Cybersecurity Tech Investment Planning: Use annual loss expectancy to build a business case
arrow-white arrow-white Download now

Moving Target Attacks: Techniques & Deception Methods

Posted by Morphisec Team on April 27, 2016
Find me on:


Excerpted from the ebook “Deception and Counter Deception: Moving Target Attacks vs. Moving Target Defense” by Mordechai Guri, Chief Science Officer at Morphisec. Download the full eBook here.

Cyber attackers constantly develop new methods to overcome organizations’ detection and response mechanisms. The most effective and insidious are deception techniques that make it impossible to anticipate the attacker’s next onslaught. With these new techniques, collectively known as Moving Target Attacks (MTA), new strike variations can be bred in a matter of hours.

All of these tactics involve recurring modifications of source, static signatures, and/or behavior signatures. The most dangerous also hide their malicious intent from defense systems, appearing as benign or unknown behavior. There are eight main techniques that attackers use:

  • Polymorphism: Encrypting the malware’s payload, code and data, in order to avoid AV detection. By using multiple encryption keys to generate different instances of the same malware, any signature-based anti-malware becomes useless and it is concealed from scanners.
  • Metamorphism: A variation of polymorphism where the in-memory code is changed on the fly at every execution.
  • Obfuscation: Creating code that is incomprehensible for a human understanding, thus evading manual code inspection.
  • Self-encryption: Changing malware signature and hiding malicious code and data.
  • Anti-VM/sandboxes: Deactivating when within a virtual or sandbox environments to avoid detection, but initiating malicious activity once released to real systems.
  • Anti-debugging: Malware begins malicious activity only when it detects no debugging tools or runtime inspection.
  • Encrypted and targeted exploits: URL patterns, host servers, encryption keys and file names are changed at every delivery to avoid detection. They also can limit the number of access attempts to evade honeypots.
  • Behavior changes: Only execute upon real user interaction such as web page scrolling.

Cyber security defenses invest enormous resources in detecting known attacks, but these modern techniques outsmart current defense mechanisms by constantly changing form. Next week’s post explores Moving Target Defense, a cyber security paradigm that aims at creating asymmetric uncertainty on the attacker’s side.

The new ebook Deception and Counter Deception: Moving Target Attacks vs. Moving Target Defense analyzes how the latest MTA attack techniques evade current defense mechanisms and explores Moving Target Defense (MTD) countermeasures. To read more about MTA and MTD, download the full eBook here.