
©Morphisec, 2016 | All rights reserved.

Deception and Counter Deception

By Mordechai Guri, Chief Science Officer at Morphisec

Moving Target Attacks vs. Moving Target Defense


What’s Inside?


The cyber arms race between organizations and their attackers has reached unprecedented levels of sophistication and intensity. Organizational defenders constantly expand and strengthen their security systems with detection and response mechanisms, while cyber attackers develop new tactics to bypass those systems as quickly as they are formed.

Deception techniques are among the favorite methods in the attackers’ arsenal. Surprise and uncertainty provide an inherent advantage as the defender cannot predict the attacker’s next move.

Current and emerging defense strategies borrow from the attacker’s game plan but are they drastic enough?

Read on!

Table of Contents

1: Deception – The Name of the Game

2: Moving Target Attacks

3: Moving Target Attack Techniques

4: Fighting Deception with Deception

5: Moving Target Defense – Common Practices

6: Moving Target Defense – OS and Applications Are the Real Playground

7: Morphisec Moving Target Defense – Changing the Rules of the Game

8: About the Author

9: About Morphisec


Sun Tzu

CHINESE GENERAL, MILITARY STRATEGIST, AND PHILOSOPHER

Deception is the Name of the Game

Cybercriminals do not stand there proclaiming their intent. They arm and outfit their malware with polymorphism, obfuscation, encryption and self-modification to evade detection. New forms of attacks can be regenerated in a matter of hours. These Moving Target Attacks render traditional security measures – such as AV, scanners, behavior and anomaly detection – ineffective.

Moving Target Defense (MTD) has emerged in recent years as a way to level the cybersecurity playing field. By dynamically changing the attack surface, MTD makes it more challenging for adversaries to strike. Organizations no longer stand there proclaiming their vulnerabilities.

Moving Target Defense leverages the tactics of Moving Target Attacks – deception, modification and polymorphism – to put businesses on equal footing with attackers in the modern arena of cybersecurity.


Moving Target Attacks

Numerous techniques enable recurring modification of cyber-attacks, including their source, static signatures and behavioral signatures. Among these techniques, the most effective ones hide the malicious intent from defense systems while exhibiting benign or unknown behavior.

The table below describes some of the common types of moving target attack techniques. The following chapter explains how attackers use these techniques.

Technique                         Deception method
Polymorphism                      Changes the malware's static signature
Metamorphism / self-modification  Rewrites the malware's code on the fly
Obfuscation                       Hides malicious logic from scanners and analysts
Self-encryption                   Changes the signature and hides code and data until run time
Anti-VM / anti-sandbox            Evades automated analysis by behaving benignly inside virtual or sandboxed environments
Anti-debugging                    Evades automated and manual investigation by behaving benignly under a debugger
Encrypted exploits                Evades detection by changing delivery parameters and signatures on every delivery
Behavior changes                  Waits for real user activity before executing


Moving Target Attack Techniques

Polymorphism is commonly used by malware authors to evade AV detection. By encrypting the malware's payload, including its code and data, and prepending a small decryption stub, the attacker gains two main advantages. First, the attacker can easily generate different instances of the same malware by using a different encryption key for each one. This renders signature-based anti-malware facilities ineffective, since every new instance has a new and unknown static signature. Second, the malware can bypass deeper static analysis, since its code and data are encrypted and hence not exposed to scanners until the stub decrypts them at run time. Using metamorphism, the malware's author complicates detection further: rather than only re-encrypting a fixed body, the code itself is rewritten (instructions substituted, reordered or padded) for every generation, so that even the decrypted, in-memory code differs from one instance and one execution to the next.

While polymorphism and metamorphism aim at evading automatic file and memory scanning, obfuscation is also effective against manual inspection of the code. Using obfuscation, the malware's author creates code which is extremely difficult for a human analyst to understand.

This is achieved by building the payload with obscured strings, dummy code and convoluted function call graphs, which can be regenerated randomly for each instance of the malware.

Anti-VM and anti-sandbox mechanisms are another moving target attack method, since sandboxes and virtual machines are essential tools for malware analysts. These checks detect whether the malware is running within a virtualized or sandboxed environment. If a VM or sandbox is detected, the malware alters its behavior and avoids any malicious activity. Once it executes on a real system, after having been tagged as benign, the malware starts its malicious behavior.
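The polymorphism described above, shown as an added example that is not part of the original whitepaper or of any Morphisec code: a toy packer in C that XORs a constructed payload under a per-instance key, a static scanner that searches for a signature string, and an FNV-1a hash standing in for the file hash an AV database stores. The payload text, the signature and the keys are all constructed for the demonstration, and the rolling XOR is a stand-in for a real packer's cipher.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a malicious payload. In a real sample this would be
 * machine code plus its data; here it is a string carrying the kind of artefact
 * (a C2 hostname) that an AV signature keys on. */
static const uint8_t PAYLOAD[] =
    "stage1: connect back to c2.example.invalid:8443 and fetch stage2";
#define PAYLOAD_LEN (sizeof(PAYLOAD) - 1)

/* Toy AV "signature": a byte pattern the static scanner searches for. */
static const char SIGNATURE[] = "c2.example.invalid";

/* One polymorphic instance: a 4-byte per-instance key followed by the payload
 * XORed with that key. A rolling XOR is a toy cipher standing in for the packer's
 * real one; the effect on static signatures is the same. */
typedef struct {
    uint8_t key[4];
    uint8_t body[PAYLOAD_LEN];
} instance_t;

/* FNV-1a 64-bit, standing in for the file hash a signature database stores. */
uint64_t fnv1a64(const uint8_t *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* The packer: produce a new instance under a chosen key. A zero key byte would
 * leave every fourth payload byte in the clear, so such keys are rejected. */
int make_instance(instance_t *out, uint32_t key) {
    memcpy(out->key, &key, sizeof out->key);
    for (size_t i = 0; i < sizeof out->key; i++)
        if (out->key[i] == 0) return -1;
    for (size_t i = 0; i < PAYLOAD_LEN; i++)
        out->body[i] = PAYLOAD[i] ^ out->key[i % 4];
    return 0;
}

/* The decryptor stub: what runs at load time to recover the payload in memory. */
void unpack_instance(const instance_t *in, uint8_t *plain) {
    for (size_t i = 0; i < PAYLOAD_LEN; i++)
        plain[i] = in->body[i] ^ in->key[i % 4];
}

/* A static scanner: does the signature appear anywhere in this buffer? */
int scan_hits(const uint8_t *buf, size_t len) {
    size_t sl = strlen(SIGNATURE);
    for (size_t i = 0; i + sl <= len; i++)
        if (memcmp(buf + i, SIGNATURE, sl) == 0) return 1;
    return 0;
}

/* The three views a defender gets of one instance. */
uint64_t instance_hash(uint32_t key) {       /* hash of the packed file */
    instance_t inst;
    make_instance(&inst, key);
    return fnv1a64((const uint8_t *)&inst, sizeof inst);
}
int on_disk_hits(uint32_t key) {             /* file scan of the packed sample */
    instance_t inst;
    make_instance(&inst, key);
    return scan_hits(inst.body, PAYLOAD_LEN);
}
int in_memory_hits(uint32_t key) {           /* memory scan after the stub has run */
    instance_t inst;
    uint8_t plain[PAYLOAD_LEN];
    make_instance(&inst, key);
    unpack_instance(&inst, plain);
    return scan_hits(plain, PAYLOAD_LEN);
}

int main(void) {
    const uint32_t keys[] = { 0x1badb002u, 0xdeadbeefu, 0x0badf00du }; /* constructed */
    printf("unpacked payload on disk: signature hit = %d\n", scan_hits(PAYLOAD, PAYLOAD_LEN));
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("instance key %08x: hash %016llx, disk hit %d, memory hit %d\n",
               keys[i], (unsigned long long)instance_hash(keys[i]),
               on_disk_hits(keys[i]), in_memory_hits(keys[i]));
    return 0;
}
```

Every instance carries a different hash and the on-disk scan misses all of them, while the same scanner run over the decrypted buffer still hits. That is the practical reason memory scanning and runtime protection matter against packed malware, and why metamorphic samples, which also rewrite the decrypted body, go a step further than this packer does.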


In the same manner, malware can use anti-debugging techniques to avoid debugging and run-time analysis. If, during runtime, the malware detects debugging tools running, it changes its execution flow to perform benign operations. Once the malware is not under runtime inspection, it starts its malicious behavior.

Encrypted and targeted exploits have been used recently as part of exploits delivered through web pages ("exploit kits"). To avoid detection, URL patterns, hosting servers, encryption keys and file names are changed on every delivery. Such kits can also evade honeypots and crawlers by limiting the number of times the exploit is served to the same IP address. Finally, some attacks begin the exploitation phase only after real user interaction (e.g., scrolling the web page). By doing this, the attacker ensures execution on a real machine rather than under automated dynamic analysis.
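The anti-VM and anti-debugging checks described above, as an added example that is not part of the original whitepaper or of any Morphisec code. It uses two well-known probes on Linux/x86, the TracerPid field of /proc/self/status (non-zero while a ptrace() tracer such as gdb, strace or a ptrace-based sandbox is attached) and the "hypervisor present" bit that CPUID leaf 1 reports inside a VM, and routes execution to a benign decoy path whenever either fires. The decision function and the constructed status buffers are mine; the probes are standard.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

typedef enum { ACT_BENIGN = 0, ACT_MALICIOUS = 1 } action_t;

/* Linux exposes the PID of any ptrace()-attached tracer in /proc/self/status as
 * "TracerPid:\t<pid>". Parse that field out of a status buffer:
 * tracer PID, 0 if untraced, -1 if the field is absent. */
long parse_tracer_pid(const char *status) {
    const char *p = strstr(status, "TracerPid:");
    if (p == NULL) return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Same check for the running process; -1 where /proc is unavailable (non-Linux). */
long tracer_pid_self(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* CPUID leaf 1 sets ECX bit 31 ("hypervisor present") inside most VMs.
 * 1 = hypervisor, 0 = bare metal as far as CPUID says, -1 = not an x86 build. */
int hypervisor_bit(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return -1;
    return (int)((ecx >> 31) & 1u);
#else
    return -1;
#endif
}

/* The evasion decision the text describes: behave benignly whenever the sample
 * believes it is being watched, otherwise take the payload path. */
action_t choose_action(long tracer_pid, int hv_bit) {
    if (tracer_pid > 0) return ACT_BENIGN;   /* debugger or ptrace sandbox attached */
    if (hv_bit == 1)    return ACT_BENIGN;   /* inside a VM: likely an analysis box */
    return ACT_MALICIOUS;
}

int main(void) {
    long tp = tracer_pid_self();
    int hv = hypervisor_bit();
    printf("TracerPid=%ld hypervisor_bit=%d -> %s\n", tp, hv,
           choose_action(tp, hv) == ACT_BENIGN ? "benign decoy path" : "payload path");
    return 0;
}
```

Run it plainly, then under `strace -f ./a.out` or `gdb`, and the decision flips. Both probes are also easy for an analysis environment to defeat: a sandbox that observes the guest from the hypervisor rather than with ptrace leaves TracerPid at 0, and QEMU/KVM can hide the CPUID bit (`-cpu host,-hypervisor`). Conversely, the hypervisor bit is set on every ordinary cloud VM, which is why real samples combine it with vendor-string, timing and artefact checks before deciding they are in a sandbox.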

These effective deception methods render traditional defensive mechanisms insufficient, ceding superiority to the attackers. The defender endlessly chases the attacker, investing massive resources and efforts merely to detect and prevent invasions from all angles. Symmetry between defenders and attackers is non-existent. Attackers know whom they are going to attack, when, where and with what weapons, while defenders are in a state of constant uncertainty.


Fighting Deception with Deception

Interestingly, the deception techniques used by attackers can be turned against them: defenders can use the same ideas to shift the balance back. Moving Target Defense (MTD) aims at creating asymmetric uncertainty on the attacker's side by continually changing the attack surface.

The US Department of Homeland Security defines MTD as "the concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts." [1]

The MTD strategy accepts that there is no such thing as absolute security, and that the attackers' and the defenders' costs and efforts are asymmetric. Therefore, organizations need a new paradigm that increases the complexity and cost for attackers.

[1] http://www.dhs.gov/science-and-technology/csd-mtd


Moving Target Defense – Common Practices

In practice, there are three main categories of Moving Target Defense: (1) network level MTD, (2) host level MTD, and (3) application level MTD.

(1) Network level MTD includes several mechanisms that have been developed over the years. IP hopping changes the host's IP address over time, increasing the network's complexity as seen by the attacker. Later, this idea was extended so that IP mutation is transparent to the protected hosts: each host keeps its real IP address and is associated with a virtual, randomly chosen address that is the only one visible from outside, with the translation done at the network layer. Some techniques aim at deceiving the attacker during network mapping and reconnaissance. These include using random port numbers, extra open or closed ports, fake listening hosts, and obfuscated port traffic.

Other techniques feed the attacker fake information about the host and OS type and version, for instance by randomizing the network service responses that fingerprinting tools rely on to identify the OS.

(2) Host level MTD changes host and OS level resources, naming and configuration to mislead the attacker.
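The transparent IP mutation described under network level MTD above, as an added example that is not part of the original whitepaper or of any Morphisec product: a minimal gateway in C that keeps each host's real address fixed, derives a fresh virtual address for it in every epoch from a secret-keyed function, rewrites the source of outbound packets and the destination of inbound ones, and drops inbound packets aimed at a virtual address that is no longer current. The 10.20.0.0/16 pool, the 192.168.1.x hosts, the secret and the mixer function are all constructed for the demonstration; the mixer is not a cryptographic PRF.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 8
#define VNET_BASE 0x0A140000u   /* 10.20.0.0/16: constructed pool of virtual addresses */
#define VNET_MASK 0x0000FFFFu

typedef struct {
    uint64_t secret;            /* known only to the gateway */
    uint32_t epoch;             /* bumped on every mutation */
    size_t   n;
    uint32_t real[MAX_HOSTS];   /* real addresses: never change */
    uint32_t virt[MAX_HOSTS];   /* this epoch's virtual addresses */
} gateway_t;

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

void fmt_ip(uint32_t ip, char out[16]) {
    snprintf(out, 16, "%u.%u.%u.%u", ip >> 24, (ip >> 16) & 255u, (ip >> 8) & 255u, ip & 255u);
}

/* Toy keyed mixer over (secret, epoch, real address). Not cryptographic: a
 * production gateway would use HMAC or SipHash so that observed virtual
 * addresses reveal nothing about the next epoch's. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return x;
}

uint32_t virtual_for(uint64_t secret, uint32_t epoch, uint32_t real_ip) {
    uint64_t h = mix64(secret ^ ((uint64_t)epoch << 32) ^ (uint64_t)real_ip);
    return VNET_BASE | (uint32_t)(h & VNET_MASK);
}

void gw_init(gateway_t *gw, uint64_t secret) {
    memset(gw, 0, sizeof *gw);
    gw->secret = secret;
}

int gw_add_host(gateway_t *gw, uint32_t real_ip) {
    if (gw->n >= MAX_HOSTS) return -1;
    gw->real[gw->n++] = real_ip;
    return 0;
}

/* Start a new epoch: every host gets a fresh virtual address; two hosts that
 * land on the same address are separated by probing forward through the pool. */
void gw_rotate(gateway_t *gw, uint32_t epoch) {
    gw->epoch = epoch;
    for (size_t i = 0; i < gw->n; i++) {
        uint32_t v = virtual_for(gw->secret, epoch, gw->real[i]);
        for (int clash = 1; clash; ) {
            clash = 0;
            for (size_t j = 0; j < i; j++)
                if (gw->virt[j] == v) { clash = 1; v = VNET_BASE | ((v + 1) & VNET_MASK); break; }
        }
        gw->virt[i] = v;
    }
}

/* Outbound packet: rewrite the real source to its current virtual address.
 * Returns 0 for a host the gateway does not know. */
uint32_t gw_outbound(const gateway_t *gw, uint32_t real_src) {
    for (size_t i = 0; i < gw->n; i++)
        if (gw->real[i] == real_src) return gw->virt[i];
    return 0;
}

/* Inbound packet: map a virtual destination back to the real host. Returns 1 and
 * sets *real_dst on success; 0 (drop) if the address is not a current virtual
 * address, e.g. one an attacker learned from a scan in an earlier epoch. */
int gw_inbound(const gateway_t *gw, uint32_t virt_dst, uint32_t *real_dst) {
    for (size_t i = 0; i < gw->n; i++)
        if (gw->virt[i] == virt_dst) { *real_dst = gw->real[i]; return 1; }
    return 0;
}

int main(void) {
    gateway_t gw;
    char r[16], v[16];
    gw_init(&gw, 0x5eed5eed5eed5eedULL);        /* constructed secret */
    gw_add_host(&gw, ip4(192, 168, 1, 10));
    gw_add_host(&gw, ip4(192, 168, 1, 11));
    gw_add_host(&gw, ip4(192, 168, 1, 12));
    for (uint32_t epoch = 1; epoch <= 3; epoch++) {
        gw_rotate(&gw, epoch);
        for (size_t i = 0; i < gw.n; i++) {
            fmt_ip(gw.real[i], r);
            fmt_ip(gw.virt[i], v);
            printf("epoch %u: %s is seen from outside as %s\n", epoch, r, v);
        }
    }
    return 0;
}
```

Two properties carry the defensive value: a real address is never routable from outside (an attacker who somehow learns 192.168.1.10 still cannot reach it through the gateway), and a virtual address harvested during reconnaissance stops resolving at the next rotation, so the reconnaissance has to be redone inside the mutation interval. The residual weaknesses are the ones the text goes on to discuss: the host behind the address, its OS and its applications are unchanged, so once an attacker does reach it within an epoch, nothing at the network layer confuses the exploit itself.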


(3) Application level MTD involves changing the application environment in order to trick the attacker. Address Space Layout Randomization (ASLR), first implemented by the PaX project for Linux and later adopted by Windows, OS X and the other mainstream operating systems, implements a basic level of MTD. It randomly arranges the memory layout of a process's address space (the base of the stack, heap and shared libraries and, for position-independent executables, the program image itself), so that an adversary cannot know in advance the addresses needed to redirect execution to injected shellcode or to existing code. Other techniques involve changing the application type and version and rotating them between different hosts. Some application level MTDs compile the source code with different settings, compilers or target languages, generating different code in every compilation.
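ASLR as described above, as an added example that is not part of the original whitepaper or of any Morphisec code: a C probe that reports where the text, heap, stack and libc of the running process landed, plus the small analysis a practitioner does with such samples, namely computing which address bits actually vary across runs and how many blind guesses that entropy costs an attacker. The three stack-base samples in the block are constructed for the demonstration, not measurements.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Where the main regions of this process landed. Run the binary several times
 * and compare: with ASLR on, each value moves between runs. */
typedef struct { uintptr_t text, heap, stack, libc; } layout_t;

static void marker(void) { }

layout_t sample_layout(void) {
    layout_t l;
    int local;
    void *p = malloc(64);
    l.text  = (uintptr_t)&marker;   /* program image: randomized only for PIE builds */
    l.heap  = (uintptr_t)p;
    l.stack = (uintptr_t)&local;
    l.libc  = (uintptr_t)&malloc;   /* shared library; may resolve to a PLT stub on non-PIE builds */
    free(p);
    return l;
}

/* Given one region's address from n separate runs, which bits ever changed?
 * The popcount of that mask is a lower bound on the randomized bits. */
uint64_t randomized_mask(const uint64_t *samples, size_t n) {
    uint64_t mask = 0;
    for (size_t i = 1; i < n; i++) mask |= samples[0] ^ samples[i];
    return mask;
}

int entropy_bits(uint64_t mask) {
    int c = 0;
    for (; mask; mask >>= 1) c += (int)(mask & 1u);
    return c;
}

/* The low 12 bits (page offset) are never randomized: a one-byte partial
 * pointer overwrite keeps working under ASLR, which is why exploits pair a
 * memory-disclosure bug with ASLR instead of guessing whole addresses. */
unsigned page_offset(uint64_t a) { return (unsigned)(a & 0xfffu); }

/* Average number of blind attempts to hit a target behind `bits` random bits
 * (half the search space), for 1 <= bits <= 63; -1 outside that range. */
double expected_guesses(int bits) {
    if (bits < 1 || bits > 63) return -1.0;
    return (double)(1ULL << (bits - 1));
}

/* Constructed stack-base samples from three hypothetical runs (not measurements). */
#define N_SAMPLES 3
static const uint64_t STACK_SAMPLES[N_SAMPLES] = {
    0x7ffc1234a000ULL, 0x7ffd91e0f000ULL, 0x7fff0b7c2000ULL
};

int demo_stack_entropy_bits(void) {
    return entropy_bits(randomized_mask(STACK_SAMPLES, N_SAMPLES));
}

int main(void) {
    layout_t l = sample_layout();
    printf("text  %#lx\nheap  %#lx\nstack %#lx\nlibc  %#lx\n",
           (unsigned long)l.text, (unsigned long)l.heap,
           (unsigned long)l.stack, (unsigned long)l.libc);
    int bits = demo_stack_entropy_bits();
    printf("constructed samples: %d randomized bits, ~%.0f blind guesses on average\n",
           bits, expected_guesses(bits));
    return 0;
}
```

Run the probe a few times normally, then under `setarch $(uname -m) -R ./probe` (which disables ASLR for that process on Linux) to see the addresses freeze; feeding real samples to `randomized_mask` instead of the constructed ones gives the entropy your platform actually provides. Three samples only lower-bound it, which is the point of the mask: collect more runs until the popcount stops growing.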

The list below gives an overview of common techniques used in the different categories of MTD.

Information system part          Deception method
Network                          Route changes; random addresses, names and ports
Firewall / IDS                   Policy changes
Host                             Change host address; replace host image
OS                               Change version and release; change host ID; change memory addresses, structures and resource names
Application / application code   Randomize the addresses of memory regions; filter input data that causes failures; rotate the application among different hosts; multilingual code generation; diverse code generation


Moving Target Defense – OS and Applications Are the Real Playground

The Moving Target Defense paradigm promises to break the asymmetry between the attacker and the defender. Now the attacker must also operate under uncertainty and unpredictability.

While network-level MTD offers some resilience, randomizing IP addresses, network topology and configuration is not a sufficient defense. The final destinations for attackers are the hosts, servers and endpoints located behind the networks, firewalls and routers. Since the operating system and applications are the lucrative target for 0-day exploits, malware and Advanced Persistent Threats (APTs), they serve as the main arena in the attacker-defender battle.

Although the MTD paradigm is still in its infancy, predictions point to a focus on applications and operating systems. MTD at the OS and application levels holds huge promise: in order to launch a successful attack, the attacker must collect intelligence and make assumptions regarding the targeted operating system and application, including versions, configurations, memory structures and resource names, among other factors. If the attacker bases any offensive step on a faulty element – even a single memory address – the attack is doomed to fail.


Morphisec Moving Target Defense – Changing the Rules of the Game

Morphisec takes the Moving Target Defense paradigm to the next level by creating environmental modifications to the application and the operating system in a manner untraceable by attackers. Consequently, the elementary presuppositions attackers rely on when planning and deploying their offensive steps become irrelevant. Each function call, jump to an address or access to a resource entails potential failure, along with full exposure of the attack, its originators and its source.

Under these conditions, the cost of the attack rises steeply while its probability of success declines sharply. Taken together, these factors make the attack practically and economically less feasible.

By forcing attackers to fight on an uncertain battlefield, Moving Target Defense changes the rules of conflict.


About the Author: Mordechai Guri

Mordechai Guri, computer scientist and security expert, has more than 20 years of practical research experience. He is a lead researcher and lab manager at the Ben-Gurion Cyber Security Research Center and was awarded the IBM PhD International Fellowship (2015-2016). Guri manages academic research in various aspects of cybersecurity for the commercial and governmental sectors.

Guri has led a number of breakthrough research projects in cybersecurity. His research focuses on state-of-the-art challenges in the field of cyber attack and cyber defense. He examines current paradigms and develops new methods for improved mitigation of security problems in the modern cyber environment. His research topics include OS security, advanced malware, Moving Target Defense, mobile security and embedded systems.

Guri earned his BSc and MSc, summa cum laude, from the computer science department at the Hebrew University of Jerusalem.



About Morphisec

Emerging from the national cybersecurity center and from some of the sharpest cybersecurity minds in Israel, Morphisec provides the ultimate in threat prevention by making sure attackers never find the targets they seek. Ever.

Morphisec fundamentally alters the cybersecurity landscape with its Moving Target Defense, which keeps defenders consistently ahead of attacks.

Morphisec Endpoint Threat Prevention uses Moving Target Defense technology to conceal vulnerabilities in applications, web browsers and operating systems from attackers. Its polymorphic engine scrambles the application's runtime environment, randomly and without any trace, every time an application is loaded, making the memory space unpredictable to attackers.

Morphisec Endpoint Threat Prevention protects your endpoints from all exploit-based, memory injection attacks against 32-bit endpoint applications such as browsers and productivity tools. It prevents evasive attacks, zero-days and attacks targeting known but unpatched vulnerabilities. It does so in a deterministic manner, with no false positives, via a lightweight 1 MB agent requiring no administration.

Counter the terror of advanced cyberattacks: Schedule a demo with Morphisec today!