The Decision to Adopt Machine Learning for Telemedicine

Telemedicine is fast-growing as a mobile health care information system (HIS) in most parts of the world. Fast Internet, smart phones and increased comfort of physicians in using electronic communication are also helping telemedicine become more widely adopted. Telemedicine consultation can contribute to reducing cost, lessening the stress of patients and improving accessibility to specialized consultations. However, it is difficult to schedule correct telemedicine sessions without a deep understanding of the health care needs of the region. The use of machine learning for decision making and better treatment has been a highly researched topic. Machine learning is also used to monitor patients remotely. However, this technique is not currently used to monitor telemedicine session broadcasting. In our recent Journal article, we present the case of an Indian health care organization that broadcasts telemedicine sessions to associated hospitals in remote locations. For the purpose of telemedicine governance, we suggest the following steps while using machine learning techniques through the department-session-organization (DSO) model proposed in our article:

  • Understand the specific IT governance problem using organization mission and vision to determine the purpose of the prediction model.
  • Past data collection, data cleaning to remove incomplete data and analysis of the data is required.
  • Perform data transformation for simplification and improved decision making if needed. For example, we simplified our model by clustering hospitals based on regions and identified teaching and nonteaching hospitals for better distinction and prediction.
  • Based on the data set, the organization needs to determine the kind of machine learning technique suitable for its decision making. In our study, as the variables were categorical and best suited for a classification model, we tested multiple classification techniques. Based on the results, we observed that a classification tree provided us the best prediction accuracy.

It is also important to balance the cost of information retrieval and resulting profit out of the prediction technique. While determining the return on the additional investment, we accounted for the risk associated with misclassification by the telemedicine decision support system (TDSS). A clear understanding of the risk and return on investment will help the hospital to understand the pros and cons of going forward with such a prediction technique.

Read Shounak Pal and Arunabha Mukhopadhyay’s recent Journal article:
A Machine Learning Approach for Telemedicine Governance,” ISACA Journal, volume 1, 2017.

Shounak Pal and Arunabha Mukhopadhyay, Ph.D.

[ISACA Journal Author Blog]

Campaign Evolution: pseudo-Darkleech in 2016

Darkleech is long-running campaign that uses exploit kits (EKs) to deliver malware. First identified in 2012, this campaign has used different EKs to distribute various types of malware during the past few years. We reviewed the most recent iteration of this campaign in March 2016 after it had settled into a pattern of distributing ransomware. Now dubbed “pseudo-Darkleech,” this campaign has undergone significant changes since the last time we examined it. Our blog post today focuses on the evolution of pseudo-Darkleech traffic since March 2016.

Chain of events

Successful infections by the pseudo-Darkleech campaign have generally followed a set sequence of events. This happens regardless of the EK used or the payload delivered. The sequence is:

  • Step 1: Victim host views a compromised website with malicious injected script.
  • Step 2: The injected script generates an HTTP request for an EK landing page.
  • Step 3: The EK landing page determines if the computer has any vulnerable browser-based applications.
  • Step 4: The EK sends an exploit for any vulnerable applications (for example, out-of-date versions of Internet Explorer or Flash player).
  • Step 5: If the exploit is successful, the EK sends a payload and executes it as a background process.
  • Step 6: The victim’s host is infected by the malware payload.

In some cases, the pseudo-Darkleech campaign has used a gate between the compromised website and the EK landing page. However, we far more frequently see injected script from the compromised website lead directly to the EK landing page. To get a better idea of the relationship between EKs and campaigns, see our previous blog on EK fundamentals.

Figure 1: Chain of events for the pseudo-Darkleech campaign.

EKs used by pseudo-Darkleech

The pseudo-Darkleech campaign used Angler EK until that EK disappeared in mid-June 2016. Like many other campaigns, pseudo-Darkleech switched to Neutrino EK after Angler EK disappeared.

Pseudo-Darkleech stayed with Neutrino EK until mid-September 2016. At that point, Neutrino EK ceased operations. The pseudo-Darkleech campaign then switched to Rig EK, and it has stay with Rig since then. We still see indications of a Neutrino EK variant, but at much reduced levels compared to before.

