Army's MORPHINATOR: A shape-shifting approach to network defense
The cyber maneuver technology would randomize configurations and other aspects of a network to fool and foil intruders.
Can a network defend itself from cyberattacks by becoming a moving or, more specifically, morphing target?
That’s what the Army is attempting with the Morphing Network Assets to Restrict Adversarial Reconnaissance, a prototype network with the tasty acronym MORPHINATOR that would randomize its makeup to fool and foil attackers.
The service’s Communications-Electronics Research, Development and Engineering Center (CERDEC) recently awarded a $3.1 million contract to Raytheon to develop the cyber maneuver technology. It’s expected to be available in 2014.
The company describes cyber maneuver as “the technique of dynamically modifying aspects and configurations of networks, hosts and applications in a manner that is undetectable and unpredictable by an adversary, but still manageable for network administrators.”
The initial prototype will focus on IP address and application port hopping, according to an article in AFCEA’s Signal Magazine. For example, an IP address assigned to a Windows machine could be switched to a Linux machine, and vice versa, in an ongoing, random pattern, the article reports. Likewise, applications would randomly switch ports to keep attackers guessing.
“We’re looking to dynamically modify and shape our networks to prevent, delay or deter cyber attack,” Jonathan Santos, information security chief of CERDEC's Space and Terrestrial Communications Directorate, told Signal. In a sophisticated attack, an intruder reconnoiters the network, goes and develops an exploit and then returns. But, “by the time they come back, things have changed on the network to such an extent that those exploits they’ve crafted are no longer useful,” Santos said.
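The article gives no implementation detail for MORPHINATOR, so the following is an added sketch, not Raytheon's or the Army's design, of one way application port hopping can be unpredictable to an outsider yet computable by administrators: the port for each time slot is derived with HMAC from a shared secret. The key, service name, port range and 30-second interval are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# All names and values below are assumptions for this sketch.
PORT_MIN, PORT_MAX = 20000, 60000   # range the service may hop within
EPOCH_SECONDS = 30                  # how long each port stays valid


def hop_port(key: bytes, service: str, now: float) -> int:
    """Port `service` listens on during the epoch that contains `now`."""
    epoch = int(now // EPOCH_SECONDS)
    msg = service.encode() + b"|" + struct.pack(">q", epoch)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    span = PORT_MAX - PORT_MIN + 1
    # 64 bits reduced mod ~40k ports: modulo bias is negligible.
    return PORT_MIN + int.from_bytes(digest[:8], "big") % span


def acceptable_ports(key: bytes, service: str, now: float, skew: int = 1) -> set:
    """Ports to accept so peers with slightly skewed clocks still connect."""
    return {hop_port(key, service, now + d * EPOCH_SECONDS)
            for d in range(-skew, skew + 1)}


def recon_hit_rate(key: bytes, service: str, delay: float,
                   samples: int = 1000) -> float:
    """Fraction of sampled epochs where a port noted during reconnaissance
    is still the live port `delay` seconds later."""
    hits = 0
    for i in range(samples):
        seen_at = i * EPOCH_SECONDS
        if hop_port(key, service, seen_at) == hop_port(key, service, seen_at + delay):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    key = b"constructed-demo-key"       # constructed sample secret
    t = 1_700_000_000                   # constructed timestamp
    print("admin computes port :", hop_port(key, "ssh", t))
    print("server accepts      :", sorted(acceptable_ports(key, "ssh", t)))
    print("stale after 5 min   :", 1 - recon_hit_rate(key, "ssh", 300))
```

Anyone holding the key can compute the current port for a given time, which is what keeps the scheme manageable for administrators; the unpredictability rests entirely on keeping that key secret.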
Cyber maneuvering is an idea that has been attracting attention in the Army. Russ McRee, a Microsoft security researcher writing on his website HolisticInfoSec.org, pointed to a paper earlier this year by Army Maj. Scott Applegate, The Principle of Maneuver in Cyber Operations.
In the paper, which grew out of his research at George Mason University, Applegate summarizes the evolution of maneuvers in military history and describes how defensive maneuvers can be applied to protecting critical networks.
“Cyber defense is often seen as being much more difficult than offensive operations due to what is perceived as an asymmetric advantage on the side of the attacker,” he writes. “While that is largely true, the proper use of defensive maneuver can offset that advantage and allow defenders to regain the initiative.”
Applegate describes four basic types of defensive cyber maneuvers. Three of them are pretty well known: perimeter defense and defense-in-depth, deceptive defense (such as honeypots to lure attackers into a controlled environment where their tactics can be studied) and counterattacks. The other one he called the "moving target defense," which appears to be what CERDEC is going for.
This kind of defense “uses technical mechanisms to constantly shift certain aspects of targeted systems to make it much more difficult for an attacker to be able to identify, target and successfully attack a target,” he writes.
He said a moving target defense would involve randomizing either address spaces, instruction sets or data, although other types of “system diversification” were being researched.
The government of Georgia took a physical approach to this kind of randomization when it faced a massive denial-of-service attack (which got past its defense-in-depth) in 2008, moving its sites to servers in the U.S., Poland and Estonia, Applegate noted.
With MORPHINATOR, the Army would be applying that kind of movement within a network. And although the technique appears to show promise, it won’t be a silver bullet, but rather one more weapon in a network’s defense arsenal. Raytheon noted that MORPHINATOR will be designed to be used in conjunction with other defense measures.