Nonprofit Under Attack: A Cyber Defense Case Study
Call it extreme resilience under heavy fire. Amidst a steady stream of cyberattacks and attempted breaches for nearly two years by skilled hackers determined to shut it down, Planned Parenthood Federation of America is mounting a vigorous initiative to defend itself with limited resources. While no cyberattack or breach is ordinary if your business is interrupted, the nimble Planned Parenthood IT team faces an extraordinary set of hurdles to defend itself as outsized external forces escalate daily. Even more noteworthy is the extent to which its team is seeking help in the form of deep partnerships with leading and emerging IT and security providers steeped in the conviction that what those partners learn from the attacks targeted at Planned Parenthood could advance the state of threat detection and remediation.
It started out as a seemingly routine case of a decentralized organization planning to protect highly sensitive information by modernizing its IT operations and ensuring a secure and compliant environment. Just after sharing that plan, the nationwide provider of women's health care services abruptly found itself in the eye of an ongoing storm. It's not clear when or if it will let up and what damage will be left in its wake. In the midst of rolling out a multiyear plan to build out a mature and comprehensive information security stance, Planned Parenthood's IT team finds itself adjusting but undeterred by the sudden risk of losing a substantial portion of its source of funding.
While efforts to defund Planned Parenthood have been in the public eye since the beginning of last year’s presidential campaign, the ongoing cyberattacks during that time have remained largely under the radar. Not only are the attacks unrelenting, some are sophisticated and very much as formidable as some of the worst nation-state attacks, according to Planned Parenthood CTO Franklin Rosado. "We are targets of multifaceted attack attempts that are blended," Rosado explains. Asked whether the attacks stemmed from the political debate and those opposed to Planned Parenthood, Rosado pauses and offers: "I think I can say it’s fairly obvious that they are targeting us because of who we are."
"We are targets of multifaceted attack attempts that are blended."
Franklin Rosado, CTO, Planned Parenthood
Challenging Risk Factors
Planned Parenthood, which last year celebrated its 100th anniversary, provides what many call critical social services, but what others say shouldn’t exist in their current form. Regardless, Planned Parenthood shares many of the same security concerns that face any large health care provider, where it must secure private patient information and comply with HIPAA regulations. Millions of women, mostly those with low incomes, rely on the health care services provided by Planned Parenthood’s 650 clinics throughout the United States, including cancer screenings, prenatal planning and birth control. But because some of its clinics also provide abortions, opponents say the government should stop subsidizing Planned Parenthood. How that will play out over time remains to be seen.
Beneath that backdrop, the threat of reduced funding has historically weighed on Planned Parenthood and, likewise, is the basis of non-trivial physical and IT security risks. Moreover, Rosado and his team can’t overlook the outlying potential risk that a data breach or system compromise could bring physical harm to a patient, physician, or other medical and support personnel. Rosado believes this is a challenge from which any information security and systems professional and supplier could learn. That’s why Rosado and IT leaders at a couple of Planned Parenthood affiliates, through a series of interviews over the past two years, have candidly shared the problems they’ve faced and how they’re addressing them, such as:
- A unique coordinated threat vector and attack types targeted at Planned Parenthood
- Difficulty finding and retaining skilled infosec professionals
- Creation of a Center of Excellence (COE) blueprint based on National Institute of Standards and Technology (NIST) and SANS Institute best practices
- Evaluating and developing deep partnerships with the right suppliers
- Finding suitable, extensible and secure collaboration tools and an enterprise mobility and management (EMM) platform
- Engaging with Microsoft to potentially deploy Office 365 and its Enterprise Mobility + Security (EMS) service
Deploying Single Sign-On
The attacks experienced by Planned Parenthood unfolded just after our first meeting two years ago when Rosado outlined Planned Parenthood’s cloud modernization effort. During that meeting, Rosado’s initial invitation was for the explicit purpose of explaining how and why Planned Parenthood was reducing its reliance on Microsoft Active Directory by migrating its user accounts to a third-party, cloud-based single sign-on service for authentication to all networks and resources provided by Okta Inc.
