The Emergence of Polymorphic Cyber Defense

Background

Attackers are Stronger Now

The cyber world is witnessing a fast-paced digital arms race between attackers and security defense systems, and 2014 showed everyone that attackers have the upper hand in this match. Attackers are on the rise due to their growing financial interest—motivating a new level of sophisticated attacks that existing defenses are unmatched to combat. The fact that almost everything today is connected to the net and the ever-growing complexity of software and hardware turns everyone and everything into viable targets.

For the sake of simplicity, I will focus this post on enterprises as a target for attacks, although the principles described here apply to other domains.

Complexity of Enterprise: IT has Reached a Tipping Point

In recent decades, enterprise IT achieved great architectural milestones thanks to the lowering costs of hardware and accelerating the pace of technology innovation. This transformation made enterprises utterly dependent on IT foundation, which is composed of a huge amount of software packages coming from different vendors, operating systems, and devices. Enterprise IT has also become very complicated where gaining a comprehensive view of all the underlying technologies and systems has become an impossible mission. This new level of complexity has its tolls, and one of them is the inability to effectively protect the enterprise digital assets. Security tools did not evolve at the same pace as IT infrastructure, and as such, their coverage is limited—resulting in a considerable amount of “gaps” waiting to be exploited by hackers.

The Way of the Attacker

Attackers today can craft very advanced attacks quite quickly. The Internet is full of detailed information regarding how to craft those with plenty of malicious code to reuse. Attackers usually look for the least resistant path to their target, and such paths exist today. Although, after reviewing the recent APT techniques, some consider them not to be sophisticated enough. I can argue that it is just a matter of laziness, and not professionalism—since today there are so many easy paths into the enterprise, why should they bother with advanced attacks? And I do not think their level of sophistication, by any means, has reached a barrier that can make the enterprises feel more relaxed.

An attack is composed of software components and to build one; the attacker needs to understand their target systems. Since IT has undergone standardization, learning which system the target enterprise use and finding its vulnerabilities is quite easy. For example, on every website an attacker can identify the signature of the type of web server, and then investigate it within the lab, to try to look for common vulnerabilities on that specific software. Even more simple is to look into the CVE database and find existing vulnerabilities, which have not been patched on it. Another example is the active directory (AD), which is an enterprise application that holds all the organizational information. Today, it is quite easy to send a malicious document to an employee in which once the document is opened, it exploits the employee’s Windows machine and looks for privileged vulnerability into AD. Even the security products and measures that are applied to the target enterprise can be identified by the attacks quite easily, and can later bypass them, leaving no trace of the attack. Although organizations always aim to update their systems with the latest security updates and products, there are still two effective windows of opportunities for attackers:

From the moment that a disclosure of a vulnerability in specific software is identified to the moment in which a software patch-up is engineered, to the point in time in which the patch is applied to the specific computers running the software. This is the most vulnerable time frame since the details of the vulnerability are publicly available, and there is always enough time before the target covers this vulnerability—greatly simplifying the job of the attacker. Usually, within this time frame attackers can also find example exploitation code on the internet for reuse.

Unknown vulnerabilities in the software or enterprise architecture that are identified by attackers and used without any disruption or visibility since the installed security products are not aware of them.

From a historic point of view, the evolution of attacks is usually tightly coupled with the evolution of security products aiming to bypass them and mainly the need to breach specific areas within the target. During my time as VP R&D for Iris Antivirus (20+ years ago) I witnessed a couple of important milestones in this evolution:

High-Level Attacks – Malicious code written in a high-level programming language such as Visual Basic or Java, which created a convenient platform for attackers to write a PORTABLE attacks which can be modified quite easily since it is written in high-level language making virus detection very difficult. The basic visual attacks created, also as an unintentional side effect, an efficient DISTRIBUTION channel for the malicious code to be delivered via documents. Today it is the main distribution path for malicious code, via HTML documents, Adobe PDF files or MS Office files.

