‘Patient Zero’ Real-time Protection Policy

Netskope Global Technical Success (GTS)

KB - ‘Patient Zero’ Real-time Protection Policy

(Netskope Cloud Sandboxing)

Objective

Understanding the Significance of Patient Zero in Cybersecurity: Building a Robust Defense via Netskope

Prerequisite.

Netskope Advanced Threat Protection license is required.

Context

This article explores the significance of Patient Zero events, emphasizing the need to take it seriously in cybersecurity defense strategies. It outlines creating a Real-time policy to mitigate Patient Zero events and provides insights into addressing common queries associated with Patient Zero events

Reference https://docs.netskope.com/en/netskope-help/data-security/threat-protection/creating-a-threat-protection-policy-for-patient-zero/

Do you know?

Before we proceed, let me address some foundational questions:

1. What is Patient Zero?

"Patient Zero" typically refers to the initial infection or point of entry in a cyber attack scenario. It represents the first victim or system to be compromised by a new strain of malware or malicious activity within a network.

2. What is Patient Zero event?

A "patient zero event" happens when a user downloads a file that isn't caught by basic security checks like signature-based analysis. 

3. What is Signature-based analysis?

Signature-based analysis is a traditional method used in cybersecurity to detect and prevent malicious software, also known as malware. It works by comparing the digital signature, or unique identifier, of files against a database of known malware signatures. If a file's signature matches a signature in the database, it is flagged as malicious and blocked. Signature-based analysis is effective against known threats but may struggle to detect new or evolving forms of malware that have not yet been added to the signature database.

4. What is a Cloud Sandbox?

A cloud sandbox is a virtual environment that is isolated from the rest of the network. It is used for safely executing and analyzing potentially suspicious software, files, or activities. Cloud sandboxes allow security analysts to observe the behavior of these entities without risking damage to the actual network or system.

5. How Netskope can help their customers to prevent Patient Zero events?

With a Netskope Advanced Threat Protection (ATP) license, customers can prevent Patient Zero events by implementing a Threat Protection policy. This policy scans unknown files and permits users to download the file only after Netskope's advanced threat engines confirm that they are benign, not dangerous.

However, if the file is found to be non-malicious, the user will need to re-download the file to gain access.

Policy Configuration - ‘Patient Zero’ Real-time Protection Policy

Path - Netskope Tenant UI >>> Policies >>> Real-time Protection

• Category: Newly Released Domains, Newly Observed Domains, Uncategorized, Parked domains, Unreachable, Miscellaneous, and Web Hosting, ISP & Telco, Shareware/Freeware
• Activities: Upload and Download
• Activity Constraint : File Type - Binary and Executable, Spreadsheet, and Word Processor
• It is recommended to add Email Notification for each event. The recipient should be Netskope administrators

Questions attached to ‘Patient Zero’ Real-time Protection Policy

Question: What should be the position for the 'Patient Zero' Real-time Protection Policy?

Answer: The 'Patient Zero' Real-time Protection Policy must be positioned above all other threat protection policies.

Question: How much time can the Netskope ATP engine take to scan a file?

Answer: Up to 10 minutes

Question - What types of threats are typically associated with Patient Zero incidents?

Answer - Patient Zero incidents often involve zero-day threats, which exploit previously unknown vulnerabilities in software or hardware.

Question: What should an administrator do when they receive an email notification for a Patient Zero event?

Answer: The administrator should take at least two steps - 

• Review the Patient Zero event alert - Link
• Engage Netskope Customer Support to validate whether the Patient Zero event alert is a True Positive or False Positive.

Question: If Netskope Customer Support identifies a Patient Zero event alert as a Ture Positive, what will be the next action?

Answer: The Netskope Administrator at the customer's end should reach out to the end-user for whom the Patient Zero event alert was generated and verify the details regarding the intent behind uploading or downloading content from a source known to contain malware.

Question: If Netskope Customer Support identifies a Patient Zero event alert as a False Positive, what will be the next action?

Answer: If the Patient Zero event is identified as a False Positive, Netskope will whitelist the digital signature or unique identifier for the file/content in question. File that was previously being blocked by Netskope Cloud Sandboxing will no longer be blocked once that is whitelisted.

Question: While Netskope Customer Support verifies whether the Patient Zero event alert was a True Positive or a False Positive, does Netskope recommend creating a temporary custom URL category for the domain/URL from which the file was downloaded, triggering the Patient Zero event alert?

Answer: No, Netskope recommends allowing Netskope Customer Support to share their findings. Temporary whitelisting of the domain/URL may cause damage. Consider if the Patient Zero event alert is found to be true. In such a case, whitelisting could be akin to inviting zero-day threats.

Question: How much time will it take for Netskope to confirm whether a Patient Zero event alert is a true positive or false positive?

Answer: No specific timelines are defined.

Question: Can a customer create a 'Patient Zero' Real-time Policy with a Standard Threat Protection (STP) license?

Answer: No, customers need to have a Netskope Advanced Threat Protection (ATP) license to create a 'Patient Zero' Real-time Policy.

Question: What is the recommendation for customers who do not have a Netskope Advanced Threat Protection (ATP) license?

Answer: We recommend blocking the following web categories: Newly Released Domains, Newly Observed Domains, Uncategorized, Parked domains, Unreachable, Miscellaneous, Web Hosting, ISP & Telco, and Shareware/Freeware. For any destination falling into these categories, customers can opt for the custom category option.

Question: What is the price for a Netskope Advanced Threat Protection (ATP) license?

Answer: Please contact your Netskope Accounts Team for pricing details.

Terms and Conditions

• All documented information undergoes testing and verification to ensure accuracy.
• In the future, it is possible that the feature’s functionality may be altered/updated by Netskope Engineering. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

Notes

• This article is authored by Netskope Global Technical Success (GTS).
• For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.