
Moving target defense vs. moving target attacks: The two faces of deception

Mordechai Guri, Chief Science Officer | Jan. 5, 2016

[Image: whack-a-mole security threat. Credit: Flickr/Mike Towber]

The unceasing arms race between cyber attackers and cyber defenders has reached unprecedented levels of sophistication and complexity. As defenders adopt new detection and response tools, attackers develop new techniques and methods to bypass those mechanisms. Deception is one of the most effective weapons on both sides of the game.

Deception techniques have traditionally been among the favorite methods in the attackers’ arsenal. Surprise and uncertainty give the attacker an inherent advantage over the defender, who cannot predict the attacker’s next move. Rather surprisingly, however, the same asymmetry can also be turned to the defender’s advantage.

Moving Target Defense (MTD) aims to create asymmetric uncertainty on the attacker’s side by continually changing the attack surface. The US Department of Homeland Security (DHS) defines MTD as "the concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts."

This point of view stems from the understanding that absolute security is not an achievable goal, and that the attackers' and the defenders' costs and efforts are asymmetric. A new paradigm is therefore needed, one that changes the costs and efforts in this adversarial game.

Moving Target Attacks

Over the years, numerous techniques have been developed that let attackers repeatedly modify their attacks. The table below lists the more common moving target attack techniques, followed by an explanation of each:

Deception techniques used by the attackers

Technique                          Deception method
Polymorphism                       Change malware signature
Metamorphism / self-modification   Change malware code on the fly
Obfuscation                        Conceal code and logic
Self-encryption                    Change malware signature and hide malicious code and data
Anti-VM/sandboxes                  Evade forensic analysis by changing behavior in forensic environments
Anti-Debugging                     Evade automated/manual investigation by changing behavior in forensic environments
Encrypted exploits                 Evade automated/manual investigation by changing parameters & signatures

Polymorphism is commonly used by malware authors to evade AV detection. By encrypting the malware’s payload, including its code and data, the attackers gain two main advantages. First, they can easily generate different instances of the same malware by using multiple encryption keys. This renders signature-based anti-malware facilities ineffective, since each new instance carries a new and unknown static signature. Second, the malware can bypass even deeper static analysis, because its code and data are encrypted and therefore never exposed to the scanners. Using metamorphism techniques, the malware author complicates detection further by changing the in-memory code at every execution.

While polymorphism and metamorphism aim at evading automatic file and memory scanning, obfuscation is also effective against manual inspection of the code. Using obfuscation, the malware author creates code that is extremely difficult for a human analyst to understand. This is achieved by building a payload with obscured strings, dummy code and a complicated function call graph, all of which can be regenerated randomly with each instance of the malware.
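To make the polymorphism argument concrete, here is an added Python example (not from the article): a constructed placeholder payload is XOR-encrypted under a fresh random key per instance, standing in for whatever cipher a real engine would use, and every instance defeats a byte-pattern signature and a hash blocklist while two defender-side checks still work, a byte-entropy heuristic on the stored blob and a scan of the decrypted image, which is what a memory scanner or emulator sees once the sample's own stub has unpacked it. The payload, the signature and all function names are assumptions made for this illustration.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed stand-in for a malware body (plain text here; any bytes would do).
PLAIN_PAYLOAD = b"connect-back routine placeholder; decrypt, then run the real code. " * 8
# The byte pattern a signature-based scanner would carry for the plaintext form.
SIGNATURE = b"connect-back routine"

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: one call encrypts, the same call on the result decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def make_variants(payload: bytes, count: int, key_len: int = 16) -> list[tuple[bytes, bytes]]:
    """Simulate the generator the article describes: identical payload, a fresh
    random key per instance. Returns (key, ciphertext) pairs."""
    return [(k, xor_with_key(payload, k)) for k in (os.urandom(key_len) for _ in range(count))]

def static_signature_match(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """What a purely static byte-pattern scanner sees in the file on disk."""
    return signature in blob

def distinct_hashes(blobs: list[bytes]) -> int:
    """Hash blocklists are the narrowest static signature: count the unique SHA-256s."""
    return len({hashlib.sha256(b).hexdigest() for b in blobs})

def shannon_entropy(blob: bytes) -> float:
    """Bits per byte of the empirical byte distribution: natural-language text
    sits around 4 to 5, encrypted or packed data approaches 8."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def runtime_scan(blob: bytes, key: bytes, signature: bytes = SIGNATURE) -> bool:
    """Model a memory scanner or emulator: the sample's own stub has to decrypt
    the payload before it can run, and the plaintext reappears at that point."""
    return signature in xor_with_key(blob, key)

if __name__ == "__main__":
    variants = make_variants(PLAIN_PAYLOAD, 5)
    blobs = [c for _, c in variants]
    print("static signature hits:", sum(static_signature_match(c) for c in blobs), "of", len(blobs))
    print("distinct SHA-256 values:", distinct_hashes(blobs))
    print("entropy plain / variant:", round(shannon_entropy(PLAIN_PAYLOAD), 2), round(shannon_entropy(blobs[0]), 2))
    print("runtime scan hits:", sum(runtime_scan(c, k) for k, c in variants), "of", len(blobs))
```

The entropy threshold is a heuristic rather than a signature: it flags packed or encrypted sections regardless of key, which is why entropy checks and post-unpacking memory scans are the usual static-scanner complements against polymorphic families.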
