
Gabrielle Hempel - Outbreak! Virus vs. Virus:

BSides Boston · 31:16 · Published 2020-11
About this talk
nCoV-19, the novel coronavirus, struck the world near the end of 2019 and is far from reaching its peak. Genetically related to SARS, it has exhibited a staggering spread rate due to asymptomatic viral shedding. In the current age of almost worldwide quarantine and required isolation, an unprecedented media frenzy has covered every stage of the outbreak and the subsequent response. This, in turn, has exposed a transparent planning and response model for analysis. The aim of this research was to study the manner in which a pandemic virus spreads in comparison to many of the malware campaigns we see, and what the respective response frameworks look like. By investigating patterns, vectors, epidemiologic data, and casualties, the similarities between pandemic spread and the spread of malware can be drawn and compared. Building on both experiential and regulatory research, this talk asks what we can learn from the nCoV-19 and prior pandemic responses, and how the tactics observed in the ongoing pandemic can lend themselves to more effective cyber incident response and mitigation.
Transcript

Hello, my name is Gabrielle. A lot of you might know me from Twitter, that's where I spend most of my time; I'm gabsmash on there. My presentation today is called Outbreak! Virus vs. Virus: how we can apply current legislation and handling of the COVID-19 pandemic to the spread of malware.

All right, so usually the first question I get is: who are you, and why do you feel like you're qualified to give this talk? I am a graduate of the University of Cincinnati, where I studied neuroscience and psychology. I started my career in pharmaceutical development and regulatory compliance, and then I led special committees targeting phase one infectious disease and emergency research. I still serve on a board as a regulatory and genetic science consultant for NIH studies utilizing recombinant DNA and synthetic nucleic acid molecules in genetic engineering. I moved to cyber security in 2018, and I work as a cloud security engineer in healthcare; I've also worked as a pen tester as well.

And this meme, I put it in here a long time ago, and I think it's getting more relevant as the year goes on, which is not a good thing, but at least we have funny internet pictures at the end of the day.

All right, so first let's talk about pandemics. Most people don't know the difference between outbreaks, epidemics and pandemics, so I will explain that to you. An outbreak is when there's a greater than anticipated increase in the number of endemic cases of something; endemic cases are something that happens to a particular people or country. It can also be a single case in a new area. For example, one time this entire family in West Virginia got norovirus gastroenteritis at a family reunion; supposedly there were two different strains caused by two different dishes, so grandma's cooking skills apparently run strongly in the family. Anyway, this is what an outbreak is. An epidemic is when a disease affects a large number of people within a community, population or region. The Zika virus could be considered an epidemic because it affected a large number of people, but it wasn't globally widespread. A pandemic is an epidemic that spreads over multiple countries or continents; that would be what we're going through right now.

So COVID-19 was declared to be a pandemic. I'm not sure if this map needs updating; I don't remember specifically what parts of Africa were affected, but I know that most of the world has been at this point.

All right, so first let's look at a history of pandemics and see if we see any trends. First we have the Antonine Plague. It was a pandemic that broke out around 165 AD, and it was either smallpox or measles, nobody's really sure, and it was brought to Rome by soldiers returning from Mesopotamia. It killed roughly 5 million people. The Plague of Justinian happened in 541 and 542; this was the bubonic plague, and it killed 25 million people. It's thought to have offed half of the population of Europe at the time. The Black Death was also the bubonic plague; not sure how many people it killed exactly, but between 75 and 200 million. It was spread via fleas and rats.

The third cholera pandemic occurred between 1852 and 1860, and it was found to be due to contaminated water; it killed around a million people. The flu pandemic in 1889 was a subtype of H3N8; it killed over one million people. The sixth cholera pandemic occurred in 1910 and killed roughly 800,000 people. Because the US had learned from the past, they were able to isolate the infected, and only 11 deaths occurred here. The 1918 flu pandemic was an oddly deadly flu virus with a mortality rate of 10 to 20 percent; it killed between 20 and 50 million people, and that has been one of the pandemics that the current COVID pandemic has been most compared to.

The Asian flu, an H2N2 subtype, took out roughly 2 million people between 1956 and 1958. The 1968 flu pandemic was an H3N2 subtype, and it took only 17 days to spread across Asia and three months to reach worldwide; it killed roughly 1 million people. And finally, the peak of the HIV/AIDS pandemic was from 2005 to 2012; while now manageable with treatment, it has taken over 36 million lives since 1981.

