Published on July 22nd, 2015 | by admin
Human Behavior and The Evolution of Cyber Security
In 1859, Charles Darwin published a book that took the world by storm, called The Origin of Species by Means of Natural Selection. It has been both embraced and ridiculed over the years, but the fact remains that it is the best explanation we have, to date, for how and why any life form on this planet exists.
In this article, we’ll explore in a simplified manner, the concepts of evolutionary theory and how they can be applied to cyber security. Once we understand these concepts, we can then use the same principles to counter cyber threats in a more successful and long term manner.
The Evolution of Cyber Security
When we talk of cyber security, we’re really talking about the same behavior that is related to any security need throughout our lives and throughout human history. Security is about the threat to, and protection of, resources. These resources can be anything: food, shelter, a nice warm cave, your wallet, or a database full of customer credit card numbers. The threat can be a marauding group from a neighboring tribe, a pickpocket in a metropolitan city, or a cybercriminal based in a flat in some far off location. Whatever the situation we find ourselves in, when protecting our resources, the same sets of behavior exist no matter if dealing with the real world or the digital world.
As human beings entered the Neolithic period, we developed farming. We stopped being nomadic and became more sedentary; we developed ways of storing items, such as food, in the form of pottery like granaries around 11,000 years ago. Once we started to own items, others started to want to take those items from us. Battles ensued. But as we developed the concept of ownership to a more sophisticated level, we then also developed the idea of stealing that ownership away. Human beings have always wanted what others have.
But what has Darwin got to do with any of this?
What Darwin proposed was not as is often misquoted, ‘the survival of the fittest,” but instead it is that survival (and reproduction) depends on the ability to change as environmental conditions change. Species that are effective in this, that are able to flourish even when the world around them changes, will reproduce and therefore survive. They often have to change themselves to compensate, but they continue to survive because of that ability to adapt. This concept of adaptation, or natural selection, is a key one that I will return to.
Taking another’s resources is a fundamental behavior that we humans have used to increase our chances of survival. In the past, this meant stealing food or invading places of living; but today, this has been extended to include stealing digital resources for financial gain, for cyber espionage purposes, or even for state reasons. Darwinian theory explains this as a natural part of being human: the need to survive to reproduce, to pass on our genes to another generation by whatever means necessary.
Another interesting application of evolutionary theory is looking at how cyber security technology has evolved to handle changing threat landscapes. This time we’ll use evolutionary game theory. Evolutionary game theory explores the dynamics of contests for resources, or in other words, how an agent (e.g. a human being) develops a strategy to gain a resource, testing this strategy out against other agents until one strategy comes out on top. This is called an evolutionary stable strategy or ESS.
The most classic example of this type of game theory is known as the Hawk and Dove contest. This is a fairly simple pay-off type exercise, where you have two strategies in an attempt to own a resource. The two strategies being either display or Dove (back down from a fight) – D, or escalate Hawk (take up the fight) – E. The outcome from the possible combinations being:
If v is the resource, c the cost of the strategy:
Or in other words, if you take an aggressive stance against someone who backs down from a fight, the aggressor wins.
How does this apply to cyber security?
If we take this to its natural conclusion and view cybercriminals as aggressors (hawks) against an enterprise, and that enterprise takes the stance of a dove and doesn’t defend itself well, then the cybercriminal will ultimately end up with the resources. However, if both are highly aggressive, both will suffer, and we’ll end up with an arms race, which is, in fact, where we find ourselves today.
We can also see how this is being played out in the real world of cybercrime. Cybercriminals have been playing strategies to see which is the best fit. These may not have been done with foresight, but they have had outcome. We have seen attacks evolve from simple virus infections through to the sophisticated, behavioral based intelligence gathering of APTs. We are currently at a place where the cybercriminal is taking the strongly hawkish position, while we, as enterprises, are trying to keep up with the aggressor with our current tools losing effectiveness as the security environment changes. We need to adapt to allow our strategies to evolve so we can take the position of a hawk and push the cybercriminal into the dove position.
Applying evolutionary theory to the development of effective security technologies
We’ve seen how evolution is based on adaptation to a changing environment. We’ve also seen that within any given environment we can take a stance and develop a strategy that allows us to compete for resources within that environment.
We need to apply this thinking to security tools. By learning the behavior of cybercriminals and watching the development of their strategies to try and take our resources, we can develop competing strategies. Just as cybercrime has adapted and worked out new strategies to become ever more effective in disrupting our business processes, procedures, chains and resources, we need to also adapt how we respond to this threat.
The old ways of hardening the network are long gone. As our environment has changed, bringing us internet connectivity across enterprise perimeters, the consumer driven economy has changed the way we interact with our customer base. And as working environments also change and BYOD becomes ubiquitous, we have to up our game and bring in security strategies and tools that can deal with this new landscape. This will give us a competitive edge over the cybercriminal, allowing us to adapt to the changing environment of work, the Internet and cyber threats that take advantage of them.
Security 2.0 will be about understanding behavior and watching evolutionary stable strategies evolve as cybercriminals change their tactics and go after different types of resources. We are already seeing a shift from a more simple, scatter gun approach attack – favored by the opportunist individual hacker – to the highly focused spear phishing and targeted breaches of personal data used by organized gangs and applied to continued subsequent attacks.
To become a hawk in the game of cybercrime we need to be watchful and learn. We need to use tools that allow us to analyze behavior: see the what, where and why of a cyber-attack so we can respond swiftly and accurately to close off the vulnerability as rapidly as possible. We can get to a place where we are winning the game if we create our own successful security strategy and use security tools and methodologies fit for new environments.
Discover SS8’s rapid remediation solution for enterprise security. Download: Rapid Remediation: Actionable Insight, Analysis, and Visualization for the Enterprise.