Blueprints from History — Series#3
BLUEPRINT#3 : CONFUSE THE ENEMY
“The Romans are trained to fight in one way only which makes them predictable. We will present them the unexpected and watch them fall apart” , says Hannibal Barca in the TV film Hannibal (2006). Hannibal is known to be one of the most brilliant tacticians the world has ever seen. He was at the vanguard of Carthagian’s forces from the great North African merchant empire who battled Rome for supremacy of the Mediterranean, famously known as Punic Wars. For nearly 20 years, Hannibal fought against the Romans , invaded Italy and brought terror to the doorstep of Rome itself. His tactics and methods on how to stage a battle in any kind of terrain and weather are taught in seminars today in Navy, Army, Marines and Air Force academies.
One of his signature maneuvers was deployed in the Battle of Cannae, 216 B.C against the Romans where his genius manifested itself in the way he positioned his army. The Romans were 70,000 soldiers, 6,000 cavalry while the Carthagians were 35,000 heavy infantry, 8,000 light infantry and 10,000 cavalry.
Hannibal lined up his men in a convex line formation, he set his elite and strong men on the rear side flanks so they would come into action only during the latter part of the battle. He set his weak and light soldiers in the middle so that as they retreat his formation moved from convex to concave. Once the battle started and as the romans surged forward their plan was working perfectly but in doing this they lose order and are crammed together in a very small space. At this point Hannibal brings his trap, his deadly African mercenaries cut into the undefended Roman flanks who are suddenly facing the Carthagians coming from different directions. They are unable to organize a proper fighting line and things turn chaotic for the Romans. Hannibal’s army completely encircle the Romans killing thousands of them.
The strategy followed here is fundamentally to confuse the enemy and attack them from unpredictable locations.
Exemplifying Hannibal’s strategy in developing cyber security solutions, Why present a static security system to the attackers thereby enable them to study a system, find its vulnerabilities, and plan an attack? Why not make the attack surface dynamic and confuse the attackers? This is the principle behind Moving Target Defense approach that aims at imposing uncertainty in attack reconnaissance and planning.
In order to make a system dynamic once cannot convert a static system into dynamic, we need to re-design and re-envision our system to have dynamic attributes. For e.g assume an adversary plans to attack a webserver exposing a particular IP address and starts their initial reconnaissance activity.
When they come back to compromise the webserver we could design the system such a manner that the webserver would have changed its IP address by then.
This increases the time taken by the adversary to penetrate and helps defenders to find them. MTD aims to create dynamic attack surface foiling zero day attacks and advanced persistent threats. There are a number of techniques in creating dynamic building blocks of an attack surface, typically the techniques aim at switching around data, network, software, runtime environments and platforms.
The switching strategy lies in the decisions for the three questions : what to move (configuration attributes such as IP address, port numbers, OS, software programs) , how to move (shuffle the configuration attributes, create a replica of the system or deploy the system in a variety of diverse environments) and when to move (decide the optimal time to switch from one state to another).
The switching can be reactive (as a response to an alert or an event), proactive (based on a decided time interval) or hybrid (time interval is adaptive based on an event).
The example shown in the illustration shows how you can create a MTD web application and make the attack attempt if any less effective thereby increasing it’s resiliency. Various aspects that support MTD approach in this case is switching between port numbers exposed by the web application or changing between a .Net application or a JSP application achieving the same functionality or switching between the hosted operating system, hardware or hypervisor. For instance, assume an attacker manages to penetrate into an enterprise network with an aim to compromise one of its web application. The IT security team has already created a replica of the application in an alternate programming language and made it compatible to be hosted in alternate OS Host and hardware. At a particular time t, the attacker does the study of the environment during which the web application is available as a Microsoft.Net application running in IIS server hosted in Windows 2019 server and accessible via port number 8080. The attacker visits back to perform the planned activity at time t1 during which the web application is no longer available in the same port number but at port number 9090 as a JSP application running in Apache server hosted in RedHat Linux which forces the attacker to restart their reconnaissance activity all over again.
One must note that Cloud platforms prove to be the right ground for creating applications and Infrastructures with speed and agility through Infrastructure As Code mechanisms which help them to dynamically respond to changes in the environment. This approach can be exploited to bring in continuous infrastructure regeneration and application surface modification capabilities. This would not only aid in confusing the attackers but also contribute to improve resiliency in the systems.
No doubt MTD provides a new perspective to building a defense system but triggering MTD operations too often leads to reducing service availability. The cost and effort required to arrive at the right switching strategy for an application and to perform the transition action from one state to another is also high. It is not a one-size-fit-all solution, every MTD needs to be adjusted based on the organization’s needs and specifications. But the good news is many startups have been innovating security products utilizing moving target defense approaches, the key ones being CryptoMove, Polyverse and Morphisec.
MTD can help deploy other security defense mechanism such as Intrusion Detection and Prevention and Honeypots by complementing with them as an additional layer of defense.
The recent trends in MTD has clearly shown that it is the next step in the evolution of security, it is no longer a luxury for an organization but a necessity.