Monday, May 4, 2009

Risk Management with an Evolutionary Perspective

Evolutionary biology can provide useful insights into the risk management process used in information security. The current risk management process, as described in NIST Special Publications 800-30, Risk Management Guide for Information Technology Systems, and 800-39 Rev 1 (Draft), Managing Risk from Information Systems, can be summarized simply as: 1) identify the risks present in the environment, 2) counter or mitigate the risks that have been identified, and 3) repeat. This cycle is ultimately reactive in nature, because flaws are only uncovered when vulnerabilities or new attacks are announced. SP 800-39 Rev 1 (Draft) is more focused on categorizing a system, applying a set of requirements based on the system's categorization, and tailoring the predefined security controls. This methodology requires that the system's sensitivity rating has been appropriately determined and that the predefined security controls appropriately address the threat environment.

If the assumption is made that information security is a system operating under the rules of the Red Queen hypothesis, and that the security controls that are implemented act as selection pressures on our adversaries, then the risk management process appears to be lacking: nothing in it takes into account how an adversary will respond to the environmental selection pressures (i.e. the implemented security controls).

When a risk is identified, there are a number of ways that it can be handled within the current risk management framework. A risk can be corrected, accepted, mitigated, or transferred/insured. Each of these methods for dealing with an identified risk can be treated as one of the three types of selection pressure: directional, disruptive or stabilizing.
  • Corrected risks can act as disruptive selection pressures. It is a disruptive selection pressure in the sense that the risk has been removed; an adversary must abandon the strategy that could have been used to exploit the system. The adversary will be forced to evolve a new strategy if they are going to continue to exploit the system.
  • Accepted risks can act as a stabilizing selection pressure. It is a stabilizing selection pressure in that it encourages an adversary to continue to use the existing exploitation strategy and discourages the use of other strategies, since those would cost resources to evolve and develop (resources which could be used elsewhere). Some would argue that an entity can also deny that a risk exists in the first place; if so, then by default they are accepting the risk and it should be treated as an accepted risk.
  • Mitigated risks can act as either a disruptive or a directional selection pressure. If the mitigation causes an adversary to abandon their exploitation strategy, it will be a disruptive selection pressure on the adversary. If the mitigation simply causes the adversary to modify their existing strategy, it will act like a directional selection pressure.
  • Transferred/insured risks can act as a stabilizing selection pressure. Like accepted risks, transferred/insured risks do not exert a selection pressure on an adversary's strategy that would cause them to either modify or abandon it. It should be noted that transferring or insuring a risk does not transfer the risk of an incident occurring. Just as when car insurance is purchased, the insurance company does not actually assume the risk of getting into an accident; the driver still carries that, and the insurer carries the risk of having to pay out after an incident.
Each type of selection pressure exerts an evolutionary cost in response. When multiple methods for dealing with a risk are identified, the evolutionary cost to the adversary of overcoming each method should be considered in addition to the organization's cost for implementing (or not implementing, as the case may be) it. In general, disruptive selection pressures will exert the highest evolutionary cost on an adversary, while stabilizing selection pressures will tend to exert a minimal or non-existent evolutionary cost.
  • Disruptive selection pressures are the most likely to extract the highest evolutionary cost from an adversary, in that they force them not only to evolve/develop a new exploitation strategy, but also to waste the effort spent maintaining a strategy that may no longer succeed.
  • Directional selection pressures will tend to exert minimal evolutionary costs on an adversary, as they must only modify an existing exploitation strategy to continue to be successful. The adversary does not need to abandon their existing strategy or develop a new one, just refine the existing one. There is an evolutionary cost associated with this, but it will be less than if they had to abandon their current strategy and evolve a new one.
  • Stabilizing selection pressures will tend to cost an adversary the least, as they do not need to modify their current strategies and so experience no change in their evolutionary costs. Maintaining an existing strategy may still carry a cost, but a stabilizing selection pressure is not likely to force an adversary to incur any additional evolutionary cost, since they have already adapted to the environment. An adversary may even be able to reduce their costs further by evolving a more efficient method for existing in the environment.
Using the principles of selection pressures and evolutionary costs from evolutionary biology, the risk management process can be updated to anticipate how an adversary will respond to the survival strategies of a system. When responses to a risk are proposed, they should be examined to see how an adversary could respond. In the case of SSH brute forcing, the rules act as a directional selection pressure, which caused the attacker to modify but not abandon their strategy. Virtualization implemented throughout an environment can act as either a disruptive or a stabilizing selection pressure on malware. Depending on the potential costs associated with an adversary's response, the option that is likely to inflict the highest evolutionary cost should be chosen as the solution. If a solution is chosen that imposes little or no evolutionary cost on an adversary to overcome, it will not be long before an attacker has compromised the system.
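The SSH brute-force case lends itself to a worked illustration. The Python below is an added example, not code from the original post or from any tool it refers to. It runs constructed log lines (not real captures) through a simple "N failures from one source in W seconds" rule, then through the slower, spread-out attack that rule invites (the directional adaptation), and finally through a second rule keyed on the target account instead of the source. The log format with an epoch-second prefix, the RFC 5737 documentation addresses, the function names and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the original post): an SSH brute-force rule as a
selection pressure, run over constructed log lines.

Assumptions: log lines carry an epoch-second prefix instead of a syslog
timestamp, sources are RFC 5737 documentation addresses, and the thresholds
are arbitrary. None of this is taken from a specific tool such as fail2ban.
"""
import re
from collections import defaultdict, deque

# Constructed format:
# "<epoch> sshd[<pid>]: Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
FAIL_RE = re.compile(
    r"^(?P<ts>\d+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(lines):
    """Return (timestamp, user, source_ip) for each line that is an SSH failure."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            events.append((int(m["ts"]), m["user"], m["ip"]))
    return events


def tripped_keys(events, key, threshold, window):
    """Sliding-window rule: a key is 'tripped' once it accumulates `threshold`
    failures within any `window` seconds. `key(user, ip)` picks what the rule
    is keyed on; that choice is the selection pressure being applied."""
    recent = defaultdict(deque)
    tripped = set()
    for ts, user, ip in sorted(events):
        k = key(user, ip)
        q = recent[k]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            tripped.add(k)
    return tripped


def per_source_rule(events, threshold=5, window=60):
    """The usual first response: block a source IP after N failures in W seconds."""
    return tripped_keys(events, lambda user, ip: ip, threshold, window)


def per_account_rule(events, threshold=5, window=600):
    """A rule keyed on the target account rather than the source; it survives
    the 'slow down and spread out' adaptation the per-source rule invites."""
    return tripped_keys(events, lambda user, ip: user, threshold, window)


def fast_attack():
    """Constructed: one source, one attempt per second against root."""
    return [f"{1000 + i} sshd[4242]: Failed password for root from 203.0.113.9 port {40000 + i} ssh2"
            for i in range(8)]


def adapted_attack():
    """Constructed: the directional adaptation. Same target, same total attempts,
    but spread over four sources at one attempt every 30 seconds, so no single
    source ever shows 5 failures within 60 seconds."""
    sources = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
    return [f"{2000 + 30 * i} sshd[4242]: Failed password for root from {sources[i % 4]} port {40000 + i} ssh2"
            for i in range(8)]


if __name__ == "__main__":
    for name, log in (("fast attack", fast_attack()), ("adapted attack", adapted_attack())):
        ev = parse_failures(log)
        print(f"{name}: per-source rule trips {per_source_rule(ev) or 'nothing'}, "
              f"per-account rule trips {per_account_rule(ev) or 'nothing'}")
```

Run as written, the per-source rule trips on the fast attack and on nothing in the adapted attack, while the per-account rule trips on both. Two caveats belong with the second rule: locking an account after failures hands the adversary a denial-of-service lever against legitimate users, and the rule is itself a pressure that invites its own adaptation (one attempt each against many accounts). That is the point of the post: each candidate rule should be chosen only after asking what response it is likely to select for.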

Predicting the resultant strategies is not trivial, but understanding the selection pressures involved may make the situation more manageable. In the case of the SSH brute force and the adoption of virtualization, some responses can be determined from the attributes of the strategy implemented. Inspecting the strategies found in the natural environment could provide additional insight into how an adversary could respond. Any of the following could also be potential responses.
  • Some organisms have developed adaptations which advertise to others that they are something they are not, for example that they are poisonous. An adversary could mimic the behavior of the defensive system employed. Malware such as Anti-Virus 2009 or Anti-Virus 360 appears to be anti-virus software which protects a user from attacks on the Internet when it is actually a Trojan.
  • Like parasites subverting the central nervous systems of their hosts, an adversary could exploit the very strategy used to help the system survive. Malware can attempt to exploit vulnerabilities in anti-virus software to attack a system; anti-malware software usually operates as a privileged service, making it a priority target since it has access to the entire system in addition to protecting it.
  • Some animals have developed better camouflage to help mask their presence in the environment. A smaller and less noisy profile means that a defender is less likely to detect the adversary's presence. Malware is moving to HTTP command and control channels to help mask its presence in the traffic being sent across the network.
  • Another response is to completely abandon the current strategy and develop a new one which catches an organism unprepared. As part of an experiment in evolutionary biology, a predatory lizard was introduced onto several islands inhabited by anoles. Initially the average length of the anoles' legs increased, which allowed them to survive by running faster to evade their predators. Eventually the average leg length decreased, as the anoles were able to avoid their predators entirely by spending more time in the trees. Malware can react to countermeasures by simply avoiding them entirely or by attacking an information system at a different layer. A worm can be written to exploit web applications instead of targeting flaws in the operating system.
  • Sometimes the best response is not to respond to the strategy employed. If the counter-strategy will only be encountered infrequently, it is often more cost effective to ignore it. In the natural environment, some predators interact with prey populations so infrequently that it is more effective for the prey not to respond as a population than to evolve a response. Malware authors should be aware that almost all analysis of their binaries will be conducted in a virtualized environment, yet not all malware encountered is able to detect when it is operating in one.
Each of these different responses carries an associated evolutionary cost. Some, like abandoning a strategy and evolving a new one, can be high, as the investment in evolving and developing the existing strategy is discarded and a new strategy must be evolved and developed. Others carry no additional evolutionary cost, such as ignoring the threat and not modifying the current survival strategies.

The current risk management process has weaknesses when it is applied to an environment which is evolving. The basic process is reactionary in nature; it gives all of the initiative to the adversary and requires that the adversary first advertise their latest strategy before it can be countered. Instead of waiting for an adversary to attack an information system, the risk management methodology should include steps which attempt to determine how the current security strategies will force an adversary to adapt. Based on the types of selection pressure applied to counter an adversary's strategy, predictions can be made as to how the adversary will be forced to respond. When selecting among several different counter-strategies, preference should be given to those which have the highest evolutionary cost to counter (i.e. those most likely to act as disruptive selection pressures).