All right, so looking at all these we can ascertain a couple of things. One, a main concern is containing the spread of a virus, especially between continents; it's a skill we have not yet mastered. We also have learned that many of the recurring infections are mutations. These are very common among viruses: oftentimes viruses are made of RNA and not DNA, and therefore they are less stable and more prone to making mistakes, because they don't have a proofreading step at the end of their replication. The mistakes often lead to a mutation. Finally, we see a lot of repetitiveness; there are certain strains that are hardier and can easily become recurrent.

All right, now let's talk about cyber attacks. I'm assuming that pretty much everyone here knows what malware is, but just in case you don't: malware is malicious software. It is basically an umbrella term to describe malicious programs or code that are harmful to systems. It's like a termite; it tries to invade, damage or disable systems, networks, etc. Malware can be like a biological virus in that it interferes with the regular functioning of a system. Malware is spread in a few ways. One of the most common is via email, people clicking on things that they shouldn't; attackers can be super good at making things look like they're coming from legitimate senders. There are also types of malware that exploit system vulnerabilities, causing users to inadvertently put malware on their machine. It can also be spread directly, like via USB. Here is the Emotet infection chain. This is a super nasty type of malware that's been around for a while, and it's usually exploited by links to malicious Word documents or by attached malicious Word documents.

All right, so in contrast to the worst pandemic viruses, here are some of the worst malware and/or massive data breaches that have struck around the world. First we have Stuxnet, which was created by the US government and Israel. The worm was used in 2010 and was the first malware to physically damage equipment. The worm targeted Microsoft Windows and then located Siemens Step 7 in order to manipulate PLCs. Shamoon was developed by Iranian state-backed hackers. The Windows wiper was used in 2012 in an attack against the oil company Saudi Aramco, and works by collecting a computer's data before wiping and destroying the master boot record, effectively bricking the computer. The malware resurfaced in 2017 and 2018. The Sony hack was supported by the North Korean government: a group calling themselves Guardians of Peace attacked Sony Pictures Entertainment in 2014, stealing 100 terabytes of data, deleting files and configurations, and later releasing the stolen sensitive information, including employee information like Social Security numbers. The OPM breach was a really big one. It was a series of breaches orchestrated by China in 2013 and 2014 against the Office of Personnel Management, which stores sensitive data about all past and present federal employees. In 2013 the hackers entered the OPM network to collect its blueprints; then in 2014 they entered it again to gain control of the administrative server, and stole employee information and information about other US citizens through 2015, when the OPM became aware of the situation. The Ukrainian blackouts were spearheaded by Russia as part of its physical war against Ukraine. The first attack occurred in 2015 as a suite of malware that stole credentials, allowing the hackers to gain access and manually turn off circuit breakers, which caused a massive blackout. The second attack, in 2016, was against a single transmission station targeted by an evolved malware known as Crash Override or Industroyer. This malware allowed the hackers to manipulate control systems, but a technical mistake didn't allow for the intended physical equipment destruction, so that was lucky. Shadow Brokers: after resurfacing in 2016, the Shadow Brokers hacker group released an extensive collection of the National Security Agency's tools, including the Microsoft Windows exploit EternalBlue, in 2017. EternalBlue then branched into the WannaCry malware, which was built by North Korean hackers and was used to attack public utilities and large corporations worldwide. The 2016 US presidential hack: two groups of Russian hackers, APT 28 or Fancy Bear and APT 20 or Cozy Bear, ran social media disinformation campaigns along with email phishing attacks to breach the Democratic National Committee and release information via WikiLeaks. I know a lot of us are really trying to make sure that something like that doesn't happen this year; we will see. NotPetya was developed by the Russian hacking group Sandworm. It was a destructive malware built to lock down computers, devastate networks and create chaos. The malware spread around the world, eventually coming back to infect systems in Russia itself, and it disrupted a lot of companies and sectors, including pharmaceutical, shipping, power, public transit and more. Equifax: this well-known data breach in 2017 exposed personal information of nearly half of the US population. Due to the company's handling of the breach, the situation only got worse, as phishing attacks and imposter sites asked for people's personal information, which is how the company itself was relaying to individuals whether their information had been compromised. Equifax is only one example of corporate data breaches in the 2010s, which also included the Target data breach, the Home Depot breach and the Ashley Madison data breach. Finally we have Aadhaar. In 2018 alone, it's estimated that 1.1 billion Aadhaar numbers and associated data were breached and shared on the black market. Aadhaar is the Indian government's identification database and is used in everything from opening a bank account to signing up for utilities or a cell phone. Due to all the connections, data has been exposed by third parties or the government itself improperly sorting data.

