Aug 01, 2015

What is a polymorphic defense and what security problem does it solve?

The Emergence of Polymorphic Cyber Defense

"An emerging and rather exciting security paradigm that seems to be popping up in Israel and SV is called polymorphic defense. One of the main anchors contributing to successful attacks is the prior knowledge that attackers benefit from about the target, including: which software and systems are used, the network structure, the specific people and their roles, etc. This knowledge serves as a baseline for all targeted attacks across all the stages of an attack: the penetration, persistence, reconnaissance and the payload itself. All these attack steps, in order to be effective, require a detailed prior knowledge about their target—except for reconnaissance—which complements the external knowledge with dynamically collected internal knowledge. Polymorphic defense aims to undermine this prior knowledge foundation and to make attacks much more difficult to craft.

The idea of defensive polymorphism has been borrowed from the attacker’s toolbox where it is used in order to “hide” their malicious code from security products. The combination of polymorphism with defense simply means changing the “inners” of the target, where the part to change depends on the implementation and its role in attack creation. This is done so that these changes are not visible to attackers, making prior knowledge irrelevant. Such morphism hides the internals of the target architecture so that only trusted sources are aware of them—in order to operate properly. The “poly” part is the cool factor of this approach in that changes to the architecture can be made continuously and on-the-fly, making the guesswork higher by magnitudes. With polymorphism in place, attackers cannot build effective re-purposable attacks against the protected area. This cool concept can be applied to many areas of security depending on the specific target systems and architecture, but it is definitely a revolutionary and a refreshing defensive concept in the way that it changes the economic equation that attackers are benefitting from today. I also like it because, in a way, it is a proactive approach—and not passive like many other security approaches."

Most of us know what polymorphic malware is: the ability of malware to adapt to current conditions and try to evade security software to do its dirty business on a target computer. This type of malware can easily evade signature-based scanners and other standard means of detection since it is always changing the nature of its attack vectors whenever it executes. But what if we could harness this same behavior and use it defensively, so that we could do good instead of harm?

This is a relatively new idea that is gaining some steam, and there are several new security vendors trying to develop polymorphic protective devices of one kind or another. JumpSoft, Morphisec, Shape Security and CyActive are all in the early stages. For example, on Shape’s website, they explain their process by taking a login form with certain attributes and replacing them “with random strings. The resulting code breaks malware, bots, or other attacks programmed to submit that form, but renders identically to the original.”

Dudu Mimran, one of the principals at Morphisec, says on his blog that all polymorphic defenses share the following four attributes:

First, you start with some sort of trusted source that controls the dynamic changes to the host.

Next, you build a solution that isn’t easily identified with the typical attack patterns, which makes it much more resilient.

You integrate the internal code changes in such a way that these changes aren’t readily apparent to external users or software programs.

On top of this, you harden your code to make reverse engineering and propagation very difficult.

The jury is still out whether these sophisticated defenses will actually work or be more trouble than they are worth. But the notion is certainly intriguing.