Advanced Persistent Threats – Time for a Threat Hunting Capability
Date
Wed, Oct 16, 2024, 05:00 AM
APTs
NIST defines the APT as: “an adversary or adversarial group that possesses the expertise and resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception.”
Further, NIST states that “the APT objectives include establishing a foothold within the infrastructure of targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, function, program, or organization; or positioning itself to carry out these objectives in the future. The APT pursues its objectives repeatedly over an extended period, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives.”
The Need for a Threat Hunting Capability
Healthcare organizations must understand that they are facing a threat vector executed by organized and motivated threat actors. Their approaches may differ across organizations, so detection is not just about looking for indicators of compromise, but also about studying the motivations and tactics of the currently identified nation-state actors. As this is an evolving playing field, organizations must develop and maintain a threat hunting capability. It is most optimally placed in the Security Operations Center (SOC), where the SOC team can leverage several well-developed resources for guidance and real-world data.
Resources
NIST
The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, has identified the APT as a critical attack vector and has issued informational guidance and approaches.
Notably, NIST has issued NIST Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information.
(This is a supplement to NIST SP 800-171r3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.)
NIST SP 800-172 contains recommendations for enhanced security requirements to provide additional protection for Controlled Unclassified Information (CUI) in nonfederal systems and organizations when such information is associated with critical programs or high value assets. (This guidance is relevant to healthcare organizations because they are the type of organization for which it is intended: nonfederal systems that hold high-value assets.)
The enhanced security requirements are designed to respond to the APT and supplement the basic and derived security requirements in SP 800-171. While the security requirements in SP 800-171 focus primarily on confidentiality protection, the enhanced security requirements in this publication address confidentiality, integrity, and availability protection.
The enhanced security requirements are implemented in addition to the basic and derived requirements since those requirements were not designed to address the APT. The enhanced security requirements apply to those components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components.
MITRE ATT&CK
MITRE ATT&CK is a comprehensive knowledge base that contains information on current APT threat vectors and actors tracked by The MITRE Corporation. The information in ATT&CK is based on real-world data gathered over several years. ATT&CK can be leveraged by SOC teams to develop threat hunting capabilities and, in some cases, to develop threat detection rules, as the ATT&CK knowledge base contains information on the tactics, techniques, and procedures (TTPs) for the most recently tracked threat actors.
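As an added illustration of the two points above (hunting on tactics rather than single indicators, and labelling detection rules with ATT&CK TTPs), the following Python script is example code written for this page, not code from the article, NIST or MITRE. The log format, host names, user names, addresses and the failed-logon threshold are constructed assumptions; the technique IDs T1110 (Brute Force), T1078 (Valid Accounts) and T1059.001 (PowerShell) are real ATT&CK entries.

```python
"""Added example (not from the article): a small threat-hunting pass whose
detection rules are labelled with MITRE ATT&CK technique IDs and run over
constructed sample log lines. Log format, thresholds, hosts and users are
assumptions; the technique IDs and names are real ATT&CK entries."""
import shlex
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines (not real telemetry): a timestamp followed by key=value pairs.
SAMPLE_LOGS = [
    "2024-10-16T05:01:10 host=ws01 event=logon_failed user=jdoe src=10.0.0.5",
    "2024-10-16T05:01:12 host=ws01 event=logon_failed user=jdoe src=10.0.0.5",
    "2024-10-16T05:01:14 host=ws01 event=logon_failed user=jdoe src=10.0.0.5",
    "2024-10-16T05:01:16 host=ws01 event=logon_failed user=jdoe src=10.0.0.5",
    "2024-10-16T05:01:18 host=ws01 event=logon_failed user=jdoe src=10.0.0.5",
    "2024-10-16T05:01:25 host=ws01 event=logon_success user=jdoe src=10.0.0.5",
    '2024-10-16T05:02:03 host=ws01 event=process_start user=jdoe image=powershell.exe cmdline="powershell.exe -EncodedCommand SQBFAFgA"',
    "2024-10-16T05:03:40 host=ws02 event=logon_failed user=bsmith src=10.0.0.9",
    "2024-10-16T05:03:55 host=ws02 event=logon_success user=bsmith src=10.0.0.9",
    '2024-10-16T05:04:10 host=ws02 event=process_start user=bsmith image=notepad.exe cmdline="notepad.exe notes.txt"',
]

# ATT&CK technique ID -> (technique name, primary tactic). These are real ATT&CK entries.
TECHNIQUES = {
    "T1110": ("Brute Force", "Credential Access"),
    "T1078": ("Valid Accounts", "Initial Access"),
    "T1059.001": ("PowerShell", "Execution"),
}


@dataclass(frozen=True)
class Finding:
    technique_id: str
    host: str
    detail: str

    @property
    def label(self) -> str:
        name, tactic = TECHNIQUES[self.technique_id]
        return f"{self.technique_id} {name} ({tactic})"


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict; shlex keeps quoted values intact."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    fields["ts"] = ts
    return fields


def hunt(lines, fail_threshold: int = 5):
    """Run the three ATT&CK-mapped rules and return findings in rule order."""
    events = [parse_line(line) for line in lines]
    findings = []

    # Rule 1 (T1110): repeated failed logons for one account from one source.
    fails = Counter(
        (e["host"], e["user"], e["src"]) for e in events if e["event"] == "logon_failed"
    )
    bursts = {key for key, n in fails.items() if n >= fail_threshold}
    for host, user, src in sorted(bursts):
        findings.append(Finding("T1110", host, f"{fails[(host, user, src)]} failed logons for {user} from {src}"))

    # Rule 2 (T1078): a success from the same source after a burst means a guessed
    # credential now works. This is a chain of tactics, not a single indicator.
    for e in events:
        if e["event"] == "logon_success" and (e["host"], e["user"], e["src"]) in bursts:
            findings.append(Finding("T1078", e["host"], f"logon success for {e['user']} from {e['src']} after brute-force burst"))

    # Rule 3 (T1059.001): PowerShell launched with an encoded command line.
    for e in events:
        cmd = e.get("cmdline", "").lower()
        if e["event"] == "process_start" and "powershell" in cmd and "-enc" in cmd:
            findings.append(Finding("T1059.001", e["host"], f"encoded PowerShell by {e['user']}: {e['cmdline']}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"[{f.host}] {f.label}: {f.detail}")
```

On the constructed input the pass reports three findings on ws01 (the brute-force burst, the subsequent successful logon with the same credential, and the encoded PowerShell launch) and nothing on ws02, whose single failed logon stays under the threshold. Tagging each rule with its ATT&CK technique and tactic is what lets a SOC team see that the three hits form one adversary sequence and measure which techniques in the knowledge base they can and cannot yet detect.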