How deception can provide critical security for IoT devices

The Internet of Healthcare Things (IoHT) can increase patient success rates, as it eases processes for healthcare workers and cuts costs. Telemetry embedded in vital sign monitors, EKGs and other devices provides nurses and doctors with proactive updates on patient status.

However, these IoHT devices expose a twofold cyber security risk. First, they dramatically increase the attack surface of healthcare facilities, and their clinical role makes them highly sought-after targets for cyber attackers. Second, the majority of these devices cannot run endpoint protection (EPP) agents; such hosts are called unmanaged, and industry-standard signature- and rule-based protections cannot see them. These risks pose a unique challenge in protecting many healthcare organizations and facilities.

Current cybersecurity solutions rely on monitoring an abundance of data, much of it HIPAA-protected, at the network level and determining which activity might be an intrusion. Many of these solutions cannot keep up with the volume of data involved, nor can they reliably distinguish normal from abnormal activity and thus single out malicious behavior.

Cyber deception technologies have emerged over the past five years as an alternative to standard cyber security techniques and methods. These technologies rely on building a layer of decoys or hosts that project an appearance of being real machines with the intent of confusing and misdirecting adversaries.

Connections to decoys are a high-tech means of tracking cyber attackers, making them attractive alternatives in industries where a large portion of IT infrastructure is unmanaged. As one of those industries, healthcare organizations should consider deception technologies as a viable means of security and protection, to both deter attacks and prevent data loss.

In cybersecurity, the attack surface is the set of reachable points, including every exposed and vulnerable device, that an adversary can attempt to exploit. Most medical devices, unlike IT devices such as a computer, don't support endpoint (EP) detection and EPP software, the software that lets teams monitor and track system usage, performance and activity at the device and host level. For connected health devices, monitoring must therefore be done at both the network and the host level, which is a huge undertaking on unmanaged hosts.

To monitor at the network level, IT and security teams must use different types of sensors that watch traffic crossing the network, switching and routing fabrics. For example, a nursing station acts as a control room or monitoring system, integrating many different devices that gather information across several patients and alerting nurses to potential health-related issues. Healthcare data is collected on an Ethernet-based network, then correlated and analyzed at the nursing stations to provide near real-time patient status. Protecting this infrastructure is of huge importance, yet only a few cybersecurity platforms can handle monitoring the volume and integrity of this traffic.

The problem is that, at too many locations, it's not working all that well. Embedding security in the devices themselves raises cost and integration issues that require, at a minimum, middleware and authentication systems. Watching the entire breadth of network traffic has people scrambling to write rules and log analysis that can accurately separate an anomaly from normal network behavior, which is difficult when adversaries continually modify their tactics, techniques and procedures.

It’s time to inject new security methods into this ailing system. Deception security can help by deceiving and ensnaring attackers.

Deception is the act of planting digital fakes, or false exploitable devices called decoys, that intentionally lead an attacker down a harmless path. The adversary believes they are moving undetected through the network, but the data they are mining is fake, and the moment a decoy is touched it alerts the security team, who can then watch the intruder dig around and learn from their activity.

Breadcrumbs, in the form of files, email, documents, fake credentials, browser or application data, are distributed as bait among real assets and decoys. Anyone who finds their way to a decoy is a threat, whether malicious or accidental, because there is no valid purpose for using these assets. Once a decoy has attracted interest, it alerts the system to the threat, blocks the attacker from accessing real assets, and shunts the attacker off into a fruitless search through additional fake services and data, so their tactics can be observed safely.

Diverting the attacker in this way has the added benefit of altering the appearance of the terrain by changing the attacker's perception of what is exploitable. Additionally, well-designed deception reduces the "noise" across a cyber terrain, so that security staff can focus operationally on new or simultaneous active threats.

Modern deception uses emulation or virtual machines for decoys and services and, provided the decoys are isolated from production systems, does not increase the risk profile. A deception system can be largely automated, from network and asset discovery, decoy creation, and decoy and breadcrumb distribution to adapting to network and resource changes, while alerting security operations on a pre-determined basis.
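The mechanism described in the preceding paragraphs, a decoy that alerts on any contact and breadcrumb credentials whose use anywhere is itself a signal, can be shown in a few dozen lines. The block below is an added example, not code from the original article or from any deception product: it binds a decoy TCP listener on loopback that hands out a bait banner and records every peer, and it runs a small triage routine over constructed log lines (the hosts, ports, usernames and log format are all invented for illustration). Any source that touches a decoy or uses a planted credential is thereafter flagged on its traffic to real hosts, which is the "block the attacker from real assets" step in the text.

```python
"""Decoy listener plus decoy/breadcrumb alerting over constructed log lines.
Example code added to this article, not the author's or any product's code.
All hosts, ports, usernames and log lines below are invented for illustration."""
import re
import socket
import threading
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory. Nothing legitimate ever connects to a decoy or logs in
# with a planted (breadcrumb) credential, so any such event is an alert.
DECOY_HOSTS = {"10.1.9.40", "10.1.9.41"}             # emulated "EKG gateway" decoys
BREADCRUMB_USERS = {"svc_backup_old", "nurse_admin"}  # fake creds left as bait
REAL_HOSTS = {"10.1.9.10"}                            # real nursing-station server

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: user=(?P<user>\S+))?(?: result=(?P<result>\S+))?$"
)

@dataclass
class Alert:
    kind: str    # decoy_touch | breadcrumb_use | hostile_to_real
    src: str
    dst: str
    detail: str

def parse_event(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(ev: dict) -> Optional[Alert]:
    """Alert on a single event: any decoy contact, or any use of a breadcrumb
    credential (even against a real host, which shows the bait was taken)."""
    if ev["dst"] in DECOY_HOSTS:
        return Alert("decoy_touch", ev["src"], ev["dst"], f"port {ev['dport']}")
    if ev.get("user") in BREADCRUMB_USERS:
        return Alert("breadcrumb_use", ev["src"], ev["dst"], f"user {ev['user']}")
    return None

def triage(lines: List[str]) -> List[Alert]:
    """Once a source has touched a decoy or used a breadcrumb, its later
    traffic to real assets is flagged for blocking, as the text describes."""
    alerts: List[Alert] = []
    hostile: set = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the pipeline
        alert = classify(ev)
        if alert:
            alerts.append(alert)
            hostile.add(ev["src"])
        elif ev["src"] in hostile and ev["dst"] in REAL_HOSTS:
            alerts.append(Alert("hostile_to_real", ev["src"], ev["dst"], "block"))
    return alerts

def start_decoy_listener(port: int = 0, max_conns: int = 1):
    """Bind a decoy that speaks a fake SSH banner on loopback and records every
    peer that connects. Returns (bound_port, seen_peers, thread); the thread
    exits after max_conns connections so the demo terminates."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    seen: List[str] = []

    def serve() -> None:
        for _ in range(max_conns):
            conn, addr = srv.accept()
            with conn:
                conn.sendall(b"SSH-2.0-OpenSSH_7.4\r\n")  # bait banner only
                seen.append(addr[0])                     # the alert signal
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], seen, t

def touch_decoy(port: int) -> bytes:
    """Play the scanner: connect to the decoy and grab whatever it offers."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        return c.recv(64)

SAMPLE_LOG = [  # constructed, not real traffic
    "2019-05-01T10:00:01Z src=10.1.5.23 dst=10.1.9.10 dport=443 user=nurse04 result=ok",
    "2019-05-01T10:00:07Z src=10.1.5.77 dst=10.1.9.40 dport=22",
    "2019-05-01T10:00:09Z src=10.1.5.77 dst=10.1.9.10 dport=22 user=svc_backup_old result=fail",
    "2019-05-01T10:00:12Z src=10.1.5.77 dst=10.1.9.10 dport=445",
    "not a log line",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a)
    p, seen, t = start_decoy_listener()
    touch_decoy(p)
    t.join(5)
    print("decoy contacted by", seen)
```

The decoy never authenticates anyone or runs a real service; it only hands out a banner and records who asked, so a compromised decoy gives an attacker nothing to pivot from. In a real deployment the listener would be one of many emulated services and the triage routine would read from the network sensors the article describes rather than from a list of strings.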

Just as healthcare has shifted focus from reactive care aimed at fighting illness to preventive care and proactively becoming healthier, security teams in these organizations can no longer get by fighting security threats only as they arise. Organizations with mature cybersecurity operations have already begun adopting deception technologies, and many more small- and medium-sized organizations are initiating deployments every day to help protect unmanaged hosts.

As an example of the newer technology being introduced in healthcare today, the OpenAPS (Open Artificial Pancreas System) device was discussed at an industry conference. This device was born out of the noble desire to give people with diabetes a more elegant method of monitoring and controlling their insulin levels. Unfortunately, the device's base platform, a Raspberry Pi controller, does not easily support EPP technology or an agent. In this case, emulation- or virtual-machine-based deception could confuse and misdirect attackers who seek to compromise an OpenAPS device by altering their perception of the attack surface.

In more traditional IT environments, healthcare organizations also find deception useful, and a key component of a proactive security architecture.

Deception technology can be used in limited areas or projects, but its true power is only realized once an organization has visibility across its entire cyber terrain, a clear view of its attack surface and a good understanding of cyber threats. The process of deploying deception technology can help healthcare companies audit how fully they can see, and therefore protect, their entire terrain.

Cyber threats are always on the offense. It’s time security teams in healthcare had the tools to better combat these adversaries.

Originally published in Health Data Management by Abdul Rahman on May 01, 2019