Healthcare Industry Spotlight: Tips for Detecting and Investigating Common Insider Threats

In the healthcare industry, insider threats typically take the form of an authorized individual abusing access to resources such as healthcare networks or electronic healthcare systems. In order to protect the business from unauthorized access, disclosure, modifications, or destruction, you need visibility into your information and information systems.

A recent example of an insider threat attack in the healthcare industry involved a privileged user abusing their privileges. A former employee of a medical packaging company was charged with sabotaging electronic shipping records. This user had “Administrator Access” to critical systems, which allowed him to 1) Create two fake accounts with “Administrative Privileges” without being detected and 2) Edit approximately 115,581 records and delete approximately 2,371 records.

This is an example of one of the common insider threat attacks we see in the healthcare industry – a privileged user with Administrative Access to critical systems attempting to establish persistence on the network before being terminated. Other common insider threats in the healthcare industry include users attempting to access files outside their permissions, clear their tracks, or exfiltrate data.

Below are some tips and recommendations to detect and potentially prevent suspicious insider activities at the different stages of the cyber kill chain.

Exploitation

Accessing Network Models/Schemas

Insider threats may attempt to access network models or relational database schemas to understand how the network or database is designed. Tracking who accesses these files can help detect malicious activity. You can enable “Audit object access” in the Group Policy Management Editor to record who accesses or reads files on your Windows file servers. Monitoring for anomalous behavior, such as unexpected or newly created users accessing these files, can help detect malicious insiders.

Event ID 4663: An attempt was made to access an object (4663 is logged the first time one or more of the requested permissions are exercised).

Event ID 4656: A handle to an object was requested.

Persistence

Account Created with Abnormal Naming Convention

It’s good practice to create a systematic naming convention for Active Directory accounts based on job roles. For example, regular user accounts may be created using the initial of the first name and the complete last name, or the first three characters of the first name and the first three characters of the last name. System Administrator (SA) accounts may follow the same convention with an “sa-” or “adm-” prefix in front of the username. For example, a regular user would be “JDoe”, whereas a Systems Administrator would be “SA-JDoe” or “Adm-JDoe”.

This convention makes it possible to audit Active Directory account creations that do not meet the naming convention set in place. Start your audit by enabling Account Management auditing in the Group Policy Objects at the primary domain controller. Active Directory administrators are typically trained in account creation so that new accounts follow the expected names, so an account that breaks the convention could indicate nefarious activity. It can also help reveal accounts that are over-provisioned and accessing resources outside their scope.
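As an added example (not code from the original article), the check below applies the naming convention described above to a constructed list of newly created accounts: for each account it derives the usernames the convention permits for that person, including the “sa-” and “adm-” privileged prefixes, and flags any account that matches none of them. The record fields (account name, given name, surname) are an assumption about what an account-creation feed would supply.

```python
# Constructed sample of newly created accounts (not real data). Fields are an
# assumption: the SAM account name plus the person's given name and surname.
NEW_ACCOUNTS = [
    {"sam": "JDoe",       "given": "John", "surname": "Doe"},
    {"sam": "sa-JDoe",    "given": "John", "surname": "Doe"},
    {"sam": "adm-MarSmi", "given": "Mary", "surname": "Smith"},
    {"sam": "MarSmith",   "given": "Mary", "surname": "Smith"},   # mixes the two forms
    {"sam": "backup2",    "given": "",     "surname": ""},        # no person behind it
    {"sam": "svc-JDoe1",  "given": "John", "surname": "Doe"},     # unknown prefix/suffix
]

# Prefixes the convention reserves for privileged (SA) accounts.
PRIVILEGED_PREFIXES = ("sa-", "adm-")


def expected_usernames(given, surname):
    """Return every username the convention permits for this person,
    lower-cased for case-insensitive comparison.

    Two base forms are allowed: first initial + full surname, or the first
    three characters of each name. Each base form may carry an SA prefix.
    """
    if not given or not surname:
        return set()  # an account with no owner can never satisfy the rule
    base = {given[0] + surname, given[:3] + surname[:3]}
    names = set(base)
    for prefix in PRIVILEGED_PREFIXES:
        names.update(prefix + b for b in base)
    return {n.lower() for n in names}


def audit_new_accounts(records):
    """Return the account names that do not match the naming convention,
    in the order they were created; these are the ones worth investigating."""
    return [
        r["sam"]
        for r in records
        if r["sam"].lower() not in expected_usernames(r["given"], r["surname"])
    ]


if __name__ == "__main__":
    for name in audit_new_accounts(NEW_ACCOUNTS):
        print("account outside naming convention:", name)
```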

Exfiltration

Usage of Removable Storage Devices

Blocking the installation and use of removable storage devices (USB drives or cellphones) reduces the amount of malicious software and PUPs (Potentially Unwanted Programs) installed on critical systems and limits opportunities to exfiltrate electronic health records.

TIP! For mitigating exfiltration via removable storage devices, the following steps apply to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP):

  1. Sign into the Microsoft Azure portal.
  2. Click Intune > Device configuration > Profiles > Create profile.
  3. Use the following settings:
    1. Name: Type a name for the profile.
    2. Description: Type a description.
    3. Platform: Windows 10 and later.
    4. Profile type: Device restrictions.
  4. Click Configure > General.
  5. For Removable storage and USB connection (mobile only), choose Block. Removable storage includes USB drives, whereas USB connection (mobile only) excludes USB charging but includes other USB connections on mobile devices only.
  6. Click OK to close General settings and Device Restrictions.
  7. Click Create to save the profile.

USB Flash Drive Usage with Windows 10 Event Viewer

Additionally, Event Viewer can be used to log USB flash drive usage on a system; this log is not enabled by default. Enable the “Microsoft-Windows-DriverFrameworks-UserMode/Operational” log, which is stored at:

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx

In Event Viewer, navigate to Application and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational.

Then choose Actions > Properties > Enable logging (check).

Event ID 2003 is logged when a USB flash drive is connected, and Event ID 2102 is logged when it is disconnected. By subtracting the two time stamps, you can determine how long a device was plugged into a host. This type of analysis can be used for forensic investigations or threat hunts. Recurring “Acceptable use policy” violations increase the risk of valuable data records being disclosed.
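As an added example (not code from the original article), the script below performs the time-stamp subtraction described above on a constructed set of DriverFrameworks-UserMode/Operational records: it pairs each Event ID 2003 connect with the next Event ID 2102 disconnect for the same device instance, reports devices that are still plugged in, and lists sessions longer than a chosen limit. The tuple layout and device instance strings are constructed for the example.

```python
from datetime import datetime

# Constructed sample of USB events as (event_id, timestamp, device instance id);
# 2003 = connected, 2102 = disconnected, as described in the article. Not real data.
USB_EVENTS = [
    (2003, "2021-03-01 09:02:10", "USBSTOR\\DISK&VEN_A\\1111"),
    (2003, "2021-03-01 09:15:00", "USBSTOR\\DISK&VEN_B\\2222"),
    (2102, "2021-03-01 09:47:30", "USBSTOR\\DISK&VEN_A\\1111"),
    (2003, "2021-03-01 13:00:00", "USBSTOR\\DISK&VEN_A\\1111"),
    (2102, "2021-03-01 13:00:20", "USBSTOR\\DISK&VEN_A\\1111"),
]
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def usb_sessions(events):
    """Pair each connect (2003) with the next disconnect (2102) of the same
    device and return (device, connected_at, seconds_plugged_in) tuples.
    A device with a connect but no disconnect yet is reported with None
    as its duration so it is not silently lost."""
    open_connections = {}  # device -> datetime of its unmatched connect
    sessions = []
    for event_id, ts, device in sorted(events, key=lambda e: e[1]):
        when = datetime.strptime(ts, TS_FORMAT)
        if event_id == 2003:
            open_connections[device] = when
        elif event_id == 2102 and device in open_connections:
            started = open_connections.pop(device)
            sessions.append((device, started, (when - started).total_seconds()))
    for device, started in open_connections.items():
        sessions.append((device, started, None))
    return sessions


def long_sessions(sessions, min_seconds):
    """Devices whose completed session lasted at least min_seconds; a
    starting point for acceptable-use-policy follow-up."""
    return [dev for dev, _, secs in sessions if secs is not None and secs >= min_seconds]


if __name__ == "__main__":
    for device, started, seconds in usb_sessions(USB_EVENTS):
        state = "still connected" if seconds is None else f"{seconds:.0f}s"
        print(f"{started} {device}: {state}")
```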

Post-Exploit

Audit Log Cleared

Insider threat actors may attempt to erase their tracks and inhibit forensics by clearing logs that contain records of their malicious activity. Investigating why the Windows security log was cleared on a host may help detect insider threats.

[Figure: example of Event ID 517, audit log cleared. Effective for Windows Server 2000, Windows Server 2003, and Windows XP.]

[Figure: example of the audit log cleared event. Effective for Windows Server 2008 R2 and Windows 7, Windows Server 2012 R2 and Windows 8.1, Windows Server 2016 and Windows 10, and Windows Server 2019.]

Actions on the Objective

EHR Systems Suspicious Behavior (EPIC App)

An electronic health record (EHR) system such as EPIC logs when a user downloads a file. By establishing a baseline of what normal downloading activity looks like, anomalous behavior can be detected.

Multiple downloads by a single user could indicate an attacker or insider threat attempting to gather large amounts of documents for exfiltration.
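As an added example (not code from the original article), the script below builds the download baseline described above from a constructed set of EHR download audit records: it counts downloads per user per day, learns the mean and standard deviation from the days before the day under review, and flags users whose count on that day exceeds the baseline by more than k standard deviations. The record layout is an assumption, not the EPIC log format.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample of EHR download audit records as (user, date), one entry
# per downloaded document. Not real data. analyst9 spikes on 2021-03-03.
DOWNLOADS = (
    [("nurse01", "2021-03-01")] * 2 + [("nurse01", "2021-03-02")]
    + [("nurse02", "2021-03-01")] + [("nurse02", "2021-03-02")] * 2
    + [("clerk03", "2021-03-01"), ("clerk03", "2021-03-02"), ("clerk03", "2021-03-03")]
    + [("analyst9", "2021-03-03")] * 25
)


def daily_counts(records):
    """Number of downloads per (user, day)."""
    return Counter(records)


def baseline(counts, before_day):
    """Mean and population std dev of per-user daily download counts over the
    learning window, i.e. every day strictly before before_day. Only days on
    which a user downloaded something contribute; the day under review is
    excluded so a spike cannot inflate its own baseline."""
    values = [n for (_, day), n in counts.items() if day < before_day]
    if len(values) < 2:
        raise ValueError("not enough history to build a baseline")
    return mean(values), pstdev(values)


def anomalous_downloaders(records, day, k=3.0):
    """Users whose download count on `day` exceeds baseline mean + k * std,
    returned as sorted (user, count) pairs."""
    counts = daily_counts(records)
    mu, sigma = baseline(counts, day)
    threshold = mu + k * sigma
    return sorted(
        (user, n) for (user, d), n in counts.items() if d == day and n > threshold
    )


if __name__ == "__main__":
    for user, n in anomalous_downloaders(DOWNLOADS, "2021-03-03"):
        print(f"{user}: {n} downloads on 2021-03-03 exceeds baseline")
```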

Detecting and preventing insider threats is a challenging task for security experts. These threats come from people within the organization, so their activity can look like normal activity. Configuring systems properly, creating baselines of expected behavior, and monitoring for suspicious events are just three of many detection techniques that help with common insider threats within the healthcare industry.

How ReliaQuest GreyMatter Can Help

ReliaQuest GreyMatter integrates and normalizes data from disparate technologies including SIEM, EDR, multi-cloud and point tools, on demand, so you always have a unified view to immediately and comprehensively detect and respond to threats from across your environment all within the GreyMatter UI. By aggregating, de-duping, and enriching alerts from across your security ecosystem, ReliaQuest GreyMatter serves up a research package that provides analysts with all of the information they need in one place to detect, investigate, and respond.
