ZORRO stands for "ZOrg Redteaming Resilience Oefeningen" ("CARE Red Teaming Resilience Exercises") and is a Red teaming exercise especially for healthcare.
Are you unsure whether your organization can stop a major cyber attack on your organization and operation?
We attack your organisation, while you try to defend.
Evaluate your detection & response capabilities.
Learn from a specific scenario to minimize real damage from a real attack.
We stage a planned (cyber) attack on your organisation while recording every step.
You try to detect & mitigate the incoming attack.
Z-CERT has developed a framework for red teaming in healthcare together with the institutions of the Dutch healthcare sector. This framework is called ZORRO, which stands for “ZOrg Redteaming Resilience Exercises” and is based on the TIBER-NL program used in the financial sector.
With the ZORRO framework, we carry out red teaming in which we test the organization against realistic threats in healthcare. Here we use Tactics, Techniques and Procedures (TTPs) of cyber criminals who are active in the healthcare sector.
Z-CERT is an abbreviation of Computer Emergency Response Team for the healthcare sector. In other words: Z-CERT employs cybersecurity experts who help to keep healthcare institutions digitally safe. Every day, Z-CERT's first-line security specialists scan various sources for threats to the healthcare sector. The healthcare organizations themselves are responsible for the security of their digital systems, but if things go wrong Z-CERT can come to the rescue. For this reason, Z-CERT is also referred to as the 'digital fire brigade of the healthcare sector'.
(source: https://www.z-cert.nl/over-ons/)
In 2021, the Antoni van Leeuwenhoek Hospital (AVL) was the first party in the Netherlands to carry out a ZORRO test. The ZORRO test went very well, with AVL, Z-CERT and Securify working closely together to safely carry out a realistic attack. Our case study with experiences of all parties can be found here.
A Red Team Test always proceeds according to a preconceived plan. The scope, duration and purpose of the test is determined in consultation with the client.
This is followed by the reconnaissance phase, in which the red team collects as much information as possible about the organization, the existing systems and the target of the attack. For example the crown jewels. The scenario is also created during this phase. The choice of scenario depends on how mature the IT security of the organization is. And whether an organization wants to know whether they can withstand a certain TA, where they will recreate the path of a certain TA.
This is followed by the Initial Foothold with which access to a system, a workplace or a user account is obtained. Once inside, the Red Team tries to extend control by increasing user permissions. They also try to achieve remote control over internal resources in the network. Then the search for the most valuable assets of the organization starts. Consider, for example, access to the payment system. This is the Trophy Hunt.
After the test, the client is presented in a findings meeting what the Red Team has done and how far they have come. An extensive report also contains recommendations and advice for improving security. If desired, an advisory process can be started. In an advisory process, our security specialists help to solve the identified issues.
Our team of experienced cyber experts has extensive knowledge in healthcare. We understand the specific challenges and regulatory requirements facing hospitals, enabling us to deliver targeted and effective ZORRO testing.