Malware Patient Zeros: How Threat Intelligence and Herd Immunity Can Help Prevent the Spread of Infections
What can we learn about containing malware from infectious disease research and response?
Ebola nurse Kaci Hickox was in the news quite a bit in October 2014. After returning to the United States from West Africa, where she had been treating Ebola patients, Hickox was held in quarantine for three days in New Jersey. After leaving New Jersey, she was asked by her home state of Maine to follow a 21-day in-home quarantine, which she rather famously did not strictly adhere to. Hickox made the case that because she was symptom-free, she posed no health risk. The governors imposing the quarantines argued that without a vaccine or cure for Ebola, it made more sense to quarantine Hickox than to risk the disease spreading and a possible pandemic.
Quarantines are used in networks and IT, too. A laptop or mobile device that hasn't been patched or appears to be infected with malware is taken off the main network entirely or placed in a restricted zone (a quarantine VLAN that can reach only the patch and remediation servers, for example) while the missing patches or the infection are dealt with.
While there are no vaccines or cures for Ebola yet, the disease has one trait that helps prevent it from spreading: patients are only contagious after they begin to show symptoms. Unfortunately, the very nature of modern-day computer malware is that it attempts to hide itself and behave in extremely stealthy ways. In other words, today’s malware tries hard not to show symptoms. However, that doesn’t mean we’ve lost the battle against malware; it just means we need to be smarter. The following is a look at two approaches to limiting the spread of malware, both borrowed from public health: herd immunity, and early detection combined with information sharing.
Herd Immunity and Malware
Herd immunity, also known as community immunity, is the term used to explain the benefits of vaccines. Simply put, if most of a community is immune to a disease, then even if one member is infected, the spread will be limited. Since the disease spreads only through contact between an infected person and a susceptible one, there is a point where the infected no longer have enough contact with susceptible (nonimmune) people for the disease to propagate. When that point is reached, the community as a group is effectively immune. This is why vaccination works. You don’t have to vaccinate everyone; you only need to vaccinate enough people to cross the threshold where the contagion can no longer sustain itself.
The same concept applies nicely to computer systems. Let’s say an organization has installed anti-malware on 9 out of 10 devices and has also enabled automatic updates on those devices to keep patch levels current. Even if that one device is infected, the spread of malware will be limited. That’s not to say no harm can come from infecting a single device, but it does mean the “vaccinated” devices are far less likely to be infected, too. It also means the malware may not be able to run rampant, since it may not encounter enough nonimmune machines to really cause havoc. So, a nasty piece of ransomware such as Curve-Tor-Bitcoin Locker might be able to lock up the one unprotected device but wouldn’t get any further into the company. One caveat the analogy hides: unlike a vaccine, anti-malware and patching only “immunize” a device against the threats they actually detect or close off, so the threshold is fuzzier than in medicine and coverage has to be paired with the early detection discussed below.
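To make the threshold concrete, here is an added toy model (not from the original article) of an outbreak on a fleet of hosts. The contact graph, the host count and the coverage figures are constructed for illustration: each host is assumed to talk to its nearest neighbours on a ring, an infected host is assumed to compromise every unprotected neighbour it can reach, and a protected host (patched, running anti-malware) is assumed to neither get infected nor relay the infection. The sweep shows how the average outbreak collapses once protection coverage passes a certain fraction, which is the “magic threshold” the article describes.

```python
"""Herd-immunity toy model for a fleet of hosts (added example, constructed data).

Simplifying assumptions, all made up for this example:
  * hosts form a ring lattice in which each host talks to its k nearest
    neighbours on either side (think of an office LAN with lateral traffic);
  * infection is certain along any link to an unprotected host;
  * a protected host is never infected and never relays the infection.
"""
import random
from collections import deque


def build_ring_lattice(n, k):
    """Constructed contact graph: host i is linked to i+-1 ... i+-k (mod n)."""
    graph = {i: set() for i in range(n)}
    for i in range(n):
        for d in range(1, k + 1):
            j = (i + d) % n
            graph[i].add(j)
            graph[j].add(i)
    return graph


def outbreak_size(graph, patient_zero, protected):
    """Number of hosts the infection reaches from patient_zero.

    Spread is a breadth-first search over the unprotected hosts only: a
    protected host is a dead end, exactly like an immune person in a crowd.
    """
    if patient_zero in protected:
        return 0  # patient zero is "vaccinated"; nothing happens
    seen = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        for peer in graph[host]:
            if peer not in seen and peer not in protected:
                seen.add(peer)
                queue.append(peer)
    return len(seen)


def mean_outbreak(graph, coverage, trials=200, seed=1):
    """Average outbreak size when a random `coverage` fraction of hosts is
    protected and patient zero is a random unprotected host. Seeded so the
    result is reproducible."""
    rng = random.Random(seed)
    hosts = list(graph)
    n_protected = round(coverage * len(hosts))
    total = 0
    for _ in range(trials):
        protected = set(rng.sample(hosts, n_protected))
        unprotected = [h for h in hosts if h not in protected]
        if not unprotected:
            continue  # full coverage: there is no one left to be patient zero
        total += outbreak_size(graph, rng.choice(unprotected), protected)
    return total / trials


def coverage_sweep(graph, coverages=(0.0, 0.5, 0.7, 0.8, 0.9, 0.95)):
    """Mean outbreak size at each protection coverage level."""
    return {c: mean_outbreak(graph, c) for c in coverages}


if __name__ == "__main__":
    # The article's 9-of-10 case: ten hosts, one unprotected patient zero.
    small = build_ring_lattice(10, 1)
    print("9 of 10 protected ->", outbreak_size(small, 0, set(range(1, 10))), "host infected")

    # A larger constructed fleet: watch the outbreak collapse as coverage rises.
    fleet = build_ring_lattice(200, 3)
    for c, size in coverage_sweep(fleet).items():
        print(f"coverage {c:4.0%}: mean outbreak {size:6.1f} of {len(fleet)} hosts")
```

The shape of the sweep is the point, not the exact numbers: with no protection a single infection reaches the whole fleet, and the mean outbreak drops sharply well before coverage reaches 100%. In epidemiology the same threshold is usually written as 1 - 1/R0, where R0 is the number of susceptible contacts each infected case would reach; the simulation simply discovers it empirically for this contact graph.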
Early Detection and Information Sharing
Another way to limit the spread of infection on IT systems is also borrowed from the medical community: early detection and information sharing. In the case of Ebola, a failure of early detection led to the death of Thomas Eric Duncan, who was treated for a fever and stomach pains but was released from the hospital because health workers did not realize he was infected with Ebola. There is no way to know whether Duncan would have lived if he had been treated for Ebola immediately, but others have recovered from the virus after early detection.
The sooner an infected device can be identified, the better the chance the security and IT operations teams have of eradicating the infection before it can do lasting damage to the host or spread. Much has been written about the failure of signature-based antivirus to keep up with quickly morphing malware and zero-day exploits. For the earliest detection, behavioral monitoring and profiling are needed: watching what processes, files and network connections actually do on a host, and flagging departures from that host’s normal baseline, rather than waiting for a known signature to match. Organizations that still rely only on signature-based antivirus are missing the opportunity for early detection and risking a rapid spread of malware.
A bright light in all this rather dark infection talk is how early detection can lead to better information sharing and preventative measures before an attack or infection. This is the concept behind many of the industry information sharing and analysis centers such as the Financial Services Information Sharing and Analysis Center. If, for example, Bank A detects a phishing scam coming from a specific IP address, it can let banks B, C and D know about it, allowing them to take immediate action such as putting a new detection rule on the firewall or intrusion prevention system and/or blocking that IP address.
Threat sharing information portals, such as the X-Force Exchange, provide continuously updated data on threats and emerging attacks so IT teams are aware of the latest risks. Threat sharing portals also gather in one place information on available patches, fixes or compensating controls that can be put in place to limit the impact of those risks.
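The Bank A scenario above (a shared indicator becoming a firewall or IPS rule at banks B, C and D) is the part of information sharing that can be automated, and it is also where a practitioner wants guardrails. The following is an added example, not code from the original article or from any ISAC or X-Force Exchange tooling. The indicator feed is constructed: a plain JSON list rather than a real sharing standard, with the RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24) standing in for attacker infrastructure. The script vets each indicator before turning it into an iptables drop rule and a Suricata rule, rejecting malformed entries, expired indicators, low-confidence ones, and, above all, addresses in the receiving organization’s own internal ranges, which a partner can and sometimes does share by mistake.

```python
"""Vet shared IP indicators and turn them into block/detection rules.

Added example with constructed data. The feed format below is invented for
illustration; the emitted iptables and Suricata syntax is real.
"""
import ipaddress
import json
import shlex
from datetime import datetime, timezone

# Constructed indicator feed, as Bank A might share it with its peers.
SHARED_FEED = json.dumps([
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90,
     "description": "phishing kit host seen by Bank A",
     "valid_until": "2099-01-01T00:00:00Z"},
    {"type": "ipv4", "value": "198.51.100.7", "confidence": 40,
     "description": "low-confidence scanner", "valid_until": "2099-01-01T00:00:00Z"},
    {"type": "ipv4", "value": "10.0.0.5", "confidence": 95,
     "description": "internal address shared by mistake",
     "valid_until": "2099-01-01T00:00:00Z"},
    {"type": "ipv4", "value": "203.0.113.99", "confidence": 95,
     "description": "old command-and-control host", "valid_until": "2015-01-01T00:00:00Z"},
    {"type": "ipv4", "value": "not-an-ip", "confidence": 95,
     "description": "malformed entry", "valid_until": "2099-01-01T00:00:00Z"},
])

# Ranges that must never be blocked at the perimeter because they are, or may
# be, our own. Listed explicitly (rather than relying on ipaddress.is_global)
# because this example uses RFC 5737 documentation ranges as stand-in attacker
# addresses, and is_global would reject those too.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, "this net"
    "224.0.0.0/4", "255.255.255.255/32",              # multicast, broadcast
)]

SID_BASE = 9000000  # local Suricata rule SIDs belong at or above 1,000,000


def parse_when(ts):
    """Parse the feed's UTC timestamps ("2015-01-01T00:00:00Z")."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def vet_indicators(feed_json, min_confidence=70, now_iso=None):
    """Split a feed into indicators safe to act on automatically and
    rejected ones with a reason. `now_iso` pins the clock for testing."""
    now = parse_when(now_iso) if now_iso else datetime.now(timezone.utc)
    accepted, rejected = [], []
    for ioc in json.loads(feed_json):
        reason = None
        try:
            addr = ipaddress.ip_address(ioc["value"])
        except ValueError:
            reason = "malformed address"
        else:
            if ioc.get("type") != "ipv4" or addr.version != 4:
                reason = "unsupported indicator type"
            elif any(addr in net for net in NEVER_BLOCK):
                reason = "internal/reserved address; blocking it would hit our own network"
            elif parse_when(ioc["valid_until"]) < now:
                reason = "indicator expired"
            elif ioc.get("confidence", 0) < min_confidence:
                reason = "confidence below threshold"
        if reason:
            rejected.append((ioc, reason))
        else:
            accepted.append(ioc)
    return accepted, rejected


def to_iptables(accepted):
    """One iptables DROP rule per indicator, tagged with the shared description."""
    return [
        f"iptables -A INPUT -s {ioc['value']} -m comment "
        f"--comment {shlex.quote('shared IOC: ' + ioc['description'])} -j DROP"
        for ioc in accepted
    ]


def to_suricata(accepted):
    """One Suricata drop rule per indicator; msg text is sanitised for the rule syntax."""
    rules = []
    for n, ioc in enumerate(accepted):
        msg = ioc["description"].replace('"', "'").replace(";", ",")
        rules.append(
            f'drop ip {ioc["value"]} any -> $HOME_NET any '
            f'(msg:"Shared IOC: {msg}"; sid:{SID_BASE + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    accepted, rejected = vet_indicators(SHARED_FEED)
    for ioc, why in rejected:
        print(f"rejected {ioc['value']!r}: {why}")
    print("\n".join(to_iptables(accepted)))
    print("\n".join(to_suricata(accepted)))
```

Two design points worth keeping even if the feed format changes. First, IP indicators are perishable: the address Bank A saw hosting a phishing kit is often a compromised or rented host that is cleaned up or reassigned within days, so every rule should carry an expiry and be revisited rather than accumulating forever. Second, the internal-range check is not paranoia; a shared list that includes a partner’s own RFC 1918 address is harmless to them and a self-inflicted outage to anyone who blocks it blindly.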
As social engineering techniques continue to evolve and grow ever more sophisticated, threat sharing groups can help educate the community by circulating new methodologies quickly. This enables security awareness professionals to send up-to-the-minute alerts to employees and update awareness program materials. While most of us know to delete the email asking for $1 million so $10 million can be transferred, Dyre Wolf showed us that even advanced users will trust what looks like a legitimate alert pop-up from their bank’s website and provide sensitive information to the person on the other end of a fake 1-800 help desk line.
Malware is out there, but that doesn’t mean your organization has to become the victim of the next InfoSec pandemic. If patient zero can be detected early on and the infection’s spread can be limited through herd immunity and community information sharing, the damage can be limited.
What are you doing for early detection? Do you belong to an information sharing community? How do you limit the spread of malware infections? Let me know on Twitter at @dianakelley14.