IT Security, One Rotten Apple and a Whole Bad Barrel

Barrels of apples can go bad, both literally and figuratively, because of just one rotten apple. The rot spreads from one apple to another until the whole barrel is infected. Not so long ago (in 2014), experts from security company ESET discovered 25,000 servers infected with malware, some of them grouped in the same network and infected as a group. The common factor was the installation of the Linux/Ebury malware, which allowed login information to be harvested and communicated to the attackers who installed it. According to the experts, attackers needed to compromise just one server to then gain easy access to others in the same network. But was this one bad apple – or the whole lot?

The difference is of course important. You might be able to contain one bad apple, but if the whole barrel is at the tipping point for going rotten, it may not be possible to do anything. One of the defining features of the Linux/Ebury infection was the use of single-factor logins (user name and password), facilitating access from one server to another. If two-factor authentication had been used, it would have been significantly easier to contain isolated cases of infection.
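The server-to-server hops described above leave a trace in the SSH daemon's own logs: a login accepted with a password alone, arriving from another host on the same network. As an added example (not from the original post), the following script parses OpenSSH "Accepted <method> for <user> from <ip>" lines and flags exactly those password-only internal logins; the log lines, hostnames, users and the 10.0.0.0/24 range are constructed placeholders.

```python
"""Flag single-factor (password-only) SSH logins between servers in one network.

Added example, not from the original post. Log lines below are constructed in
OpenSSH's standard auth-log format; the 10.0.0.0/24 "server network" is assumed.
"""
import ipaddress
import re

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed internal server range

# Constructed sample lines; the key fingerprint is a placeholder.
SAMPLE_LOG = """\
Mar  3 10:01:12 web01 sshd[2311]: Accepted publickey for deploy from 10.0.0.5 port 51822 ssh2: ED25519 SHA256:placeholder
Mar  3 10:02:40 web01 sshd[2320]: Accepted password for root from 10.0.0.7 port 40122 ssh2
Mar  3 10:03:05 web01 sshd[2331]: Failed password for root from 203.0.113.9 port 39011 ssh2
Mar  3 10:04:19 web01 sshd[2340]: Accepted password for admin from 203.0.113.9 port 39020 ssh2
Mar  3 10:05:50 web01 sshd[2352]: Accepted keyboard-interactive/pam for deploy from 10.0.0.5 port 51900 ssh2
"""

# Matches only successful logins; "Failed ..." lines are ignored by design.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def single_factor_internal_logins(log_text):
    """Return (user, src) pairs for password-only logins from internal hosts.

    These are the hops a harvested password alone permits; a second factor
    would have blocked them.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        if m["method"] == "password" and src in INTERNAL_NET:
            hits.append((m["user"], str(src)))
    return hits


def method_counts(log_text):
    """Count accepted logins per authentication method, as a coverage baseline."""
    counts = {}
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            counts[m["method"]] = counts.get(m["method"], 0) + 1
    return counts
```

Running `single_factor_internal_logins(SAMPLE_LOG)` on the constructed log yields the one root login from 10.0.0.7; `method_counts` shows how much of the accepted traffic still relies on passwords at all.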

A recent twist to the bad apple/bad barrel concept is to deliberately let one apple go bad and then apply threat information from that bad apple across the rest of the network. In this case, the security solution does not try to detect malware before it executes. Instead, it contains the malware via the isolation of user tasks on the computer in order to analyse it and capture information on its behaviour. Now one bad apple can save the rest of the barrel, instead of infecting it. Better still, the one bad apple does not have to stay bad either, but can be reverted to a healthy state after the malware has been investigated and countered.