A Short History of Moving Target Defense
World War II Portable Radio Set in a US Army Jeep


I recently attended RSAC2023 and talked to many passionate cybersecurity professionals, but none had ever heard of Automated Moving Target Defense (AMTD). As I explained AMTD, I found that starting with a historical context made it easier for them to understand what AMTD was all about. So I hope this article will help other cybersecurity professionals who may be wondering “What is AMTD?” and “Why should I care?”

MTD in World War II

The earliest form of moving target defense (MTD) that I am aware of was used in WWII for communications security. The Allied forces needed to prevent Axis forces from listening in on Allied radio communications. The Allies invented frequency hopping, which moved radio communications from one frequency (channel) to another at short intervals. Anyone listening could get only a partial message before the transmission changed to another frequency; the intruder would then have to scan the entire frequency spectrum and detect the conversation again on another channel. It was very difficult for Axis forces to get any useful information, and it was the foundation of moving target defense for communications and information security.

Simply put, with MTD, you find something of value that the attacker wants or needs and you move it around (the faster and more frequently the better) so they are never able to find it or obtain it.

MTD is an elegant and strategic defense strategy because it doesn’t require a lot of intelligence or knowledge of the threat or the attack method. Continuous movement raises the cost of an attack and prevents attackers from getting what they need to launch the attack.

Digital MTD (circa 2000)

Fast-forward five decades from the WWII era to the early 1990s and the emergence of the Internet, and new types of MTD appeared to secure digital (IP) communications. These took various forms, sometimes hopping device network addresses, sometimes rearranging memory, and sometimes scrambling data storage locations. Most of these methods were built for monolithic systems and on-premises data centers.

When IPv6 came along (released in 1995) and added a large number of IP addresses to the Internet protocol, IP hopping became a reality, beginning with work done at Virginia Tech by my friend Matthew Dunlop, Ph.D., and others (2012).
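The address hopping described above can be sketched as a keyed, time-slotted schedule, the same idea as the frequency hopping earlier in the article. This is an added example, not code from the article or from the Virginia Tech work; the key, the documentation prefix, the 10-second slot and all function names are assumptions.

```python
import hashlib
import hmac
import ipaddress

SLOT_SECONDS = 10                      # assumed hop interval
KEY = b"constructed-demo-key"          # constructed shared secret
PREFIX = "2001:db8:0:1::/64"           # documentation prefix (RFC 3849)

def slot_index(unix_time, slot_seconds=SLOT_SECONDS):
    """Map a timestamp to the index of its hop interval."""
    return int(unix_time) // slot_seconds

def hop_address(key, prefix, slot):
    """Derive the address used during one slot: prefix + HMAC-derived 64-bit host part."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this example assumes a /64 prefix")
    digest = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return net.network_address + int.from_bytes(digest[:8], "big")

def accepted_addresses(key, prefix, unix_time, skew_slots=1):
    """Receiver side: addresses valid now, plus neighbours to tolerate clock skew."""
    now = slot_index(unix_time)
    return {hop_address(key, prefix, s)
            for s in range(now - skew_slots, now + skew_slots + 1)}

def observer_hit_rate(key, prefix, start_time, slots):
    """Fraction of slots in which traffic still uses the address seen in the first slot."""
    first = slot_index(start_time)
    watched = hop_address(key, prefix, first)
    hits = sum(hop_address(key, prefix, first + i) == watched for i in range(slots))
    return hits / slots

if __name__ == "__main__":
    t0 = 1_700_000_000                 # constructed timestamp
    print("sender uses :", hop_address(KEY, PREFIX, slot_index(t0)))
    print("receiver ok :", sorted(map(str, accepted_addresses(KEY, PREFIX, t0 + 7))))
    print("observer sees", observer_hit_rate(KEY, PREFIX, t0, 360), "of one hour")
```

Both endpoints compute the schedule independently from the shared key, so nothing about the next address travels on the wire; an observer who learned one address sees traffic on it for a single slot.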

There are certainly other historical MTD programs that I have skipped over, but it’s clear that MTD has evolved from its earliest form of frequency hopping. Some of the earlier forms of MTD have lost some of their effectiveness as technology has evolved and adversaries have figured out how to bypass them. But others have achieved generational improvements that improve MTD’s effectiveness in preventing a loss of information.

Automated MTD (2023)

If you’re a cybersecurity professional, then you’re likely to be hearing more about Automated Moving Target Defense (AMTD) in the near future. AMTD is an emerging cybersecurity defensive strategy that adds sophisticated automation to traditional MTD approaches. The AMTD emerging for cybersecurity use is more sophisticated than ever before. Recently, Gartner recognized AMTD as an important cyber security defensive strategy that should be part of every enterprise security architecture (Gartner blog) as “the future of cyber.”

Although AMTD is “emerging” (Gartner clients see this paper) in new forms, the macro-cyber environment of digital transformation and new cloud architectures, such as Kubernetes, microservices, service mesh, and serverless, require generational MTD improvements and new forms of AMTD. Also, with Zero Trust (ZT) moving out of policy and hype into mainstream commercial use with practical implementations, the opportunity for strategic convergence of AMTD and ZT will enhance cybersecurity outcomes.

The combination of ZT plus AMTD is compelling. Individually they offer important strategic benefits to prevent attacks and disable threat actors from getting to the data they seek. But when these two strategic approaches are combined, the cybersecurity benefits are synergistic; it’s like 1 + 1 = 3. If it’s done well, it can produce new levels of threat protection and at low cost.

Four Important Takeaways

There are four important takeaways for security and risk managers to consider and possibly act on:

  1. AMTD solutions that are built for the cloud or cloud native should be emphasized in selecting a solution because they are likely to be the most effective in preventing attacks. Re-factoring older forms of MTD for the cloud could be costly and still not deliver the generational improvement needed for Zero Trust and cloud-first enterprises.
  2. AMTD solutions that are “plug and play” (or nearly so) should receive strong consideration because they offer the lowest adoption cost and fast time-to-value. They are the easiest and fastest path to evaluation and adoption into existing security architectures, and in at least one instance the implementation is easily reversible (no lock-in).
  3. Managed Security Service Providers (MSSPs), Managed Detection and Response (MDR) vendors, and related cybersecurity platforms should seek opportunities to partner with AMTD vendors that have novel solutions and bring those capabilities into their platforms. Specifically, look for AMTD partners whose solutions are: a) built for the cloud, b) a generational improvement in MTD, and c) meet Zero Trust principles.
  4. CISOs, CIOs, and CTOs of digital enterprises should budget and plan for incorporating Zero Trust, cloud-native AMTD technology into their security architectures. Be early adopters of AMTD solutions that are “plug and play”, even if only for evaluation purposes.

This article originally appeared on the Hopr Blog. You can visit there to find more articles on relevant cybersecurity topics.

Don Matthews

President and CEO at NexiTech, Inc.

1 year

Thank you for the great article, Tom. Frequency hopping is definitely one of my favorite #AMTD metaphors.
