Using deception to shield the insurance sector

Let’s cut to the chase, insurance companies are under siege from cyberattacks. An Accenture report from 2020 shows that attacks on insurers have more than doubled from 240 to 519, on average. Insurers also sit on top of sensitive customer data and are at risk of losing it – 44% exposed more than 500,000 customer records in 2019 compared to 15% for cross-industry peers.

As more people around the world come under the ambit of insurance policies, the risk to insurers continues to grow. In this post, we take a look at some of the key pieces of an insurer’s infrastructure that adversaries target, why they go after it, and how you can use deception to build active defenses that mitigate the risk of these attacks and put you in a better position to detect and contain these threats,

For a moment, step into the shoes of a malicious entity targeting an insurance company. Your goal is to get $$$. What are your best opportunities?

Opportunity #1 – Compromise the database cluster or core application

The database of all policyholders and their policy details, complete with confidential and protected information is perhaps the most valuable asset of an insurer. This would be the holy grail of compromises. Given that a lot of this information is distributed across many systems (some of them legacy), protecting them is a challenge for the sector. 

Adversary Opportunities

Not only would this data sell for a neat sum on the underground market, but it can also be weaponized in numerous ways, including and not limited to: 

• Selling to competition (Corporate Espionage).
• Blackmail with public data release.
• Monitise via channels for spam and other nefarious activities.

Adversary Considerations

To achieve this target, adversaries will have to invest time and money into:

• Getting a foothold inside the organization.
• Build tooling to evade security defenses.
• Reverse engineering how insurance companies operate.
• Finding the cluster.
• Finding credentials to the cluster.
• Exfiltrating information (probably in the order of GBs and TBs).

Adversary Decision Criteria

Cost-benefit analysis reveals Low to medium risk with an extremely high payout. 

Adversary Profiles

Advanced and organized criminal syndicates.

Opportunity #2 – Deploy Ransomware

Insurance companies deal with lots of files. Lots and lots of files. If an adversary succeeds in encrypting as many files as possible, the payout from this activity can be significant. 

Adversary Opportunities

• Off-the-shelf attack tooling is easily available.
• Attack a wider base of companies across the sector.
• A lower initial investment in research, saving time and money.

Considerations

• Backup of files can minimize returns.
• Manual effort to gain privileges may be required.
• Decision criteria.
• Low effort with medium to high payout.

Adversary Profile 

Ransomware operators of any sophistication. 

Opportunity #3 – Attacking public-facing Direct-to-Consumer applications

Insurance companies worldwide are expected to digitize their interactions with consumers. Everything from pre-sales to claims management is expected to be made available to consumers directly in a bid to simplify the consumer experience. This involves the adoption of cloud services, moving previously internal systems to Internet-facing infrastructure, and spinning up even more infrastructure to support business objectives. Adversaries now have a wider attack surface available to them to exploit. 

Adversary Opportunities

• Off-the-shelf attack tooling is easily available.
• Attack a wider base of companies across the sector.
• A lower initial investment in research, saving time and money.

Adversary Considerations

Mapping external infrastructure is a trivial task and therefore there are minimal considerations for groups adopting this approach. 

Decision Criteria

Low effort with payout equivalent to the criticality of the infrastructure they compromise.

Adversary Profile

Cybercriminals of any sophistication. 

Your Defense Plan in a nutshell

• Detect attempts to compromise the core application and database layer at any cost.
• Prevent the spread of sophisticated ransomware.
• Defending Internet-facing infrastructure.

Enter Deception

Deception is about tilting the odds of winning in your favor. It’s about making reasonable judgments about what the adversary might go after and presenting that information to them on a platter. Deception is about abstracting defenses to individual attacker techniques with lesser effort and increased cost to the attacker. 

The core principle of deception is the idea that any interaction with a decoy can be viewed as suspicious and warrants immediate action.  

Using deception to beat adversary motivations

Broadly, the plan is to plant decoys across the network, from perimeter to end-point, to deceive the adversary. At a high-level, the following locations will be configured with decoys:

1. Decoys in the perimeter.
2. Decoys in the network.
3. Decoys on the endpoint.
4. Decoys in Active Directory.

By spreading decoys across the infrastructure, we maximize our chances of detecting adversaries. Remember, we only need to be able to detect the adversary once. 

The following is a break-down of what this might look like in practice. 

Decoy applications at the perimeter

• Create clones of your policyholder and vendor web pages and put them at the perimeter.
• As adversaries attempt to enumerate the internet-facing infrastructure, they will be presented with attractive targets. 
• Any interaction on these decoys warrants the immediate block of the IP and increases the cost to the attacker. 

Decoy Systems on the network

• Create clones of the core application and databases and place them in the DC/DR segments. 
• Create decoy file shares populated with interesting files that look like they have sensitive information and place them in server zones 
• As adversaries attempt to enumerate and discover systems on the network, decoy systems will generate an alarm. 
• Any interaction against these clones must be responded to immediately.

Decoy core application and database users in Active Directory

• In your primary Active Directory domain, create fake users for the application and database.  
• Also, create fake records for core applications and database computers. 
• Adversaries rely on Active Directory to understand the internal environment and any interaction with the fake records of users and computers will generate an alarm. 
• Monitor for any login activity and enumeration activities and chase them down to kill the operation.

Decoys on the endpoint

• Deploy file decoys, decoy credentials, fake processes, and deceptive ransomware detection capabilities to key endpoints. Roll-out endpoint decoys to all personnel handling sensitive information as well as administrators of the core application and databases. 
• As adversaries attempt to move across the environment, any attempt to interact with decoy files and credentials will be recorded. 
• Monitor for any interaction on endpoint decoys and block the source from being able to communicate on the network.

What’s the alternative?

Let’s say you don’t want to use deception. The alternative is to understand and defend yourself against every attacker technique. As per MITRE ATT&CK, these are over 100 and this does not account for variations in how these attacks might be executed. 

Deception is grounded in addressing the motivations of the adversary and presenting fake information on a platter that adversaries find attractive. It is technique-agnostic and abstracts away the complexity that arises from blocking individual tools, techniques, and behaviors. 

Deception is a form of Active Defense, where security teams take proactive steps to channel the adversary and make their life difficult. It varies from regular defense where you wait for an existing system to generate an alarm and then react.

MITRE new active defense framework, Shield, is being adopted by CISOs around the world and we see this approach being embraced by more and more security teams at insurance companies.