Security Experts:

Lessons from Bees & Sewage: Data Security Needs More Investigative Initiatives

I used to keep bees. I turned in my veil and smoker one July afternoon after a ride in an ambulance, lying on a gurney and facing the “death clock” mounted above the rear doors. I’d been stung by bees before, one at a time, with no troubling reaction, aside from the expected swelling and tenderness at the sting site. In fact, I would occasionally get stung on purpose for joint pain from an old injury, a treatment known as apitherapy.

This day, however, this bee found a gap between my glove and sleeve, was annoyed by the heat of the summer afternoon and the poking around in their hive, and stung me. Stinging bees release pheromones, signaling to other bees that a threat is present, and two more bees got their licks in. I backed away and removed my veil as I was starting to feel the day’s heat as well, which turned out to be my face swelling to twice its normal size, my eyes cratered and red in my now pumpkin-sized head. Spoiler alert!—I survived, and a subsequent allergy test confirmed I’m allergic to the venom of mixed vespids, which turn out to be honey bees, yellow jackets, hornets, and wasps, and not European motor scooters. Expert tip: find out if you’re allergic to bee stings before you take up beekeeping.

Honeypots for Security

Some people keep bees for honey, some to pollinate orchards; I kept them to help protect against colony collapse disorder. And now a U.K. researcher, Thomas Thwaites, is working on a project to use bees to locate genetically modified plants in urban areas. The application is primarily focused on detecting violations of pharmaceutical copyrights, such as the research being conducted by a Korean company to create a genetically modified tomato containing an edible version of the vaccine for Alzheimer’s disease. The techniques to insert genes into plants are within reach of the amateur—and criminals—who might create a genetically modified organism, or GMO, which on the surface looks like an innocuous (although tasty) tomato, but contains THC, the “active ingredient” in marijuana.

The project is only in the research stage at the moment, and is based on pollen forensics. Pollen from different areas has unique fingerprints, and sampled in hair, on clothes and furniture, and inside cars, can be used to identify where an individual has been. The makeup of the pollen can also be analyzed to determine the plants it came from.

In the police project, a pollen trap is installed at the entrance to the hive to capture a sample when a bee arrives with material in its pollen basket. An internal camera records its “waggle dance”, a series of movements that precisely communicates to other bees where it found the lucrative foraging spot. Police can test the pollen sample and decode the “waggle dance” to identify and locate narcotics growers and intellectual property thieves.

A similar project in actual production can identify substance use and abuse in populations by testing sewage from public sources. That is to say, without breaking into your house and dipping a ladle in your toilet. The data only reveals the aggregate levels of a host of elements in a community, including caffeine, alcohol, illegal drugs, and abused prescription drugs such as oxycodone. However, this data could be used to target a community with a high volume of drug use, or one consuming a specific element, like synthetic versions of pharmaceuticals, indicating possible illegal GMO patent infringement, and then deploy police bees in that area.

There are lots of hurdles with both projects, such as decoding the “waggle dance” accurately, compensating for potency levels in the original drugs, and distinguishing between legal prescription drug usage and recreational use of the same. The data is being refined through correlation with emergency room visits, police reports—for example, to account for a spike in concentration when a dealer flushes his stash down the toilet during a drug bust—and demographic context, such as the number of drug research facilities in the test geography.

Besides being fascinating research projects, both strike me as being relevant to information security, specifically the gathering and correlation of data. As with both projects, information security needs to invent novel approaches to solve problems such as profiling user activity, uncovering suspicious behavior, and identifying the miscreants; our current crop of security technology isn’t the answer.

And because both projects involve police activity, it’s useful to look at the functions of modern police departments. Police are a constituted body of persons empowered by the state to enforce the law, protect property, and limit civil disorder; generally their charter is the preservation of order. In most Western police forces, the most significant division is between preventive and investigative roles. Military police distinguish between law enforcement and security, the latter of which is the defense of territory and property, such as military bases and aircraft. One can broadly superimpose police organization onto information security:

| Function | In Real Life | In Digital Space |
| --- | --- | --- |
| Security | Uniformed police, watching the day-to-day activity, defending property. | Traditional security folks in information security, building out the infrastructure, administering controls, and monitoring activity. |
| Law Enforcement | Uniformed police, responding to illegal activity. | Incident responders, working with legislators, usually executives and HR, to enforce organizational policies. |
| Investigations | Detectives, investigating before a crime has been committed, at the first sign of illicit activity, and as a forensic activity. | Hybrid of researchers and advanced incident response analysts. |

We in information security are pretty good at the first, security as a preventive measure, and so-so at the second, incident response. For the most part we outsource investigations to both large security and consulting companies and boutique firms. However, research and investigation are crucial to understanding threats as they evolve and to informing security teams so they can adapt their countermeasures effectively.

The lesson from bee police and sewage scrutiny is that we need to figure out ways to tag or watermark data so we can detect illicit activity. One tactic is to seed valuable data with false, but credible-looking, records or documents, and monitor them. There’s no legitimate reason to access those records or documents, so when someone touches them, it’s inherently suspect. You can also monitor the internet, say through Google Alerts or regular searches on Pastebin, looking for the markers as early warning signs of a breach.
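The two checks described above, seeded records watched in access logs and markers watched for on public paste sites, as an added example that is not part of the original column. The honeytoken records, the access-log format, and the sample log and paste text are all constructed for illustration, not taken from any real product.

```python
import re
from dataclasses import dataclass

# Constructed honeytoken records: credible-looking, but no business process
# ever needs them, so any access to them is inherently suspect.
HONEYTOKENS = {
    "C-10427": {"name": "Marta Lindqvist", "email": "m.lindqvist@example.net"},
    "C-20913": {"name": "Devon Okafor", "email": "d.okafor@example.org"},
}

# Constructed access-log format (an assumption, not any real product's):
#   <timestamp> user=<account> action=<verb> record=<customer id>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<rec>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    action: str
    record: str

def detect_honeytoken_access(lines, tokens=HONEYTOKENS):
    """Return an Alert for every log line that touches a seeded record.
    Malformed lines are skipped rather than raising."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("rec") in tokens:
            alerts.append(Alert(m["ts"], m["user"], m["action"], m["rec"]))
    return alerts

def find_leaked_markers(text, tokens=HONEYTOKENS):
    """Scan text pulled from a paste site or search alert for honeytoken
    markers (ids and e-mails); a hit is an early warning that the set leaked."""
    markers = set(tokens) | {t["email"] for t in tokens.values()}
    return sorted(m for m in markers if m in text)

# Constructed sample input: four well-formed entries and one junk line.
SAMPLE_LOG = [
    "2013-03-04T09:12:01Z user=alice action=read record=C-10001",
    "2013-03-04T09:12:07Z user=svc_report action=read record=C-10427",
    "2013-03-04T09:13:40Z user=bob action=update record=C-10533",
    "2013-03-04T09:15:02Z user=svc_report action=export record=C-20913",
    "garbage line that does not parse",
]
SAMPLE_PASTE = "C-10533,bob@example.com\nC-20913,Devon Okafor,d.okafor@example.org\n"
```

Running `detect_honeytoken_access(SAMPLE_LOG)` yields two alerts, both for the `svc_report` account, and `find_leaked_markers(SAMPLE_PASTE)` reports the second seeded id and its e-mail address.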

Another tactic is to deploy honeynets, whose benefits I’ve lauded before. They’re a great tool for infosec investigation and research. And the tie-in to bees is purely coincidental.

Certainly these aren’t the only two investigative tools we can employ. As with Thomas Thwaites, the trick is to come up with creative ways to combat threats. Who’d have thought pollen was useful for more than making your eyes itchy and manufacturing (beeufacturing?) honey? Or that human waste is the real-world version of big data?

But in order to come up with these moments of inspiration we have to stop relying so much on defensive technology and start hiring more people; rely not so much on circuits as on neurons, yet supported by our silicon-based helpers. The argument is that there aren’t enough security experts to staff the basic positions, although those claims largely emanate from the difficulty the U.S. government is having, and may be due to the need for candidates willing and able to obtain a security clearance, and to the fact that private startups have greater sex appeal to security geeks. Another consideration is the price tag on a seasoned security practitioner. I’d argue that you only need 10 to 15% of your security staff with significant experience; the rest can be trained in the trenches—a strong incentive to ambitious candidates—or offered a job ladder through the ranks of the infosec roles.

The world is complicated, particularly where security is concerned. It’s Spy vs. Spy: as soon as you believe you’ve profiled the enemy, they change their tactics. But what can you do but accept that the challenge is insanely hard and just get to the task? The beginning is usually difficult and frustrating, but eventually you end up making breakthroughs and reaching the inflection point, the sharp curve on the hockey stick where progress accelerates.

If you want proof just look at genetic engineering, the product of which Thomas Thwaites is targeting with his bees. Anyone with the wherewithal to cook meth can switch trades and create a mutant, narcotic potato (my colleague and friend, Diana Kelley, claims a trademark on “PotTots”). Just ten years ago this was PhD level work.

The thing that frustrates me about the information security industry is that for every researcher tackling an insanely hard problem, there are ten standing behind her, arms crossed and frowning at the wasted effort. I contend that defeatism is weakness; it concedes failure before even starting.

And so despite my near-death experience, I still remain fascinated by bees. I’ll sit by the entrance to my brother-in-law’s hives and watch the foragers come and go with pollen in an array of colors stuffed in the pollen baskets on their legs, robber bees with shiny black bodies because their yellow fuzz was gone from countless tangles with hive guards, and undertakers dragging dead bees out of the hive and launching them off the landing board to an inglorious final resting place in the dirt below. I never thought of it as research, but perhaps that’s where the real epiphanies happen—in zen moments unrelated to the problem you’ve been trying to solve elsewhere.

Related: ENISA Issues Comprehensive Report On Deploying Honeypots

Related: SCADA Honeypots Shed Light on Attacks Against Critical Infrastructure

Chris Poulin brings a balance of management experience and technical skills encompassing his 25 years in IT, information security, and software development to his role as Chief Security Officer at Q1 Labs. Prior to joining Q1 Labs in July 2009, Poulin spent eight years in the U.S. Air Force managing global intelligence networks and developing software. He left the Department of Defense to leverage his leadership and technical skills to found and build FireTower, Inc., an information security consulting practice.