Cyber security in the healthcare industry

Enhancing threat visibility with EDR

Case study: How we helped a healthcare provider rapidly detect & respond to advanced malware.

Overview

Leveraging EDR to accelerate the remediation of advanced threats

Discover how Redscan’s Managed Endpoint Detection and Response (EDR) service helped protect a leading healthcare provider against a sophisticated strain of malware – swiftly identifying and disrupting the threat before it spread.

Industry

Healthcare

The Incident

Summary

Large volumes of sensitive patient data
Targeted by sophisticated malware
Need for round-the-clock monitoring

As a private healthcare organisation, Redscan’s client processes large volumes of patient data, including highly sensitive medical records.

To improve the protection of this information beyond the level of security offered by traditional perimeter solutions, the organisation uses ThreatDetect – a specialist managed detection and response service supplying the people, technology and intelligence needed to swiftly identify and help address a wide range of threats.

When Redscan’s client was targeted by a sophisticated type of malware that sought to harvest employee credentials and exfiltrate data, Redscan’s experts were on hand to quickly identify, investigate and respond to the attack to minimise operational disruption and prevent patient details from being stolen.

The Investigation

Summary

ThreatDetect™ MDR
Incident analysis
Kill chain investigation
APT identification
Future incident prevention

Proactive Intrusion Detection System (IDS) and Security Information and Event Management (SIEM) monitoring are key features of Redscan’s ThreatDetect Network MDR service that help to identify attacks targeting on-premise, cloud and hybrid IT environments.

Having first become aware of some suspicious port-scanning activity on the client’s infrastructure, Redscan’s Cyber Security Operations Centre (CSOC) analysts were aware that an attack could be imminent.

Endpoint Detection & Response is an optional, but increasingly valuable part of the ThreatDetect service that Redscan delivers to its clients. In this case, Carbon Black’s Response solution was deployed across a series of the organisation’s endpoints deemed to be high risk, enabling Redscan’s CSOC analysts to achieve greater event visibility, enhance threat hunting and perform swifter incident response.

On this occasion, it was Cb Response that first alerted the Redscan team to the presence of malware on two of the client’s host machines. A Redscan analyst set about quickly investigating the alarm and within several minutes was able to establish that the alert was a true positive. Malware with an unknown signature had been detected and was attempting to terminate and delete the host’s Windows Defender Service, as well as connect to a series of known malicious IP addresses.

A priority two (P2) incident was promptly raised to the client by the CSOC via Redscan CyberOps, the threat notification and analytics platform included as part of ThreatDetect. By accessing CyberOps, the client was able to obtain a full overview of the incident and the remediation guidance needed to respond accordingly. On this occasion, the advice was to isolate the infected hosts from the environment, perform a full malware scan and block the observed malicious IPs at the perimeter firewall.

That wasn’t to be the end of the incident however.

Increasing incident severity

Almost immediately after notifying the client of the incident, the Redscan team detected the same malware on two additional hosts, prompting the incident to be escalated to a P1 – a level of classification reserved for critical incidents which pose an extremely high degree of risk.

Redscan’s incident response playbook for malware infections was in full execution at this point. To prevent additional infections, the CSOC used Cb Response to ban the signature of the identified malware binaries and, with the client’s authorisation, used the same tool’s incident response capabilities to quickly isolate all infected hosts from the network.

Investigating the kill chain

Upon containing the malware, the Redscan team set about analysing the kill chain of the attack – how it was able to obtain a foothold on the client’s network and spread so quickly.

By recording each and every file execution and modification, registry change, network connection and binary execution across all installed hosts, Cb Response is an important tool that helps the Redscan CSOC team perform more detailed digital forensics to inspect deeper into IT networks for signs of malicious activity.

One of the binaries that Cb Response identified was attached to the roaming Windows® profile of one particular employee, who had logged into multiple endpoints, thus spreading the infection in the process.

The malware detected, Trickbot, was a Trojan designed to harvest user credentials, exfiltrate data and add infected hosts to a botnet of devices.

While forensic investigation of network and endpoint log files revealed no evidence of data loss, the malware was observed to have conducted an internal network IP scan – designed to obtain DNS information about the network which could be used to help attackers spoof network addresses for social engineering scams.

Owing to the advanced, persistent nature of the malware, identifying the source of the attack proved harder to ascertain. Previous variations of the Trickbot malware are known to be widely distributed by spam emails as well as infected attachments and URLs. The team had no reason to suspect that the source of this infection was anything different.

A highly persistent threat

In the week that followed detection of the original four malware infections, the Redscan’s CSOC team observed 12 additional malware binaries resident on hosts, each with a different signature and attempting to communicate with malicious IP addresses in locations including Russia, Germany, France and Canada. The new infections were linked to the roaming profiles of a number of employees, including a system administrator.

Whenever a new infected host was identified, it was quickly isolated from the network for a minimum of 12 hours and scanned to remove the infection. As an additional precaution, particularly given the evidence that a system administrator had been compromised, all of the client’s employees were encouraged to reset their Windows login credentials.

Further forensic investigation by the Redscan team revealed references, within the malware’s code, to RDP-related registry keys. Disabling Remote Desktop in Windows to mitigate the risk of any unauthorised connections was subsequently recommended.

Preventing future incidents

After receiving confirmation that all infected machines had been successfully cleaned, and with no new infections reported, the incident was finally closed by the Redscan team. Given the severity of the incident, a detailed report was prepared for the client. This included a full event timeline, detailing all actions taken, and a list of recommendations to help mitigate the risk of future attacks.

The advanced persistent nature of Trickbot, and other forms of malware, means that future attacks cannot be discounted. With ThreatDetect Network MDR and Endpoint EDR, the client can be sure, however, that it will be ready to respond quickly and effectively should any anomalous activity present itself.

Service benefits

35% off when you upgrade ThreatDetect™

A significant uptick in the volume of threat activity specifically targeting endpoints and remote workers means it’s vital to ensure that your organisation has the best endpoint security in place. To help our clients achieve greater threat visibility and coverage, we’re offering 35% off the list price of our Managed NGAV and EDR services up until the end of 2020. Benefit from:

The latest endpoint technology

Redscan's agnostic approach to technology means we support a range of NGAV and EDR technologies and will work with you to identify and deploy a solution that’s best tailored to your organisation’s security needs and is fully integrated with our CyberOps platform.

Over 250 high-fidelity use cases

Our experienced team of threat hunters don’t rely on out-of-the-box rules to detect threats. To get the most from your endpoint tool of choice, we've created hundreds of custom-built use cases and apply the latest threat intelligence to continually develop more.

Automated incident response actions

Having the capability to not only detect but also to rapidly respond to threats is essential. By leveraging the power of the latest endpoint tools, we automate incident response actions to disrupt and contain threats as soon as malicious activity is detected within your environment.

Request a quote

Complete the form to learn more and save 35% when you upgrade your ThreatDetect service

Two Redscan team members analysing cyber security intelligence

1000 characters left

I would like to receive invitations, insights and thought leadership content from Kroll

View our privacy policy

Terms and conditions

35% discount is off the total list price of a 12 month package to Redscan’s ThreatDetect service for endpoints (including software licences).
For Redscan clients that do not already subscribe to ThreatDetect with managed endpoint monitoring, minimum order quantity is 100 licences.
Software installation by Redscan is not included as part of the offer and subject to a supplementary fee.
Redscan reserves the right to withdraw or change the terms of this offer at any time.
Offer applies to all orders received by 31st December 2020.