Incident Background and Initial Detection
Background
The incident occurred within a healthcare environment, specifically affecting a Remote Desktop Server (RDS) that played a crucial role in managing sensitive patient information. This server facilitated access to medical records, surgical notes, and other critical patient health information (PHI), primarily from a secondary location that relied heavily on this remote connection due to bandwidth constraints in direct application access across a wide area network (WAN).
Initial Detection
The critical alert was generated by Huntress, a security tool tasked with monitoring our network for suspicious activities. The system detected unauthorized attempts by a user named "hall" to perform Active Directory domain enumeration—a technique often used by attackers to gain further access to network resources and escalate privileges. This activity was particularly alarming as it suggested a potential precursor to more severe actions, such as lateral movement or data exfiltration.
The detection specifics included:
Timestamps: The unauthorized activity was first detected on 2024-06-13 at 01:09:09 UTC.
User Activity: User "hall" was observed running a domain enumeration command from IP address "192.168.1.38", which was not covered by Huntress’s monitoring, indicating potential blind spots in the network surveillance.
This detection triggered an automatic response from Huntress to isolate the RDS server from the rest of the network, preventing any further potential spread of the incident and limiting the immediate risk to the network's integrity.
Immediate Response Actions
Upon receiving the alert, I took immediate steps to contain the threat and begin a detailed investigation. Here’s how I approached the situation:
User Account Control
The first action was to address the immediate threat posed by the "hall" user account. I promptly disabled this account in Active Directory to cut off any access it might have to the network. This was a crucial step to prevent further unauthorized activities and potential damage.
Password Reset
Recognizing the possibility that other accounts could also be compromised or that the attacker might have gleaned other credentials during the enumeration process, I initiated a domain-wide password reset. This measure was disruptive but necessary to ensure the security of all user accounts across the organization.
Coordination with Security Partners
To further assess and mitigate any lingering threats, I coordinated with our security partner, Cytek, to conduct a comprehensive manual scan of the system. Despite the initial severity of the alert, this scan did not reveal any additional compromises or malicious activities. This was a reassuring sign, but the incident clearly highlighted areas where our security posture needed strengthening.
Reevaluation of Monitoring Coverage
The incident exposed gaps in our network monitoring, particularly the IP address from which the unauthorized activity originated. I took steps to expand our monitoring coverage to include all IP addresses associated with our network, ensuring no similar blind spots in the future.
Detailed Analysis and Network Configuration Corrections
After addressing the immediate threats, I conducted a thorough analysis of our network configurations to identify and rectify any underlying vulnerabilities that could be exploited in the future.
Analysis of Firewall Configurations
The network infrastructure at both the primary and secondary healthcare locations relied on Cisco ASA 5506 firewalls to manage and secure traffic. A critical part of my investigation involved scrutinizing these firewalls, particularly how they interfaced with our Active Directory for VPN access.
Identification of Misconfiguration
I discovered that the VPN access was supposed to be restricted to a specific security group via Active Directory synchronization. However, due to a misconfiguration, the setup was erroneously permitting all AD users to utilize the VPN, vastly increasing the risk of unauthorized access. This misconfiguration was a significant oversight, particularly in a healthcare setting where protecting PHI is paramount.
Corrective Steps Taken
Reconfiguring AD Sync: I adjusted the settings to ensure that only members of the designated security group could access the VPN, aligning with best security practices and organizational policies.
Testing and Validation: Rigorous testing followed the reconfiguration to verify that the new settings functioned as intended. This involved several rounds of authentication attempts under various user scenarios to ensure no unauthorized access was possible.
Documentation and Reporting: I documented the changes made and the findings from the testing phase. This documentation was crucial for maintaining a clear audit trail and for future reference in case of similar incidents or queries about the network setup.
Strengthening Network Security
Recognizing the broader implications of the incident, I also initiated a review of all network access controls and policies to identify other potential vulnerabilities. This proactive approach was aimed at fortifying the network against future threats and ensuring compliance with healthcare security regulations.
Strategic Recommendations and Enhancements
Following the thorough investigation and immediate remedial actions, I developed several strategic recommendations to enhance our cybersecurity posture and better protect sensitive patient information.
Enhanced Remote Access Security
Given the vulnerabilities exposed by the incident, I recommended the adoption of a more secure remote access solution. This new system would incorporate Multi-Factor Authentication (MFA), providing an additional layer of security to ensure that only authorized users could access the network, especially when connecting remotely.
Implementation of MFA: I proposed transitioning to ConnectWise Control (ScreenConnect), which supports MFA. This solution would mitigate the risks associated with stolen credentials and unauthorized access attempts, crucial for maintaining the integrity of patient data.
Training and User Education: Alongside the technical implementation, I emphasized the importance of training for all users on the new system. This education would cover not only how to use the new system but also best practices for secure remote work.
Infrastructure Upgrades
The incident highlighted the need for more robust infrastructure, particularly updating our firewall configurations and the servers hosting sensitive applications.
Firewall Upgrades: I suggested replacing the existing Cisco ASA 5506 firewalls with more advanced models that offer enhanced security features and better support for modern cybersecurity challenges.
Server Modernization: Proposals were made to upgrade the server hardware and software to better support the security and performance requirements of today’s healthcare environments.
Proactive Monitoring and Incident Response
To prevent future incidents and improve our response capabilities, I recommended enhancements to our monitoring and incident response strategies.
Expanded Monitoring Coverage: Extending our monitoring to cover all network segments and potential entry points, ensuring that any unusual activities are detected and addressed promptly.
Incident Response Plan Review: Updating our incident response plans to incorporate lessons learned from this incident, ensuring faster and more effective responses in the future.
Conclusion
This incident was a significant learning opportunity and a reminder of the continuous challenges in cybersecurity, especially in healthcare settings where patient safety and data security are paramount. My proactive approach not only resolved the immediate issues but also set the stage for long-term improvements in our security posture. Handling this situation highlighted my ability to manage complex security challenges and reinforced the importance of constant vigilance and ongoing enhancement of cybersecurity measures.