It’s been a while since the last outbreak of a serious, large scale computer worm. Unlike the early 2000s, when big worms such as ILOVEYOU, Code Red and MyDoom broke out almost every year, the current procedures and security practices in place by most of the large software vendors and enterprises have helped to make these rare (with the largest recent one being the infamous WannaCry outbreak).
But today, in the midst of a pandemic outbreak of Coronavirus (COVID-19) and while governments and global organizations work to contain and eradicate the virus, we’re hearing of a new wormable vulnerability in Microsoft’s SMBv3 protocol.
How can we learn from these unfortunate events to provide us with a different context and an opportunity to rethink our level of readiness for unexpected, viral cyber events?
What do Computer Worms and Real-Life Viruses Have in Common?
At first glance, one might argue that this comparison has little value. Computer worms spread almost instantly, whereas viruses such as the Coronavirus can be dormant, yet contagious for days, before showing symptoms. However, Computer worms, much like real viruses, take time to settle in before they start infecting, and tend to infect before they start causing damage.
The difference is mainly time: the digital environment is, naturally, quicker. Whereas Coronavirus would take hours or days to settle down in the infected body, and days to weeks to show symptoms — a computer worm needs only seconds to minutes. It too can remain dormant for a relative long time until activating its actual payload, be it denial of service or ransomware.
Now that we’ve established that they are, in fact, quite similar in nature, let’s look at some strategies that different countries have applied in an attempt to contain the virus.
Containment Strategies: Early and Painful vs. Late and Extremely Painful
The harshest, yet most important, understanding is that the best way to deal with a pandemic outbreak comes at the cost of our routine and day-to-day lives. Failing to take this hit early on, results in increased infections and an even greater hit later on.
The Total Lockdown
When weighing the disruption to daily lives versus the prevention it offers, China is has taken most extreme measures. When Coronavirus broke at full scale in Wuhan and its surrounding region, China made the harsh decision to keep the entire region in a strictly enforced lockdown. This has proven itself as an effective step, with no new Coronavirus patients identified in Wuhan for the last few days. Arguing that this may be too extreme can be contradicted when looking at the situation in Iran and Italy, where even with the knowledge of the severity of the problem, insufficient measures were initially taken, allowing the outbreak to progress quickly and painfully, and leading to lockdown policies only after great damage was done.
In the cyberspace world, when dealing with a virally spreading malware, the total-lockdown strategy is the equivalent of shutting down your entire network. It’s aggressive, but it works, and may be better than exposing each and every node on your network to compromise, resulting with an even more catastrophic outcome. It is also very disruptive for the business, making it is a decision that no one wishes to take, especially early on.
The Selective Quarantine
There are other measures that can be taken, and have been taken by some countries, to prevent the spread of the outbreak, while reducing the disruption to daily lives: selective quarantine. Since isolation of anyone who has been identified to be carrying the virus is insufficient with Coronavirus, many countries have been enforcing symptomless quarantining for individuals who have even the slightest chance to having contracted the virus or who belong to high risk groups. This strategy seems to be effective in slowing the outbreak, especially when decided upon early on, and strongly enforced.
Translating this approach to the cyberspace is harder. The time scale of a computer worm outbreak is in orders of magnitude shorter than that of Coronavirus. It takes seconds from being infected to start infecting others, so the response needs to be fully automated.
There is an upside too though — while we can’t physically see Coronavirus spreading in the air, we can see traffic coming out of a host trying to infect other hosts. This means we need a shorter timeframe to determine if a node is compromised, which allows us to cast a much wider net for selective quarantine while keeping the quarantine period much shorter.
Preparing for a Pandemic Cybersecurity Worm?
As it stands now, the new Microsoft wormable vulnerability will not trigger the big cybersecurity pandemic outbreak. Running over SMB alone, it is not sufficiently contagious to infect the cyberspace quickly enough. And while this is true for many of the recent discovered vulnerabilities, combining two or three such vulnerabilities that work across different infection paths, could create that ultimate worm that would be the cyber equivalent of the Coronavirus.
The question now asked is, are we ready to take such measures against our own networks and users in the face of such an outbreak? As human beings, it takes us time to process the magnitude of the catastrophe before becoming open to extreme measures. The more important question is, therefore, are we ready to sign off such responsibility to an automated system, one that could shut us down at the mere suspicion of an outbreak?
As of today, there are very few, if any, organizations who would be willing to sign up for such a system. But given the fact that such a worm outbreak in cyberspace will not give us the time to process and make a decision, it might just be worth considering.