Wednesday, July 6, 2011

Bacterial Resistance/Tolerance or Prepared Environments

A significant problem currently faced in the field of immunology is the proliferation of bacteria which have gained resistance or tolerance to antibiotics.  Bacteria can gain resistance or tolerance by a number of different methods: 1) by evolving genes which allow them to survive, 2) by acquiring genes from other bacteria (transduction by a bacteriophage or conjugation [e.g. horizontal gene transfer]), or 3) by uptake of genetic material from the environment (transformation).  Bacteria such as these are responsible for a large number of infections that are difficult to treat and are becoming more common in environments such as hospitals.  Methicillin-resistant Staphylococcus aureus (MRSA) is one such example.  Although MRSA is resistant to most antibiotics, it has a lower fitness than non-antibiotic-resistant Staphylococcus aureus (Staph) in an environment without antibiotics.  This trait means that if antibiotic treatments are stopped, the common forms of Staph will outcompete and replace MRSA as the dominant form of bacteria in a colony.

Such observations could lead some people within the information security community to believe that reducing the barriers to malware might cause malware to become less sophisticated or easier to observe, and subsequently easier to remediate.  Although this is a possibility, it is unlikely, since the costs involved in maintaining genes are different from those involved in maintaining attack strategies.  Evolutionary trade-offs or costs manifest themselves in different ways.  They are paid by a reduction in the fitness of an organism.  An organism is said to have a higher fitness the more of its off-spring survive into subsequent generations.  An organism which must reallocate resources away from the production of off-spring runs the risk of reducing its fitness.  As an example, moving resources away from reproduction to defense reduces the theoretical number of off-spring an organism can produce.  Defensive strategies can, however, allow an organism to survive and reproduce.  Mutations in a genome cause an organism to reallocate resources and, depending on the phenotypic effects, they can increase or decrease the fitness of an organism.  Evolutionary costs can be thought of as having three different costs and benefits: 1) there is a cost of evolving a strategy (e.g. the costs associated with the creation of a new strategy), 2) there are developmental costs of a strategy (e.g. the specific implementation of the strategy within an organism), and 3) there is a cost for maintaining a strategy (e.g. the day-to-day costs associated with maintaining a strategy or maintaining the ability to utilize it).  These three costs, combined with the benefits of maintaining a set of strategies, work in conjunction to raise or lower the overall fitness of an organism.

With bacteria, the removal of any non-essential gene results in an increased fitness, as the costs associated with replication are reduced.  The replication of a smaller genome utilizes fewer resources than the replication of a larger genome.  This means that any time a gene can successfully be removed from the bacterial genome without reducing its fitness, it benefits the bacteria to do so, as it reduces the costs associated with replication.  This process is referred to as genome economization and has been observed with the Mimivirus in a controlled laboratory setting, where the genome shrank after its competitors had been removed from the environment.  In the case of tolerance or resistance genes, the costs to the bacteria are greater than just occupying a portion of the genome and increasing its size.  There are production costs associated with tolerance or resistance genes.  These genes encode proteins, and the production of these proteins consumes resources that the bacteria could have utilized elsewhere.  Beyond the simple consumption of resources, the proteins being produced can interfere with common intracellular functions.  All of these factors combined mean that bacteria can make substantial gains in fitness if they are able to remove these genes when they are no longer required.  In the case of malware or the tools of determined attackers, the replication and storage of the software used is not a significant issue.  In the case of exploits with stagers, or malware with droppers able to remotely load software, the advantages of maintaining a smaller code base are not a limitation, as resources can be remotely accessed as needed.  In fact, having a smaller code base to utilize during an attack can limit the options of an adversary, as they may not be able to try all of the possible avenues of attack.

Blind application of the strategies and methods used by organisms for survival may not function as expected within information security without understanding the costs and trade-offs associated with these strategies.  The adaptations that bacteria and other micro-organisms utilize for dealing with evolutionary costs are different from those encountered within information security.

Another thing to consider is that even if antibiotics are not applied in the environment to reduce the population of tolerant or resistant bacteria, it does not mean that the human immune system is not going to react to an infection.  A substantial portion of the human genome is dedicated to the immune system.  Of the entire genome (estimated at 27,478 genes), approximately 1,562 genes are estimated to be dedicated to the immune system.  This quantity of genes represents a significant amount of resources dedicated to fighting pathogens.  Furthermore, when the immune system is actively fighting a pathogen, the average metabolism of a human host increases by 14%.  Simply reducing the application of security controls to fight malware may therefore not be the best solution.

Looking at the issue of bacteria gaining tolerance and resistance from a different perspective may provide another insight into the issue.  The problem is not that MRSA exists in the environment, but that it exists within an environment in which the potential hosts are already suffering from weakened or compromised immune systems.  The resistance of MRSA means that the application of traditional antibiotics is ineffective.  It seems that the main issue is that MRSA already has the tools to defend itself against the common defenses in that environment.  To rephrase this, MRSA has the tools to persist in the prevailing environmental conditions; otherwise it would not have survived.  From the perspective of information security, attackers have already acquired the necessary tools and techniques to persist in common computing environments; otherwise they would not be successful.  Furthermore, the tools and techniques that have been used previously in compromising similar security controls mean that if those security controls are encountered elsewhere they can also be compromised, as the attackers have been primed with the necessary experience.

