Take a Pen Test Pill: Inoculation for Ransomware
Published On October 26, 2021
Blog Post by Kevin Sacco, Ethical Hacking Leader at Meditology Services
Ransomware attacks seem to have no end in sight. Many healthcare security leaders are seeing their friends and peer organizations get infected, their vendors are getting infected and spreading ransomware across the supply chain, and it seems like only a matter of time until everyone gets hit.
A great deal of attention and energy is appropriately being spent on preparing for ransomware infections and response activities, but isn’t there some way we can prevent or reduce the likelihood of infection in the first place? The good news is yes, there is.
Routine ethical hacking testing often referred to as penetration testing, is one of the most efficient and effective ways to inoculate an organization against ransomware infections. Before I dive into this phenomenon in more detail, I want to do some quick level setting on terminology.
What is Ethical Hacking?
Ethical hacking is an authorized technical security assessment that simulates the activities a hacker or malicious insider might carry out. Ethical hacking provides the closest thing to a real-life scenario for dealing with an attack. Ethical hacking tests simulate a wide range of potential attack vectors using the latest techniques deployed by ransomware and other malicious actors bent on gaining access to your organization's systems and information.
The term “ethical” refers to the hacker’s use of hacking tools and techniques for the defensive and purposes to help a business or product identify weaknesses before they are exploited by bad actors. The objective of ethical hacking is often to identify as many security vulnerabilities, misconfigurations, or technical exposures as possible to reduce the likelihood of those same weaknesses being discovered by malicious actors.
What is Penetration Testing?
Penetration is a type of ethical hacking, usually performed on a routine basis, that allows a certified hacking professional or team of professionals to assess the strength of an organization’s cybersecurity defenses. The objective of a penetration test is often to exploit one or more system vulnerabilities or misconfigurations to gain initial access to an organization’s network and then escalate access to other critical systems and information.
Performing a penetration test can help identify the current state of the security posture and actual technical exposures of your organization to support the prioritization of remediation activities. Penetration testing helps to validate if patching processes are operating effectively, users have strong passwords and access controls established, IT teams are securely implementing applications and infrastructure components, firewalls are securely configured, medical devices are protected, and other critical security controls are effective.
Ethical hacking and penetration testing are not the same as vulnerability scanning. Vulnerability scanning uses automated tools to technically survey IT systems for known security weaknesses such as missing patches. While ethical hacking testing often leverages a variety of vulnerability scanning tools, it goes much further in simulating a real-world attack. Ethical hacking attempts to exploit both technical and logical security weaknesses to gain access to your network the same way that ransomware or other malicious actors would.
How Does Ethical Hacking Provide Inoculation from Ransomware?
The industry is seeing a fairly sophisticated division of labor going on across cyber-criminal organizations that deploy ransomware. The ransomware business model continues to boom with high revenues and criminal groups are beginning to resemble large enterprises in the way they operate. Like any other business, ransomware operators are continually working to increase their return in investment.
These business adjustments include the increased reliance on independent contractors and individuals and groups that are being referred to as Initial Access Brokers or IAB’s.
The job of an initial access broker or IAB, is to gain internal access to a target company’s network. They can use a variety of techniques to do this including phishing, exploits of missing patches, and so on. The IABs then sell that access on the black market for a price that aligns with the value and demand for the target company. Other cybercriminals will then purchase that access and launch attacks using tools and processes where they specialize as a business including ransomware, extortion, or data theft and sale.
The black matter ransomware group, for example, is actively advertising and seeking IABs, with a focused request around remote access via RDP, VPN credentials, and web shells to use to launch the next series of attacks.  They are offering a self-proclaimed Ransomware-as-a-Service (RaaS) operation.
IABs have recently begun focusing specially on cloud accounts. They are realizing that the black market is willing to pay huge premiums for access to Amazon, Google, and Azure. Their biggest return on investment are administrative credentials for these environments.
So how does this relate to ethical hacking? The IABs, for all intents and purposes, are ethical hackers and penetration testers, they just perform their services for cyber criminals rather than enterprise security teams. Ethical hacking teams (the legitimate ones) have the same objectives and toolsets available as the IABs. Namely, their aim is to gain unauthorized access to sensitive information and systems and escalate that access to the highest level of administrative privilege possible.
The methodologies and toolsets used by IABs and ethical hacking teams are nearly identical. One of the most important distinctions is that ethical hacking teams, particularly those like Meditology that specialize in healthcare, will adjust their techniques to reduce or eliminate the possibility of adversely impacting patient safety or the availability of critical systems. Criminal hackers will rarely take such precautions, other than to avoid being detected.
Getting Your Ethical Hacking Booster Shots
Routine ethical hacking tests help to identify the access paths and technical security exposures used by criminal and nation-state malicious actors. Once identified, healthcare organizations can quickly move to change configurations, patch vulnerabilities, change passwords, and other remediation to shut down the potential avenues for compromise.
Performing ethical hacking on a regular basis, for example, quarterly or annually, is like getting infected and cured repeatedly, but without the painful cost and symptoms of a real ransomware attack. It is much like developing antibodies for your organization to resist future attacks and infections.
Meditology offers a full suite of ethical hacking and penetration testing services including network penetration testing, cloud security penetration testing, application security testing, PCI-DSS credit card penetration testing, and more. Our ethical hacking services are designed and developed specifically for healthcare organizations and deliver safe testing methods to protect patient safety. We also offer a ransomware-specific assessment service called Ransomware Defensive Posture Assessment that includes a deep dive assessment into your organization’s ransomware-specific defenses.
Contact us to learn more about how we can help your organization obtain and maintain a ransomware vaccine via routine ethical hacking tests.
What Our Clients Are Saying
“Pen tests are extremely valuable on many levels. Not just scan the network for things that could occur but things that do occur. Value in having Meditology as a partner is extremely high. We have already briefed the CIO and beginning on results roadmap so that level of value has been realized.” - Director, Cybersecurity Operations and CISO, Large Health System in the Northeast
“The Meditology Team is 5-star. We scheduled a call prior to the penetration test, then pretty much let them go and tell us what they could find. We had everything scheduled in advance and coordinated, stuck to timelines. Good follow-up and discussions around the findings. And we took some actions and additional steps based on the findings to remediate these issues.” - Manager, IS Info Security, Large Midwest Health Insurer
“You don’t know what you don’t know” What Meditology brought to the table during our Ethical Hacking engagement was of exceptional value to our organization.” - Information Services Security Manager, Large Health System in Texas
"We have done several Hacking engagements over the years and this was the most straight forward and best one we’ve had. We got a well-executed pen test and the ability to take crisp action items that gives us a head start versus list of findings we have to interpret." - CISO, Award Winning Academic Medical Center