Malware and Caves and Dragons, oh my!

In this post I talked about sampling bias. I'm going to expand more on that subject, because I think it's interesting and useful.

Cavemen are a popular trope. We like to think that our ancestors spent all their time in caves, because that's where the evidence we've found comes from. Caves protect artifacts, so of course that's where the artifacts are found. That doesn't mean our ancestors spent all their time in caves at all. It just means that's where the evidence survived.

We run into similar problems when studying malware. We often use a sandbox to contain the malware, but that often means we only see what the malware authors want us to see: a sample that detects the sandbox can simply behave differently inside it. We're stuck in a cave, in other words.

The problem is that outside of the cave lies the potential to affect other computers that aren't interested in being part of the experiment. We want to know how malware works outside of the cave, but as old maps used to say, "Here be dragons". (Well, they didn't say that, but it works for this analogy.) Outside of the cave, dragons. Inside of the cave, misinformation.

We want containment to avoid the dragons, but at the same time we must be aware that we are dealing with potential misinformation. This makes generalizing about malware difficult, but in order to study it appropriately, we must try.

DTRAP promotes containment in studying all cybersecurity, not just malware.  We want to be responsible researchers and not release the dragons.
