One of the more disturbing things about a pandemic is the sense of helplessness it creates. Even when we ourselves are not getting sick, isolation and social distancing leave us unable to escape the seriousness of the situation. We find ourselves sitting and worrying when normally we would be out and about, and all we hear are further stories about how this situation is overtaking society - steadily climbing numbers of infected, with more and more extreme measures being taken to try and contain the disease. We know that by isolating we are contributing to making things better in the long run, but actively doing nothing doesn’t feel like we are actively doing anything to help the situation.
As a cybersecurity professional, I am fortunate enough to be working in an industry where it is at least possible to do much of my work remotely. In light of the situation, I wanted to reflect on the meaning of that work, and do something to share what the pandemic looks like from our vantage point. My hope is that this work may help you better understand how cybersecurity can manifest effects and impacts in the real world and the role it can play in protection of your business and clients.
At eSentire, we offer Managed Detection and Response (MDR). Essentially, we monitor for threats that get through automated defenses and then step in to neutralize and contain them. Many of the clients we protect are organizations on the front lines of the battle against COVID-19 today, or delivering critical infrastructure to them. In the background somewhere, our work is helping keep hospitals and medical research labs online, protecting them and critical services they need from cybersecurity attacks that could disrupt or shut them down.
To illustrate visually, the datastudio display below shows some of the security incidents we’ve seen from critical service sectors that eSentire MDR has protected over the last year. The various interactive toggles allow drilling down and exploring meta data on real security incidents that have occurred over the period of the pandemic. Keep in mind, to keep these clients anonymized we’ve changed a few things . Using this dashboard, you can drill down and interact with examples of real security incidents that have targeted healthcare services, medical research and critical infrastructure during this pandemic and see what we step in to prevent.
By far, the most frequent type of attack we’ve observed is also the least significant - exploits coming through perimeter security and touching briefly on internal systems. Mostly, this is just background noise of the internet being let through a hole in the perimeter (often one intentionally made in the interests of availability), but we’re working to identify the known bad and act as a second line of active defense where clients have left gaps in their firewalls for whatever reason.
The next most frequent type of incident we’ve seen is Suspicious Activity, which is when our Security Operations Center (SOC) investigations picked up something out of the ordinary that needed to be raised for additional investigation. These are usually benign, but a fair number of potentially serious problems are caught here and some preventable disasters averted.
Our continual investigations also regularly hit upon smaller numbers of other real, serious attacks in progress: events where someone is trying to brute force their way into sensitive systems, scam people into giving up their passwords, or deploying malicious code like ransomware or other payloads onto hospital systems. Our objective here is to contain and disrupt such incursions as we see them before the attacker can expand their toehold into a position where they can threaten to take an entire hospital or infrastructure system offline, and keep the cleanup to a manageable level for on-site IT.
In cybersecurity, these sorts of situations going undetected until it’s too late are the things we worry about constantly - imagine an already overloaded hospital in the middle of a pandemic suddenly losing computer powered diagnostic machines, test results, patient records, access to research - or even just the software helping with the logistics of organizing doctors to best effect. Today, that nightmare is an ever present possibility and we are all too often finding ourselves as the last line of defense in preventing it. After all, for some attackers, events today are being seen just as an opportunity - who wouldn’t pay up on a ransom if it keeps a hospital’s doors open during a pandemic?
Feel free to use this dashboard to look out on the fight against covid from our vantage point as events develop and get a sense for how we are working to help keep hospitals and infrastructure open and online during this emergency. If you drag over the pandemic timeline at the top, you can restrict the view to just a specific timeline (this will also resize and/or limit the dots shown based on activity), or you can drill down and explore on other properties by interacting with the map, pie charts, and tables.
At the end of the day, cybersecurity is helping to play its part in supporting reliable access to healthcare technologies. And when I consider that doctors and hospitals need those tools as they steer us through this pandemic, the knowledge that what we do helps allow them to focus on what matters makes me feel less helpless in this isolation.
 We’ve aggregated and altered things here slightly to avoid disclosing anything that could be used to identify our clients or help attackers: the actual locations attacked are moved and fuzzed to geolocations hundreds of miles away, the data is a cross section rather than a complete set, and we’re not disclosing any specifics about any of the incidents beyond a loose classification of what happened (and only after we've fully handled it)