I recently had an interesting conversation with Alex Gounares, the CEO at Polyverse. Alex calls Polyverse’s security approach “Moving Target Defense.” Polyverse’s technology basically causes your operating system to continuously morph into something functionally the same and dynamically different, at a very high rate of speed, while replacing the container with each morph. The idea is to give attackers virtually no time to exploit a vulnerability before the vulnerability has been moved somewhere else. If malware does enter the system, the OS is replaced with a brand new, clean morphed OS almost as quickly as the malware had arrived. Full disclosure: I had been referred by a friend to Polyverse for contract work. There was not a synergy in current needs but the ensuing conversation was engaging and thought provoking. This is the “evasion and regeneration” I am talking about in the title of this blog.
One of my all-time favorite quotes goes something like this: “If you only see one solution you probably don’t understand the problem.” This sage advice, which I found in the sidebar of a DIY robotics book, applies to life. Sometimes when I do not like a solution, I discover I’m not actually trying to solve the real problem. Sometimes the first solution I see is the best solution. Other times I find multiple appealing solutions. Regardless, I am always more educated by remembering to apply this principle to my life.
I really am intrigued by Alex’s classifications of defenses as “stationary” and “moving target.” The moving target defense looks to me like a novel solution. Damn. The “S” word… “solution.” “If you only see one solution…” Sigh. Now my challenge became one to see if I could find better or equally appealing solutions that use a stationary target defense. In other words, “Can a stationary endpoint be defended as well as an endpoint that is moving faster than the attackers can catch and inflict damage upon?”
There are many types of stationary target defenses, but for this blog I am limiting discussion to one class of stationary target defense: deception and decoy. The reason is simple. It was the first to come to mind because my friend Gadi Evron is everywhere I go. Facebook, email, countries all over the world… Gadi is everywhere. In thinking about a stationary target defense solution that might be able to provide the effectiveness of a moving target defense, I remembered Gadi telling me about how his company, Cymmetria, uses decoys and deception to keep an attacker away from a stationary target. TrapX, Attivo Networks, and CounterCraft are three other companies that use a deception and decoy strategy.
Aside from any technical merits of these solutions, I absolutely love the idea of deceiving the bad guys. Digital karma. Ask me about the time I kept a PC support scammer on the line for 45 minutes. He even waited for me to “cook my breakfast.”
I have an all-time favorite example of a successful stationary target defense. The defense was called “Rope-a-dope” and it made the “Rumble in the Jungle” one of the most exciting boxing matches in history. Muhammad Ali was essentially a stationary target for almost 8 rounds. In the 8th round Ali stopped being a stationary target and destroyed George Foreman in an offensive flurry lasting less than 10 seconds. Rope-a-dope worked for Ali. Although it was an offensive maneuver that ended the fight, the defense was essentially stationary. I can’t imagine that getting pummeled by George Foreman felt like an Ashiatsu massage, but I wasn’t there.
Unlike Ali’s approach, companies employing decoys and deception do not let their targets stand and take punches, no matter how hardened the target is. Different companies use different techniques, but the high-level concept is to use real or virtual computers that keep attention drawn away from the target by making the decoys look like they have the Holy Grail. One of the potential weaknesses of the decoy approach is that there is still a stationary target. I’m sure that all of the companies that use this approach are aware of this and have some pretty cool counter-measures, but still, there is a stationary target. If the decoys work all of the time then the actual target does not need to move.
My favorite moving target defense analogy is the SR-71 Blackbird. This spy plane was the fastest aircraft ever to fly. The Blackbird had vulnerabilities. The Blackbird was designed for stealth, but you don’t really fly at Mach 3+ without leaving a detectable heat signature. To add to that, the skin around parts of the fuselage could be easily damaged. How did the Blackbird defend itself? It flew faster than the missiles could reach it, faster than any other aircraft could fly, and it moved around a lot. Stealth was still a factor too. By the time the missile got there, the Blackbird was not. It didn’t matter that the Blackbird was in plain (no pun intended) sight.
Surveillance is a critical part of moving target defenses, deception and decoy defenses, and many other security approaches. Repelling attacks is good, but not everything. You want to have a discreet, digitally intimate relationship with your attacker. You just don’t want the attacker to know they are in the relationship. This should be your relationship status.
You want to stalk your enemy… watch them… What is my enemy after? How are they going after it? How are their tactics adapting? Who is attacking me? What am I going to do about it? And so on… Ah ha! The OODA Loop is back!
Update: Attivo Networks expressed concern that I may be making decoy and deception defense look like a passive technology. I am actually surprised that none of the other vendors raised this concern because they all fight the misconception that they are glorified honeypots.
Modern decoy and deception approaches employ algorithms that can create a series of dynamically changing decoys and potentially even dynamically changing network topologies in response to the tactics of attackers. This is active engagement with the enemy, not passive intelligence collection.
Again, I am not recommending or endorsing any specific technology or security market segment. We’re talking philosophic approaches and challenging assumptions. I can’t imagine any single tactic working through the entire kill chain.
Given multiple approaches to achieve the same goals, which strategy is best? I can’t tell you; I don’t know your problem.
If you are Schick you are defending trade secrets. Encryption, DRM and data recovery probably address the real problem. Yes indeed, defend your endpoints, but don’t lose focus on the problem. Get that IP protected, then worry about the network and endpoints.
If you are a hospital you are defending human lives first. Protecting the equipment required to maintain the physical well-being of a patient probably requires different protection technologies and/or approaches than protecting the systems remotely monitoring a pacemaker. Banking Trojans may be the biggest threat to the accounting department, whereas data theft is the major threat to systems holding health records.
Make sure you are clear on the problem, assess the suitability of the approach to the problem, and then compare technologies and approaches. The right technological approach for you may not have been mentioned in this blog.
I really wanted to share with you the concept of diverse philosophical approaches to security, and demonstrate what happens when I remember some of the wisest words I know: “If you only see one solution you probably don’t understand the problem.”
This is the official end of the blog, but feel free to read on if you enjoy the diversions that research on the Internet results in. As you all know, the problem with research on the Internet is not attribution and not validation; it’s that you get diverted to rather irrelevant information that is too compelling to ignore. In thinking about analogies to use in this blog, holograms came to mind. I could think of analogies using holograms for either type of defense, but they fell apart the very first time an adversary tried to “touch them.” This analogy requires a hologram that can be “touched” to really fly. With that in mind I remembered that George Washington once said “if you can dream it you can find it on the Internet.”
Research into my dream led me to a company called Ultrahaptics. Ultrahaptics is developing a holographic technology which can make it seem like you are touching a hologram. How cool is that?
Randy Abrams
Independent Security Analyst (ISA)
Fan of Historical Quotes (FHQ)
Chaser of Internet Squirrels (CIS)