Introduction

The landscape of cyberattacks is constantly evolving. Cyberattacks grow in sophistication while the effort needed to perform them decreases, given that attackers use a wide variety of tools and tactics to attack their targets [1, 2]. Well-resourced threat groups can use a variety of Tactics, Techniques and Procedures (TTPs) to attack organisations in various sectors. Among the most critical and most targeted sectors is the healthcare sector [3,4,5].

The continuous adoption of automated systems in the healthcare domain for medical data processing and sharing poses a critical threat [6]. Specifically, the adoption of Internet of Medical Things (IoMT) devices by healthcare organisations expands the threat landscape, since IoMT devices are susceptible to various cyberattacks. Given the vulnerable nature of IoT, the integration of such solutions might expose the organisation to numerous threats [7]. For AI in particular, healthcare applications are considered among the most critical fields [8]. Furthermore, a constantly increasing number of common medical devices are connected to the Internet, to hospital networks and to other medical devices in order to provide features that facilitate the provision of healthcare [6]; organisations therefore become susceptible to even more cyberthreats. A critical measure for addressing the ever-evolving threat landscape is the gathering and analysis of Cyber Threat Intelligence (CTI). Over the past years, CTI has emerged as a critical component of an organisation’s security. CTI contains information that helps identify, assess, monitor and respond to cyberthreats [1] in a timely manner.

Related Work

In order for organisations to prevent, respond or mitigate the cybersecurity threats that affect their assets, they need to be informed about cyberthreat trends and defend themselves against a wide range of adversaries with various levels of motivations, capabilities and access to resources [2]. Therefore, organisations must collect relevant CTI data from different sources and utilise the gathered knowledge in terms of enhancing the overall security of the organisation. Among other organisations, the Cybersecurity and Infrastructure Security Agency (CISA) maintains the ICS-CERT Alert that provides comprehensive timely notifications concerning critical infrastructure, including alerts affecting medical devices. Furthermore, most manufacturers of medical devices maintain a repository with CTI [6].

The authors in [6] propose a system for gathering CTI concerning various medical devices from sources that include medical manufacturer and ICS-CERT vulnerability alerts. The solution utilises a named entity extractor to extract CTI and other cybersecurity information from the gathered data. Subsequently, the CTI is augmented with data from sources such as Wikidata and public medical databases (e.g. the US FDA AccessGUDID Database) by integrating this information in a cybersecurity knowledge graph (CKG) from previous research of the authors.

A novel platform called Intelligent Mitigation Platform for Advanced Cyber Threats (IMPACT) is proposed in [9] which, according to the authors, is well-suited for the increasingly connected complex healthcare ecosystem. The proposed platform utilises a decentralised Collaborative Intrusion Detection Networks (CIDN) architecture to allow IDS nodes to gain knowledge by sharing information. Moreover, the proposed solution leverages machine learning (ML) and federated learning, allowing the detection and prevention of sophisticated multi-stage attacks. Therefore, the platform is able to meet the needs of complex healthcare ecosystems, enhancing their resilience against sophisticated cyberattacks. A CIDN comprises several IDS workers that collect and share security events, as well as analysis units that provide functionalities for correlation of events and extracting useful threat intelligence information.

The authors in [10] perform a systematic literature review to investigate the threat intelligence issues and solutions concerning vulnerabilities that affect IoMT devices. The authors propose a path search algorithm that incorporates threat intelligence, solutions, stakeholders (i.e. medical practitioners, system or network administrators, and patients) and infrastructure.

Main Aim

Healthcare is considered to be among the most critical and targeted domains, with an annual increase of cyberattacks against this domain. Especially during the period of the COVID-19 pandemic, the cybersecurity incidents in healthcare increased significantly [11, 12]. Successful cyberattacks against healthcare organisations can lead to devastating results for the system, as well as the loss of human lives (e.g. in case of violating the integrity of lab results). Consequently, healthcare organisations must safeguard their systems by implementing both proactive and reactive measures. An important asset in this matter is the use of CTI, which allows the organisation to maintain visibility in the modern threat landscape. The TIM module of SECANT provides functionalities that enable the gathering, enrichment, sharing and utilisation of high-quality CTI.

SECANT

There has been an unprecedented number of changes in the healthcare sector during the last years such as new models of remote delivery of services and the excessive use of IoT devices for different functionalities. While the various changes can offer many advantages, at the same time they introduce novel cybersecurity threats. Furthermore, the integration of IoT devices can facilitate critical procedures such as the clinical status reporting of patients which require continuous medical supervision (e.g. in-house surveillance) [13]. Nevertheless, considering the vulnerable nature of IoT, the integration of such solutions might expose the organisation to numerous threats [7]. A large amount of sensitive data that is produced and exchanged among IoT devices is usually transmitted over insecure networks (e.g. wireless network). Consequently, this raises several security and privacy issues, resulting in more susceptible infrastructures against a vast amount of cyberattacks. Despite these critical issues, the level of security awareness is still disproportionately low compared to the criticality and potential of a security breach in critical sectors.

SECANT is an EU-H2020 project which recognises these challenges and aims to deliver a holistic framework for cybersecurity risk assessment that strengthens the understanding of cybersecurity risks, at both human and technical levels, and enhances digital security, privacy and personal data protection in complex ICT infrastructures such as the healthcare domain. SECANT comprises four major pillars which contribute towards the enhancement of organisations’ cybersecurity capabilities by providing (i) collaborative threat intelligence collection, analysis and sharing; (ii) innovative risk analysis specifically designed for interconnected nodes of an industrial ecosystem; (iii) cutting-edge trust and accountability mechanisms for data protection and (iv) security awareness training for more informed security choices.

Threat Intelligence Module (TIM)

The Threat Intelligence Module (TIM) of SECANT enables the collection, extraction, enrichment and sharing of CTI from both external (i.e. online) and internal sources. External sources include vulnerability databases, CERT feeds, databases of proof of concept (PoC) exploits, social media, forums and relevant web pages from the Surface, Deep and Dark Web. Figure 37.1 illustrates the UI of the web crawlers of TIM. Internal sources of TIM, on the other hand, include different honeypot instances. TIM filters the collected data to avoid storing Personally Identifiable Information (PII) by leveraging rule-based techniques, and extracts CTI from the collected sources using rule-based and ML-based techniques.

Fig. 37.1 TIM web crawlers. A screenshot of the web crawler interface with three sections titled Web Results, Reddit Results and Twitter Results, each with two subdivisions: web sources and documents, subreddits and submissions, and Twitter and tweets.

Subsequently, the collected data from all sources is further analysed and enriched by leveraging correlation and dynamic taxonomy allocation techniques. Possible correlations between the information are identified leveraging both simple (e.g. MISP correlation) and advanced (e.g. ML-based) techniques. The collection process is achieved both (i) manually through a user-friendly GUI as well as (ii) automatically on a daily basis, leveraging appropriate scripts and configurations.

The generated CTI is stored on MISP as MISP events and is available via the MISP platform and the MISP API, as depicted in Fig. 37.2. The MISP platform was selected since it offers many advantages compared to other available platforms, including the ability to include both technical and non-technical information. MISP also facilitates the interoperability of TIM, since it supports the export of the stored data in various formats, including the STIX standard.
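The pipeline described above (rule-based PII filtering, rule-based CTI extraction, storage as a MISP event) as an added illustration; this is not SECANT/TIM code, the PII and IoC patterns are assumed stand-ins for TIM's rules, the sample text is constructed, and the MISP event shape follows the public MISP JSON format but is only a minimal subset of it:

```python
import json
import re

# Constructed sample standing in for text fetched by a TIM-style web crawler.
SAMPLE_TEXT = (
    "Advisory: infusion pump firmware affected by CVE-2021-12345. "
    "C2 traffic observed to 203.0.113.42 and update.example-pump.invalid. "
    "Contact jane.doe@hospital.example for details, phone +1-555-0100."
)

# Assumed rule-based PII filters (the chapter only states that TIM uses rule-based PII filtering).
PII_RULES = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # Negative lookbehind keeps digit runs inside identifiers such as CVE-2021-12345 intact.
    "phone": re.compile(r"(?<![\w-])\+?\d[\d\- ]{7,}\d"),
}

# Assumed rule-based CTI extractors, keyed by the MISP attribute type each one yields.
IOC_RULES = {
    "vulnerability": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "ip-dst": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
MISP_CATEGORY = {"vulnerability": "External analysis",
                 "ip-dst": "Network activity", "domain": "Network activity"}

def strip_pii(text):
    """Replace every PII match with a placeholder before anything is stored."""
    for name, rule in PII_RULES.items():
        text = rule.sub(f"[{name} removed]", text)
    return text

def extract_iocs(text):
    """Return (misp_type, value) pairs found by the rule-based extractors."""
    return [(attr_type, value)
            for attr_type, rule in IOC_RULES.items()
            for value in rule.findall(text)]

def build_misp_event(text, info):
    """Filter PII first so the e-mail host never leaks out as a 'domain' IoC,
    then package the extracted IoCs as a minimal MISP-style event (shape assumed)."""
    attributes = [{"type": t, "category": MISP_CATEGORY[t], "value": v,
                   "to_ids": t != "vulnerability"}  # CVEs are context, not detection IoCs
                  for t, v in extract_iocs(strip_pii(text))]
    return {"Event": {"info": info, "analysis": 0, "threat_level_id": 3,
                      "Attribute": attributes}}

if __name__ == "__main__":
    print(json.dumps(build_misp_event(SAMPLE_TEXT, "Constructed IoMT advisory"), indent=2))
```

Running the filters before extraction is what keeps the contact's mail domain out of the resulting event; reversing the order would store it as a network IoC.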

Fig. 37.2 Generated CTI stored as MISP events. A screenshot of the MISP platform showing a table with 10 columns, some of which are highlighted.

The functionalities provided by TIM allow the organisation to remain updated on the current as well as emerging cyberthreats. The user is able to gather, utilise and share CTI in a secure and efficient manner. Furthermore, TIM enriches the extracted CTI, thus allowing the creation of more complex rules to prevent, identify and mitigate cyberthreats within the infrastructure of the organisation.

Demonstration Cases

SECANT will be demonstrated and validated across four realistic use cases, which are discussed in this section. In particular, the performance of the relevant modules will be validated in four realistic pilot use case scenarios applied within the healthcare domain, namely (i) Protecting the Connected Ambulance of the Future, (ii) Cybersecurity for Connected Medical Devices and Mobile Applications, (iii) Health Data Protection in the Healthcare Supply Chain and (iv) Cybersecurity Training. With regards to TIM, the evaluation of the module will be performed within three of these four use cases.

The scope of the first use case is the continuous monitoring and assessment of the devices present within a smart ambulance environment, in order to protect these systems, including the data of the patients. The second use case of SECANT focuses on the monitoring and risk assessment of an infrastructure that handles electronic health records. In both use cases TIM facilitates the identification of vulnerabilities as well as the risk assessment process by providing enriched CTI. Specifically, TIM composes enriched CTI that is sent to IPL. IPL, in turn, sends the enriched CTI, including CVEs, CPEs and other CTI data, to the TVIA in order for the latter to map the existing vulnerabilities to the discovered assets. TIM can also send the list of threats and vulnerabilities to CO-CRAE in order to allow further configuration by the security administrator.

The fourth use case aims to provide an educational framework platform covering the needs of both expert and non-expert users. Towards this direction, two distinct scenarios have been defined. The first scenario enables cybersecurity experts who aim to gain insight into the SECANT solution to safeguard their infrastructure through the cyber range, a safe environment in which mistakes are tolerated. In conjunction with the other modules deployed in the cyber range, TIM facilitates the identification of vulnerabilities and the risk assessment process by providing updated and enriched CTI. The second scenario of the fourth use case aims to increase the cybersecurity awareness of regular users in terms of identifying possible cybersecurity attacks and the actions they could take to elevate and safeguard the security posture of their organisation.

Open Issues

Despite the vulnerable nature of IoMT devices, their use is constantly increasing. While IoMT devices pose serious security risks, they facilitate critical medical tasks including the monitoring of the patient and in some cases allow the medical staff to save human lives. Therefore, the use of these devices cannot be limited. Furthermore, there is a constantly increasing number of common medical devices, which are connected to the Internet, hospital networks, as well as other medical devices, in order to provide features that facilitate the provision of healthcare [6]. This raises more security risks since there are various identified security gaps in contemporary interconnected medical systems, thus increasing the attack surface of the organisation.

Medical organisations can gather valuable CTI from several sources. Some manufacturers of medical devices, such as Philips, maintain a repository with CTI [6]. The Cybersecurity and Infrastructure Security Agency (CISA) maintains the ICS-CERT Alert, which provides timely notifications concerning critical infrastructure, including alerts affecting medical devices. Nevertheless, there is a lack of sufficient IoMT CTI sources, and the available sources might not include adequate technical details, resulting in extracted CTI with a limited number of Indicators of Compromise (IoCs), which can decrease its actionability.

Apart from the technical security issues there is also a critical issue concerning the lack of security awareness from the medical staff. Considering the complex infrastructures of the healthcare domain and the increasing integration of IoMT and other IoT devices, it is crucial to train both the security expert and the non-expert (i.e. medical) staff how to identify and react appropriately to cybersecurity incidents.

Conclusions

This chapter presented the TIM module of the SECANT platform including the provided functionalities and the use cases for the evaluation of TIM’s performance. SECANT introduces a holistic approach which addresses the security issues concerning technical and human factors. TIM provides a variety of functionalities to the end users facilitating the collection and utilisation of CTI including (i) manual and automatic collection of information regarding threats and vulnerabilities from different sources, (ii) incorporation of new sources in an effortless manner, (iii) automatic extraction, correlation, as well as enrichment of the composed CTI and (iv) storing and sharing CTI in a secure and efficient manner.

Furthermore, the chapter stresses the advantages of utilising CTI in order to enhance the resilience of an organisation against cybersecurity attacks. In particular, CTI enables the organisation to be informed regarding the modern threat landscape and facilitate the implementation of appropriate security measures such as threat assessment as well as mitigation strategies. The IoCs that are included in the CTI can be leveraged to implement proactive measures (e.g. firewall rules, IDS rules). In conjunction with IoCs, CTI content could include the TTPs of the attacker, thus allowing the creation or improvement of security measures.

The TIM module provides functionalities for the collection/acquisition, storage, enrichment and sharing of CTI. The quality of the generated CTI is significantly improved through enrichment, resulting in more comprehensive information regarding the cyberthreat and increased actionability.