Cybersecurity Exercise of the Special Service for National Security National Cyber-Security Center for the Healthcare Sector

  • Zoltán Aradi NKI
Keywords: cyber security, exercise, incident, technical tasks, communication tasks

Abstract

The Special Service for National Security National Cyber-Security Center (SSNS NCSC) organized the HunEx cybersecurity exercise in 2023, specifically targeting the healthcare sector. The primary objectives of this exercise were to evaluate the cybersecurity capabilities of participating institutions, test internal procedures, and strengthen intersectoral cooperation. Given the critical nature of healthcare systems, ensuring that these institutions are well-prepared to handle cyber incidents is of utmost importance. The HunEx exercise provided a controlled environment in which participants could engage with realistic scenarios designed to test their readiness and response to cyber threats.

The exercise involved 14 technical and 5 communication tasks, each designed to simulate real-life situations that the participants might face in the event of a cyberattack. The technical tasks included activities such as log analysis, malware analysis, and incident investigation on virtual machines. These tasks were crucial in assessing the participants' ability to identify and mitigate cyber threats. For example, participants were required to analyze logs and identify indicators of compromise, investigate the presence of malicious code, and determine whether data breaches had occurred.

One of the most significant challenges presented during the exercise was the handling of ransomware attacks. Given the increasing prevalence of ransomware incidents globally, this aspect of the exercise was particularly important.

In addition to technical tasks, the exercise placed a strong emphasis on communication. The participants faced various challenges related to media relations and social media management, testing the organization's internal and external communication strategies.

Moreover, the exercise highlighted the importance of leadership decision-making and adherence to organizational procedures. Participants were tasked with making strategic decisions in response to the incidents, coordinating their teams' efforts, and ensuring that all actions were in line with the organization’s internal protocols.

Communication with authorities also played a key role in the exercise. Participants were required to prepare legal documents and reports and ensure that these were submitted to the relevant authorities in a timely and correct manner.

The feedback from participants indicated that the exercise was highly beneficial in improving their cybersecurity skills and organizational communication. However, the exercise also identified areas that need further development. One of the most frequently observed issues was the inadequate communication with both internal and external stakeholders. In many cases, communication was either insufficient or entirely lacking, which could lead to significant problems in a real incident.

Another significant area for improvement was the communication with authorities and the Computer Security Incident Response Team (CSIRT). During the exercise, there were instances where participants failed to report incidents to the authorities in a timely and correct manner. This is a critical weakness, as timely and accurate reporting to authorities is essential for coordinating an effective response to a cyber incident.

Phishing attempts were also a common problem among participants. Many participants failed to recognize phishing emails, highlighting the need for further training and awareness in this area.

Despite these challenges, the exercise also highlighted several positive outcomes. One of the most notable achievements was the proactive reporting of phishing attempts. Although many participants initially fell victim to these attempts, the majority recognized the threat and reported it. This proactive attitude and adherence to reporting protocols demonstrate that participants are aware of the dangers of phishing and are capable of responding quickly to such threats.

The exercise also demonstrated the high level of technical competence among participants. They successfully completed complex technical tasks, such as forensic analysis, log analysis, and malware identification.

Another positive outcome was the quality of communication with senior management. Participants were able to effectively inform leadership about the incidents, providing clear and comprehensive updates that enabled management to make informed decisions.

Published
2024-12-09
How to Cite
Aradi, Z. (2024). A Nemzetbiztonsági Szakszolgálat Nemzeti Kibervédelmi Intézet kibervédelmi gyakorlata az egészségügyi szektor számára. IME, 23(KSZ 2), 15-21. https://doi.org/10.53020/IME-2024-KSZ-203