Polymorphic Viruses – Malicious code hides itself from signature driven detection tools, and only at runtime is the code deciphered and executed. Now imagine a single virus serving as a basis for so many variants of “hidden” code and how challenging it can be for a regular AV product. Later on, polymorphism evolved to dynamic selection, and execution of the “right” code where the attack connects to a malicious command and control server with the parameters of the environment and the server returns an adaptive malicious code, which fits the task at hand. This can be called as runtime polymorphism.

Both “innovations” were created to evade the main security paradigm which existed back then, mainly that of the anti-viruses looking for specific byte signatures of the malicious code. Both new genres of attacks were very successful in challenging the AVs —because signatures have become less deterministic. Another major milestone in the evolution of attacks is the notion of code REUSE to create variants of the same attack. There are development kits in existence which can be used by attackers, as if they were legitimate software developers, building something beneficial. The variants phenomena competed earnestly with AVs in a cat and mouse race for many years—and still, does.

State of Security Products

Over the years malicious code related security products have evolved alongside the threats, whereas the most advanced technology applied to identifying malicious code was and still is behavioral analysis. Behavioral analysis indicates the capability to identify specific code execution patterns. An approach to the signature detection paradigms, which mainly addresses the challenge of malicious code variants. Behavioral analytics can be applied at runtime to a specific machine tracing the execution of applications or offline via a sandbox environment such as FireEye. The latest development in behavioral analytics is the addition of predictive capabilities aiming to predict which alternative future execution patterns reflects a malicious behavior and which is benign to stop attacks before any harm is done. Another branch of security products which aim at dealing with unknown malicious code belongs to an entirely new category that mimics the air-gap security concept, referred to as containment. Containment products—there are different approaches with different value propositions, but I am generalizing here—are running the code inside an isolated environment, and if something were to go wrong, the production environment would be left intact in that it was isolated and the attack had been contained. It is similar to having the 70’s mainframe, which did containerization, but in your pocket and a rather seamless manner. And of course, the AVs themselves have evolved quite a bit, while their good old signature detection approach still provides value in identifying well-known and rather simplistic attacks.

So, with all these innovations, how are attackers remaining on top?

As I said, it is quite easy to create new variants of malicious code. It can even be automated, making the entire signature detection industry quite irrelevant. The attackers have found a way to counter the signatures paradigm by simply generating a large amount of potential malicious signatures. Attackers are efficient at locating the target’s easy-to-access entry points, both due to the knowledge of systems within the target, and the fact that those systems have vulnerabilities. Some attackers work to uncover new vulnerabilities, which the industry terms zero-day attacks. Most attackers, however, simply wait for new exploits to be published and enjoy the window of opportunity until it is patched. The human factor plays a serious role here where social engineering and other methods of convincing users to download malicious files is often successful. It is easier to target the CFO with a tempting email with a malicious payload, then to find your digital path into the accounting server. Usually, the CFO has the credentials to those systems, and often there are even excel copies of all the salaries on their computer, so it is a much less resistant path toward success.

Enter the Polymorphic Defense Era

An emerging and rather exciting security paradigm that seems to be popping up in Israel and SV are called a polymorphic defense. One of the main anchors contributing to successful attacks is the prior knowledge that attackers benefit from about the target, including which software and systems are used, the network structure, the specific people and their roles, etc. This knowledge serves as a baseline for all targeted attacks across all the stages of attack: the penetration, persistence, reconnaissance and the payload itself. All these attack steps, to be effective, require a detailed prior knowledge about their target—except for reconnaissance—which complements the external knowledge with dynamically collected internal knowledge. Polymorphic defense aims to undermine this prior knowledge foundation and to make attacks much more difficult to craft.

