these environments garner lots of press. So if we think about who has been targets of ransomware, we also have to recognize that if you're an adversary, you don't even need to do the work to do the target.
You can buy it openly on the quick. Because remember, you can buy ransomware targets as a service. So, you know, not only this opportunistic, a lot of the work up front, all of the kind of reconnaissance work is already done. So who falls into that category?
Well, unfortunately, it's a lot of US local and even state governments, police stations, school systems, things like that. And probably the most likely to be attacked in a ransomware incident is healthcare. So I think the point here is not to say, oh, well, there's a high probability that healthcare is going to be attacked. That's not what we're saying at all.
What we are saying, however, is that we need to be prepared for a different type of attack and healthcare based on this information. We need to be prepared for a wiper based attack and there's certain actions we need to take. And we also need to realize that, you know, we need to up our defenses here because the world has changed. And Caleb, for healthcare sector entities in the US to be prepared for these possible attacks, what should they be doing at this point?
Well, there's a couple of things. So on the basic hygiene front, and these are all things that I'm sure listeners of this podcast have heard before, you know, you need to be worried about phishing emails, credential, compromise, you need to have basic provisions in place, like have your network segmented, which unfortunately is a real challenge in healthcare for a lot of institutions. You need to have more than any virus. You need to have a world class and point detection in response to one place because that's where you're going to find these folks.
That's how you're going to get triggered is when some file you've never seen before suddenly gets deployed to hundreds of thousands of machines with your infrastructure. You need to have two-factor authentication on all of your systems. And most importantly, admin credentials really need to be very limited. You don't want people just logging on everything with admin credentials, but you want to limit for a particular credential how many systems they have access to because if a bad guy gets access to one admin credential, you don't want them to have keys to the entire kingdom.
So that's kind of the hygiene stuff. Now let's talk more tactically. More tactically, first of all, you have to recognize that in my experience, these incidents, they can be on a network for anywhere from a month to three or four months before they detonate their attack. So you have to recognize that getting good backups and getting them offsite and disconnected is critical.
You know, I can't see how many times I've seen a situation where a company is doing a good job backing up, but because bad guys waited 30-60 days, they not only got into the primary backups, they got into the long-term backups, they got into the backup servers and fall gone. So get some good solid offsite disconnected backups, particularly backups of things like your domain controllers, crown jewels, systems, make sure you're segmenting those IDs. But here's the new thing. You need to build resiliency plans.
So your incident response plan isn't just about calling your insurance carrier and bringing in a forensics firm to go do the work. It's about actually having a business resiliency plan. How are you going to communicate? If all your systems, which likely and believe it or not, often includes the phones because they're always over IP, how are you going to communicate to orchestrate a response if all of that is down?
What is your response plan to operate in a decorated way? And these are things you don't have. There are plenty of companies, including mine, that can help you build those. But most importantly, and I think that the big message is start to think about this threat landscape in a new way, because unfortunately, a lot just changed.
Now the last thing I'll leave you with, and this is an interesting anecdote. You also really want to look at your insurance policy. The thing that most people don't realize is that in an active war or an active aggression from a foreign adversary, most insurance policies aren't going to pay out on that. Now you can get into a whole philosophical conversation about who declares when something's an active war.
But the simple reality is, if some level of a nation-state adversary is taking credit for an attack on your institution, the odds that your insurance company are going to pay out on that are significantly diminished. In fact, you'll even find terms like that in your homeowner's policy. So make sure you understand that and realize that a lot of the traditional backstuffs you're thinking about in an attack like this and a destructive attack really go away. And therefore you need a new plan.
So Caleb, with this well said, what should health care sector entities be looking for in order to spot these sorts of attacks before they do the most damage? And unfortunately, nobody's going to love the answer. You have to look for those really strange anomalies that don't occur very often. So for example, if you see a file getting deployed to hundreds of machines and you have no idea what it does, you need to start to ask questions.
If you see some unusual access, particularly from an admin, across a large number of machines, you need to ask that question. Now the good news is, there's lots of security tools out there that people have been buying have deployed to detect that. But here's where the adversary is really smart. And we've seen this in practice.
They know how a security operations center works. So I've seen them actually go get access to lots of credentials and then stop and do nothing for 31 days. And the reason for that is they know how a queue in a SOC works, which is that's going to set off flags and triggers and alerts. But any SOC operator is going to go in there and look at it.
I don't understand what this is. They're going to start their investigation. They're not going to figure it out because you didn't do anything. You just got access to a bunch of accounts.
And after a couple of weeks, that incident is going to fall at the bottom of their queue. And after about a month, they're going to forget about it. And literally, I've seen this happen a month of the day. Then they go to point their malware.
Of course, that's all triggers and alerts and all kinds of things all over the place. And then they do nothing for another whole month. Let that malware just kind of seething into the environment. No one realizes it's a problem.
And the same thing happens. It falls by the wayside and SOC. And then one day, they detonate. We've even seen adversaries go in and get access to specific systems and not do anything on them because they're saving them for the last day when they detonate.
And they want to make sure they still got access to the environment. So, unfortunately, what this means is you have to look for the really hard to find stuff. It means you need skilled operators in the environment. And the term that's used for this, you may have heard the term hunt.
You know, hunt teams. Unfortunately, that's the level of sophistication that's required to find these types of attacks. Great information, Caleb. Thank you.
I've been speaking to Caleb Barlow. I'm Mary Ann Kolbasak McGee, Information Security Media Group. Thanks for listening.