Closed Padlock on digital screen showing automated moving target defense

Keeping Cybercriminals Guessing: The Rise of Automated Moving Target Defense

Is endpoint detection and response (EDR) software really not enough anymore?

Well-funded security programs (equipped with the latest EDRs, network detection and response tools, next-generation antivirus solutions, etc.) appear to be on the back foot against vastly less well-resourced attackers. Yet losses due to cybercrime grew by 47% between 2021 and 2022. During this same period, companies spent over $70 billion U.S.

Driving this disconnect is a situation where (to paraphrase a known saying) defenders must always be right, but attackers only need to get lucky once. Even with state-of-the-art reactive solutions, IT systems are still predictable, static, and vulnerable targets. Attack them enough, and you will likely find a gap.

Cybercriminals know that a network, application process, or security control will function similarly and feature the same arrangements of hackable assets in every environment they encounter. This makes compromise almost impossible to prevent, which explains why 83% of organizations have had more than one data breach.

To flip this script, security teams need to make IT environments hostile to threat actors and turn static environments into dynamic ones. This is exactly what Automated Moving Target Defense (AMTD), recently described by Gartner as “the future of cyber,” does.

AMTD is designed to introduce imbalance in the current status-quo, giving the advantage back to cybersecurity teams. AMTD makes defense dynamic by removing the familiar targets threat actors aim for.

Defense in depth protection with AMTD

Moving target defense was originally a military strategy. In the most basic sense, it involves making assets harder for enemies to hit by moving them as much as possible.

In cyber security, the AMTD concept has evolved into a technological process that dynamically morphs the layout of assets, including runtime device memory, IP addresses, passwords, OS configurations, and more, without interfering with usability.

Like a “shell game” where a small ball is placed in one of several constantly moving and visible shells, with only the dealer knowing which one, AMTD hides assets in plain sight. AMTD can show different versions of those assets to different classes of users. Trusted processes see the “real” version of where assets are; untrusted ones see a fake version filled with honeypot traps.

The core benefit of AMTD’s ability to morph the IT environment is that it removes the predictability attackers rely on. Without any performance penalty, AMTD makes sure that no two devices, networks, applications, etc., look alike, and attack chains reliant on encountering a particular morphology will fail to launch.

Morphisec’s implementation of AMTD is designed to prevent evasive in-memory fileless attacks during runtime at the endpoint (desktop/servers etc) level. By introducing controlled changes in the runtime space, it denies attackers the framework required to pull off an evasive attack.

This same process also allows AMTD to stop evasive and novel attacks. These include zero-days and fileless malware, mimicking behavior of legitimate applications or processes which are difficult to detect and prevent using traditional signatures or behavior-based mechanisms.

It’s worth noting just how much benefit AMTD can deliver on top of traditional detection-based solutions like Endpoint Detection and Response (EDR).

Remember that an average breach now takes 277 days to identify and contain, and scanning for threat signatures, hooks, and behaviors is still letting threat actors dwell in compromised networks for far too long.

As another layer beneath an EDR, AMTD’s usefulness is that it does not rely on scanning and can stop these missed attacks. AMTD prevents attacks mostly at a very early stage thus reducing the damage that an attack or adversary group can do. And even better, without the deluge of false alerts that are generated by EDR solutions.

Doing without the need for scanning or telemetry also gives AMTD another function – the ability to stop threats without requiring an internet connection or powerful hardware.

Consider the kinds of under-defended legacy, OT, and air-gapped systems that power some of the most important and complex business applications in the world. AMTD can protect these highly sensitive and low bandwidth environments without getting in the way of their operations.

Where AMTD fits into the security stack

AMTD is a proactive approach that thought leaders in the cyber security space would need to consider in the evolving attack landscape that we see today.

As it is designed to complement the existing cyber security stack and that it doesn’t rely on scanning or require prior knowledge of an attack’s parameters, signatures, or behavior patterns to block attacks gives it an edge as a last line of defense for organizations. It’s a proven one.

Many household name organizations like TruGreen, the largest lawn treatment company in the United States, already use AMTD to protect their systems from advanced attacks

AMTD excels when used within a “defense in depth” security approach. AMTD works in various environments, such as Windows and Linux servers and endpoints, legacy servers, isolated endpoints in operational technology environments, and cloud workloads.

For example, on an endpoint such as an employee laptop, an AMTD solution could be deployed alongside an AV solution like Windows Defender. In this environment, Defender is ready to stop known threats while AMTD sits prepared to defend the run time memory layer from threats like Cobalt Strike that are difficult for AV solutions to detect. This gives a layer of protection against the evasive threats increasingly seen in cyber-attack chains.

In a recent report, Gartner called MTD “an emerging game-changing technology for improving cyber defense.” AMTD adds a new layer of protection that companies can place between critical assets and cyber threats. Alongside other security controls, AMTD is the difference between successful attacks and protected organizations.

We aren’t about to see the end of EDRs but it is time to think about how to plug the gaps scanning solutions miss.