Stopping cyber pandemics with a digital vaccine
Let’s be honest, ransomware is a pandemic, and one of epic proportions. Think about this: WannaCry spread at a rate of roughly 140 computers infected every minute globally. That single strain of malware hit machines in over 150 countries and caused billions of dollars in damage as it wrought havoc across the globe. Even organizations that were “protected” were brought to their knees in minutes once a single infected machine began spreading the worm. Infections of this kind continue to spread at catastrophic speed and are estimated to bring in billions of dollars for ransomware groups, who keep cooking up new methods and tactics for these digital diseases.
But why can’t we, or why aren’t we, stopping these infections from occurring? Is there something unique to malware, and specifically to ransomware, that we are unable to fix, or that we don’t know how to defend ourselves from? Let’s explore a bit about how a vaccine works in the physical space and then translate that to cyberspace. I think we will see that we have a fix here, a digital vaccine if you will.
In the physical space, when a pandemic breaks out there are groups of people, including scientists, who immediately start pushing ways to help address the infection, like washing your hands or taking vitamins. Those are basic health steps and should happen anyway. They won’t cure the infection or stop the virus, but they might slow its spread, albeit very little, and still they might help. Some viruses, especially respiratory diseases like COVID-19 that spread through the air, are harder to prevent and are only partly hindered by good hygiene. Additionally, these pathogens aren’t totally “different” from the body’s own cells. They are aberrations, sure, and they are foreign invaders, but at the basic level many viruses are not that different from our own biology. With some viruses the body doesn’t even recognize that there is an infection until it is far too late and the infection has spread to a level that is unmanageable.
Does that sound familiar? It should.
In the cyber realm, responding to a threat like ransomware’s spread with basic hygiene alone is about the same as a security leader saying that they “have anti-virus” and that it will “stop ransomware”. No, it won’t. Ransomware works its way right around anti-virus and other very basic security solutions because the way it operates is native to the operating system. PowerShell and other built-in administrative tooling are a common means by which ransomware stages itself and spreads, and because that tooling is a legitimate part of the operating system, the activity doesn’t look “malicious” to a signature-based AV engine, so AV doesn’t stop it. If AV alone worked, ransomware would never have taken down some of these global organizations. Do you think that Maersk or Norsk Hydro really didn’t have anti-virus?
But how does a vaccine work in the physical space? And can that translate into a better understanding of how we can counter viral threats in the digital space? To understand how vaccines work, it helps to first look at how our bodies fight illness. When germs, such as the virus that causes COVID-19, invade our bodies, they attack and multiply. This invasion, called an infection, is what causes illness. Our immune system uses several tools to fight infection. Blood contains red cells, which carry oxygen to tissues and organs, and white or immune cells, which fight infection. Different types of white blood cells fight infection in different ways:
- Macrophages are white blood cells that swallow up and digest germs and dead or dying cells. The macrophages leave behind parts of the invading germs, called “antigens”. The body identifies antigens as dangerous and stimulates the production of antibodies to attack them.
- B-lymphocytes are defensive white blood cells. They produce antibodies that attack the pieces of the virus left behind by the macrophages.
- T-lymphocytes are another type of defensive white blood cell. They attack cells in the body that have already been infected.
The first time a person is infected with the virus that causes COVID-19, it can take several days or weeks for their body to make and use all the germ-fighting tools needed to get over the infection. After the infection, the person’s immune system remembers what it learned about how to protect the body against that disease.
The body keeps a few T-lymphocytes, called “memory cells”, that go into action quickly if the body encounters the same virus again. When the familiar antigens are detected, B-lymphocytes produce antibodies to attack them.
So in the physical space, vaccines such as the new COVID-19 vaccines help our bodies develop immunity to the virus that causes COVID-19 without us having to get the illness.
Different types of vaccines work in different ways to offer protection. But with all types of vaccines, after a person is dosed the body is left with a supply of “memory” T-lymphocytes as well as B-lymphocytes that will remember how to fight that virus in the future.
Sometimes after vaccination, the process of building immunity can cause symptoms, such as fever. These symptoms are normal and are signs that the body is building immunity.
That’s how things work in the physical space to combat infections, and in the digital space it’s really not that different if you think about the issue differently. What you should do to limit the likelihood of a cataclysmic infection is “vaccinate” your organization’s technology stack by dealing with the primary means by which an infection spreads. This is where misconfiguration, excessive connectivity, and poor credential management come to light. First, just as with an infection in the physical space, the infection is likely going to occur. You will never be at a zero risk level, and you should act as if you live in that reality. Second, dealing with configuration management and limiting the ability of an infection to spread via “easy” means like badly permissioned file shares, excessive host-to-host connectivity, and reused or weak credentials will help you isolate and stop the proliferation of the infection, which turns a potential massive outbreak into a digital cold you must suffer through. Finally, if you approach the issue like a vaccine you will generate the virtual “lymphocytes” that help your organization remember how to deal with infections and manage its response when a future critical infection occurs. Added to that, you will be better positioned to find and eliminate remnants of infection that are hiding out in your infrastructure and more effectively remove those sick assets.
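As an added example (this is not code from the original post, and it is not any vendor’s tooling), here are two of the “vaccination” checks described above, written in Python over constructed data: a scan of share ACLs for broad groups with write access, and a sliding-window detector that flags a host fanning out to many neighbours over SMB (port 445) in a short time, which is what worm-style spread looks like in flow or firewall logs. The share listing, IP addresses, timestamps and thresholds are all made up for the example; in practice you would feed it an export of your own share permissions and your own flow records.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample share ACLs as (host, share, principal, rights).
# In practice this would be exported from your file servers.
SHARE_ACLS = [
    ("FS01", "Public",  "Everyone",                "FullControl"),
    ("FS01", "Finance", "CORP\\Finance-RW",        "Modify"),
    ("FS02", "Scans",   "Authenticated Users",     "Modify"),
    ("FS02", "Backups", "CORP\\Backup-Svc",        "FullControl"),
    ("WS17", "C$",      "BUILTIN\\Administrators", "FullControl"),
]

# Principals that effectively mean "anyone on the domain".
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users", "users"}
# Rights that let a caller drop or encrypt files on the share.
WRITE_RIGHTS = {"fullcontrol", "modify", "write", "change"}


def overly_permissive_shares(acls):
    """Return the ACL entries where a broad group can write to a share."""
    findings = []
    for host, share, principal, rights in acls:
        name = principal.split("\\")[-1].lower()   # drop DOMAIN\ or BUILTIN\ prefix
        if name in BROAD_PRINCIPALS and rights.lower() in WRITE_RIGHTS:
            findings.append((host, share, principal, rights))
    return findings


T0 = datetime(2017, 5, 12, 9, 0, 0)   # arbitrary start time for the constructed log


def build_sample_flow_log():
    """Constructed netflow-style lines: '<ISO timestamp> <src> <dst> <dport>'."""
    lines = []
    # Normal: six workstations each open one SMB session to the file server.
    for i in range(30, 36):
        lines.append(f"{(T0 + timedelta(minutes=i)).isoformat()} 10.1.2.{i} 10.1.2.20 445")
    # Slow admin activity: one host touches five others, twenty minutes apart.
    for i in range(5):
        lines.append(f"{(T0 + timedelta(minutes=20 * i)).isoformat()} 10.1.2.40 10.1.2.{50 + i} 445")
    # Worm-like fan-out: one host hits twelve neighbours within two minutes.
    for i in range(12):
        lines.append(f"{(T0 + timedelta(seconds=10 * i)).isoformat()} 10.1.2.15 10.1.2.{100 + i} 445")
    # Unrelated HTTPS traffic that the detector must ignore.
    lines.append(f"{T0.isoformat()} 10.1.2.15 203.0.113.5 443")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the log format above into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def smb_fanout(flows, window=timedelta(minutes=5), threshold=10):
    """Return {src: peak distinct destinations} for sources that reached at
    least `threshold` distinct hosts on port 445 within any `window`."""
    by_src = defaultdict(list)
    for t, src, dst, dport in flows:
        if dport == 445 and src != dst:
            by_src[src].append((t, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # destination -> number of events inside the window
        left, peak = 0, 0
        for t, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward, dropping events older than the window.
            while events[left][0] < t - window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for entry in overly_permissive_shares(SHARE_ACLS):
        print("open share:", entry)
    for src, n in smb_fanout(parse_flows(build_sample_flow_log())).items():
        print(f"SMB fan-out: {src} reached {n} hosts within 5 minutes")
```

The fan-out detector keys on distinct destinations inside a sliding window rather than on raw connection counts, so a file server receiving many sessions, or an administrator touching a handful of hosts over an hour, does not trip it, while a host sweeping its subnet over port 445 does. Widening the window and lowering the threshold trades that quiet for sensitivity to slower sweeps.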
Stopping a pandemic requires using all the tools available and dealing with the real issues that turn a sickness into an infection where death is a very real risk. In cyberspace it’s not really that different: you have to address the fundamental issues, and you have to limit the spread of infection to prevent a cyber pandemic. Vaccines in the physical space work with your immune system so your body is ready to fight the virus if you are exposed. In the digital space you should approach the threat of the ransomware pandemic the same way and “vaccinate” your company’s infrastructure.