Moving Target “Polymorphic” Defense

Before reading this blog, watch the webinar above, featuring myself and DLT's Don Maclean, to learn how innovative technologies such as polymorphic defense are not only effective on a technical level but also offer a much-needed boost to the morale of the security industry. This positive outlook, I believe, can entice talent into this industry, as it promises to put them on the winning team.

As we discussed in our previous blog Security = Foundations + Innovation, economies of scale favor our adversaries. In addition, while emphasizing the importance of security fundamentals, I also urged attention to innovative technologies to keep pace with the evil but inventive actions of the enemy.

One way our adversaries keep us on our toes is through polymorphic malware: malware that “shape-shifts” to avoid simple means of detection, but still does what our foes want. It would be great to flip the script, to create a defensive structure that constantly morphed into new forms, endlessly complicating the attackers’ task, while still doing what we want. Defending against entire classes of attack, instead of swatting away one mosquito at a time, would also make life easier and safer for the defender. Polymorphic defense does both of these things, tipping the economy of scale in favor of the “white hats”.

What is polymorphic, or “moving target” defense? Simply put, it is the mirror image of polymorphic malware: no two systems are exactly alike, and each differs from the systems that the attacker's entire range of known exploits was built to work against.

Many exploits, particularly file-less malware, install in known locations in memory, intercept calls to code at known memory addresses, or steal data from known locations in memory. File-less attacks are on the rise, so defending against this class of attack – note that we are talking about an entire class of attack – is a lofty but achievable goal.

By scrambling memory and even altering the use of CPU registers (the miniature memory locations on a CPU that control program flow and store critical pieces of data), polymorphic defense makes file-less attacks less likely to succeed. More importantly – and this is critical – if an attack does succeed, it only works on one machine. This means the attacker’s task is not only more difficult at the outset but also economically disadvantageous, because they cannot leverage a successful exploit across many systems. These advantages are tangible; the satisfaction of getting a leg up on the bad actors is an intangible but powerful factor.
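To make the economics argument above concrete, here is an added toy simulation (my own illustration, not code from the webinar or from any moving-target product). It models an attack that patches a hardcoded memory slot: on a fleet of identically laid-out hosts it works everywhere, while on hosts whose layout is randomized per machine it works only on the host it was developed against. The slot count and function names are constructed for the example.

```python
"""Toy model of moving-target defense: does a fixed-location exploit reuse
across a fleet, or only hit the one machine it was built on?"""
import random

SLOT_COUNT = 4096  # constructed: possible locations for a sensitive function pointer
FUNCTIONS = ["auth_check", "log_write", "crypto_sign", "net_send"]  # constructed names


def build_layout(randomize: bool, rng: random.Random) -> dict:
    """Return a mapping function -> slot for one host.

    Without moving-target defense every host gets the same predictable layout;
    with it, each host draws its own layout from its own randomness."""
    if not randomize:
        return {name: i * 16 for i, name in enumerate(FUNCTIONS)}
    slots = rng.sample(range(SLOT_COUNT), len(FUNCTIONS))
    return dict(zip(FUNCTIONS, slots))


def hook_succeeds(layout: dict, target_function: str, hardcoded_slot: int) -> bool:
    """The payload patches a fixed slot; it only intercepts the intended
    function if that slot holds it on this particular host."""
    return layout[target_function] == hardcoded_slot


def simulate(n_hosts: int, randomize: bool, seed: int = 1) -> list:
    """Build n_hosts layouts, let the attacker develop against host 0, and
    return the list of host ids on which the same payload still works."""
    rng = random.Random(seed)
    layouts = [build_layout(randomize, rng) for _ in range(n_hosts)]
    # The exploit is written against host 0 (e.g. a copy of the same image)
    hardcoded = layouts[0]["auth_check"]
    return [h for h, lay in enumerate(layouts)
            if hook_succeeds(lay, "auth_check", hardcoded)]


if __name__ == "__main__":
    fleet = 1000
    print("identical layouts, hosts compromised:", len(simulate(fleet, False)))
    print("per-host randomized, hosts compromised:", len(simulate(fleet, True)))
```

With identical layouts every host falls to the one payload; with per-host randomization the payload still hits host 0 but almost nothing else, which is the cost shift the text describes.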

While we are clearly losing the cybersecurity war, we must stay positive. The opposition can innovate, but so can we. The opposition may have the upper hand now, but we can turn the tables.