Okta’s willingness to build those specialized connectors was critical, he recalls, because it provided single sign-on to systems and services used by many practitioners and employees (see "Cloud Identity Authentication Battle for the Enterprise Heats Up").
Providing a modern identity and access management framework created the foundation of Planned Parenthood’s emerging multiyear plan to move the applications running in its datacenters to the cloud and build a mature information security posture. At the time of that first meeting during the summer of 2015, Rosado described the migration to Okta as 50 percent complete, and said he’d be glad to follow up on his progress. Clearly, he did, but in retrospect, that first meeting was the calm before the storm for Planned Parenthood.
Cyberattacks and Their Aftermath
The release of a video implying that a Planned Parenthood clinic was profiting by selling tissue of aborted fetuses put the organization in the spotlight during the early stage of the presidential campaign, with several Republican candidates condemning the reported activity during the widely viewed debates. The accusations raised in the tightly edited videos, which were shared on social media, were ultimately discredited, but the campaign against Planned Parenthood by its opponents remained in full force.
Around that time in July 2015, a group of hackers breached database records that included names and e-mail addresses of 300 employees. The hackers, who said they were opposed to Planned Parenthood, claimed they were able to steal the information because of bad coding practices. Days later, a targeted distributed denial of service (DDoS) attack shut down the Planned Parenthood Web site. Planned Parenthood and its affiliates have since experienced ongoing attacks and phishing attempts and have detected all sorts of probes attempting malicious activity, according to Rosado and IT officials with several Planned Parenthood affiliates.
"I think Planned Parenthood is a very interesting organization due to the politics that are involved within the organization and what they have to deal with on a daily basis,"
says Ibrahim (Abe) Baggili, an assistant dean and assistant professor at the University of New Haven, Conn. Baggili, an expert in digital forensics, is quite knowledgeable about Planned Parenthood’s saga. He was among a number of outside speakers who addressed its IT and physical security readiness experts at a conference held by Planned Parenthood in Denver last fall.
"Planned Parenthood has been attacked where their Web site was defaced," Bagilli says. "But more importantly, the amount of information that can be spread about them over social media that is incorrect could cause people to think things about them in a way that’s not true. To me, besides being able to get into their networks and steal their customer data, that’s a threat that’s within the cyber domain."
Scope of Attacks
Arizona State University professor Kim Jones, who last year was named director of its New College of Interdisciplinary Arts and Sciences Cybersecurity Education Consortium, also spoke at the Planned Parenthood security conference. After Planned Parenthood gave Jones a deep dive on the attacks it has sustained over the past two years, Jones admits they were much more sophisticated and alarming than he initially had presumed.
"I’ve worked for defense contractors and financial institutions and having researched the attacks Planned Parenthood is undergoing, they have a very, very motivated and diligent set of threat actors."
Kim Jones, Professor, Arizona State University
"I’ve worked for defense contractors and financial institutions and having researched the attacks Planned Parenthood is undergoing, they have a very, very motivated and diligent set of threat actors, who over an extended amount of time have remained motivated and diligent regarding disrupting their operations," Jones says.
Vince Crisler, CEO and co-founder of Dark Cubed, who has worked in the White House, Pentagon and Department of Homeland Security, has seen all kinds of attacks. Crisler is working closely with Planned Parenthood, which is testing the Dark Cubed Cyber Security Platform, an appliance that prioritizes and provides real-time visibility to threats. In a typical deployment, the appliances will find hundreds of thousands of IP addresses and domains and, in larger ones, millions, he says, of which up to 5 percent to 8 percent are considered higher-risk threats. Some of those are automated scanning bots, botnets targeting all types of devices including DVRs and IP cameras, scanning these networks from the outside in.
Deployed at a number of Planned Parenthood affiliates, the Dark Cubed appliances receive feeds from the Planned Parenthood CloudFlare infrastructure monitoring service and scored by Dark Cubed. "There are a significant number scanning them or hitting them or trying to engage them and at that point we hand it off," Crisler says. "Once threats are observed, how do you jump in and see if it has done something malicious or not? That’s the second part of the chain. First is awareness and blocking and then the second piece is if you want to dig into it, you can also feed a Splunk deployment or other logging infrastructure to be able to do more advanced analytics."
