The prevailing model of endpoint cyber security is: monitor, detect, and respond. The idea is to find attacks once they’re inside your infrastructure but before they can do any damage. First, learn about attacks from some source and then reduce their dwell time by updating endpoint sensors or patching before a breach.

In other words, find the crocodile before it finds you. 

Whole taxonomies of tools have emerged to deal with this, most falling into categories like NextGen antivirus and Enterprise Detection and Response (EDR). Various flavors of magic quadrants abound. Many of them sound great on paper or look lovely in the lab. But in the real world, when you add real people and processes, the story is different.

The Prevailing Model Runs Late And Is Burdensome

Attacks move fast. As CVE 2018 – 4878 and notPetya showed, it can take less than an hour for an attack to complete a full cycle. But average dwell time is 229 days. Inside a 229 day envelope, attacks download additional stages, including malware, create botnets, move laterally from endpoint to endpoint or from endpoints to servers and operational technology, and accomplish their malicious purpose: ransomware, fraud, data theft and exfiltration, or stopping business operations..

The burden of achieving the potential of NextGen AV or EDR is on the buyer. These are not ‘set and forget’ technologies. Operationalization, management, monitoring, and response are labor-intensive and error-prone. The tools themselves are costly and taxing to manage. They take trained personnel and need attention. When something goes wrong, it is typically the buyer’s fault, for not updating or tuning policies, monitoring vigilantly, interpreting telemetry correctly, or responding aggressively enough.

These tools have a place in a security strategy, but that place is not as a primary security control. Any dwell time is too much dwell time.

Moving Target Defense Eliminates Dwell Time

Moving Target Defense is a primary security control. It starts with the goal of zero dwell time for all advanced attacks. The goal is achieved by disabling the actuating mechanism that these attacks have in common.  This stops all of them before they can get started, without having to learn about the techniques used by an individual attack, detecting anomalous behavior, or hunting for evidence of an attack. The result is effective defenses and simple security operations, with no dwell time.

Advanced attacks are designed to take over a PC early in order to give themselves dwell time for additional stages of on attack. They accomplish this by running malicious code in memory: that’s the ‘actuating mechanism’’ of the attack. If they do this successfully, they are in control, with lots of runway for the next stages of the attack. If they don’t, the attack is over and there is nothing for defenders to worry about. A recent Ponemon study found that 80% of breaches stem from fileless and other in-memory attacks. Clearly this ‘actuating mechanism’ is a successful technique for attackers. They have coupled it with evasion and have shifted their preference and R&D toward these fruitful methods.

Moving Target Defense prevents memory attacks by dynamically morphing the runtime environment and placing traps every time a user opens a file or opens a web page. Morphing makes it impossible for attacks to find the location of the functions they need to exploit in the runtime environment in order to execute. For want of a target to attack, the attack never gets started. Instead, when the attack tries to execute code, it is trapped, instantaneously and effortlessly, regardless of whether it is known or unknown.

This potent way of stopping attacks is independent of and therefore immune to individual attack techniques, changes or modifications to attacks, or completely new and unknown attacks. All memory attacks must utilize the common ‘actuating mechanism’ of executing code in memory; so all memory attacks are prevented when Moving Target Defense disables this mechanism.

The success rate has been startling. SE Labs tested Morphisec’s Moving Target defense and found it to be 100% effective. In 2017, the version of Morphisec launched in April of 2016 prevented every single memory attack, without any updates and with no dwell time. 2018 is proving to be exactly the same.

In Conclusion

Dwell time is not a fact of life and defenders do not need to reconcile themselves to it. It can be reduced essentially to zero for memory attacks — simplifying IT, reducing the urgency of patches and AV updates, and making cybersecurity economical and effortless.