Despite massively expanding investment in cybersecurity, damage from cyber attacks continues to rise at an unprecedented rate, projected to reach over $10 trillion by 2025. If existing solutions were working, ransomware breaches wouldn’t be happening and inflicting so much financial devastation, brand erosion, and business loss. Today’s solutions are manifestly failing to counter threat actors’ advanced attacks.
Next generation antivirus (NGAV), endpoint protection platforms (EPP), and endpoint detection and response (EDR) solutions are adequate at stopping known attacks with recognized signatures and behavioral patterns. But they often fail to detect and prevent the advanced attacks most organizations are experiencing today. A new technology has emerged that is proven to stop ransomware and other advanced persistent threats, making prevention-first security a reality: Moving Target Defense (MTD).
Moving Target Defense (MTD) prevents ransomware, fileless attacks, zero-day, and other advanced threats. It uses system polymorphism to hide operating system and application targets from adversaries in an unpredictable manner. This leads to a dramatically reduced attack surface and lower security operating costs.
“Assume an expert thief is able to pick the lock to any door. The goal of MTD is not to build a better lock. This is, without doubt, a laudable and necessary goal for improving the door’s security, but this mission is left to other security solutions. Instead, the goal of an MTD security strategy is to make the door and the door’s lock difficult or impossible for the thief to find.”
“Controlled change across multiple network and system dimensions to increase uncertainty and complexity for attackers by reducing their window of opportunity and increasing the costs of their probing and attack efforts.”
Why is Moving Target Defense Needed?
The static nature of a computer operating system makes it easy to attack and hard to defend. Windows and other computer operating systems generally launch the same applications in the same memory location every time.
This makes it easy for threat actors to identify applications they want to exploit. They can then bypass the reactive defenses corporations have built around their critical systems, including NGAV and EDR solutions—and wreak havoc.
EDR is adequate for well-known attacks with known signatures and behaviors. However, the most aggressive alert setting is required for EDR to stop advanced persistent threats that lead to ransomware. Such an aggressive setting results in a high number of alerts and false positives, increasing resource needs for analysis and degrading system performance.
If a high number of alerts and false positives isn’t an issue for an organization, its EDR setting is probably too low. It is most likely missing attacks and is at high risk of being hit by ransomware. Moving Target Defense augments EDR/XDR (providing “defense in depth”) to stop in-memory and fileless or runtime advanced persistent threats, while lowering false positive alerts.
Moving Target Defense: Innovative and Disruptive Technology
Moving Target Defense uses techniques similar to those of attackers, such as polymorphism, deception, and evasion. It obfuscates targets by shifting the address where an application loads in memory.
This means a threat actor can’t accurately identify their target because it doesn’t load in the same place.
Imagine a fork in a road with a road sign. In one direction is a mansion full of riches. In the other direction is a dangerous, sheer cliff. MTD switches which way the road sign points.
Threat actors who travel this imaginary road are diverted to the sheer cliff. Meanwhile, legitimate traffic is still sent to the mansion. Employees get work done, while threat actors are refused entry.
What are the Benefits of Moving Target Defense?
The mainstream paradigm of cybersecurity has long focused on detection and response. This approach is inherently reactive, and cedes the innovation advantage to threat actors.
MTD changes the calculus of protecting critical systems. It is a proactive, prevention-first system. It interrupts the progression of cyberattacks and stops threat actors’ ability to gain persistence in target organizations.
The US Department of Homeland Security defines Moving Target Defense as, “controlled change across multiple network and system dimensions to increase uncertainty and complexity for attackers by reducing their window of opportunity and increasing the costs of their probing and attack efforts.”
Moving Target Defense lowers IT and security team costs and effort by slashing ‘false positive’ security alerts, IT support tickets, and analyst alert triage time.
It protects critical systems through the same kind of polymorphism and evasion that adversaries have used to great effect in the past 10 years. It provides a proactive approach for defenders, rather than waiting for threat actors to breach their systems and find the holes. It empowers organizations to prevent breaches on the endpoint before they can spread and perpetrate ransomware.
Proactive rather than reactive defense doesn't wait for attackers to breach before working.
Polymorphic defense hides exploitable targets from polymorphic attacks.
Stops attackers' ability to gain persistence.
Virtual patching shields unpatched vulnerabilities until a vendor patch is issued.
Slashes costs, false positive alerts, and required IT resources.
How Does Moving Target Defense Work?
Morphisec’s MTD morphs the location of application memory. This occurs every time an application loads and every time a user takes an action.
Legitimate code that runs after the morphing occurs operates as normal. However, when the application memory is morphed by Morphisec MTD, a skeleton of the original code is left at the original memory location.
This skeleton serves as a trap for threat actors who try to attack the original memory location.
When an attack occurs, the malicious code injection is trapped in the skeleton where it harmlessly detonates. Defenders can then identify the attack in a safe location where it doesn’t impact critical systems.
Allowing defenders to identify the attack is a key part of MTD. It shares the idea of a trap with deception technologies. But the skeleton is not a ‘honeypot’ because it isn’t designed to attract threat actors.
Rather, the skeleton is a lightweight copy of the legitimate application. It is a diversion, allowing the targeted application to shift where it loads in-memory to avoid being attacked.
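To make the morph-and-skeleton mechanism concrete, here is a small Python model added for this article (it is not Morphisec’s code and makes no claim about how the product is implemented): real code is relocated to a fresh address, the legitimate dispatch table follows it, and a skeleton left at the old address only records whoever still jumps there. The addresses, function names and seeded random generator are constructed for the example.

```python
import random

class MorphedProcess:
    """Toy model of an MTD-protected address space (constructed for this article)."""
    PAGE = 0x1000  # relocation granularity in the model

    def __init__(self, functions, seed=0):
        self.rng = random.Random(seed)  # seeded so the run is repeatable
        self.memory = {}                # address -> (kind, name, callable)
        self.dispatch = {}              # name -> current address of the real code
        self.detections = []            # records written by skeleton hits
        # Static layout: every load would put function i at the same address.
        for i, (name, fn) in enumerate(functions.items()):
            addr = 0x400000 + i * self.PAGE
            self.memory[addr] = ("code", name, fn)
            self.dispatch[name] = addr

    def address_of(self, name):
        return self.dispatch[name]

    def _free_address(self):
        while True:
            addr = self.rng.randrange(0x10000, 0x7FFF0000, self.PAGE)
            if addr not in self.memory:
                return addr

    def _make_skeleton(self, name, old_addr):
        def skeleton(*args):
            # Harmless detonation: log the hit and do no application work.
            self.detections.append({"name": name, "address": old_addr, "args": args})
            return None
        return skeleton

    def morph(self):
        """Relocate every function and leave a skeleton at its old address."""
        for name, old_addr in list(self.dispatch.items()):
            _, _, fn = self.memory[old_addr]
            new_addr = self._free_address()
            self.memory[new_addr] = ("code", name, fn)
            self.memory[old_addr] = ("skeleton", name, self._make_skeleton(name, old_addr))
            self.dispatch[name] = new_addr

    def call(self, name, *args):
        """Legitimate path: resolve through the dispatch table, which followed the move."""
        return self.memory[self.dispatch[name]][2](*args)

    def call_address(self, addr, *args):
        """Path taken by code that hard-wired an address from the static layout."""
        return self.memory[addr][2](*args)
```

After `morph()`, a call through the dispatch table still reaches the real function, while a jump to the stale address lands on the skeleton, which returns nothing and leaves a detection record the defender can inspect.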
See how Morphisec can help you implement a Moving Target Defense strategy with a free demo!