Multiple OS Rotational Environment an Implemented Moving Target Defense
Abstract: Cyber-attacks continue to pose a major threat to existing critical infrastructure. Although suggestions for defensive strategies abound, Moving Target Defense (MTD) has only recently gained attention as a possible solution for mitigating cyber-attacks. The current work proposes a MTD technique that provides enhanced security through a rotation of multiple operating systems. The MTD solution developed in this research utilizes existing technology to provide a feasible dynamic defense solution that can be deployed easily in a real networking environment. In addition, the system we developed was tested extensively for effectiveness using CORE Impact Pro (CORE), Nmap, and manual penetration tests. The test results showed that platform diversity and rotation offer improved security. In addition, the likelihood of a successful attack decreased proportionally with time between rotations.
Written by: Michael Thompson, Nate Evans, Victoria Kisekka
PDF and other resources at: ieeexplore.ieee.org/xpls/icp.jsp?arnumber=6900086#article
Section I: Introduction
A common vulnerability in traditional cyber security systems is the static nature of defense mechanisms often used by programmers and IT personnel. Numerous cyber security experts in both academia [6] [7] [24] and the industry [23] have acknowledged the challenges of static defense and have suggested Moving Target Defense (MTD) as an ideal solution. MTD systems mitigate the limitations of static defense by creating a dynamic attack surface, which increases uncertainty from the perspective of the attacker(s) as well as the cost and effort required to launch an attack. Although suggestions for MTD defense techniques flourish, implementation of MTD in practice has been slow, perhaps because of the complexity and lack of demonstrated feasibility of the proposed solutions. This research proposes a design to overcome these challenges by developing a Multiple Operating System Rotation Environment (MORE) MTD, which makes use of existing technology to achieve a feasible MTD solution. This research contributes to the existing literature by developing an MTD solution that accomplishes three goals: the proposed solution (1) reduces the likelihood of a successful exploit, (2) reduces the impact of a successful exploit, and (3) ensures application availability during operating system (OS) rotations. The term “rotation window” is used throughout the paper to define the duration of time an OS is exposed and vulnerable to an attack.
Section II: Background and Related Work
MTD systems broadly fall into two categories: proactive MTD and reactive MTD. In proactive MTD, possible adversarial behaviors are anticipated, and the corresponding defensive strategies are incorporated into the system design to thwart attacks proactively without disrupting operations. In addition, some elements of the defense system, such as Internet protocol (IP) addresses, port numbers, operating systems, etc., are diversified periodically to create a varying attack surface. In reactive MTD, systems react out of necessity to defend against a detected malicious attack. This paper proposes a proactive MTD system and discusses proactive defense systems.
Cyber security experts have implemented proactive diversity defense in numerous ways, most commonly through network diversity. Some recommendations to enhance dynamic network defense are dynamic network address translation to vary packet identification information [15], random IP address alteration [3] [18] [19] [22], and IP address hopping [2] [16].
Incorporating dynamic security into end-user applications has also received much attention. Use of this approach has increased, in part, because of the rise of application layer attacks [4] and the lack of both compliance [1] and cyber-defense knowledge by end-users [10]. A notable example demonstrating diversity defense in end-user applications is Cox et al. (2006)’s technique, which involves inputting similar data into varied applications and subsequently comparing the output from each variant for discrepancies [6]. Other relevant examples involve the use of dynamic compilers [13] [14] and code diversification [5] [8] to achieve MTD in end-user applications. In all these studies, the authors argued that diversifying certain aspects of the program code caused variations in the internal structure of each application. Thus, application-specific attacks would require more time and effort from the attacker(s), who would need to successfully identify the vulnerabilities in each diversified application.
Server diversity is another area of MTD research. Similar to application diversity, achieving server diversity requires creating server replicas and varying some aspects of each server to differentiate them [6] [20]. Dynamic defense through server diversity was demonstrated in [12], where virtual servers were periodically modified to provide MTD defense for web services. MORE MTD adopts a somewhat similar strategy, as will be explained.
Most research focuses on theoretical designs without demonstrating the feasibility and effectiveness of implemented proposals. With a few exceptions in network [22] and application diversity [13], there are no applications of MTD in the cyber security industry. The effectiveness of existing solutions requires further examination; and although [24] and [8] demonstrated the effectiveness of MTD, [9] concluded that MTD was not always effective.
The MORE MTD design proposed in this study overcomes the aforementioned gaps by leveraging existing technology to provide an easily deployable MTD solution that reduces the likelihood of successful attacks, reduces the ability to exploit zero day vulnerabilities, and remains transparent to the user—so as not to interrupt application performance.
Section III: Design of MORE MTD
The proposed dynamic defense solution, MORE MTD, consists of several virtual machines (VMs) equipped with a different distribution of Linux and was tested with a web application of WordPress [21]. In addition, all VM hosts store shared data in a MySQL database. The network design consists of one external IP address mapped to an internal address that is assigned to an individual VM, as shown in Fig. 1.
