Pioneering Automated Moving Target Defense (AMTD)
Credit to Author: Mark Loman | Date: Thu, 19 Oct 2023 18:47:07 +0000
As the cyber threat landscape becomes ever more challenging, security teams find themselves dealing with a rapidly growing number of threats. Many organizations struggle with high alert volumes and false positives, resulting in a perpetual game of catch-up that taxes resources and diminishes security efficacy.
Automated moving target defense (AMTD), an emerging concept developed and championed by Gartner, seeks to change that dynamic. Security products and services that employ AMTD technologies raise the cost for attackers by orchestrating controlled change within IT environments to proactively disrupt attacks and confound breach activities.
Inherently threat-agnostic by nature, AMTD-infused solutions provide organizations with dramatic protection benefits by turning the tables on adversaries and rendering large swaths of malicious tactics, techniques, and procedures (TTPs) useless.
AMTD on the endpoint
Sophos is on a mission to block as many threats as possible up front by leveraging an extensive range of protection technologies.
In addition to threat surface reduction, behavioral analysis, and deep learning AI models, Sophos Endpoint also enhances application security by installing threat-agnostic barriers for every process. This makes it more difficult for any program to execute arbitrary code not originally part of the application, and forces attackers to rethink and make architectural changes to core functions of their malware.
Sophos deploys AMTD technologies to set barriers and lay traps that automatically intercept and disrupt threats on the endpoint. As a result, even new threat variants that manage to evade other protection mechanisms will find it more difficult to execute malicious actions on machines secured by Sophos.
Here are a few ways Sophos uses AMTD to keep its customers safe.
Adaptation
With Adaptive Attack Protection (AAP), Sophos Endpoint dynamically applies aggressive protection when it detects an attack in progress.
In the event an attacker gains initial access to a device in the environment, AAP dramatically decreases the likelihood of the attack’s success and provides defenders more time to neutralize it. It does this by engaging additional defense measures, including blocking actions that may not inherently be malicious in an everyday context but are dangerous in the context of an attack.
AAP detects the presence of an active adversary in two main ways: 1) through the use of common attack toolkits, and 2) through combinations of active malicious behaviors that may be indicative of the early stages of an attack.
Upon detection, AAP enables temporary restrictions that are unsuitable for everyday use but are necessary when an active adversary is detected on an endpoint. An example is preventing a reboot into Safe Mode, as attackers use this to evade detection.
AAP is powered by SophosLabs researchers, who continuously enhance both the detection of adversaries and the dynamic protection measures in response to changes in the threat landscape.
Randomization
When a resource module (DLL) within an application consistently loads at the same predictable memory address, it becomes easier for attackers to exploit vulnerabilities.
While developers can opt in to address space layout randomization (ASLR) during compilation – which randomizes addresses once per reboot – any third-party software that lacks ASLR can undermine this strategy.
Sophos Endpoint enhances security for internet-facing productivity applications by ensuring that every module loads at a random memory address each time the application starts, adding complexity to potential exploitation.
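A practical way to find the third-party modules the paragraph above warns about is to read their PE headers. The following Python script is an added example, not Sophos code: it checks whether an image opted in to ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), whether it also supports 64-bit high-entropy randomization, and whether its relocations were stripped, which makes the opt-in ineffective because the loader cannot rebase the image. The sample header built by `build_header` is constructed inline for offline testing; `check_file` audits a real DLL or EXE on disk.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics: image cannot be rebased
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def aslr_status(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and report ASLR flags."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # 20-byte COFF file header
    characteristics = struct.unpack_from("<H", image, coff + 18)[0]
    opt = coff + 20                            # optional header follows the COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dllchar = struct.unpack_from("<H", image, opt + 70)[0]
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    high_entropy = magic == PE32PLUS_MAGIC and bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
    return {
        "dynamic_base": dynamic_base,
        "high_entropy_va": high_entropy,
        "relocs_stripped": relocs_stripped,
        # the opt-in only helps if the loader can actually relocate the image
        "aslr_effective": dynamic_base and not relocs_stripped,
    }

def check_file(path: str) -> dict:
    """Audit a real on-disk PE (DLL or EXE); only the headers are inspected."""
    with open(path, "rb") as f:
        return aslr_status(f.read())

def build_header(characteristics: int, dllchar: int, magic: int = PE32PLUS_MAGIC) -> bytes:
    """Constructed minimal PE header (no sections) for offline testing; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112, characteristics)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Modules that report `aslr_effective: False` are the ones whose base address stays fixed across reboots and therefore undermine system-wide randomization.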
Deception
Attackers often attempt to hide their malicious code from file and memory scanners with obfuscation.
Without doing this, they’d need to generate unique code for every victim to prevent it from resembling any of their previous code, which could then be detected and blocked by endpoint protection products.
Fortunately, the obfuscation of malicious code needs to be reversed (by a short initialization or loader routine) before it can run on the machine. This reversal process typically relies on specific operating system APIs, and attackers aim to avoid revealing this dependency right from the beginning as it can be an indicator of subterfuge.
As a result, this dependency is frequently omitted from the import table of malware binaries, and instead the loader is configured to directly search for the memory-resident Windows module that provides the necessary API.
Sophos strategically positions decoy elements that imitate memory-related APIs commonly employed by attackers to initialize and execute their malicious code. This threat- and code-agnostic defense can break malicious code without hindering benign applications.
Limits
To evade defenses, malicious code is typically shrouded in obfuscation and often piggybacks on benign apps. Prior to the execution of covert code – such as a multi-stage implant – the threat must ultimately reverse its obfuscation, leading to the creation of a memory region suitable for running code, which is a CPU hardware requirement.
The underlying instructions, or opcodes, required to create a code-capable memory region are so short and generic that other protection technologies cannot convict on them alone: doing so would also block the benign programs that issue the very same calls.
However, Sophos Endpoint uniquely keeps history, tracks ownership, and correlates code-capable memory allocations across applications, allowing for novel low-level mitigations otherwise not possible.
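To make the history, ownership and correlation idea concrete, here is a small Python model, added as an illustration and not Sophos's implementation, that runs three stateful rules over constructed memory events: a single RWX allocation is never convicted by itself, but a region that was only ever writable data and then becomes executable, executable memory created in a process other than its owner, and the same actor doing that across several applications all produce findings. The event tuple format and the process ids are assumptions made for the example.

```python
from collections import defaultdict

EXEC_MASK = 0xF0                 # every PAGE_EXECUTE* constant lives in the high nibble
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample telemetry in arrival order (not real product logs):
# (actor_pid, target_pid, op, address, protection)
SAMPLE_EVENTS = [
    (1200, 1200, "alloc",   0x1A0000, PAGE_READWRITE),          # office app: plain data buffer
    (1200, 1200, "alloc",   0x2B0000, PAGE_EXECUTE_READWRITE),  # in-process JIT: on its own, not convicted
    (3310, 3310, "alloc",   0x400000, PAGE_READWRITE),          # loader writes de-obfuscated code here...
    (3310, 3310, "protect", 0x400000, PAGE_EXECUTE_READ),       # ...then flips the same region executable
    (3310, 5120, "alloc",   0x7F0000, PAGE_EXECUTE_READWRITE),  # executable memory placed in another process
    (3310, 6001, "alloc",   0x7F0000, PAGE_EXECUTE_READWRITE),  # and in a third one
]

def correlate(events):
    """Return findings derived from region history and ownership rather than from single opcodes."""
    history = defaultdict(list)       # (target_pid, addr) -> protections seen so far
    exec_targets = defaultdict(set)   # actor_pid -> other pids it gave executable memory
    findings = []
    for actor, target, op, addr, prot in events:
        prior = history[(target, addr)]
        executable = bool(prot & EXEC_MASK)
        # ownership: executable memory created by a process other than its owner
        if executable and actor != target:
            findings.append(("cross-process-exec", actor, target, addr))
            exec_targets[actor].add(target)
            # correlation across applications: the same actor doing it to a second victim
            if len(exec_targets[actor]) == 2:
                findings.append(("exec-memory-in-multiple-apps", actor, None, None))
        # history: a region that was only ever writable data now becomes executable
        if executable and op == "protect" and prior and not any(p & EXEC_MASK for p in prior):
            findings.append(("rw-then-rx", actor, target, addr))
        prior.append(prot)
    return findings
```

Note that pid 1200's RWX allocation produces no finding: without history or ownership context it is indistinguishable from a legitimate JIT.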
Hardening
Sophos prevents the manipulation of processes by erecting barriers around the security-sensitive memory regions of every application.
Examples of sensitive memory regions are the Process Environment Block (PEB) and the address space of security-related modules like the Anti-Malware Scan Interface (AMSI).
Attackers aiming to assume the identity of a benign process hide its command-line parameters, disable security-related modules such as AMSI or run arbitrary code in its own (or another process’s) address space, and regularly tamper with code or data within these sensitive regions.
By shielding these, Sophos generically protects against a plethora of existing and future adversary techniques, automatically terminating and revealing an active attack.
Guardrails
Sophos installs guardrails around code execution. This prevents code execution from flowing between individual code sections and entering an address space that, although part of the original application, is meant to contain only data – also referred to as a code cave.
Sophos also actively prevents APC injection and the use at runtime of various other system functions that business applications do not call.
In contrast, many other endpoint protection platforms primarily rely on detecting specific attack techniques based on associated known malicious code, specific sequential instruction calls, and delivery context. Consequently, these platforms may provide ineffective protection if the malware author rearranges their code and its distribution.
Conclusion
When deployed properly, AMTD adds an invaluable layer of defense against advanced persistent threats (APTs), exploit-based attacks, and ransomware.
Sophos Endpoint uses AMTD technologies on the endpoint to automatically enhance the resilience of all applications without the need for configuration, source code changes, or compatibility assessments.
AMTD fundamentally transforms the IT environment, raising the bar by introducing greater uncertainty and complexity for attackers. In short, endpoints protected by Sophos are more resilient to attacks.