A Moving Target Defense for Workloads, APIs, and Data

When I was growing up, I had the opportunity to shoot “clay pigeons.” They’re small round discs of hard clay that are launched (at high velocity) into the air so a person with a shotgun can shoot at them (see photo above). If you’re familiar with this, then you’ll have experienced just how hard it is to hit a small, fast-moving target, even when you have certain advantages, such as knowing the general area and direction of flight. If you haven’t experienced this, I can tell you that it’s pretty hard to hit clay pigeons.

There’s an application here for cyber security strategy. What if we could make life difficult for cyber adversaries by making their targets (such as access permissions and data) small and fast moving? Exploring that question is what this article is about; the approach is known as a moving-target defense (MTD).

The Default Cyber Strategy

A colleague recently remarked on the cyber security industry. After decades of investing in cyber companies, he thought it was crazy how reactionary the industry still was, and he cited the current interest in solving the problem of API attacks, which has become a big deal over the last year or two. Before that it was the SolarWinds hack that took the cyber world by surprise and accelerated the zero trust movement and the scramble for threat intelligence, threat hunting, and XDR solutions. The point of this investor’s remark was that the industry operates by a default “bug fix” (software development) strategy and runs from vulnerability to vulnerability playing “whack-a-mole.” The strategy rests on an assumption that it’s just a matter of time before all the vulnerabilities are found and fixed. While that is a reasonable assumption for a single software product, it is a poor fit for an industry that continues to innovate new technologies, protocols, and architectures. The technology landscape keeps changing, and each change introduces new vulnerabilities. Flaws in what we build are a fact of life. Sure, we will fix and patch to improve the quality and security of our technology, but we need a different default cyber strategy, one that’s diverse, proactive, enduring, and winnable rather than reactive. The goal isn’t perfection, but resilience.

An Alternative Cyber Strategy

A good approach to finding the right default strategy is to examine each of the strategic advantages the adversary holds, and then conceive and develop opposing strategies. For example, adversaries have the advantages of time, access, and anonymity. That’s a strong strategic position, and they have held it for a long time. Thinking about an opposing strategy that might offset, degrade, or eliminate the adversary’s advantage, the combination of an MTD with high frequency credential rotation and dynamic defensive micro-perimeters (security perimeters that surround operating workloads and their communication route) could be very effective. The combination of these three components creates a small, fast-moving target that an adversary must expend significant effort to attack. The resulting effect moves the defense faster than an adversary can find, understand, and attack it. Why is this important? Because forensic analysts have found that adversaries spend roughly 90% of their time planning an attack and only 10% actually performing it; if the target changes while the attack is still being planned, that planning is wasted. This means that a well-planned and executed MTD is an effective and durable cybersecurity strategy. When the two other elements, high frequency credential rotation and host-based micro-segmentation, are added to MTD, the combination becomes a killer strategy because it achieves other security benefits and takes away the time advantage that adversaries have held for so long.

Micro-segmentation of Workloads

For illustration purposes, let’s consider the proposed strategy applied to containerized workloads, microservices, and APIs that operate in a modern digital environment (such as Kubernetes, Docker, and others). It’s well known that enterprises moving to cloud or hybrid environments increase their attack surface and become more exposed. Micro-segmentation is a technique that segments digital services into small workload groups and isolates each group behind its own security perimeter for improved protection. It is one of the core principles of zero trust, and it gained new urgency after the infamous 2020 SolarWinds hack. Micro-segmentation breaks the attack surface into many small areas, so compromising one workload no longer gives an adversary reach to all the others.

There are different ways to micro-segment digital resources: network micro-segmentation, hypervisor micro-segmentation, and host- or agent-based micro-segmentation. For reasons I can’t fully explain in this article, I have a strong preference for agent-based micro-segmentation. It is simpler and faster to implement, it travels with the workload rather than with the network the workload happens to run on, and it is the right choice for a moving-target strategy. For example, Hopr’s agent-based micro-segmentation isolates digital services into segments as small as two workloads.

Movement of the Defense

Micro-segmentation by itself is an important security architecture feature, but it becomes even more effective when the micro-segments themselves move dynamically while business services are performed by workloads and data is exchanged via APIs. Consider something as small as a pair of containerized workloads operating continuously and exchanging data as they perform a service. Building a defensive micro-perimeter around each pair of workloads each time they start a series of data transactions (i.e., a session) would make a very small target and would produce a very large number of targets to confuse and delay an adversary. The micro-segments would also appear and disappear dynamically as services are performed by different workloads. The end result is a fast-moving target that is difficult for an adversary to locate, and one whose lifetime is shorter than the reconnaissance needed to attack it.

Access for Trusted Workloads

Now that we have a small, fast-moving target, we need a way to allow only trusted workload identities through the perimeter, and it has to work in real time and from any environment. The conventional approach is to use PKI certificates for identity and something like TLS or mTLS for transport security, along with OAuth (or similar) for authentication. Without going into a lot of detail, I’ll point out that recent survey data on API attacks indicate that a majority of successful attacks occur on authenticated APIs, and Gartner reports that three of the four vulnerability paths for API attacks involve some form of credential theft. My conclusion from these findings is that conventional authentication, built on long-lived credentials that can be stolen and replayed, is failing to protect containerized workloads and APIs.

This is where the combination of an MTD with high frequency credential rotation offers tremendous benefits. Since credentials are an attractive target, rotating them at a high frequency means they expire before an adversary can find, extract, and misuse them. To be practical in a combined strategy, high frequency credential rotation must overcome two big problems present in conventional secrets use: 1) secure secrets storage and 2) injection of newly rotated secrets into the workloads that need them for authentication. Each of those steps is itself a place where a secret sits at rest or in transit and can be stolen. Ideally, we want high frequency credential rotation without the baggage of storing secrets, injecting them into another workload endpoint, and using yet another API and key to retrieve stored keys from a vault.

To achieve this ideal, Hopr takes a novel approach: it verifies trust in workloads at every session and allows only trusted workloads through the dynamic micro-perimeter.

Protect the Data

Rather than use the secret credential for authentication, which requires passing it in a message to another workload and having the receiving workload compare it to the most recently rotated secret, Hopr developed a protocol and technology to build ephemeral secrets inside the workload containers. Instead of being passed for authentication, the secrets are used to encrypt (or decrypt) messages to the other trusted workload. The result is end-to-end encryption (E2EE) over the entire route between the two workloads and verifiable trust in the sender’s identity, because only a workload that built the matching secret can produce a message the receiver can decrypt.

So you’re probably asking: don’t you still have to exchange the encryption key between the two workloads so that they can encrypt and decrypt their messages? The short answer is no. Hopr’s CHIPS technology allows two workloads to build identical secrets independently, so the secret itself never crosses the wire. These are symmetric secrets that are ephemeral (they exist for only a single session) and then vanish. These are important attributes for high frequency credential rotation, and they enhance the overall strategy of creating small, fast-moving targets for an effective MTD.
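To make the pair-scoped micro-perimeter of the “Movement of the Defense” section and the ephemeral, never-transmitted session secret of the two sections above concrete, here is an added example. It is my own illustration, not code from the original post and not Hopr’s CHIPS protocol (which this page does not describe); it shows the general technique the description implies: two workloads each hold a long-lived identity key, exchange only a signed ephemeral public value per session, independently build an identical symmetric key from it, and use that key for authenticated end-to-end encryption. Only a peer whose hello verifies under an identity key the workload already trusts gets through the perimeter, and the key lives only for that session. The workload names orders-api, inventory-svc and billing-svc, the Workload and Hello types, the out-of-band distribution of identity public keys (assumed to be done by the orchestrator) and the sample message are all assumptions for the illustration. The primitives chosen here (Ed25519 identity signatures, X25519 key agreement, a one-step hash KDF over the session transcript, AES-GCM with the sender name as associated data) are standard ones I swapped in; nothing on the page says what CHIPS uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must panics on infrastructure errors (RNG, key setup); security decisions are returned as errors.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Workload is a hypothetical container-side identity: a name plus a long-lived Ed25519 key pair.
// Identity public keys are assumed to be distributed out of band (e.g. by the orchestrator).
type Workload struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewWorkload(name string) *Workload {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	return &Workload{Name: name, Pub: pub, priv: priv}
}

// Hello is all that crosses the wire per session: a fresh X25519 public value signed by the
// sender's identity key. The symmetric session key itself is never transmitted.
type Hello struct {
	Name   string
	EphPub []byte
	Sig    []byte
}

// NewHello makes the per-session ephemeral X25519 key and signs its public half together with the name.
func (w *Workload) NewHello() (*ecdh.PrivateKey, *Hello) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	pub := eph.PublicKey().Bytes()
	sig := ed25519.Sign(w.priv, append([]byte(w.Name+"|"), pub...))
	return eph, &Hello{Name: w.Name, EphPub: pub, Sig: sig}
}

// OpenSession is the gate through the pair's micro-perimeter: the peer's Hello must verify under
// the identity key we already trust for it, or no key is derived. Both sides build the same AES-GCM
// key independently; it exists only for this session and is never sent.
func (w *Workload) OpenSession(eph *ecdh.PrivateKey, mine, peer *Hello, peerID ed25519.PublicKey) (cipher.AEAD, error) {
	if !ed25519.Verify(peerID, append([]byte(peer.Name+"|"), peer.EphPub...), peer.Sig) {
		return nil, errors.New("hello for " + peer.Name + " not signed by its trusted identity")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(peer.EphPub)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(peerPub) // raw shared secret; never leaves this process
	if err != nil {
		return nil, err // e.g. a low-order point yielding an all-zero secret
	}
	a, b := mine, peer // canonical order so both sides hash the same transcript
	if string(b.EphPub) < string(a.EphPub) {
		a, b = b, a
	}
	transcript := sha256.Sum256(append(append([]byte(a.Name+"|"+b.Name+"|"), a.EphPub...), b.EphPub...))
	key := sha256.Sum256(append(shared, transcript[:]...)) // one-step hash KDF: ECDH output + transcript
	block, err := aes.NewCipher(key[:])
	must(err)
	return cipher.NewGCM(block)
}

// Seal and Open bind each message to the claimed sender via AEAD associated data, so a ciphertext
// presented under another sender name fails its tag check; the unique key per session already
// makes replay into another session fail.
func Seal(sess cipher.AEAD, sender string, plaintext []byte) []byte {
	nonce := make([]byte, sess.NonceSize())
	_, err := rand.Read(nonce)
	must(err)
	return append(nonce, sess.Seal(nil, nonce, plaintext, []byte(sender))...)
}

func Open(sess cipher.AEAD, sender string, msg []byte) ([]byte, error) {
	n := sess.NonceSize()
	if len(msg) < n {
		return nil, errors.New("message too short")
	}
	return sess.Open(nil, msg[:n], msg[n:], []byte(sender))
}

// RunSession plays one session between two constructed workloads and reports the recovered plaintext
// (which proves both sides built the same key), whether a forged sender label is rejected, and whether
// an impostor claiming a trusted name with the wrong identity key is refused a session at all.
func RunSession() (plaintext string, forgeryRejected, impostorRejected bool) {
	orders, inventory := NewWorkload("orders-api"), NewWorkload("inventory-svc")
	oEph, oHello := orders.NewHello()
	iEph, iHello := inventory.NewHello()
	_, xHello := NewWorkload("inventory-svc").NewHello() // impostor: right name, wrong identity key
	_, xErr := orders.OpenSession(oEph, oHello, xHello, inventory.Pub)
	oSess, err := orders.OpenSession(oEph, oHello, iHello, inventory.Pub)
	must(err)
	iSess, err := inventory.OpenSession(iEph, iHello, oHello, orders.Pub)
	must(err)
	ct := Seal(oSess, orders.Name, []byte("reserve sku-42 qty 3")) // constructed message
	pt, err := Open(iSess, orders.Name, ct)
	must(err)
	_, forgeErr := Open(iSess, "billing-svc", ct) // same bytes, forged sender: tag check fails
	return string(pt), forgeErr != nil, xErr != nil
}

func main() { fmt.Println(RunSession()) }
```

Running it prints the recovered message followed by true true. Note what was and was not needed: no secret was stored in a vault, injected into either container, or retrieved with another key; the only things that crossed the wire were public values and signatures, and the raw shared secret and the derived key never leave the process that computed them. When RunSession returns, the ephemeral private keys and the AEAD become unreachable and the secret is gone with the session; a production agent would zero key material explicitly rather than leave that to the garbage collector, and would tie the session lifetime to the workload pair’s actual data exchange so that the micro-perimeter appears and disappears with the work.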

Final Thoughts

I’ve described an alternative strategy for cybersecurity using the example of containerized workloads, microservices, and APIs. And while some of the characteristics of the particular illustration (such as micro-segmentation, dynamic micro-perimeters, and high frequency credential rotation) might be specific to workload and API threat protection, the overall takeaway is that MTD offers significant improvements over conventional defensive strategies such as vulnerability patching and threat hunting. Security and risk managers should give considerable thought to the strategic use of MTD because of its long-term value as technologies, architectures, and environments evolve.

This article was originally published in the Hopr blog.

Excellent article. Love the clay pigeons analogy.

Nicholas Hughes

Former CEO of EITR Technologies (successful exit) | Automator of Things | Just a Guy? | The Salt Guy | Pipe Symbol Enthusiast | Are you seriously still reading this?

2 years

Great article! I kept thinking of this guy instead of those little discs though...