As earlier noted, these attacks have remained under the radar, and certainly don’t sound as spectacular as some higher profile breaches happening at the same time. Consider last year’s higher-profile attacks alone, such as the e-mails leaked from the Democratic National Committee; a spate of cyber-heists by criminals who breached the SWIFT global payment network and stole hundreds of millions of dollars from several international banks, and the massive DDoS attack in which hackers unleashed the Mirai variant of botnets on DNS provider Dyn that brought down Amazon, Box, GitHub, Heroku, Netflix, Okta, Reddit, Spotify and Twitter.
Planned Parenthood has experienced many of the cyber risks and problems others have faced, but also has found, or is aware of, threats few are prepared to address, says John Jessop, information services program manager at Planned Parenthood. "We have people out there who want to shut us down and do us harm in any capacity they can," Jessop says.
Aaron Caine, CIO of the organization’s New England regional affiliate and chair of Planned
"It’s challenging and an uphill battle to get that cooperation from vendors."
Aaron Caine, CIO, Planned Parenthood New England Regional Affiliate
Parenthood’s National Information Security Committee (NISC), shares that view. "We have the political actors, state actors, those that are coming after us that may not be going after some of the other health care systems," Caine says. "We find that many vendors are not in a mature enough space to deal with this. A vendor with a large market cap, in a significant footprint in our space, said we don’t need any sort of Web application firewall or DDoS mitigation, just go after the top 10 issues that are reported and as long as we are dealing with the top vulnerabilities, we can’t be attacked. This comment was made to me two weeks before the whole Dyn outage. I don’t want to chuckle at this, but I chuckle a bit because thousands of customers were impacted and it shows we are not there yet."
By the standards of those larger attacks, Planned Parenthood’s woes may seem trivial. Rosado argues that given the scope, endurance and persistence among the threats and attempted breaches Planned Parenthood has seen, they’re comparable with some of those higher-profile attacks. Rosado shares that his biggest frustration is convincing prospective vendor partners
that while Planned Parenthood might look like a small- to mid-size business (SMB), its problems are at the scale that many large enterprises face. "We have a very unique security use case, which can help you develop your security products and your security strategy," Rosado says he tells prospective partners.
Jones agrees that while on the surface, Planned Parenthood may look no different than thousands of other SMBs based on its size, the attacks it has endured require an enterprise solution. "To say that their challenges are that of any SMB, I would submit, is an uninformed view of the challenges they are facing," he says. "They definitely have challenges beyond any SMB that I have had to deal with both in terms of structure and the level of threat and the level of attack that they are under."
Elaborating on that level of attack, Rosado says they’re targeted and require sophisticated threat analytics and incident response methods that aren’t readily available. "Unless you talk about a state actor or something like that, we have opposition that only comes after us," Rosado explains. "With things like threat intelligence, when the opponent has the capabilities to conduct cyber warfare themselves -- they’re not going to J.P. Morgan Chase, they’re not going after even Merck or another health company. They are only going to come after us. There are no signatures in the wild because they are coming after us. Our ability to detect and respond is going to require us to be very nimble and have good partners to define some nimble solutions for us."
In addition to looking for suppliers capable of addressing its various unique requirements, Rosado emphasizes Planned Parenthood is looking for deep partnerships who fit in with its Center of Excellence security maturity model, which is a 500-page document organized by the Planned Parenthood NISC with best practices recommended by the NIST, Computer Security Foundations (CSF) and SANS and tailored toward its efforts to cover all of Planned Parenthood’s core security requirements.
