Thursday, June 2, 2011

Shared Strategies and Shared Costs

Within evolutionary biology there are essentially two pathways in which genes are transferred.  They can either be transfered vertically or horizontally.   The vertical passing of characters is inheritance, sometimes referred to as Vertical Gene Transfer (VGT).  In VGT, genes are passed from one generation to the next inherited from parents.  Horizontal sharing, commonly called Horizontal Gene Transfer (HGT), is something only a few types of organisms participate.  These organisms are unicellular such as bacteria.  Bacteria use HGT as a way of obtaining genes which are immediately beneficial to their survival.  Some bacteria utilize HGT to "steal" genes from their hosts or other organisms in the environment and acquire immunity to antibiotics or host defenses.  There are a number of different examples in which bacteria acquire tolerance or even resistance to antibiotics or heavy metals via HGT presented within Microbial Ecology: An Evolutionary Approach by McArthur.

If the methods of VGT and HGT are to be considered within the framework of information security, they have to be applied in a more general sense such that instead of applying to the transfer of genes they are applied to the transfer of strategies.  One of the basic principles of evolutionary biology is that even the most perfectly adapted organism has a fitness of zero if its characters are not passed along to subsequent generations (typically via VGT).  Within information security, an enterprise must be able to retain and pass along desirable characters to new developers and engineers otherwise it may continue to suffer from persistent and/or reoccurring issues.  This transfer can occur via training staff or acquisition of outside expertise.

The methods of transfer can work in different ways within information security as strategies are ideas that can easily and quickly replicated between different enterprises and organizations.  A strategy only needs to be replicated.  Strategies can be of different sizes.  A smaller strategy can be the sharing or reuse of code within application frameworks or even the reuse of code within malware.  As a possible  example of replicating code, with the recent release of the Zeus bot's source code, variants of Zeus may become more common or other malware families can replicate and incorporate that code into their code base.  On the larger scale, strategies of implementing demilitarized zones (DMZs) or virtualized application hosting systems can be shared.  In evolutionary biology there is the unwanted replication or transfer of strategies.  This method is prevalent in microbiology in which bacteria utilize HGT to gain immunity from antibiotics or parasites covering themselves in proteins from a host to prevent an immune response (Roitt's Essential Immunity or Foundations of Parasitology by Roberts and Janovy).  In information security unwanted transfer of strategies most likely relates to the exfiltration or release of information outside of the organization.  Examples of this exfiltration include data breaches, breaches which are commonly reported or the theft of intellectual property in which trade secret, research and/or ideas is transfer to other parties which did not spend the time or resources developing it.

Beyond sharing genes between generations or organisms, some animals are capable of forming social units such as flocks or herds.  With social animals, there are a number of benefits for sharing information between individuals. 
  • Social animals benefit from safety in numbers against predation.  As a single individual is more likely to be foraged upon by a predator during a single encounter, if alone rather than in a group.
  • A single individual can alert the entire herd to danger.  Multiple eyes are more likely to identify a threat.  Even if not everyone is actively searching for threats, multiple sentries may offer an opportunity for better detection.  If the sentry role is shared or rotated, then all within the community can benefit from increased vigilance and they are able to spend more time foraging.
  • For social animals experiences can be passed between individuals by social learning.  Social learning allows learned strategies that are successful to be passed on to other individuals within the community.
By forming large social units, prey are able to reduce the individual risk to themselves per encounter with a predator.  Instead of a single one on one encounter, now the predator must identify and choose between all of the prey in the herd.  Predators typically invest time in searching through a herd to identify prey that are injured, sick or otherwise uniquely identifiable.  Injured and sick prey have a reduced handling time which means that predators have the greatest potential energy gain (ratio of energy spent handling the prey compared to the amount of energy gained by consuming the prey item) and the predator has a reduced likelihood of being injured while handling the prey.  Despite being well armed and capable of inflicting significant damage during an encounter, typically a predator will not attempt to forage upon a healthy prey item.

Standing out in a herd or in a community can work against an individual.  Unique identification works against individuals in a herd as it allows predators to identify and focus on specific individuals when the herd scatters.  Herds are an organized collection which are typically sub-divided into three segments: (a) the females and young, (b) the alpha males/females, and (c) the sick, elderly, and/or injured.  When a predator encounters the herd, it scatters.  Because of the structure of the herd, group (b) guarding (a)'s retreat while (c) is sacrificed as a distraction.  Encounters may not always function this way as predators can actively target other individuals within the herd.  Within the natural environment and within information security no single entity wants to be sacrificed for the well being of the herd but sometimes this happens as no one is immune from predation.  It would be possible to design an infrastructure which is scarified during an attack, but typically enterprises attempt to enforce a homogeneity over the community so there does not exist community of sick and injured systems which can be sacrificed so that the enterprise can respond.  Sometimes the legacy systems exist within the enterprise because they are performing a function essential to the enterprise, and as such this elderly systems must be protected.

