This article discusses:
Today's cyber defenses focus on defending unchanging (sprawling, distributed and untrusted) infrastructure by monitoring, detecting, preventing and remediating threats. Asymmetric uncertainty, or Moving Target Defense (MTD), introduces a paradigm shift by imposing asymmetric disadvantages on cyber-adversaries. Adversaries face increased uncertainty and complexity as the target systems are subjected to multi-faceted changes. Higher levels of uncertainty and complexity raise the cost of malicious probing and attack efforts, preventing or limiting system intrusion. The common means by which MTD can be introduced are virtualization and workload migration, widespread and redundant network connectivity, instruction set and address space layout randomization, just-in-time compilers, and the like. This is an emerging area that is yet to see wider adoption within enterprises. MTD techniques are often evaluated against system performance and the increased ongoing management effort. This document describes MTD in general and puts forward a point of view on its current adoption among security product vendors and enterprises.
Data breaches have been all over the news for a while now. Early September 2017 witnessed the Equifax cyber-attack. The attack vector used at Equifax was based on the Apache Struts web application framework: the specific vulnerability in Apache Struts allowed the use of file uploads, and the attackers were able to send malicious code and commands directly to the targeted server. 2019 witnessed a major breach at Blur, where an unsecured server exposed a file containing 2.4 million user names, email addresses, password hints, IP addresses and encrypted passwords. [1] Numerous breaches have been reported since the start of 2019, with notable ones involving tech giants such as Microsoft's email service, Citrix, Wyzant, WhatsApp and Instagram.
The message is very clear. Enterprise CXOs are aware that this is a running war. Every day, new exploits and new tools are developed to breach networks. The techniques are sophisticated and are operated by determined cyber criminals. Current cyber defense strategies within the enterprise are insufficient to detect and prevent such attacks, as the attacks spread in every possible direction within the network, conducting inspection, identifying resources and exfiltrating valuable data.
It is an attacker’s world
Current malware attacks, and the corresponding defenses, both center on network and system vulnerabilities. The motivation for MTD derives from the limitations of the defensive techniques currently used to prevent cyber-attacks. At a high level, the cyber kill-chain is a multistage, segmented intrusion model:
Current defense mechanisms are static and fall into two categories: obstruction and system remodeling. Obstructions are physical and logical isolation, access rules, segmentation and the like. Obstruction is blind to side-channel attackers and suffers from rule complexity and storage constraints. System remodeling modifies the existing system structure through patching and upgrades to cope with inherent flaws; it is limited to partial changes and to known flaws. Hence, existing defensive methods are ineffective at resisting continuous reconnaissance and analysis during the attack phase. The situation is further complicated by interconnectivity and vulnerable environments: missing software updates and patches, networks with Internet of Things (IoT) devices, and end-of-support and end-of-life processors in turnkey systems.
The static nature of networks and systems, homogeneous network elements and the certainty of their composition often work in the attackers' favor. For example, an attacker can zero in on a target system by collecting information about the network, and can fill the remaining knowledge gaps by combining that information with zero-day and known vulnerabilities to mount an attack. Defense mechanisms based on prior knowledge struggle to enumerate all possible attack scenarios and sources of vulnerabilities. Therefore, the gap between the attackers' ability to comprehend target systems and their vulnerabilities and the defenders' limited knowledge of security threats leaves the attackers with an information advantage.
Asymmetric Uncertainty Constructs
The "Shell Game" (also known as Thimblerig or Three Shells and a Pea) dates back to ancient Greece: a target (usually a pea or ball) is hidden under one of three shells or cups, and the object of the game is to find the target after the shells have been moved. The same analogy applies to the concept of asymmetric uncertainty. The premise of the defense is the dynamic or continuous changing of system and network attributes and configurations. The change increases the difficulty of an attacker's intrusion and of acquiring and maintaining system privileges. This concept is still developing, and currently we can see the following types of constructs for changing the attack surface:
- Network level
- Host level
- Application level
Parameters against which an MTD mechanism is evaluated:

Parameter | Description | Defense Measure
Coverage | Ratio of vulnerabilities transformed to the vulnerability set exploited | Higher coverage
Randomness | Degree of uncertainty added to the attack surface | Higher randomness
Timeliness | In-time transformation before intrusive actions; change frequency | In-time transformation ahead of the attack
Stability | Performance and availability of the system | Less or no impact
Coexistence | Variation of MTD mechanisms, and ability to synergize with existing defense mechanisms | Integration capability
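To make the shell-game argument and the evaluation parameters above concrete, here is an added example (constructed for this article, not the author's or any vendor's code) that models a service whose location is shuffled among n equally likely slots every k attacker probes and computes the Randomness, Coverage and Timeliness measures; the slot count, shuffle interval and vulnerability labels are assumed sample values.

```python
"""Toy model of the shell-game argument above (constructed example, not the
article's code): a service is shuffled among `space_size` equally likely slots
and re-drawn every `shuffle_every` attacker probes; the functions quantify the
Randomness, Timeliness and Coverage parameters from the table."""
import math
import random

def randomness_bits(space_size: int) -> float:
    """Randomness: uncertainty added to the attack surface, in bits (static target = 0)."""
    return math.log2(space_size)

def coverage_ratio(transformed, exploited) -> float:
    """Coverage: share of the exploited vulnerability set the transformation moves."""
    exploited = set(exploited)
    return len(set(transformed) & exploited) / len(exploited)

def expected_probes_static(space_size: int) -> float:
    """No MTD: a non-repeating sweep hits after (n + 1) / 2 probes on average."""
    return (space_size + 1) / 2

def expected_probes_moving(space_size: int, shuffle_every: int) -> float:
    """Timeliness: the target is re-drawn every k probes, so earlier windows teach
    the attacker nothing. Each window hits with probability k/n, which gives
    n - (k - 1) / 2 expected probes; k = n is the static case, k = 1 costs n."""
    n, k = space_size, shuffle_every
    return n - (k - 1) / 2

def simulate_probes(space_size: int, shuffle_every: int,
                    trials: int = 4000, seed: int = 1) -> float:
    """Monte-Carlo check of expected_probes_moving: per window the attacker's probe
    order is a fresh permutation independent of the re-drawn target, so the index
    at which it would hit is uniform over 1..n."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        probes = 0
        while True:
            hit_index = rng.randint(1, space_size)
            if hit_index <= shuffle_every:  # found inside this window
                probes += hit_index
                break
            probes += shuffle_every         # window exhausted, target moves
        total += probes
    return total / trials

if __name__ == "__main__":
    n, k = 1024, 16
    print(f"randomness {randomness_bits(n):.0f} bits; static {expected_probes_static(n):.1f} probes;"
          f" moving (k={k}) {expected_probes_moving(n, k):.1f} analytic,"
          f" {simulate_probes(n, k):.1f} simulated")
```

The closed form shows why change frequency matters: shuffling before every probe (k = 1) roughly doubles the probing cost of a static target, while a shuffle interval as long as the sweep itself (k = n) offers no advantage.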
Current state of adoption in the enterprise
While asymmetric uncertainty/MTD is a new concept, with tools, techniques and processes still emerging, the US federal government has funded and made significant efforts in this area. Organizations like Polyverse offer services and solutions that leverage the concept of asymmetric uncertainty; for example, its compiler-based scrambling (Polymorphic Linux), intended for recycled containers, offers a full suite of MTD functionality. These innovations have made it easier for much smaller enterprises to integrate MTD into their existing security suite. Similar to Polyverse, other organizations such as Morphisec are also involved with MTD strategies and related products, solutions and services. Several other private organizations, like Cylance, SentinelOne, Bromium and Cybereason, have their respective products and solutions in this space. The National Institute of Standards and Technology (NIST) has also been involved with various initiatives related to asymmetric uncertainty.
Conclusion
Moving Target Defense initiatives have been progressing well since 2015. The next few years should be exciting for MTD in terms of commercialization of its concepts and integration with existing security infrastructure. Early products in the market will continue to solidify and mature, and much innovation is expected in this space among end-user organizations with respect to the application and integration of MTD products.
References
[1] https://www.pcmag.com/news/365672/blur-users-personal-details-potentially-exposed