Written by HITRUST Independent Security Journalist Sean Martin.
Back in 2015, Gartner’s Lawrence Pingree projected that, by 2018, 10% of enterprises would use deception tools and tactics and actively participate in deception operations against attackers.
More recently, at Gartner’s Security and Risk Management Summit, vice president Neil MacDonald highlighted the top technologies for information security; Deception was third on the list, marking it as a staple for organizations looking to defeat attackers before they succeed in their deeds and make off with the goods.
This category continues to grow in popularity and capability, and the information coming from these systems folds in quite nicely with an organization’s ability to spot the indicators of compromise that matter most to it.
But First, What is Deception?
Sticking with Gartner for a moment, the analyst firm describes deception as a set of technologies that “are defined by the use of deceits, decoys and/or tricks designed to thwart, or throw off, an attacker’s cognitive processes, disrupt an attacker’s automation tools, delay an attacker’s activities or detect an attack. By using deception technology behind the enterprise firewall, enterprises can better detect attackers that have penetrated their defenses with a high level of confidence in the events detected. Deception technology implementations now span multiple layers within the stack, including endpoint, network, application and data.”
Ultimately, the goal of this layer of defense is to detect nefarious activity taking place inside the organization so that the attacker can be thwarted and the damage avoided, or at least minimized, sooner rather than later. With time-to-discovery still sitting squarely in the ‘months’ range, this is an important metric to measure. And, given that Verizon’s 2017 Data Breach Investigation Report captured the internal threat as part of this vertical’s summary, these indicators are clearly something healthcare organizations need to be able to spot and deal with.
Introducing the HITRUST CTX Deceptive Program
HITRUST has been innovating around indicators of compromise (IOCs) for many years, collecting and sharing this information with participating healthcare organizations, thereby giving them the upper hand when it comes to detecting attacks and breaches targeting their industry and their environments, while potentially thwarting US-based healthcare attacks.
HITRUST has taken this concept to the next level by designing a deception environment that spans across many healthcare organizations via the same HITRUST CTX threat sharing infrastructure that many have come to embrace as a critical component within their information security program. More specifically, HITRUST has joined forces with Trend Micro to launch the second phase of the HITRUST Cyber Threat Management and Response Center with the introduction of the HITRUST Cyber Threat XChange (CTX) Deceptive program.
Simply put, HITRUST CTX Deceptive is a deception-based threat detection collaboration platform that deploys decoys that work together to deceive attackers and gain knowledge of their methods, processes, tactics and targets of interest. This new program represents a key missing piece within the current IOC collection approach as CTX Deceptive is able to identify TTPs (Tactics, Techniques and Procedures) – providing insight into how threat actors are infiltrating and exploiting networks, applications and systems while capturing complete malicious activity throughout the stages of an attack.
One very important point to recognize is that the deception techniques used to deceive the attackers mimic elements commonly found within organizations doing business in the healthcare arena. For example, the decoys would emulate and mimic electronic health record systems (EHRs), commonly used medical devices, Protected Health Information (PHI) and other healthcare-specific systems found across multiple healthcare organizations. The activity detected and captured via these decoys is then shared in an anonymous manner via the HITRUST CTX threat-sharing infrastructure so all member organizations can be warned of nefarious activity taking place in the market.
With this advanced intelligence on attack behaviors, potential attack paths can be anticipated, and indicators of compromise (IOC) data and alerts on threats to specific applications and medical systems can be shared with organizations so they can act proactively, preventing an attack and reducing the risk of breach or compromise.
Early detection of attacks in the decoy environment can improve the industry’s time-to-respond, which, as noted above, is a key element in the battle against cyber-attacks targeting the healthcare industry. Furthermore, use of a deception program provides vendors in the healthcare ecosystem with attack information they may not have known otherwise until a breach had occurred, thereby providing insights into strengthening such tools used by this critical infrastructure environment.
Coming full circle, CTX Deceptive gives Trend Micro the opportunity to develop response rules earlier – rules that are more specific to the attack target. These targeted rules enhance the protections organizations have in place, better protecting the healthcare industry as a whole by improving the defenses across the board as the deceptions are triggered. This, of course, is the ultimate goal.
Accessing Deception-Based Threat Intelligence
The HITRUST CTX Deceptive program is designed for leading healthcare organizations that possess a mature information security program and that have both an interest in and a readiness to leverage advanced deception-based technology to gain a better understanding of attackers’ methods, processes, tactics and targets of interest.