Lessons Learned in Network and Memory-Based Moving Target Defenses
Author : conchita-marotz | Published Date : 2025-08-13
Transcript: Lessons Learned in Network and Memory-Based Moving Target Defenses
Lessons Learned in Network and Memory-Based Moving Target Defenses
Richard Skowyra & Samuel Jero
Moving Target Defense Workshop, November 2020

DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited. This material is based upon work supported by the Department of Defense under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of Defense. © 2020 Massachusetts Institute of Technology. Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work.

Seven Years of Moving-Target Research
- Have no PHEAR: Networks without identifiers
- Address-Oblivious Code Reuse
- Systematic Analysis of Defenses Against Return-Oriented Programming
- Multi-variant execution to protect unpatched software
- Survey of cyber moving targets, second edition
- QUASAR: Quantitative Attack Space Analysis and Reasoning
- Controller-Oblivious Dynamic Access Control in Software-Defined Networks
- The Leakage-Resilience Dilemma
(Timeline figure; year labels as extracted: 2015, 2013, 2016, 2017, 2017, 2018, 2019, 2019)

Moving-Target Taxonomy
(Figure: system layers Hardware, Network, Memory, Processor, Operating System, Runtime Environment, Application, Data)
- Dynamic Data: change data format or representation
- Dynamic Software: change application code
- Dynamic Runtime: change execution environment
- Dynamic Platform: change OS or instruction set
- Dynamic Network: change network properties

Lesson 1: Attackers Can Use APIs Too
2017 NotPetya Attack
(Figure: Linkos network and Maersk network (and others); nodes: Internet, M.E.Doc Workstations, Unpatched Machines, Patched Machines; steps: initial compromise of M.E.Doc servers by Russian Sandworm actors; inject malware via trusted software update; CVE-2017-0144; pivot; credential theft; pivot)
- Malware leveraged Active Directory and DHCP protocols to conduct reconnaissance
- Credential theft and execution conducted via Windows system administration tools (e.g. PowerShell)
- EternalBlue exploit helpful against unpatched machines, but potentially unnecessary
- Not unique: the 2017 Equifax and 2015 Anthem attacks used similar techniques once inside the network

Lesson 1: Attackers Can Use APIs Too
Lessons and Opportunities
- MTDs rely on the attacker needing capabilities unavailable through normal APIs
  - Reconnaissance, remote execution, download/upload, etc.
- However, modern enterprise APIs are rich enough for most attacker needs
  - Necessary for scalable system administration
- Conventional targets for movement are no longer sufficient (e.g. memory layout)
- Yet attackers must still act outside normal bounds
  - Credential theft, privilege
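The slide's point that EternalBlue was "potentially unnecessary" can be checked with a small attack-path model, added here as an illustration and not taken from the talk. The hosts and capability-labelled edges below are an assumption based on the slide figure (supply-chain update, CVE-2017-0144 against unpatched hosts, credential theft plus administration APIs against patched hosts); blocking a capability stands in for a defence that denies it, and reachability shows which hosts remain exposed.

```python
"""Attack-path reachability over a NotPetya-style network (added illustration)."""
from collections import deque

# Constructed graph (assumption modelled on the slide figure, not data from the talk).
# Each edge is (source, destination, capability the attacker needs to traverse it):
#   supply_chain - malware injected via the trusted M.E.Doc update channel
#   exploit      - CVE-2017-0144 (EternalBlue) against an unpatched host
#   api          - credential theft plus normal administration interfaces
EDGES = [
    ("internet", "medoc_server", "supply_chain"),
    ("medoc_server", "medoc_workstation", "supply_chain"),
    ("medoc_workstation", "unpatched_host", "exploit"),
    ("medoc_workstation", "patched_host", "api"),
    ("unpatched_host", "patched_host", "api"),
    ("patched_host", "unpatched_host", "api"),
]


def reachable(edges, start, blocked=frozenset()):
    """Hosts reachable from `start` once the capabilities in `blocked` are denied."""
    adjacency = {}
    for src, dst, capability in edges:
        if capability not in blocked:
            adjacency.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:                       # plain breadth-first search
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def compare_defences(edges, start="internet"):
    """Reachable hosts when a single capability is blocked, for 'exploit' and 'api'."""
    return {cap: sorted(reachable(edges, start, {cap})) for cap in ("exploit", "api")}


if __name__ == "__main__":
    for cap, hosts in compare_defences(EDGES).items():
        print(f"blocking {cap!r:10} -> still reachable: {hosts}")
```

Patching (blocking `exploit`) leaves every host reachable through the API edges, while denying the API path is what actually cuts the patched hosts off.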