Viruses Still Spread, Get Ready for Containment

Could a digital equivalent of the Coronavirus pandemic emerge and proliferate global internet service providers, government systems and corporate networks?

Given the emergence of undetectable malware variants that escape detection by conventional firewall and anti-virus technologies, it's imperative that government and industry leaders recognize, and prepare for, the fact that viruses routinely compromise networks and critical platforms. Therefore, it’s essential that management be capable of immediate containment, isolation and eradication of these threats.

Containment and Isolation

The most critical measure needed to contain an intrusion, and restrict the spread of malware, is network segmentation. This requires that the network be divided into various sub-networks, with access to each segment restricted to only those with express permissions. By doing so, organizations are capable of containing the virus within various "segments" and preventing it from reaching other platforms, applications or databases.

When malware surreptitiously enters a "flat" network, one that hasn't been properly segmented, lateral movement to an organization's entire environment is possible. Within a properly segmented network, all critical platforms and technologies are isolated and thereby walled off from infection.

Consider this very real scenario - a well-organized cybercrime group, armed with a stealth and rapidly spreading malware, launches simultaneous attacks on global infrastructure targets today. Upon initially compromising the targeted networks, the hackers immediately transmit the virus to each of the victims subsidiaries’ third party vendors and business partners. A global contagion occurs and critical services decimated before the effected companies can react and eradicate the malware.

With the implementation of network segmentation, the intruders would be isolated and locked down within the segment they entered. This initial control is critical in that it provides a front line containment and buys time for the incident response team to activate and limit the damage.

A second, critical containment measure is email filtering. Given that inbound email continues to be the most widely used malware delivery method, management must implement robust user level controls to detect and quarantine suspicious messages. The user environment continues to be among the most vulnerable, therefore mandated containment capability must exist here.

User education must supplement email filtering. The workforce must be provided with clear, non-technical direction on whether, and under what circumstances, they may interact with quarantined messages. Without guidance, employees will arbitrarily retrieve isolated messages and thereby defeat the purpose for which the filter was intended.

I worked on the aftermath of a high-profile cyber-attack wherein an employee retrieved an email message from his spam folder, clicked on a weaponized attachment and opened the door to a catastrophic intrusion. As with any control, user awareness is critical.

Monitoring

Although containment of the infection is necessary, management need also perform real-time monitoring of network activity to detect anomalous behavior, identify the specific location of the virus and begin the eradication phase.

A vast array of automated tools provide the ability to detect predefined, suspicious events and generate real-time alerts that notify appropriate staff. In addition to monitoring on-premise architecture, continuous oversight must also be conducted within hosted environments.

The functionality to perform real time monitoring of cloud platforms is now readily available, therefore management must devote the necessary resources to do so. The installation of unauthorized software, off-hour access of critical technologies and successive failed attempts to access restricted segments are examples of potential unauthorized access and should be alerted on. These alerts require human intervention and resolution.

Segmentation will serve to isolate and "trap" the threat, but only through system monitoring may the virus be specifically identified and eradicated. Accordingly, system monitoring is essential to an enterprise's ability to eliminate the risk posed by the presence of a virus. Whether the mitigation requires a limited action, such as the replacement of an employee's laptop or a more dramatic measure, such as the replacement of an entire platform, monitoring will provide the information necessary to reach this determination.

Effective security requires foresight, anticipation and preparation. As we experience the fallout from the Coronavirus pandemic, we would be well served to make practical preparations to prevent a digital version.

What’s Hot on Infosecurity Magazine?