Detect LIVE March 21 — CISO Insights: Early Warning Signs Before a Breach | Amedisys
After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.
Transcript
First up is Richard Kaufmann, who will describe his current environment, his journey, and the recent cyber attacks in health care due to the pandemic.
So Richard, let me join you in our fireside area.
And as I'm joining, if you want to give a little background-- I'll let you sit in that chair.
I'll sit in this chair.
If you want to give a little background on yourself, your role in Amedisys and then we'll get started.
Sure, absolutely.
Thank you, Maggie, not only for giving me the chance to talk to everybody today about some of the work that Amedisys is doing in the cyber threat space.
Wish it could be in person.
Hopefully, next year we can work on that, but love the virtual format of it.
As you mentioned, my name is Richard Kaufmann, I'm the chief information security officer at Amedisys.
Most people may not be familiar with Amedisys as a company.
We're in the health care space.
We're, like you said, hospice, home health, and personal care.
We're about 25,000 employees, call it about a little over 400 care centers across the United States.
We're a national company in the US, publicly traded.
And one of the things that has been just incredibly interesting to me over the past year with regards to the pandemic, is not just how our businesses, especially within health care, have responded to this crisis, but, on the topics of cyber threat, how our adversaries, how the bad guys have responded to the pandemic as well.
And when I look back, when we did our year in review of 2020, two primary things really stood out to me.
The first event was COVID-19 in and of itself.
It's interesting because I think a lot of us are coming up on our one year anniversaries of the new normal, all of that stuff.
And so when you think about that, I think about my team started working from home, working remote.
And at the same time, adversaries ramped up.
They were trying to take advantage of the situation.
Hey, here's the thing, and so what did we see from the adversary space last year as COVID was just heating up?
Remember all of the fake COVID tracking websites that would download malware.
It seems so long ago now, but that was one of the first things that was stood up.
The bad guys were like, let's take advantage of the situation.
And then to me, even more of a major event last year for the bad guys was Bitcoin and just the explosion of that digital currency.
And so I think a little bit about some of the things we're going to talk about today and how Amedisys likes to approach our cyber threat intelligence, is we think about it as a business.
It is, right?
It's an illicit business, it's not a legitimate business, but we look at the adversaries as, in a way, if you want to pull a metaphor, customers.
We have a product and they want it.
The product is our health data.
They want that health data.
They're not willing to pay for it.
But when you really start breaking it down in terms of a business, supply, demand, we do adversary tracking.
That's like a CRM almost.
There's so many parallels to what cyber threat intel and what security teams are doing today, that a business development function would do.
And I guess that's one of the things if you think about it.
If you sat down-- if you're a CISO, if you're a security leader and you sat down with your CFOs and you said, hey, what if I told you that a year from now the euro is going to be valued at 10x what it is today compared to the US dollar.
Your CFOs would probably start figuring out a way to start getting paid in euros.
And it's really interesting, it's a gift and a curse from what we've seen on the cyber threat side in the response to that.
If you're a successful cyber criminal and you're motivated financially by money and your bank account looked like $2 million at the start of 2020 and it looks like $20 million at the start of 2021, that presents a lot of problems to you, doesn't it?
The ability to, quite frankly, launder that money, tumble that money, get it out of Bitcoin, get it into fiat currency, we see through our intel investigations, we see people somewhat struggling at that scale.
And so it's interesting to think about it in terms of the business, and then starting to see a little bit of the cracks in that foundation from a business perspective, you know bad guys being able to cash out from their exploits.
So you've really touched on quite a lot of topics already.
You're welcome, as a moderator.
Really, yeah.
Yeah.
We've got a lot to cover in this conversation.
And I think I want to take us back a little bit to the beginning of what you were talking about with it being about a year since the pandemic started, or officially-- we were seeing the reactions of businesses and the government and everything of our lives changing.
RICHARD KAUFMANN: Yup.
And you alluded a little to how the bad guys changed and reacted to this.
But can you go into, from your perspective and maybe from an overall health care perspective, can you share a little bit of what maybe more specific that you've seen from the start of the year, and then we can do a year in review from Richard's perspective.
Yeah, absolutely.
And I'll be the first to go into the strategy of Amedisys because I think it's important to provide context in the conversation.
Like I mentioned, Amedisys, our business is hospice and home health.
