Time for change: Moving Target Defense
The Current Situation
Moving Target Defense – In the modern-day realm of cybersecurity we, the participants, have all been immersed in the cat-and-mouse game of attack, defense and, in some cases, the very grey areas in between. But time has shown us a pattern that is hard to deny: the solutions that worked yesterday have a “lifetime” before they become less effective. That “lifetime” varies, but it inevitably runs out, as attackers have proven their resilience, creativity, and effectiveness in adapting and overcoming. Moreover, attackers have proven over time that they generally stay ahead of the defending side.
Look no further than recent successful ransomware campaigns. The victim entities had patch management in place, they had next-generation firewalls in place, and so on. Yet with all of those effective cyber security solutions in place, a piece of nefarious and ill-intended code still made its way through and wreaked havoc. One major issue with most traditional protective solutions, and with the overall posture of most victim environments, is that they presented a static, pattern-based target to attackers.
Attackers thrive on patterns. Easy bounty for them comes in the form of static data entities. These static entities can be data stored at rest or a complete message being moved across network links. What makes them static, and interesting, is that the target data exists in some contiguous block form, which creates an appealing attack surface. The problem for the defensive side is that data in its complete, identifiable, contiguous block form, especially at rest, is an easy static target for attackers. It is difficult to defend because network and operating system (OS) security measures have repeatedly proven to be bypassable.
The typical mistake made in this defensive respect is to rely on network security and/or file server/desktop security to protect data at rest. What happens when those traditional mechanisms fail? Files, for instance, sit in their stored location naked and exposed, ready for the picking by entities looking to steal or exfiltrate data from them. Consider why ransomware is so effective: it succeeds only because a victim’s files are static and stationary targets that the malware can act upon.
The ebb and flow between attack and defense is a never-ending cycle that some of us live on a daily basis. Defenders implement solutions to prevent threats and mitigate exposure, while attackers simultaneously create new techniques to thwart those defensive mechanisms and gain an advantage. The time for the defensive side to step things up is here. Cyber security practitioners need to truly increase the work factor that hostile entities face, instead of just trying to foresee the next set of threats or reactively going into forensics mode after some damage has been done. We, as an industry, are at a point where we can make scenarios nightmarish for attacking entities, instead of accepting our norm, which is attackers making our lives somewhat miserable.
Moving Target Defense
Enter one new modern-day technique with great promise: Moving Target Defense (MTD). This concept represents a new paradigm in securing environments and introduces a potential shift of advantage to the defensive side of the cyber security realm. MTD can exist at the network level and to date has been used as a mechanism for tricking attackers into exposing themselves. In theory this gives the defensive side threat intelligence that can be used for protective mechanisms, but it still keeps the protective part of the equation on the reactive front. At nTropic Security our product KDisperse™ has brought MTD down to the data level in a truly proactive protection stance.
KDisperse™ introduces a constantly evolving and/or morphing attack surface across multiple layers. Most importantly, it allows the data itself, in its native form, to be protected. There is no reactive process necessary. A proactive and dynamic approach of this type natively protects the elements of interest (i.e. the data) and radically increases the work factor an attacking entity faces. As an added layer, it also does away with the patterns attacking entities thrive on. The uncertainty introduced by a data-level MTD solution complicates things for hostile entities in a way that historically has only been achieved by entities with tremendous resources and the motivation to secure their crown jewels from attack. Ultimately, like a boxer who effectively bobs and weaves, attacking entities will have a hard time touching what they cannot see.
MTD mechanisms can operate at various layers, spanning dynamic application code (software), shifting network elements (IP addresses, etc.), encryption keys and, finally, the data itself. Threat detection and many of the other traditional cyber security concerns start to diminish once a defensive entity understands the benefits of MTD. Focusing on MTD for actual sensitive data, there is one main benefit to be aware of: MTD techniques achieve a no-pattern state through actual physical change. They raise the work factor by constantly changing the real attack surfaces one is defending – in essence the entire data attack surface becomes dynamic in nature.
This is the exact opposite of what we have had in place to date, where static patterns are the norm. MTD solutions physically change and dynamically move real data across a storage ecosystem, making it harder for hostile entities to identify and attack anything in the protection scope. Imagine a data-based example with effective sharding across a distributed storage ecosystem. Add some new storage resources to the ecosystem and the solution intelligently adjusts, reassembling and restructuring the secured data to make use of the newly added resource(s). Along the way, the face of what an attacking entity would see physically changes.
Some MTD mechanisms, such as KDisperse™, also couple the moving target with deception technologies (such as disinformation and/or decoys) to raise the bar even further against attacking entities. The objective of these elements is to send hostile entities down a path that wastes their time and leads nowhere. Deployed properly, these elements truly benefit the defensive side of the cyber security equation because attackers will never know whether they are touching, and/or trying to decipher, crown jewels or useless data.
False servers and endpoints, well-masked honeypots and fake shards of encrypted fake data are some examples of MTD elements that start to skew the advantage to the defensive side while raising the bar of what hostile entities must bring to the fight. To be clear, an effective MTD solution need not rely on deception technologies, but it certainly can be enhanced by them. Ultimately, MTD strategists are not really concerned with threat detection and the traditional cyber security areas of concern. They are creating strategies and implementing solutions that enact forward-thinking physical change to increase an attacker’s work factor.
The time is right for MTD, as the defensive side of the cyber security equation must get ahead of the curve that attackers have historically held. MTD solutions represent an unprecedented advantage, or shift of balance, towards effective defense. Take, for example, the proliferation of and advances in Artificial Intelligence (AI), and couple them with the traditional pattern-based approaches that have been in place for some time, such as the way file data is stored.
Modern-day advances in AI make the detection of patterns, even over large data sets, far more feasible than in times past. Think of a subset of AI, Machine Learning (ML). Some ML algorithms focus on creating clusters of data based on relationships or similarities; some do so using pattern detection techniques. These are powerful technologies that can be used by hostile entities, and if you, the defending side, have data sets that are static and pattern-based at all, they provide great targets for these algorithms to be turned against you.
Cyber security practitioners on the defensive side have historically been playing catch-up against smart, well-funded and/or highly motivated attackers. The curve has certainly been against the defensive side to date. Introducing MTD solutions has the great positive impact of swaying some power back towards the defensive teams. One powerful benefit of implementing an MTD solution is that the defensive side makes itself a difficult target for hostile entities. This can be across multiple layers, as mentioned before. On the network layer, for example, an MTD solution can have attackers chasing a ghost IP address because the entities constantly shift. On the data side, an MTD solution can create a thick layer of bogus and/or physically changing shards that the defender can use to raise an attacking entity’s work factor so high that there is little to zero success on the attacking side.
The concept of MTD is not new and has actually been used for years in the USA by federal law enforcement agencies and the military. “As an example, the military, for decades, has used frequency-hopping radios that protect the transmission of messages by rapidly switching carrier signals between a number of frequency channels. If adversaries know what frequency that a defender is using, they can put out so much noise, or “jam” the frequency. Frequency hopping makes that jamming more difficult.”
Cyber security practitioners get a hidden benefit from solutions that implement MTD technologies: they can focus less on the traditional focal areas of the industry. When the work factor facing hostile entities is strongly raised, historical security measures become less important, since overall risk is mitigated. Because MTD solutions change the physical face of a given attack surface, there is a power shift in favor of the defensive side. This in turn lessens the overall load that traditionally understaffed security teams deal with on a regular basis.
As with every piece of great technology, there are always downsides and points that can become weak. Implementing an MTD technology brings obvious challenges. The solution must be a good fit within the existing technology ecosystem of the environment in question. A seamless insertion is the goal, even though that isn’t always entirely possible. A forward-thinking approach here will certainly include effective APIs, because most modern-day environments have the capability to leverage APIs. More importantly, modern-day environments will not, and should not, accept any solution that corners or limits the usage model to a specific realm or platform. They will want their mobile apps to leverage the exact same protected data set that, for example, their users inside the network reach via Windows file shares.
MTD solutions must also result in a positively enhanced security posture for a given environment. One of the biggest challenges (and a typical weak point) is the management, securing and storing of the metadata that makes the overall MTD solution usable. For example, in a data sharding use case the order of the shards (each a subset of the original data set) must be maintained somewhere, so that the original superset of the protected data can be properly reconstructed when requested by an authorized entity. Another serious challenge is protecting the encryption keys and initialization vectors (where applicable): while the encryption protects the data, what protects the keys to that encryption? Of course there are options, such as the use of Hardware Security Modules (HSMs), but the point here is that the challenge must be considered.
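As an added illustration of the sharding use case just described and of the re-distribution onto newly added storage mentioned earlier (constructed example code, not KDisperse or any nTropic Security code): data is split into shards scattered over in-memory "nodes" under random IDs, decoy shards that appear in no manifest are mixed in, an HMAC-protected manifest is the only record of shard order, and bringing in a new node re-scatters every real shard. The node names, shard size and manifest key are assumptions for the demonstration; the manifest and its key are the sensitive metadata the paragraph above warns about.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demonstration, not KDisperse code. Storage nodes are in-memory
# dicts; SHARD_SIZE is tiny so the layout is easy to inspect. The manifest and
# its HMAC key are exactly the sensitive metadata the article warns about.
SHARD_SIZE = 4

def _mac(key: bytes, order: list) -> str:
    # Integrity tag over the shard order: a reordered or truncated manifest fails.
    body = json.dumps(order, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def shard(data: bytes, nodes: list, key: bytes):
    """Split data into fixed-size shards scattered over nodes under random IDs.
    Returns (storage, manifest); storage maps node -> {shard_id: bytes}."""
    storage = {n: {} for n in nodes}
    order = []
    for i in range(0, len(data), SHARD_SIZE):
        sid, node = secrets.token_hex(8), secrets.choice(nodes)
        storage[node][sid] = data[i:i + SHARD_SIZE]
        order.append([node, sid])
    return storage, {"order": order, "mac": _mac(key, order)}

def add_decoys(storage: dict, count: int) -> None:
    """Plant decoy shards that look like real ones but appear in no manifest."""
    for _ in range(count):
        node = secrets.choice(list(storage))
        storage[node][secrets.token_hex(8)] = secrets.token_bytes(SHARD_SIZE)

def reassemble(storage: dict, manifest: dict, key: bytes) -> bytes:
    """Rebuild the original data; refuse a manifest whose tag does not verify."""
    if not hmac.compare_digest(manifest["mac"], _mac(key, manifest["order"])):
        raise ValueError("manifest integrity check failed")
    return b"".join(storage[node][sid] for node, sid in manifest["order"])

def add_node(storage: dict, manifest: dict, key: bytes, new_node: str) -> None:
    """Bring a new node in and re-scatter every real shard under a fresh ID and
    placement, so the layout an observer mapped is gone; decoys stay put."""
    storage[new_node] = {}
    new_order = []
    for node, sid in manifest["order"]:
        chunk = storage[node].pop(sid)
        nsid, nnode = secrets.token_hex(8), secrets.choice(list(storage))
        storage[nnode][nsid] = chunk
        new_order.append([nnode, nsid])
    manifest["order"], manifest["mac"] = new_order, _mac(key, new_order)
```

Without the manifest and its key, an observer of the storage sees only equally sized, randomly named blobs, real and decoy alike; lose or expose them and the same is true for the defender, which is the metadata problem in concrete form.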
Ultimately, cyber security practitioners on the defensive side have to accept that their networks, servers and data will get attacked. Using MTD solutions such as KDisperse™ proactively makes a defended environment a less appealing target to hostile entities. Even in environments that do not have sophisticated traditional cyber security measures in place, MTD solutions give the defending side unprecedented advantages that have historically not existed.
References: Britton, Doug, “3 reasons why moving target defense must be a priority”, Government Computer News, June 10, 2019.