Access and identity management is at the top of the list of Planned Parenthood’s COE priorities. Among the other nine are:
- Data protection
- Threat and vulnerability management
- Endpoint protection
- Network protection
- Secure software development
- Security monitoring
- Incident response
- Insider threats
- Security awareness training
Seeking Deep Partnerships
Rosado says Planned Parenthood conducts exhaustive evaluations seeking the best technology for its environment, but equally he emphasizes his priority on establishing deep partnerships with strategic suppliers. While he doesn’t offer specifics, clearly that includes outsized discounts, but he does share that high-level and deep collaboration are critical. But in a world where organizations of all sizes are targets, why should Planned Parenthood get special treatment?
In addition to Dark Cubed and CloudFlare, a number of those who have committed to working closely with Planned Parenthood include Herjavec Group, a leading managed security and services provider (MSSP) that will provide the basis of a security operations center; security information and event management (SIEM) services by the likes of Suma Logic or Splunk; and Amazon Web Services Inc. (AWS), which will provide federation wide compute and storage infrastructure services. The plan is to migrate line-of-business applications using container tools from Docker Inc. and Kubernetes. Because Planned Parenthood uses the Django Web framework, AWS was the most suitable Infrastructure-as-a-Service (IaaS) platform, according to Rosado. "We have one of our affiliates already prepping all of the assets for creating [Amazon Machine Images] and throwing them out there," he says.
Asked if he considered Microsoft Azure, Rosado says by moving to Docker and Kubernetes containers, applications should be portable among cloud providers over time. For now, he says, AWS has gone out of its way to partner with Planned Parenthood. "Amazon is coming to the table, they are talking about nonprofit grant capabilities on their platform for us, they’re engaging with us," he says. "I can’t say we’ve gotten the same reception from Microsoft."
It’s not for lack of trying. Rosado has repeatedly expressed frustration with persistent efforts to partner with Microsoft. While Rosado holds out hope that the company will ultimately work with Planned Parenthood, he feels Microsoft would have a lot to gain if the EMS team and the Office 365 and security teams in Redmond would take a deep look at the Planned Parenthood environment.
Microsoft could play a big role in both its security modernization and creation of a modern collaboration platform, though Rosado isn’t ruling out Google Inc., among others, if it can’t make Office 365 and the Microsoft EMS service work. "We can share a lot of information from the threat environment," Rosado says. "Even companies like Microsoft, who are trying to establish themselves in the security space, we think we can offer them a unique data set and a unique business model, for them to learn from to replicate out."
Rosado points to Planned Parenthood’s work with Okta that enabled it to create commercial products out of the org-to-org connectors they jointly built, as an example. "We created a great partnership with Okta," Rosado says. "Okta had never worked with a federated model before and we helped them build on that federated model. They were able to sell it not only to nonprofits, but they started selling it to franchises. I heard from someone who worked at a hotel franchise who said they sold them on this org-to-org connector. They built it on our backs."
Two-Factor Authentication for Outlook
Planned Parenthood’s desire to align with Microsoft is understandable. As noted, access and identity management is one of Planned Parenthood’s 10 COE priorities. While the single
sign-on service from Okta described earlier is a key part of that, the identity work is far from complete. The COE also calls for identifying owners of data and applications for each critical storage location and application, respectively; establishing user roles; defining workflow processes that include audit trails; ensuring all software is tied to the identity management process and Rosado is still looking for a privileged account management solution. Standardizing on the latest two-factor authentication solutions is also critical on the identity management agenda.
Among those options, Rosado is looking at low-cost solutions such as YubiKey. Protecting e-mail with the latest multifactor authentication is one of the key priorities and the ideal way would be to standardize on an e-mail client, ideally a recent edition of Outlook. "The problem is you can't put multifactor authentication in front of Outlook unless you're using Outlook 2013 or 2016," Rosado laments, a problem faced by many organizations of all sizes.
In each of our meetings we discussed the option of configuring Microsoft's Office 365 and EMS, to most efficiently secure and keep PCs and other devices updated, as well as help employ some of the policies that fall under the COE. Rosado believes Microsoft has a lot to offer, but many of the piece parts still need to evolve. In the meantime, that will require integrating with solutions from various providers, depending on the environments in various locations.
