Cybersecurity Tech Investment Planning: Use annual loss expectancy to build a business case
arrow-white arrow-white Download now

Moving Target Defense Explained
Video - 1 min 8 sec

Despite massively expanding investment in cybersecurity, damage from cyberattacks continues to rise at an unprecedented rate, projected to reach over $10 trillion by 2025. If existing solutions were working, ransomware and supply chain breaches wouldn’t be happening and inflicting so much financial devastation, brand erosion, and business loss. Today’s solutions are manifestly not countering threat actors’ advanced attacks.  

Next generation antivirus (NGAV), endpoint protection platforms (EPP), and endpoint detection and response (EDR and XDR) solutions stop known attacks with recognized signatures and behavioral patterns. But they often do not detect or prevent the more disruptive advanced attacks organizations are experiencing today - the undetectable attacks such as zero-days, malware variants or supply chain attacks that lead to ransomware. A new technology recognized by Gartner is proven to stop advanced threats on both Windows and Linux systems, making prevention-first security a reality: Moving Target Defense (MTD), also known as Automated Moving Target Defense (AMTD).



What is Moving Target Defense?

MTD prevents ransomware, supply chain attacks, zero-day attacks, fileless attacks, in-memory attacks, and other advanced threats. It uses system polymorphism in memory to hide operating system and application targets from adversaries in an unpredictable manner. This leads to a dramatically reduced attack surface and lower security operating costs.


“Assume an expert thief is able to pick the lock to any door. The goal of MTD is not to build a better lock. This is, without doubt, a laudable and necessary goal for improving the door’s security, but this mission is left to other security solutions. Instead, the goal of an MTD security strategy is to make the door and the door’s lock difficult or impossible for the thief to find.”


“Controlled change across multiple network and system dimensions to increase uncertainty and complexity for attackers by reducing their window of opportunity and increasing the costs of their probing and attack efforts.”


Moving Target Defense Explained
Video - 1 min 8 sec

Why is Moving Target Defense Needed?

Almost all malicious software, or malware, used to use executable files on disc or the operating system (OS). These executables leave behind evidence of their existence. Tools like antivirus (AV), NGAV, EPP, EDR, and XDR evolved to spot telltale signs of malware deployment, such as attack patterns and signatures. They would then isolate threats before they could do real damage.  

But sophisticated threat actors are wise to traditional cybersecurity tools. Attack chains increasingly hijack legitimate system processes for malicious ends or target device memory at runtime rather than the disc or OS. Hijacked legitimate system processes and in-memory threats offer little, if anything, in the way of signatures to detect or behavior patterns to analyze.  

Legitimate system processes must work in memory at runtime, but this environment is mostly invisible to current cybersecurity tools. To catch an attack in progress, they need to scan device memory multiple times while an application is running and listen to the correct triggering operations to find malicious patterns. But in a typical application’s runtime environment, there might be 4GB of virtual memory. Even when dialed to the most aggressive alert settings, it’s impossible to scan this volume of data often enough. At least without slowing down an application so much as to make it barely usable. 

To ensure usability, memory scanners can only look for highly specific parameters, at specific memory locations, and at specific timeline triggers. In a best-case scenario, a scanning-focused solution might scan a small fraction of application memory. But threats also now use polymorphism to obfuscate their presence, so catching malicious activity in such a small sample of device memory would be miraculous.  

Gartner Report on Continuous Threat Exposure Management

Aggressive alert settings also result in a vast number of false positive alerts that require extra resources to analyze. If a high number of alerts and false positives aren’t an issue for an organization using current cybersecurity tools, their alert setting is probably too low. They are almost certainly missing the most disruptive advanced attacks.  

This is why organizations need MTD.  

Automated Moving Target Defense technology morphs the runtime memory environment to create a continually changing, unpredictable attack surface. This means that even in the highly unlikely event a threat actor can find their target once, they’re unable to reuse that attack on another device or even later on in the same device. MTD uses an ultra-lightweight agent to block unauthorized processes deterministically, as opposed to probabilistically. This means MTD generates a few false positive alerts and doesn't noticeably affect system performance. It integrates seamlessly into a tech stack to augment NGAV, EPP, EDR, and XDR with Defense-in-Depth to stop in-memory, fileless, zero-day, supply chain attacks, and other advanced threats.

Learn about Zero Trust & Moving Target Defense, the ultimate strategy against ransomeware in this free eBook!

Moving Target Defense Explained
Video - 1 min 8 sec

Moving Target Defense: Innovative and Disruptive Technology

Moving Target Defense uses techniques similar to those of attackers, such as polymorphism, deception, and evasion. It obfuscates targets by randomizing application memory runtime so a threat actor can’t accurately identify their target. 

Imagine a fork in a road with a road sign. In one direction is a mansion full of riches. In the other direction is a dangerous, sheer cliff. MTD switches which way the road sign points. 

Threat actors who travel this imaginary road are diverted to the sheer cliff. Meanwhile, legitimate traffic is still sent to the mansion. Employees get work done, while threat actors are refused entry. 


What are the Benefits of Moving Target Defense?

The mainstream paradigm of cybersecurity has long focused on detection and response. This approach is inherently reactive, and cedes the innovation advantage to threat actors. 

MTD changes the calculus of protecting critical systems. It is a proactive, prevention-first system. It interrupts the progression of cyberattacks and stops threat actors’ ability to gain persistence in target organizations.

The US Department of Homeland Security defines Moving Target Defense as, “controlled change across multiple network and system dimensions to increase uncertainty and complexity for attackers by reducing their window of opportunity and increasing the costs of their probing and attack efforts.”

Automated Moving Target Defense lowers IT and security team costs and effort by slashing ‘false positive’ security alerts, IT support tickets, and analyst alert triage time. 

It protects critical systems through the same kind of polymorphism and evasion that adversaries have used to great effect in the past 10 years. It provides a proactive approach for defenders, rather than waiting for threat actors to breach their systems and find the holes. It empowers organizations to prevent breaches on the endpoint before they can spread and perpetrate ransomware. 

Proactive reactive defense

Proactive rather than reactive defense doesn't wait for attackers to breach before working.

Polymorphic defense

Polymorphic defense hides exploits from polymorphic attacks.

attack persistence

Stops attackers' ability to gain persistence.

Virtual patching

Virtual patching protects vulnerabilities until a patch is issued.

false positive alerts

Slashes costs, false positive alerts, and required IT resources.

See how Morphisec can help you implement a Moving Target Defense strategy on a free demo!

How Morphisec’s AMTD Works

Unlike other endpoint protection solutions which must first detect an attack in order to stop it, Morphisec prevents advanced attacks from executing by dismantling their delivery mechanisms and kill chain. Morphisec uses patented Moving Target Defense technology to morph the memory space layout so adversaries cannot find an entry point, or the resources required, to execute an attack. This real-time, one-way randomization prevents highly sophisticated attacks, including the most advanced exploits and fileless malware.

  • Morph & Conceal
  • Protect & Deceive
  • Prevent & Expose Attacks

As an application loads to the memory space, Morphisec morphs the process structures, making the memory constantly unpredictable to attackers.


Legitimate application code memory is dynamically updated to use the morphed resources; applications load and run as usual. A skeleton of the original structure is left as a trap.


Attacks target the original structure and fail as they cannot find the resources they expect and need. Attacks are immediately prevented, trapped and logged with full forensic details.

Schedule a demo to learn how Automated Moving Target Defense prevents ransomware, zero-days, & more.