The dynamic environment was facilitated by a periodic rotation of the various hosts. The rotation was controlled from an administrator machine running a daemon process. Rotation could occur with at least two “live” IP addresses and one “spare” IP address. During rotation, the host that was previously at the “live” IP address is rotated to the “spare” IP address, and then every other host in the configuration is rotated to a new IP address. After rotation is complete, the host that was rotated out is analyzed for evidence of intrusion and removed from rotation if compromised. During this process, if any of the hosts in the configuration are found to be unreachable, those hosts are ignored for the current run of the daemon; however, the daemon will attempt to include them on subsequent runs.
Section IV: Methodology
A. Evaluation of the Effectiveness of MORE MTD
Our goals in designing MORE MTD were to reduce the likelihood of a successful exploit, reduce the impact of any successful exploits, and keep the application up and available during rotation. We verified the success of these goals in three ways: (1) operating system identification/fingerprinting, (2) detection of exploitable services, and (3) detection of violations of the integrity of the host. Specific details about the testing scenarios and results are provided in the next section. Table I shows each goal with its corresponding evaluation metric.
1) Testing Scenarios
A total of six scenarios were tested, as shown in Table II. In the first scenario, for instance, three hosts were subsequently rotated every 60 seconds. During the 60 seconds, the network was assessed for vulnerabilities using CORE, Nmap, and manual testing.
2) Testing Tools
In addition to manual testing, two tools were used: CORE Impact Pro and Nmap. CORE Impact Pro (CORE) is a comprehensive, commercial-grade penetration testing product. The Network Vulnerability Test (NVT), a component of CORE that focuses on the speed of an attack, was used. Nmap is a port scanning utility tool used by network administrators to check for security gaps within the network; it is also used by attackers to identify and exploit network vulnerabilities. For a detailed description of Nmap, we refer the reader to [17].
Section V: Results
A. CORE Impact Pro Results
CORE was used to validate goals 1 and 2 by the use of OS identification/fingerprinting and detection of exploitable services. In order to test CORE, we needed to establish a baseline. We first conducted “control” tests to see how CORE would respond to the tested hosts in a nonrotational environment. CORE NVT attack was used in all tests because of its combination of speed and depth of attack. Because CORE focuses on speed, if it does not see an exploitable service, it will often not “fingerprint” a tested host. In our control tests, none of the tested platforms were fingerprinted except Metasploitable, the known-vulnerable host, which had four successful exploits against it.
For scenario 1, successive attacks were executed against MORE MTD using CORE. The output showed that CORE was only able to fingerprint MORE-MTD in about 25% of attempts, and in successfully fingerprinted attempts, CORE tried several attacks against MORE MTD, but was unable to deploy any exploits. Results in scenario 2 were similar to those observed in scenario 1 in that CORE was able to fingerprint the MTD approximately one in every four attempts; in scenario 2, however, with a five-minute rotation window, CORE successfully deployed agents to the Metasploitable host in approximately half of the fingerprinted runs. This result shows that although vulnerabilities are still exploitable in the rotational environment, a smaller rotation window between systems offers increased protection against those vulnerabilities being exploited.
With the increased number of hosts in scenarios 3 and 4, more CORE NVT attempts were needed to obtain a successful fingerprint. CORE was unable to deploy any agents in scenario 3, and when the rotation window was increased to five minutes (scenario 4), CORE was able to successfully deploy exploit agents. As soon as the vulnerable host was rotated out, however, CORE lost the ability to reconnect to the previously deployed agents. In looking at the differences between three hosts and six hosts, the only significant difference we found was that the ratio of hits to misses for CORE’s fingerprints and/or attacks went down in proportion to the number of hosts.
During scenario 5, which consisted of three Metasploitable hosts, several attacks were observed. In particular, CORE was able to fingerprint the target host successfully every time, and for every fingerprinted run, CORE was able to deploy exploit agents to the active host. This test is significant in that it shows us that platform diversity increases the difficulty and cost of fingerprinting and attacking.
B. Nmap Results
Nmap was used to validate the success of goal 1 by the use of OS identification. The Nmap output for scenario 1 was quite varied; the port scan results indicated a lack of consistency in the output. With a 60-second rotation window in scenarios 1 and 3, Nmap fingerprinting became virtually useless for reconnaissance because the port scan results were always different. In addition, as soon as the port scan was finished, the information gathered was for a host that was no longer accessible. Not surprisingly, at the 5-minute window between rotations in scenarios 2 and 4, the Nmap results were much more predictable, clearly revealing which host was running and when. In general, when running different OSs with a small window between rotations, MORE MTD obfuscated the information that would be necessary to a potential attacker.
