I recently attended RSAC2023 and talked to many passionate cybersecurity professionals, but none had ever heard of Automated Moving Target Defense (AMTD). As I explained AMTD, I found that starting with a historical context made it easier for them to understand what AMTD was all about. So I hope this article will help other cybersecurity professionals who may be wondering “What is AMTD?” and “Why should I care?”
MTD in World War II
The earliest form of moving target defense (MTD) that I am aware of was used in WWII for communications security. The Allied forces needed to prevent Axis forces from listening in on Allied radio communications. The Allies invented frequency hopping, which moved a radio transmission from one frequency (channel) to another at short intervals. Anyone listening on a channel could catch only a fragment of the message before it moved to another frequency; to pick up the conversation again, the intruder would have to scan the entire frequency spectrum and detect it on the new channel. It was very difficult for Axis forces to get any useful information, and frequency hopping became the foundation of moving target defense for communications and information security.
Simply put, with MTD, you find something of value that the attacker wants or needs and you move it around (the faster and more frequently the better) so they are never able to find it or obtain it.
MTD is an elegant and strategic defense because it doesn’t require much intelligence about the threat or knowledge of the attack method. Continuous movement raises the cost of an attack and denies attackers what they need to launch it.
Digital MTD (circa 2000)
Fast-forward five decades from the WWII era to the early 1990s and the emergence of the Internet, and new types of MTD appeared to secure digital (IP) communications. These took various forms: sometimes hopping device network addresses, sometimes rearranging memory, and sometimes scrambling data storage locations. Most of these methods were built for monolithic systems and on-premises data centers.
When IPv6 came along (released in 1995) and added a large number of IP addresses to the Internet Protocol, IP hopping became a reality, beginning with work done by Virginia Tech researchers (2012).
There are certainly other historical MTD programs that I have skipped over, but it’s clear that MTD has evolved from its earliest form of frequency hopping. Some of the earlier forms of MTD have lost some of their effectiveness as technology has evolved and adversaries have figured out how to bypass them. But others have achieved generational improvements in effectiveness at preventing loss of information as threats became more capable and persistent.
Automated MTD (2023)
If you’re a cybersecurity professional, then you’re likely to hear more about Automated Moving Target Defense (AMTD) in the near future. AMTD is an emerging cybersecurity defensive strategy that adds sophisticated automation to traditional MTD approaches, and the AMTD now emerging for cybersecurity use is more sophisticated than ever before. Recently, Gartner recognized AMTD as “the future of cyber,” an important cybersecurity defensive strategy that should be part of every enterprise security architecture (Gartner blog).
Although AMTD is “emerging” (Gartner clients: see this paper) in new forms, the macro cyber environment of digital transformation and new cloud architectures, such as Kubernetes, microservices, service mesh, and serverless, requires enhanced and new forms of AMTD. Also, with Zero Trust (ZT) moving out of the policy domain (and the hype) into practical commercial implementations, the strategic convergence of AMTD and ZT to improve cybersecurity outcomes is compelling for those of you who need high security or are simply facing an onslaught of attacks that calls for a new defensive strategy.
The combination of ZT plus AMTD is compelling because they reinforce each other and offer important strategic benefits: preventing attacks and keeping threat actors from reaching the data they seek. The cybersecurity benefits are synergistic (it’s like 1 + 1 = 3). If done well, it can produce new levels of threat protection at a low cost.
At Hopr, our novel technology creates AMTD by moving credentials (the identity and secret that are the targets of credential theft) at high frequency. We then added identity verification and micro-segmentation to meet the Zero Trust principles defined by NIST. Lastly, we added the ‘superpower’ of our CHIPS technology: the capability to build on-demand, end-to-end encrypted (E2EE) communications channels between two entities anywhere the Internet exists, without a key exchange. The combination of AMTD, Zero Trust, and CHIPS (E2EE) produces a strong and strategic cybersecurity defense at a relatively low cost.
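As an added illustration (not code from this article, and not Hopr’s or anyone’s product), the following Python models the two moving-target mechanisms discussed on this page: the frequency-hopping schedule of the WWII section and the high-frequency credential rotation described above. The shared secret, the 30-second rotation interval, the channel count, and the HMAC-SHA256 derivation of each hop are constructed assumptions chosen to make the principle runnable, not a description of how any real system does it. Both parties derive the current target from the secret plus the current time slot, so they stay synchronized while anything an observer captured in an earlier slot is stale.

```python
"""Moving-target principle, modelled two ways.

Part 1: a frequency-hopping schedule; a listener parked on one channel
        recovers only a fraction of the message.
Part 2: a credential that rotates every slot; a credential captured earlier
        is rejected once its slot (plus a small skew window) has passed.
Added example with constructed values; not a production scheme.
"""
import hashlib
import hmac
import struct

# Constructed shared secret known to both legitimate parties (sender/receiver,
# or client/service). Not a real key.
SHARED_SECRET = b"example-shared-secret-not-a-real-key"


def hop_value(secret: bytes, slot: int) -> bytes:
    """Pseudorandom per-slot value: HMAC-SHA256 of the slot number under the secret.
    Without the secret an observer cannot predict the next hop."""
    return hmac.new(secret, struct.pack(">Q", slot), hashlib.sha256).digest()


# --- Part 1: frequency hopping (the WWII-era MTD) ---

def channel_for_slot(secret: bytes, slot: int, n_channels: int) -> int:
    """Channel used during a slot; both radios compute the same index."""
    return int.from_bytes(hop_value(secret, slot)[:4], "big") % n_channels


def transmit(secret: bytes, message: str, n_channels: int) -> list:
    """One symbol per slot; returns (channel, symbol) pairs as seen on the air."""
    return [(channel_for_slot(secret, slot, n_channels), sym)
            for slot, sym in enumerate(message)]


def receive(secret: bytes, on_air: list, n_channels: int) -> str:
    """The intended receiver follows the same schedule and reassembles everything."""
    return "".join(sym for slot, (ch, sym) in enumerate(on_air)
                   if ch == channel_for_slot(secret, slot, n_channels))


def fixed_channel_listener(on_air: list, listen_on: int) -> str:
    """An observer without the secret, parked on one channel, hears only what lands there."""
    return "".join(sym for ch, sym in on_air if ch == listen_on)


def best_single_channel_coverage(secret: bytes, message: str, n_channels: int) -> float:
    """Fraction of the message recovered by the luckiest fixed-channel observer
    (roughly 1/n_channels for a long message)."""
    on_air = transmit(secret, message, n_channels)
    best = max(len(fixed_channel_listener(on_air, ch)) for ch in range(n_channels))
    return best / len(message)


# --- Part 2: moving credentials (the AMTD variant described above) ---

ROTATION_SECONDS = 30  # constructed interval; the text argues faster is better


def slot_at(now: float, interval: int = ROTATION_SECONDS) -> int:
    """Time slot index for a wall-clock time in seconds."""
    return int(now // interval)


def current_credential(secret: bytes, now: float) -> str:
    """Credential that is valid only for the slot containing `now`."""
    return hop_value(secret, slot_at(now)).hex()


def verify_credential(secret: bytes, presented: str, now: float, skew_slots: int = 1) -> bool:
    """Accept the credential for the current slot (and +/- skew_slots to tolerate
    clock drift); anything older is rejected, so an earlier capture is useless.
    Constant-time comparison avoids leaking how close a guess was."""
    slot = slot_at(now)
    return any(hmac.compare_digest(hop_value(secret, s).hex(), presented)
               for s in range(slot - skew_slots, slot + skew_slots + 1))


if __name__ == "__main__":
    msg = "the quick brown fox jumps over the lazy dog " * 5  # constructed plaintext
    on_air = transmit(SHARED_SECRET, msg, 16)
    print("receiver got full message:", receive(SHARED_SECRET, on_air, 16) == msg)
    print("best fixed-channel coverage:", best_single_channel_coverage(SHARED_SECRET, msg, 16))
    stolen = current_credential(SHARED_SECRET, 1000.0)
    print("stolen credential valid 20s later:", verify_credential(SHARED_SECRET, stolen, 1020.0))
    print("stolen credential valid 100s later:", verify_credential(SHARED_SECRET, stolen, 1100.0))
```

The design point worth noticing is the skew window in `verify_credential`: accepting adjacent slots keeps legitimate clients with slightly drifted clocks working, but every extra slot accepted lengthens the time a captured credential stays usable, so the window should be as small as clock synchronization allows. Likewise, the listener’s coverage in Part 1 shrinks as the channel count grows and the hop interval shortens, which is the “faster and more frequently the better” rule from the MTD section in numbers.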
Four Important Takeaways
There are four important takeaways for security and risk managers to consider:
- AMTD solutions that are built for the cloud or cloud native should be emphasized in selecting a solution because they are likely to be the most effective in preventing attacks. Refactoring older forms of MTD for the cloud could be costly and still not deliver the generational improvement needed for Zero Trust and cloud-first enterprises.
- AMTD solutions that are “plug and play” (or nearly so) should receive strong consideration because they offer the lowest adoption cost and fast time-to-value. They are the easiest and fastest path to evaluation and adoption into existing security architectures, and in at least one instance the implementation is easily reversible (no lock-in).
- Managed Security Service Providers (MSSPs), Managed Detection and Response (MDR) vendors, and related cybersecurity platforms should seek opportunities to include sophisticated AMTD solutions in their offerings to enhance cybersecurity for their customers. Specifically, look for AMTD partners whose solutions are: a) built for the cloud, b) a generational improvement in MTD, and c) compliant with Zero Trust principles.
- CISOs, CIOs, and CTOs of digital enterprises should budget and plan for incorporating Zero Trust, cloud-native AMTD technology into their security architectures. Be early adopters of AMTD solutions that are “plug and play.” These solutions are easy to evaluate for your use case.