A significant problem currently faced in the field of immunology is the proliferation of bacteria which have gained resistance or tolerance to antibiotics. Bacteria can gain resistance or tolerance by a number of different methods; 1) by evolving genes which allow them to survive, 2) by acquiring genes via from other bacteria (transduction by a bacteriophage or conjugation [e.g. horizontal gene transfer]), or 3) uptake of genetic material from the environment (transformation). Bacteria such as these are responsible for a large number of infections that are difficult to treat and are becoming more common in environments such as hospitals. Methicillin-resistant Staphylococcus aureus (MRSA) is one such example. Although MRSA is resistant to most antibiotics, it has a lower fitness than non-antibiotic resistant Staphylococcus aureus (Staph) in an environment without antibiotics. This trait means that if the antibiotics treatments are stopped, the common forms of Staph will out compete and replace MRSA as the dominant form of bacteria in a colony.
It is possible that such observations could lead some people within the information security community to believe that possibly reducing the barriers to malware could cause malware to become less sophisticated or more easy to observe and subsequently easier to remediate. Although this is a possibility, it is unlikely since the costs involved in maintaining genes are different than those in maintaining attack strategies. Evolutionary trade-offs or costs manifest themselves in different ways. They are paid by the reduction of the fitness of an organism. An organism is said to have a higher fitness with the more off-spring that survive into subsequent generations. An organism which must reallocate resources away from the production off-spring runs the risk of reducing its fitness. As an example, removing resources away from reproduction to defense, reduces the theoretical number of off-spring and organism can produce. Defensive strategies can allow an organism to survive and reproduce. Mutations in a genome cause an organism to reallocate resources and depending on the phenotypic effects, they can increase or decrease the fitness of an organism. Evolutionary costs can be thought of as having three different costs and benefits: 1) there is a cost of evolving a strategy (e.g. the costs associated with the creation of a new strategy), 2) there are developmental costs of a strategy (e.g. the specific implementation of within an organism), and 3) there is a cost for maintaining a strategy (e.g. the day-to-day costs associated with maintaining a strategy or maintaining the ability to utilize a strategy). These three costs combined with the benefits of maintaining a set of strategies work in conjunction to raise or lower the overall fitness of an organism.
With bacteria, the reduction of any non-essential genes results in an increased fitness as the costs associated with replication are reduced. The replication of a smaller genome utilizes less resources than the replication of a larger genome. This reduction means that anytime a gene can successfully be removed from the bacterial genome without reducing its fitness, it will benefit for the bacteria to do so as it will reduce the costs associated with replication. This process is referred to as genome economization and has been observed with the Mimivirus in a controlled laboratory setting and the resulting genome reduction in an environment in which its competitors have been removed. In the case of tolerance or resistance genes, the costs to the bacteria are greater than just occupying a portion of the genome and increasing its size. There are production costs associated with tolerance or resistance genes. These genes create proteins and the production of these proteins consumes resources that the bacteria could have utilized elsewhere. Beyond the simple consumption of resources due to the production of these proteins, these proteins that are being produced can interfere with common intracellular functions. All of these factors combined mean that bacteria can make substantial gains in fitness if they are able to remove these genes when they are no longer required. In the case of malware or the tools of determined attackers, the replication and storage of the software used is not a significant issue. In the case of exploits with stagers or malware with droppers being able to remotely load software the advantages of maintaining a smaller code base are not a limitation as resources can be remotely accessed as needed. Actually having a smaller code base to utilize during an attack can limit the options of an adversary as they may not be able to try all of the possible avenues of attack. Blind application of the strategies and methods used by organism for survival may not function as expected within information security without understanding the costs and trade-offs associated with these strategies. The adaptations that bacteria and other micro-organisms utilize for dealing with evolutionary costs are different than those encountered within information security.
Another thing to consider is that even if antibiotics are not applied in the environment to reduce the population of tolerant or resistant bacteria, it does not mean that the human immune system is not going to react to an infection. A substantial portion of the human genome is dedicated to the immune system. Of the entire genome (estimated at 27,478 genes), it is estimated that there are approximately 1,562 genes are dedicated to the immune system. This quantity of genes represents a significant amount of resources dedicated to fighting pathogens. Furthermore when the immune system is actively fighting a pathogen an average metabolism of a human host increases by 14%. Maybe simply reducing the application of security controls to fight malware is not the best solution.
Looking at the issue of bacteria gaining tolerance and resistance from a different perspective may provide another insight into the issue. The problem is not that MRSA exists in the environment but it exists within an environment in which the potential hosts are already suffering from weakened or compromised immune systems. The resistance of MRSA means that the application of traditional antibiotics is ineffective. It seems that the main issue is that MRSA already has the tools to defend itself against the common defenses in that environment. To rephrase this, MSRA has the tools to persist in the prevailing environmental conditions otherwise it would not have survived. From the perspective of information security, attackers have already acquired the necessary tools and techniques to persist in the common computing environments otherwise they would not be successful. Furthermore the tools and techniques that have used previously in compromising similar security controls means that if those security controls are encountered else where they can also be compromised as they have been primed with the necessary experience.
Instead of reducing the security controls in an enterprise to possibly make the detection and remediation of malware based on observations of various bacterial adaptations to antibiotics, security should instead attempt to understand how the environment is being prepared for attackers and focus on making it more difficult for attackers to persist in the enterprise.
Wednesday, July 6, 2011
Subscribe to:
Posts (Atom)