All right, so now that I have bored you with those long descriptions, we can talk about the similarities between some of these. Most of you are probably familiar with the life cycle of a computer virus, so I want to bring you up to speed on the life cycle of a human virus. There are generally four stages in the human virus: entry, replication, shedding and latency. During entry, a virus must enter cells of the host organism and use these cells' materials, much like a computer virus needs a host. Next, a virus must take control of the host cell's replication mechanisms; it's at this stage that a distinction between susceptibility and permissibility of a host cell is made. Permissibility determines the outcome of the infection. After control is established and the environment is set for the virus to begin making copies of itself, replication occurs, usually very quickly, by the millions. After a virus has made many copies of itself, the progeny may begin to leave the cell by several methods; this is called shedding and is the final stage in the viral life cycle. Some viruses can hide within a cell, which means that they may evade the host cell defenses or immune system and may increase the long-term success of the virus. This hiding is deemed latency. During this time the virus does not produce any progeny; it remains inactive until external stimuli such as light or stress prompt it to activate.

All right, so now we can compare the life cycles. During the entry phase, for the biological virus, the virus enters cells of the host organism and uses the cell material; similarly, the computer virus accesses the target user's computer or software. During replication, they both take control of the replication mechanism and begin to propagate. During the shedding phase, the biological virus leaves the cell or host, while the computer virus is triggered and executed, potentially spreading. Finally, they both have latency periods where the virus can remain idle or hide. There are other similarities as well. Computer viruses target specific entities, as do biological viruses when they seek out host cells. They both technically contain executable code; the biological virus has genetic code that can be transcribed and translated. They both have specificity for what they target, i.e. an operating system versus a species. And finally, they have different degrees of harmfulness, or virulence.

All right, so from that life cycle we can do vector analysis. You know how we do vector analysis with attacks, but did you know we use vectors with viruses as well? In the biological sciences a vector is anything that can pass an infection to another organism. Here we have a diagram of some of the good ways that we use vectors: we remove cells from a patient, then alter a virus so that it cannot reproduce. We insert a gene into the virus, then grow similar cells that are also genetically altered. The altered cells are injected into the patient and produce the desired protein or hormone. This is used often in cancer treatment, etc.

Similarly, when we're talking about malware, a vector is the method that the code uses to propagate itself or infect a computer.

When we look at the spread of a pandemic, we use a lot of maps to visualize data on the location of the spread of the disease.

There are some companies that offer live data, but it does bring about the question of why we don't map malware spread the same way that we do pandemic spread.

With the current virus we've seen a lot of open source and live data sets that are available. This is pretty unprecedented; we haven't had the technology to do this in the past when we've had pandemic-level spread of viruses. More data collection is being done with the prevalence of malware and innocuous-looking apps; however, there's still a pretty big shortage of data analysis surrounding malware campaigns.

With pandemic spread there are dedicated entities. I'm sure you're so sick of hearing about the CDC, but the CDC and WHO, among others, have specific units and entire teams that are dedicated to continued monitoring of pandemic and outbreak spread. This provides constant information on the spread and handling of a pandemic. And again, with malware spread there are a lot of tools for monitoring current attacks by private companies, but is there a case to be made for watchdog and spread monitoring on a government or even worldwide level?

And that brings us to pandemic responses.

So the National Pandemic Strategy is comprised of three pillars. The first pillar is preparedness and communication; this is the epitome of planning for a pandemic. The governing body will set community expectations and assign responsibilities, produce and stockpile vaccines, antivirals or treatments, establish distribution plans for these treatments, and continue to advance scientific knowledge and accelerate the development of breakthroughs and other novel treatments. The second pillar is surveillance and detection; this should sound super familiar. This pillar focuses on ensuring rapid reporting of outbreaks to both public health entities and citizens, and using surveillance to limit the spread of a virus. Finally, the third pillar is response and containment. This focuses on containing outbreaks, leveraging national medical and public health surge capacity, sustaining infrastructure, essential services and the economy, and ensuring effective, consistent risk communication.

