Learn about Zero Trust & Moving Target Defense, the ultimate strategy against ransomeware in this free eBook!
On-Demand Webinar: Automated Moving Target Defense is 'The Future of Cyber'
MTD prevents ransomware, supply chain attacks, zero-day attacks, fileless attacks, in-memory attacks, and other advanced threats. It uses system polymorphism in memory to hide operating system and application targets from adversaries in an unpredictable manner. This leads to a dramatically reduced attack surface and lower security operating costs.
“Assume an expert thief is able to pick the lock to any door. The goal of MTD is not to build a better lock. This is, without doubt, a laudable and necessary goal for improving the door’s security, but this mission is left to other security solutions. Instead, the goal of an MTD security strategy is to make the door and the door’s lock difficult or impossible for the thief to find.”
“Controlled change across multiple network and system dimensions to increase uncertainty and complexity for attackers by reducing their window of opportunity and increasing the costs of their probing and attack efforts.”
Why is Moving Target Defense Needed?
Almost all malicious software, or malware, used to use executable files on disc or the operating system (OS). These executables leave behind evidence of their existence. Tools like antivirus (AV), NGAV, EPP, EDR, and XDR evolved to spot telltale signs of malware deployment, such as attack patterns and signatures. They would then isolate threats before they could do real damage.
But sophisticated threat actors are wise to traditional cybersecurity tools. Attack chains increasingly hijack legitimate system processes for malicious ends or target device memory at runtime rather than the disc or OS. Hijacked legitimate system processes and in-memory threats offer little, if anything, in the way of signatures to detect or behavior patterns to analyze.
Legitimate system processes must work in memory at runtime, but this environment is mostly invisible to current cybersecurity tools. To catch an attack in progress, they need to scan device memory multiple times while an application is running and listen to the correct triggering operations to find malicious patterns. But in a typical application’s runtime environment, there might be 4GB of virtual memory. Even when dialed to the most aggressive alert settings, it’s impossible to scan this volume of data often enough. At least without slowing down an application so much as to make it barely usable.
To ensure usability, memory scanners can only look for highly specific parameters, at specific memory locations, and at specific timeline triggers. In a best-case scenario, a scanning-focused solution might scan a small fraction of application memory. But threats also now use polymorphism to obfuscate their presence, so catching malicious activity in such a small sample of device memory would be miraculous.
Aggressive alert settings also result in a vast number of false positive alerts that require extra resources to analyze. If a high number of alerts and false positives aren’t an issue for an organization using current cybersecurity tools, their alert setting is probably too low. They are almost certainly missing the most disruptive advanced attacks.
This is why organizations need MTD.
Automated Moving Target Defense technology morphs the runtime memory environment to create a continually changing, unpredictable attack surface. This means that even in the highly unlikely event a threat actor can find their target once, they’re unable to reuse that attack on another device or even later on in the same device. MTD uses an ultra-lightweight agent to block unauthorized processes deterministically, as opposed to probabilistically. This means MTD generates a few false positive alerts and doesn't noticeably affect system performance. It integrates seamlessly into a tech stack to augment NGAV, EPP, EDR, and XDR with Defense-in-Depth to stop in-memory, fileless, zero-day, supply chain attacks, and other advanced threats.
How Does Moving Target Defense Work?
Morphisec’s MTD morphs the location of application memory. This occurs every time an application loads and every time a user takes an action.
Legitimate code that runs after the morphing occurs operates as normal. However, when the application memory is morphed by Morphisec MTD, a skeleton of the original code is left at the original memory location.
This skeleton serves as a trap for threat actors who try to attack the original memory location.
When an attack occurs, the malicious code injection is trapped in the skeleton, where it harmlessly detonates. Defenders can then identify the attack in a safe location where it doesn’t impact critical systems.
Allowing defenders to identify the attack is a key part of MTD. It shares the idea of a trap with deception technologies. But the skeleton is not a ‘honey pot’ because it isn’t designed to attract threat actors.
Instead, the skeleton is a lightweight copy of the legitimate application. It is a diversion, allowing the targeted application to shift where it loads in-memory to avoid being attacked. 
© 2023 Morphisec Ltd. | All rights reserved
.png?width=571&height=160&name=iso27001-(2).png)
