This is the first of a multipart blog. I want to advocate a process change to continuously monitor an organization’s digital population, healthy or otherwise, modeled after Dr. John Snow and the Center for Disease Control and Prevention’s Epidemic Intelligence Service (CDC EIS). This Snow–and-CDC inspired process will help in detecting outliers or indicators of early stage digital disease onset, limiting the exposure time to hosts, and limiting the total cost of loss. Instead of waiting for a digital disease outbreak to engage responders, we should engage in the constant day to day analysis of population health data to find the digital disease pathogen before it becomes an epidemic and possible pandemic. In this paper I’ll discuss Dr. Snow’s investigation of cholera and how his investigation method relates to digital disease detection, response and prevention. I will also cover some tools used in epidemiology that demonstrate epidemiology’s applicability to advance the information security field.
Digital diseases are endemic; similar to how bacteria, parasites and viruses maintain a continued presence in the human population. In the field of medicine, epidemiologists are constantly on the lookout for patterns that indicate a new disease pathogen is causing unwanted health outcomes in the human population. Information security researchers have already taken a page from epidemiology for such things as malware distribution frequency, and transmission pattern analysis. It is no surprise that the popular word used to identify malicious code is “virus.”
We need to move beyond passive monitoring of our digital population. I have observed a large number of organizations passively waiting for their hosts to report into their respective security management servers or helpdesks for hosts which have detected something is awry. In the medical field, this would be the equivalent to waiting for people to walk into the emergency room to get emergency treatment. By the time the patient is noticeably sick and reporting to the emergency room, the disease has typically already progressed to dangerous levels, and has probably spread to other people.
If we actively survey our populations and proactively share the information with other teams, we are more likely to find the originating host, possibly before the host realizes they are sick. In this writing, I will outline and argue that epidemiology is the field to emulate in order to better protect our digital hosts from digital diseases in the continuously evolving digital disease landscape. I will introduce the terms epidigitalogist and epidigitalogy to represent the ideas posited in this writing. The word epidigitalogy is inspired by epidemiology. Epidemiology is composed of three latin words; epi meaning "upon," demos meaning "people," and logos “the study of.” So “epi-demos-logos” means the study of what is upon people. In that light, I have created the word “epi-digital-logos” to mean “the study of what is upon the digital.” As you read this document, please keep that in mind when you see words referencing epidigitalogy; it means that epidemiology concepts are applied to digital resources.
Today's information security professional typically waits for alerts to arrive from intrusion prevention systems, firewalls, endpoint protection, and operating systems before taking action. Information security professionals traditionally monitor event aggregators, separate management consoles or centralized security information event management appliances to become aware that they need to take an action. Unfortunately, most logging technologies alert only when they have a preexisting signature that identifies a specific type of attack, or type of known behavior. In other words, logging technology must have a vaccine that was written for a previously seen digital disease pathogen. Some very advanced security technology solutions look for patterns indicating that an infection or unwanted code is present based on some form of local process behavior, with less specific signature or behavior descriptors. This approach tends to identify more, but is also prone to false positives. Information security professionals tend to shy away from these fuzzy threat identification approaches with prevention enabled, due to their fear of high false positive rates impacting business productivity.
I have observed a large number of organizations who employ a ticket-based approach to security. These corporations have highly skilled people waiting for tickets to be generated to tell them what to fix. Their emergency room equivalents or Information Technology Help Desks, Incident Response teams are overwhelmed with extremely sick hosts. If security professionals continue passively waiting for tickets or alerts to be generated, digital disease pathogens will have more time to dig deeper and spread further before being noticed. This leads to the typical security practice of wiping and reimaging the diseased host. The time and resource constraints of working in the equivalent of an information security emergency room which is handling hosts does not afford the information security professional the time to investigate the functionality, purpose, or origin of digital disease pathogens. If our information security professionals are too busy acting like emergency room technicians performing heroic efforts to fight the non-stop influx of diseased hosts, they will never become epidigitalogists capable of preventing or slowing the digital sickness before it has an opportunity to spread.
In epidemiology, the idea of a disease triad is used to identify the three key factors to control diseases: the host, the environment and the pathogen.
[1] Epidigitalogy: a proposed branch of security that deals with the incidence, distribution, and possible control of digital diseases and other factors relating to digital resources inspired by epidemiology.
Only when all three components converge does a digital disease take effect.
I am proposing numerous ways to leverage epidemiological investigation techniques. One of the techniques is active surveying of the population. A second technique is conducting cohort studies and case-control studies on the digital population data. Both techniques may be utilized to make changes to the environment of the population and to recommend behavioral changes to the users, or apply digital controls to hosts. Ideally, active surveying continually analyzes large quantities of host and environmental data already collected from the organization’s existing logging resources to generate reports or visualizations that help the epidigitalogist to spot trends, similarities, differences, or outliers across different hosts and environmental attributes. For example, an external security feed reports that digital disease pathogens are exhibiting symptoms A, B, and C where A, B and C are associated with USB usage, network share access, and new file creation respectively. These symptoms may be based on externally-provided or internally-generated Indicators Of Compromise (IOC) descriptions. A survey conducted on the environment for symptoms A, B, and C may provide some tables and graphs with hosts matching the described symptoms. A graph’s results may not provide 100% assurance that the machines in question are infected, but may provide some guidance on which machines are likely to have a digital disease. A different approach, without an external feed, would require plotting of all internal applications on a frequency distribution curve to illustrate which applications are most prevalent and which are least prevalent. The applications with the least prevalence would most likely be targets for further investigation. Of course, prevalence is not the only marker of interest; low prevalence applications may simply be internally developed software installed on a small number of hosts. Once digital disease pathogens are identified, a follow-up survey report across the enterprise on the time of origin and where the digital disease pathogens have been seen may indicate if further investigation is warranted. For example: a set of files that only exist on five systems, and all files arrived through a web browser within the last two days, followed by critical system file modifications may be something worth investigating further. All of this investigating may be perceived as a waste of resources and time. However, it is much better to sweat running around surveying hosts during peacetime on a corporate defined schedule, rather than to run around bleeding data during a diseased state caused at an adversary’s chosen time.
Applying different policies to different host groups under study will help in identifying differences in digital disease pathogen handling. For example, one host group is given a digital disease mitigating control in the form of an application control policy that monitors and prevents USB drive execution activity and monitors network share autorun.inf write activity, while a different group does not. The results over time will show the differences in the exposure to a digital disease pathogen and the resulting host health outcome; obtaining a digital disease health outcome. The benefits illustrated by the experiment will help in obtaining approval from management to activate a specific prevention capability that may impact some productivity or specific function, but the benefits can be shown to outweigh the risk. Management’s reluctance to implement a control for fear of productivity loss can be weighed against the productivity loss due to a digital disease epidemic.
Go to next blog post titled "Origins of Modern Epidemiology".
What do you think of this post? Please let me know what you think.