So our entire strategy is we want to provide the right care at the right time at the right place.
We also feel very strongly that the right place in a lot of instances is to provide care in the home.
And so for, again, the right care model, we don't want you going into a hospital.
We want to take care of you in your home, which provides its own challenges and all that good stuff.
And what we've seen, from a business perspective during the times of COVID, is that Amedisys has done quite well because our patient population is typically elderly and at risk, and we've seen a lot of people leave nursing homes, skilled nursing facilities, and go back into the home, which is where we want them to be to provide care.
And so our business has done quite well.
As fewer people have entered the standard care model of, let me go to my primary care physician or let me go to the hospital, and have really sought out more home health services, the company's done great.
Which is interesting because when you think about that growth from a business perspective while we're internally trying to figure out where is everybody going to be, what's our approach to work from home, do we have the right systems in place, do we have the right security methodology in place, all that stuff.
And what we found, from our perspective, was we were positioned very well at the onset of the pandemic.
And so we had always approached our architecture from a remote-- not that we were truly in a remote work posture-- but we already were kind of there.
So it wasn't much reaction for us to stand all of that up, but we found ourselves facing a lot of the same challenges that other organizations did.
We were laughing about it yesterday.
We're a big Microsoft shop.
There was a time where we didn't use Teams every day.
And it's just that exchange, that face to face exchange, like we're having right now, has just changed dramatically.
And again, not to belabor the point, but for us, it's changed.
But also, in the adversary space, we see that same working remote, not traveling as much, and I guess like from tracking people down, it's almost been a little bit more beneficial to say, look, this person can't hop on a plane and be in another country tomorrow.
They're probably going to be in the same area.
So all good insights.
Yeah, everyone's adjusted.
And it is funny to think about not being as on Zoom or Teams or everything as we are today.
Yeah.
So I think your perspective of really looking at the adversaries as your customers is a different kind of approach, of really thinking of it that way as, I have all these people who want things from me, but I don't want them to have my goods.
I want to try and prevent them.
So can you talk a little bit more in terms of how you see your business and try and protect that aspect of-- Absolutely.
Absolutely.
And I guess this is one of my favorite topics, is I just love this idea.
Probably everybody on this call is a security practitioner, like we get it.
But as you're talking to CFOs, COOs, CEOs, when you start talking about security, the movies and the news have done such a great job, it instantly goes to a guy wearing a hoodie-- [INAUDIBLE] Yeah.
And hacking away and that's it, that's what they think.
And it's not that at all.
And what we see, again, through cyber threat intelligence, what we've been able to see is these are very sophisticated organizations.
And I used to describe it as an ecosystem, but it's not, it's an economy where people are farmed out to gain initial access.
The people who gain the initial access sell that access to somebody who's good at extracting data or ransoming off the data.
And so these little niche players fit into this overall economy of what the bad guys do.
And when you think about it in terms of an economy, let's go back to just economics 101.
Supply, demand.
As a CISO, I can't do much to impact demand.
Hackers gonna hack.
That's going to be it.
But I can absolutely limit the supply.
But the first thing you need to do, if you're going to try to impact someone's supply chain, is understand the value of that good on the other side.
If a bucket of wheat costs $10, well, what happens if it costs $20, what happens if it costs $5, and all that good stuff.
And so that's one of the things that we've been working on is understanding, on the black market, on database dumps, how much is that data worth, and then flipping that value proposition.
Hey, if it's worth $10 an hour to get all the stuff out of it, I want you to expend $20 an hour to try to get to the data.
And I think that's the modern approach to a blue team is to be able to say understanding what the value is in the market and then creating enough friction on your side to make the value proposition just not worth it from an adversary perspective.
And so we do, I'll tell you, in practice, we have groups that we monitor or individuals that we monitor.
And what you find when you get to that level of understanding what the adversary economy looks like, you can start making some really, really smart decisions.
And I'm not saying that an organization can't be directly targeted, but more times than not, we see, especially for actors that are financially driven, it's more of, I'm good at this.
There's a specific CVE, there's a specific exploit, and they're looking for whoever fits into that model.
Which was really interesting, going back to the start of COVID, just for a second we saw a little bit of a health care truce.
And it was like, as the bad guys saw that, we saw, they were like, hey, we're not going after hospitals, we're not going after health care, they've got their hands full.