So this is just, I thought it was kind of an interesting chart that compared the World Health Organization phases with the federal government response phases. There's a little bit of a difference when it comes to some of the action that's taken.

All right, so now we're going to talk about malware and data breach response. So the National Cyber Incident Response Plan describes a national approach to dealing with cyber incidents, addresses the important role that the private sector, state and local governments, and multiple federal agencies play in responding to incidents, and how the actions all fit together for an integrated response. This is built off of lessons from exercises, real-world happenings and policy updates like the National Cybersecurity Protection Act of 2014. This plan also serves as the cyber annex to the Federal Interagency Operational Plan that built upon the National Planning Frameworks and the National Preparedness System. It applies to cyber incidents, and more specifically significant cyber incidents that are likely to result in demonstrable harm to the national security interests, foreign relations or economy of the United States, or to the public confidence, civil liberties or public health and safety of the American people. The plan has five guiding principles: these are shared responsibility, risk-based response, respecting affected entities, unity of governmental effort, and enabling restoration and recovery. The NCIRP does have a relationship with the National Preparedness System, which covers a broader architecture that establishes how the community is to prevent, protect against, mitigate, respond to and recover from all threats and hazards. When we further break down the capabilities of an affected entity, we see more specific efforts that cover a broad range of activities.

All right, so finally we can put it all together. Let's take a look at the current situation that we're dealing with. I am sure that you have all heard of the novel coronavirus, COVID-19. It's similar to SARS, it's rolling around the world, and it's been extremely interesting to see what the response has been like. We can kind of break the response to the virus by the United States into four stages. So first, the virus was conveyed as being of low risk to Americans; screening at airports was implemented if they had travelers from affected countries. Second, a task force comprised of different agencies was formed, a public health emergency was declared, and it became clear, based on the data from other countries, that the effectiveness of a response depended on the testing capabilities of the local entities. Failure to test at a large scale initially kept the data available to the public at a low number. Third, the CDC decided to widen the testing criteria as testing capacity expanded, and the FDA began to issue retroactive approval for non-standard testing; the travel ban was expanded and a supplemental appropriation bill was passed. Fourth, the phase that we are currently in, and it feels like we have been in forever: the declaration of a national emergency and a broadened testing ability that we're starting to try to roll out in all of the states to reveal more accurate numbers of infection.

Based on the current situation and response, what can we learn that can be applied to incident response in case of a malware attack or a data breach? First, time is of the essence in both responses. The longer it takes to implement a response plan in either situation, the further the infection will potentially spread. Transparency is also extremely important, and has been lacking in some of the incident response measures when it comes to a breach or attack. Ensuring that data is up to date, accurate and widely available will assist not only affected entities but others that are potentially facing the same attack in the future and trying to secure against it. Adequate resources are another must; removing any bottlenecks when it comes to testing or detection can shorten the response time and prevent spread of infection. Proper analysis of the agent, or the executable, is absolutely required in order to determine the cause of the virus, the vectors, and how to mitigate it, both in the current moment and in the future. Monitoring is another area where we can definitely improve incident response. There has been so much data available mapping and monitoring the spread of COVID-19, and it could be extremely prudent to do the same thing with widespread known malware attacks. And finally, education is paramount. You've seen so many articles and signs and commercials telling people to wash their hands and wear face masks, etc., in order to avoid the spread and contraction of this virus. Many security incidents can be avoided by educating the user and making sure they know the risks and how to avoid an infection or breach.

So let's apply what we've learned from pandemic response to a security incident. Here we have COVID, C0V1D, a trojan that is primarily spread through malspam. This can arrive either via malicious script, macro-enabled document files, or malicious links. COVID will ransack your contact list and send itself to your friends, family, co-workers and clients. Since the emails are coming from your hijacked email account, they look less like spam, so the recipients, feeling safe, are more inclined to click bad URLs and download the infected files. If a connected network is present, COVID spreads using a list of common passwords, oftentimes guessing its way onto other connected systems in a brute force attack, and if it continues to spread it can cause damage worldwide amounting to millions of dollars.

