One hundred and forty pages strong, the Health Industry Cybersecurity Practices (HICP) Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations (https://405d.hhs.gov/Documents/tech-vol2-508.pdf) is a technical volume from the U.S. Department of Health & Human Services (HHS) that provides an overview of the cybersecurity practices HHS has identified as highly effective at mitigating risks in the healthcare industry.
There are many great insights in the document, and one that we were super excited to see was the inclusion of deception technology as a critical component of a comprehensive security posture. Cyber deception is a technique that many organizations have used to create decoys, traps, and other mechanisms that mislead attackers and divert their attention away from actual targets. The document suggests that deception technology is useful for detecting and responding effectively to attacks, and for gaining insights into an attacker’s tactics, techniques, and procedures (TTPs).
We applauded their recognition of the compelling reasons to add deception to an organization’s security posture. Some of these highlights include:
- Reduction of dwell time, achieved through early detection and by diverting an attacker's attention so that they reveal their presence, thereby reducing the time they can spend in the network.
- Improvement in threat intelligence, gained through insights into the TTPs of attackers.
- Increased situational awareness, achieved by using decoys and other mechanisms that also provide early warning of potential attacks.
The report (Section 8.L.F) describes how Healthcare Delivery Organizations (HDOs) can implement cyber deception techniques, such as deploying honeypots, honeytokens, and other decoys, to create a layered defense and make it more difficult for attackers to gain access to sensitive data. Benefits such as disrupting attacks, early warning of intrusions, and reduction of the impact of a successful attack were also noted.
The document goes on to suggest that using cyber deception as an additional layer of defense will improve an organization’s ability to detect and respond, gather threat intelligence, and reduce the impact of a cyber incursion.
The cyber deception landscape has undergone many changes since its inception, ranging from technology enhancements to integration into other vendors' technologies through partnership and acquisition. The Acalvio Defense platform is designed for AI-driven autonomous deception and carries the most patents, 25 in total, protecting complex environments across all industries, both on-premises and in the cloud. Acalvio also holds Federal Risk and Authorization Management Program (FedRAMP) certification, further validating the security assessment, authorization, and continuous monitoring of Acalvio's cloud service offerings (CSOs).
The use cases for deception in healthcare organizations can be quite extensive. However, Acalvio has found Advanced Persistent Threat (APT) attacks, ransomware, insider threats, and identity threats to be among the most common and consistently deployed.
APT attacks are particularly concerning to healthcare organizations because they are sophisticated, stealthy, and can go undetected for long periods of time. APTs are designed to infiltrate a network and remain undetected for extended periods, stealing sensitive data or causing damage. Acalvio deception detects APTs by creating false environments that appear legitimate but are actually lures and traps designed to detect and analyze malicious activity.
Insider threats occur when someone with employee, contractor, or third-party access to a network or system misuses that access to cause harm or steal data. Acalvio deception efficiently identifies insider threats by embedding deceptions into the data, deploying deceptive identities, and creating false environments designed to accurately detect unauthorized access. Because a deception has no production role, any attempt to use it creates a high-fidelity alert backed by detailed evidence, which can dramatically reduce investigation time.
Ransomware groups have continually targeted healthcare organizations because of their complex environments, fluid workforce, and a range of challenges that stand in the way of an ideal cybersecurity operating environment. Ransomware groups generate new variants through Ransomware-as-a-Service (RaaS) affiliates, evading traditional security controls. Acalvio deception creates a variety of snares for attackers that detect credential misuse, privilege escalation, deletion of backups, and propagation attempts. Ransomware can move very quickly, and since deception does not rely on baselines or trends, it has proven to be an essential alerting mechanism for early ransomware detection, including evolving variants.
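To make concrete the principle behind the insider-threat and ransomware use cases above, that a deceptive identity has no production role and so any use of it is an alert with no baseline required, here is an added example of honeytoken-account alerting over authentication logs. It is not Acalvio's or HHS's code; the decoy account names, hosts, addresses, and log format are all constructed for the illustration.

```python
"""Honeytoken-account alerting (added example, not Acalvio's or HHS's code).

A deceptive identity has no production role, so every authentication attempt
against it, successful or not, is a high-fidelity alert that needs no baseline.
Account names, hosts, addresses and the log format are all constructed.
"""
import re
from collections import defaultdict

# Hypothetical decoy identities planted in the directory (constructed names).
DECOY_ACCOUNTS = {"svc_backup_admin", "radiology_share", "emr_admin_svc"}

# Constructed log format: "<ts> <host> auth <result> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: real-user traffic (including a failed logon), one
# malformed line, and one source touching two decoys from two hosts.
SAMPLE_LOGS = [
    "2024-03-04T02:14:07Z ws-017 auth success user=jsmith src=10.0.1.12",
    "2024-03-04T02:14:09Z ws-017 auth failure user=SVC_BACKUP_ADMIN src=10.0.5.23",
    "2024-03-04T02:14:11Z fs-01 auth success user=svc_backup_admin src=10.0.5.23",
    "2024-03-04T02:15:30Z fs-01 auth failure user=radiology_share src=10.0.5.23",
    "2024-03-04T02:16:02Z ws-021 auth failure user=jsmith src=10.0.1.12",
    "this line is not an auth record and must be skipped",
]

def parse_event(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Return one high-severity alert per (decoy account, source address).

    Logon result is ignored on purpose: a failed logon to a decoy is as telling
    as a success, while a real user's failed logon is not this detector's job.
    """
    evidence = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["user"].lower() in decoys:  # case-insensitive match
            evidence[(ev["user"].lower(), ev["src"])].append(ev)
    return [
        {"account": acct, "src": src, "severity": "high", "attempts": len(evs),
         "first_seen": evs[0]["ts"], "hosts": sorted({e["host"] for e in evs})}
        for (acct, src), evs in sorted(evidence.items())
    ]
```

Running `detect_decoy_use(SAMPLE_LOGS)` yields two alerts, both from 10.0.5.23, while the real user's failed logon produces nothing; each alert carries the evidence (hosts, first-seen time, attempt count) an investigator needs to start triage.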
Identity Threat Detection and Response (ITDR) is another key deception use case. The misuse of credentials is not new, and as most know, is a staple in almost every attack. Gartner, Inc. coined the term ITDR in 2022 based on the need to educate organizations on Zero Trust architectures and why network-based security is not sufficient for detecting and deterring attacks using credentials and privilege escalation. Endpoint Detection and Response (EDR) vendors have taken note with SentinelOne acquiring Attivo Networks and CrowdStrike partnering with Acalvio.
You can read more about the CrowdStrike and Acalvio partnership at our web page. The highlight of this partnership is that it enables deceptions to be deployed at scale without requiring an additional agent. Now, CrowdStrike customers can deploy Acalvio deception and identity solutions across the organization and manage the detections in CrowdStrike’s incident response dashboard. Acalvio uses AI to refresh the deception environment for authenticity and scale.
Another recent document worth noting is the technical report titled HHS Cybersecurity Program: Cybersecurity Framework Profile for Healthcare Delivery Organizations. It also discusses the importance of cyber deception as a key strategy for protecting healthcare organizations from a variety of cyber threats. This report includes additional use cases for deception, including social engineering and attacks against network-connected medical devices.
Medical devices based on IoT can be challenging to protect due to their inability to be upgraded, the inability to deploy EDR agents on them, and limited downtime windows. Acalvio deception plays an important role in IoT because it can use decoy elements such as false credentials, simulated data, and decoy devices to detect malicious network activity without loading any software on the devices themselves. It is another use case for deception in creating layers of defense in specialized networks.
Many healthcare organizations have successfully deployed cyber deception and have realized its benefits for patient safety and well-being. It is exciting to see deception receive such an important recommendation in this new publication. Deception technology efficiently addresses a wide range of cyber threats, including APTs, insider threats, ransomware, identity, IoT, and social engineering attacks. By creating false environments that appear legitimate, cyber deception non-disruptively lures, detects, and diverts attacks, making it faster and easier for security teams to eradicate the threat before it can cause harm.