And to quote my favorite character from my favorite TV show, Omar from The Wire, "It's all in the game." And so I just love that they were just that cool.
And then what we saw over time is they were like, well, maybe, we leave health care.
And then one of the things I'm sure we'll talk about here in a moment is with Ryuk and the direct targeting of health care in Q4 of last year.
But again, going back to that value proposition, is flipping it and understanding that I've got all of these defenses and that's going to have this impact to the supply of my data.
Yeah.
And having that type of conversation and explaining that to a CFO or a CIO or a board of directors in terms of business and economics, I'm sure their eyes aren't as glazed over-- RICHARD KAUFMANN: That's right.
--envisioning, as you said, the classic hoodie person typing with green figures.
And we talk to a lot of health care organizations.
And quite honestly, I know it's a question I get asked a lot, how do you justify the spend of cyber threat intel?
Easy.
Are you justifying the spend for a CRM?
You've already identified that you want to track information on one group of people that you're providing services to.
It's a surprise service offering when the bad guys show up.
Going in and being able to track what they're good at, what they're actually doing in the wild, that's just as valuable from a brand perspective as, I've got this customer who's showing up and wants to purchase my services.
And so again, I would say to any CFO, if we're tracking our customers, we have to track our adversaries as well.
So you talked about, it sounds like what you guys have, really tracking certain individual adversaries or groups, et cetera, is a mature approach.
For organizations who are just starting to look at it this way, how would they start?
Yeah I would say number one, start by starting.
My experience with cyber threat Intel, overall, there's so many free sources of intelligence.
The problem with those sources of intelligence is that it's old.
It might be a little bit stale.
What I've seen, when you're paying for services, you're getting to more real time of what the bad guys are doing.
And so, if you're going to dip your toes in those waters, understand that you might have a chronological lag in the data, but you can start building the program based off of that.
The approach that we've taken on Amedisys is twofold.
I consider adversary management and risk management.
Some of my thoughts on risk management is that it takes too long.
It's very long form.
If I'm going to sit down and do a risk assessment on a certain thing, that might take three weeks, six weeks to do, and by the time I've got the results and then an action plan to address, you're six months down the road.
Six months ago, SolarWinds was just being published.
The Exchange vulnerability that we're seeing exploited in the wild right now just came out three weeks ago.
And so the adversary space moves so much faster than most organizations' risk management function can keep up.
And so what we do is we overlay our adversary management outputs with our risk management.
And what that does is it gives us a view of what's happening in real time and what's going on from a more strategic controls perspective.
And what you'll find is if you do that, you get such a powerful deliverable of where your true gaps are.
I see so many people, it seems like everybody is at some phase of a NIST implementation or a HITRUST implementation or some of that.
That's great.
But at the same time, why would you focus on something in access management if you haven't closed the doors on what these adversaries are doing somewhere else with a drive by download or something like that?
And so you have to bring those two things together to create that prioritized list of things your team should be working on.
Just start.
RICHARD KAUFMANN: Just start.
Do it.
Yup.
OK, great.
And then, you mentioned earlier about around the September time frame-- Yeah.
MAGGIE SANCHEZ: Health care.
It was so great.
To me, I think what this story will do will highlight a little bit of product, to be quite frank, because we leverage Anomali, obviously, and we see an enormous amount of value there.
And what we saw with our organization is, for any other health care companies on the call, if you remember back in late October, there was a national advisory on health care organizations being targeted specifically for ransomware.
And before that advisory had ever been published, we had detected it and not only detected it, but shared our information with some of our health care friends.
And the attack was such a cool thing to get to participate in.
And I know that sounds weird.
But again, I love the economy of it, I love learning what the bad guys are doing.
And what it looked like to us was we got lucky.
And I think one of the things that cyber threat intelligence does is it gives you more opportunities to be lucky.
And as a CISO, I'll be the first one to admit I'm on borrowed time.
It really is.
As much as I move defenses around and I feel like I'm being strategic in our approach, if I'm betting on myself or the adversary, I bet on the adversary because they don't have to follow rules.
I have to follow rules.
But what we saw with Ryuk was the first email that hit was so well crafted.
And it was from an HR person in our organization, and it was to one of our employees, and it said, hey, thank you for your time, but you're being let go from the company.
Your last day will be on Friday.
Please click this link to learn more about the terms of your separation from the company.
