Security startups are using the techniques of polymorphic malware to better protect enterprises and use a tool from the hacker’s world for good instead of for evil. Let’s look at why is this important and why you should care.
Polymorphic malware is nasty stuff. It adapts to a variety of conditions, operating systems and circumstances and tries to evade whatever security scans and protection products to infect your endpoints. It is called that because it shifts its signatures, attack methods, and targets so that you can’t easily identify and catch it.
But turnabout is fair play, especially when it comes to infosec. And now some very clever companies are taking the notion of polymorphism and using it as a defensive countermeasure. These vendors such as JumpSoft, Morphisec, Shape Security and CyActive (now part of PayPal) who can make a target Web server or other piece of network infrastructure appear to change frequently so it can’t be easily identified or infected.
This can thwart attackers that are trying to identify your servers or domain accounts or unpatched endpoints and used targeted exploits to worm their way into your network. As Dudu Mimran, the CTO of Morphisec says on his blog, “An attack is composed of software components and to build one, the attacker needs to understand their target systems. Since IT has undergone standardization, learning which system the target enterprise uses and finding its vulnerabilities is quite easy.”
Actually, poiymorphism isn’t exactly new. Academics have been writing research papers about it for years, under the rubric of “moving target defenses.” There are been two Association of Computing Machinery (ACM) conferences: one in November 2014 in Arizona and a second one last November in Denver. Both covered many ways of implementing such a defense, such as with game theory and other advanced algorithms.
In an article for Network World, a Morphisec executive wrote about three categories of polymorphic defenses. These include using network actions (such as changing the apparent IP address), host actions (such as changing host names and other characteristics), and application actions (such as changing the memory layout of a process to find and execute the app).
The products are still mostly at the startup stage, but they are quickly evolving and gaining customers. For example, Shape sells an appliance that sits behind an enterprise load balancer and with a few configuration commands can protect your network from DDOS, man-in-the-browser and account takeover attacks. It dynamically changes the code behind each page displayed by your webserver every time it is loaded. This defeats many of the automated scripts used in these kinds of exploits.
Today’s polymorphic defenses generally perform a series of actions. First, some kind of trusted source controls the dynamic, real-time changes to a host server, such as a web or database server. Then they create something that isn’t easily recognized by typical attack patterns. These changes are then implemented so that external users can predict what will happen, and thus can’t easily respond or use existing attack methods. Finally, they make sure their code is hardened in such a way that it can’t be easily reverse engineered.
Whether these polymorphic defenses will prove vulnerable to even more sophisticated exploits isn’t yet clear. And whether they will ultimately prove unworkable given all the security features that they have to manage under the covers also isn’t a sure bet. But at least the bad guys are finally getting a taste of their own evil-tasting medicine, and they could prove to be a valuable tool in your security arsenal.