Evaluating and quantifying the feasibility and effectiveness of whole IT system moving target defenses

dc.contributor.author: Bardas, Alexandru Gavril
dc.date.accessioned: 2016-04-21T17:11:16Z
dc.date.available: 2016-04-21T17:11:16Z
dc.date.graduationmonth: May
dc.date.issued: 2016-05-01
dc.description.abstract: The Moving Target Defense (MTD) concept has been proposed as an approach to rebalance the security landscape by increasing uncertainty and apparent complexity for attackers, reducing their window of opportunity, and raising the costs of their reconnaissance and attack efforts. Intuitively, the idea of applying MTD techniques to a whole IT system should provide enhanced security; however, little research has been done to show that it is feasible or beneficial to the system’s security. This dissertation presents an MTD platform at the whole IT system level in which any component of the IT system can be automatically and reliably replaced with a fresh new one. A component is simply a virtual machine (VM) instance or a cluster of instances. There are a number of security benefits when leveraging such an MTD platform. Replacing a VM instance with a new one with the most up-to-date operating system and applications eliminates security problems caused by unpatched vulnerabilities and all the privileges the attacker has obtained on the old instance. Configuration parameters for the new instance, such as IP address, port numbers for services, and credentials, can be changed from the old ones, invalidating the knowledge the attackers already obtained and forcing them to redo the work to re-compromise the new instance. In spite of these obvious security benefits, building a system that supports live replacement with minimal to no disruption to the IT system’s normal operations is difficult. Modern enterprise IT systems have complex dependencies among services so that changing even a single instance will almost certainly disrupt the dependent services. Therefore, the replacement of instances must be carefully orchestrated with updating the settings of the dependent instances. This orchestration of changes is notoriously error-prone if done manually; however, limited tool support is available to automate this process.
We designed and built a framework (ANCOR) that captures the requirements and needs of a whole IT system (in particular, dependencies among various services) and compiles them into a working IT system. ANCOR is at the core of the proposed MTD platform (ANCOR-MTD) and enables automated live instance replacements. In order to evaluate the platform’s practicality, this dissertation presents a series of experiments on multiple IT systems that show negligible (statistically non-significant) performance impacts. To evaluate the platform’s efficacy, this research analyzes costs versus security benefits by quantifying the outcome (sizes of potential attack windows) in terms of the number of adaptations, and demonstrates that an IT system deployed and managed using the proposed MTD platform will increase attack difficulty.
dc.description.advisor: Scott A. DeLoach
dc.description.advisor: Xinming (Simon) Ou
dc.description.degree: Doctor of Philosophy
dc.description.department: Computing and Information Sciences
dc.description.level: Doctoral
dc.description.sponsorship: This research was supported by the Air Force Office of Scientific Research (AFOSR) award FA9550-12-1-0106.
dc.identifier.uri: http://hdl.handle.net/2097/32570
dc.language.iso: en_US
dc.publisher: Kansas State University
dc.rights: © the author. This Item is protected by copyright and/or related rights. You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s).
dc.rights.uri: http://rightsstatements.org/vocab/InC/1.0/
dc.subject: Moving Target Defense
dc.subject: System security
dc.subject: Cloud
dc.subject: Configuration management
dc.subject: Deployment automation
dc.title: Evaluating and quantifying the feasibility and effectiveness of whole IT system moving target defenses
dc.type: Dissertation

Files

Original bundle

Name: AlexandruGavrilBardas2016.pdf
Size: 7.3 MB
Format: Adobe Portable Document Format

License bundle

Name: license.txt
Size: 1.62 KB
Format: Item-specific license agreed upon to submission