Instead of reducing the security controls in an enterprise in the hope of making the detection and remediation of malware easier, based on observations of various bacterial adaptations to antibiotics, security should instead attempt to understand how the environment is being prepared for attackers and focus on making it more difficult for attackers to persist in the enterprise.

Thursday, June 2, 2011

Shared Strategies and Shared Costs

Within evolutionary biology there are essentially two pathways by which genes are transferred.  They can either be transferred vertically or horizontally.  The vertical passing of characters is inheritance, sometimes referred to as Vertical Gene Transfer (VGT).  In VGT, genes are passed from one generation to the next, inherited from parents.  Horizontal sharing, commonly called Horizontal Gene Transfer (HGT), is something only a few types of organisms participate in.  These organisms are unicellular, such as bacteria.  Bacteria use HGT as a way of obtaining genes which are immediately beneficial to their survival.  Some bacteria utilize HGT to "steal" genes from their hosts or other organisms in the environment and acquire immunity to antibiotics or host defenses.  A number of different examples in which bacteria acquire tolerance or even resistance to antibiotics or heavy metals via HGT are presented within Microbial Ecology: An Evolutionary Approach by McArthur.

If the methods of VGT and HGT are to be considered within the framework of information security, they have to be applied in a more general sense, such that instead of applying to the transfer of genes they apply to the transfer of strategies.  One of the basic principles of evolutionary biology is that even the most perfectly adapted organism has a fitness of zero if its characters are not passed along to subsequent generations (typically via VGT).  Within information security, an enterprise must be able to retain and pass along desirable characters to new developers and engineers; otherwise it may continue to suffer from persistent and/or recurring issues.  This transfer can occur via training staff or the acquisition of outside expertise.

The methods of transfer can work in different ways within information security, as strategies are ideas that can easily and quickly be replicated between different enterprises and organizations.  A strategy only needs to be replicated.  Strategies can be of different sizes.  A smaller strategy can be the sharing or reuse of code within application frameworks, or even the reuse of code within malware.  As a possible example of replicating code, with the recent release of the Zeus bot's source code, variants of Zeus may become more common, or other malware families can replicate and incorporate that code into their code base.  On the larger scale, strategies of implementing demilitarized zones (DMZs) or virtualized application hosting systems can be shared.  In evolutionary biology there is also the unwanted replication or transfer of strategies.  This is prevalent in microbiology, in which bacteria utilize HGT to gain immunity from antibiotics, or parasites cover themselves in proteins from a host to prevent an immune response (Roitt's Essential Immunity or Foundations of Parasitology by Roberts and Janovy).  In information security, unwanted transfer of strategies most likely relates to the exfiltration or release of information outside of the organization.  Examples of this exfiltration include data breaches, which are commonly reported, or the theft of intellectual property, in which trade secrets, research and/or ideas are transferred to other parties which did not spend the time or resources developing them.

Beyond sharing genes between generations or organisms, some animals are capable of forming social units such as flocks or herds.  With social animals, there are a number of benefits for sharing information between individuals. 
  • Social animals benefit from safety in numbers against predation.  A single individual is more likely to be foraged upon by a predator during a single encounter when alone than when in a group.
  • A single individual can alert the entire herd to danger.  Multiple eyes are more likely to identify a threat.  Even if not everyone is actively searching for threats, multiple sentries may offer an opportunity for better detection.  If the sentry role is shared or rotated, then all within the community can benefit from increased vigilance and they are able to spend more time foraging.
  • For social animals experiences can be passed between individuals by social learning.  Social learning allows learned strategies that are successful to be passed on to other individuals within the community.
By forming large social units, prey are able to reduce the individual risk to themselves per encounter with a predator.  Instead of a single one-on-one encounter, the predator must now identify and choose between all of the prey in the herd.  Predators typically invest time in searching through a herd to identify prey that are injured, sick or otherwise uniquely identifiable.  Injured and sick prey have a reduced handling time, which means that predators have the greatest potential energy gain (the ratio of energy spent handling the prey to the amount of energy gained by consuming the prey item) and a reduced likelihood of being injured while handling the prey.  Despite being well armed and capable of inflicting significant damage during an encounter, a predator will typically not attempt to forage upon a healthy prey item.

