Behind the Anthem hack: A tale of 2 info-sharing centers
The data theft at Anthem Inc. sent shockwaves through the health care industry last week, underscoring the urgent need for the Obama administration and Congress to come to an agreement on cybersecurity information sharing.
Without rapid exchange of what security practitioners refer to as indicators of compromise, or IOCs, there was no telling how many other health care organizations may have been vulnerable to the attack that put more than 80 million Anthem customer records at risk.
But how much technical alert information companies received, and how soon they received it, depended a lot on which information sharing and analysis center they belonged to. While the government’s officially recognized National Health Information Sharing and Analysis Center sent out its first alert containing an initial list of IOCs within 12 hours of the breach becoming public, the health care industry’s leading information-sharing organization — the Health Information Trust Alliance, known as HITRUST — limited its assessment to its own member companies and decided an industrywide alert was not necessary.
According to a notice published Monday by the Frisco, Texas-based HITRUST, the targeted nature of the Anthem hack did not warrant a broad industry alert.
“Upon further investigation and analysis it is believed to be a targeted advanced persistent threat (APT) actor. With that information, HITRUST determined it was not necessary to issue a broad industry alert,” HITRUST said in a statement posted on its website.
According to HITRUST, Anthem shared various indicators of compromise with the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3), including MD5 hashes, IP addresses and threat actor email addresses. However, once these IOCs were not found on various HITRUST member company networks, the decision was made not to share the information more broadly.
Leslie Kesselring, a spokeswoman for HITRUST, said the Anthem IOCs were shared with its own member companies within one hour of HITRUST receiving them. “The HITRUST [Cyber Threat XChange] required a subscription to participate. Recently, many organizations, not subscribing, called us to ask for the information,” Kesselring said in an email to FedScoop. “To avoid any obstacles to them having this and other cyber threat intelligence and information we are making a basic subscription free.”
HITRUST has now announced changes to its C3 programs in light of the Anthem incident and a significant increase in demand from health care organizations for information on the attack. “HITRUST has received an enormous number of requests for information on the Anthem cyber related breach including IOCs and response countermeasures, including many requests from organizations that have not previously been sharing IOCs with industry,” the alliance said in a statement.
Changes include making a basic subscription to the HITRUST Cyber Threat XChange free of charge “to allow online access to a comprehensive array of cyber threat intelligence and industry indicators of compromise (IOCs) including recently identified and future information associated with the Anthem breach,” according to the statement. HITRUST has also announced plans to issue communications and educational material to help organizations confirm they have not been compromised by the same attack that affected Anthem, and to warn organizations and individuals about various scams that seek to take advantage of security concerns stemming from the attack.
Josh Singletary, chief information officer of the NH-ISAC, told FedScoop the organization issued an industrywide security alert, including the IOCs it could verify, by 2:00 p.m. ET Thursday.
“But it was sent out not only to our members but it was shared with all of the other ISACs and other trusted organizations received those indicators as well,” Singletary said. “We also shared the indicators with other intelligence providers outside of the NH-ISAC membership so that they could be properly distributed.”
NH-ISAC Executive Director Deborah Kobza said although there are strict information-sharing agreements that govern how the ISAC can share sensitive information, membership in the ISAC should not prevent critical information from reaching organizations at risk. “The membership lines go away when there’s an emergency or a massive attack,” Kobza said. “If you have information-sharing organizations that are siloing themselves and not working to share information during attacks of this size, that’s a detriment to us being able to protect our infrastructures.”
The NH-ISAC currently lists its threat level as “Guarded – Blue,” which indicates a “general risk of increased hacking, virus or other malicious activity.” This is the second lowest of five threat levels. “The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred,” states the website.
Security experts are raising questions about the industry’s response to the Anthem attack, particularly the decision by HITRUST not to issue a broad alert beyond its paying customers.
“It is imperative that IOCs — and indicators of threats, IOTs — are quickly and broadly shared, without fee, both within the health care industry and across industry verticals,” Simon Crosby, chief technology officer and co-founder of Cupertino, Calif.-based security firm Bromium, said. “It is time for all of us — vendors and enterprises alike — to recognize that the era of expensive, proprietary signature and threat formats is over, and we need to collaborate to secure customer data.”
“In hindsight, the decision not to share was not necessarily in the best interest of the health care community,” a federal security official told FedScoop. “Cybersecurity professionals have long practiced the close hold of information. In this new environment we find ourselves in, past practices of close hold of information does not allow public and private organizations to proactively protect themselves,” the official said, speaking on condition of anonymity because the person was not authorized to speak publicly about the incident. “The rapid sharing of information is critical to help industry protect itself.”
IOC sharing benefits
Security experts define indicators of compromise as digital artifacts that are left behind after an intrusion. They could be metadata, registry entries or more complex code samples, and even observable system behaviors that are out of the ordinary.
Stephen Boyer, CTO and co-founder of Cambridge, Massachusetts-based BitSight Technologies, said many other organizations and industries outside of those that are breached could benefit from immediate and specific disclosure and sharing of indicators of compromise. “Many of the systems that end up being exploited by an attacker are also resident elsewhere,” he said, in an email response to FedScoop. “The faster other organizations can look for or defend against the attacker’s methods, the sooner those organizations and industries can begin to recover or limit the potential damage. The speed of response and recovery is critical. Sharing of IOCs both within industries — and with other industries — has demonstrated value in thwarting additional compromise.”
Tom Gorup, security operations manager for Rook Security, an IT security and consulting firm located near Anthem headquarters in Indianapolis, said there’s a fine line between releasing the details of a breach quickly and providing additional attackers with the information they need to hack other organizations.
“I believe this was a responsible disclosure,” Gorup said. “Anthem claims to have released the information within eight days of identification and plans to inform customers as soon as they have identified those affected. Quick disclosure is good, but we also have to be wary of other criminals looking to capitalize on events such as these. It’s a fine line, everyone wants to know quickly, however, too quick can be painful as well. Full remediation and understanding of the attack should take place before releasing information that could put the company in this situation once again.”
Rich Reybock, CTO of San Mateo, California-based Vorstack Corp., agreed and said the one caveat to immediate release of IOCs is if it is an ongoing attack and releasing early could jeopardize the ongoing investigation or forensic process. “It’s always a balance but the only way to truly understand the scope of impact is if the industry, as a whole, knows what to look for as quickly as possible,” he said.
Kobza said the NH-ISAC completed the deployment in January of a national health cybersecurity information-sharing platform known as Soltra Edge that automates intelligence sharing at machine speed. Developed by the Financial Services ISAC in cooperation with the Depository Trust & Clearing Corp., Soltra Edge is a free, open source software platform that collects massive amounts of cyber threat intelligence, converts it to a standard language and routes the information to users and devices.
“To be able to share something in real-time from machine to machine — that’s a game-changer,” Kobza said.