
In football, it’s called an all-out blitz. In cybersecurity, it’s called a multi-vector attack.
Five years ago, most cyber attacks were of the single-vector variety: a phishing expedition or a distributed denial of service (DDoS) attack. Now cyber criminals are more sophisticated, launching multi-vector onslaughts that might simultaneously involve those tactics plus attempts at data exfiltration, account takeover and credential stuffing.
By probing for multiple vulnerabilities at the same time, attackers improve their chances of success. It’s difficult to assess the full scope of the attack because one of the vectors (like DDoS) might be a decoy for the others. These multi-front attacks are difficult to remediate because the incident response team has to identify and extinguish each line of attack, which lengthens the time the attacker can keep access to your systems.
Many hospitals and healthcare companies still take a siloed approach to using security tools. It’s not uncommon for an organization to have 20 security solutions from a dozen vendors. When hit with a complex, multi-vector blitz, chaos ensues.
Better Protection Starts With A Platform
To withstand multi-vector attacks, a healthcare organization needs a centralized response platform that functions like a single pane of glass. This eliminates the need for multiple portals and log-ins when a crisis hits.
A state-of-the-art Security Operations Center (SOC) should employ a unified dashboard that offers a real-time view of an organization’s cyber risk management and threat defense capabilities across the enterprise. This dashboard makes it easy to benchmark your performance over time and quickly find risk documentation.
Poor communication is the #1 obstacle to effectively responding to a multi-vector attack. The platform dashboard allows an organization to customize communications and configure alerts to coordinate the team response and eliminate duplication of efforts.
Staying On The Lookout
An effective centralized cyber platform should have robust capabilities for scanning the threat horizon 24/7 like a watchman at a frontier fort. This event management software needs to continuously look out for things like ransomware, data exfiltration and authentication-based attacks. Your initial line of defense should make it easy to assign and track escalations – and to chat live with SOC analysts around the clock. All relevant data should be easily accessible via desktops, laptops or mobile devices.
Endpoint Detection and Response
A centralized response platform should also help reduce “alert fatigue” that can burn out a healthcare IT team. Endpoint detection and response capabilities can help streamline key information and improve visibility into genuine threats. That means fewer unnecessary alerts so the IT staff can focus on what’s truly important.
A Well-Choreographed Response
With a centralized platform, it’s much easier to streamline incident response processes. Instead of a panicky, haphazard response, every person on the response team knows exactly who to call and what Microsoft Teams meeting to join. Team members can even be given specific responsibilities in the event of a multi-vector attack so that two staffers aren’t both battling data exfiltration while an account takeover goes unnoticed.
Multi-Prong Attacks Are Getting More Sophisticated
Bad actors are now using AI tools to hit healthcare organizations faster and more frequently. These attackers are adept at using decoys to buy time while they look for new vulnerabilities.
For example, a DDoS attack is bold and attention-getting. While an IT staff is responding to that, the attacker may be simultaneously trying something much more subtle.
Some cyber thieves are now using HTTP headers to exfiltrate data – a tactic that’s difficult to detect. They use the HTTP headers as a conduit so that it looks like ordinary web traffic. Small chunks of an organization’s data are encoded and hidden in headers such as User-Agent, Cookie, or other custom fields, then sent to attacker-controlled servers over standard HTTP or HTTPS sessions. Since this traffic often looks like routine browsing, it can bypass traditional security controls if not carefully monitored.
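To make this concrete from the defender's side, the following is an added example written for this article; it is not code from the article's author or from Fortified Health Security. It scans request headers for long base64-like runs, scores their Shannon entropy, and test-decodes them to see whether readable text comes out, which is the tell-tale sign of records being smuggled out a chunk at a time. It then counts hits per destination host, since exfiltration over headers shows up as many small chunks to the same server rather than one large transfer. The thresholds, the `Authorization` allowlist, the header names and every sample request (including the fictitious patient record) are constructed assumptions, not captured traffic or the article's own values.

```python
"""Heuristic detector for data smuggled in HTTP request headers.

Added example for this article (not the author's or vendor's code).
All sample requests below are constructed, not real traffic.
"""
import base64
import binascii
import math
import re
import string
from collections import Counter
from typing import Optional

# Tuning knobs (assumed values; calibrate against your own traffic baseline).
MIN_TOKEN_LEN = 40        # shorter runs are usually ids or hashes, not payload chunks
ENTROPY_THRESHOLD = 3.5   # bits/char prefilter: drops padding-like or repetitive runs
PRINTABLE_RATIO = 0.9     # a token that base64-decodes to mostly text is the strong signal
ALLOWLIST = {"authorization"}  # headers that legitimately carry encoded tokens (JWTs)

# Standard or URL-safe base64 alphabet, with optional '=' padding.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{%d,}={0,2}" % MIN_TOKEN_LEN)
PRINTABLE = set(string.printable.encode())


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def try_decode(token: str) -> Optional[bytes]:
    """Decode standard or URL-safe base64, tolerating missing padding."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        pass
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None


def inspect_header(name: str, value: str) -> list:
    """Return one finding per suspicious base64-like token in a header value."""
    findings = []
    for token in TOKEN_RE.findall(value):
        entropy = shannon_entropy(token)
        if entropy < ENTROPY_THRESHOLD:
            continue
        raw = try_decode(token)
        printable = sum(b in PRINTABLE for b in raw) / len(raw) if raw else 0.0
        decoded_text = printable >= PRINTABLE_RATIO
        reasons = ["%d-char token, %.2f bits/char" % (len(token), entropy)]
        if decoded_text:
            reasons.append("base64-decodes to readable text")
        findings.append({"header": name, "token_preview": token[:24] + "...",
                         "reasons": reasons, "decoded_text": decoded_text})
    return findings


def scan_request(request: dict) -> list:
    """Inspect every non-allowlisted header of one request and tag the destination."""
    headers = request["headers"]
    findings = []
    for name, value in headers.items():
        if name.lower() in ALLOWLIST:
            continue
        for finding in inspect_header(name, value):
            finding["host"] = headers.get("Host", "?")
            findings.append(finding)
    return findings


def scan(requests: list) -> list:
    return [f for r in requests for f in scan_request(r)]


def summarize_by_host(findings: list) -> dict:
    """Chunk count per destination: many hits to one host is the exfil pattern."""
    return dict(Counter(f["host"] for f in findings))


# Constructed, fictitious record and the base64 chunk an attacker might hide in a header.
FAKE_RECORD = b"MRN 0001234|Doe, Jane|1975-03-14|Metformin 500mg|Visit 2024-01-09"
CHUNK = base64.b64encode(FAKE_RECORD).decode()

SAMPLE_REQUESTS = [  # constructed sample traffic; 203.0.113.7 is a documentation address
    {"headers": {"Host": "portal.example-hospital.invalid",
                 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                               "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
                 "Cookie": "sessionid=3f9a0c7e2b1d4e5f6a7b8c9d0e1f2a3b; lang=en",
                 "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyIn0.sig"}},
    {"headers": {"Host": "203.0.113.7", "User-Agent": CHUNK, "Cookie": "id=1"}},
    {"headers": {"Host": "203.0.113.7", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0",
                 "Cookie": "theme=light", "X-Trace-Id": "d3ff3d0a1b"}},
    {"headers": {"Host": "203.0.113.7", "User-Agent": "curl/8.4.0", "X-Request-Context": CHUNK}},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_REQUESTS)
    for hit in hits:
        print(hit["host"], hit["header"], hit["token_preview"], "; ".join(hit["reasons"]))
    print("chunks per host:", summarize_by_host(hits))
```

Run against the constructed traffic, the ordinary browser request (long User-Agent, hex session cookie, JWT bearer token) produces no findings, while the two requests carrying the encoded record are flagged on `User-Agent` and on the custom `X-Request-Context` header, both attributed to the same destination. The entropy check only filters out padding-like runs; the decode-to-text test is what separates a smuggled record from a legitimate opaque token, and the allowlist is where you tune away headers that are expected to carry encoded data in your environment.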
A Centralized Response To Multi-Vector Attacks
Without a unifying platform to monitor and remediate multi-vector attacks, a healthcare organization may repel four out of five vector attacks but get hit by the one it didn’t see coming.
To use the football analogy again, your response team needs to account for every pass rusher in order to be successful. That requires preparation, teamwork and clear communication throughout your entire organization and with your security partners.
About Scott Doerr
Scott Doerr is a vCISO at Fortified Health Security headquartered in Brentwood, Tennessee.