The idea of defensive polymorphism has been borrowed from the attacker’s toolbox where it is used to “hide” their malicious code from security products. The combination of polymorphism with defense simply means changing the “inners” of the target, where the part to change depends on the implementation and its role in attack creation. This is done so that these changes are not visible to attackers, making prior knowledge irrelevant. Such morphism hides the internals of the target architecture so that only trusted sources are aware of them—to operate properly. The “poly” part is the cool factor of this approach in that changes to the architecture can be made continuously and on-the-fly, making the guesswork higher by magnitudes. With polymorphism in place, attackers cannot build effective repurposable attacks against the protected area. This cool concept can be applied to many areas of security depending on the specific target systems and architecture, but it is a revolutionary and a refreshing defensive concept in the way that it changes the economic equation that attackers are benefitting from today. I also like it because, in a way, it is a proactive approach—and not passive like many other security approaches.

Polymorphic defenses usually have the following attributes:

Solutions that are agnostic to covered attack patterns which makes them much more resilient.

Seamless integration into the environment since the whole idea is to change the inner parts—changes which cannot be made apparent to externals.

Makes reverse-engineering and propagation very difficult, due to the “poly” aspect of the solution.

There is always a trusted source, which serves as the basis for the morphism.

The Emerging Category of Polymorphic Defense

The polymorphic defense companies I am aware of are still startups. Here are few of them:

The first company that comes to mind, which takes polymorphism to the extreme, is Morphisec*, an Israeli startup still in stealth mode. Their innovative approach solves the problem of software, and it achieves that by continuously morphing the inner structures of running applications, which as a result, renders all known and potentially unknown exploits as useless. Their future impact on the industry can be tremendous: the end of the mad race of newly discovered software vulnerabilities and software patching, and much-needed peace of mind regarding unknown software vulnerabilities and attacks.

Another highly innovative company that applies polymorphism in a very creative manner is Shape Security. They were the first one to coin the term of polymorphic defense publicly. Their technology “hides” the inner structure of web pages which eventually can block many problematic attacks such as CSRF, which rely on specific known structures within the target web pages.

Another very cool company also out of Israel is CyActive. CyActive fast forwards the future of malware evolution using bio-inspired algorithms, and use it as training data for a smart detector which can identify and stop future variants, much like a guard that has been trained on future weapons. Their polymorphic anchor is in the fact they outsmart the phenomena of attack variants by creating all the possible variants of the malware automatically and by that increase detection rate dramatically.

I suppose there are other emerging startups which tackle security problems with polymorphism. If you are aware of any particularly impressive ones, please let me know, as I would love to update this posts with more info on them. J

*Disclaimer – I have a financial and personal interest in Morphisec, the company mentioned in the post. Anyone interested in connecting with the company, please do not hesitate to send me an email and I would be happy to engage regarding this matter.

History

The idea of morphism or randomization as an effective tool for setting a serious barrier for attackers can be attributed to different academic developments and commercial ones. To name one commercial example, take the Address Space Layout Randomization (ASLR) concept from operating systems. ASLR is a concept that aims to deal with attacks that are written to exploit specific addresses in memory, and ASLR changes this assumption by moving around code in memory in a rather random manner.

The Future

Polymorphic defense is a general theoretical concept which can be applied to many different areas in the IT world, and here are some examples off the top of my head:

Networks – Software defined networking provides a great opportunity for changing the inner-networking topology to deceive attackers and dynamically contain breaches. This can be big!

APIs – API protocols can be polymorphic as well, and as such, prevent malicious actors from masquerading as legitimate parties or man in the middle attacks.

Databases – Database structures can be polymorphic too, so only trusted parties could be aware of a dynamic DB scheme and others cannot.

So, polymorphic defense seems to be a game-changing security trend which can potentially change the balance between the bad guys and the good guys…and ladies too, of course.

UPDATE Feb 11, 2015: On Reddit I’ve got some valid feedback that it is the same as the MTD concept, Moving Target Defense, and indeed that is right. In my eyes, the main difference is the fact Polymorphism is more generic in the sense it is not specifically about changing location as means of deception but also creating many forms of the same thing to deceive the attackers, but it is just a matter of personal interpretation.