Gartner® has published a new report focused on Automated Moving Target Defense (AMTD) technology innovation. According to Gartner: “Combining AMTD solutions at different layers of the technology stack provides innovation leaders with a highly effective ‘defense in depth’ strategy that significantly improves overall security posture.”[2]
The evolution of cybersecurity began with anti-virus (AV) software, which offers static analysis of binaries and files to check if they correspond to known malware. Next generation anti-virus (NGAV) software and endpoint protection platforms added dynamic analysis that executes a file in a sandboxed environment and observes it. Endpoint detection and response (EDR/XDR/MDR) took this further with behavioral analysis. EDR technology observes execution on a computer, hooks into important functions/syscalls to learn about behavior in real time and analyzes not just the binary but everything that surrounds the execution.
Automated Moving Target Defense (AMTD) technology is the next evolution in cybersecurity, and unlike the technologies that came before it, rather than focusing on detection and reaction, it is preventive.
In a report released earlier this year, Gartner called AMTD “an emerging game-changing technology for improving cyber defense... [that] effectively mitigates many known threats and is likely to mitigate most zero-day exploits within a decade, rotating risks further to humans and business processes.”[1]
AMTD is based on a basic premise taken from military strategy, that a moving target is harder to attack than a stationary one. AMTD uses strategies that orchestrate movement or changes in IT environments across the attack surface to increase uncertainty and complexity for attackers.
Automated MTD reduces exposed attack surfaces by introducing strategic change, while increasing the cost of reconnaissance and malicious exploitation on the attacker, according to the Gartner report.[1] AMTD involves moving, changing, obfuscating, or morphing attack surfaces to disrupt adversaries’ cyber kill chain.
The technology incorporates four main elements, according to Gartner: “Proactive cyber defense mechanisms; automation to orchestrate movement or change in the attack surface; the use of deception technologies, [and] the ability to execute intelligent (preplanned) change decisions.”[1]
Note that while deception is a key technological component of (A)MTD, it is not synonymous with it. Morphisec’s table below outlines the difference between deception technology, MTD, and AMTD.
Landscape: Moving Target Defense and Deception |
||
|
Technology |
How it works |
Benefits |
|
Morphisec Automated Moving Target Defense |
|
|
|
“Classic” Moving Target Defense |
|
|
|
Deception |
|
|
For example, Morphisec’s patented Automated Moving Target Defense technology uses system polymorphism to create a randomized, dynamic runtime memory environment, moving application memory, APIs, and other operating system resources while leaving decoy traps in their place. This makes it virtually impossible for threat actors to find what they’re looking for—you can’t hit what you can’t see.
Any code that tries to execute on a decoy is automatically reported and captured for forensic analysis, while the real system resource remains safe and the attack is prevented. As Rick Schibler, VP of IT at Kentucky Trailer says, “Morphisec’s Moving Target Defense is critical to hardening our attack surface.”
AMTD has proven successful within military doctrine for many years in modern warfare strategies. However, Gartner notes that historically AMTD usage within commercial cybersecurity has been limited, but this is changing now. The company says a variety of emerging security technologies quickly pivot security programs and underlying technologies to increase the burden on attackers, forcing them to work harder or fail completely in their malicious efforts.
Currently, reactive, detection-based technologies like next-generation anti-virus (NGAV), endpoint protection platforms (EPP), and endpoint detection and response (EDR/XDR/MDR) dominate the cybersecurity market. These technologies work by first detecting malicious files or behavior patterns and then responding to them. They are fundamentally reactive in nature. The report suggests prevention should be a greater focus. “Although prevention hasn’t been a panacea within security technologies, Gartner sees a strong need to encourage the market to focus on promising new prevention-related technologies.”[1]
AMTD’s preventive approach is particularly important given the investment attackers put into attack reconnaissance to discover vulnerabilities and the right way to exploit a victim’s systems. Many modern cyberattacks are highly targeted and tailored to evade and bypass specific defense layers.
The Gartner report notes the example of operational technology (OT)-related use cases. Because of industry variety and the specialized nature of industrial environments, malicious actors need to dedicate time and resources to gather the needed intelligence to be successful. AMTD methods like obfuscation and system morphing are particularly valuable in protecting against such highly targeted attacks. This preventive approach is especially effective in securing endpoints and server workloads—typically an organization’s largest attack surface.
For this reason, Gartner predicts “By 2025, 25 percent of cloud applications will leverage AMTD features and concepts as built-in prevention approaches, enhancing existing Cloud Web Application and API Protection (WAAP) technologies.” The company also predicts that “AMTD-based solutions will displace at least 15 percent of traditional solutions that are focused on detection and response only [by 2025], up from less than 2 percent in 2023.” And by 2030, Gartner expects exploit-resistant AMTD-based hardware and software to emerge, “shifting security focus further to business process, identity misuse and social engineering prevention over application, endpoint and workload security strategies.”[1]
Gartner offers an example of the AMTD automation concept:
We believe Morphisec’s technology incorporates all three concepts, protects multiple system resources, and includes attack visibility thanks to deception technology.
