Three reasons the ‘moving target defense’ can stop bot attacks


The cybersecurity industry has an effectiveness problem. Despite thousands of available tools, breaches continue unabated. If these tools, which often overstate what their artificial intelligence and machine learning can do, were enough to solve the problem, they would have done so by now.

Headlines often capture stories of large-scale breaches but leave out pertinent details on how adversaries launch attacks. Attackers are increasingly proficient at, and reliant upon, automated bots to carry out malicious activity. Forrester has found that bots account for nearly 40 percent of internet traffic, and that roughly half of that bot traffic is malicious, driving denial of service (DoS) attacks and data theft.

In too many instances, organizations under attack already have bot mitigation in place but are overconfident in its ability to protect the applications that need it. Those products rely on client and network signatures such as IP addresses, on behavioral detection, and on defense-in-depth to build up an attacker's "digital DNA" and fingerprint, usually only after an attack has been launched. These techniques do not keep up with adversaries who modify their bots daily or even hourly so that attack behavior and signatures never repeat. The latest bots also hide in the network noise by running low-volume, low-frequency attacks that slip past defenses which need large data samples and extended behavioral activity before they can identify a new threat. The harsh reality: static fingerprints and large-sample analysis will not let an organization catch a new or altered tool before it has compromised the network.

As the share of bad bot attacks increases, and it will as cybercriminals mature, what preventive measures can security leaders take?

Moving Target Defense (MTD) has emerged as a fundamentally different protection method. Promoted by U.S. federal cybersecurity research programs, including the Department of Homeland Security, MTD applies controlled change across multiple system dimensions to increase uncertainty and apparent complexity for attackers, shrink their window of opportunity, and raise the cost of their probing and attack efforts. The strategy makes the attributes of the network dynamic rather than static, obscuring the attack surface in much the same way that attackers mutate their bots to avoid detection.

For organizations struggling with a bot management problem, MTD can help for the following reasons:

  • Dynamic, not static.

Despite deploying digital equivalents of traps and surveillance, standing at the edge of a static infrastructure to close a gate has not stopped fraudsters from gathering intelligence and learning enough, over time, to plan and execute attacks. Bots continue to evade current protections because those technologies are not dynamic enough:

  • Firewall/IPS: Signatures and rules can't keep up with quick-changing attack patterns.
  • Web Application Firewalls: Can't detect attacks on business logic that mimic normal user behavior.
  • Threat intelligence: Intelligence on new threats and sources is "after the fact" detection, which lets early attackers go undetected and gain a foothold.
  • Big data analytics: Fast-changing, low-volume, low-frequency attack patterns evade detection models that are slow to update.

Each of these defenses still has merit, but if they are used alone, internet-facing businesses should expect automated attacks on static infrastructure to grow in both scale and sophistication. MTD works alongside these technologies, raising the degree of difficulty for cybercriminals who can't hit what they can't see. Instead of relying on a single method of detection and mitigation, security teams can apply MTD in many ways, combining it with existing tools and techniques to build a more robust security framework.

  • Shifts the focus to threat deflection.

True intelligence work is predictive. It requires critical thinking, detailed analysis, and a focus not only on what threats are doing now but on what future threats will look like. While valuable, this process depends on hands-on expertise, which does nothing to address the skills and resource shortage that plagues today's cybersecurity industry.

MTD reduces the dependence on detecting threats and instead works to deflect them, or to create scenarios that are resource-intensive for attackers and drive them toward other targets. MTD can still operate alongside detection methods, but it is proactive from the start: it creates an asymmetry that makes the attack surface harder to exploit. No fraudster has unlimited time to plan and execute attacks, so when reconfiguration leaves the attacker unable to find a usable weakness, they move on and their success rate drops.
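To make the "dynamic, not static" and "threat deflection" points concrete, the following is an added example, not code from the original article or from BotRx. It implements one common web-layer MTD technique: the server renames its login endpoint and form fields every rotation epoch by deriving public names from an HMAC over a secret key, the epoch and the canonical name. A credential-stuffing script that recorded those names during reconnaissance fails as soon as the epoch advances, while a real browser that reads the current page keeps working. The key, field names, credentials and rotation scheme are all assumptions made for illustration.

```python
"""Illustrative web-surface moving target defense (MTD): rotating endpoint and field names.

Added example; not the article's or any vendor's code. All names and values are assumed.
"""
import hashlib
import hmac
import secrets

# Stable, internal names the application logic actually uses (assumed for the example).
CANONICAL_FIELDS = ("username", "password", "submit")


class RotatingSurface:
    """Renames the login path and form fields per rotation epoch using an HMAC.

    Public name = "f_" + HMAC-SHA256(key, "<epoch>:<canonical>")[:12].
    Only a client that reads the current page learns the current names; a script
    that replays names captured earlier stops working once the epoch advances.
    """

    def __init__(self, key: bytes, epoch: int = 0):
        self._key = key
        self.epoch = epoch

    def _public_name(self, canonical: str, epoch: int) -> str:
        msg = f"{epoch}:{canonical}".encode()
        return "f_" + hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:12]

    def render_form(self) -> dict:
        """What a real browser (or a bot that re-fetches the page) sees right now."""
        return {
            "action": "/" + self._public_name("login", self.epoch),
            "fields": {c: self._public_name(c, self.epoch) for c in CANONICAL_FIELDS},
            "epoch": self.epoch,
        }

    def rotate(self) -> None:
        """Advance the epoch; every public name changes, the canonical ones do not."""
        self.epoch += 1

    def handle_request(self, path: str, form: dict) -> tuple:
        """Map public names back to canonical ones; reject stale or unknown ones.

        Only the current epoch is accepted here. A production deployment would
        usually allow a short grace window for the previous epoch so that pages
        loaded just before a rotation still submit successfully.
        """
        if path != "/" + self._public_name("login", self.epoch):
            return 404, "unknown endpoint"
        expected = {self._public_name(c, self.epoch): c for c in CANONICAL_FIELDS}
        if set(form) != set(expected):
            return 400, "stale or unknown fields"
        canonical = {expected[k]: v for k, v in form.items()}
        # Assumed test credential for the example only.
        if canonical["username"] == "alice" and canonical["password"] == "correct horse":
            return 200, "ok"
        return 401, "bad credentials"


def replay_bot_attack(surface: RotatingSurface, recorded: dict) -> tuple:
    """A scripted bot replaying endpoint and field names captured during recon."""
    creds = {"username": "alice", "password": "correct horse", "submit": "1"}
    form = {recorded["fields"][c]: v for c, v in creds.items()}
    return surface.handle_request(recorded["action"], form)


def adaptive_bot_attack(surface: RotatingSurface) -> tuple:
    """A bot that re-fetches the page before every attempt still gets through:
    MTD raises the attacker's cost per request; it is not a replacement for
    rate limiting or credential-stuffing controls."""
    return replay_bot_attack(surface, surface.render_form())


def demo() -> tuple:
    """Returns (status before rotation, replay status after rotation, adaptive bot status)."""
    surface = RotatingSurface(secrets.token_bytes(32))
    recorded = surface.render_form()          # attacker reconnaissance in epoch 0
    before = replay_bot_attack(surface, recorded)[0]
    surface.rotate()                          # defender rotates the surface
    after = replay_bot_attack(surface, recorded)[0]
    adaptive = adaptive_bot_attack(surface)[0]
    return before, after, adaptive


if __name__ == "__main__":
    print(demo())
```

The rotation interval is the main tuning knob: it has to be shorter than the time a bot operator takes to re-run reconnaissance and update a script, but long enough (or backed by a one-epoch grace window) that legitimate users who loaded a page before a rotation are not rejected. The adaptive bot in the example is the practitioner's caveat: an attacker who fetches the page on every attempt is slowed and made more expensive, not stopped, which is why the article pairs MTD with, rather than substitutes it for, existing detection tools.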

  • Accelerates innovation.

MTD removes common barriers for technologies that have until now been too difficult or costly to secure. For example, organizations moving to cloud infrastructure may delay the migration when it is hard to satisfy existing policies and security standards. MTD lets businesses forge ahead with cloud, internet of things, and similar distributed systems because it does not depend on first learning the environment; however the underlying technologies behave, the approach scales as the infrastructure expands.

As a less resource-intensive approach, MTD also reduces the time, money, and staff needed to maintain network security, letting security teams redistribute resources to other areas of the business as the digital footprint grows.

As cybercriminals continue to rely on automation to carry out attacks, MTD will shift the balance of power between defenders and attackers. It diverges sharply from detection-based protection models that depend on known attacker signatures and post-attack forensics to identify threats. MTD stands as the only long-term viable technique that reduces the website attack surface while raising the cost of attacking it.

John Briar, co-founder and COO, BotRx
