The pharmaceutical industry is an attractive target for cybercriminals as it regularly manages large volumes of sensitive data and high-level intellectual property. The focus on COVID vaccine manufacturing and distribution over the last couple of years has painted an even bigger target on the pharma companies. CrowdStrike’s 2021 Global Threat Report found that just last year, targeted intrusions focussed on infiltrating crucial networks to steal valuable data on vaccine research.
This interest in pharma companies continues unabated and security teams face an uphill battle to protect the business from further attacks. As digital transformation proliferates through most industry sectors, pharmaceutical companies are now operating more and more on a digital enterprise model. This includes collaborating regularly with various internal, external and outsourced partners in a technology supply chain to scale cloud environments. This increases the attack surface for potential intrusion activity and runs the risk of attack through compromised identities and credentials.
Security teams are overloaded and under-resourced and often lack visibility of potential vulnerabilities because the number of endpoints they need to monitor has grown. They have a partner supply chain who may have differing levels of cybersecurity posture and they are still challenged by a ‘work from home’ model where employees are often working on unmanaged devices. This is driving the need for a defence-in-depth strategy.
One of the biggest attacks of the last year or so, the Sunburst software attack, demonstrated how a single piece of malicious code can infiltrate an entire supply chain. It was a complex supply-chain attack that injected malicious code into the software’s build cycle and initially infected about 18,000 customers downstream, including major firms and government agencies.
CrowdStrike Intelligence identified that ‘big game hunters’ have been actively targeting the healthcare sector throughout the pandemic. Phishing domains linked to VELVET CHOLLIMA were spoofing UK, US and South Korean pharmaceutical companies leading efforts on COVID-19 research. A month before this discovery, similar decoy content was found in the environment of an Asian pharmaceutical sector organisation.
Closing the security gaps
As data sharing becomes more prevalent across the industry, companies are starting to grasp that a breach in their network that could subsequently spread to others will have staggering impacts on their reputation and may even lead to regulatory fines. The average time for cybercriminals to break out of their initial entry point to move laterally and access sensitive personal and financial information stored by organisations is now under four-and-a-half hours and this figure has dropped significantly in the last two years.
To better prepare against cyberattacks, companies must understand their security strengths, and more importantly, recognise the gaps in their security so they can bolster their defence against attacks and protect sensitive systems and data.
You can’t fix what you can’t see
First, it’s important to recognise that visibility and speed of detection and response are critical for stopping attackers who intend to steal information and disrupt business operations. While organisations need to be prepared in the event of a cyberattack, they can’t fix what they can’t see.
It is crucial to establish comprehensive visibility into on-premises and cloud environments across all endpoints and workloads, addressing potential vulnerabilities before they can be leveraged by criminal actors. This starts with ensuring security solutions are not only installed and deployed, but also patched and updated.
The other key to achieving comprehensive visibility is establishing a cloud-native security architecture. A foundation in the cloud provides security teams with the visibility and agility necessary to address issues on any endpoint or workload no matter where it’s located – on-premises or in a remote work location. Cloud-native security also seamlessly scales with a business so there is no gap in the right level of security coverage.
Know who you’re up against
Waiting for a breach to occur before trying to deploy a response plan is not a good idea and can ultimately prove costlier due to an unsuccessful response. Cybercriminals and defenders are always vying for opportunities to break in. Hence, data on a threat actor’s next move becomes crucial to proactively tailor your defences and anticipate future attacks.
With threat intelligence and managed threat hunting, organisations stay ahead of adversaries. Threat intelligence is data that is collected, processed and analysed to understand a threat actor’s motives, targets and attack behaviours. It leverages data to reveal more about adversaries’ tactics, techniques and procedures, enabling security teams to make better decisions and empowering boards to invest more wisely and mitigate risk. Meanwhile, managed threat hunting is the ‘hand-to-hand combat’ component of a rigorous cybersecurity posture, relentlessly hunting for anomalous or novel attacker tradecraft designed to evade other detection techniques.
Zero Trust security
The 2020 Sunburst software supply chain attack demonstrated why organisations can’t let their guard down, even with standard service accounts and previously trusted tools. All networks have automated updates within their technology stack, from web applications to network monitoring and security. Automating patches is important for good network hygiene. However, even with scheduled automatic updates, issues such as the Sunburst attack can arise. Adopting a Zero Trust approach helps avert the malicious actions that follow such a compromise.
More than 80 per cent of all attacks involve the use or misuse of credentials in the network. In the Sunburst attack, it was clear how any tool, especially one commonly used in a network, can be taken over through its update mechanism. Therefore, Zero Trust architecture principles should be applied to mitigate these threats.
Zero Trust and the principle of least privilege mandate strict policies and permissions for all accounts, including programmatic credentials like service accounts. Service accounts, in general, should have known behaviours and limited connection privileges.
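The “known behaviours” requirement for service accounts is something a security team can actually check against its logs. The following script, added here as an illustration and not code from the article or from CrowdStrike, builds a per-account behavioural profile (logon type, source host, destination host and hour of day) from a baseline period and then flags any later logon that steps outside that profile. The log format, host names and account names are constructed for the example; a real deployment would feed it authentication events from the directory or endpoint telemetry instead.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed log format (an assumption for this example, not a real product's schema):
#   <ISO timestamp> <account> <logon_type> <source_host> -> <dest_host>
# The baseline period: what these service accounts normally do.
BASELINE_LOG = [
    "2021-06-01T02:00:00 svc_backup service BKP01 -> FILESRV01",
    "2021-06-02T02:00:00 svc_backup service BKP01 -> FILESRV02",
    "2021-06-01T03:00:00 svc_monitor network MON01 -> DB01",
    "2021-06-02T03:00:00 svc_monitor network MON01 -> WEB01",
]

# Later events to evaluate; the second and third lines deviate from the baseline.
NEW_LOG = [
    "2021-06-15T02:00:00 svc_backup service BKP01 -> FILESRV01",
    "2021-06-15T14:37:00 svc_backup interactive WKS-042 -> FILESRV01",
    "2021-06-15T03:05:00 svc_monitor network MON01 -> DC01",
]


@dataclass
class Profile:
    """The 'known behaviour' of one service account, learned from the baseline."""
    logon_types: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    destinations: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def parse_line(line):
    """Split one constructed log line into its fields; reject malformed input."""
    ts, account, logon_type, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"malformed log line: {line!r}")
    return datetime.fromisoformat(ts), account, logon_type, src, dst


def build_profiles(lines):
    """Learn a Profile per account from baseline events."""
    profiles = defaultdict(Profile)
    for line in lines:
        ts, account, logon_type, src, dst = parse_line(line)
        p = profiles[account]
        p.logon_types.add(logon_type)
        p.sources.add(src)
        p.destinations.add(dst)
        p.hours.add(ts.hour)
    return dict(profiles)


def detect_deviations(profiles, lines):
    """Return (account, reason, line) for every way an event departs from its profile."""
    alerts = []
    for line in lines:
        ts, account, logon_type, src, dst = parse_line(line)
        p = profiles.get(account)
        if p is None:
            alerts.append((account, "no baseline for account", line))
            continue
        checks = [
            (logon_type not in p.logon_types, f"unexpected logon type {logon_type}"),
            (src not in p.sources, f"unexpected source host {src}"),
            (dst not in p.destinations, f"unexpected destination host {dst}"),
            (ts.hour not in p.hours, f"logon outside baseline hours (hour {ts.hour})"),
        ]
        for triggered, reason in checks:
            if triggered:
                alerts.append((account, reason, line))
    return alerts


def run_example():
    """Build profiles from the baseline and evaluate the later events."""
    return detect_deviations(build_profiles(BASELINE_LOG), NEW_LOG)


if __name__ == "__main__":
    for account, reason, line in run_example():
        print(f"[{account}] {reason}: {line}")
```

Run as written, the script raises no alert for the routine backup job but reports an interactive logon by svc_backup from a workstation outside its usual hours, and svc_monitor reaching a domain controller it has never connected to before. The set-based profile is deliberately simple; the point is that once a service account’s expected logon type, sources, destinations and schedule are written down, every departure from them becomes a concrete detection rather than something lost in the noise.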
As we look ahead, pharmaceutical businesses must be equipped with the tools, education and intelligence needed not just to prevent future cyber threats, but also to predict and avoid them.