How To Fight A Virus: Lessons From Cybersecurity

By Yotam Gutman, SentinelOne

There has been a great deal of conversation around the similarities between the spread of the Covid-19 virus and that of computer viruses. And indeed, as the first global pandemic to occur during the age of connectivity, this comparison is valid. But while most focus on how we can leverage the knowledge gained in the “real world” in identifying and stopping the spread of plagues in the virtual world, I would like to offer another perspective.

Perhaps we in cybersecurity can return the favor. Perhaps the medical world can take the lessons learned in three decades of fighting “cyber viruses” and implement these in their fight to mitigate the Coronavirus?

History

Originally, the type of computer software described as “a program that can infect other programs by modifying them to include a, possibly evolved, version of itself” was named “Virus” by Fred Cohen in his 1986 Ph.D. thesis. Another biological reference made its way into the computer lingo when the first worm was unleashed (although the phrase was used in an earlier sci-fi novel).

In the last couple of years, computer viruses, or more broadly the whole panoply of malware that cybersecurity deals with today, have undergone a rapid evolution that has made them much more difficult to identify and mitigate:

More variants: 439,000 new malware variants were detected in 2019. That’s a 12.3% increase over the previous year.

More capable: Modern malware threats are far more capable than the old viruses spreading through illegal copies of software distributed via floppy-disks. Today’s malware can steal passwords, exfiltrate sensitive data, encrypt and delete data, and much more.

Harder to detect: Malware authors work hard to make their software difficult to detect. This includes hiding it in legitimate documents (aka “weaponizing” Word, PDF and Excel documents), utilizing detection-evasion mechanisms (like avoiding execution in sandboxed environments), and using legitimate software update mechanisms, all to make the work of the defenders harder.

More aggressive: Some malware types are extremely aggressive; they scan for open RDP ports, brute-force their way onto a device, and then move laterally within the organization’s network, abusing password-protected servers and seeking sensitive data, all without the knowledge of the victim.

Fast: contemporary malware is extremely fast and works at machine-speed to bypass protection mechanisms and achieve its goals—ransomware like “WannaCry” disabled entire organizations in minutes.

Adopting Cybersecurity Response to Fight Covid-19

To mitigate today’s plethora of rapidly evolving cyber threats, the cybersecurity industry has developed several methodologies. These (after adaptation) could be used to reduce the spread of the Coronavirus and to mitigate its effects. I will refrain from discussing the obvious virus/anti-virus analogy. Obviously, a vaccine would be the answer, just as anti-virus is for a computer “virus”, but estimates suggest that such a vaccine would not be available in the next 12-18 months, and there’s a lot we can do until then:

Zero trust policy: a methodology that defies the traditional security assumption that everything inside the perimeter (protected by the firewall) is trusted. The main principle of Zero Trust is “never trust, always verify”. This means that every user is asked to verify their credentials every time they wish to “enter” the organization, and that every file and process is constantly monitored, even if it has already been “authorized” to run on the computer.

In a similar manner, humans should consider that other humans are carriers, and only “trust” them after they have been tested negative (or at the minimum, have had their temperature taken).

Detection beats prevention: following a similar line of thought, most organizations today operate under the “Assume a Breach” paradigm. Instead of striving to identify and mitigate 100% of threats 100% of the time, they assume that some threats will manage to infect them, and concentrate their efforts on quickly finding these and stopping them before they can do more harm.

Similarly, it is prudent to assume that humanity will not be able to vanquish this virus, and that we will be playing “whack-a-mole” with it for the foreseeable future. Given that this is the case, it’s prudent to invest in rapid detection of the infection (quick detection kits, even home detection kits), ensure that those who are sick are given quick treatment, and continue to monitor the entire population for outbreaks.

Segmentation: an important principle that limits “movement” within the organization, so that intruders cannot move freely and infect other parts of the organization.

The real-life manifestation would be to identify infection “hot-spots”, lock these down and tend to those infected, rather than to lock down entire countries.

Risk modeling: it might be possible to provide 100% security, 100% of the time, but the cost to the organization would be detrimental; either the security costs would be through the roof, or the security restrictions imposed to maintain 100% security would bring the business to a standstill. Instead, a CISO conducts risk assessments and prioritizes security spending to mitigate the most acute threats and secure the most valuable assets.

Healthcare officials should do the same and ensure that the most sensitive segments of the population (the elderly, the sick) are shielded from the disease and, if need be, are provided with better care.

Intelligence intake: fighting a stealthy enemy is hard because you don’t know what to expect. Security professionals, governments, and those in the security industry have been formally and informally sharing information about malware, cybercrime groups, and data leaks for a long time. This has proved to be immensely helpful in fighting and defeating cybercrime rings.

Such collaboration should also be adopted by global scientific, medical communities, governments, and healthcare organizations. As this threat is new to humanity, we should all share information about detection and treatment mechanisms and notify others when we think we’ve made breakthroughs in finding a cure or a vaccine.

Conclusion

We can debate the similarities between biological and computer “viruses” (which, some believe, more closely resemble bacteria than viruses), but the analogy is, for the most part, correct. Viruses are dangerous to their victims, and they spread quickly through the population until a cure or a vaccine is found. The spread of the Coronavirus pandemic and its impact on our lives is nothing like the world has seen before. It spread almost at machine speed and overwhelmed countries and healthcare organizations. We believe that utilizing the lessons learned by the cybersecurity industry in the past 3 decades could help to thwart the Coronavirus pandemic.

About the Author

Lt. Commander (Ret.) Israel Navy, Yotam Gutman, has filled several operational, technical, and business positions at defense, HLS, Intelligence, and cybersecurity companies, and provided consulting services for numerous others. Yotam joined SentinelOne 6 months ago to oversee local marketing activities in Israel and contribute to the global content marketing team. Yotam founded and managed the Cybersecurity Marketing Professionals Community, which includes over 300 marketing professionals from more than 170 cyber companies. Yotam was chosen as one of the 5 Security Influencers to Follow on LinkedIn.