Security by Kill Chain

Privacy by Design

1. Reconnaissance

Reconnaissance Definition

Reconnaissance defines how the Threat Group gathers information prior to and during the computer network operations it engages in. This may be through open source research, scanning, the Web, theft of intellectual property, or human sources.

AcuteNet Reconnaissance

Regular log collection is critical for understanding the nature of security incidents during an active investigation and in post-mortem analysis. AcuteNet has effective audit logging in place. Events recorded by audit logging include:

Operating System (OS) Events:
  • Start up and shut down of the system
  • Start up and shut down of a service
  • Network connection changes or failures
  • Changes made, or attempts to change, system security settings and controls

OS Audit Records:
  • Logon attempts (successful or unsuccessful)
  • Successful/failed use of privileged accounts
  • Account changes (e.g., account creation and deletion, account privilege assignment, password change)
  • Functions performed after logon (e.g., reading or updating files, software installation, etc.)

Application Account Information:
  • Successful and failed application authentication attempts
  • Application account changes (e.g., account creation and deletion, account privilege assignment)
  • Use of application privileges

Application Operations:
  • Application startup and shutdown
  • Application failures
  • Major application configuration changes
  • Application transactions

At AcuteNet we have developed a unique built-in system of application logging. The details logged for each application event capture the following:

Application Event Details:
  • Timestamp
  • Event, status, and/or error codes
  • Service/command/application name
  • User or system account associated with the event
  • Device used (source and destination IPs, terminal session ID, web browser, etc.)

To prevent attackers from hiding their activities, strong access control is configured around audit logs to limit the number of accounts that can view or modify audit logs.

Leveraging the power of Open Source technologies, AcuteNet has implemented a 24×7 monitoring system. Monitoring alerts the infrastructure team in real time to any suspicious activity, service error or warning. This includes, but is not limited to: account changes, account privilege assignment, password changes, application failures, environment application failures, and suspicious network or disk activity.
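The following is an added illustration of the two policies above, not AcuteNet's own logging or monitoring code: each application event is written as one JSON line carrying the listed details (timestamp, event and status codes, service name, account, source and destination IPs, session ID, browser), and a small monitor reads those lines back and raises alerts for bursts of failed logons from one address, account changes, and application failures. The event names, field names, thresholds and the sample log lines are all constructed for this example.

```python
"""Structured audit events and a small real-time monitor over them.
Added example; event names, fields and thresholds are assumptions, not AcuteNet's codes."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One record per event, carrying the details the logging policy requires:
# timestamp, event and status code, service name, account, and device details.
REQUIRED_FIELDS = ("ts", "event", "status", "service", "account",
                   "src_ip", "dst_ip", "session_id", "user_agent")

# Account-change events the monitoring policy says must be alerted on.
ACCOUNT_CHANGE_EVENTS = {"account_create", "account_delete",
                         "privilege_assign", "password_change"}


def make_event(ts, event, status, service, account, src_ip, dst_ip,
               session_id, user_agent):
    """Serialise one audit event as a single JSON line."""
    record = {"ts": ts.isoformat(), "event": event, "status": status,
              "service": service, "account": account, "src_ip": src_ip,
              "dst_ip": dst_ip, "session_id": session_id,
              "user_agent": user_agent}
    return json.dumps(record, sort_keys=True)


def parse_event(line):
    """Parse a JSON line and reject records missing any required field."""
    record = json.loads(line)
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        raise ValueError(f"audit record missing fields: {missing}")
    record["ts"] = datetime.fromisoformat(record["ts"])
    return record


def detect(lines, fail_threshold=5, window=timedelta(minutes=5)):
    """Return alert strings for: failed-logon bursts per source IP (sliding
    window), account changes, and application failures."""
    alerts = []
    failed_by_ip = defaultdict(list)
    for rec in map(parse_event, lines):
        if rec["event"] == "logon" and rec["status"] == "failure":
            history = failed_by_ip[rec["src_ip"]]
            history.append(rec["ts"])
            # keep only the failures that fall inside the sliding window
            while history and rec["ts"] - history[0] > window:
                history.pop(0)
            if len(history) == fail_threshold:   # fire once, when the threshold is crossed
                alerts.append(f"{rec['src_ip']}: {fail_threshold} failed logons "
                              f"within {window} (last account {rec['account']!r})")
        elif rec["event"] in ACCOUNT_CHANGE_EVENTS:
            alerts.append(f"{rec['account']}: {rec['event']} from {rec['src_ip']} "
                          f"session {rec['session_id']}")
        elif rec["event"] == "app_failure":
            alerts.append(f"{rec['service']}: application failure "
                          f"status={rec['status']}")
    return alerts


# Constructed sample log: six failed logons in two minutes from one address in
# the 203.0.113.0/24 documentation range, one successful admin logon, and one
# privilege assignment performed in that admin session.
_T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    make_event(_T0 + timedelta(seconds=20 * i), "logon", "failure", "acutenet-web",
               "jdoe", "203.0.113.7", "10.0.0.5", "-", "Mozilla/5.0")
    for i in range(6)
] + [
    make_event(_T0 + timedelta(minutes=3), "logon", "success", "acutenet-web",
               "admin", "10.0.0.20", "10.0.0.5", "sess-9f1c", "Mozilla/5.0"),
    make_event(_T0 + timedelta(minutes=4), "privilege_assign", "success",
               "acutenet-web", "jdoe", "10.0.0.20", "10.0.0.5", "sess-9f1c",
               "Mozilla/5.0"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

Two alerts result from the sample: one when the fifth failed logon from 203.0.113.7 lands inside the five-minute window, and one for the privilege assignment. The burst rule fires exactly once per threshold crossing rather than on every further failure, which keeps the alert volume proportional to incidents rather than to attempts.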

2. Development

Development Definition

This step captures useful information about the development of the infrastructure and tools behind an adversary's operations.

AcuteNet Development

To provide the highest level of information security, AcuteNet uses the Dell Private Cloud solution. Dell and its associated services are audited continually against industry standards such as ISO 27001 certification and SOC 2 and SOC 3 Type II audits, which are the most widely recognized, internationally accepted, independent security compliance audits.

In addition to using Dell Private Cloud’s robust security architecture, AcuteNet’s application security architecture provides for multilayer encryption. This enables AcuteNet’s customers to take full advantage of cloud computing and Software as a Service (SaaS) innovation in both online and offline mode through the following design framework:

Record-Level Depersonalization and Encryption
  • Depersonalization of personal identification information by removing and/or encrypting user-defined sensitive data
  • Two-level encryption of all sensitive data at record and index level
  • Unique encryption key per patient
  • Both encrypted and decrypted data are accessible only by the AcuteNet application

User-Level Monitoring and Encryption
  • Offline user access encryption enabled with unique key
  • Automated synchronization of offline activities
  • Online and offline total user activity logging with play-back feature
  • Single Sign On integration with client infrastructure
  • Entity level access control and authorization
  • Comprehensive password and access policy enforcement in accordance with segregation of duties

In-Transit and At-Rest Data Encryption
  • 2048-bit SSL certificate
  • 256-bit encryption
  • FIPS 197 standard (AES)
  • Hyper Text Transfer Protocol Secure (HTTPS)

This combination of security and privacy leads to a strong ecosystem that keeps customer information safe.

3. Weaponization

Weaponization Definition

Weaponization describes the “coupling of a remote access Trojan with an exploit into a deliverable payload.” This is often done through an automated tool commonly called a “weaponizer,” but sometimes referred to as a “builder.” These “weaponizer” frameworks are often detectable by artifacts left within the files.

AcuteNet Weaponization

LAMP is an archetypal model of web service solution stacks, named as an acronym of its original four open-source components: the Linux operating system, the Apache HTTP Server, the MySQL relational database management system (RDBMS), and the PHP programming language. Using the LAMP technology stack in combination with Open Source solutions and a Privacy by Design implementation, AcuteNet is protected against attacks such as cross-site scripting, injection, local or remote file inclusion, arbitrary code execution, and other weaponized code aimed at openings in an application. To achieve this, AcuteNet follows LAMP security guidelines and technology standards such as:

  • Disabling directory listing on the web server
  • Restricting access using Apache Directory, File and Location directives
  • Disabling server-side includes and CGI execution
  • Restricting remote SQL access
  • Limiting PHP access to the file system
  • Running automated security scans and audits
  • Regular security updates and patching
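As an added example (not AcuteNet's tooling), the script below checks Apache, PHP and MySQL configuration text against the first five points in the list: directory listing (`Options Indexes`), server-side includes and CGI (`Options Includes`/`ExecCGI`), a denied-by-default `<Directory />` block, PHP file system confinement (`open_basedir`) and remote file inclusion (`allow_url_include`), and MySQL listening only on localhost (`bind-address`). The two configuration fragments it is run over are constructed for the example; a weak set beside the corrected set.

```python
"""Audit Apache, PHP and MySQL configuration text against LAMP hardening points.
Added example; the configuration fragments below are constructed, not AcuteNet's."""
import re

# Apache Options keywords that re-enable what the hardening list says to disable.
RISKY_OPTIONS = {
    "indexes": "directory listing enabled (Options Indexes)",
    "includes": "server-side includes enabled (Options Includes)",
    "includesnoexec": "server-side includes enabled (Options IncludesNOEXEC)",
    "execcgi": "CGI execution enabled (Options ExecCGI)",
    "all": "Options All enables Indexes, Includes and ExecCGI",
}


def audit_apache(text):
    """Flag risky Options and a root <Directory /> without 'Require all denied'."""
    findings, in_root, root_denied = [], False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.match(r'<Directory\s+"?/"?\s*>', line, re.I):
            in_root, root_denied = True, False
        elif line.lower() == "</directory>":
            if in_root and not root_denied:
                findings.append("apache: <Directory /> lacks 'Require all denied'")
            in_root = False
        elif in_root and re.fullmatch(r"Require\s+all\s+denied", line, re.I):
            root_denied = True
        tokens = line.split()
        if tokens and tokens[0].lower() == "options":
            for tok in tokens[1:]:
                if tok.startswith("-"):          # explicitly switched off: fine
                    continue
                key = tok.lstrip("+").lower()
                if key in RISKY_OPTIONS:
                    findings.append("apache: " + RISKY_OPTIONS[key])
    return findings


def _ini_pairs(text, comment_char):
    """key = value pairs from an ini-style file; keys normalised to lower-case, dashes."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.split(comment_char, 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip().lower().replace("_", "-")] = value.strip().strip('"')
    return pairs


def audit_php(text):
    ini = _ini_pairs(text, ";")
    findings = []
    if not ini.get("open-basedir"):
        findings.append("php: open_basedir unset, PHP may read the whole file system")
    if ini.get("allow-url-include", "off").lower() in ("on", "1", "true"):
        findings.append("php: allow_url_include=On permits remote file inclusion")
    return findings


def audit_mysql(text):
    cnf = _ini_pairs(text, "#")
    flags = {l.strip().replace("_", "-") for l in text.splitlines()}
    bind = cnf.get("bind-address")
    if "skip-networking" in flags or bind in ("127.0.0.1", "::1", "localhost"):
        return []
    return [f"mysql: remote SQL access not restricted (bind-address={bind})"]


def audit_lamp(apache_conf, php_ini, my_cnf):
    return audit_apache(apache_conf) + audit_php(php_ini) + audit_mysql(my_cnf)


# Constructed fragments: a weak configuration and its hardened counterpart.
WEAK = {
    "apache": '<Directory />\n    Options Indexes FollowSymLinks Includes ExecCGI\n'
              '    AllowOverride None\n</Directory>\n',
    "php": '; php.ini\nopen_basedir =\nallow_url_include = On\n',
    "mysql": '[mysqld]\nport = 3306\n',
}
HARDENED = {
    "apache": '<Directory />\n    Options -Indexes -Includes -ExecCGI\n'
              '    AllowOverride None\n    Require all denied\n</Directory>\n'
              '<Directory "/var/www/html">\n    Options -Indexes +FollowSymLinks\n'
              '    Require all granted\n</Directory>\n',
    "php": '; php.ini\nopen_basedir = "/var/www/html:/tmp"\nallow_url_include = Off\n',
    "mysql": '[mysqld]\nport = 3306\nbind-address = 127.0.0.1\n',
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_lamp(cfg["apache"], cfg["php"], cfg["mysql"]))
```

The weak set produces seven findings (three risky `Options` keywords, the undenied root directory, the two PHP settings and the unbound MySQL listener); the hardened set produces none. The checker only reads configuration text, so it can run in a build or review pipeline before a change reaches a server.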

On all AcuteNet platforms Red Hat Enterprise Linux is used. It provides the stability and security needed to confidently deploy AcuteNet solutions.

4. Delivery

Delivery Definition

This step describes the transmission of the tools into the victim organization. The most common forms of delivery take the forms of Scan&Exploit, Credential-Access, Spearphish, Web-Delivery, or Physical delivery.

AcuteNet Delivery

AcuteNet is using security controls to prevent data loss, leakage, or unauthorized access to sensitive or restricted data through the following:

Physical Server Security
  • The physical machines hosting a database and web servers are housed in a secured, locked and monitored environment to prevent unauthorized entry, access or theft. The Dell Private Cloud solution is used as the industry leader in server/networking operations and security.
  • Application and web servers are not located on the same server as the database server.

Firewalls
  • All servers are located behind a firewall with default rules to deny all traffic.
  • The firewall is opened only to specific application or web servers, and firewall rules do not allow direct client access.
  • Firewall rules are maintained and reviewed on a regular basis by the Information Security Team.

Application / Data
  • Application code is reviewed for SQL injection vulnerabilities.
  • No “Spyware” is allowed on the application, web or database servers.
  • Database software is patched to include all current security patches.
  • Secure authentication to the application is used.
  • Users are granted the minimal permissions necessary for their job function.
  • Sensitive data is not stored on non-production servers.
  • Sensitive data never leaves the customer's jurisdiction, environment, location or country.
  • Backup and recovery solutions are in place.

5. Exploitation

Exploitation Definition

Exploitation describes the methods used to execute the malicious code. This step details whether the adversary uses new 0-days, appears to acquire 0-days and exploits second-hand, or relies on social engineering to trick users. It may be possible to describe this step in greater detail with specifics.

AcuteNet Exploitation

To reduce the risk from zero-day vulnerabilities, AcuteNet performs the following activities:

  • AcuteNet uses Red Hat Enterprise Linux as its operating system. As security vulnerabilities are discovered, the affected software is updated to limit any potential security risk. Red Hat, Inc. is committed to releasing updated packages that fix a vulnerability as soon as possible. Often, announcements about a given security exploit are accompanied by a patch. This patch is then applied to the Red Hat Enterprise Linux package, tested by the Red Hat quality assurance team, and released as an errata update.
  • AcuteNet has introduced 100% code-review coverage of the code developed by the team.
  • AcuteNet regularly runs penetration tests of the product.
  • AcuteNet has a rigorous testing procedure, used throughout the software development lifecycle (SDLC).
  • AcuteNet regularly provides security training to the development team.
  • Continuous integration is in place to make sure AcuteNet can create and roll out patches in a timely manner.
  • Logging and monitoring systems are in place and are constantly audited.

6. Installation

Definition of Installation

Installation describes the methods and artifacts left behind by the actor while implanting malicious code on compromised systems. These artifacts can include notable aspects of the installation, and unique installation tools.

AcuteNet Installation

The measures taken to ensure the information security of AcuteNet systems include, but are not limited to, the following:

  • Access to all network devices or servers is restricted by a password.
  • AcuteNet staff members are granted only the access to information resources that their duties require.
  • Every network device or server is managed and maintained by authorized and qualified personnel.
  • Authorized staff approves every major change of the infrastructure and/or configuration.
  • Authorized personnel install all software items.
  • Planned network or facility maintenance that may lead to a network outage is approved by authorized staff in accordance with AcuteNet customer contractual obligations and SLAs.
  • Authorized staff evaluate patches and updates before implementation.
  • Every new piece of software undergoes security evaluation by authorized staff before installation.

7. Command and Control

Definition of Command and Control

Command and Control describes the methods used to interact with compromised resources left within the organization. This activity extends beyond communicating with implants to include hosts used to log in with collected credentials, hosts used as exfiltration endpoints, and interaction with web shells. Additionally, hands-on-keyboard activity is often performed from endpoints other than the IP addresses used as call-back addresses by RATs. Specific ports, domain names and IP addresses, traffic patterns, and custom protocols used to interact with those RATs are all indicators descriptive of this stage of the kill chain.

AcuteNet Command and Control

AcuteNet has adopted the Access Control practice to ensure that only authorized users perform command and control procedures. Since restricting access alone is not enough to stop a user from misbehaving, AcuteNet takes additional steps to administer user accounts, control access, and watch for signs of inappropriate access behavior:

  • Apply the doctrine of least access and ensure users are granted the minimal permissions necessary for their job function
  • Tie access controls to each environment separately
  • Segregate access using roles (read-only role, release role, administrator, etc.)
  • Audit accesses, login attempts and actions after login
  • Terminate accounts when required
  • Proactively monitor for unusual activity
  • Control remote access, including to applications and databases

Privacy by Design

1. Proactive not Reactive; Preventative not Remedial

  • Privacy embedded in the architecture
  • Full Adoption of OWASP principles
  • Only required data is stored
  • Depersonalization of personal identification information by removing and/or encrypting user-defined sensitive data
  • Unique encryption key per patient
  • Both encrypted and decrypted data are accessible only by the AcuteNet application

2. Privacy as a Default Setting

  • Accessible only over SSL, with a minimum SSL key size enforced
  • Session expiry based on inactivity and policy
  • No data included in URL
  • Service cookies with no data
  • Sensitive data encrypted at-rest and in-transit
  • Granular permissions – “Need to know”
  • Online and Offline total user activity logging with play-back feature
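The following added example (not AcuteNet's code) shows how three of the defaults above fit together: the session cookie carries only an opaque random identifier (no data in the cookie, nothing in the URL), all session state lives server-side, and a session is dropped either after a period of inactivity or once it reaches an absolute lifetime set by policy. The cookie name, the timeout values and the test users are assumptions made for the example.

```python
"""Server-side sessions: opaque cookie, inactivity timeout and absolute lifetime.
Added example; cookie name and policy values are assumptions."""
import re
import secrets
from datetime import datetime, timedelta, timezone

COOKIE_NAME = "SESSIONID"                      # assumed cookie name
_ID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")    # shape of secrets.token_urlsafe(32)


class SessionStore:
    """All session state lives here, keyed by a random token; the cookie carries no data."""

    def __init__(self, idle_timeout=timedelta(minutes=15), max_lifetime=timedelta(hours=8)):
        self.idle_timeout = idle_timeout      # policy: expire on inactivity
        self.max_lifetime = max_lifetime      # policy: absolute cap regardless of activity
        self._sessions = {}

    def create(self, user_id, now):
        sid = secrets.token_urlsafe(32)       # 256 bits of randomness: unguessable, meaningless
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid, now):
        """Return the user for a live session, or None (and drop it) once expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if (now - sess["last_seen"] > self.idle_timeout
                or now - sess["created"] > self.max_lifetime):
            del self._sessions[sid]
            return None
        sess["last_seen"] = now               # activity extends the idle window only
        return sess["user"]

    def terminate(self, sid):
        self._sessions.pop(sid, None)

    def count(self):
        return len(self._sessions)


def set_cookie_header(sid):
    """Cookie attributes: HTTPS only, not readable by script, not sent cross-site."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def session_id_from_cookie(cookie_header):
    """Extract the session id from a Cookie request header; reject malformed ids."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and _ID_RE.match(value):
            return value
    return None


if __name__ == "__main__":
    store = SessionStore()
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    sid = store.create("alice", t0)
    print(set_cookie_header(sid))
    print(store.resolve(sid, t0 + timedelta(minutes=10)))   # alice
    print(store.resolve(sid, t0 + timedelta(minutes=40)))   # None: 30 min idle
```

Because the identifier is random and the server holds the state, a captured cookie reveals nothing about the user, and revocation is immediate: `terminate` removes the server-side entry, so the cookie value stops working no matter how long the client keeps sending it.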

3. Privacy Embedded into Design

  • Privacy features are built in the core of the system and can’t be turned off
  • System is designed to prevent information leakage and unauthorized access
  • No data is included in URLs
  • All user inputs are validated to filter bad requests
  • SQL queries are always parameterized to prevent SQL injection attack
  • System is configured to prevent cross-site scripting (XSS) and Cross-Site Request Forgery (CSRF)
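To make the input-validation and parameterized-query points concrete, here is an added example using Python's built-in sqlite3 module; it is not AcuteNet's code, and the patient table, identifier format and record values are constructed. The string-built query is shown only so that the bound-parameter version beside it can be seen to neutralize the same input.

```python
"""Parameterised query beside the string-built one it replaces, plus input validation.
Added example on sqlite3; the table, identifier format and records are constructed."""
import re
import sqlite3

MRN_RE = re.compile(r"^MRN-\d{6}$")   # assumed format for a patient identifier


def build_db():
    """Constructed in-memory patient table with made-up records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?)",
                     [("MRN-000101", "Ana Ruiz"),
                      ("MRN-000102", "Ben Osei"),
                      ("MRN-000103", "Chen Wei")])
    return conn


def find_by_name_unsafe(conn, name):
    """Vulnerable form: user input is spliced into the SQL text itself."""
    return conn.execute(
        f"SELECT mrn, name FROM patients WHERE name = '{name}'").fetchall()


def find_by_name_safe(conn, name):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE name = ?", (name,)).fetchall()


def validate_mrn(value):
    """Whitelist check: only the expected identifier shape is accepted."""
    return bool(MRN_RE.match(value))


def find_by_mrn(conn, mrn):
    """Validation first, then a parameterised lookup; bad requests never reach SQL."""
    if not validate_mrn(mrn):
        raise ValueError("rejected malformed patient identifier")
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)).fetchone()


# Classic tautology input: turns the WHERE clause into ... = '' OR '1'='1'
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("unsafe:", find_by_name_unsafe(conn, INJECTION))   # every row
    print("safe:  ", find_by_name_safe(conn, INJECTION))     # no rows
    print("lookup:", find_by_mrn(conn, "MRN-000102"))
```

With the tautology input the string-built query returns every patient, while the parameterised query returns none because the whole string is compared as a name. The same parameterisation also fixes the correctness bug behind the vulnerability: a legitimate name containing an apostrophe, such as O'Brien, breaks the string-built query with a syntax error but is handled as ordinary data by the bound version.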

4. Full Functionality: Positive Sum Gain

  • AcuteNet™ has developed standards-based technology solutions that solve the interoperability challenges
  • A consistent and easy to use method to access and analyze data from a single view will make decisions more timely and accurate, leading to higher quality care
  • Single access point to all health data
  • Single interface for all reporting and compliance needs

5. End-to-End Security: Full Cycle Protection

  • Sensitive data is securely managed at all levels by utilizing OWASP principles in the design and overall system architecture.
  • Depersonalization of personal identification information by removing and/or encrypting user-defined sensitive data
  • Two-level encryption of all sensitive data at record and index level
  • Unique encryption key per patient
  • Both encrypted and decrypted data are accessible only by the AcuteNet™ application
  • Encrypted secured data structure and data dictionary

6. Visibility and Transparency: Keep it Open

  • The architecture is designed to provide healthcare providers with a user-friendly, reliable and secure platform.
  • The system is continuously monitored to ensure proactive issue prevention.
  • AcuteNet™'s commitment to visibility and transparency is demonstrated in action through successful deployments for numerous healthcare providers around the globe.

7. End-to-End Security: Full Cycle Protection

  • The system is designed in full compliance with the following privacy legislations:
    • Canada: Personal Health Information Protection Act (PHIPA), Freedom of Information and Protection of Privacy Act (FIPPA).
    • USA: Health Insurance Portability and Accountability Act (HIPAA)
    • Australia: Privacy and Personal Information Protection Act (PPIPA), Health Records and Information Privacy Act (HRIPA)
  • AcuteNet™ Software as a Service Products have been embedded with Privacy by Design principles at the Architectural level to ensure that Frontline Health Care Providers can deliver the right care to the right patient at the right time.
  • AcuteNet™ Software as a Service Products are designed to be re-used, re-purposed, and re-positioned to the specific needs of customers while providing customers with the financial benefits of cloud computing with the highest standards for security and protection of sensitive information.