Moving Targets Defense – Defenders’ Race Condition

A race condition

In computing, a race condition may occur when two or more threads access shared data and try to change it at the same time. Problems may arise when one thread runs a CHECK-THEN-ACT command, while another thread runs a change to value command at a time which is between the CHECK and the ACT of the first.

Cyber defense paradox

BA’s customer data breach was first disclosed in September 2018 when the airline revealed that hackers had breached its computer systems to steal data relating to about 380,000 customers from its mobile app and website.

In October 2018, BA revealed that cybercriminals had stolen the credit card details of 185,000 more customers in what it described as a sophisticated, malicious criminal attack that took place over a three-month period. Apart from personal details, customers’ email addresses, card numbers, expiry dates, and card verification value numbers were likely stolen, BA warned.

To fall foul of the GDPR legislation, BA would have been found to have failed to take reasonable steps to protect their customers’ data or failed to provide evidence to the ICO that they had done so. The reputational hit to BA may cost them more even than the massive fine, if customers start to lose trust that their data is secure with the company.
It is not yet clear how the breach at BA occurred, but it is already clear that this was a catastrophic failure of internal security monitoring by BA. Not only were their systems breached, but they failed to notice this for three months or more.

There are many routes into the systems of a massive, globally spread company like BA, most likely through the weakest link of its human operators. The corporate security perimeter will extend beyond their own staff to outsourced roles like ground handling agents in dozens of countries around the world.

Getting into race condition with Moving Targets Defense

In order to get into race condition a disruptive approach to cybersecurity is required. While adding an additional horse to drive one’s carriage faster away from adversaries can be a good temporary solution, switching the carriage to a racing car may be an idea worth considering.

In recent years, some concepts as deception, trickery and decoy were introduced to try to slow down and exhaust attackers. Implementing various ‘honeypots’ and distraction across the network may impede attackers and provide defenders with more time and opportunities to detect and respond to malicious activities. However, the core challenge of stopping hackers from penetrating an organisation from the outside is yet to be resolved.

Moving Targets Defense (MTD) is a proactive approach that combines various techniques, such as network architecture randomisation and endpoints information shuffling, which aim to defeat attacks by imposing uncertainty in attack reconnaissance, planning and execution phases, causing attackers to lose their grasp within the victim’s network, while potentially minimising attackers’ dwell time, and allowing response teams to react with their best techniques and tools.

Imagine the reaction of an attacker, which after spending weeks and maybe months probing and enumerating a network has discovered that the systems and addresses have been randomised, network configuration changed, host images replaced, etc. This could be a good incentive for such attacker to shift his efforts to another company.

Moving Targets Defense applicability conditions

The execution of the Moving Targets Defense concept can indeed change the cyber-playground and in a way bridge the ‘odds-gap’ between the competing parties. However, to create a solid business case for MTD adoption, it must not only be highly effective, but also, at the same time, it has to be completely transparent for company’s end users, who simply want to be able to do their work properly and not to be bothered when trying to work remotely or access their shared folders on demand.