Moving target defense vs. moving target attacks: The two faces of deception
Deception techniques have traditionally been among the favorite methods in the attackers’ arsenal. Surprise and uncertainty provide the attacker with an inherent advantage over the defender, who cannot predict the attacker’s next move. Rather surprisingly, however, the broken symmetry can also be utilized by the defender.
Moving Target Defense (MTD) aims at creating asymmetric uncertainty on the attacker’s side, by changing the attack surface. The US Department of Homeland Security (DHS) defines MTD as, "the concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts."
This point of view comes from the understanding that absolute security is not an achievable goal; there is an asymmetry between the attackers' and the defenders' costs and efforts. Therefore, there is a need to implement a new paradigm for changing the costs and efforts in this adversarial game.
Over the years, numerous techniques have been developed to enable recurring modifications of cyber-attacks. The below table lists the more common moving target attack techniques, followed by an explanation of each:
Polymorphism is commonly used by malware authors in order to evade AV detection. By encrypting the malware’s payload, including its code and data, the attackers gain two main advantages. First, they can easily generate different instances of the same malware by using multiple encryption keys. Obviously, this renders the signature-based anti-malware facilities ineffective, as new instances have a new and unknown static signature. Secondly, the malware can bypass even deeper static analysis since its code and data are encrypted, so not exposed to scanners. Using metamorphism techniques, the malware’s author complicates the detection further by changing the in-memory code at every execution.
While polymorphism and metamorphism aim at evading automatic file and memory scanning, obfuscation is also effective against manual inspection of the code. Using obfuscation, the malware’s author creates code which is extremely difficult for a human analyst to understand. This is achieved by creating payload with obscured strings, dummy code and complicated function call graph which can be re-generated randomly with each instance of the malware.
Sandboxes and virtual machines are essential tools for malware analysts. Consequentially, modern malware can employ anti-VM and anti-sandbox mechanisms to detect if they are running within a virtualized sandboxed environment. If a VM or sandbox is detected, the malware alters its behavior and avoids any malicious activity. Once executing on real systems, after being tagged as benign, the malware starts its malicious activities. In the same manner, malware can use anti-debugging techniques to void debugging and run-time analysis.
Encrypted and targeted exploits have been used recently as part of exploits delivered through web pages ('exploit kits'). To avoid detection, URL patterns, host server, encryption keys, and file names are being changed on every delivery. These exploits can also evade honeypots by limiting the number of accesses to the exploit from the same IP.
Finally, some types of attacks are beginning the exploitation phase only after some real user interaction (e.g., web-page scrolling). By doing this, the attacker ensures execution on a real machine rather than automated dynamic analysis.
Those effective deception methods have rendered the defensive mechanisms inefficient over the years, and have led the attackers to a point of superiority. The defender is endlessly chasing the attacker, investing massive resources and efforts merely to detect and prevent previous kinds of attacks. Consequently, the traditional symmetry between defenders and attackers is broken. The attacker knows whom he is going to attack, when, where and by which weapons, while the defender is in a state of constant uncertainty.
There are three main categories of MTD security: (1) network level MTD, (2) host level MTD, and (3) application level MTD.
Network-level MTD includes several mechanisms developed over the years. IP-hopping, for example, was used to change the host's IP address, thus increasing the network's complexity as seen by the attacker. Transparency is achieved by keeping the real host's IP address and associating each host with a virtual random IP address.
Some techniques aim at deceiving the attacker at the phase of network mapping and reconnaissance. The techniques include using random port numbers, extra open or closed ports, fake listening hosts, and obfuscated port traffic. Other techniques aim to provide the attacker with fake information about the host and OS type and version by, say, generating random network services responses which prevent OS identification.
Host-level MTD includes changing the hosts and OS level resources, naming and configurations to trick the attacker.
Application MTD involves changing the application environment in order to trick the attacker. For example, Address Space Layout Randomization (ASLR), which was introduced by Microsoft, involves randomly arranging the memory layout of the process’s address space to make it harder for an adversary to execute its shellcode.
Other techniques involve changing the application type and versioning and rotating them between different hosts, or using different settings and programming languages to compile the source-code, generating different code in every compilation. Table 2 lists the common techniques used in the different categories of MTD.
The “Moving Target Defense” paradigm promises to break the (a)symmetry between the attacker and the defender. Now the attacker must also operate under uncertainty and unpredictability, where previously these were the concerns of the defender alone.
While network-level MTD is an interesting concept, randomizing IP addresses, network topology and configuration is not sufficient. The final destinations for attackers are the hosts, servers and end-points located behind the networks, firewalls and routers. The Operating System and applications are the lucrative target for zero-day exploits, malware and Advanced Persistent Threats (APT), and hence they serve as the main playground in the attacker-defender game.
Admittedly, the MTD paradigm is still in its infancy, yet it is safe to predict that it's best focused on applications and operating systems.
Some new technologies are taking the MTD paradigm to the next level, by creating environmental modifications of the application and the operating system, in a manner unknown to the attacker. Consequently, the elementary presuppositions used by the attacker in planning and deploying the offensive steps are made irrelevant. Each function call, jump to address or resource access entails potential failure, along with full exposition of the attack. Under these conditions, the costs of the attack rise steeply, while its probability of success sharply declines, making the attack practically and economically less feasible.
Over the near future we are going to witness an adoption of MTD in the seemingly endless cyberwarfare between defenders and offenders. Does it bring this war to its unexpected end It is still too early to tell, but MTD stands out as a new factor that forces new rules in this old adversarial game.
Mordechai Guri is the Chief Science Officer of Morphisec, an innovator in moving target defense. He is also a security researcher, project manager and lecturer at the Ben Gurion University of the Negev, in the cybersecurity labs division.