How an Immune System Works
I believe that a cyber-defence system would be more effective if it borrowed more heavily from how biology handles the attack that gave computer viruses their name. (In Part 1, we highlighted the problem with cyber-defence systems based on a military metaphor. You can read Part 1 here.)
In biology, the body’s immune system is organized around two elemental principles: a sense of self and a whitelist. These principles allow a biological system to respond to a threat rather than merely react to it.
Let me outline broadly what that means:
To an immune system, everything that is not part of ‘itself’ is a threat and is destroyed, without exception. This presupposes that the defence mechanism knows what is itself, which is achieved by means of markers identifying every cell as ‘self’. When it encounters something without a marker, that thing is destroyed. This is the reason that cancer is such an insidious disease: the body cannot identify it as harmful.
When the body requires an exception, it is specifically provided. For example, when sperm is introduced into a woman’s body it carries one of 14 or 15 markers, called CD1 to CD14 respectively, together with an appropriate independent confirmation mechanism. These exceptions are subsequently treated as not hostile as long as the marker is present. This is like a firewall.
A graduated set of defences comes into play when there are intrusions. The first is a physical layer, like the mucous membrane, which prevents entry to everything without discrimination. Beyond that, the human immune system has two main branches: the humoral response and the cell-mediated response, mediated by B cells and T cells respectively.
The next line of defence is antibodies that are available for ‘known’ infections. This takes the humoral response path. Whenever an antigen is spotted in the blood stream, the B-Cells signal the type of infection so that the correct antibodies are triggered and they take care of the infection by binding with the antigen. Bacterial infections are handled this way. This is also the way that newer strains of bacteria of older infections are able to infect the body again – they mutate so that the old antibodies no longer work. This is very similar to how an anti-virus works.
A virus, on the other hand, hijacks the cell’s replication mechanisms to replicate itself. This kind of infection triggers the cell-mediated response. Various subpopulations of T cells recognize the antigen presented to them. The immune system makes the cells respond to the antigen by developing cytotoxic T-lymphocytes, which mediate the killing of virus-infected cells. Simply put, when the replicated viruses hit the bloodstream, the T cells message the immune system with the signature of the infection, initiating a new set of defences that try to craft an antibody to this new infection. The way the immune system destroys an antigen is by neutralizing its reactive surface: it creates a negative of that surface and plugs it. Multiple plugs and sockets are tried simultaneously, and once one works, a confirmation message is sent to the body via specific cells. That defence is then propagated to the entire infected area and the threat is neutralized.
Once a working antibody is produced, the immune system now knows how to handle that type of infection – the reason why vaccination works.
This response is local and, largely, allows the rest of the system to continue to function.
That is a schoolchild-level understanding of how the body’s immune system works.
The key points are that the immune system is not threat-specific and is hence resilient. It is also graduated in its response: it does not deploy the big guns up front for a small infection or for an infection it already knows how to handle. It is economical with resources and matches the response to the severity of the threat.
While it works on a whitelist basis, it also creates a blacklist of known threats in the form of antibodies, and this blacklist works at the operating layer of the antigen, where it interfaces with the body. Therefore, it is not fooled by minor changes in presentation.
Finally, the immune system, through the operation of B cells and T cells, has a sophisticated mechanism for detecting when it is under attack. This detection takes cognizance of anomalous behaviour, intrusion and confirmation. The approach is abundantly suspicious without compromising the functioning of the organism. The immune system does not assume that authority is granted just because access has been achieved.
Characteristics of an Immune System Based Cyber-Defence
A cyber-defence organized around those principles would have the following characteristics:
- No assumptions should be made about the threat vector. Any anomaly, either in behaviour or in signature, should be isolated and neutralized. This implies that all transactions that are part of the system are marked in a way that cannot be repudiated.
  It also implies that the cyber-defence system is intelligent enough to distinguish between anomalous behaviour and mere outliers, and to respond appropriately.
  This kind of intelligence in cyber-defence is being worked on in research labs but has not become mainstream yet.
- All exceptions have to be independently validated before being granted, and they need to be renewed continually.
  Encryption at the transaction level achieves this currently.
- The threat should be isolated and handled locally, allowing the rest of the system to function. When under a broad-scale attack, the system should be able to escalate the response locally while allowing the rest of the system to keep functioning, even in an impaired fashion, or to fail over gracefully.
  This approach requires a rethinking of both the underlying system and the cyber-defence layer.
- All threats that are successfully handled should be identified at the operating level and shared publicly: an equivalent of a vaccine. This is an extension of the current blacklist-based systems.
  Such information is treated as intellectual property currently and comes into the public domain only after some delay. Maybe governmental regulation and industry bodies could step in to open-source this more effectively.
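To make the four characteristics above concrete, here is an added illustration (not code from the original article): self markers as non-repudiable HMAC tags, exceptions that need independent confirmation and expire, a blacklist keyed on canonicalised behaviour rather than its presentation, and a response that stays local and scales with severity. The key, zone names and action strings are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret standing in for the system's 'self' marker key.
SELF_KEY = b"demo-self-key-not-for-production"

def mark(txn: bytes, key: bytes = SELF_KEY) -> str:
    """Attach a non-repudiable 'self' marker (HMAC-SHA256) to a transaction."""
    return hmac.new(key, txn, hashlib.sha256).hexdigest()

def is_self(txn: bytes, marker: str, key: bytes = SELF_KEY) -> bool:
    """Whitelist rule: anything without a valid marker is 'not self'."""
    return hmac.compare_digest(mark(txn, key), marker)

def grant_exception(requester: str, confirmer: str, ttl: float, now: float):
    """Exception (the article's CD-marker analogy): requires independent
    confirmation and carries an expiry, so it must be renewed, not held forever."""
    if confirmer == requester:  # a party may not confirm its own exception
        return None
    return {"who": requester, "by": confirmer, "expires": now + ttl}

def exception_valid(exc, now: float) -> bool:
    return exc is not None and now < exc["expires"]

def behaviour_signature(actions) -> str:
    """Blacklist key at the 'operating layer': canonicalised behaviour, so
    cosmetic changes in presentation (case, spacing) do not evade it."""
    canon = "|".join(a.strip().lower() for a in actions)
    return hashlib.sha256(canon.encode()).hexdigest()

def respond(zone_hits: dict, zone: str, known_bad: bool) -> str:
    """Graduated, local response: cheap handling for known threats,
    escalation confined to the affected zone."""
    zone_hits[zone] = zone_hits.get(zone, 0) + 1
    if known_bad:
        return zone + ": apply stored antibody"
    if zone_hits[zone] < 3:
        return zone + ": isolate and observe"
    return zone + ": escalate locally, other zones unaffected"

if __name__ == "__main__":
    txn = b"transfer:100"
    print(is_self(txn, mark(txn)), is_self(txn, "0" * 64))  # True False
    same = behaviour_signature(["Login", " Read report"]) == \
        behaviour_signature(["login", "read REPORT"])
    print(same)  # True: presentation changed, behaviour did not
```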
As you can see from the characteristics listed above, cyber-defence can move away from being reactive if it substitutes a biological metaphor for its current military metaphor. A cyber-defence modelled on a biological immune system will be more effective in handling current and future cyber-threats. This article has identified the characteristics of such a cyber-defence system.
Future articles will explore individual components of such a cyber-defence system in greater detail and rigour.