How Cisco Talos IR helped a healthcare company quickly resolve a Qakbot attack

A healthcare company recently detected a potential Qakbot infection early, and with the help of the Talos IR team, evicted the threat actor from their network quickly before any harm could come to the organization or its customers.

TALOS

Thursday, September 14, 2023 08:09

Partnership and proactive measures reduce resolution time from weeks to mere hours.

Healthcare is one of the most popular targets for threat actors, as evidenced by the fact that it was the most-targeted sector in each of Cisco Talos Incident Response’s past two Quarterly Trends Reports.

But if these organizations are ready for when, not if, an incident occurs, they can avoid the worst-case scenario of potentially losing money, risking patient safety, or dealing with technology downtime.

Veradigm is a healthcare technology company that drives value through its unique combination of platforms, data, expertise, connectivity, and scale. The Veradigm Network features a dynamic community of solutions and partners providing advanced insights, technology, and data-driven solutions, all working together to transform healthcare insightfully. Veradigm recently detected an intrusion and potential information-stealing attack before bad actors could execute their plan.

Thanks to the Cisco Talos Incident Response Retainer service, Veradigm detected a potential Qakbot infection early, and with the help of the Cisco Talos Incident Response (Talos IR) team, evicted the threat actor from their network quickly before any harm could come to the organization or its customers.

Veradigm has partnered with Cisco for technology and services for years, with the ongoing goal of making Veradigm’s systems and network more resilient – the ability to protect every aspect of their business, withstand unpredictable threats or changes, and emerge stronger.

A few months ago, their team acted quickly when they noticed a potential security incident in a development environment and immediately reached out to Talos IR for assistance. The Talos IR team helped them swiftly deal with the attack which included attempts to deploy the modular information-stealer Qakbot.

Veradigm and the Talos IR team worked together to determine that adversaries had attempted to establish command and control (C2) via DNS. Although Veradigm had isolated the affected system with Cisco Secure Endpoint using default settings, they found that endpoint isolation does not stop DNS traffic by default. The traffic was nonetheless blocked by Cisco Umbrella until the team could modify the isolation policy to stop the DNS beaconing. Veradigm's ability to prevent C2 highlights the value of a robust defense-in-depth strategy: the adversary penetrated the network, but because of layered security controls and a quick response, could not successfully deploy Qakbot.
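The DNS beaconing described above is visible in resolver logs regardless of whether endpoint isolation stops it. As an added example (not code from the original post or from Talos), this script flags client/domain pairs whose query timing is nearly constant, the pattern a beaconing implant leaves; the log layout, the sample lines and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample resolver log lines: "<epoch> <client_ip> <qname>".
# One domain is queried every ~60s with slight jitter; the others are not.
SAMPLE_LOG = """\
1694678400 10.0.5.21 updates.example-vendor.test
1694678460 10.0.5.21 a1b2.cdn-stat.test
1694678520 10.0.5.21 a1b2.cdn-stat.test
1694678580 10.0.5.21 a1b2.cdn-stat.test
1694678641 10.0.5.21 a1b2.cdn-stat.test
1694678699 10.0.5.21 a1b2.cdn-stat.test
1694678760 10.0.5.21 a1b2.cdn-stat.test
1694678410 10.0.5.21 mail.example-corp.test
1694678470 10.0.5.21 mail.example-corp.test
1694678900 10.0.5.21 mail.example-corp.test
1694679410 10.0.5.21 mail.example-corp.test
"""

def parse_log(text):
    """Group query timestamps by (client, last two labels of the query name)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, qname = line.split()
        domain = ".".join(qname.lower().rstrip(".").split(".")[-2:])
        series[(client, domain)].append(int(ts))
    return series

def beacon_score(timestamps, min_queries=5):
    """Return (mean_gap, coefficient_of_variation) or None if too few queries.
    A low CV means evenly spaced queries, the hallmark of a beacon."""
    if len(timestamps) < min_queries:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu == 0:
        return None
    return mu, pstdev(gaps) / mu

def find_beacons(text, max_cv=0.2, min_queries=5):
    """Flag (client, domain, interval_s, cv) where inter-query gaps are near-constant."""
    hits = []
    for (client, domain), ts in parse_log(text).items():
        score = beacon_score(ts, min_queries)
        if score and score[1] <= max_cv:
            hits.append((client, domain, round(score[0]), round(score[1], 3)))
    return sorted(hits)

if __name__ == "__main__":
    for client, domain, interval, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {domain}: every ~{interval}s (cv={cv})")
```

Tune `max_cv` and `min_queries` against your own baseline; legitimate software updaters also poll on fixed intervals, so hits are leads for triage, not verdicts.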

This incident was resolved in hours, not days or weeks, because of Talos IR’s established relationship with Veradigm. The Talos IR team shared remediation recommendations to Veradigm to implement in the event threat actors attempted another intrusion. The swift action of the Talos IR team, coupled with the proactive preparation of the Veradigm team, resulted in a faster and more efficient response to the incident.

Dr. Jeremy Maxwell, the CSO at Veradigm touted, “We avoided worst case scenario due to our experience, practices, and relationships … by having the ‘good guys’ from Cisco join with our ‘good guys,’ we can navigate each situation to success.”

This is one of many customer success stories in which Talos IR sees, responds, and helps organizations across the globe fortify their readiness and defense.

The recent Cisco Cybersecurity Readiness Index study found that a mere 15% of organizations globally are deemed to have a mature level of preparedness to handle security risks. Those in the sectors with the most to lose tend to have more companies in the mature state of readiness, including healthcare (18%) and financial services (19%).

Dr. Maxwell said that because of his company’s retainer with Talos IR, he was lucky enough to count his company among those organizations who were ready for a cyber-attack.

“Working in a highly regulated domain, it is important that we establish good relationships with all partners, but incident response in particular,” Maxwell said. “We have been partnering with Cisco Talos IR since 2017, and across that time we have established a solid relationship with the same cast of characters through both proactive and reactive incidents. This has built a special level of trust and efficiency in response when we have those knowledgeable about our unique environment on our side and ready to be there.”

Veradigm chose Cisco Secure solutions based on several factors: the ease of integration with their existing hosting and corporate environment tools, plus being known in the industry as a strong performer. It just made sense, then, to partner with Talos IR for their incident response needs.

“With the [Talos IR] retainer service we really appreciate established and met Service Level Agreements (SLAs). Plus, the knowledge of Cisco’s IR team on our unique environment, prior incidents, and their intelligence on the latest threats ensure we smoothly navigate, and balance preparation exercises and incidents based on our unique needs. With the time to response in our SLA along with the unique knowledge, there isn’t a delay as one would expect. They are ready and we have ‘muscle memory’ from both tabletop scenarios and real-life situations. As a result of being in the highly regulated world of healthcare and with the constant need to consider patient safety, our circumstances can be tense from the start. They know how we need to react based on both exercises and incidents and can navigate smoothly in delicate situations/balances with our unique needs in mind,” said Jeremy Maxwell, Veradigm CISO.

Having a trusted partner on Veradigm’s side who knows their environment, popular attacker tactics, techniques, and procedures (TTPs) and is familiar with regulatory obligations of the healthcare sector meant both sides could work together to achieve more. The strong connection is based on a solid foundational relationship grounded in expediency and knowledge, according to Maxwell.

“Cisco knows our structure, they know our IR plans, they know our privilege and information sharing practices, they know our regulatory obligations,” he said after the incident was resolved. “As a result of this unique relationship, we save precious minutes and hours in response time not having to bring them up to speed each time. They are already ready to go with our team side by side, step by step.”

Veradigm takes preparation seriously, not trying to formulate a plan during an active incident, but actively reviewing their IR plan and playbooks regularly. The company has also participated in multiple Talos IR tabletop exercises to stress test its processes and adjust as needed to respond and succeed more quickly.

“Preparation is crucial. During your IR, you cannot formulate a plan on how to respond and react,” Maxwell said. “When something does occur, we do what we planned, we have enabled ourselves to succeed with the IR plan in action. It’s not just theory — it’s practice.”

In this episode of the Cisco Security Stories podcast, Jeremy Maxwell talks through the incident step by step, and how Veradigm has benefitted from a close relationship with Talos Incident Response over many years.

An additional benefit Veradigm gets from the retainer is the sharing of knowledge and experience, which the company not only applies during an incident but also leverages to boost the expertise of its in-house IR team.

“Another bonus is that due to the size of Cisco, their team is not only our ally, but also a fountain of information with their global network of responses and knowledge across the spectrum. We can leverage that experience and skillset to our advantage,” Maxwell said. “Cisco also brings professional backing and confidence to further expand our team of expertise and process.”

Are you looking to build or further enhance your incident response readiness program? We can help with the Cisco Talos Incident Response Retainer service. Connect with us to learn more.