So first, let's say your corporation picks up on some suspected COVID infections, the computer version. Let's also say this is a cool, perfect world, and there is a World Health Organization but for information security incidents. When a large company detects this infection, they can notify the global reporting authority of the case. The authority, tracking all reported cases, can gauge at what point there is enough spread to warrant an emergency. While this is happening, researchers can go to work. They begin to outline the causes of the infections and how we can potentially remediate these; eventually, think genetic reverse engineering of the COVID virus, you know, the researchers that were trying to develop vaccines and cures. They also disseminate this information publicly, so users can begin to understand how they can prevent this type of attack from happening to them. Finally, once the spread begins to slow and business returns to normal, the reporting authority can continue to globally monitor the spread of these infections. Oftentimes they recur, and it would be helpful to keep track of these spikes and resurgences as they occur so they're better handled. So I mean the big question is: how much time, data and money could we save by responding to malware like a pandemic?

So, future implications. For communications, we'd have more effective communication to consumers. Resources: better preparation and structure for incident response. Mitigation: proper steps and preparedness for remediation. And monitoring: global and visual widespread monitoring.

And for conclusions: from the first true global pandemics, the need for awareness has become super apparent. If the same easily accessible information was pushed as publicly for malware campaigns, the impact could be lessened, and the average user would become more literate in cyber threats as a byproduct. The containment of spread is another lesson that has been learned: through the flu pandemic in 1968, the flu pandemic in 1918 and the current COVID-19 pandemic, it became apparent that a main concern is containing the spread of the virus, especially between continents. Once proliferating, it's easy for the number of cases to spread exponentially. We see this in malware also, and it's worth looking at the ways in which we contain the spread of biological viruses and whether these can be applied to mitigation of malware spread. Mutations are extremely common in biological viruses, and this can often be the same in the spread of malware, albeit by intent; the same viruses can come back in different forms, slightly tweaked or with different execution. We also see repeats very often. By looking at the way the strains of the flu, especially subtypes H2N2 and H3N8, continue to recur, we can draw many parallels among the recurrence of malware. What changes in the world climate cause the same types of malware to be brought out of retirement, and how can we potentially track this, similarly to the statistical recurrence of biological viruses?

There could be great value added in malware and data breach incident response if we further examine the pandemic responses and work as a whole to apply some of the transparencies and data collection methods that are utilized, among other things.

And that is everything. So I left plenty of time for different questions. I'm not sure what popped up during the presentation, but yeah, there's at least one question.

So the first one is: what would you specify as a vaccine in regards to cyber viruses? Biological is very specific to a certain strain, but cyber seems to be broad.

Yeah, that is one of the things. Although, you know, some of the newer vaccines that they're talking about, some of the RNA-based ones, are kind of a little bit broader; you can think of them as they'll target every mutation of a certain type of virus. So some of the ones that are being investigated for COVID right now will essentially attack any kind of coronavirus, and I think there's actually hope that it'll start to overlap with some of the flu viruses out there as well. So in that regard it's a little bit more similar. But yeah, definitely, I think you could almost think of it more like a patch in some ways, because you're essentially fixing something specific so that you cannot become vulnerable to a certain type of attack or a certain type of malware, anything along those lines. So I guess a patch is more similar to a vaccine in that way than just a general prevention mechanism.

Awesome. And the next question is from the same person: do you think there is a barrier in the development of biological vaccines due to the need of oversight, unlike cyber, where pretty much anyone can reverse engineer malicious.exe to find the root cause and potential fix?

Absolutely. I don't think it's necessarily a bad thing. I mean, I've worked on that side of things; I worked in the regulatory side of vaccine development and pharmaceuticals and things like that, so I understand and have seen the benefits of having all of those, you know, phase one through four, pre-clinical, the different trials, the different reviews, the safety reviews, constantly. I think that's really important, because you're talking about human lives here. So yeah, I think there's definitely, I would consider that to be a very big bottleneck compared to, you know, anyone who wants to can take malware and reverse engineer it if they have the skills to, or they can build those skills. Most random people should not be reverse engineering viruses and creating vaccines in their homes. If you are, then... don't. No, there might be some people that have a problem with that. Please, please don't. Or don't tell me; I don't want to know. Right, right.