Moving Target Defense: Common Practices

Moving Target Defense (MTD) uses counter-deception techniques that constantly change the target surface, so that attackers can’t get a foothold.

There are three main categories of MTD:

  • Network-level MTD: changing the network topology, including IP hopping, random port numbers, extra open or closed ports, fake listening hosts and obfuscated port traffic, as well as fake information about the host and the OS type and version.
  • Host-level MTD: changing host and OS-level resources, naming and configuration.
  • Application-level MTD: changing the application environment. This includes randomizing the memory layout, changing application types and versions and routing them through different hosts, or changing the compiler settings and programming language used to build the source code, altering the source code at every compilation.

All of these techniques are intended to morph the target, making it unfamiliar to the attacker. MTD forces the attacker to learn the target over and over again, increasing the likelihood of discovery and making attacks costly and unfeasible.
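As an added illustration of the network-level port-hopping idea above (not code from the original article), the following Python derives the listening port from a shared secret and a time slot, so authorized clients follow the hop while a port learned by reconnaissance goes stale after one slot. The key, port range and slot length are constructed values chosen for the demo.

```python
"""Time-slotted port hopping: a small network-level MTD illustration.

Assumes a secret shared between the server and authorized clients and
loosely synchronized clocks. All values below are constructed for the demo.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"   # constructed; load from a secret store in practice
PORT_LOW, PORT_HIGH = 20000, 60000     # range the service hops within
SLOT_SECONDS = 30                      # how often the listening port changes


def slot_for(ts: float) -> int:
    """Map a timestamp (seconds) to the index of its hop interval."""
    return int(ts) // SLOT_SECONDS


def port_for_slot(key: bytes, slot: int) -> int:
    """Derive the slot's port with HMAC-SHA256: unpredictable without the key."""
    mac = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return PORT_LOW + int.from_bytes(mac[:4], "big") % (PORT_HIGH - PORT_LOW)


def current_port(key: bytes, ts: float) -> int:
    """Port an authorized client should connect to at time ts."""
    return port_for_slot(key, slot_for(ts))


def accept_connection(key: bytes, ts: float, dst_port: int, skew_slots: int = 1) -> bool:
    """Server-side check: accept only the current slot's port, tolerating
    +/- skew_slots adjacent slots for clock skew; everything else is rejected."""
    s = slot_for(ts)
    return any(dst_port == port_for_slot(key, s + d)
               for d in range(-skew_slots, skew_slots + 1))


def recon_still_valid(key: bytes, observed_ts: float, probe_ts: float) -> bool:
    """Would a port learned at observed_ts still be accepted at probe_ts?
    Beyond the skew window this is true only by chance (1 in PORT_HIGH-PORT_LOW
    per checked slot), which is the cost MTD imposes on stale reconnaissance."""
    return accept_connection(key, probe_ts, current_port(key, observed_ts))


if __name__ == "__main__":
    now = 1_700_000_000.0
    print("port now:", current_port(SHARED_KEY, now))
    print("port next slot:", current_port(SHARED_KEY, now + SLOT_SECONDS))
    print("recon from 10 min ago still valid:",
          recon_still_valid(SHARED_KEY, now - 600, now))
```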

Attackers using deception and MTA have had the upper hand, camouflaging their next moves. The MTD paradigm turns the tables by forcing the attacker to operate in an uncertain and unpredictable environment. MTD at the OS and application levels holds particular promise, because a successful attack depends on accurate information about the targeted operating system and application.