HME COLUMN
The Anatomy of a Hack
An end-to-end view of a typical data breach from a hacker’s point of view
By Jason Kirkhart
A significant amount of time in the news is spent discussing data breaches in health care and other industries. Change Healthcare made headlines last year due to the size of the organization and the volume of records it handles (according to its website, it processes approximately one out of every three American health care records); approximately 192.7 million individuals were affected.
What’s not often discussed is how these breaches actually occur. A clear understanding of that process can better inform how we prevent these threats.
ONE
Finding a Potential Target
To get things started, a hacker will build a target list. These lists can range from completely arbitrary (e.g., scraping data from Google or buying existing lists of verified information) to highly specific (e.g., taking down the biggest processor of health care data in the country). Effort levels vary as well, from low-effort lists that can be gathered quickly up to complex, long-range plans to infiltrate supply chains in order to reach bigger targets.
There are many ways to attempt to compromise an organization. Different types of email phishing, social engineering via email or phone, or more direct penetration attempts against websites and corporate networks are all ways that can help a hacker to establish a foothold and begin their hacking in earnest.
TWO
Probing for Weaknesses
Once a list has been compiled, the hacker will use various means to try to uncover weaknesses in the defenses of these potential targets. They may send links or attachments, or build trust through conversation, to trick targets into taking actions they otherwise wouldn’t. Similarly, they might make phone calls in which they spoof phone numbers and caller IDs in order to establish trust and trick victims into making mistakes. They also use tools to look for known weaknesses that have not been patched or mitigated in firewalls, websites, networks, servers and laptops on unsecured public networks, among many other options.
Some of these activities can be done quickly and cheaply on a massive scale. Others require far more costly investment in time to cultivate a relationship and trust. Which approach is used largely depends on the target and the goal. For most attacks where the hacker doesn’t care who the target is, large-scale email blasts and website or network probes can quickly reveal a list of targets that have known issues ready to take advantage of. I bet we can all think of someone who still uses their computer without a password or a business that purchased a cable modem or firewall that was plugged in and turned on without changing the default password.
If a hacker finds a list of 1 million Netgear router public IP addresses and knows the default factory-set password for these devices, they can probe each one to see if the device is configured to allow access from the internet and if the default password was ever changed. Even if 0.1% of those businesses never changed the password, a probe could net 1,000 vulnerable devices in a matter of minutes.
A survey conducted by IBM showed that 89% of respondents never updated their router firmware or changed their default network name. Seventy-two percent of respondents never changed their Wi-Fi password.
THREE
Exploiting Discovered Weaknesses in Exposed Targets
At this point, a hacker has identified a large number of vulnerable routers, has had a set of email links clicked on, or has used another method to trap their targets. Now they move on to the next phase: taking advantage of that weakness.
If they can log into that router, they can begin to plan how to manipulate it into gaining greater access into the network, perhaps by monitoring traffic, looking for credentials being used or probing inside the network for other vulnerabilities that can be further exploited. Similarly, once they have tricked users into clicking a link in an email or opening an attachment, they can attempt to push malicious code to that computer. Some computers will be protected from these sorts of attacks, others may not, but there’s a high chance the list of improperly protected computers is greater than zero. From there the hacker will do the same thing: explore how they can increase their foothold in the environment.
FOUR
Land & Expand
This process of gaining a foothold and leveraging it for maximum access is commonly referred to as "land and expand." It is an iterative process of looking for everything that can be touched, performing further discovery of where weaknesses exist and exploiting those weaknesses until they have much, or all, of a network system.
Examples of weakness could be a printer’s firmware that grants access to scanned documents, an unpatched flaw in a file server’s network sharing protocols or an old domain administrator account with an unchanged password previously revealed in a data breach, which could give a hacker access to log into any computer on the network.
A hacker can follow user traffic to see where they are going on the network to conduct their day-to-day activities. Time clock? Maybe that’s connected to the accounting server. Intranet? Maybe that also houses human resources or financial data.
While this is happening, the hacker uses a deep knowledge of the systems they are hacking to cover their tracks, deleting or rewriting logs and relying on built-in system tools that won’t raise red flags with antivirus and other security tools. Depending on the size or complexity of a network, this can take anywhere from a few hours to months.
FIVE
Look for Exploitable Material
Along the way, the hacker will look for sensitive material that they can leverage to get paid. Customer credit cards, patient electronic protected health information (ePHI), company bank accounts, intellectual property, passwords to other systems, personal photos on the CEO’s laptop or the questionable browsing history of the CFO. They are looking for data or compromising information that they can directly steal and threaten to release for ransom, use as blackmail or sell to interested parties—anything that might help the hacker increase their payday.
All of this information is catalogued on premises until they have expanded as far as they can, have gathered as much information as they can or until they worry about being caught.
SIX
Attempt to Exploit Material
Everything has built up to this point: probing, cultivating trust, repeating cycles of bootstrapping more access and identifying lucrative data. In the earlier days of ransomware, the hacker would then attempt to encrypt every single device they had gained that level of access to. That introduces other problems for the hacker, including certain defenses—like air-gapped backups—that may help victims recover somewhat quickly from an encryption event.
These days, the preferred action is to pull a copy of as much of the exploitable material as they can from the network, fast enough to avoid detection.
SEVEN
Time for the Big Ask
Once the data is securely in the hacker’s hands, there is nothing a victim can do but either pay a ransom and hope the hacker honors the deal to return or destroy the data, or deal with whatever consequences arise. This can include selling data on the black market, publishing embarrassing information and breaking into bank accounts, stealing money and using stolen credit card details to make fraudulent purchases and many other malicious actions.
Sometimes, a hacker may take certain actions to encourage payment of the ransom, including publishing a sample of the data as proof of possession.
No one wants to be in that situation. I read a story recently about a doctor in Georgia whose practice was hit by a similar attack. They had to close their doors because they couldn’t afford the ransom or the fallout. All it took was the acquisition of 1,714 patients’ records.
EIGHT
Pay Day
Not every hack will uncover sensitive data, and not all sensitive data will come from an organization that has the means to pay a ransom. But a hacker can still make money with data in hand by selling it on the dark web or using it to conduct further attacks elsewhere, like insurance fraud, identity theft, funds transfers and more.
Prevention Tips
Clearly, there are a lot of ways a hacker can get into a network, expand their access and turn that into money. Fortunately, there are also a lot of ways that their efforts can be halted, or at least severely restricted.
Strong perimeter defenses, such as firewalls configured properly rather than left on their default settings, are a great start. Spam filtering can fend off early threats that arrive by email. Employee training to raise awareness of these kinds of threats and how to avoid them will further support that perimeter protection.
Make sure logging is turned on and cannot be edited or deleted. This will help keep a hacker from covering their tracks. Monitoring logs for suspicious activities can give early warnings that a hack may be unfolding, allowing you to catch it before maximum damage can be done.
Patching systems and regularly rotating complex, unique passwords can also help keep hackers from expanding throughout the network. Isolating network segments will minimize lateral movement. Using, updating and monitoring antivirus solutions on servers, PCs and firewalls can help protect against zero-day (not yet published) threats that a hacker might try to take advantage of.
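The two logging recommendations above (logs that cannot be quietly edited or deleted, and monitoring those logs for early warning) can be illustrated in a few dozen lines. The following is an added example written for this column, not code from the author or Beetoobi; it assumes a constructed JSON-style login event format (fields `ts`, `host`, `user`, `src`, `result`) and a hypothetical threshold of five failures in five minutes. It chains each log entry to the previous one with a SHA-256 digest so that any rewrite or deletion in the middle of the log is detectable, and it flags the pattern a default-password probe leaves behind: a burst of failed logins followed by a success.

```python
"""Tamper-evident audit log plus a simple login-anomaly detector.

Added example (not from the column). Event format and sample data are
constructed for illustration.
"""
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64  # digest "before" the first record

# Constructed sample events: one normal login, a burst of failed logins
# against the default "admin" account followed by a success, and a couple
# of stray failures that stay under the threshold.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "fw-edge", "user": "jdoe", "src": "10.0.0.12", "result": "success"},
    {"ts": 1005, "host": "fw-edge", "user": "admin", "src": "203.0.113.5", "result": "fail"},
    {"ts": 1010, "host": "fw-edge", "user": "admin", "src": "203.0.113.5", "result": "fail"},
    {"ts": 1015, "host": "fw-edge", "user": "admin", "src": "203.0.113.5", "result": "fail"},
    {"ts": 1020, "host": "fw-edge", "user": "admin", "src": "203.0.113.5", "result": "fail"},
    {"ts": 1025, "host": "fw-edge", "user": "admin", "src": "203.0.113.5", "result": "fail"},
    {"ts": 1030, "host": "fw-edge", "user": "admin", "src": "203.0.113.5", "result": "fail"},
    {"ts": 1040, "host": "fw-edge", "user": "admin", "src": "203.0.113.5", "result": "success"},
    {"ts": 1100, "host": "fw-edge", "user": "root", "src": "198.51.100.7", "result": "fail"},
    {"ts": 1105, "host": "fw-edge", "user": "root", "src": "198.51.100.7", "result": "fail"},
]


def chain_digest(prev_digest: str, record: dict) -> str:
    """Digest of this record bound to the digest of the record before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_digest.encode() + payload).hexdigest()


def append_record(log: list, record: dict) -> dict:
    """Append a record, linking it to the current tail of the chain."""
    prev = log[-1]["digest"] if log else GENESIS
    entry = {"record": dict(record), "digest": chain_digest(prev, record)}
    log.append(entry)
    return entry


def build_log(events) -> list:
    """Build a fresh chained log from an iterable of event records."""
    log = []
    for event in events:
        append_record(log, event)
    return log


def verify_chain(log: list) -> int:
    """Return the index of the first entry that breaks the chain, or -1 if intact.

    Editing a record, or deleting one from the middle, breaks every digest
    from that point on, so the first mismatch pinpoints where tampering began.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if chain_digest(prev, entry["record"]) != entry["digest"]:
            return i
        prev = entry["digest"]
    return -1


def detect_suspicious_logins(records, threshold: int = 5, window: int = 300) -> list:
    """Flag failure bursts and success-after-failures per (source, user).

    Returns alert dicts in time order. `threshold` and `window` (seconds)
    are hypothetical tuning values, not the column's recommendation.
    """
    alerts = []
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["src"], r["user"])
        recent = [t for t in failures[key] if r["ts"] - t <= window]
        if r["result"] == "fail":
            recent.append(r["ts"])
            failures[key] = recent
            if len(recent) == threshold:  # fire once, when the burst crosses the line
                alerts.append({"type": "bruteforce", "src": r["src"], "user": r["user"], "ts": r["ts"]})
        else:
            if recent:  # a success right after a burst of failures is the real red flag
                alerts.append({"type": "success_after_failures", "src": r["src"], "user": r["user"],
                               "ts": r["ts"], "prior_failures": len(recent)})
            failures[key] = []
    return alerts


if __name__ == "__main__":
    audit_log = build_log(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(audit_log) == -1)
    for alert in detect_suspicious_logins(SAMPLE_EVENTS):
        print(alert)
```

The chain only proves that nothing was changed or removed *before* the last entry you hold; an attacker who deletes the tail of the log leaves a shorter but still valid chain. In practice the latest digest is therefore copied off the host (to a write-once log server or a printed daily checkpoint) so that truncation is detectable too, which is the concrete form of "cannot be edited or deleted" in the tip above.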

Jason Kirkhart is the founder and CEO of Beetoobi IT Solutions, an IT services firm specializing in cybersecurity for health care organizations. With a background in technology and a passion for helping, Kirkhart works closely with health care and home health providers to keep their systems secure, their data compliant and their teams free to focus on caring for patients. Visit beetoobi.com.