The COVID-19 Kill-Chain: How working in cybersecurity helped me understand COVID-19.


I want to preface this with: I am not a doctor, lawyer, or really even a professional in anything; these are just my observations and opinions.

If you have worked in any information security field or taken any courses on cybersecurity, you have probably heard the term “Kill-Chain”. This concept originated in the military, but has since been applied to a multitude of systems and network security frameworks. I am now applying the Kill-Chain concept to COVID-19. As seen in the figure below, the pathway moves down through the phases to get to a full-on “Actions on Objectives”. While not all of these stages are applicable, the general concept works well. I want to focus on the delivery, exploitation, and installation phases for this little mental exercise.

Figure 1: the Kill-Chain phases.

Well, the CDC’s guidance on how to protect yourself from COVID-19 is pretty straightforward, and it reads like a vulnerability report or a CVE (Common Vulnerabilities and Exposures) entry, albeit prettier and with more graphics. It gives you a basic overview of the threat and its attack methods, with a few “solutions” or mitigations you should implement in your daily routine. Like computers, we need to patch and update… and that means changing the way we operate and changing our daily routines.

First, I want to go over “delivery, exposure, and installation” (how it spreads). What do we know? First, it spreads from person to person between people who are close, through respiratory droplets; second, through touching an infected surface; and third (also the least likely), through animal-to-human contact. With the primary method theorized to be person-to-person spread through respiratory droplets, the first method of prevention, and the way to kill the chain, is to stop person-to-person contact. A quick, easy patch… well, that is the equivalent of “just unplug the server from the internet”: while it may work in some scenarios, some services need to be on the internet to function. This is one of the most effective methods for preventing infections (computer or biological), and it can be applied to many services and people. The better recommendation is to reduce the number of exposed services to only those that “have to” be on the internet, and move the other services to an isolated host. Perfect, done… problem solved.

Well, not quite. How do you protect those services (people) that “have to” be exposed to the internet (COVID-19), the critical services, since they can bring it inside your network and infect the isolated hosts? The general recommendation is to social distance at least 6 ft, keep infected hosts away from your exposed services, and limit the contact and time the public has with them. In the cybersecurity world this is done through limited APIs, firewalls, user/kernel space separation, packet inspection, input filtering, and rate limiting. These have real-world analogs such as temperature screening, limiting the number of people in stores, disinfecting surfaces, plastic shields, masks, etc. So this should be easy: boom, done, implemented, problem solved.

Well, not quite… If you have worked in software development or taken a programming course, you know that implementing anything perfectly is nearly impossible, and even if the code is secure, people are often the failure point. People get too close without realizing what 6 ft is, outright refuse to wear masks, have a flawed understanding of how to implement infection control, or just get lazy. Doctors and hospitals have been implementing infection control methods for years (since ~1840) but still have to be careful with highly infectious diseases, because people make mistakes.

So how do you do this when others are failing (intentionally or unintentionally) and putting you at risk? Implement a zero-trust policy and do what the doctors, nurses, and experts are advising:

Wear a rated mask: people argue about the effectiveness of this, often pointing out how small the COVID-19 virus is (100 nm to 125 nm) and how even N95 masks are only rated to protect against 0.3 microns. While this is partially true, most ratings are done at the 0.3 micron size because it is one of the tougher sizes to filter out (see appendix E): “Although it seems contrary to expectation, smaller particles do not penetrate as readily as 0.3-micrometer particles. Therefore, these respirators will filter all other particle sizes at least as well as the certified efficiency level.” (DHHS (NIOSH) Publication Number 96-101, January 1996).

Wear a homemade mask: the next argument you get is “if it’s not an N95 it’s not doing anything”… also partially true. While a rated mask such as ASTM or NIOSH is better, homemade masks are surprisingly effective, with a mean filtering efficiency anywhere from 40% to 90+%.

Use proper donning and doffing procedures for PPE: using proper procedures when taking off a mask is important, as you can just as easily infect yourself by improperly removing your mask. Touching the outside of your mask is a bad idea, as that is where any captured virus/bacteria are now located. It’s all about preventing the virus from getting inside your nose, eyes, and lungs; as in cybersecurity, prevent it from getting inside your network/system perimeter.

Wash your hands: soap and water for a minimum of 20 seconds, or 40-60 seconds if soiled, or use an alcohol-based sanitizer (at least 60%), or both if you are really paranoid (it is typically recommended to use soap and water first if soiled, and then an alcohol-based sanitizer).

Stay 6 ft (1.5-2 m) away from others: this came from a pretty early study that found ~6 ft was the magic number, as it was far enough to prevent reliable transfer of enough virus particles.

Sanitize contact surfaces: it is an important part of infection prevention to destroy/deactivate any microbes before they even have the chance of hitching a ride on your hands. However, it is important that this is done effectively, by following the directions on your choice of sanitizing agent.

So, what does this have to do with the kill chain? Well, you can stop an infection from taking hold at a few points. You can stop it at the delivery stage with a mask, by sanitizing surfaces, or by preventing contact at all. It becomes a game of percentages and numbers pretty quickly. It is theorized that you need a certain viral load/exposure (some mythical number of virus particles, and I am sure this number is different for everyone) for the infection to take hold. So if you kill (there is some argument over whether you can kill a virus, something not “alive”), deactivate, capture, or destroy a percentage of the virus when you wear a mask, sanitize, or wash your hands, every bit matters in getting that number below the amount required for the infection to take hold.

Even if you touch an infected surface, if you wash or sanitize your hands before you touch your face, you have stopped the kill chain. You can stop the kill chain even earlier if you sanitize the surface, or prevent the surface from becoming infected, before you come in contact with it.

If you get too close to someone who is sick, whether they are asymptomatic, pre-symptomatic, or symptomatic, they must be shedding enough virus, and you have to pick up enough over the period of contact time you have with them, to constitute an infective viral load (which, with the rate of infection of COVID-19, seems to be easily possible). Then, if they are shedding enough virus (which is highly probable) but are wearing a mask, this prevents most of the virus from transferring; and if you are also wearing a mask, then only the virus particles that get through both their mask and your mask count toward your viral exposure. This also stops the kill chain. You could also get lucky and the person is not infected at all, and therefore not a risk.

This is why doctors and nurses can work directly with COVID-19 patients and not become infected: they reduce their exposure as much as possible, ensuring the kill chain is broken in as many places as possible.

Finally, implementing a monitoring system is an important part of a defense-in-depth approach to cybersecurity. It is hard to detect an infected host or a breach if you have no idea what’s going on inside. The idea is that if you can detect that you have a fever or other symptoms, you can isolate. However, you may be one of the asymptomatic (silent infection) cases, and the only way to know is through testing (such as a PCR test or antibody test), which can be difficult to get, or the results can take a few days. Therefore, a zero-trust policy is important: wearing a mask and doing all the preventative things matters regardless of your perceived infection status or risk.

As always keep your systems updated, patched, and limit your exposure!

Post Image by National Institute of Allergy and Infectious Diseases (NIAID), (CC BY 2.0), via Wikimedia Commons.
