Tracking Patient Zero

June 19, 2014 | Xavier Mertens

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

In medical science, the patient zero is defined as "the initial patient in the population of an epidemiological investigation” (Source: Wikipedia). Information security has many links with medical science, after all, the term “virus” is used in both worlds. Wikipedia defines virus as "a small infectious agent that replicates only inside the living cells of other organisms.” Lot of similarities with digital viruses: they also replicate into online computers (the living cells) or other organisms (the organisations).

Today, attacks against organisations are becoming more and more precise and are developed to hit one victim with a precise goal, like stealing critical information. I don’t like buzzwords, but such scenarios are commonly called “Advance Persistent Threat” or “APT”. The scenario is always based on the following steps:

  • The initial compromise
  • The established foothold
  • The privilege escalation
  • The internal reconnaissance
  • The internal move (pivot)
  • The persistence
  • The exfiltration

In the case of our patient zero, we will focus on the first step - the initial compromise - which is usually performed using social engineering and spear phishing over email (with a zero-day malicious attachment) or a website that employees of the target organisation are likely to visit.

Even today, many managers rely on their AntiVirus solutions. So often, I hear comments like “I’m safe, I have an antivirus”. In case of an APT, your AntiVirus will not protect you, keep this in mind. Today, there are plenty of technical solutions which analyse in real time your network traffic for malicious code. Such solutions can run at your firewall or proxy level or can be a stand alone tool. As opposite to a classic AntiVirus which uses signatures-based detection methods, the malicious code is executed in a sandbox and its behaviour is analysed. If it looks to be suspicious, a signature is created and added in the system to block further infections. Great, but there is a huge caveat to this system: the very first person who will visit the link or open the file attached to a mail will be infected because the process described above requires time! It’s not possible to warn the user with a waiting page “Please wait, your file is being analysed…”. This is our patient zero!

Image courtesy of

If the targeted organisation deployed tools to perform dynamic analysis of malicious code and if the initial attack is performed from inside the victim organisation, we have a chance to catch the patient zero immediately - the system will report the malicious code and who (the IP address) at the source. But it’s not always so easy. Today, users are mobile and infections may occur everywhere: at home, on the road while using public WiFi or simply by inserting a rogue USB key into the computer! The infected laptop, once connected back to the corporate network, will behave in suspicious ways. That’s where a good SIEM solution is mandatory to handle events generated by the infrastructure. Tracking the patient zero is a 3-step process:

  • Identify the patient
  • Understand how it was compromised
  • Implement changes to prevent the same attack to occur again

A “Security Information and Event Management” (SIEM) is a great tool. It comes on top of a set of tools dedicated to the management of the logs generated by all components of your platform. By accessing this (huge) amount of information, useful stuff can be extracted. But a SIEM is in fact just a dumb toolbox. It’s reliability is directly related to the value of data that have been injected in its database!

When a computer is compromised, tons of actions are performed by the malicious code:

  • files and processes are created
  • URLs are visited
  • Domains are resolved
  • Network flows are generated
  • etc…

All these data are called “Indicator of Compromise” or “IoC’s” and are like symptoms used by doctors to find which virus is affecting the patient’s health - headache, couch, aches, etc - we have again a similitude with the medical science. Not only network evidences are useful but also the activity on the local file systems. To achieve this, a HIDS (“Host based IDS”) tool is always interesting on the end-point. Think about OSSEC, which includes a FIM tool (“File Integrity Monitoring”). OSSEC can track and report changes on dangerous files in a computer (think about /etc on a UNIX machine or C:WindowsSystem32 on a Microsoft machine.)

Once your SIEM has been deployed, the next step is to feed it with IoC's to increase your chances to detect suspicious activities. There are plenty of public sources where you can download lists of:

  • IP addresses
  • domain names
  • file names
  • URLs

Correlating this information with your firewall logs, your DNS logs, IDS or any device managing network traffic, will reveal who seems to be infected. More you collect, more chances you’ll have to detect interesting stuff.

Now, we have two solutions: playing aggressively or smoothly. The smooth way is simply to send an alert… and to hope that somebody will handled it in time. On the other side, most SIEM solutions have a way to trigger actions when specific conditions are met. Whatever it is called (“Automatic-Response”, “Active-Response”, “Auto-remediation”, …), the principle remains the same. A script is called to perform external actions. In our case, the patient zero could be disconnected from the network, could be placed in a quarantine VLAN or all its traffic being dropped at firewall level. This can be very interesting to avoid a propagation of the attack (this is called the “containment phase” in an incident response process) but can be very touchy: What will happen is the device placed in quarantine is the Active Directory or a production server? Think about it...

The next step will be to find how it was compromised. If you found interesting IoC’s, build a timeline of the user activity on the compromised devices (note: you may understand at this point why synchronising the devices via NTP is a must have!). Which URLs did he visit? Did he insert a storage in a USB port? Did he receive a mail with attachment? The computer itself contains a lot of useful information: what were the latest WiFi network connections? What where the latest IP addresses used, who was connected? This steps often use forensics techniques to access such data.

The ultimate goal is to find how the patient zero was infected. Got it? It’s now time to take corrective action to prevent the same incident to occur again… and don’t forget to re-image the patient zero with a fresh OS installation!

As you can see, there is no magic recipe to prevent against infections. They are plenty of tools, technologies and also… best practices! Do not rely only on vendors’ solutions. They can be of a great help, but remain only a part of your security architecture design.

Xavier Mertens is an independent security consultant and security blogger. His job focuses mainly on protecting his customer's resources by applying "offensive" (pentesting) as well as "defensive" security (log management, SIEM, security visualisation). Instead of using out of the box solutions from security vendors, he prefers to advise on best ways to solve security issues. In parallel to his daily job, Xavier maintains his security blog, is a BruCON co-organizer, and offers some spare time and resources to initiatives like the EuroTrashSecurity podcast.  

Learn More!

Xavier Mertens

About the Author: Xavier Mertens, Handler at SANS Internet Storm Center

Read more posts from Xavier Mertens ›



Watch a Demo ›
Get Price Free Trial