Over 5,000 companies have deployed Morphisec’s automated moving target defense technology across approximately nine million endpoints and Windows and Linux servers. They use it to augment NGAV, EPP, and EDR/MDR solutions and stop the most advanced and undetectable attacks these solutions don't. Two such examples include:
TruGreen
TruGreen brings in an objective third party each year to conduct penetration testing to identify vulnerabilities that cybercriminals could exploit. “This year, for the first time, we were able to prevent the tester from cracking into one of our endpoints,” said Ryan Pagan, Cyber Security Engineer at TruGreen. “After implementing Morphisec, the tester couldn’t figure out what was keeping him from breaking in. He spent several hours attempting to crack our security but couldn’t figure it out. The tester said to us, ‘Normally, we can get around endpoint security stuff, but we couldn’t get around Morphisec.’”
Anonymous Global Manufacturer
The preventative capabilities of Morphisec’s AMTD technology allowed this CIO's team to adopt an entirely new security posture with much greater operational efficiencies. So now, “We don’t spend much time on detection and response,” he said, “because we don’t need to.” Instead, they focus on training people, improving processes, and planning for emerging threats. These are high-level initiatives they now have the resources for because AMTD blocks attacks they used to detect and prevents damage they used to remediate.
Moving Target Defense explained
Check out other real-world examples of AMTD in action here.
Morphisec uses automated Moving Target Defense to proactively prevent the most sophisticated and damaging cyberattacks without needing any prior knowledge of them—or even to detect them.
Cybersecurity tools like NGAV require malware file signatures from previous attacks so they can recognize malicious files to detect and respond to them. Tools like EPP and EDR/XDR/MDR require recognizable behavior patterns from previous attacks to detect and respond to them. And these tools work well in such circumstances.
But they have a security gap—unknown attacks, evasive attacks, and those that target runtime memory, where these tools can’t effectively scan. To quantify this gap, Morphisec analyzed the Picus Labs 2021 Red Report, which is based upon analysis of 200,000 malware samples. The Red Report identified the top 10 most prevalent MITRE ATT&CK techniques based on the percentage of observed malware samples. Two key findings are:
Defense evasion and runtime memory attacks are critical weaknesses in today’s detection-focused solutions. Morphisec coupled these findings with real-world analysis covering 5,000+ customers, nine million endpoints, and 30,000 daily incidents. Detection-based solutions struggle to stop at least three of the top 10 most prevalent, most damaging MITRE ATT&CK techniques—a critical 30 percent security gap. While Morphisec’s prevention-first, endpoint, and server AMTD software consistently prevents these attacks and more.
Threat actors are well aware of this gap. Which is precisely why the most advanced cyberattacks like supply chain attacks, fileless attacks, in-memory attacks, ransomware, and zero-days exist. And it’s the reason why so many of these attacks keep making headlines despite organizations ostensibly being defended by detection-based tools. These attacks successfully evade detection.
Morphisec’s AMTD is explicitly built to address this security gap and stop unknown, evasive attacks and those targeting runtime memory. And it does so while slashing false positive alerts and the need for analysts to investigate them. With an ultra-lightweight agent that causes no performance degradation, easy deployment, easy tech stack integration, and no maintenance or updates needed, AMTD drastically reduces total cost of ownership.
Automated MTD supplies Defense-in-Depth to stop the most sophisticated and damaging attacks NGAV, EPP, and EDR/XDR/MDR don't while reducing false positives.
Gartner states that: “Security teams are overwhelmed with having to supply reactive defense and response. They struggle with high alert volumes and false positives. Consequently, there is a high demand for solutions that effectively protect and strengthen cybersecurity.”[2]
To learn more about how Automated Moving Target Defense technology is game-changing and evolutionary in the cybersecurity market, download your complimentary copy of the latest Gartner AMTD report Emerging Tech: Security—Tech Innovators in Automated Moving Target Defense.
[1] Emerging Tech: Security — The Future of Cyber Is Automated Moving Target Defense. Lawrence Pingree, Carl Manion, Matt Milone, Sean O'Neill, Travis Lee, Mark Pohto, Mark Wah, Ruggero Contu, Dan Ayoub, Elizabeth Kim, Rustam Malik, Nat Smith, 28 February 2023.
[2] Gartner Emerging Tech: Security — Tech Innovators in Automated Moving Target Defense, Mark Pohto, Carl Manion, 07 June 2023
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Morphisec.
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.