MTD makes a defender a more difficult target, reduces the need for threat detection and enables scalable security.
In cybersecurity, the shifting advantage between attackers and defenders seems a never-ending cycle. Defenders develop and implement new tools to prevent, detect, monitor and remediate cyber threats while attackers simultaneously create new attack techniques to thwart defenses and give them the upper hand.
But a concept, originally conceived by the Department of Homeland Security, is creating a new paradigm in cyber defense that can for the first time potentially shift the power to the defenders for good. Known as moving target defense (MTD), this strategy introduces a dynamic, constantly evolving attack surface across multiple system dimensions. This increases uncertainty for bad actors and complicates their attacks. Ultimately, hackers cannot hit what they cannot see.
MTD can be implemented in different ways, including via dynamic runtime platforms and dynamic application code and data. However, it is the deployment of decoys -- such as false endpoints, servers and internet-of-things devices -- to misdirect attackers at the network, host or application layer of a tech stack that security teams benefit from the most. Such distractions create a constantly changing environment, prompting attackers to question if the vulnerabilities they find are real or fake, if systems are a decoy and if the layout of a network is genuine.
Why now is the time to implement moving target defense
For some chief information security officers and security managers, implementing MTD may sound like an enticing proposition, but the actual transformation can be daunting. It’s important to acknowledge that polymorphic malware, which changes its characteristics to avoid detection, has been weaponized for years. And now, with recently developed techniques, the right dynamic defense is available. Here are three ways that implementing MTD can help agencies reduce risk.
1. It levels the playing field between attackers and defenders. The single biggest benefit of implementing MTD is that defenders make themselves difficult targets for attackers to spot, regardless of the technology layer. In the network layer, for example, if attackers don't know what IP address to target because it constantly shifts, then they cannot easily identify attack locations from device-to-device. Creating a decoy software layer that the defender can easily navigate, drives up the attacker's costs to chase a defender and reduces the number of people that are qualified to attack, as the software layer continues to move.
As an example, the military for decades has used frequency-hopping radios that protect the transmission of messages by rapidly switching carrier signals between a number of frequency channels. If adversaries know what frequency that a defender is using, they can put out so much noise, or “jam” the frequency. Frequency hopping makes that jamming more difficult.
2. It reduces the need for threat detection. When defenders increase the difficulty of an attack, then the security team is less dependent on threat detection solutions. That’s because when applying MTD, defenders zig when an attacker zags. Changing the characteristics of the attack surface makes it very difficult for attackers to strike, again shifting the power to defenders while also lessening the burden on over-extended security teams.
3. It’s a scalable security solution. As more controllers, servers, remote terminals, monitoring equipment and sensors are tied to the internet, the attack surface increases exponentially, creating unprecedented vulnerabilities and threats that require additional resources to remediate. Because MTD makes an attack surface dynamic, it essentially decreases its size, creating more efficiencies in security at scale.
While these are all clear benefits of implementing an MTD strategy, it has to be noted that for MTD to work, the concept must be implementable. Specifically, it has to fit within the existing architectural infrastructure, have a near zero impact on the administrative behavior of the enterprise, be easy to “turn on” and require minimal customized knowledge. MTD must result in a net positive shift in security because if an attack surface is reduced, but requires leaving a back door open, then it is ineffective because attackers can still get in.
To revisit the radio jamming example, frequency hopping does not solve the underlying reliance on the RF spectrum to provide transport for signals, so vulnerabilities remain. The point is that frequency-hopping radios have provided decades of RF security, even with the risks and inherent vulnerabilities. It isn’t perfect, but it works, and the same can be said for MTD, which gives defenders an unprecedented edge against attackers.
MTD operates on the assumption that attacks will still happen. But because it makes a defender a more difficult target, reduces the need for threat detection and makes security more scalable, it's benefits outweigh the costs of implementing it as part of the broader cybersecurity strategy. Even in environments that are likely to be compromised, MTD gives defenders an advantage that simply wasn’t possible just a short time ago.