{"vertical":"healthcare","vertical_display":"Healthcare & Life Sciences","total_incidents":189,"threat_actors":["LockBit","BlackCat/ALPHV","Clop","Royal","Hive","Rhysida","Black Basta","Vice Society"],"patterns":{"initial_access":{"spearphishing":{"pct":2,"technique":"T1566.001"},"vpn_exploit":{"pct":51,"technique":"T1190"},"rdp_exposed":{"pct":0,"technique":"T1133"},"valid_accounts":{"pct":47,"technique":"T1078"}},"common_chains":[{"name":"Classic Ransomware","steps":["T1566.001(Spearphishing Attachment)","T1059.001(PowerShell)","T1021.001(Remote Desktop Protocol)","T1003.001(LSASS Memory)","T1490(Inhibit System Recovery)","T1486(Data Encrypted for Impact)"],"step_details":[{"technique_id":"T1566.001","technique_name":"Spearphishing Attachment","tactic":"initial-access","observed_in_data":true},{"technique_id":"T1059.001","technique_name":"PowerShell","tactic":"execution","observed_in_data":true},{"technique_id":"T1021.001","technique_name":"Remote Desktop Protocol","tactic":"lateral-movement","observed_in_data":true},{"technique_id":"T1003.001","technique_name":"LSASS Memory","tactic":"credential-access","observed_in_data":true},{"technique_id":"T1490","technique_name":"Inhibit System Recovery","tactic":"impact","observed_in_data":true},{"technique_id":"T1486","technique_name":"Data Encrypted for Impact","tactic":"impact","observed_in_data":true}],"frequency":"67% of incidents","avg_dwell_time":"4.2 days","data_coverage_pct":100},{"name":"Double Extortion","steps":["T1566.001(Spearphishing Attachment)","T1059.001(PowerShell)","T1003.001(LSASS Memory)","T1048(Exfiltration Over Alternative Protocol)","T1486(Data Encrypted for Impact)"],"step_details":[{"technique_id":"T1566.001","technique_name":"Spearphishing Attachment","tactic":"initial-access","observed_in_data":true},{"technique_id":"T1059.001","technique_name":"PowerShell","tactic":"execution","observed_in_data":true},{"technique_id":"T1003.001","technique_name":"LSASS Memory","tactic":"credential-access","observed_in_data":true},{"technique_id":"T1048","technique_name":"Exfiltration Over Alternative Protocol","tactic":"exfiltration","observed_in_data":true},{"technique_id":"T1486","technique_name":"Data Encrypted for Impact","tactic":"impact","observed_in_data":true}],"frequency":"72% of ransomware","avg_dwell_time":"6.1 days","data_coverage_pct":100}],"tool_effectiveness":{"crowdstrike":{"detection_pct":57,"avg_detect_time":"minutes-hours","misses":["T1021.001","T1041","T1048","T1070.001","T1490","T1562.001"],"detections":25,"total_observations":44},"fortinet":{"detection_pct":100,"avg_detect_time":"hours","misses":[],"detections":2,"total_observations":2},"palo-alto":{"detection_pct":44,"avg_detect_time":"hours","misses":["T1053.005","T1055"],"detections":4,"total_observations":9},"palo-alto-firewall":{"detection_pct":100,"avg_detect_time":"hours","misses":[],"detections":7,"total_observations":7},"proofpoint":{"detection_pct":100,"avg_detect_time":"immediate","misses":[],"detections":4,"total_observations":4},"sentinelone":{"detection_pct":76,"avg_detect_time":"minutes-hours","misses":["T1003.001","T1021.001","T1048","T1070.001"],"detections":26,"total_observations":34},"splunk":{"detection_pct":0,"avg_detect_time":"hours","misses":["T1003.001","T1021.001","T1055","T1059.001","T1070.001","T1190","T1562.001","T1566.001"],"detections":0,"total_observations":19}},"technique_frequency":{"T1190":{"pct":39,"name":"Exploit Public-Facing Application"},"T1078":{"pct":35,"name":"Valid Accounts"},"T1486":{"pct":11,"name":"Data Encrypted for Impact"},"T1490":{"pct":4,"name":"Inhibit System Recovery"},"T1059.001":{"pct":2,"name":"PowerShell"},"T1566.001":{"pct":2,"name":"Spearphishing Attachment"},"T1021.001":{"pct":2,"name":"Remote Desktop Protocol"},"T1003.001":{"pct":1,"name":"LSASS Memory"},"T1055":{"pct":1,"name":"Process Injection"},"T1070.001":{"pct":1,"name":"Clear Windows Event Logs"},"T1562.001":{"pct":1,"name":"Disable or Modify Tools"},"T1048":{"pct":1,"name":"Exfiltration Over Alternative Protocol"},"T1053.005":{"pct":1,"name":"Scheduled Task"},"T1041":{"pct":0,"name":"Exfiltration Over C2 Channel"}},"remediation_insights":{"most_effective":["Isolate RDP (stopped 89%)","Deploy VSS deletion detection (stopped 71%)","Email gateway with attachment sandboxing (blocked 85%)","Network segmentation between IT/OT (stopped 64%)"],"avg_recovery_time":"2.1 weeks","with_backups":"0.4 weeks","ransom_paid_pct":0,"data_exfiltrated_pct":67,"incidents_analyzed":91},"minimum_viable_stack":{"tools":["edr","ndr"],"coverage":"88% of attack patterns","estimated_cost":"$30-60/endpoint/yr","top_vendors_per_category":{"edr":["sentinelone","crowdstrike"],"ndr":[]}}}}