Another way in which larger social structures enable survival is by allowing a division of tasks.  Some individuals assume vigilant/sentry roles and actively attempt to identify and alert the community of threats while others are allowed to perform their normal tasks.  If the sentry role is rotated, individuals are allowed to spend more resources and energy on other tasks then scanning for threats.  In this way, an individual spends some time foraging and some time acting as a sentry.  By sharing the role of sentry, each individual is allowed to increase their time foraging but overall a higher level of vigilance is obtained by the community.  By sharing information and alerts in the information security community the danger signs of predation can be shared and the entire community can be alerted.  This works well in environments in which predation is not constantly occurring, in these types of environments alerts are constant and become meaningless so the threshold for alerting needs to be adjusted and it needs to be reserved for appropriate events.  Depending upon what is going to happen, simply making the community aware of an event can prevent it from occurring or minimize its impact.  Although it is possible that the level of vigilance has increased for the herd, as discussed in Natural Enemies by Crawley, this may not be the primary reason for organizing into herd structures.  Furthermore the effective level of vigilance the community may decrease to a level below that which a single individual would normally have expended. 

Another process that can occur when tasks are divided among individuals is cheating.  Microbial Ecology: An Evolutionary Approach by McArthur, defines the term cheating as “obtaining benefits from a collectively produced public good that disproportionately large relative to the cheater's own contribution to that good”.  By cheating, an entity should be performing a task such as watching for predators but instead it opts to collect resources for itself or the sentry watches for predators and does not alert when they are detected, instead fleeing without warning the community.  The second method of cheating is less likely as others in the community would be able to notice when the sentry behaves as though it is attempting to evade or flee a predator.  There are similar behaviors that can occur within the information security community as companies are not always willing to admit that they have been attacked or successfully compromised.  This results in an opportunity to share information about the methods of compromise or even at the most fundamental level letting the rest of the community understand the rate at which attacks are occurring.  In these instances they are benefiting by receiving the alerts but they not performing the sentry role, they are not sharing their information so no one else can benefit.  Similar to cheating in nature, the second method is less likely to occur as conceptually it is more difficult for an organization to and flee from an attack.

Developing a new strategy to exploit or compromise a system takes time and resources.  It is not a trivial task but in some cases it can occur fairly quickly.  By sharing (or alerting) a newly discovered exploitation strategy, the community can act upon the alert thus time and effort of the adversary can be effectively  wasted or the amount of gain can be minimized as the entire community is now aware of the strategy and it can be countered.  If the community acts upon the alert and effectively counters the strategy, in order for the attackers to remain successful they must continue to expend time and resources to develop new strategies.  The problem occurs when the strategy is not known or it is known and fails to be countered.  It allows the attackers to leverage existing attacks and effectively forage on defender systems and resources with very small handling times.

Predators are able to leverage the benefits of existing in social units.  Predator benefits are different since they are searching for and foraging on the prey items.  By being social, predators can also reduce their individual risk of injury.  Prey that attempts to retaliate when attacked will have a more difficult time if it is attacked by multiple predators. 

Similarly, black hats or hacktivists can organize into online communities.  Anonymous is an example of an online community which has performed large scale Distributed Denial of Service (DDoS) attacks  and even successfully compromised the HBGary website with relatively little organization.  In  Anonymous the wide range of experience levels help to contribute to successful attacks as those who lack the skills to perform a specific attack can easily locate some one in the community with the required skill set.  Cybercrime is an industry with many different individuals, each of which specializes in a different task.  There are those who develop exploits, individuals who develop the bots, develop the software to prevent reverse engineering with packing and obfuscation, and others who collect and manage the deployed bots.  The black hat and/or cybercrime community can also watch the open security community and
  1. gain new inspiration and methodologies for attacks,
  2. discover which attacks and techniques have been disclosed and allow them to determine when it is time to research new attacks and/or utilized previous undisclosed attacks,
  3. gaining a better understanding of the techniques used to detect/identify/mitigate their attacks and develop new strategies for defending their acquired systems. 
Banding together and forming social communities allows individuals to share the costs of defense by reduction of individual risk, gaining more time to forage with other searching and alerting on identified threats and sharing successful strategies by social learning.  Single otters are unable to get an alligator out of there territory but a gang of otters can harass an alligator until it leaves.  These communities  survive by increasing the costs of successful predation but predators are capable of leveraging the benefits of social communities.

No comments:

Post a Comment