
COVID-19 Infection as an Insider Threat. Lessons Learned.

“Guys, make sure you keep your facemasks on at all times and exercise utmost hygiene”, I repeated again and again that morning while dropping my kids at the school gate. The message became a daily routine, spam to my kids maybe, as it made me feel better, but at the same time it dangerously made me feel more relaxed, as though all my children were fully protected against coronavirus. Why am I calling it a “dangerous” feeling? Here is why.

That sunny day, my daughter decided to walk back home from school together with her friend. On the way, her friend convinced her to pass by their house for a few minutes to show her the latest cool stuff she had ordered online, which had just arrived. Of course, driven by social pressure and the false feeling of low risk we had established within the home environment, my daughter took off her facemask and got close to her friend to see the new cool stuff. You can guess what happened at that moment. Yes, my daughter inhaled the virus transmitted in the respiratory droplets of her friend, who, we came to know later, was positive and one day away from showing symptoms. My daughter put her facemask back on and continued her walk back home, not aware of what she had just got into her system. At home, of course, we do not wear facemasks (do you?), though we practice utmost hygiene on arrival, starting from leaving the shoes at the door and rushing to wash hands and face, etc. After that, protection levels are at a minimum as long as we are not aware of any exposure among us. That evening, I enjoyed a long, heated debate with my daughter around the US elections while her mother took her side in the debate (nothing unusual here :)). She then decided to call the debate off and watch an on-demand movie with her sister. You can see how the virus was easily spreading among us, and you can guess what happened to all of us next over a period of a few weeks.

I look back today and try to point out observations and extract the lessons learned that might benefit me in life and possibly at work. As a cybersecurity professional, I tried to draw analogies between COVID-19 protection practices and cyber defense practices. Here are two observations.

Observation One: COVID-19 Infection Conditions have Similarities with Cyber Threats

COVID-19 spreads most easily in environments where little protection (facemasks, social distancing, etc.) is enforced, such as inside our own homes. Similarly, cyber threats work best inside the organization's network boundaries, where little protection (such as firewalls) is established.


Almost all organizations today have their perimeter firewalls in place (compare firewalls to facemasks or gloves), and the vast majority sanitize incoming traffic looking for known attack signatures using Intrusion Prevention Systems, IPS (compare IPS to disinfectant liquids or spray guns). These protection layers create the same false sense of security that facemasks and gloves create against the coronavirus, and they set the cyber defenders' mindset towards the dangerous state of relaxed mode, trusting that these perimeter protection layers are ample. Inevitably, this is what happens next. One of the organization's employees' devices gets compromised, through a spear-phishing message or simply while working remotely on an ill-secured network (compare this to coronavirus exposure without a facemask), and that device will soon be connected again to the organization's internal network and become a huge internal threat. While on the internal network, the compromised device has already bypassed all the perimeter protection layers and will now take advantage of the little to no protection of communication between internal devices to execute reconnaissance activities, lateral movement, and the other actions it needs to complete the attacker's kill chain (compare this to what happens within the same home, where we do not wear facemasks nor disinfect our hands each time we share an object).

Observation Two: Cyber Defenders Have Access to Tools that Detect Insider Attacks While in Action, Healthcare Workers and the Public Do Not.

Unlike the coronavirus situation, where outside laboratories we can only detect its presence today using physical testing (such as PCR nasal swabs) or after symptoms start showing, cybersecurity defenders do have access to tools and technologies that help detect the internal threat while the kill chain is in the making, and many times before the damage is done.

Cyber Detection and Response Tools

I will pinpoint here two of the tools and technologies that rely on behavioral analysis to detect threats: Network Detection and Response (NDR), and Cyber Deception. Of course there are other technologies, such as Zero Trust Network Access (ZTNA), and other detection tools, such as Endpoint Detection and Response (EDR) and next-generation Security Information and Event Management (SIEM), that can work in tandem to enhance detection and response. I will leave those for later articles.

Tool 1: Network Detection and Response (NDR)

NDR systems use artificial intelligence, supervised and unsupervised machine learning, deep learning, and other technologies to detect attackers during lateral movement attempts, while they communicate with command and control servers hiding within legitimate traffic types, while they elevate their privileges, or while they use other techniques. These NDR systems are also capable of continuously assessing the risk level of each and every device on the network, setting risk priorities, enabling the automation of responses, enabling threat hunting, and furnishing the data needed for forensics.

[Image: Vectra Cognito Platform Threat Certainty Index. Image courtesy of Vectra AI]

Tool 2: Cyber Deception

Cyber Deception in fact falls under the category of Active Defense. Cyber Deception technologies lure insider attackers towards deceptive assets (servers, databases, credentials) and derail their kill chain, alerting the security analysts and responders, all while providing the evidence needed to take the right actions against the attacker.
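As an added example that is not part of the original post (and not Vectra's or Attivo's code), the following Python script applies the two detection ideas described above to a constructed set of network flow records: behavioral analysis of the kind NDR systems perform (lateral-movement fan-out from one host to many internal hosts on administration ports, regular beaconing to an outside address, and a per-device risk score), and deception (any connection to a planted decoy host that no legitimate workflow ever uses). The internal network range, the decoy address, the port list, the thresholds and the score weights are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# These are made up for the example; they are not real captures.
FLOWS = [
    # 10.0.0.5 is the returning laptop: it fans out to internal hosts on SMB/RDP ...
    (100, "10.0.0.5", "10.0.0.11", 445),
    (105, "10.0.0.5", "10.0.0.12", 445),
    (110, "10.0.0.5", "10.0.0.13", 445),
    (115, "10.0.0.5", "10.0.0.14", 3389),
    (120, "10.0.0.5", "10.0.0.15", 445),
    (125, "10.0.0.5", "10.0.0.16", 445),
    # ... beacons to an external address every 60 seconds ...
    (130, "10.0.0.5", "203.0.113.9", 443),
    (190, "10.0.0.5", "203.0.113.9", 443),
    (250, "10.0.0.5", "203.0.113.9", 443),
    (310, "10.0.0.5", "203.0.113.9", 443),
    (370, "10.0.0.5", "203.0.113.9", 443),
    # ... and touches a decoy file server that no real workflow ever uses.
    (400, "10.0.0.5", "10.0.0.250", 445),
    # 10.0.0.7 is a normal workstation: one file server, irregular web browsing.
    (100, "10.0.0.7", "10.0.0.11", 445),
    (140, "10.0.0.7", "198.51.100.20", 443),
    (175, "10.0.0.7", "198.51.100.21", 443),
    (260, "10.0.0.7", "198.51.100.22", 443),
    (510, "10.0.0.7", "10.0.0.11", 445),
]

INTERNAL_PREFIX = "10.0.0."          # assumption: the internal network is 10.0.0.0/24
ADMIN_PORTS = {22, 445, 3389, 5985}  # ports commonly used for remote administration
DECOY_HOSTS = {"10.0.0.250"}         # assumption: decoy servers planted by the deception layer
FANOUT_THRESHOLD = 5                 # distinct internal admin-port targets before flagging
BEACON_MIN_SAMPLES = 4               # connections needed before judging regularity
BEACON_MAX_CV = 0.1                  # max coefficient of variation of inter-arrival gaps


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def detect_lateral_movement(flows):
    """Map src -> number of distinct internal hosts contacted on admin ports, for hosts over threshold."""
    targets = defaultdict(set)
    for _, src, dst, port in flows:
        if is_internal(dst) and port in ADMIN_PORTS:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= FANOUT_THRESHOLD}


def detect_beaconing(flows):
    """Map (src, dst) -> mean gap in seconds for external destinations contacted at near-constant intervals."""
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        if not is_internal(dst):
            times[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < BEACON_MIN_SAMPLES:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:            # burst of identical timestamps, not a beacon cadence
            continue
        if pstdev(gaps) / avg <= BEACON_MAX_CV:
            hits[pair] = round(avg, 1)
    return hits


def detect_decoy_access(flows):
    """Any connection to a decoy host is a high-confidence alert: nothing legitimate goes there."""
    return {(src, dst) for _, src, dst, _ in flows if dst in DECOY_HOSTS}


def score_devices(flows):
    """Combine the findings into a per-device risk score (weights are illustrative)."""
    scores = defaultdict(int)
    for src in detect_lateral_movement(flows):
        scores[src] += 40
    for src, _ in detect_beaconing(flows):
        scores[src] += 30
    for src, _ in detect_decoy_access(flows):
        scores[src] += 50
    return dict(scores)


if __name__ == "__main__":
    print("lateral movement:", detect_lateral_movement(FLOWS))
    print("beaconing:", detect_beaconing(FLOWS))
    print("decoy access:", detect_decoy_access(FLOWS))
    print("device risk:", score_devices(FLOWS))
```

Run against the constructed flows, only the returning laptop (10.0.0.5) is scored: it trips all three detectors, while the normal workstation (10.0.0.7) talks to a single file server and browses irregular external sites and produces no finding. The decoy rule is the simplest and the most certain, which is the point of deception: a decoy has no business purpose, so a single touch needs no baseline to be judged against.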

[Image courtesy of Attivo Networks]

Conclusion

Cyber threats’ risk levels and attack success rates increase when the threat is already inside the organization’s network rather than behind the perimeter firewall; similarly, coronavirus infection risk is at its highest in environments where protective measures such as facemasks are not strictly applied. Health organizations wish they had capabilities available to healthcare workers or to the public such as detecting the coronavirus in respiratory droplets flying in the air or sitting on surfaces; imagine if that were available. Well, in the cyber world, threat detection tools are available. However, organizations need to start exercising critical thinking about their defense strategies, question their reliance on the false assumption that perimeter protection layers are ample, and start from the assumption that threats are already inside their networks.

WHO Link on Coronavirus 2019:
https://www.who.int/emergencies/diseases/novel-coronavirus-2019
