Step one – Reconnaissance
Before launching an attack, hackers first identify a vulnerable target and work out the best ways to exploit it. The initial target can be anyone in the organization; the attacker only needs a single point of entry to get started. The targeted (spear-)phishing e-mails that later carry the malware are built from what is learned in this step.
The whole point of this phase is getting to know the target.
The questions that hackers are answering at this stage are:
- Who are the important people in the company? This can be answered by looking at the company web site or LinkedIn.
- Who do they do business with? For this they may use social engineering, making a few “sales calls” to the company. The other way is good old-fashioned dumpster diving.
- What public data is available about the company? Hackers collect IP address ranges and run scans to determine what hardware and software the company is using. They also check the domain registration (WHOIS) data exposed through ICANN’s registry lookup.
The more time hackers spend gaining information about the people and systems at the company, the more successful the hacking attempt will be.
Step two – Weaponization
In this phase the hacker uses the information gathered in the previous phase to create the things they will need to get into the network. This could mean crafting believable spear-phishing e-mails that look like messages the target could plausibly receive from a known vendor or other business contact. Next come cloned web pages. These look identical to a vendor’s web page or even a bank’s web page, but their sole purpose is to capture your user name and password, or to offer you a “free download” of a document or something else of interest. (A true watering hole, by contrast, is a legitimate site the targets already visit that the attacker has compromised to serve the same kind of payload.) The final thing the attacker does in this stage is assemble the tools they plan to use once they are inside the network, so that they can exploit any vulnerabilities they find.
Step three – Delivery
Now the attack starts. The phishing e-mails are sent, the cloned pages go live on the Internet, and the attacker waits for the data they need to start rolling in. If a phishing e-mail carries a weaponized attachment, the attacker waits for someone to open it and for the malware to call home.
Step four – Exploitation
Step six – Command and control
By now the attacker has access to the network, holds administrator accounts, and has all the needed tools in place. They have unfettered access to the entire network: they can look at anything, impersonate any user on the network, and even send e-mails from the CEO to all employees. At this point they are in control. They can lock you out of your entire network if they want to.
Step seven – Action on objective
Now that they have total control, they can achieve their objectives. This could be stealing information on employees, customers, product designs, etc., or they can start interfering with the operations of the company. Remember, not all hackers are after monetizable data; some are out simply to cause damage. If you take online orders, they could shut down your order-taking system or delete orders from it. They could even create orders and have them shipped to your customers. If you have an Industrial Control System and they gain access to it, they could shut down equipment, enter new set points, and disable alarms. Not every hacker wants to steal your money, sell your information or post your incriminating e-mails on WikiLeaks; some just want to cause you pain.
Corona Virus – COVID19 Outbreak
- (i) Assess the situation: Initiate the response by assessing the situation in terms of the time, place and person distribution of those affected, the routes of transmission, its impact on critical infrastructure and health facilities, and the agencies and organizations involved in responding to the event; communicate with the public health responders and the local, state and national emergency operation centers for event management.
- (ii) Contact key health personnel: Contact and coordinate with personnel within the health department that have emergency response roles and responsibilities. Record all contacts and follow-up actions.
- (iii) Develop action plan: Develop initial health response objectives that are specific, measurable and achievable. Establish an action plan based on the assessment of the situation. Assign responsibilities and record all actions.
- (iv) Implementation of the action plan: The RRTs/QRMTs investigate the outbreak or increase in disease incidence, collect samples and send them to the identified state/national laboratory for testing. Hospitals are alerted to receive and treat the patients; if necessary, tented hospitals are set up. Disease-control and quarantine measures are instituted. Once the disease is identified, treatment protocols are sent to all concerned by the fastest possible means. Standard operating procedures (SOPs) for laboratory testing are written by the identified laboratory and sent to all hospital and district-hospital laboratories for implementation. Laboratory reagents are distributed to the concerned laboratories. The public is taken into confidence to prevent panic, and a list of ‘Do’s and Don’ts’ is circulated through the print and electronic media. Hospitals ensure appropriate isolation, quarantine, waste disposal and personal protective measures. All contaminated clothing and equipment are carefully disposed of by incineration. An impact assessment team assesses the impact of the attack on humans, animals and plants.
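As an added example (not part of the original article), the following Python script shows what detection for two of the phases above can look like when run over constructed web-proxy log lines: a look-alike check that catches the spoofed vendor or bank domains built in the weaponization step and reached in the delivery step, and a periodicity check that catches the malware “calling home” during command and control. The log format, the trusted-domain list, the homoglyph table and the thresholds are all assumptions made for this example, and the registered-domain split ignores the public suffix list.

```python
"""Phase-tagged detections over constructed web-proxy log lines.

Added example, not from the original article. Assumptions: the log format,
TRUSTED_DOMAINS, the homoglyph table and the beacon thresholds are made up
for illustration; registered_domain() ignores the public suffix list.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: vendor/bank domains the organization legitimately deals with.
TRUSTED_DOMAINS = ("examplevendor.com", "examplebank.com")

# Constructed proxy log lines, not real traffic: "timestamp src_ip dest_host path".
LOG_LINES = """\
2024-03-01T09:00:03 10.0.0.5 www.examplevendor.com /portal/login
2024-03-01T09:00:00 10.0.0.7 cdn-updates.example /api/v1/ping
2024-03-01T09:01:00 10.0.0.7 cdn-updates.example /api/v1/ping
2024-03-01T09:02:01 10.0.0.7 cdn-updates.example /api/v1/ping
2024-03-01T09:02:40 10.0.0.5 news.example /world
2024-03-01T09:03:00 10.0.0.7 cdn-updates.example /api/v1/ping
2024-03-01T09:03:59 10.0.0.7 cdn-updates.example /api/v1/ping
2024-03-01T09:05:00 10.0.0.7 cdn-updates.example /api/v1/ping
2024-03-01T09:07:12 10.0.0.7 examp1evendor.com /invoice/Q1.pdf
2024-03-01T09:11:48 10.0.0.5 news.example /sport
2024-03-01T09:12:30 10.0.0.5 examplebank.com.secure-login.example /auth
2024-03-01T09:20:05 10.0.0.5 www.examplevendor.com /portal/orders
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Turn log text into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, host, path = m.groups()
            records.append({"ts": datetime.fromisoformat(ts), "src": src,
                            "host": host.lower(), "path": path})
    return records


# Spelling tricks seen in phishing domains (illustrative subset, an assumption).
MULTI_CHAR = (("rn", "m"), ("vv", "w"))
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def normalize_label(label):
    """Fold common homoglyph substitutions back to the letters they imitate."""
    s = label.lower()
    for fake, real in MULTI_CHAR:
        s = s.replace(fake, real)
    return s.translate(SINGLE_CHAR)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels; a real deployment would consult the public suffix list."""
    return ".".join(host.split(".")[-2:])


def lookalike_of(host):
    """Return the trusted domain this host imitates, or None if genuine/unrelated."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None  # the real domain or one of its subdomains
    folded = normalize_label(reg)
    for trusted in TRUSTED_DOMAINS:
        if host.startswith(trusted + "."):  # brand used as a leading label elsewhere
            return trusted
        if folded == trusted or edit_distance(folded, trusted) <= 1:
            return trusted
    return None


def find_lookalikes(records):
    """Delivery phase: requests to hosts that imitate a trusted vendor or bank."""
    hits = []
    for r in records:
        trusted = lookalike_of(r["host"])
        if trusted is not None:
            hits.append((r["src"], r["host"], trusted))
    return hits


def find_beacons(records, min_hits=4, max_cv=0.1):
    """C2 phase: (src, host) pairs contacted at near-constant intervals."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r["ts"])
    beacons = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:  # low jitter = machine-driven
            beacons.append((src, host, round(avg)))
    return beacons


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    for hit in find_lookalikes(recs):
        print("DELIVERY  look-alike domain:", hit)
    for hit in find_beacons(recs):
        print("C2        periodic beacon:  ", hit)
```

Run directly, it reports the `examp1evendor.com` and `examplebank.com.secure-login.example` requests as delivery-phase hits and the sixty-second `cdn-updates.example` pattern from 10.0.0.7 as a C2-phase beacon. The one-character distance threshold and the 10% jitter bound are deliberately loose for the sample; in production both produce false positives on short legitimate domains and on well-behaved software updaters, so treat the hits as triage leads rather than verdicts.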
The following abbreviations label the detection flows reported by Kaspersky’s products:
OAS (On-Access Scan) shows the malware detection flow during On-Access Scan, i.e. when objects are accessed during open, copy, run or save operations.
ODS (On-Demand Scanner) shows the malware detection flow during On-Demand Scan, when the user manually selects the ‘Scan for viruses’ option in the context menu.
MAV (Mail Anti-Virus) shows the malware detection flow during a Mail Anti-Virus scan, triggered when new objects appear in an email application (Outlook, The Bat, Thunderbird). MAV scans incoming messages and calls OAS when attachments are saved to disk.
WAV (Web Anti-Virus) shows the malware detection flow during a Web Anti-Virus scan, triggered when the HTML page of a website opens or a file is downloaded. It checks the ports specified in the Web Anti-Virus settings.
IDS (Intrusion Detection System) shows the network attack detection flow.
VUL (Vulnerability Scan) shows the vulnerability detection flow.
KAS (Kaspersky Anti-Spam) shows suspicious and unwanted email traffic discovered by Kaspersky’s Reputation Filtering technology.
BAD (Botnet Activity Detection) shows statistics on identified IP addresses of DDoS attack victims and botnet C&C servers. These statistics are acquired with the help of the DDoS Intelligence system (part of the Kaspersky DDoS Protection solution).
What is syndromic surveillance? (Henning KJ)
Innovative electronic surveillance systems are being developed to improve early detection of outbreaks attributable to biologic terrorism or other causes. A review of the rationale, goals, definitions, and realistic expectations for these surveillance systems is a crucial first step toward establishing a framework for further research and development in this area. This commentary provides such a review for current syndromic surveillance systems. Syndromic surveillance has been used for early detection of outbreaks, to follow the size, spread, and tempo of outbreaks, to monitor disease trends, and to provide reassurance that an outbreak has not occurred. Syndromic surveillance systems seek to use existing health data in real time to provide immediate analysis and feedback to those charged with investigating and following up potential outbreaks. Optimal syndrome definitions for continuous monitoring, and the specific data sources best suited to outbreak surveillance for specific diseases, have not been determined. Broadly applicable signal-detection methodologies and response protocols that would maximize detection while preserving scarce resources are being sought. Stakeholders need to understand the advantages and limitations of syndromic surveillance systems. Syndromic surveillance systems might enhance collaboration among public health agencies, health-care providers, information-system professionals, academic investigators, and industry. However, syndromic surveillance does not replace traditional public health surveillance, nor does it substitute for direct physician reporting of unusual or suspect cases of public health importance.