As a lure, what a powerful thing, because just imagine getting that from someone in your organization.
All of your end user training, all of your phishing simulation, it goes right out the door.
You're like, oh my gosh, I've just lost my job, what are the terms of it?
What is it?
I don't know, I never thought about it, or yeah.
Right.
And so click and all of a sudden we start seeing a couple of these hit our inboxes.
And we run them through Anomali, run them through [INAUDIBLE] sandbox, all that good stuff.
And we could tell-- we could tell right from the jump street that this wasn't just your average, run of the mill, phishing campaign.
There was some sophistication to it and it was trying to download something that we knew was going to be nasty.
And we took that information and we went to another company that we love, Intel 471, and we said, hey, guys, can you give us some more context into what's going on here?
And very quickly they turned it around, they said, absolutely, this is [INAUDIBLE] loader, which is a precursor to the [INAUDIBLE] ransomware strain.
This is the campaign that your company is a part of right now, and not only should you be looking for these emails, but you should be looking for these other IOCs and these other emails that are going-- And again, to me, this goes all the way back to the value of cyber threat intelligence.
I detected something, I thought my scope was this.
I ran through cyber threat intelligence and I found out my scope should be that, and then when I went and looked for that, sure enough, there were the other emails, there were the other campaigns, there were the other artifacts.
And so it was just such a cool thing for us to be able to respond quickly, block all the offending links, all that good stuff, block senders, but then monitor for the IOCs that are in the environment.
And then again, what I think security should be doing is once we had that buttoned up and we were good, we immediately started telling our partners in the space.
Hey, guys, are you seeing this?
We're seeing that.
And so again, before that national advisory was published, we had already, within our trusted circles, within our networks, we had told them what to start looking for.
And it was great because, again, when that advisory was published, I would probably say that 90% of the content on there we already knew about.
Very little was net new to our security team.
So to me that's a great story about a very real threat actor. Ryuk was the number one most profitable ransomware as a service adversary in 2020.
And they targeted us and we were successful in defending at that time.
It was a good story.
Yeah, that's a great story, and how you have those multiple layers of your plan to go after it.
The idea, the phishing email, of oh, you're being let go in COVID times is very real instead of them saying, oh you've been promoted, and here, click on this to get your bonus, most people might be a little bit more cautious.
[INAUDIBLE] My favorite one was part of the exact same campaign.
It was basically you're either getting fired or help us plan for the Halloween party.
So it was just either one of those.
I would have been equally excited about either email, to be quite frank.
[LAUGHING] The Halloween one sounds a little bit more fun than maybe-- That's right.
--probably getting fired, you'd click on that link a little faster than trying to plan a virtual Halloween party.
Yeah, that's interesting and that you guys were able to really share.
Based on the partners that you were sharing with, had any of them already started also seeing those emails or were you the leader of the first ones?
Yeah.
Well, I don't think that they had realized that the campaign was taking place, but there were a couple of people that came back and they were like, you know what, we got that a week ago.
Or we've seen actually after the communications, we saw people come back and say, we detected it and it was blocked.
So thanks for being proactive, it would have landed without the help.
Yeah.
Yeah.
So it sounds like you're taking it that next step of also sharing with other organizations.
Do you see a lot of bidirectional sharing within those trusted partners or trusted organizations that you work with?
Can you talk about that a little bit?
Honestly, not as much as I'd like to see.
And I would challenge all the CISOs on the call, is to really think about your approach to sharing.
Because everybody wants to have information shared with them, right?
MAGGIE SANCHEZ: Yup.
But that's a two-way street.
And so what I would say, if you're not willing to open the kimono and have very transparent, frank conversations about this stuff, understand that you're probably taking more from the ecosystem than you're providing back into.
At Amedisys, we just feel that patient privacy and any threats to that-- people don't just go to one health care provider.
My health care records are with several different providers.
I would want all of those providers to have a single pane of glass and do all threats that are to my health information.
And again, I know legal teams are fun and all that good stuff, but where possible, show up.
Show up and share the information that you have.
Yeah.
Now, are some of your partners that you share with, are they regionally based?
I'm just curious if maybe there are certain pockets that you're seeing, or is it really, no, and everyone needs to do a better job at sharing.
Yeah.
It's really, again, home health and hospice is such an interesting, I call it a niche, of health care, where two of the largest providers in the country are actually located in Southeast Louisiana.
