Traversing one step at a time: The lateral movement attack phase in a healthcare network.

Did you know that hackers can fetch up to a thousand dollars on the black market for health records but only a few dollars for Social Security numbers and credit cards?

The wealth of exploitable information contained in electronic health records (EHRs) makes healthcare one of the most lucrative targets for hackers. While the internet of medical things (IoMT) market has grown and diversified rapidly, 71 percent of the medical instruments that run Windows operating systems still use versions that will expire by January 2020. Running unsupported, outdated software on medical equipment favors cyberattackers and entices them to exploit this obvious vulnerability.

Cyberattacks are becoming more premeditated, prevalent, and persistent in the healthcare sector. Hackers employ various tactics to gain access to sensitive information guarded in a hospital network. Successfully executing a cyberattack involves the following stages: reconnaissance, intrusion, privilege escalation, lateral movement, and data exfiltration. These stages constitute the cyberattack life cycle, also known as a cyber kill chain. The prime difference between a strategically planned attack and a smash-and-grab incident is the lateral movement phase, which enables hackers to lurk in the network until they can exploit a hospital's critical database and harm the organization.

Understanding lateral movement.

Lateral movement is a technique used by hackers in sophisticated cyberattacks, such as advanced persistent threats (APTs), to systematically traverse a network in order to identify, intrude on, and exfiltrate valuable data. To avoid detection, criminals initially gain access to low-privileged assets that have little protection. Hackers then utilize various tools and methods to move between devices and applications in the network, escalate privileges, and eventually gain access to the organization's prized data assets.

Penetrating the healthcare organizations' network.

This is the penetration stage, where the hackers enter the organization's network. The rise of social engineering techniques makes this much easier; for example, a phishing email to a doctor's office with a From address that appears credible and a legitimate-looking patient ID in the subject line might be sufficient to convince the doctor to open the email. Cybercriminals can also gain access to the network through physical means: plugging infected flash drives into unprotected computers or interactive kiosks can also grant adversaries access to the network.

Compromising the infected node.

In the phishing email scenario mentioned in the "Penetrating the healthcare network" phase, the hacker could've attached a file titled "Blood Test Report." Unsuspecting doctors will instantly download it because they want to stay up-to-date on patients' health information. The attachment could contain macros that establish a connection with a malicious command-and-control (C&C) server, which begins operating in the background without the doctor's knowledge. The attackers behind the C&C server can now easily operate the compromised computer. They can utilize this device to perform further surveillance on the network before proceeding deeper into the network towards critical servers.

In the following sections, we examine three stages of lateral movement that enable hackers to probe deeper into the network and reach crucial data assets: surveillance, privilege escalation, and network navigation.

Exploring the network.

The first stage of lateral movement is surveillance. Here, the attackers begin exploring the hospital's network to spot weak nodes and sensitive data.

They scan the network using open source tools such as Nmap to gather intelligence on the services running on a system, active network connections, open ports, and vulnerabilities in the network. Apart from third-party applications, cyberattackers also use several built-in Windows tools to avoid detection. Net User is a command-line tool for gathering account information and making changes to user accounts. Identification of active network connections also happens during this phase with the help of tools such as Netstat. Using this information, the cybercriminals sketch out a plan to reach the organization's crown jewels—the critical database containing personally identifiable information (PII) and personal health information (PHI) records of patients. This information can be used for various malicious purposes that put patients' privacy and security at risk.

Why break doors when the keys can be stolen?

The attackers now start looking for ways to gain administrative rights and escalate privileges. Tools like Mimikatz and Pwdump that assist in credential theft are readily available. These tools extract cached plain text passwords and certificates from compromised machines; the attackers then use these stolen credentials to authenticate to other machines. Pass the Hash and Pass the Ticket attacks may also be performed by the hackers to escalate privileges. Healthcare is the only sector where the proportion of insider attacks is greater than attacks by outsiders, so malicious insiders disseminating credentials for financial benefits or other motives cannot be ignored.

Burrowing deeper.

By now, the attackers have gained administrative privileges and have started controlling the systems from remote locations using remote administration tools (RATs) and command-line tools to dig deep into the network. While they have already compromised multiple systems in the network, they need to move closer to the prized asset in order to exfiltrate it. PsExec, which executes processes on remote systems over the SMB protocol, is also used to navigate from one device to another. It's not uncommon for a doctor or privileged network user to access sensitive data from remote locations, as they might travel to treat patients or attend medical conferences. This prevalence of remote access by legitimate users makes it difficult to distinguish fraudulent logs from legitimate ones. The attackers also ensure that they move towards the critical data servers along multiple parallel paths so they can remain in the network even if their cover is blown on one of the planned routes. Successful hackers pivot back and forth between different compromised nodes and continually burrow deeper into the network.

Through lateral movement, hackers penetrate deep into the hospital's network and gain access to critical databases such as the EHRs and PHI. These databases are a rich repository of PII, containing names, addresses, phone numbers, Social Security numbers, medical histories, and patient laboratory results. Each can be used to perform identity theft, synthetic identity fraud, or derive inferences to target the victims based on factors like ethnicity or health conditions. 

Intruders can also disrupt a hospital's operations as they proceed through the network by manipulating operational technologies, including a wide range of devices in the organization's network that assist in the diagnosis, treatment, and monitoring of patients. Such an incident would create havoc in the hospital's operations, potentially leading to life-threatening consequences; for example, exploiting a medicine infusion pump to alter the rate at which the drug is released into a patient's blood stream can instantly cause severe side effects or even death.  

Stop lateral movement in its tracks

While combating lateral movement within a network might appear intimidating because of its stealthy nature, this is also the stage of the kill chain where an attack can be effectively contained. Lateral movement gives defenders an edge over the attackers for two reasons. First, lateral movement takes up the largest share of time in a cyber kill chain; the presence of hackers in the network for long periods makes it easier for IT admins to spot and contain attacks. Second, in this phase the attackers are forced to move ahead with uncertainty until they reach the desired location. This lack of control over navigation also makes the intruders more prone to detection.

A security solution that tracks the logs of both users and systems is required to obtain a complete picture. Keeping a watchful eye on network logs and correlating incidents to derive insights can aid healthcare IT administrators in detecting lateral movement. While it's impossible to manually monitor every activity that occurs in the network, IT administrators can deploy numerous automated security analytics tools. These tools utilize advanced technologies such as machine learning, threat intelligence, and correlation techniques to identify network issues and alert IT administrators.
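As an added illustration of the log correlation described here and of the surveillance and navigation stages above (example code, not from the original post or from any product it mentions), the Python below runs three rules over constructed Windows event records: a burst of distinct enumeration tools from one host (surveillance), a network-logon fan-out from one source to many hosts within minutes (navigation), and a PsExec-style service install on the target. Hostnames, users, timestamps, thresholds and the simplified event fields are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (hypothetical hosts, users and times; not from the page). Fields are a
# simplified view of Windows events 4688 (process creation), 4624 (logon) and 7045 (service install).
EVENTS = [
    {"ts": "2020-01-10T09:00:01", "id": 4688, "host": "DR-PC-07", "user": "dr.smith", "cmd": "net user /domain"},
    {"ts": "2020-01-10T09:00:09", "id": 4688, "host": "DR-PC-07", "user": "dr.smith", "cmd": "netstat -ano"},
    {"ts": "2020-01-10T09:01:30", "id": 4688, "host": "DR-PC-07", "user": "dr.smith", "cmd": "nmap -sS 10.20.0.0/24"},
    {"ts": "2020-01-10T09:10:00", "id": 4624, "host": "LAB-SRV-01", "user": "svc_backup", "src": "DR-PC-07", "ltype": 3},
    {"ts": "2020-01-10T09:11:00", "id": 4624, "host": "PACS-02", "user": "svc_backup", "src": "DR-PC-07", "ltype": 3},
    {"ts": "2020-01-10T09:12:30", "id": 4624, "host": "EHR-DB-01", "user": "svc_backup", "src": "DR-PC-07", "ltype": 3},
    {"ts": "2020-01-10T09:12:40", "id": 7045, "host": "EHR-DB-01", "user": "svc_backup", "svc": "PSEXESVC"},
    {"ts": "2020-01-10T14:00:00", "id": 4624, "host": "FILE-01", "user": "nurse.lee", "src": "NURSE-PC-3", "ltype": 3},
]
RECON_CMDS = ("net user", "net group", "netstat", "nmap")  # enumeration tools named in the post

def _t(e):
    return datetime.fromisoformat(e["ts"])

def detect_recon(events, window=timedelta(minutes=10), min_tools=2):
    """Surveillance stage: several distinct enumeration tools run by one host/user inside a short window."""
    seen = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["id"] == 4688 and (hit := next((p for p in RECON_CMDS if e["cmd"].startswith(p)), None)):
            seen[(e["host"], e["user"])].append((_t(e), hit))
    alerts = []
    for (host, user), evs in seen.items():
        tools = {p for t, p in evs if t - evs[0][0] <= window}  # distinct tools within the window
        if len(tools) >= min_tools:
            alerts.append(("surveillance", host, user, len(tools)))
    return alerts

def detect_fanout(events, window=timedelta(minutes=15), min_hosts=3):
    """Navigation stage: one source host authenticates over the network (logon type 3) to many hosts."""
    by_src = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["id"] == 4624 and e["ltype"] == 3:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):  # sliding window anchored on each network logon
            hosts = {x["host"] for x in evs[i:] if _t(x) - _t(first) <= window}
            if len(hosts) >= min_hosts:
                alerts.append(("network navigation", src, first["user"], sorted(hosts)))
                break
    return alerts

def detect_remote_service(events):
    """PsExec-style remote execution installs a service on the target host; event 7045 records it."""
    return [("remote service", e["host"], e["user"], e["svc"]) for e in events if e["id"] == 7045 and e["svc"].upper().startswith("PSEXESVC")]
```

The single nurse logon at 14:00 produces no alert, which is the point of correlating across events rather than flagging every remote login by a legitimate user.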

IT admins with hospital networks need to be alert to stay secure. The problem is not just "Hey, we've lost a health record"; it could foreshadow a larger issue, possibly placing a human life at risk. 