Searching for EK activity in AutoFocus, we saw a significant drop in Neutrino and a corresponding rise in Rig activity starting in mid-September 2016.

Figure 2: Hits on Neutrino and Rig EK activity in September 2016.

Payloads sent by pseudo-Darkleech

When we last reviewed the pseudo-Darkleech campaign in March 2016, it was delivering TeslaCrypt ransomware. Since that time, pseudo-Darkleech has changed the ransomware payloads it delivers. In April 2016, this campaign switched to CryptXXX ransomware after TeslaCrypt shut down and released its master decryption key. By August 2016, pseudo-Darkleech had switched to a new variant of CryptXXX ransomware dubbed CrypMIC.

By October 2016, pseudo-Darkleech switched to distributing Cerber ransomware, and it has continued sending Cerber as of early December 2016. Below is a summary of EKs and payloads used by the pseudo-Darkleech campaign so far in 2016.

  • Jan 2016: Angler EK to deliver CryptoWall ransomware
  • Feb 2016: Angler EK to deliver TeslaCrypt ransomware
  • Apr 2016: Angler EK to deliver CryptXXX ransomware
  • Jun 2016: Neutrino EK to deliver CryptXXX ransomware
  • Aug 2016: Neutrino EK to deliver CrypMIC ransomware
  • Sep 2016: Rig EK to deliver CrypMIC ransomware
  • Oct 2016: Rig EK to deliver Cerber ransomware

Patterns of injected script

Any EK infection chain almost always starts with injected script from a particular campaign in a page from a compromised website. These pages are from legitimate websites that have been compromised and are being used by the campaign.

When we last examined injected script by the pseudo-Darkleech campaign, it was a large block of heavily-obfuscated text that averaged from 12,000 to 18,000 characters in size. It remained large and obfuscated through June 2016.

Figure 3: Start of injected pseudo-Darkleech script in page from compromised website in June 2016.

Figure 4: Middle of injected pseudo-Darkleech script in page from compromised website in June 2016.

Figure 5: End of injected pseudo-Darkleech script in page from compromised website in June 2016.

But by July 1st 2016, injected pseudo-Darkleech script stopped using obfuscation and became a straight-forward iframe. This iframe has a span value that puts it outside the viewable area of your web browser’s window.

Figure 6: Example of injected pseudo-Darkleech script from July 2016.

The injected script has changed slightly since then, but it remains short and unobfuscated as of early December 2016.

Figure 7: Example of injected pseudo-Darkleech script from December 2016.

Conclusion

With the recent rise of ransomware, we continue to see different vectors used in both targeted attacks and wide-scale distribution. EKs are one of many attack vectors for ransomware. The pseudo-Darkleech campaign has been a prominent distributer of ransomware through EKs, and we predict this trend will continue into 2017.

Domains, IP addresses, and other indicators associated with this campaign are constantly changing. Customers of Palo Alto Networks are protected from the pseudo-Darkleech campaign through our next-generation security platform, including Traps, our advanced endpoint solution that prevent EKs from compromising a system. We will continue to investigate this campaign, inform the community of our results, and further enhance our threat prevention.

[Palo Alto Networks Research Center]

How to Keep IT Employees Fully Engaged

In my last article, I wrote about the importance of training, and how I believe it is the missing ingredient to IT success. This is something I feel rather strongly about and will discuss with anyone who listens.

But as I mentioned, the word training comes with some negative connotations – at least for myself. I associate it with being a student in a structured classroom setting where I’m supposed to follow the teacher’s instructions. Unfortunately, I’m afraid that many of my peers feel the same way.

But this is just one surface-level symptom of a larger issue. The fact of the matter is that many organizations don’t understand how to fully engage their IT departments. As a result, continuing education suffers, employees begin to lose focus, and productivity wanes.

This is why I’m a major proponent of finding better ways to engage IT employees and make them feel like what they’re doing is important and appreciated. In doing so, the entire organization benefits.

