REvil ransomware attack illustrates IT systems need for epidemiological investigation

The recent REvil ransomware attack has revealed that our computer systems are vulnerable to unknown and surprising pathogens, similar to our vulnerability to Covid-19. The hackers claim that the attack penetrated more than a million workstations, and demanded about $70 million to unlock them. However, the most important question is how the damage could have been reduced or prevented.

Let’s take a step back. Antivirus software comprises the first defense line (the IT immune system, if you will). The antivirus operating principle is simple: if malicious code is detected, it is signed by the various antivirus manufacturers and its hash is distributed as an update to the local antivirus installation. Thus, antivirus software can identify most malware and prevent them from damaging the computer.

Nevertheless, similarly to biological systems, some viruses and vulnerabilities are unrecognizable by antivirus software. About 30-50 IT companies, including many Israeli ones, work to discover the meager number of yet undiscovered malware and yet unabused vulnerabilities. This activity is expensive and carries large premiums, but numerous organizations around the world would pay for such protective measures. Think about it - if a security operation is attacked by 1,000 different malware a month, the damage of even a single penetration would be catastrophic. Therefore, an antivirus that prevents 99.9% of attacks will not suffice.

However, systems identifying unrecognized threats are prone to false alarms. No wonder - anyone trying to find a new type of threat is likely to be sensitive to any anomaly or change. Yet the high number of false alarms that these systems provide causes many to ignore them or to disable the systems, quite similar to muting the sound of a cardiac monitor, thus remaining unprotected yet again.

One of the methods of containing the damage might sound familiar in the post-COVID world - isolation. For example, in the latest REvil attack, Kaseya software, serving as part of the supply chain, was damaged. The company warned customers over the weekend to disconnect their devices from the internet to prevent encryption of their information, as the malware was raging outside and a cure for it was yet to be found. A network control system, like an internal epidemiological investigation array, can sometimes be useful in stopping the malware spread and preventing some of its damage.

Isolate, test, and decide

NAC (Network Access Control) systems test every device and every user individually - who is the user attempting to connect? What is his role? What hardware does he use? Does he have an antivirus? Are there security updates installed? All these parameters are calculated to a security ranking, according to which network access is granted or denied. In some cases, it is possible to prevent or restrict the use of plug-in USB devices, and in extreme cases, it is even possible to deny usage completely and isolate the "sick" computer from the outside world.

An internal epidemiological investigation array mitigates the risks instead of trying to eliminate them completely. The truth about the Covid-19 pandemic, as well as for computer systems, is that complete isolation of our homes or computer stations will prevent us from catching the virus, but it will also prevent us from functioning. Therefore, IT systems and humans need to establish risk-mitigating measures which will balance the existing threat of infection and the need to connect, meet and interact with the outside world.

The author is Portnox VP of products, a leading cloud-based Network Access Control solution.