Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/7/2014
01:00 PM
TK Keanini
TK Keanini
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
50%
50%

If Mother Nature Were A CISO

There are many defensive patterns in nature that also apply to information security. Here's how to defeat your predators in the high-stakes game of corporate survival and resiliency.

People say the Internet is a hostile network (which is true), and that got me thinking about other hostile environments, where a successful strategy results in resiliency and continuity. What if Mother Nature were the CISO? What would her strategy be? What capabilities could she give the prey species, so they could survive in the presence of many predators?

To get a better understanding of the defensive tactics of prey species, it is worth spending a minute talking about the dominant strategies of predators. The three that I'll highlight are cruising, ambush, and the blend of these, which I'll call cruising-ambush. All of these offer similarities to the threat landscape we have been experiencing on the Internet.

  • Cruising: This is where the predator is continually on the move to locate prey. It's a pattern we can see reflected when the adversary broadly scans the Internet for targets. These targets are stationary in the sense that, once a target is found, a connection can be made repeatedly.
  • Ambush: Here the predator sits and waits. This strategy relies on the prey's mobility to initiate encounters. On the Internet today, we see this ambush pattern in a compromised web server sitting and waiting for prey to connect and pull down the exploits. The majority of malware is distributed in this ambush pattern.
  • Cruising-ambush: The blended cruising-ambush is by far the most effective predator pattern. The idea is to minimize exposure when cruising and employ effective ambush resources, which, in turn, cruise and create a loop in the pattern. A few threats exhibit this, such as a phishing campaign that broadly cruises for prey. Once the victim clicks on the phishing link, it quickly shifts to the ambush pattern, with a compromised web server sitting and waiting for the connection to download the malware.

Patterns of prey
There are many documented defensive patterns for prey species, and I'd like to explore the ones that can be applied to Internet security. In all of these cases, Mother Nature's common pattern is making the prey marginally too expensive for the predator to identify and/or pursue.

Certain prey species have raised the cost of observation and orientation so much that they are operating outside their predators' perceptive boundaries. Camouflage is one technique, and another is having parts of the organism be expendable, as in a gecko's tail or a few bees in the colony. Camouflaging can be accomplished in Internet security through cryptography or in the random addressing within a massively large space like IPv6. For the latter, where parts are expendable, one can imagine a front-end system where there are 100 servers behind an application delivery controller (ADC).

Another effective countermeasure to cruising found in nature is the dispersion of targets or the frequent changing of nonstationary targets. This raises the observation and orientation requirements of the predator. If the predator has to do more probing and searching in the reconnaissance phase, it becomes more easily detected.

The last prey species pattern I find useful is one of tolerance to loss. Some species have found a way to divert the predator to eat the non-essential parts and have an enhanced ability to recover rapidly from the damage. Likewise, subsystems should be able to fail, and this failure information be used as inputs to the system for recovery processes.

Species resilience
The game of survival and resiliency is at the level of species and not at the level of organism. Diversity, redundancy, and a high rate of change at the organism level provide stability at the species level. When we look at this pattern in information technology, we can quickly see the need for abstractions. For example, a web server farm of 10 servers (10 organisms) sits behind a load balancer that offers a service (the species).

Abstractions are available to us in our design of these systems, and we need to leverage them in the same way Mother Nature has over the past 3.8 billion years. Virtual servers, software-defined networking, virtual storage -- all the parts are at our disposal to design highly resilient species (services).

Prey species have found a way to establish a knowledge margin with their environment, and this is what we must do with our information systems. The systems you protect must continuously change based on two drivers: how long you think it will take your adversary to perform its reconnaissance and the detection of the adversary's presence. Each time your systems change, the cost for your adversary to infiltrate and, most importantly, to remain hidden is raised substantially, and this is the dominant strategy found in nature.

TK Keanini brings nearly 25 years of network and security experience to the CTO role. He is responsible for leading Lancope's evolution toward integrating security solutions with private and public cloud-based computing platforms. TK is also responsible for developing the ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GonzSTL
100%
0%
GonzSTL,
User Rank: Ninja
4/8/2014 | 11:54:18 AM
Re: Great analogy and analysis
I like the analogy. Now if we only have a few million years to adapt to the predators' tactics, and an unlimited amount of species to sacrifice in the adaptation, plus unlimited funds to maintain pace or overcome those tactics, we should be in good shape ...
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
4/7/2014 | 5:34:56 PM
Great analogy and analysis
Thanks for breaking down the threat landscape in such a vivid and imaginative way, TK! 
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19037
PUBLISHED: 2019-11-21
ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
CVE-2019-19036
PUBLISHED: 2019-11-21
btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
CVE-2019-19039
PUBLISHED: 2019-11-21
__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program.
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.