
Interview: How Moving Target Defense Can Protect Businesses Against Zero-Day Threats

Bill Reed, Director of Product Marketing at Morphisec, discusses how cyberthreats have evolved, how organizations can use Moving Target Defense (MTD) technology to prevent unknown and zero-day threats, and the importance of implementing preventative and responsive technologies.

Expert Insights Interview With Bill Reed Of Morphisec

The modern workplace comprises office-based, remote and hybrid workers, on-prem and cloud applications, and corporate-issued and personal devices. Understandably, this diverse environment is a challenge to secure, and many legacy security tools just can’t cope with the sophisticated, multi-layer, zero-day attacks we’re seeing today.

To find out how organizations can prevent these fileless and diskless attacks, we spoke to Bill Reed, Director of Product Marketing at Morphisec. Reed has over 20 years of experience leading sales and marketing teams for both B2B and B2C organizations, the majority of which operate in the cybersecurity space. His wealth and breadth of experience enables Reed to gain a deep understanding of the security risks that Morphisec’s customers are facing, as well as the challenges they face when addressing those risks.

In this interview, we spoke about the evolution of cyberthreats, how organizations can use Moving Target Defense (MTD) technology to prevent unknown and zero-day threats, and the importance of implementing preventative and responsive technologies.

Could you give us an introduction to Morphisec, your key use cases, and what sets you apart from your competitors in the endpoint security space?

Absolutely. The company has been around since 2014, and now has very strong industry traction, supporting almost 9 million endpoints across over 5,000 customers, including quite a few well-known logos, some large financial services, as well as insurance, healthcare, manufacturing, SaaS, technology, and so on.

And Morphisec has a unique approach, which I think has attracted not only an experienced team, but also some board advisors. One of our board advisors is the former CEO of Intuit and Symantec, Steve Bennett. We also have an advisor to NTT’s CISO, John Petrie, and one of our advisors, Yoav Tzruya, is a partner with JVP Cyber Labs, who took CyberArk public.

But our approach to the industry has been using a unique technology we call “Moving Target Defense”. This provides a layer in between what would typically be considered the endpoint security layer, for a defence in depth security posture, and the application layer, to prevent these more advanced attacks. And that actually has led to our traction as being the number one fastest growing cybersecurity firm in Israel.

You mention that you have quite a broad customer base. What are the main challenges that you’re helping them to solve?

The typical challenges we see span what we call the “three Rs”. The first of these is risks. That could include—if we’re talking Linux servers—crypto mining, crypto jacking, hijacking your servers, data theft, trying to get your intellectual property, and so on. And of course, ransomware is still very much at the top of everyone’s concern list. But what we’re finding in terms of the types of challenges they’re facing is, that 80% of the breaches today are what we call a “zero-day”, meaning they’re unknown, they don’t have a signature, and they don’t have a known behavior. So, it’s difficult for current solutions to detect them. And then a vast majority are what we call “in memory”, meaning they’re not file- or disk-based, they’re memory-based or fileless. In fact, almost 80% of ransomware attacks are fileless now, and the vast majority of supply chain attacks are targeting code.

Additionally, we’ve seen a lot of patch risks—80% of security failures could have been avoided by faster patching. So, that’s the risk side.

The next challenge is resources. A lot of these challenges can be addressed, but are almost impossible to address because of the limited resources involved. They don’t have enough people or time.

And the third challenge, of course, is regulations. That includes audit failures, fines, lawsuits, and brand damage.

So, those are the main things that we address in a unique and different way.

In recent years, with the increased adoption of cloud technologies, hybrid working and BYOD, we’ve seen a huge expansion of the enterprise attack surface. Could you tell us about some of the new attack techniques that the Morphisec Labs threat research team have uncovered in the first half of the year?

Absolutely! It’s quite a long list, so let’s look at some of the things that our customers have reported and we’ve stopped. I want to emphasise, first of all, where we sit. In discussions with industry experts, including a lot of leading analysts, what we found is that, in the past, we had these attacks that were more like a tyrannosaurus rex; they were file- or disk-based, and they came at you in one big, stomping attack. Now, they’re faster, they’re sneakier, and they hunt in packs—more like velociraptors.

With a Cobalt Strike, for example, you might have four different types of tactics and techniques coming at you almost at the same time. And current solutions weren’t designed to handle that type of attack. So, if you look at the defense in depth layers, you start at the perimeter layer—that’s usually your identity and access management, and that sort of thing is easily bypassed now using things like InfoLoggers and phishing.

Then they hit the network layer. That’s where you might have a next generation firewall, which, again, is just not designed for these types of attacks. Maybe they stop one of the four missiles, but three of them get through to hit the endpoint layer. That’s where your endpoint detection response and your antivirus sit. Antivirus can stop barely any of these anymore. They were built for signature- and disk-based attacks. EDR can do it, but it needs to be in what we call “aggressive mode”, meaning you get a lot of alerts—and even then, the latest MITRE results show that you can’t hope to stop 100% of these.

So, they’ll get through to your other layers. And then you’re hoping that you have good enough remediation. That’s kind of the dynamic that we’re facing today.

As for some of the attacks that we’ve stopped, I could go on and on; we found the Jupyter attack for example, but we also stopped LockBit, Emotet, Phoenix, TrickBot, Parallaxing, Cobalt, Backdoors, all these different things that our customers have reported. But we believe that we could have prevented the attacks that took out three large organizations that all had some pretty good defenses, and all paid north of 40 million in ransoms.

You can’t rely on those solutions alone in your defense in depth strategy.

How can Morphisec help organizations protect themselves against these types of threats?

Think of us as your Navy SEAL team between the endpoint security and the application security layers. We look at the typical defence in depth security layers: perimeter, network, endpoint, and application, and then you start getting into the data security. And our mission critical assets are down below that layer.

So, in between the endpoint and the application layer is where we sit. We have a lightweight, no impact endpoint server agent. And we create this additional defense in depth layer using Moving Target Defense. The way it works is, we morph the memory space. When the attackers get past an important security layer, they’re trying to hit your application layer. They’re looking for a specific point of attack, which is where they would normally go within, say, an application in the memory space. And we morph that; we move it.

It’s kind of like the bad guys have figured out where your doors are, and they want to rob your house, but we move the doors and we continuously move them all the time, so that they can’t find them. And that prevents the attack from taking place at runtime.

So, the bottom line is that we don’t let the bad guys get to crawl time, let alone runtime.
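The “moving the doors” idea described above can be made concrete with a small model. The following is an added example written for this page; it is not Morphisec’s code, and the class names, the three entry-point names and the slot counts are assumptions chosen for illustration. It models an address space whose entry points are relocated on every morph, shows that a caller resolving by name through the runtime keeps working while a caller that cached a raw location from an earlier epoch does not, and records each stale access as telemetry, since legitimate code never carries a location across a morph.

```python
import random
import secrets


class MorphingAddressSpace:
    """Toy model of a memory layout whose entry points move every epoch.

    Entry points are looked up by name through a trusted resolver; anything
    that instead remembers a raw slot number is tied to the epoch in which it
    observed it. Every morph() guarantees each entry point changes slot.
    """

    def __init__(self, entry_points, slot_count=4096, rng=None):
        if len(entry_points) > slot_count:
            raise ValueError("more entry points than slots")
        self.entry_points = list(entry_points)
        self.slot_count = slot_count
        # secrets.SystemRandom draws from OS entropy; a seeded random.Random
        # makes the scenario reproducible for tests.
        self.rng = rng if rng is not None else secrets.SystemRandom()
        self.epoch = 0
        self.slots = {}
        self.stale_accesses = []  # telemetry: attempts that used an old layout
        self.morph()

    def morph(self):
        """Re-randomize all slots; no entry point keeps its previous slot."""
        previous = self.slots
        while True:
            chosen = self.rng.sample(range(self.slot_count), len(self.entry_points))
            candidate = dict(zip(self.entry_points, chosen))
            if all(candidate[n] != previous.get(n) for n in self.entry_points):
                break
        self.slots = candidate
        self.epoch += 1

    def resolve(self, name):
        """Trusted path: ask the runtime where `name` lives in this epoch."""
        return self.slots[name]

    def jump_to(self, slot, expecting):
        """Untrusted path: transfer control to a raw slot number.

        Returns True only if the slot currently holds the expected entry point.
        A miss is recorded as telemetry, because legitimate code never holds a
        slot number from a previous epoch.
        """
        landed_on = next((n for n, s in self.slots.items() if s == slot), None)
        if landed_on != expecting:
            self.stale_accesses.append({
                "epoch": self.epoch, "slot": slot,
                "expected": expecting, "landed_on": landed_on,
            })
            return False
        return True


def run_scenario(seed=None):
    """Walk through one morph cycle and report what each kind of caller sees."""
    rng = random.Random(seed) if seed is not None else None
    # Constructed entry-point names; the model does not depend on them.
    space = MorphingAddressSpace(
        ["open_file", "send_socket", "exec_process"], rng=rng)

    # A legitimate component resolves by name on every call.
    legit_before = space.jump_to(space.resolve("exec_process"), "exec_process")

    # A component that caches the raw slot works only within the same epoch.
    cached_slot = space.resolve("exec_process")
    cached_same_epoch = space.jump_to(cached_slot, "exec_process")

    space.morph()  # the layout changes underneath every caller

    cached_after_morph = space.jump_to(cached_slot, "exec_process")
    legit_after = space.jump_to(space.resolve("exec_process"), "exec_process")

    return {
        "epochs": space.epoch,
        "legit_before": legit_before,
        "cached_slot_same_epoch": cached_same_epoch,
        "cached_slot_after_morph": cached_after_morph,
        "legit_after": legit_after,
        "stale_accesses": space.stale_accesses,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two properties worth noticing are that the morph is unconditional (every entry point moves, so a stale location is never valid by accident) and that the stale access itself is a high-fidelity signal: nothing on the trusted path can produce one, so each recorded event is worth routing to detection and response tooling rather than being dropped silently.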

How important is it for organizations to have preventative security in place, as well as detection and response security?

EDR solutions are excellent. I’ve spent a good part of my career serving with or in some of these organizations, and they all have excellent capabilities. You still need EDR for what it does; if you currently have antivirus or maybe endpoint protection, many of the experts out there and some of the government organizations say that’s not quite enough, you really do need to have at least EDR. It’s great for detecting and responding to certain types of attacks.

So, we are not a replacement for that—we’re an extension or an augmentation for that. Because unfortunately, the prevention capabilities even within EDR just have some difficulty with some of these new velociraptor-type attacks, as is evident from the recent MITRE ATT&CK test results. They had two categories: detection and prevention. On the detection side, the top 10 were great; we’re talking upwards of 90% capability for detection. Now, that said, they were all in Aggressive Mode, which means you’re going to have a lot of alerts.

On the prevention side, however, even in aggressive mode, the average of the top 10 was lower than 80%. So, these are very capable, excellent solutions, but they need some help.

And that’s where we come in. We add that extra layer of defense between the endpoint layer, where they are, and the application layer, before it can get to application runtime.

Finally, what is your advice to organizations looking to improve their resilience against the emerging and zero-day threats they’re currently facing?

I would say that enough is not enough. We’re seeing that there are multiple reasons for the prevention of these attacks: we don’t want the ransom, we don’t want the remediation and clean-up costs, and we don’t want the brand damage. But there’s another piece of this that can be even more threatening, more scary, and more expensive. And that’s the lawsuits. And unfortunately, that’s where we’re headed.

I’ve done a couple of webinars with a really well-known CISSP-certified attorney, and this is what he is seeing, unfortunately, in the legal landscape. Because we now have this new executive order, and because we’re hearing from experts and analysts and so on that you need more layers of defense and you need to employ the latest technologies and capabilities, that’s going to be the bar. So, if you do get some sort of a breach, or even a potential breach, and you may have potentially exposed, say, personally identifiable information or intellectual property, and you didn’t have these capabilities in place, you could get dragged into court and you’d have to answer to the authorities as to why you didn’t. That’s unfortunate, but that’s just again where we are. And that’s both in the US and internationally. Not to mention all the fines that are coming down: state civil codes, GDPR in Europe, and so on. So, you really have to stay on top of what is available and make sure that you are putting more defense in depth layers in place. Defense in depth application zero trust will allow you to be able to prevent those kinds of costs.


Thank you to Bill Reed for taking part in this interview. You can find out more about Morphisec’s breach prevention platform via their website.
