The Army Research Laboratory (ARL), working with an international team of researchers, is looking to implement a new type of cyber defense that operates on the principle that you can’t hit what you can’t see.
Called the moving target defense, or MTD, it’s an approach that confuses cyber attackers by making the attack surface dynamic, and thus harder to probe and infiltrate. It’s a new technique that represents a significant shift in cyber defense, which has primarily focused on the passive defense of static networks.
“MTD increases uncertainty and confuses the adversary, as time is no longer an advantage,” Dr. Terrence J. Moore, one of the ARL researchers on the project, said in an ARL release. A moving target makes life hard for hackers by shifting IP addresses, randomizing network configurations, and taking other steps. A hacker’s previous reconnaissance of a network is no longer valid, for instance, because weaknesses spotted earlier are no longer in the same place.
“The adversary has to expend more resources, such as time and/or computational power, to discover vulnerabilities of a target system,” Moore said, “but will experience more difficulty in exploiting any vulnerabilities found in the past since their location or accessibility is constantly changing.”
ARL is collaborating on the project with researchers from the University of Canterbury in New Zealand and the Gwangju Institute of Science and Technology in the Republic of Korea, whom they reached out to through a program run by the U.S. Army International Technology Center-Pacific.
Hackers have always held a distinct advantage in cyber wars in that they only have to find one way into a network, while admins have to worry about every vulnerability. In recent years, hackers have added to their arsenals with tactics such as hiding their IP addresses, routing attacks through proxy servers, and altering their malicious code to avoid detection. For those charged with defending networks, it can be like playing Whack-A-Mole.
MTD, which originated within the Department of Defense and is also being promoted by the Department of Homeland Security, could give hackers a taste of their own medicine. One tactic the research team is working on is to change IP addresses frequently, so that attackers can’t keep track of their targets. Only the addresses exposed on the attack surface change; the real IP address of the host server stays the same, ARL said. A conventional, passive defense gives hackers time to plot their attacks. With MTD, those targets would keep disappearing. Instead of their long-standing asymmetrical advantage, hackers would face an asymmetrical disadvantage.
Other new MTD techniques being developed by startups such as CryptoMove and big companies like IBM include keeping data fragmented, encrypted, and on the move around a network. A company called Cryptonite NXT makes a hardware device that constantly changes the IP addresses of connected devices.
The added layer of security does come with extra costs tied to constantly shifting the attack surface, however. The ARL-led team is mitigating those costs by developing their MTD system with software-defined networking, which streamlines the operation through a centralized controller, rather than leaving network control with each individual device.
Using an approach called Flexible Random Virtual IP Multiplexing (FRVM), developed by the University of Canterbury members of the team, an SDN controller regularly and randomly changes a host’s virtual IP address, leaving hackers with what one of the team’s researchers described as a complex shell game. Instead of guessing among three shells, or IP addresses, to find the network service that serves as the pea in the analogy, a hacker would have 65,536 (2^16) shells to choose from, and the pea moves again at every reassignment.
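The two ideas above, a fixed real address hidden behind a frequently reassigned virtual address and a 65,536-address shell game, can be modelled in a few dozen lines. The following is an added illustration written for this article, not ARL’s or the University of Canterbury’s FRVM implementation: the SDN controller and its flow-table rewrite are replaced by a toy in-memory table, the virtual block 10.0.0.0/16, the host address 192.168.1.10, the epoch counter and the seeded random generator are all assumptions made for the demo, and the “attacker” is a simple sweep of the block.

```python
"""Toy FRVM-style virtual-IP multiplexer (constructed example, not ARL/UC code):
one real host IP hidden behind a random virtual IP drawn from a 16-bit block,
re-randomized by a central controller at every epoch."""
import ipaddress
import random
from typing import Dict, Optional, Set, Tuple

HOST = "192.168.1.10"  # constructed, fixed real IP of a protected service


class FRVMController:
    """Stand-in for the SDN controller: holds the vIP<->rIP table and rotates it."""

    def __init__(self, vip_block: str = "10.0.0.0/16", seed: Optional[int] = None) -> None:
        self.block = ipaddress.ip_network(vip_block)      # 65,536 addresses for a /16
        # random.Random(seed) keeps the demo reproducible; a real controller would
        # draw from secrets.SystemRandom() so the next vIP cannot be predicted.
        self.rng = random.Random(seed)
        self.real_to_vip: Dict[str, str] = {}
        self.vip_to_real: Dict[str, str] = {}
        self.epoch = 0

    def _fresh_vip(self, avoid: Set[str]) -> str:
        # Uniform draw over the block, skipping the network and broadcast addresses
        # and anything already assigned or explicitly excluded.
        while True:
            offset = self.rng.randrange(1, self.block.num_addresses - 1)
            vip = str(self.block.network_address + offset)
            if vip not in self.vip_to_real and vip not in avoid:
                return vip

    def register(self, real_ip: str) -> str:
        vip = self._fresh_vip(avoid=set())
        self.real_to_vip[real_ip] = vip
        self.vip_to_real[vip] = real_ip
        return vip

    def rotate(self) -> None:
        """New epoch: every host gets a different vIP; the real IPs never change."""
        previous = dict(self.real_to_vip)
        self.real_to_vip.clear()
        self.vip_to_real.clear()
        for real_ip, old_vip in previous.items():
            vip = self._fresh_vip(avoid={old_vip})       # rotation must actually move the pea
            self.real_to_vip[real_ip] = vip
            self.vip_to_real[vip] = real_ip
        self.epoch += 1

    def inbound(self, dst_vip: str) -> Optional[str]:
        """Edge rewrite for an incoming packet: current vIP -> rIP, stale vIP -> dropped."""
        return self.vip_to_real.get(dst_vip)


def scan(ctl: FRVMController, probes: int, rng: random.Random) -> Set[str]:
    """Attacker sweeps `probes` distinct addresses of the block within one epoch
    and records which virtual addresses answered."""
    usable = range(1, ctl.block.num_addresses - 1)
    found: Set[str] = set()
    for offset in rng.sample(usable, min(probes, len(usable))):
        vip = str(ctl.block.network_address + offset)
        if ctl.inbound(vip) is not None:
            found.add(vip)
    return found


def locate_probability(probes_per_epoch: int, block: str = "10.0.0.0/16") -> float:
    """Chance that a sweep of `probes_per_epoch` distinct addresses hits one given
    host before the next rotation (sampling without replacement from the usable block)."""
    usable = ipaddress.ip_network(block).num_addresses - 2
    return min(1.0, probes_per_epoch / usable)


def stale_recon_replay(seed: int = 7) -> Tuple[bool, bool, bool]:
    """A full sweep at epoch 0 finds the host; after one rotation the attacker's note
    is useless, while the service is still reachable at its unchanged real IP."""
    ctl = FRVMController(seed=seed)
    vip0 = ctl.register(HOST)
    recon = scan(ctl, probes=ctl.block.num_addresses, rng=random.Random(seed))
    found_at_epoch0 = recon == {vip0}
    ctl.rotate()
    stale_dropped = ctl.inbound(vip0) is None
    still_served = ctl.inbound(ctl.real_to_vip[HOST]) == HOST
    return found_at_epoch0, stale_dropped, still_served


if __name__ == "__main__":
    print(stale_recon_replay())   # (True, True, True)
    print(f"{locate_probability(1000):.4%} chance per epoch with 1,000 probes")
```

The point the sweep makes is the one the shell-game analogy makes: an attacker who can send p distinct probes between two rotations locates a given host with probability about p/65,534 per epoch, and whatever was learned in one epoch is dropped at the edge in the next. Shorter rotation intervals shrink p, at the cost (noted below) of more frequent reassignments for the controller to push out and for legitimate long-lived connections to survive.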
ARL says its primary purpose in the research is to protect defense networks from attack in order to let warfighters execute their missions, but an effective, affordable MTD could wind up being the next wave in network defense.