Friday, February 27, 2009

Selection Pressure, Yesterday's Strategies, Resource Exploitation and Evolutionary Costs

When attempting to think of information security from an evolutionary perspective, there are a few concepts from evolutionary biology to consider. Selection pressures, adaptive time lags, and resource/population exploitation are important to how an entity's strategies evolve.

Evolutionary pressures, selection agents, or selection pressures usually refer to the same thing within evolutionary biology: a thing or a force which causes an organism to respond and/or adapt. Selection pressures originate from the natural environment of the organisms and include things like resource availability, changing/adverse environmental conditions, interspecies predation and intra-species competition. The more pronounced the selection pressure, the quicker an entity must respond in order to survive. Those entities that are not able to adapt (i.e. do not possess the characteristics required to survive) are eventually eliminated. Stronger selection pressures will eliminate maladapted entities more quickly than those which already are surviving or are able to acquire the necessary characteristics to survive.

Selection pressures can select for a characteristic to evolve in a directional, stabilizing or disruptive way. Directional selection pressures force a characteristic in a "direction." For example, directional selection pressures select for a larger or smaller characteristic. Stabilizing selection pressures force a characteristic to remain the same, and select against larger and smaller characteristics. Disruptive selection pressures select against a specific characteristic in the population. A disruptive selection pressure could select for the larger or smaller characteristic and select against the average value of the characteristic, which causes the selected characteristic to diverge.

In information security, the security controls that are implemented can be considered to be the survival strategies of an information system and even selection pressures acting upon an adversary. If an adversary does not have the ability to compromise any one of the implemented security controls, they will not be able to access the resources which the system is protecting. So in order to survive, an adversary must develop counter-strategies which are capable of exploiting the strategies that were implemented in order to survive.

Organizations should understand that their strategies will succeed and fail based on the counter-strategies employed against them. While the root cause of a compromise is being analyzed, one should also investigate what selection pressures should be applied to move the organization in the direction of secure business processes. If an organization consistently receives poor quality applications from its vendors, it should determine what selection pressures could be applied early in the process to effect the desired changes. Should the organization hold the developer responsible for a compromise of the application? The developer is under contract to provide an application that supports the organization's business processes. A compromised application/system does not support the business goals of the organization.

Some selection pressures are strong enough that they will exert enough evolutionary pressure on a population that all of the resulting entities within the population are identical as a response to the selection pressures. Because of the strength of the selection pressure operating on the population, all of the variance of a characteristic has to be eliminated in order for members of the population to survive. Stronger selection pressures will remove the variance from the population faster than weaker selection pressures. Stated another way, some strategies exert enough of a filtering pressure that all entities must develop a specific counter-strategy in order to survive.

Most malware and botnets have a characteristic which is hard to escape: their reliance on a method to make initial contact with their controllers and join the botnet. Initially these control channels were handled over IRC (this method has not been abandoned and is still in use), and since then they have migrated to peer-to-peer communications. More recently the bots are attempting to contact their controllers via HTTP requests, as peer-to-peer communications are filtered by boundary protection devices. Now these HTTP requests carry a name that must be looked up in DNS (e.g. as part of a fast-flux DNS network). This method is becoming more common as organizational selection pressures push the bots in this direction. The reliance on making initial contact with the botnet is essentially a bottleneck which can be exploited by defenders. If the DNS lookup is always a consistent or predictable string, then it can be blocked by filtering the name itself or the Internet addresses it resolves to, even if those addresses are part of a fast-flux network.
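The bottleneck described above can be turned into a detection. The following is an added example, not code from the original post: it scans resolver log lines for a name that one client looks up on a fixed schedule and that keeps resolving to different short-TTL addresses (the fast-flux pattern), and emits that name as the thing to filter. The log format, host names, domain names, addresses, TTLs and thresholds are all constructed for illustration.

```python
"""Find a predictable botnet rendezvous name in DNS resolver logs.

Added example, not from the original post. Every line of SAMPLE_LOG is
constructed; the format is assumed to be:
    <epoch seconds> <client ip> <queried name> <answer ip> <ttl seconds>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 resolves the same name every 300 s and the
# answer changes every time with a 60 s TTL. The rest is ordinary traffic.
SAMPLE_LOG = """\
1000 10.0.0.5 rendezvous.example.test 203.0.113.10 60
1001 10.0.0.7 www.example.test 198.51.100.4 3600
1300 10.0.0.5 rendezvous.example.test 203.0.113.22 60
1310 10.0.0.7 mail.example.test 198.51.100.9 3600
1600 10.0.0.5 rendezvous.example.test 203.0.113.35 60
1900 10.0.0.5 rendezvous.example.test 203.0.113.41 60
1950 10.0.0.7 www.example.test 198.51.100.4 3600
2200 10.0.0.5 rendezvous.example.test 203.0.113.58 60
"""


def parse_log(text):
    """Turn log lines into (ts, client, name, answer, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name, answer, ttl = line.split()
        records.append((int(ts), client, name.lower(), answer, int(ttl)))
    return records


def flux_indicators(records, max_ttl=300, min_addrs=4):
    """Names whose answers rotate across many distinct short-TTL addresses."""
    addrs = defaultdict(set)
    ttls = defaultdict(list)
    for _, _, name, answer, ttl in records:
        addrs[name].add(answer)
        ttls[name].append(ttl)
    return {n for n in addrs
            if len(addrs[n]) >= min_addrs and max(ttls[n]) <= max_ttl}


def beacon_indicators(records, min_queries=4, max_jitter=0.2):
    """(client, name) pairs queried at a near-constant interval."""
    times = defaultdict(list)
    for ts, client, name, _, _ in records:
        times[(client, name)].append(ts)
    found = set()
    for key, ts in times.items():
        ts.sort()
        if len(ts) < min_queries:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        # Low relative spread of the gaps means a scheduled check-in.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.add(key)
    return found


def block_list(records):
    """Names that show both behaviours: the bottleneck worth filtering."""
    fluxing = flux_indicators(records)
    beaconing = {name for _, name in beacon_indicators(records)}
    return sorted(fluxing & beaconing)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("fast-flux names:", sorted(flux_indicators(recs)))
    print("beaconing pairs:", sorted(beacon_indicators(recs)))
    print("block:", block_list(recs))
```

Blocking the name rather than the addresses is what makes this robust against fast flux: the addresses in the sample never repeat, but the name does. The thresholds (four distinct addresses, TTL under five minutes, four queries with under 20% jitter) are assumptions chosen for the sample and would be tuned against real resolver volume.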

In evolutionary biology, it takes time for organisms to adapt to their environment. There is a time lag between when a counter-strategy is employed against a population and when an entity has evolved a strategy to deal with the counter-strategy. The current generation was selected for under conditions that existed previously, so it is better adapted to the previous environment than to the one in which it now exists. The current environment and the previous environment may differ.

This lag commonly expresses itself in information security when systems are designed. If they are designed properly, they are designed to counter all of the exploitation strategies that are known at the time. Depending upon how long it takes to go from design to implementation and to delivery, the threat environment may have drastically changed. The delivered system may not be able to address all of the current threats in the environment and may need to be modified. Additionally, a few years following the deployment of a system, if it is not updated, there may be emerging threats that the existing design is incapable of addressing.

This time lag also appears in the conflict between malware and anti-malware tools, or between attacks and intrusion detection/prevention systems, which rely on signatures to detect, identify and remove malware or attacks. A signature must be created to detect the malware and pushed out to all of the clients before they can respond to a malware infection. In order to create a signature, a new malware variant must first have been identified. Occasionally a rule will be created that is general enough that it may detect/prevent attacks that have not yet been implemented, due to similarities in the way an attack's strategy attempts to exploit a target.
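The difference between a signature written for one sample and a rule written for the strategy behind it is easy to show in code. The following is an added example, not code from the original post: a literal signature for one observed request is compared with a generalized rule for the same technique (climbing out of the web root), and a later variant that only changes its encoding is run through both. The request lines, signature names and patterns are constructed for illustration.

```python
"""Specific versus generalized signatures against a new variant.

Added example, not from the original post. The signatures and the
request lines in SAMPLE_REQUESTS are constructed.
"""
import re
from urllib.parse import unquote

# A signature written for one observed sample: a literal byte match.
SPECIFIC_SIGNATURES = {
    "traversal-sample-1": "../../../etc/passwd",
}

# A rule written for the strategy the sample used: repeated parent-directory
# steps, matched after the request has been decoded and normalised.
GENERAL_SIGNATURES = {
    "traversal-generic": re.compile(r"(?:\.\./){2,}"),
}


def normalise(path):
    """Undo percent-encoding (twice, for double encoding) and unify slashes."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/")


def match_specific(path):
    """Names of literal signatures found in the raw request."""
    return sorted(n for n, s in SPECIFIC_SIGNATURES.items() if s in path)


def match_general(path):
    """Names of generalized rules that fire on the normalised request."""
    norm = normalise(path)
    return sorted(n for n, r in GENERAL_SIGNATURES.items() if r.search(norm))


def classify(path):
    return {"specific": match_specific(path), "general": match_general(path)}


# Constructed traffic: the original sample, a later variant that changes only
# the encoding, and benign requests (one with a single, legitimate "../").
SAMPLE_REQUESTS = [
    "/images/logo.png",
    "/download?file=../../../etc/passwd",
    "/download?file=..%2f..%2f..%2fetc%2fpasswd",
    "/docs/../index.html",
]


def coverage(requests):
    """How many requests each signature family catches."""
    specific = sum(1 for r in requests if match_specific(r))
    general = sum(1 for r in requests if match_general(r))
    return {"specific": specific, "general": general}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, classify(req))
    print(coverage(SAMPLE_REQUESTS))
```

The literal signature catches only the sample it was written from; the encoded variant slips past it until a new signature is written and distributed, which is exactly the lag the paragraph describes. The generalized rule, because it targets the technique rather than the bytes, catches the variant before anyone has seen it, while still ignoring a single `../` in an ordinary path.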

In evolutionary biology there is competition for resources, and the easiest or the most abundant resources are typically exploited first. Sometimes the most abundant resources are not exploited right away, as a population must first evolve the ability to consume those resources. The abundance of a resource does not mean that it must be abundant everywhere, only that it is encountered frequently enough in the environment, and that there is sufficient competition for other resources, that evolution will move an entity in that direction. Developing the ability to exploit a resource takes time and resources.

In information security this is similar to having a sufficient base of similar operating systems, browsers, databases, or frameworks to make the effort of developing an attack strategy worthwhile. This does not mean that just because a resource is not very common in the environment, it will not be exploited. Some operating systems will claim that they are more secure than the dominant competition, but as the number of systems increases, so do the attacks against that platform. Although Microsoft Windows composes an overwhelming majority of the market, Apple has been gaining market share, and the gains have been large enough that malware authors have begun to more frequently target the platform. Within the last year there has been an increase in the number of Trojans that target the Apple platform.

Although resource availability is important in determining if a platform will be exploited, another factor is apparent in the case of information security: the value of the resource being exploited. In the case of financial or government systems, which may be hosted on less common platforms, there is additional incentive to target and exploit these resources due to the perceived value of the system. There is some value in being able to compromise a home user's system (less so if it has a slower connection to the Internet), and there is more value in being able to compromise a web application server, but in reality some of the highest value resources are the databases which contain important information.

In short, selection pressures cause the survival strategies of entities to evolve. If they are unable to evolve, they will not survive. Responding to selection pressures, either directly (i.e. developing counter-strategies) or indirectly (i.e. exploiting an unused resource), does not occur instantaneously; there is almost always a delay between when the selection pressure first begins to work and a population's adaptive responses.
