This article discusses:
- The state of adoption of Moving Target Defense (MTD) within enterprises
Today’s cyber defenses focus on defending unchanging (sprawling, distributed and untrusted) infrastructure by monitoring, detecting, preventing and remediating threats. Asymmetric uncertainty, or Moving Target Defense (MTD), introduces a shift in paradigm by imposing asymmetric disadvantages on cyber-adversaries. Adversaries face increased uncertainty and complexity because the target systems are subjected to multi-faceted changes. Higher levels of uncertainty and complexity increase the cost of malicious probing and attack efforts, preventing or limiting system intrusion. The common means through which MTD can be introduced are virtualization and workload migration, widespread and redundant network connectivity, instruction set and address space layout randomization, just-in-time compilers, etc. This is an emerging area that is yet to see wider adoption within enterprises. MTD techniques are often evaluated against their impact on system performance and the increased ongoing management effort they require. This document describes MTD in general and puts forward a point of view on its current adoption by security product vendors and enterprises.
Data breaches have been all over the news for a while now. Early September 2017 witnessed the Equifax cyber-attack. The attack vector used at Equifax was based on the Apache Struts web application. The specific vulnerability in Apache Struts allowed the use of file uploads, and the attackers were able to send malicious code and commands directly to the targeted server.[1] The year 2019 witnessed a major breach at Blur, where an unsecured server exposed a file containing 2.4 million user names, email addresses, password hints, IP addresses and encrypted passwords. Numerous breaches have been reported since the start of 2019, with notable ones involving tech giants such as Microsoft’s email service, Citrix, Wyzant, WhatsApp and Instagram.
The message is very clear. Enterprise CXOs are aware that this is a running war. Every day, new exploits and new tools are developed to breach networks. The techniques are sophisticated and operated by determined cyber criminals. Current cyber defense strategies within the enterprise are insufficient to detect and prevent such attacks, as the attacks spread in every possible direction within the network, conducting inspection, identifying resources and exfiltrating valuable data.
It is an attacker’s world
Both current malware attacks and the corresponding defenses center on the exploitation of network and system vulnerabilities. The motivation for MTD derives from the limitations of the defensive techniques currently used in cyber-attack prevention. At a high level, the cyber kill-chain is a multistage intrusion model:
- Penetrate the network
- Construct assault collection
- Lateral movement
- Privilege escalation
- Identify & compromise host/hosts
Current defense mechanisms are static and fall into two categories: obstruction and system remodeling. Obstructions are physical and logical isolation, access rules, segmentation, etc. The obstruction method is oblivious to side-channel attackers and suffers from the complexity of its rules and from storage constraints. System remodeling involves modification of the existing system structure via patching and upgrades to cope with inherent flaws. System remodeling is limited to partial changes and to known flaws. Hence, existing defensive methods are ineffective at resisting continuous reconnaissance and analysis during the attack phase. The situation is further complicated by interconnectivity and by vulnerable environments such as missing software updates and patches, networks with Internet of Things (IoT) devices, and end-of-support and end-of-life processors in turnkey systems.
The static nature of networks and systems, homogeneous network elements and certainty of composition often work in the attackers’ favor. For example, an attacker can zero in on a target system by collecting information about the network, and can then close the remaining knowledge gaps by combining this knowledge with zero-day and known vulnerabilities to reach the assault collection stage. Defense mechanisms that are based on prior knowledge will struggle to enumerate all possible attack scenarios and sources of vulnerabilities. Therefore, the gap between the attackers’ ability to comprehend target systems and their vulnerabilities and the defenders’ limited knowledge of security threats leaves an information advantage with the attackers.
Asymmetric Uncertainty Constructs
The “Shell Game” (also known as Thimblerig, or Three Shells and a Pea) dates back to ancient Greece: a target (usually a pea or ball) is hidden under one of three shells or cups, and the object of the game is to find the target after the shells have been moved. The same analogy can be drawn to the concept of asymmetric uncertainty. The premise of the defense is the dynamic or continuous changing of system and network attributes and configurations. The change increases the difficulty of an attacker’s intrusion and of acquiring and maintaining system privileges. This concept is still developing, and currently we can see the following types of constructs to change the attack surface:
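The shell-game premise can be put into numbers. The following is an added example, not code from the article: a small probability model (assumptions: one live service among n candidate addresses, an attacker probing addresses without replacement, and a defender that reshuffles the service's address every `period` probes) comparing the attacker's cost against a static target with the cost against a moving one.

```python
"""Added example (not from the article): the shell-game model of MTD.
Against a static target every probe eliminates a candidate, so n probes
succeed with certainty. Against a target reshuffled every `period` probes,
knowledge gathered before a reshuffle is worthless, so the attacker is
effectively sampling with replacement across epochs. The scenario and its
parameters are constructed for illustration only."""
from fractions import Fraction
import random


def static_success_probability(n: int, budget: int) -> Fraction:
    """Probability that `budget` distinct probes hit a fixed target among n."""
    return Fraction(min(budget, n), n)


def moving_success_probability(n: int, budget: int, period: int) -> Fraction:
    """Probability that `budget` probes hit a target reshuffled every `period`
    probes. One epoch of k probes succeeds with probability k/n; epochs are
    independent because each reshuffle discards the attacker's knowledge."""
    full_epochs, remainder = divmod(budget, period)
    p_fail_epoch = 1 - Fraction(min(period, n), n)
    p_fail = p_fail_epoch ** full_epochs * (1 - Fraction(min(remainder, n), n))
    return 1 - p_fail


def expected_probes_static(n: int) -> Fraction:
    """Expected probes to find a fixed target by exhaustive search: (n+1)/2."""
    return Fraction(n + 1, 2)


def expected_probes_moving(n: int, period: int) -> Fraction:
    """Expected probes against a target reshuffled every `period` probes.
    Epochs until success are geometric with p = k/n, so (1/p - 1) epochs fail
    at full cost; within the successful epoch the hit is uniform over 1..k."""
    k = min(period, n)
    p = Fraction(k, n)
    return (1 / p - 1) * period + Fraction(k + 1, 2)


def simulate_expected_probes(n: int, period: int, trials: int = 4000,
                             seed: int = 7) -> float:
    """Monte Carlo check of expected_probes_moving on a constructed scenario."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        probes, found = 0, False
        while not found:
            target = rng.randrange(n)  # defender reshuffles the live address
            for addr in rng.sample(range(n), min(period, n)):
                probes += 1
                if addr == target:
                    found = True
                    break
        total += probes
    return total / trials
```

With n = 16 and a reshuffle every 4 probes, a 16-probe budget succeeds with probability 1 against the static target but only 175/256 against the moving one, and the expected cost rises from 8.5 to 14.5 probes; as the reshuffle period shrinks relative to n, the expected cost approaches n, the cost of sampling with replacement.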