Five Ways to Give Bad Actors a Taste of Their Own Medicine

Last month, I had the pleasure of traveling to Orlando to speak at the HIMSS Global Health Conference and Exhibition about Adversary Infrastructure Analysis. There, I and others on the DomainTools team were able to connect with professionals with several different backgrounds in healthcare and see firsthand how they perceived the future of the industry. Despite ransomware and other cyberattacks making headlines just days before the event kicked off, there was a lot of optimism about the direction healthcare was going. Many in the industry seemed ready to embrace new technology and there was excitement surrounding the growth of cybersecurity related exhibitors and talk tracks.

Enthusiasm is necessary in the fight against financially motivated adversaries. Malicious actors see healthcare organizations as groups that will do anything to resume business as quickly as possible. If they can compromise an online system, adversaries believe they can get a ransom paid with little resistance. But SOC teams can safeguard these critical assets against evolving threats and give them a taste of their own medicine! Learn what tools your security team can use, not just for defense but for disrupting the operations of financially motivated cybercriminals giving them more bad days.

Challenges in Healthcare

Financially motivated cybercriminals are aggressively targeting healthcare organizations with no regard for the lives they put at risk. While not a new behavior, hospitals and the rest of the healthcare industry have been targeted more frequently, now the second most targeted industry by ransomware groups. Thus, it is crucial for organizations to stay alert on infrastructure intended for these activities to strengthen their overall security posture. Two of the biggest problems facing healthcare SOC teams are identifying and responding to these threats faster and enforcing strong defenses across the organization’s network, especially for large healthcare organizations with several attack vectors.

Phishing Discovery and Response: Healthcare organizations rely on gifted security teams to protect patient outcomes. Data and insight enables them to understand potential threats and provides as much situational awareness as possible. To make that happen, phishing analysts and incident responders need tools that help them identify and classify evidence for phishing and other related incidents so they can reduce the efficacy of these attacks. Doing so will result in a reduction in financial losses and an ability to disrupt criminal campaigns in the early stages.

Network Defense: Healthcare organizations often outsource online resources such as patient portals and the management of Internet of Medical Things (IoMT) Devices. This is often an approach taken to online threats as well. Bringing in outside service providers like MSPs and MSSPs can be a great way to scale network defenses, but it can be a lot to manage all of these solutions and turn their discoveries into actionable Internet Intelligence. Enrichment for network defenses allows analysts to quickly assess connections made to any domains identified as high-risk, newly created, or both. Armed with this information, analysts can then make informed decisions about which domains might merit further investigation.

Five Ways to Give Bad Actors A Taste of Their Own Medicine:

• Early-Stage Campaign Disruption: DomainTools Iris Detect provides a near real-time Internet infrastructure discovery, monitoring, and enforcement platform and API that can help your team combat threats to your brand, your employees, and your customers. Use Iris Detect to monitor the names of vendors for potential imitations. When spoof domains are discovered, work with Detection Engineering to set up monitoring of any outbound connections to the spoof domains. These insights can be leveraged with the rest of the DomainTools Iris Intelligence Platform to provide your SOC teams with investigation and enrichment capabilities, enabling your team to disrupt bad actors swiftly and efficiently.
• Flexible Search for a Personalized Phishing Response: Armed with Farsight DNSDB’s Flexible Search and Regular Expression capabilities, analysts can turn the tables on bad actors, unearthing hidden connections and blunting the effects of malicious campaigns with precision. With its historical DNS data and Flexible Search capabilities, Farsight DNSDB allows analysts to not only uncover hidden connections but also proactively disrupt the meticulously orchestrated campaigns of nation-state adversaries. This can be incredibly useful to healthcare organizations who may require a more personalized experience into investigations that identify threats most relevant to an organization of their size, location, etc.
• Predictive Risk Scoring for Identifying High-Risk Domains: In response to the HIPAA Security Rule and the Data Protection Act of 2018, both requiring appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information, healthcare organizations typically keep sensitive information restricted to only employees that need that access and can be held accountable should those assets fall into the wrong hands. DomainTools Threat Intelligence Feeds with predictive risk scoring enable Incident Response teams to identify young or high-risk domains and flag or block them in a trusted environment.
• Identifying Indicators of Compromise (IOC) for Strengthened Network Defense: By importing domain centric IOCs from a trusted group, threat actor report, or other sources into DomainTools Iris Investigate, analysts can pivot and expand to uncover additional indicators. You then query these data sources to quickly and efficiently uncover potential cybercrime and cyberespionage; this allows for the identification of connections between IOCs and the uncovering of broader malicious campaigns before their next attack occurs. Use the Iris Enrich API to add additional context to these domains, displaying these insights in your SIEM, SOAR, or TIP of choice for a seamless view of data.
• DNS Data for Unmatched Insight and Visibility: Timely domain discovery can help thwart phishing and fraud campaigns before they are launched. Data within the DomainTools Iris Intelligence Platform and Farsight DNSDB allow users to paint a more complete picture of their adversaries infrastructure, and enable them to act proactively. DomainTools is the only provider that covers over 97% of the Internet in near-real-time, providing users more data, more frequently, and with more full-Internet risk context than anyone for deeper insight.

DomainTools enables your team to actively disrupt the plans of bad actors, ensuring that they’re stuck with pain so you can get back to providing relief to your patients. In the high stakes landscape of healthcare, the emphasis is not merely on defense but on strategically prolonging the struggle for sophisticated and financially-motivated adversaries.

DomainTools Iris Intelligence Platform and Farsight DNSDB, as integral components of healthcare SOC arsenals, actively disrupt the effects of the operations of adversaries seeking to compromise healthcare organizations. As these organizations strengthen defenses, the resilience against financially motivated cybercriminals grows, ensuring that every adversarial move is strongly resisted, prolonging their headaches while safeguarding patient data. If you’re interested in learning more we highly encourage you to check out our Best Practices Guide for Healthcare.