HHS’ HC3 analyst note warns of growing threat of DDoS attacks in health sector cybersecurity


The Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health & Human Services (HHS) published an analyst note explaining that a distributed-denial-of-service (DDoS) attack is a type of cyber attack in which an attacker uses multiple systems, often referred to as a botnet, to send a high volume of traffic or requests to a targeted network or system, overwhelming it and making it unavailable to legitimate users. With the number of DDoS attacks increasing every year, they can come at any time, impact any part of a website’s operations or resources, and lead to massive amounts of service interruptions and huge financial losses. 

“In the health and public health (HPH) sector, they have the potential to deny healthcare organizations and providers access to vital resources that can have detrimental impact on the ability to provide care,” the HC3 said in the Wednesday note. “Disruptions due to a cyberattack may interrupt business continuity by keeping patients or healthcare personnel from accessing critical healthcare assets such as electronic health records, software-based medical equipment, and websites to coordinate critical tasks.” 

As such, this comprehensive DDoS guide is intended to help its target healthcare audiences understand what DDoS attacks are, what causes them, the types of DDoS attacks with timely, relevant examples, and the mitigations and defenses against a potential attack. 

Not to be confused with Denial-of-Service (DoS) attacks, which usually attack from a single system, a DDoS attack originates from multiple sources and sends a larger volume of traffic into the system at once, making it difficult for network administrators to quickly detect and eliminate the threat. 

The HC3 said that the DDoS attacks have continually grown in size and sophistication, but 2023 accelerated this trend at an unforeseen pace. “Last year alone, cybercriminal groups, geopolitically motivated hacktivists, and malicious actors utilized the relatively inexpensive cost of launching DDoS attacks, the scale of massive botnets built from everyday digital and Internet of Things (IoT) devices, and protocol-level zero-day vulnerabilities to launch record-breaking attacks on businesses, government institutions, and, most disturbingly, on critical but vulnerable public infrastructure, including hospitals. In most cases, the assumed goals are to cause damage, productivity loss, and financial losses and to gain public attention, which is why these threat actors select an increasingly broad range of victims who are known to have insufficient IT security.” 

It is important to remember that DDoS attacks are targeted attacks for which the threat actors consciously select their targets. Threat actors utilize DDoS attacks due to the cost-effectiveness and relatively low resources and technical skills needed to deploy this type of attack as a hacker does not have to install any code on a victim’s server. Moreover, DDoS attacks are getting more sophisticated and complex while getting easier and cheaper to perpetrate as cybercriminals take advantage of the sheer number of insecure internet-connected devices. 

“DDoS attackers are often groups of attackers well known to authorities and use DDoS tactics to gain influence, disrupt government and military operations, or cause people to lose confidence in a market sector, company brand, or long-established institution,” the HC3 added. “While any type of cyber threat actor (i.e., advanced persistent threats, cybercriminal groups, individuals, etc.) could orchestrate DDoS attacks, one of the biggest shifts in the DDoS threat landscape is the rise of hacktivist groups and the emergence of political motivation, rather than financial motivation, as the main driver for DDoS attacks.”

Typical steps for responding to a DDoS attack include detection; filtering; diversion and redirection; forwarding and analysis; and alternate delivery. Early detection is critical for defending against a DDoS attack. DDoS detection may involve investigating the content of packets to detect Layer 7 and protocol-based attacks or utilizing rate-based measures to detect volumetric attacks. Rate-based detection is usually discussed first when it comes to DDoS attacks, but most effective DDoS attacks are not blocked using rate-based detection.

A transparent filtering process helps to drop unwanted traffic. This is done by installing effective rules on network devices to eliminate the DDoS traffic. When it comes to diversion and redirection, the step involves diverting traffic so that it doesn’t affect critical resources. 

Understanding where the DDoS attack originated is important. This knowledge can help develop protocols to proactively protect against future attacks. While it may be tempting to try and kill off the botnet, it can create logistical problems and may result in legal ramifications. Generally, it is not recommended. It is possible to use alternate resources that can almost instantaneously offer new content or open new networking connections in the event of an attack.
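The detection and filtering steps described above can be illustrated with a small triage script. The following is an added example, not code from the HC3 note: it runs a rate-based check and an aggregate per-endpoint (Layer 7) check over a constructed set of access-log lines and then turns the findings into filter rules. The log format, the thresholds, the endpoint baselines and the nginx-style rule syntax are all assumptions made for the example; the point it demonstrates is the note's observation that a flood spread across many low-rate sources slips past per-source rate limits and needs a content- or endpoint-level check instead.

```python
"""Added example (not from the HC3 note): two-stage DDoS triage.

Stage 1, detection: a per-source rate check (catches a single noisy
source) and a per-endpoint volume check against an assumed baseline
(catches a distributed Layer 7 flood whose sources each stay under the
per-source limit).
Stage 2, filtering: findings become deny / rate-limit rules for an edge
device. Rules are written in nginx-like syntax purely for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RATE_THRESHOLD = 10          # assumed: requests per source per window before flagging
ENDPOINT_BASELINE = {         # assumed: normal requests per window per endpoint
    "/search": 3,             # an expensive endpoint with low normal volume
    "/login": 20,
}
BASELINE_MULTIPLIER = 3       # assumed: flag an endpoint above 3x its baseline
WINDOW = timedelta(seconds=60)


def _constructed_log():
    """Build a constructed sample log: '<iso-timestamp> <src> <method> <path> <status>'."""
    t = "2024-06-01T12:00:%02d"
    lines = []
    # One source hammering /login: 12 requests, above RATE_THRESHOLD.
    lines += [f"{t % i} 203.0.113.7 POST /login 401" for i in range(12)]
    # Five sources each sending only 3 requests to /search: 15 in total,
    # well above the endpoint baseline but each source is under the rate limit.
    for n in range(1, 6):
        lines += [f"{t % (20 + i)} 198.51.100.{n} GET /search 200" for i in range(3)]
    # An ordinary user who also touches /search once.
    lines.append(f"{t % 30} 192.0.2.10 GET /login 200")
    lines.append(f"{t % 31} 192.0.2.10 GET /search 200")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "method": method, "path": path, "status": int(status)})
    return events


def in_window(events, window=WINDOW):
    """Keep only events within one window of the earliest event."""
    start = min(e["ts"] for e in events)
    return [e for e in events if e["ts"] - start < window]


def rate_based_detection(events, threshold=RATE_THRESHOLD):
    """Volumetric-style check: sources exceeding the per-source threshold."""
    counts = Counter(e["src"] for e in events)
    return {src: n for src, n in counts.items() if n > threshold}


def layer7_detection(events, baseline=ENDPOINT_BASELINE, multiplier=BASELINE_MULTIPLIER):
    """Endpoint-level check: total volume per path against its baseline.

    Returns, per flagged path, the total, the number of distinct sources and
    the busiest single source, so the analyst can see that no one source
    would have tripped the rate check.
    """
    per_path = defaultdict(Counter)
    for e in events:
        per_path[e["path"]][e["src"]] += 1
    findings = {}
    for path, srcs in per_path.items():
        total = sum(srcs.values())
        if path in baseline and total > baseline[path] * multiplier:
            findings[path] = {"total": total, "distinct_sources": len(srcs),
                              "max_per_source": max(srcs.values())}
    return findings


def build_filter_rules(rate_findings, l7_findings, baseline=ENDPOINT_BASELINE):
    """Turn findings into illustrative nginx-style rules.

    A single abusive source is denied outright; a distributed endpoint flood
    is rate-limited at the endpoint, because denying every source that hit
    it would also block legitimate users (192.0.2.10 in the sample).
    """
    rules = [f"deny {src};" for src in sorted(rate_findings)]
    for path in sorted(l7_findings):
        zone = path.strip("/").replace("/", "_") or "root"
        rules.append(f"limit_req_zone $binary_remote_addr zone={zone}:10m "
                     f"rate={baseline[path]}r/m;  # rate-limit {path}")
    return rules


def triage(log_text):
    """Run both detection stages on a log and return the filter rules."""
    events = in_window(parse_log(log_text))
    return build_filter_rules(rate_based_detection(events), layer7_detection(events))


if __name__ == "__main__":
    for rule in triage(SAMPLE_LOG):
        print(rule)
```

Run as a script it prints one `deny` rule for the single noisy source and one rate-limit rule for `/search`; the five `/search` sources are never denied individually, which is the distinction the note draws between rate-based detection and content- or endpoint-based detection.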

Earlier this month, researchers at Forescout’s Vedere Labs revealed that a new prominent threat actor, named ‘RansomHub,’ has surfaced in the aftermath of the Change Healthcare cyber attack and ransomware incident. This group, considered new in the threat landscape, has been targeting additional victims following the significant ransomware and data breach attack in February.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published in March an updated joint guide that covers specific needs and challenges faced by organizations in defending against DDoS attacks. The document provides critical infrastructure organizations with detailed insights into three different types of DDoS techniques, including volumetric attacks aiming to consume available bandwidth; protocol attacks that exploit vulnerabilities in network protocols; and application attacks targeting vulnerabilities in specific applications or running services.