"We are trying to get a collaboration suite where we can look at Office 365, Okta, Zixmail, Box or something that really handles all of the key aspects of a good and best-of-breed collaboration suite," Caine says. "I think it’s fair to say OneDrive isn’t quite there yet. The Microsoft Identity program is not designed to be completely agnostic. Their [mobile device management] product is focused on Intune, and driving use to the Microsoft application. We’re trying to provide a best in breed and engage all of the affiliates by saying there’s not really a better way to do this. We didn’t just sign with Microsoft [because] we’re trying to put together the best possible experience. It’s challenging and an uphill battle to get that cooperation from vendors."
Rosado is optimistic that over time many of the objections to Office 365 and EMS will likely be moot. Rosado believes his team and affiliates could play a role in helping Microsoft make Office 365 and EMS more secure. But he also says time is running out and if Microsoft doesn’t "come to the table" as other partners have, he won’t rule out alternatives, possibly Google. On the EMM side, Planned Parenthood is evaluating solutions from all of the major players including MobileIron and Okta.
"We need to be able to integrate the pieces where there may be a Phase 1 and 2 to get a best-of-breed packaged solution now," Rosado says. "We need Microsoft to come to the table so we can talk about how to do that. Over time, OneDrive, Skype for Business, these other products may dominate, but they’re not quite there yet. So, we need that cooperation so we can figure out how to offer a platform to our affiliates that meets our security requirements now and something that can evolve going forward. "Rosado has been angling to get on Microsoft’s radar since last summer but so far, he hasn’t received any meaningful response other than an occasional reply to an e-mail. In addition to seeking treatment as an enterprise rather than an SMB, Rosado wants to learn more about Microsoft’s EMS, if it can meet Planned Parenthood’s needs and whether the recently released Intune APIs and others in the pipeline will fit into its entire environment. Microsoft could benefit by collaborating with Planned Parenthood just as much as the organization itself, Rosado believes.
"We find ourselves challenged trying to explain the work that we are doing, the program that we’ve created, that has been reviewed and vetted by cybersecurity veterans," he says. "We are not looking to just go in and knock 5 or 10 percent off of their best possible nonprofit price, we are looking for partners to implement a repeatable cybersecurity program that can be resold."
The Federated Model
The scope and nature of the attacks notwithstanding, understanding how to address problems like the federated model is also a key challenge for many IT suppliers not accustomed to it, even though it’s common in the public sector and other environments. While Planned Parenthood is the central organization that provides medical and IT resources and best practices, each of its 56 affiliates have their own CIOs and operating structures. That creates several challenges. First, the federated structure means while Planned Parenthood can specify best practices and recommend software and hardware, each affiliate has its own CIO and budget and has the autonomy to make its own decisions. When it comes to major procurement, though, Rosado pitches the fact that together the affiliates can cooperate for better deals than they can independently.
Second, similar with most nonprofit organizations and government entities, the budget for IT staff and for technology at Planned Parenthood is markedly lower than its commercial counterparts. Rosado expresses frustration in the difficulty in finding the right skilled IT security talent capable of addressing both its federated model and able to oversee the implementation of its COE priorities.
Indeed, finding skilled IT security experts is difficult, as organizations compete for a limited and high-priced pool of talent. "The people who are the correct hires cost a lot of money," Baggili says. "That’s why the government is having a lot of problems hiring good cybersecurity talent because they offer them $60,000 a year. How do you compete when there’s such a difference in salaries between public and private sector? That’s a national security issue."
Planned Parenthood has no illusions that it faces huge challenges, and uncertainty about how much of its effort to deliver a modern and secure information service for its affiliates and clinics holds in the balance a lot of factors, especially now that its funding is in question. Regardless, Rosado, Caine, Jessop and others clearly have a deep and comprehensive commitment and sense of urgency to ensure that its information assets are available and protected, as are its patients and employees.
In the end, that could be a key factor, University of Arizona’s Jones says. "They have a hell of a boulder that they’re pushing uphill, and I have to tell you, some of the ways they have done it are not only fairly unique, but are probably the most effective and creative and efficient solutions that I can think of given their organizational situation."