
Hospital network security: Recursive DNS lookups yield threat insight

Phishing attacks, clicks on malicious links and visits to malicious sites are a problem for hospital network security. One health system uses Cisco Umbrella to address it.

Too often it seems someone in a healthcare organization clicks on a malicious link or opens a phishing email, sparking a malware or ransomware attack.

This challenge to hospital network security is made worse given the many connected devices in a healthcare organization's environment.

For the University of Kansas Health System, based in Kansas City, Mo., seeing the internet activity of every device in its environment is a necessity both to ensure hospital network security and to detect and prevent ransomware attacks.

"As a health system, there are many medical devices that connect to the internet," said Henry Duong, enterprise infrastructure security manager at the University of Kansas Health System. "We needed visibility into internet activity across all devices."


Duong said the University of Kansas Health System decided to use Cisco Umbrella, which he said uses the Domain Name System (DNS) "to block those threats over all ports and protocols and help us reduce our exposure to ransomware."

Duong explained that Umbrella performs recursive DNS lookups and also uses a feature Cisco calls Investigate. This tool gathers "context about malicious domains, for example, to find out if it's a bad site or a phishing site or if [your organization has] basically been siphoned for any type of data," Duong said.

The University of Kansas Health System has been using Umbrella since December 2015 and, Duong said, "we've seen a drop in malware and we attribute that to Umbrella delivering security at the DNS and IP layer, preventing command and control callbacks."

How Umbrella works


Umbrella is able to pull threat intelligence from Cisco's global list of tens of thousands of customers, said Chris Doell, head of customer service for cloud security at Cisco OpenDNS.

"We monitor roughly 2.5% to 3% of the world's internet traffic. Because we redirect all that traffic we have a unique visibility into the dark corners and the threat actors across the internet," Doell said. "Based on all that … we can proactively, and in some cases, predictively lay down security policy and enforce those policies and protect our customers from going to malicious domains through the service."

Organizations can also lay down their own network security and policy enforcement, as well as hook up other security tools to Umbrella via APIs.

Duong explained that Umbrella integrates with two of the University of Kansas Health System's other security tools: its external threat intelligence feed and its big data security reader.

Doell added that in addition to providing this visibility, Umbrella also has a policy enforcement layer where, when a malicious domain is found, it is automatically blocked.

Umbrella, with the help of Investigate, can also provide "deep inspection of any sort of specific customers' traffic patterns," Doell said. "[It] can identify malware, malicious domains and then apply security policy and enforcement to protect the users against that as well."

Duong added that Umbrella helps the University of Kansas Health System see how attacks are staged, and that access to the threat intelligence drawn from global DNS requests gives the health system a complete view of the relationships between domains, IPs and malware.

"Umbrella gives us intelligence to correlate that information in real time. We're looking at current state prevention as well as future state because Umbrella processes billions of DNS requests from millions of users every day," Duong said. "It's very dynamic and gives us insight into the threat landscape, whether it be a ransomware attack, a phishing campaign or a site that is distributing a certain variant of malware."

The technology at play

For the Kansas health system, hospital network security begins with the connection to Cisco's global network, which gives Umbrella and its users visibility into internet and network traffic both inside and outside their own organization.

Doell said Cisco processes about 80 billion DNS requests per day for 160 countries. The company also has insight into the traffic patterns of 65 million daily active users.

"When I say that's our satellite view of the traffic patterns it really is a holistic view of where people are going across the internet and as a result petabytes of information that our security research team can sift and sort through," Doell said. "This team basically creates lots of data intelligence that sources the data, determines where the dark corners of the internet are and then creates automated policy enforcement across our security subscribers."

This is where Investigate kicks in to give the user a deeper inspection of a specific domain, he said, with the next step being big data analytics.

"What our security research team builds is a lot of data analysis, a lot of data visualization tools, a lot of heuristics and classifiers that comb that huge data cube of traffic patterns and search for anomalies, search for associated domains," Doell said. "So for example if we know that is a domain that is known to host malware, a lot of what these tools do is look at 'Who's the owner of And what other domains do they own? Have they spun up a new domain recently? Are their domain names shifting around from what they're registered to?'"

Once that data is collected and Umbrella learns that the owner of also owns several other domains, Doell said they can assume the other sites this person has created are also malicious.

"You have to do this with big data analytics," he said.
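The two steps the article describes, pivoting from one known-bad domain to the other domains its registrant owns (including any spun up recently) and then enforcing the resulting policy at the DNS layer, as an added example that is neither Cisco's nor the health system's code. The registration records, DNS query log lines, client addresses and the 90-day "recent" window are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed WHOIS-style registration records; every value is hypothetical.
RECORDS = [
    {"domain": "malware-host.test", "owner": "reg-1001", "registered": date(2016, 1, 4)},
    {"domain": "update-checker.test", "owner": "reg-1001", "registered": date(2016, 3, 20)},
    {"domain": "old-mirror.test", "owner": "reg-1001", "registered": date(2014, 6, 1)},
    {"domain": "benign-shop.test", "owner": "reg-2002", "registered": date(2012, 9, 9)},
]

# Constructed resolver query log: timestamp, client IP, query type, queried name.
QUERY_LOG = """\
2016-04-01T10:00:00Z 10.0.5.17 A update-checker.test
2016-04-01T10:00:01Z 10.0.5.17 A c2.malware-host.test
2016-04-01T10:00:02Z 10.0.7.3 A benign-shop.test
2016-04-01T10:00:03Z 10.0.7.3 A www.old-mirror.test
"""

AS_OF = date(2016, 4, 1)  # reference date for the "registered recently?" question


def related_domains(seed, records, as_of=AS_OF, recent_days=90):
    """Pivot from one known-bad domain to the registrant's other domains.

    Returns {domain: "recent" | "older"} so an analyst can see which sibling
    domains were spun up shortly before the reference date (assumed window).
    """
    owner = next((r["owner"] for r in records if r["domain"] == seed), None)
    if owner is None:
        return {}
    return {
        r["domain"]: "recent" if as_of - r["registered"] <= timedelta(days=recent_days) else "older"
        for r in records if r["owner"] == owner and r["domain"] != seed
    }


def build_blocklist(seeds, records, as_of=AS_OF):
    """Seed domains plus every domain the same registrants also own."""
    block = set(seeds)
    for seed in seeds:
        block.update(related_domains(seed, records, as_of))
    return block


def enforce(log_text, blocklist):
    """DNS-layer policy: a query is blocked when the name or any parent zone is
    listed, so c2.malware-host.test matches malware-host.test. Returns
    (client, qname, verdict) per log line; callers log the BLOCK rows."""
    verdicts = []
    for line in log_text.splitlines():
        _ts, client, _qtype, qname = line.split()
        labels = qname.rstrip(".").split(".")
        ancestors = {".".join(labels[i:]) for i in range(len(labels))}
        verdicts.append((client, qname, "BLOCK" if ancestors & blocklist else "ALLOW"))
    return verdicts
```

Because the match walks every parent zone, a blocked registrant-level domain also covers subdomains the attacker creates later without a new registration.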
