Building defenses around the most common ransomware attempts could help prevent attacks. Standing up these defenses can drastically limit potential credential exposures, say healthcare security specialists – but the work involved could represent a marathon exercise for IT and security teams and requires broad organizational buy-in.
The real-world experiences of healthcare organizations defending against recent cyber threats only serve to strengthen the case for their peers to deploy this recommended model, which is secure-by-design and based on secure-by-default standards.
“But your workforce, they won’t even know that it happened,” said Erik Decker, Intermountain Health’s vice president and chief information security officer. “This is a model to prevent ransomware attacks. This is not a model to protect data.”
Consider how attackers get in
Decker, speaking earlier this spring at HIMSS25, was describing the privileged access workstation concepts now implemented – and showing success – at the Salt Lake City-based health system.
From the first point of entry to the critical moments before ransomware is deployed, Decker described common network infiltration techniques.
“Why would they go after IT?” he asked. “They go after IT because we control all the systems – all the access – everything. So if you want to cause damage, you need to get to the control systems where all of that is in play.”
Most of those control systems – some 80% of an organization’s operations – are found in Active Directory, he said.
“Privilege escalation is really all about, at the end of the day – they’re moving in, they’re getting to privileges, they’re getting to those superuser rights, privilege access rights that your IT people have,” said Decker.
“Then they’re logging in, then they grab all the data and then push all the malware and blow up your environment. That is the playbook every time.”
After the initial break-in, the threat actor “goes forward, hits the workstation, moves laterally and then heads on up into the directory,” he continued.
Decker noted that Black Basta – a Russia-backed ransomware group that accelerated attacks against the healthcare sector last year – achieved “domain-wide dominance through a combination of privilege escalation, credential theft and lateral movement.”
First, they gained two privileges on an initial device.
“And then once they got system root access within three seconds – that had no log or anything associated with it – they had a 98% success rate in getting initial local intrusion,” he said.
From there, they credentialed out and pursued lateral movement.
“They took Mimecast. They installed it on that device, which was very likely an IT administrator’s workstation,” he said. Once installed, an attacker can leverage that software to pull users’ credentials and other details from a device’s memory.
“And if that IT person also has the domain credentials or the domain hashes in that workstation, it’s done,” said Decker.
Once the Black Basta operative in this real-world ransomware attack gained domain admin rights – a role Microsoft provides natively by default – it was over.
“They figured out who the domain admins were by running a simple command that every computer in your network would respond to. … It tells you who the privileged access users are,” Decker said.
From there, they understood which devices to move over to and then used Cobalt Strike to deploy ransomware across every controlled asset of the victim organization.
Move their cheese
Decker said when he was presented with the idea to use the Bell-LaPadula model for privileged access security design five or six years ago, it was an “aha” moment.
“Why have I not been thinking like the adversary?” Decker said.
His colleague, Shawn Anderson, Intermountain’s cybersecurity director of data, endpoint and application protection, explained how Intermountain implemented these time-tested principles, which were first developed in 1973.
“Of course, we should be defending against the common pathways that they use,” he said. “They should be spending resources, so that it costs a lot of money to break into our environments.”
Decker has previously discussed federal cyber defense resources for healthcare. He told Healthcare IT News about this secure access model, which his health system was in the process of implementing.
At the time, he drew a crude schematic on scratch paper that explained how to protect essential IT control systems by closing off vectors.
Many national security systems are based on this design against privilege escalation, which never allows a lower-security principal to access a higher-security principal.
“The whole idea behind it is that a level in a tier below can never access a tier above,” Decker said. “The idea is you secure and you lock these tiers. No control up, no exposure down.”
The higher tier never exposes a credential to the tier below.
“It can access tiers inside of whatever tier that you define,” he said. “But that level, your secret point, doesn’t get you to access the top secret points.”
For high-privilege principals – such as a domain admin account, domain equivalents or domain controllers – “they’re in ‘Tier Zero,’” said Decker. “Everything that controls every asset on your entire network, that’s your Tier Zero. That’s your core infrastructure.”
There’s also the group of principals that have “the same level of domain admin rights that the bad actors go for,” he said. “All those principals need to be locked in a way that only allows Tier Zero access at Tier Zero.”
Tier One – servers and your applications – is micro-segmented.
“I wouldn’t go crazy with it,” Decker advised: “Maybe two or three” subsegments.
For every tier in the protective design, it does require a lot of work to manage the assets in the tier, he admitted.
“The more you bifurcate this, the more drag you’re introducing into your environment,” he said.
These are the most important assets in a healthcare organization – electronic health records, servers, imaging systems, labs and other very important operational applications – “but not infrastructure-level, foundational-level things.”
Tier Two is everything else: “It’s all the end points and everything else,” he said. “The idea behind this is privilege-to-access workstations.”
Set up privileged access
In most cases, bad actors use these three threat paths to gain access to IT management systems and Active Directory to launch cyberattacks that destroy, compromise or control a health system’s computer systems and data, Anderson said.
He helped to build Intermountain’s medical device cybersecurity program, leads efforts to modernize its cyber architecture function and architects its Microsoft Azure security functions, including Active Directory.
The privileged access workstation is one of the core technological pieces for implementing the model.
“The privileged access workstation is not a jump server, it’s not a [virtual desktop infrastructure], it’s not a random server that you happen to log into with a privileged account,” he said. “The privileged access workstation is a physically separate machine specific to the tier that it’s in.”
Each tier has a different privileged access workstation that’s used to access that tier.
IT staff could be Tier One, Tier One-A, etc.
“It can get really challenging, and that’s OK,” Anderson said. “Again, the reason is that we’re trying to control the access to the tiers above and make sure that we don’t have any credential exposure down.”
“With the example that [Decker] talked about from Black Basta, the reason that that attack occurred is because they found domain admin modules somewhere on the network through Mimecast,” he said.
“None of this is a surprise,” Decker added. “The point is about focus, and knowing how to build our defenses around the most common scale attempts.”
Convincing your IT team
To convince an IT team and justify the value that’s being brought in versus the amount of effort they have to make takes a great deal of patience, said Anderson.
“As we were talking about this model, I had this conversation, this exact same conversation, repeatedly – dozens of times – for hours and hours and hours to different audiences, to the same audiences, to third parties, to internal people, to cyber people,” he said.
“Just get really comfortable with the idea that you’re going to have to repeat yourself a lot,” Anderson advised.
“You’re going to have people challenge you every single step of the way,” he said. “You’re going to need to make them feel comfortable with the model, but you also have to assert that this is a security decision.
“If your organization is like ours, there’s probably a lot of focus on simplification, a lot of focus on trying to reduce costs based on processes that take extra time,” he added. “This is one of those where you’re going to have to just hold the line.”
The model will cause “a slight decrease in productivity for the administrators who are part of these tiers.”
But, the message that resonated the most with Intermountain’s administrators, Anderson said, is that they would not use their pods – the stations that host one or more containers, along with shared storage and networking resources – all the time.
“You only use your pod when you need to take advantage of those highly privileged credentials or those highly privileged roles,” said Anderson. “The rest of your time, you’re using your productivity workstation.”
As a gut check, he suggested that session attendees ask their IT managers how often they actually need a server administrator’s permission to do their job.
“If they’re like ours, 50% of their time at least is in meetings,” Anderson said. “The other 50% is in email, and then somehow they find another 10% to do work.”
That means most of the time, they’re going to be on their productivity workstations, he said.
Some will argue that they don’t want to carry two laptops. While it might be a burdensome initiative, security leaders should hold their ground, he said.
“You get to carry two laptops until we have a virtual option available for you,” said Anderson. “It’s just going to be a thing. Back in the day, people carried multiple laptops because they had to have laptops for different types of systems.”
Complete the process
The marathon will begin with identifying all system administrators because to implement the model, there is one credentialed administrator per tier.
“It seems like a super-easy question,” Anderson said. “It’s not.”
It’s a hard question to answer because it’s not just the domain admins that healthcare security leaders implementing the model may need to consider, he explained.
“You might have a handful of those, a couple of those. Those aren’t the only people that have credentials that fall into Tier Zero.”
There could be cloud operations staff, he said.
“They don’t report to security. You have IT people that don’t report to security. They all have credentials that can take control of a Tier Zero resource, a domain controller or server admin account that can reset the root password, that can reset your domain admin password, that can take a backup of your directory and install it somewhere else.”
The next mile in the marathon is considering which machines have those credentials.
“As you go through this exercise, what you’re going to find is that your domain admin credentials are going to be everywhere,” said Anderson. They will be found on regular workstations and servers across an organization’s IT environment.
“They’ll all have to be cleaned up. And it’s not easy, and it’s not quick, and it is painful – but it is worth it,” he said.
Once the model is implemented, however, the work is not done. Organizations will still need monitoring 24/7, 365.
“Account pods will get used inappropriately,” said Anderson. “It’s just part of human behavior. We make mistakes.”
In addition to monitoring the pods, “make sure your policy engine that’s making determinations about whether or not that pod is safe is still functioning.”
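The tier rules from the “Move their cheese” section (no control up, no exposure down) and the monitoring Anderson calls for here can both be expressed as a check over logon events. The Python below is an added example, not Intermountain’s code: the tier map, account and host names and log lines are constructed, and the flattened one-line 4624 record format is an assumption; Event ID 4624 and the LogonType values themselves are real Windows Security log fields.

```python
"""Tier-model logon check over constructed Windows Security log records (example, not Intermountain's code)."""
from dataclasses import dataclass

# Constructed tier assignments; account and host names are hypothetical.
ACCOUNT_TIER = {"CORP\\da-jsmith": 0, "CORP\\srv-jsmith": 1, "CORP\\jsmith": 2}
HOST_TIER = {"DC01": 0, "PAW-T0-01": 0, "EHR-APP01": 1, "PAW-T1-01": 1, "WS-JSMITH": 2}

# Logon types that leave reusable secrets in LSASS on the target host (2 interactive,
# 4 batch, 5 service, 7 unlock, 10 remote interactive); network logons (3) do not.
EXPOSING = {2, 4, 5, 7, 10}
ADMIN_SESSION = {2, 10}  # interactive sessions, i.e. someone administering the host

@dataclass
class Logon:
    account: str     # DOMAIN\user
    host: str        # computer on which the session was created
    logon_type: int

def parse_4624(line):
    """Parse '4624 Computer=X TargetDomainName=D TargetUserName=U LogonType=N'; other events -> None."""
    event_id, *fields = line.split()
    if event_id != "4624":
        return None
    kv = dict(f.split("=", 1) for f in fields)
    return Logon(f"{kv['TargetDomainName']}\\{kv['TargetUserName']}", kv["Computer"], int(kv["LogonType"]))

def check_logon(logon):
    """Return a violation string or None, applying 'no control up, no exposure down'."""
    acct, host = ACCOUNT_TIER.get(logon.account), HOST_TIER.get(logon.host)
    if acct is None or host is None:
        return f"unmapped principal or host: {logon.account} on {logon.host}"
    if host > acct and logon.logon_type in EXPOSING:  # higher-tier secret landed on a lower-tier box
        return f"exposure down: Tier {acct} {logon.account} on Tier {host} host {logon.host} (type {logon.logon_type})"
    if host < acct and logon.logon_type in ADMIN_SESSION:  # lower-tier account administering a higher tier
        return f"control up: Tier {acct} {logon.account} opened a session on Tier {host} host {logon.host}"
    return None

def find_violations(lines):
    """Run the check over raw log lines and return the violation strings."""
    return [v for v in map(check_logon, filter(None, map(parse_4624, lines))) if v]

SAMPLE_LOG = [  # constructed records: a clean PAW logon, an exposure down, normal user access, a control up
    "4624 Computer=PAW-T0-01 TargetDomainName=CORP TargetUserName=da-jsmith LogonType=2",
    "4624 Computer=WS-JSMITH TargetDomainName=CORP TargetUserName=da-jsmith LogonType=10",
    "4624 Computer=EHR-APP01 TargetDomainName=CORP TargetUserName=jsmith LogonType=3",
    "4624 Computer=DC01 TargetDomainName=CORP TargetUserName=srv-jsmith LogonType=10",
]

if __name__ == "__main__":
    print("\n".join(find_violations(SAMPLE_LOG)) or "no violations")
```

The unmapped branch is deliberate: any principal or host missing from the tier map is itself a finding, since the first mile of the marathon is knowing who and what belongs to each tier.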
Gain leadership buy-in
To convince an organization’s chief technical officer that the effort is a good thing to do, “talk about the big why,” Decker suggested.
“The entire system could go down for 60 days. This is going to be painful,” he said by way of example.
“I promise them, ‘You’re going to go through five stages of grief.’ They will start by trying to negotiate on certain things that come into play. I’m telling you right now, we’re not negotiating. We need our patients to be safe inside our environment, and we need our front doors open.”
It takes endurance to stay in the adversarial mindset and convince leadership that privileged escalation prevention is worth all the effort, according to Decker.
Another potential response? “Because this is how bad actors are breaking in and shutting it all down. That’s why.
“We are going to be putting a barrier on,” he continued by way of example. “But it’s a meaningful barrier. We would not do this if the risks and the stakes were not as high as they are.”
The goal of such a high level of effort – to prevent a ransomware takedown and maintain patient safety by becoming a hard target to hit – requires a commitment to stay in the adversarial mindset, said Decker.
“We want to make it so expensive, and so hard, that at some point the attacker bails out of the attack because it’s just not worth it anymore because there are softer targets out there,” he said. “We want everyone to be a hard target in healthcare, so they just leave us alone.”
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.