C. Manual Testing Results
In order to replicate as closely as possible what a highly skilled attacker might be able to accomplish when attacking MORE MTD, we conducted manual attacks. In the manual attack scenarios, we used our knowledge of the known exploits in metasploitable and our knowledge of the rotational environment, while taking away all of the “unknowns” that contribute to the defensive elements of MORE MTD. What we found is that although an attacker could connect and cause quite a bit of damage during the one-minute rotation window, the attacks were mitigated through OS rotation once the rotation window expired.
D. Application Availability
In addition to the integrity testing scenarios discussed above, minimal testing was performed to establish whether application availability was maintained during rotation. Subjective tests revealed that the application could be updated and viewed without noticeable impact to the user. Furthermore, we measured packet loss to the rotating address over a period spanning several days. With a 60-second rotation window, packet loss measured only an average of 2%, and at 5 minutes, packet loss dropped below 0.5%. Future studies will include more metrics for application availability.
Section VII: Discussion
This research proposes a dynamic defense system called MORE MTD and has evaluated its effectiveness in defending against malicious activities. The test results showed that MORE MTD met all of its goals. More specifically, MORE MTD reduced the likelihood of attacks by lessening the possibility of reconnaissance and zero day vulnerabilities through platform diversity. MORE MTD attained the goal of reducing the impact of successful exploits by limiting the duration of the rotation window, thereby limiting the time an attacker would have to exploit a system and thereby limiting his/her ability to gather information about the network. Last, minimal application availability testing suggested that a web application such as WordPress.org would see minimal loss in performance as a result of operating in a rotational environment. Another important finding was that although the automated testing tools were able to collect some configuration attributes of MORE, actual exploitation of the system failed despite repeated attempts. However, hosts that were intentionally configured with a vulnerable OS were successfully attacked when the rotation window was large enough and the hosts in the setup were not diversified. This result shows that MTD does not remove system vulnerabilities but rather makes it harder for an adversary to exploit the vulnerabilities. In addition, increasing the rotation window and the number of diversified components greatly reduced the chances of a successful attack.
Our findings confirm earlier conclusions in [24] [11] about the improved security offered by increased system variability. The present study differs from earlier work in that our focus is on OS diversity. Our work also has several advantages over the existing MTD solution offered by Coronado Group. First, MORE MTD offers improved security through platform diversity and frequent OS rotation, whereas the Self Cleansing Intrusion Tolerance (SCIT) technique system only relies on rotation and quarantining of exploited systems for improved defense. This type of operation may not offer optimal defense because cleaning/replacing the compromised system does not rid the system of the vulnerabilities that could still be exploited.
Section VII: Conclusion
This paper presented a multiple OS rotation MTD solution for hardening security by increasing adversarial uncertainty of the target system. Existing MTD solutions are not practical, and their ability to protect networks from attacks has received little attention in the literature. The proposed solution fills these gaps. The results showed that MORE MTD was effective in protecting the server environment from adversarial attacks by reducing the likelihood of reconnaissance and other attacks, and limiting an attacker’s access time to a compromised host. The findings have several implications. First, converting from static defense to dynamic defense through the rotation of system components improves security by reducing the value and increasing the costs of information gathering, and reducing the window of opportunity for gathering information and deploying exploits. Second, MORE MTD can be improved upon further by diversifying other elements of the networking environment, such as applications and database servers. The next steps are to implement MORE MTD on a larger network. Although current testing showed that the size of the rotation window was the most significant factor in reducing the likelihood of an attack, future studies need to address other factors, such as varying the number of open ports on different platforms and randomizing the order of rotation.
References
[1] Albrechtsen, E. A qualitative study of users’ view on information security. Computers & Security. 2007 6//;26(4):276–289.
[2] Al-Shaer, E. Toward Network Configuration Randomization for Moving Target Defense. In: Jajodia, S.; Ghosh, A.K.; Swarup, V.; Wang, C.; Wang, X.S., editors. Vol. 54, Moving Target Defense: Springer New York; 2011. p. 153–159.
[3] Al-Shaer, E.; Duan, Q.; Jafarian, J. Random Host Mutation for Moving Target Defense. In: Keromytis, A.; Pietro, R., editors. Vol. 106, Security and Privacy in Communication Networks: Springer Berlin Heidelberg; 2013. p. 310–327
[4] Arbor Networks. The Growing Threat of Application-Layer DDoS Attacks. Arbor Networks; 2012.
[5] Azab, M.; Eltoweissy, M. CyberX: A biologically-inspired platform for cyber trust management. Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), 2012 8th International Conference on; 2012. p. 655–663.
[6] Cox, B.; Evans, D.; Filipi, A.; Rowanhill, J.; Hu, W.; Davidson, J.; Knight, J.; Nguyen-Tuong, A.; Hiser, J., editors. N-variant systems: a secretless framework for security through diversity: Defense Technical Information Center; 2006.