Ideas for Keeping Employees Engaged
How do we engage our IT employees? That’s a question that organizations need to consider as we move forward. And while there are some IT-specific strategies, a larger organizational perspective is critically important. Committing to engaging the company as a whole will lead to benefits for the IT department.

The first idea is to pull back on mindless restrictions that aim to establish pointless uniformity in the organization. This is something Zappos, the online shoe retailer, is adamant about.

“Zappos has a casual work environment where employees can be their most authentic selves,” according to an article in U.S. News & World Report. “The dress code is relaxed so they can feel comfortable. As long as their outfits are respectable and work-appropriate, employees have the freedom to express their individual style.”

When employees feel like themselves, they’re more engaged. It tears down the imaginary barrier between work and personal life and starts to feel more natural.

The second thing I recommend is for companies to invest in regular departmental team-building outings. Your IT employees would do well to get out of their comfort zones and try something they’ve never done before. I would recommend an activity like whitewater rafting. I did this while working for a previous employer, and we all left feeling like we knew each other better.

The goal of a team-building outing is to force employees to rely on one another. This increases trust and allows each individual to better understand the strengths and weaknesses of his or her co-workers. Upon returning to a work setting, everyone feels like they have a better picture of what they’re doing.

The third key is to be clear with your company’s vision and the IT department’s goals.

“People want to understand the vision that senior leadership has for the organization, and the goals that leaders or departmental heads have for the division, unit, or team,” according to Dan Crim, an expert in organizational behavior. “Success in life and organizations is, to a great extent, determined by how clear individuals are about their goals and what they really want to achieve.”

Make the Investment in Engagement
I’ve worked in a number of organizations and can tell you that there’s a huge difference between companies that focus on employee engagement and those that ignore it.

Become a company that prioritizes engagement, and your IT employees will appreciate your investment.

Larry Alton, Writer, LarryAlton.Com

[ISACA Now Blog]

TechDocs: Protect Your SaaS with the Latest Aperture Features

The Aperture team is working hard to make your life easier and keep your SaaS applications secure. New features introduced recently include:

  • Automatic Risk Remediation: The Aperture service introduces a powerful new feature that can automatically discover and remediate risks. You can create policy rules that automatically quarantine compromised assets, change sharing to maintain network security, and notify owners when an asset is vulnerable. When you automatically remediate risks, the Aperture service can process and fix large volumes of risks in record time with minimal overhead. Aperture supports automatic remediation on Outlook 365, Google Drive, Box, and Dropbox.
  • Support for Salesforce Sandbox: SaaS applications supported by the Aperture service now include Salesforce Sandbox applications. A Sandbox creates copies of your Salesforce organization in separate environments. You can use them for development, testing, and training, without compromising the data and applications in your Salesforce production account.
  • Enhanced Administrator Roles: Account choices in the Aperture service include a new Read Only administrator role. There are now three administrator roles you can manage to give you greater control over which tasks administrators can and cannot perform.

As always, you can find our content on our Technical Documentation page under the Aperture documentation page.

Happy reading!
Your friendly Technical Documentation team

Have questions? Contact us at: documentation@paloaltonetworks.com

[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: Automation and Playbook Models Take On Key Roles in Threat Intelligence Sharing

Threat intelligence sharing among vendor and industry peers has come a long way, and in 2017 there will be more opportunities than ever to demonstrate its value; especially as conversations around sharing intelligence between the public and private sectors continues.

Crossing the Last Mile With Threat Intelligence

Security vendors and white hat researchers continuously seek new indicators of vulnerability. Once found, they convert them into prevention and detection controls and deploy them as quickly as possible. This is called actionable intelligence. The problem for the past decade is that most network defenders take days, weeks or even months to finish the last mile—if they do it at all.

What is needed is an automatic way to make the journey. Instead of analysts reading intelligence reports, deciding that the intelligence is pertinent to their environment, crafting prevention and detection controls for their deployed systems, and then deploying those controls, network defenders will, in the future, rely on automated systems which do that for them. They will have to trust that the automation will not take the network down.

Read more predictions on The Cipher Brief.

[Palo Alto Networks Research Center]

English
Exit mobile version