If the assumption is made that information security is indeed a system which operating under the rules of a Red Queen hypothesis and that the security controls that are implemented are acting as selection pressures on our adversaries, the risk management process appears to be lacking as that there is nothing that takes into account how an adversary will respond to the environmental selection pressures (i.e. implemented security controls).
When a risk is identified, there are a number of ways that it can be handled within the current risk management framework. A risk can be corrected, accepted, mitigated, or transferred/insured. Each of these methods for dealing with an identified risk can be treated as one of the three types of selection pressures: directional, disruptive or stabilizing.
- Corrected risks can act as disruptive selection pressures. It is a disruptive selection pressure in the sense that the risk has been removed; an adversary must abandon the strategy that could be used to exploit the system. The adversary will be forced to evolve a new strategy if they are going to continue to exploit the system.
- Accepted risks can act as a stabilizing selection pressure. It is a stabilizing selection pressure in that it encourages an adversary to continue to use the existing exploitation strategy and discourages the use of other strategies in that they will cost resources to evolve and develop (which could be used elsewhere). Some would argue that an entity can also deny that a risk exists in the first place, if so then by default they are accepting the risk and treated it as an accepted risk.
- Mitigated risks can act as either a disruptive or directional selection pressure. If the mitigation causes an adversary to abandon their exploitation strategy it will be a disruptive selection pressure on the adversary. If the mitigation simply causes the adversary to modify their existing strategy it will act like a directional selection pressure.
- Transferred/Insured risks can act as a stabilizing selection pressure. Like accepted risks, transferred/insured risks will not exert a selection pressure on an adversary's strategy which causes them to either modify or abandon their existing strategy. If the risk is transferred or insured, it should be noted that it does not transfer the risk of an incident occurring. Just as when car insurance is purchased, the insurance company does not actually assume the risk of getting into an accident, the driver still carries that and the insurer carries the risk of having to payout out after an incident.
- Disruptive selection pressures are the most likely method to extract the highest evolutionary cost from an adversary in that they will force them to not only evolve/develop a new exploitation strategy, but also waste the effort of continuing to maintain a strategy that may not succeed.
- Directional selection pressures will tend to exert minimal evolutionary costs on an adversary, as they must only modify an existing exploitation strategy to continue to be successful. The adversary does not need to abandon their existing strategy or develop a new strategy, just refine an existing one. There is an evolutionary cost associated with this but it will be less than if they had to abandon their current strategy and evolve a new one.
- Stabilizing selection pressures will tend to cost an adversary the least, as they do not need to modify their current strategies therefore experiencing no change in to their evolutionary costs. There may be evolutionary costs associated with stabilizing selection pressures as the maintenance of an adversary's strategies may have a cost associated with them. Stabilizing selection pressures are not likely to force an adversary to incur any additional evolutionary costs as they have already adapted to the environment, but even then an adversary may be able to reduce their costs further by evolving a more efficient method for existing in the environment.
Predicting the resultant strategies is not trivial, but understanding the selection pressures involved may make the situation more manageable. In the case of the SSH brute force and the adoption of Virtualization some strategies can be determined based on the attributes of the strategy implemented. Inspecting the strategies that are found within the natural environment could provide additional insight into how an adversary could respond. Any of the following could also be potential responses.
- Some organisms have developed adaptations which advertise to others that they are something they are not, or they are poisonous. An adversary could mimic the behavior of the system employed. Malware such as Anti-Virus 2009 or Anti-Virus 360 appears to be anti-virus software which protects a user from attacks on the Internet when instead it is actually a Trojan.
- Like parasites subverting the central nervous systems of hosts, an adversary could exploit the strategy that is used to help the system survive. Malware can attempt to exploit vulnerabilities in anti-virus software to attack a system, as anti-malware software usually operates as a privileged service making it a priority target since it has access to the entire system in addition to protecting the system.
- Some animals have developed better camouflage to help mask there presence in the environment. A smaller and less noisy profile means that an attacker is less likely to detect their presence. Malware is moving to HTTP command and control channels to help mask its presence in the traffic being sent across the network.
- Another response is to completely abandon the current strategy, and develop a new strategy which catches an organism unprepared. As part of an experiment in evolutionary biology, a predatory lizard was introduced onto several islands which were inhabited by Anoles. Initially the average length of their legs increased, which allowed them to survive by running faster to evade their predators. Eventually the average leg length decreased as the Anoles were able to avoid their predators entirely by spending more time in the trees. Malware can react to countermeasures by simply avoiding the countermeasures entirely or attacking an information system at different layers. A worm can be written to exploit web applications instead of targeting flaws in the operating system.
- Sometimes the best response is not to respond to the strategy employed. If the counter strategy will only be infrequently encountered, it is often more cost effective to ignore it. In the case of the natural environment some predators that interact with prey populations interact so infrequently that it is more effective to not response as a population then to evolve a response. Malware authors should be aware that almost all analysis of their binaries will be conducted in a virtualized environment, yet not all malware encountered is able to detect when it is operating in a virtualized environment.
The current risk management process has weaknesses when it is applied to an environment which evolving. The basic process is reactionary in nature and gives all of the initiative to the adversary and requires that the adversary first advertise their latest strategy before it could be countered. Instead of waiting for an adversary to attack an information system, the risk management methodology should include steps which attempt to determine how the current security strategies will force an adversary to adapt. Based the types of selection pressures that are applied to counter an adversary's strategy, anticipated actions can be made as to how an adversary will be forced to respond. When selecting among several different counter strategies, preference should be given to those strategies which have the highest evolutionary costs to counter (e.g. most likely disruptive selection pressures).