So there's a little bit of regional sharing there, but also because our friends are right down the street.
But there are, there's other health care organizations that we reach out to all the time where we're like, hey, we saw something, your name was associated with it.
Do you want to know more?
Which is always a fun conversation to have.
MAGGIE SANCHEZ: Yeah.
So yeah.
OK, good.
And then after this great ransomware campaign against you guys, did you see any additional attacks or interests from adversaries around the vaccine regarding COVID?
Have you guys seen anything about that?
I know it's not directly to your health care niche, but just overall.
We do.
There's lots of phishing campaigns right now that are using that as a lure.
Click here to learn more about the vaccine.
Is it impacting us directly?
No, I would say like those are probably more commodity based phishing campaigns right now.
But again, that theme, and again, this, to me, goes back to invest in cyber threat intelligence, guys.
And what you'll see there is you'll start seeing the themes of things that work.
Just like any business, there's a marketing campaign, hey, there's A/B testing, did this work, did this not work, what words help out?
And so you'll see those, right now, the hotness, it's going to be some vaccine stuff.
Come mid April, it's going to be the next thing.
But without your pulse on that economy of threat intelligence, you're blind.
And so like I said, just like you have market data, you'll understand what the bad guys are doing.
MAGGIE SANCHEZ: Great.
I love it.
This has been a really good conversation.
You alluded to my final question for you and then I want to open it up to questions from the audience.
But what do you think is going to be coming?
You said, April, something new will be coming.
Are you-- Yeah.
--future, Richard?
Can you prepare us for something?
[LAUGHING] What are you really looking forward to in the [INAUDIBLE] Yeah.
And the themes that I see continually is ransomware as a service evolving.
What we saw between got really, really good at monetization, and they did that through ransomware as a service.
And so the next evolution of that service looks to be more like shaming.
Name and shame is a little bit of the adversary's MO there.
They want to steal your data, then they want to let everybody know that they stole your data to emphasize you making that payment.
And so from the adversary space, I see them doing more of that.
And continuing the activity, but being much more aggressive in getting you to pay the ransom.
And that's one of the things, from the other side of that, thing, again, going back to supply demand.
How do you impact these ransomware as a service groups that pop up multiple times a day?
You have to start slowing down the supply or start slowing down the demand.
And so as organizations continue to make the payments, as organizations continue to have, I would say, low hanging fruit from a vulnerability side, we're going to continue to see that the monetization from the adversaries is just through the roof.
And so with that trend-- and I think we all agree that's been proven over the last few years, that's where it's going-- but with this trend, are you seeing the board and the CFO and the other executives understanding the need and importance for not only security, but threat intelligence and expanding and providing budget or understanding for that?
Yeah, absolutely.
And I'll tell you again, it goes back to the way that we approach it and where I've seen success, it's a little weird.
You have to keep those conversations high level, but provide very specific examples.
Amedisys's story with Ryuk is a real world example of how we've benefited from having this knowledge.
But even sitting down and just saying, look, this is someone who's in this space, this is how they operate, and this is our exposure to them.
It's very easy to do your first exercise to say, here's a threat actor, here are their TTPs, and then say, they're exploiting this specific CVE, here's our latest vulnerability data, marry those together.
So if this person were to target us directly, here's their level of success.
That's a very real deliverable that you could sit down with the CFO, with the COO, CEO, and say, I'm trying to stop this.
And if I can't get that, then again, going back to the frameworks, our risk exposure is another variable out there.
So that's how I would start off.
I think by presenting that type of data, most people holding the purse strings are going to say, OK, I understand this and this makes sense.
And from our side, we're definitely seeing that progress.
I was just curious to see from your perspective, and from your colleagues that you're seeing, if that's moving in that direction?
Yeah, absolutely.
[INAUDIBLE] And you know this.
I mean I've been with Amedisys for three years now.
Anomali was my first of three calls.
And if I get moved into a new CSO spot tomorrow or any type of security leader, I'm buying two things.
I'm buying a good IDR and I'm buying threat intel.
These are the first two things that I'm doing.
So what's happening in my environment, and then who is going to be able to take advantage of those things that are happening?
And so with those two things, go.
And what I would say is you can get a good head start for a little bit of investment if you take that same approach.
Richard, thank you, again, for the time.
Thank you.
Appreciate it, Maggie.