Protecting the Heart of Your Healthcare Network: The Domain Controller

How attackers use domain controller penetration for large-scale compromises


Introduction

Healthcare is the most targeted industry for cyberattacks. Over the past three years, 93% of healthcare organizations experienced a data breach, and 57% had more than five breaches.[1] To stay safe, healthcare organizations like yours need to be vigilant in protecting against these cyberattacks.

One primary focus area for improving your cybersecurity posture should be the domain controller. Ransomware leads the headlines in terms of quantity, but exfiltration and weaponization of intellectual property should be an emphasis for your healthcare organization to not only safeguard protected health information (PHI) but to avoid regulatory consequences like hefty fines.

At Pondurance, we spend considerable time analyzing common attack patterns to better reduce compromise, shorten dwell time, and prevent damaging breaches for our healthcare clients. In doing so, we identified the compelling common factors associated with most successful large-scale breaches, and the biggest business impact is the domain controller compromise. In this whitepaper, we analyze domain controller compromises, common techniques for unauthorized access, and tips for preventing an attack on your domain controller.

Healthcare is one of the largest industries and is expected to grow 5% through 2024, guided by technological innovation.[3]

Prioritize the Domain Controller as a Potential Attack Vector

A domain controller is a server that responds to security authentication requests and controls host access to domain resources. It authenticates users, stores user information, and enforces security policies for a domain.

From an overall business perspective, a relatively small investment in a strategy for domain controller security, backed by ongoing monitoring and testing, may be some of the best dollars spent in your security program. When prioritizing assets, many overlook the domain controller as a critical asset, but in most cases, it should be at the top of the list. Several exploit paths contribute to the success of a compromise, often blurring the lines between conduit, condition, and cause. For example, business email compromise is a leading exploit path for getting an attachment onto a user’s system.

Limited security awareness training is another factor that contributes to the spread of system and data compromises, including unauthorized system access and ransomware. The root cause is also worth examining when considering how broadly system access and ransomware deployment can extend across an enterprise. That’s where the compromise of the domain controller comes into play. While completely eliminating unauthorized access and ransomware may not be an immediate reality even with a hardened domain controller, reducing or eliminating the spread within your healthcare organization can be the difference between a nuisance and a business-crippling situation.

Compromises to the Domain Controller

The most common way a domain controller is initially compromised is through improper cybersecurity hygiene, like unpatched systems, outdated medical devices, open ports, misconfigurations, stolen credentials, and bad user behavior. However, there are more sophisticated attackers that break through even the most protected and advanced environments. While compromising a domain controller is not the only way, it is a common tactic that attackers use to quickly achieve their intended outcome and is by far the most common denominator related to large-scale breaches and sophisticated cyberattacks.

Ransomware receives a lot of attention, but the problem is not just with ransomware. Many other attacks are accomplished through the domain controller. Healthcare organizations of all sizes are constantly being targeted, and the number of attacks only continues to rise.

Classification of breaches typically falls into five categories:

  • Integrity breach – an unauthorized or accidental alteration of PHI
  • Availability breach – an accidental loss of access to or destruction of PHI
  • Intellectual property breach – critical information such as medical research, PHI, health insurance, and financial information can be used nefariously at a much larger scale
  • Confidentiality breach – an unauthorized or accidental disclosure of or access to PHI 
  • Safety – a recent addition because an attack can actually impact human life, such as when cyberattacks cripple hospital operations by forcing medical staff to turn away patients or leaving healthcare devices inoperable

The impact to an organization includes risk to:

  • Revenues
  • Medical research and other intellectual property
  • Medical devices
  • HIPAA compliance and regulatory fines
  • Reputation
  • Legal exposure and remediation costs
  • Human life and safety

Exfiltration and access 

The average dwell time — the amount of time where an attack goes undetected — is between three and nine months. Historically, the longer the dwell time, the more negatively impacted the target becomes, often due to the number of systems impacted and the amount of data exfiltration. For more sophisticated compromises, typically involving nation-states, the threat actor can often be in the environment for a year. The following types of data and access are vulnerable:

  • Credit card information (payment card industry-regulated data) 
  • Consumer and customer information (personally identifiable information or PII) 
  • Employee information (including PHI and PII)
  • User credentials and domain controller access 
  • Business email access 
  • Automated clearinghouse and wire fraud 
  • Intellectual property 

Third-party hop

Threat actors typically find the weakest link with third-party vendors, contractors, and connections. 

  • Threat actors use third-party relationships to attack by leveraging the vulnerabilities of their technology or engineering to gain access to other organizations
  • Another common exploit path is the use of shared local or domain administrator credentials across domain-joined devices and, in many cases within the same organization, nondomain devices

Impersonation

From phishing and business email hijacking to stolen credentials and social engineering, impersonation is a classic way to gain access, get information, or have someone take action on behalf of the threat actor.  

Weaponized IPs

While not as common in the headlines, denial of service and distributed denial of service continue to be major issues for many businesses, especially those where online availability ties directly to revenue such as gaming, entertainment, and hospitality services. Compromise of a large number of systems is needed and often executed with significant dwell time before system owners, individuals, or businesses become aware. 

Ransomware

Ransomware attacks make up 46.4% of the total number of data breach threats reported by healthcare organizations.[1] Unlike other compromises, a ransomware compromise may carry a direct cost if the ransom is paid, plus the cost of incremental cleanup, follow-up, and regulatory fines. It also carries the heavy business decision of whether or not to pay.

Medical devices and applications

Advances in medical devices play an important role in modern healthcare. Globally, 60% of healthcare providers use Internet of Things (IoT) devices in their facilities. These IoT devices have operating systems that connect to the internet and are vulnerable to compromise. These high-risk vulnerabilities could allow attackers to perform malicious activities such as stealing PHI, causing devices to malfunction, and accessing a facility’s network. Research shows that IoT incidents could account for 25% of all healthcare cyberattacks.[1]

Ownership of your domain controller 

The sensitivity and centrality of the domain controller are nothing new where breaches or systemic exploitation are concerned. In fact, gaining domain administrator or enterprise administrator privileges is the proverbial crown jewel of even the most basic penetration test. Once a threat actor gains credentials with expansive local administrator privileges, the actor can run through a number of exploits that allow data exfiltration, extended reconnaissance, and outright theft in addition to executing a ransomware payload.

In almost all enterprise, big-impact, large-scale breaches, a compromised domain controller practically guarantees success. In fact, the actor can also weaken or entirely disable other controls with domain administrator privileges, which makes a defense-in-depth strategy so critical. If your organization places sole reliance on, for instance, an endpoint detection and response (EDR) platform to prevent a ransomware payload and the actor has gained access to the domain controller, you may be severely disappointed with the result. 

A defense-in-depth strategy contemplates ample prevention with dynamic detection controls to provide the most favorable outcomes. A key component of the preventive strategy should address technical and process controls related to your domain controller. 

There are many ways for a breach to occur. We’ve covered the nature of a broad ransomware infection distributed across the enterprise, but systems can be affected in much smaller numbers with stolen credentials, through email, via unpatched systems, using open ports, and more. In this case, the outcome is usually limited to a single or few systems. The impact of an event like this is relative.

Email scams related to COVID-19 surged by 667%.[6]

Common Techniques for Unauthorized Access to Domain Controllers

Let’s explore the methodologies that are the most common for accessing domain controllers:

  • Compromised user and administrative credentials continue to be a common vector for compromise. This technique takes advantage of human error, allowing user credentials to be captured or malware to be loaded.

  • Legitimate credentials via remote desktop protocol (RDP) are common. RDP is a legitimate tool that enables IT departments to remotely and easily access and manage Windows systems. When proper security is not applied, RDP can give attackers easy network entry or lateral movement routes. RDP exploit programs and services are easy to purchase and use, or the attacker can buy stolen credentials, a practice associated with ransomware-as-a-service gangs like Conti, REvil, and DarkSide. Some reports suggest that RDP defensive measures are now widely deployed and that RDP is a less effective vector. However, all data supports that RDP is still the most frequently abused protocol for lateral movement, network entry, and exploitation.

  • Altering configurations over Server Message Block (SMB) to open access over certain protocols is another exploit method, one that targets credentials but also uses them as an initial entry point. SMB is a critical protocol for Active Directory and also serves as a network file sharing protocol. It is widely deployed and used by billions of devices across most operating systems, including Windows, Linux, macOS, iOS, and Android. Like RDP, administrators use SMB to access systems, but it is also used system to system for file sharing, data center replication, centralized data management, and mobile devices replicating storage to the cloud. Backdoor installation over SMB with legitimate credentials can follow from the technique above or from other user-initiated actions (e.g., phishing or clicking on a malicious payload such as a file).

For example, if your business is a primary care office, a ransomware event may be all it takes to close your doors forever if you are unable to pay the ransom or otherwise recover. Affecting a large, medium, or even small healthcare organization with a fair number of distributed systems requires a catalyst that delivers the payload with precision, timing, and a level of engineering elegance. Ransomware attackers frequently host their payload on a server to which many systems in the network have lateral routes over the SMB protocol, and they typically use a domain controller as that catalyst. From there, the attackers can systematically detonate the ransomware payload on each connecting system. The economy of scale of such an attack is the objective for a skilled attacker looking for a big payout.

  • Compromised virtual private network user credentials often make the first step of a compromise much easier. Obviously, multifactor authentication (MFA) makes this vector much more challenging, if not impossible.

  • Exploiting various vulnerable services running on the target domain controller due to lack of patching or from running an unsupported version is a common technique.

  • Exploiting other applications running on the domain controller is another method. Why would anyone have other applications running on the domain controller? Sometimes, it’s a legitimate need for security, monitoring agents, or diagnostic tools. In some situations, however, organizations put other applications on servers as a temporary solution and the applications simply never get removed. In a large number of audits for clients, our Pondurance cybersecurity experts found unauthorized applications running on domain controllers.
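The last technique above, unauthorized applications left running on the domain controller, is something you can check for with a baseline audit rather than discover during a breach. The following Python script is an added example written for this whitepaper's reader, not Pondurance's own tooling: the service inventory it walks is constructed, the approved-service baseline (including the placeholder monitoring agent name ExampleEDRAgent) is an assumption, and on a real domain controller the inventory would come from a service listing such as PowerShell's Get-Service or Get-CimInstance Win32_Service.

```python
# Baseline audit of services installed on a domain controller (added example).
# The baseline and the inventory below are constructed for illustration.

# Services that legitimately belong on a Windows domain controller, plus one
# approved monitoring agent (ExampleEDRAgent is an assumed placeholder name).
APPROVED_SERVICES = {
    "NTDS", "DNS", "Kdc", "Netlogon", "W32Time", "DFSR", "IsmServ", "EventLog",
    "ExampleEDRAgent",
}

# Directories from which a service binary is expected to run on this host (assumed).
EXPECTED_BINARY_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Constructed inventory in the shape a service listing would give you:
# (service name, binary path, start mode)
SAMPLE_INVENTORY = [
    ("NTDS", r"C:\Windows\System32\lsass.exe", "Auto"),
    ("DNS", r"C:\Windows\System32\dns.exe", "Auto"),
    ("Kdc", r"C:\Windows\System32\lsass.exe", "Auto"),
    ("Netlogon", r"C:\Windows\System32\lsass.exe", "Auto"),
    ("W32Time", r"C:\Windows\System32\svchost.exe", "Manual"),
    ("ExampleEDRAgent", r"C:\Program Files\ExampleVendor\agent.exe", "Auto"),
    ("LegacyReportSvc", r"C:\Temp\reportsvc\report.exe", "Auto"),
    ("PdfPrintHelper", r"C:\Program Files\PdfTools\helper.exe", "Manual"),
]


def normalize_path(path):
    """Lower-case and use backslashes so prefix checks are case- and slash-insensitive."""
    return path.lower().replace("/", "\\")


def audit_services(inventory, approved=APPROVED_SERVICES, roots=EXPECTED_BINARY_ROOTS):
    """Return (service, reason) findings for anything that deviates from the baseline."""
    findings = []
    for name, path, start_mode in inventory:
        if name not in approved:
            # An unknown service that starts automatically deserves the most
            # attention, so the reason records the start mode.
            findings.append((name, f"not_in_baseline:{start_mode.lower()}"))
        if not normalize_path(path).startswith(roots):
            findings.append((name, "binary_outside_expected_roots"))
    return findings


def missing_expected(inventory, approved=APPROVED_SERVICES):
    """Approved services that are absent; a missing agent can mean a control was disabled."""
    present = {name for name, _, _ in inventory}
    return sorted(approved - present)


if __name__ == "__main__":
    for service, reason in audit_services(SAMPLE_INVENTORY):
        print(f"{service}: {reason}")
    print("missing:", missing_expected(SAMPLE_INVENTORY))
```

The second check, missing_expected, is there because the whitepaper's later point about attackers disabling controls cuts both ways: a baseline tells you not only what should not be on the domain controller but also what should be, so an EDR or logging agent that has quietly disappeared shows up in the same report.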

329 days: The healthcare industry has the highest average time to identify and contain a breach.[7]

Ransomware Execution

Compromising the domain controller is not the only way to execute ransomware or steal credentials. For example, if a user clicks a bad link or exposes credentials and accidentally downloads malware on a device, the outcome can range from an isolated nuisance to a horrible business-ending scenario, depending on the nature and size of the healthcare organization. However, if an attacker parlays an exposed system, ultimately escalating gained privileges to the domain administrator as a pivot to gaining access to the rest of the network, it can be disastrous, no matter your size and in spite of the technical controls put in place to prevent such an occurrence. 

To think that the initial set of compromised credentials can come from any system — not just a domain controller as the starting point — can be daunting. That is certainly the desired end state of an experienced penetration tester: Start with simple gains and work toward the domain administrator. Since pen testers have proven time and again that this methodology is not difficult, it’s easy to imagine a threat actor or group using the same approach, though with complete malfeasance and disregard for any parameters of engagement scope. 

One other consideration is domain administration privileges. A threat actor does not need to execute malware to systemically encrypt enterprise systems. In fact, Pondurance’s Incident Response team was involved in a case where the threat actor leveraged the native BitLocker tool to encrypt the environment, and at that instant, the systems administrators of the affected organization were unable to undo the deed. They had expected their EDR platform to prevent the issue, and it took some convincing to assure them they were not hit with malware but rather a legitimate tool. Based on our forensic review, a set of credentials to a single system was leveraged to gain a foothold, upon which the threat actor escalated privileges to the domain administrator. From there, the threat actor used the privileges and the conduit of the domain server to roll out BitLocker. 

It was fortunate that the master key generated by the threat actor was captured by the EDR tool, so while it didn’t prevent the attack, the tool demonstrated its merit by logging the key for detective discovery.

Protection of Domain Controllers

The domain controller is the heart of any distributed network. Just like the heart of any living creature, it can deliver sustainability with every beat, or it can seize its host with paralysis or even death. Fortunately, prophylactic measures exist that, like with a living heart, can be employed to exercise and strengthen the domain controller, making it more resistant to defeat. In one final analogy to the living heart, despite adequate due diligence, there is no guarantee that the domain controller is impervious to all attacks or can stave off fluke conditions that might otherwise affect its rhythm (e.g., misconfigurations or other errors unrelated to a cyberattack). Healthy conditioning is the key, and a little bit of maintenance can make the difference without having to overengineer or overspend to protect your domain controller. Healthcare organizations looking to achieve compliance through configuration hardening (HIPAA, PCI-DSS, CMMC) can do so with real security in mind, not by simply checking a box.

At the highest level, known basic hygiene approaches to protecting domain controllers are the best long-term strategy. The following represent both simple and advanced approaches that your healthcare organization should take for protection, all of which can and should be baked into a system hardening program:

  • Ensure that MFA is enabled on compatible protocols, without exception, for all domain-level systems to protect against the use of stolen credentials. This simple and relatively inexpensive approach can prevent stolen credentials from being used.

  • Maintain domain controllers with supported release versions and ensure they are patched.

  • If you must enable RDP, ensure that there are compensating controls associated with it such as registered origin IP addresses, destination-only access, and individual credentials with MFA added.

  • Implement an email defense filtering system, combined with URL/IP outbound blocking capabilities. Malicious emails are preferred vectors for exploit campaigns, and weaponized documents and click-through to malware-hosting websites are the main ingredients of almost any spam and phishing attack.

  • Similar to RDP, ensure adequate protections are enabled for SMB. SMB is a protocol needed among many applications, so it requires protection from attacks where a server or device might be tricked into contacting a malicious server running inside a trusted healthcare network or to a perceived trusted remote server outside the network perimeter. Segmentation, traffic monitoring, enhanced authentication, and firewall best practices can enhance security and prevent malicious traffic from accessing the system or its network.

  • Ensure your organization has established a defense-in-depth strategy. With a distributed workforce (one that has seen the highest numbers of remote access in recent years), approaches that have been used in the past may not be enough. With the advent of software as a service, the cloud, and other hybrid models, it’s important to revisit logging and monitoring strategies to accommodate these evolutions.

  • Separate the use of local system administration from domain administration. If an endpoint such as a physician’s laptop or computer at the front desk is compromised and an attacker is able to discern local administrator credentials, those credentials will be tested at the domain. If they are the same, an attacker can easily facilitate an attack against the domain controller.

  • Monitor your domain controller at system and application log levels, check access logs for anomalies such as nondomain IPs and for failed attempts, monitor network traffic at port and payload levels, implement an EDR, and schedule more frequent enhanced audits.

  • Encrypt endpoints. The use of full disk encryption (FDE) makes a great deal of sense on a number of levels. Your healthcare organization should not make success easy for a bad actor. Since the healthcare industry holds reams of regulated data, FDE is assumed to be a basic, reasonable control, if not outright mandated. Your organization should decrease its attack surface to present a difficult target; otherwise, a threat actor can make easy lateral moves with the goal of escalating privileges. This can be accomplished through the effective use of a data classification program and least privilege, and it is mostly a continuous approach to hygiene and properly prioritizing activities.

  • Prepare for the worst-case scenario and have an incident response plan in place. Test and practice your plan with key stakeholders across your organization.
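Two of the checklist items above, compensating controls for RDP (registered origin IP addresses) and monitoring domain controller access logs for nondomain IPs and failed attempts, can be turned into concrete detection logic. The following Python script is an added example, not code from Pondurance or from this whitepaper: the log lines are constructed in a simplified pipe-delimited form of the Windows Security events a domain controller records for successful logons (event 4624) and failed logons (event 4625), and the trusted subnets, the RDP origin allowlist, and the failed-logon threshold are assumptions you would replace with your own values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment values: replace with your own ranges and jump hosts.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.30.0.0/16")]
RDP_ALLOWED_ORIGINS = {"10.20.5.10"}   # assumed admin jump host permitted to open RDP
FAIL_THRESHOLD = 5                     # failed logons per (account, source) ...
FAIL_WINDOW = timedelta(minutes=5)     # ... within this window count as a burst

# Constructed sample records, one per line:
# timestamp | event id (4624 logon, 4625 failed logon) | account | source IP | logon type
# Logon types follow Windows: 2 interactive, 3 network (e.g. SMB), 10 remote interactive (RDP).
SAMPLE_LOG = """\
2024-03-01T08:00:01|4624|jsmith|10.20.14.7|3
2024-03-01T08:00:05|4624|svc_backup|10.30.2.40|3
2024-03-01T08:01:10|4625|administrator|203.0.113.45|3
2024-03-01T08:01:12|4625|administrator|203.0.113.45|3
2024-03-01T08:01:14|4625|administrator|203.0.113.45|3
2024-03-01T08:01:16|4625|administrator|203.0.113.45|3
2024-03-01T08:01:18|4625|administrator|203.0.113.45|3
2024-03-01T08:02:00|4624|itadmin|10.20.5.10|10
2024-03-01T08:03:30|4624|frontdesk|10.20.44.9|10
2024-03-01T08:20:00|4625|jsmith|10.20.14.7|2
"""


def parse_events(text):
    """Turn the pipe-delimited sample lines into typed event dictionaries."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, src, ltype = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "account": account,
            "source": ipaddress.ip_address(src),
            "logon_type": int(ltype),
        })
    return events


def is_trusted(ip):
    """True when the source address falls inside one of the trusted ranges."""
    return any(ip in net for net in TRUSTED_NETS)


def find_anomalies(events):
    """Return ordered, de-duplicated (rule, account, source) findings."""
    findings = {}   # dict used as an insertion-ordered set

    def add(rule, account, source):
        findings[(rule, account, source)] = None

    fails = defaultdict(list)
    for e in sorted(events, key=lambda x: x["time"]):
        src = str(e["source"])
        # Rule 1: any authentication traffic reaching the DC from outside trusted ranges
        if not is_trusted(e["source"]):
            add("nondomain_source", e["account"], src)
        # Rule 2: successful RDP logon from a host that is not a registered origin
        if e["event_id"] == 4624 and e["logon_type"] == 10 and src not in RDP_ALLOWED_ORIGINS:
            add("rdp_unexpected_origin", e["account"], src)
        if e["event_id"] == 4625:
            fails[(e["account"], src)].append(e["time"])

    # Rule 3: sliding window over failed logons per (account, source) pair
    for (account, src), times in fails.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                add("failed_logon_burst", account, src)
                break
    return list(findings)


if __name__ == "__main__":
    for rule, account, source in find_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{rule}: account={account} source={source}")
```

On the constructed sample the script reports the password-guessing burst against the administrator account from an address outside the trusted ranges (two separate findings, because the source rule and the burst rule answer different questions) and an RDP session opened from a front-desk workstation that is not on the registered-origin list; the single failed interactive logon by jsmith and the RDP session from the approved jump host produce nothing, which is the behaviour you want so that the alerts stay actionable.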

$7.3 million is the average total cost of a data breach in the healthcare industry.[7]

Conclusion

As always, there is never absolute assurance where cybersecurity is concerned, and specifically, there is no single silver bullet that will fully protect your healthcare organization from all cyberattacks. However, Pondurance operates on both the red team side (performing penetration tests) and the blue team side (managed detection and response (MDR) solutions). We have analyzed varying attack methods and significant amounts of breach data, and the results support the commonality of the domain controller at the heart of nearly every ransomware attack. This whitepaper aims to identify controls and best practices that, when implemented, can reduce the likelihood and the risk of a successful cyberattack against your organization through protection of your domain controller.

In more cases than ever, data exfiltration is a viable threat that makes getting off unscathed a pipe dream, despite your ability to recover from something like a ransomware event. As a result, two other interesting developments are happening:

  1. There is now a question of legality relevant to paying a ransom.
  2. Your ability to simply and entirely transfer the burden of risk in terms of payment using cyber insurance is not assured.

All of this should provide ample motivation for your organization to reduce the likelihood of a compromise in the first place. It is costly and damaging to any organization that is not actively working to protect itself or otherwise is not fully prepared from a defense-in-depth perspective. As the trend for this type of attack increases in frequency and continues to evolve, it is critical that your healthcare organization be aware of current attack patterns that lead to an attacker’s success and what you can do to reduce your exposure. By following the steps discussed in this whitepaper, you can lower the probability of a successful attack.

ABOUT PONDURANCE

Pondurance delivers world-class MDR services to industries facing today’s most pressing and dynamic cybersecurity challenges including ransomware, complex compliance requirements, and digital transformation accelerated by a distributed workforce. By combining our advanced platform with our experienced team of analysts, we continuously hunt, investigate, validate, and contain threats so your own team can focus on what matters most.

Pondurance experts include seasoned security operations analysts, digital forensics and incident response professionals, and compliance and security strategists who provide always-on services to clients seeking broader visibility, faster response and containment, and more unified risk management for their organizations.

Visit www.pondurance.com for more information.