[7] Colbaugh, R.; Glass, K. Proactive defense for evolving cyber threats. Intelligence and Security Informatics (ISI), 2011 IEEE International Conference on: IEEE; 2011. p. 125–130.
[8] Cui, A.; Stolfo, S. Symbiotes and defensive Mutualism: Moving Target Defense. In: Jajodia, S.; Ghosh, A.K.; Swarup, V.; Wang, C.; Wang, X.S., editors. Vol. 54, Moving Target Defense: Springer New York; 2011. p. 99–108.
[9] Evans, D.; Nguyen-Tuong, A.; Knight, J. Effectiveness of moving target defenses. Moving Target Defense: Springer; 2011. p. 29–48.
[10] Furnell, S. Why users cannot use security. Computers & Security. 2005 6//;24(4):274–279.
[11] Goues, C.; Nguyen-Tuong, A.; Chen, H.; Davidson, J.; Forrest, S.; Hiser, J.; Knight, J.; Gundy, M. Moving Target Defenses in the Helix Self-Regenerative Architecture. In: Jajodia, S.; Ghosh, A.K.; Subrahmanian, V.S.; Swarup, V.; Wang, C.; Wang, X.S., editors. Vol.100, Moving Target Defense II: Springer New York; 2013. p. 117–149.
[12] Huang, Y.; Ghosh, A. Introducing Diversity and Uncertainty to Create Moving Attack Surfaces for Web Services. In: Jajodia, S.; Ghosh, A.K.;
Swarup, V.; Wang, C.; Wang, X.S., editors. Vol. 54, Moving Target Defense: Springer New York; 2011. p. 131–151.
[13] Jackson, T.; Homescu, A.; Crane, S.; Larsen, P.; Brunthaler, S.; Franz, M. Diversifying the Software Stack Using Randomized NOP Insertion. In: Jajodia, S.; Ghosh, A.K.; Subrahmanian, V.S.; Swarup, V.; Wang, C.; Wang, X.S., editors. Vol. 100, Moving Target Defense II: Springer New York; 2013. p. 151–173.
[14] Jackson, T.; Salamat, B.; Homescu, A.; Manivannan, K.; Wagner, G.; Gal, A.; Brunthaler, S.; Wimmer, C.; Franz, M. Compiler-Generated Software Diversity. In: Jajodia, S.; Ghosh, A.K.; Swarup, V.; Wang, C.; Wang, X.S., editors. Vol. 54, Moving Target Defense: Springer New York; 2011. p. 77–98.
[15] Kewley, D.; Fink, R.; Lowry, J.; Dean, M. Dynamic approaches to thwart adversary intelligence gathering. DARPA Information Survivability Conference & Exposition II, 2001 DISCEX ’01 Proceedings; 2001. p. 176–185, vol. 171.
[16] Leyi, S.; Chunfu, J.; Shuwang, L. Full Service Hopping for Proactive Cyber-Defense. Networking, Sensing and Control, 2008 ICNSC 2008 IEEE International Conference on; 2008. p. 1337–1342.
[17] Lyon, G.F. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning: Insecure; 2009. p. 468.
[18] Phatak, D.; Sherman, A.T.; Joshi, N.; Sonawane, B.; Relan, V.G.; Dawalbhakta, A. Spread Identity: A new dynamic address remapping mechanism for anonymity and DDoS defense. Journal of Computer Security. 2013;21(2):233–281.
[19] Phatak, D.S. Spread-Identity mechanisms for DOS resilience and Security. Security and Privacy for Emerging Areas in Communications Networks, 2005 SecureComm 2005 First International Conference on; 2005. p. 23–34.
[20] Roeder, T.; Schneider, F.B. Proactive obfuscation. ACM Transactions on Computer Systems (TOCS). 2010;28(2):4.
[21] WordPress.Org. About WordPress: WordPress.Org. Accessed on July 23, 2013.
[22] Yackoski, J.; Bullen, H.; Yu, X.; Li, J. Applying Self-Shielding Dynamics to the Network Architecture. In: Jajodia, S.; Ghosh, A.K.; Subrahmanian, V.S.; Swarup, V.; Wang, C.; Wang, X.S., editors. Vol. 100, Moving Target Defense II: Springer New York; 2013. p. 97–115.
[23] Zank, A. Moving Target Defense: Coronado Group. Available from: http://www.coronadogroup.com/images/Moving-Target-Defense- Coronado.pdf. Accessed June 18, 2012.
[24] Zhuang, R.; Zhang, S.; DeLoach, S.A.; Ou, X.; Singhal, A. Simulation based Approaches to Studying Effectiveness of Moving-Target Network Defense. National Symposium on Moving Target Research; 2012.