Standing out in a herd or in a community can work against an individual.  Unique identification works against individuals in a herd, as it allows predators to identify and focus on specific individuals when the herd scatters.  Herds are an organized collection which is typically sub-divided into three segments: (a) the females and young, (b) the alpha males/females, and (c) the sick, elderly, and/or injured.  When a predator encounters the herd, it scatters.  Because of the structure of the herd, group (b) guards (a)'s retreat while (c) is sacrificed as a distraction.  Encounters may not always function this way, as predators can actively target other individuals within the herd.  Within the natural environment and within information security, no single entity wants to be sacrificed for the well-being of the herd, but sometimes this happens, as no one is immune from predation.  It would be possible to design an infrastructure which is sacrificed during an attack, but typically enterprises attempt to enforce homogeneity over the community, so there is no community of sick and injured systems which can be sacrificed so that the enterprise can respond.  Sometimes legacy systems exist within the enterprise because they are performing a function essential to the enterprise, and as such these elderly systems must be protected.

Another way in which larger social structures enable survival is by allowing a division of tasks.  Some individuals assume vigilant/sentry roles and actively attempt to identify threats and alert the community, while others are allowed to perform their normal tasks.  If the sentry role is rotated, individuals are allowed to spend more resources and energy on tasks other than scanning for threats.  In this way, an individual spends some time foraging and some time acting as a sentry.  By sharing the role of sentry, each individual is allowed to increase their time foraging, but overall a higher level of vigilance is obtained by the community.  By sharing information and alerts in the information security community, the danger signs of predation can be shared and the entire community can be alerted.  This works well in environments in which predation is not constantly occurring; where predation is constant, alerts are constant and become meaningless, so the threshold for alerting needs to be adjusted and alerting needs to be reserved for appropriate events.  Depending upon what is going to happen, simply making the community aware of an event can prevent it from occurring or minimize its impact.  Although it is possible that the level of vigilance has increased for the herd, as discussed in Natural Enemies by Crawley, this may not be the primary reason for organizing into herd structures.  Furthermore, the effective level of vigilance of the community may decrease to a level below that which a single individual would normally have expended.

Another process that can occur when tasks are divided among individuals is cheating.  Microbial Ecology: An Evolutionary Approach by McArthur defines the term cheating as “obtaining benefits from a collectively produced public good that [are] disproportionately large relative to the cheater's own contribution to that good”.  A cheating entity should be performing a task such as watching for predators, but instead it opts to collect resources for itself; or the sentry watches for predators and does not alert when they are detected, instead fleeing without warning the community.  The second method of cheating is less likely, as others in the community would be able to notice when the sentry behaves as though it is attempting to evade or flee a predator.  Similar behaviors can occur within the information security community, as companies are not always willing to admit that they have been attacked or successfully compromised.  This results in a missed opportunity to share information about the methods of compromise, or even, at the most fundamental level, to let the rest of the community understand the rate at which attacks are occurring.  In these instances they are benefiting by receiving the alerts but not performing the sentry role; they are not sharing their information, so no one else can benefit.  Similar to cheating in nature, the second method is less likely to occur, as conceptually it is more difficult for an organization to evade or flee from an attack.

Developing a new strategy to exploit or compromise a system takes time and resources.  It is not a trivial task, but in some cases it can occur fairly quickly.  By sharing (or alerting on) a newly discovered exploitation strategy, the community can act upon the alert; thus the time and effort of the adversary can be effectively wasted, or the amount of gain can be minimized, as the entire community is now aware of the strategy and it can be countered.  If the community acts upon the alert and effectively counters the strategy, then in order for the attackers to remain successful they must continue to expend time and resources to develop new strategies.  The problem occurs when the strategy is not known, or it is known and fails to be countered.  This allows the attackers to leverage existing attacks and effectively forage on defender systems and resources with very small handling times.

Predators are also able to leverage the benefits of existing in social units.  The benefits for predators are different, since they are searching for and foraging on the prey items.  By being social, predators can also reduce their individual risk of injury.  Prey that attempt to retaliate when attacked will have a more difficult time if attacked by multiple predators.

Similarly, black hats or hacktivists can organize into online communities.  Anonymous is an example of an online community which has performed large scale Distributed Denial of Service (DDoS) attacks and even successfully compromised the HBGary website with relatively little organization.  In Anonymous, the wide range of experience levels helps to contribute to successful attacks, as those who lack the skills to perform a specific attack can easily locate someone in the community with the required skill set.  Cybercrime is an industry with many different individuals, each of whom specializes in a different task.  There are those who develop exploits, individuals who develop the bots, those who develop the software to prevent reverse engineering with packing and obfuscation, and others who collect and manage the deployed bots.  The black hat and/or cybercrime community can also watch the open security community and
  1. gain new inspiration and methodologies for attacks,
  2. discover which attacks and techniques have been disclosed, allowing them to determine when it is time to research new attacks and/or utilize previously undisclosed attacks,
  3. gain a better understanding of the techniques used to detect/identify/mitigate their attacks and develop new strategies for defending their acquired systems.
Banding together and forming social communities allows individuals to share the costs of defense by reducing individual risk, gaining more time to forage while others search for and alert on identified threats, and sharing successful strategies by social learning.  Single otters are unable to get an alligator out of their territory, but a gang of otters can harass an alligator until it leaves.  These communities survive by increasing the costs of successful predation, but predators are also capable of leveraging the benefits of social communities.