Sandboxes and virtual machines are essential tools for malware analysts. Consequently, modern malware can employ anti-VM and anti-sandbox mechanisms to detect whether it is running within a virtualized or sandboxed environment. If a VM or sandbox is detected, the malware alters its behavior and avoids any malicious activity. Once it executes on a real system, after having been tagged as benign, the malware starts its malicious activities. In the same manner, malware can use anti-debugging techniques to avoid debugging and run-time analysis.
Encrypted and targeted exploits have recently been used as part of exploits delivered through web pages ('exploit kits'). To avoid detection, URL patterns, the hosting server, encryption keys, and file names are changed on every delivery. These exploits can also evade honeypots by limiting the number of times the exploit can be accessed from the same IP address.
Finally, some types of attacks begin the exploitation phase only after some real user interaction (e.g., web-page scrolling). In this way, the attacker ensures execution on a real machine rather than under automated dynamic analysis.
These effective deception methods have rendered the defensive mechanisms inefficient over the years and have given the attackers a position of superiority. The defender is endlessly chasing the attacker, investing massive resources and effort merely to detect and prevent previous kinds of attacks. Consequently, the traditional symmetry between defenders and attackers is broken. The attacker knows whom he is going to attack, when, where and with which weapons, while the defender is in a state of constant uncertainty.
Moving Target Defense
There are three main categories of MTD security: (1) network level MTD, (2) host level MTD, and (3) application level MTD.
Network-level MTD includes several mechanisms developed over the years. IP hopping, for example, changes the host's apparent IP address, thus increasing the network's complexity as seen by the attacker. Transparency is achieved by keeping the host's real IP address and associating each host with a virtual, random IP address.
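The following is an added illustration of the IP-hopping idea described above; it is not code from the article or from any named MTD product. A gateway keeps each host's real address fixed and derives a virtual address from a secret key and the current time epoch, so outside observers see a changing address while the gateway can still translate in both directions. The prefix, key, hosts and epoch length are constructed sample values.

```python
"""Keyed IP-hopping gateway model (added example; all values are constructed)."""
import hmac
import hashlib
import ipaddress

VIRTUAL_PREFIX = ipaddress.ip_network("10.200.0.0/16")  # constructed virtual pool
EPOCH_SECONDS = 300                                      # how often addresses hop


def virtual_ip(real_ip: str, key: bytes, now: int) -> str:
    """Map a real address to a keyed, epoch-dependent virtual address.

    Within one epoch the result is stable; across epochs it changes, so an
    attacker's earlier reconnaissance results go stale.
    """
    epoch = now // EPOCH_SECONDS
    digest = hmac.new(key, f"{real_ip}|{epoch}".encode(), hashlib.sha256).digest()
    # Skip the network and broadcast addresses of the pool.
    usable = VIRTUAL_PREFIX.num_addresses - 2
    offset = 1 + int.from_bytes(digest[:4], "big") % usable
    return str(VIRTUAL_PREFIX[offset])


class HoppingGateway:
    """Holds the real<->virtual translation tables for the current epoch."""

    def __init__(self, hosts, key: bytes):
        self.hosts = list(hosts)   # real addresses, never exposed externally
        self.key = key             # secret shared only by the gateway

    def table(self, now: int) -> dict:
        """Real -> virtual mapping for the epoch containing `now`."""
        fwd = {}
        for host in self.hosts:
            virt = virtual_ip(host, self.key, now)
            if virt in fwd.values():  # pool collision: re-key or enlarge the pool
                raise ValueError(f"virtual address collision for {host}")
            fwd[host] = virt
        return fwd

    def to_real(self, virt: str, now: int):
        """Reverse-translate an observed virtual address; None if stale or unknown."""
        rev = {v: r for r, v in self.table(now).items()}
        return rev.get(virt)
```

A stale address from a previous epoch simply fails to translate, which is the behaviour that frustrates an attacker relying on an earlier network map.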
Some techniques aim to deceive the attacker during the network mapping and reconnaissance phase. These techniques include using random port numbers, extra open or closed ports, fake listening hosts, and obfuscated port traffic. Other techniques aim to feed the attacker false information about the host and the OS type and version, for example by generating random network service responses that prevent OS fingerprinting.
Host-level MTD includes changing host- and OS-level resources, names and configurations to trick the attacker.
Application-level MTD involves changing the application environment in order to trick the attacker. For example, Address Space Layout Randomization (ASLR), which was introduced by Microsoft, randomly arranges the memory layout of a process's address space to make it harder for an adversary to execute their shellcode.