Patient 0 (also "index case" or "first identified case") is the first identified case in a malware outbreak or security incident: the initial entry point of a threat into a system, network, or organization. Identifying Patient 0 is crucial for forensic analysis, incident containment, and understanding how the threat spread; it lets incident response teams trace the origin of the attack, identify the attack vectors used, and apply the containment and remediation measures needed to prevent the threat from spreading further.
What is Patient 0?
Patient 0 is the term used to refer to the first system, user, or device identified as infected or compromised in a security incident.
Characteristics
Identification
- First case: First confirmed case
- Origin: Point of origin of the incident
- Timeline: Start of the timeline
- Reference: Reference point for investigation
Importance
- Investigation: Starting point for investigation
- Containment: Helps in containment
- Prevention: Improves prevention
- Lessons: Learning for future incidents
Identification Process
Detection
- Monitoring: Monitoring systems
- Alerts: Automatic alerts
- Analysis: Event analysis
- Confirmation: Case confirmation
Investigation
- Forensics: Forensic analysis
- Timeline: Event reconstruction
- Traceability: Activity tracking
- Correlation: Event correlation
Validation
- Verification: Case verification
- Documentation: Incident documentation
- Communication: Finding communication
- Follow-up: Case follow-up
Use Cases
Malware
- Virus: First infected system
- Ransomware: First victim
- Botnet: First bot
- APT: First compromise
Incidents
- Breaches: First exposure
- Access: First unauthorized access
- Leaks: First data leak
- Attacks: First successful attack
Investigation
Methodology
- Forensics: Forensic analysis
- Timeline: Temporal reconstruction
- Traceability: Activity tracking
- Correlation: Event correlation
Tools
- SIEM: Event management systems
- Forensics: Forensic tools
- Logs: Log analysis
- Network: Network analysis
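As an added example (not part of the original page), the following Python script applies the timeline reconstruction and event correlation described above to a handful of constructed SIEM-style records: it orders the events, finds each host's first compromise indicator, treats remote logons from already-compromised hosts as spread edges, and names the earliest-compromised host with no inbound edge as patient 0. Host names, field names and event types are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed sample events (not from any real incident): normalised records of the kind a SIEM
# holds after pulling in EDR alerts and authentication logs. Field and host names are assumptions.
EVENTS = [
    {"ts": "2024-03-04T09:12:05Z", "host": "ws-17", "type": "malware_detected", "src": None},
    {"ts": "2024-03-04T08:41:30Z", "host": "ws-04", "type": "phishing_attachment_opened", "src": None},
    {"ts": "2024-03-04T08:57:11Z", "host": "ws-17", "type": "remote_logon", "src": "ws-04"},
    {"ts": "2024-03-04T09:30:44Z", "host": "srv-files", "type": "remote_logon", "src": "ws-17"},
    {"ts": "2024-03-04T10:02:00Z", "host": "srv-files", "type": "ransom_note_written", "src": None},
    {"ts": "2024-03-04T08:50:02Z", "host": "ws-04", "type": "malware_detected", "src": None},
]
# Event types taken as evidence of compromise; a remote_logon is only a possible spread edge.
COMPROMISE_INDICATORS = {"malware_detected", "phishing_attachment_opened", "ransom_note_written"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_timeline(events):
    """Temporal reconstruction: order every event chronologically."""
    return sorted(events, key=lambda e: parse_ts(e["ts"]))

def first_compromise(timeline):
    """Earliest compromise indicator seen on each host."""
    first = {}
    for e in timeline:
        if e["type"] in COMPROMISE_INDICATORS and e["host"] not in first:
            first[e["host"]] = e
    return first

def find_patient_zero(events):
    """Correlate indicators with remote logons. A logon from an already-compromised host that lands
    before the target's first indicator is a spread edge; patient 0 is the earliest origin host."""
    timeline = build_timeline(events)
    first = first_compromise(timeline)
    parents = {}  # target host -> internal host it was reached from
    for e in timeline:
        src, dst = e["src"], e["host"]
        if e["type"] != "remote_logon" or src not in first or dst not in first or dst in parents:
            continue
        if parse_ts(first[src]["ts"]) <= parse_ts(e["ts"]) < parse_ts(first[dst]["ts"]):
            parents[dst] = src
    origins = [h for h in first if h not in parents]
    return min(origins, key=lambda h: parse_ts(first[h]["ts"])), parents

def infection_path(host, parents):
    """Walk spread edges back from a host to the origin of its chain."""
    path = [host]
    while path[-1] in parents:
        path.append(parents[path[-1]])
    return path[::-1]
```

Running it on the constructed records names ws-04 as patient 0 and reconstructs the chain ws-04 -> ws-17 -> srv-files; on real data the same correlation is only as good as the clock synchronisation and log coverage of the sources feeding the SIEM.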
Documentation
- Reports: Investigation reports
- Evidence: Evidence preservation
- Lessons: Lessons learned
- Improvements: Improvement recommendations
Prevention
Monitoring
- Early detection: Early incident detection
- Alerts: Alert systems
- Analysis: Continuous analysis
- Response: Rapid response
Controls
- Prevention: Preventive controls
- Detection: Detection controls
- Response: Response controls
- Recovery: Recovery controls
Related Concepts
- Security Breaches - Incidents in which patient 0 is identified
- Attack Vectors - Methods by which patient 0 is compromised
- IOC - Indicators that identify patient 0
- APT - Threats that compromise patient 0
- Incident Response - Process that identifies patient 0
- Forensic Analysis - Methodology that identifies patient 0
- Penetration Testing - Technique that simulates the compromise of patient 0
- SIEM - System that detects patient 0
- EDR - Tool that detects patient 0
- Firewall - Device that helps prevent the compromise of patient 0
- Antivirus - Tool that detects patient 0
- CISO - Role that manages the response to patient 0