The Future of Cyber is Automated Moving Target Defense—Gartner

By News | March 18, 2023 | Updated: March 18, 2023

Gartner® has published a new report focused on Automated Moving Target Defense (AMTD) technology. The company calls it “an emerging game-changing technology for improving cyber defense… [that] effectively mitigates many known threats and is likely to mitigate most zero-day exploits within a decade, rotating risks further to humans and business processes.” 

Static Defenses Are Not Enough 

The evolution of cybersecurity began with anti-virus (AV) software, which offers static analysis of binaries and files to check if they correspond to known malware. Next generation anti-virus (NGAV) software and endpoint protection platforms added dynamic analysis that executes a file in a sandboxed environment and observes it. Endpoint detection and response (EDR/XDR/MDR) took this further with behavioral analysis. EDR technology observes execution on a computer, hooks into important functions/syscalls to learn about behavior in real time and analyzes not just the binary but everything that surrounds the execution.  

Moving Target Defense (MTD) technology is the next evolution in cybersecurity. Unlike the technologies that came before it, which focus on detection and reaction, it is preventive. MTD is based on a basic premise taken from military strategy: a moving target is harder to attack than a stationary one. MTD uses strategies that orchestrate movement or changes in IT environments across the attack surface to increase uncertainty and complexity for attackers.

Automated MTD reduces exposed attack surfaces by introducing strategic change, while increasing the cost of reconnaissance and malicious exploitation on the attacker, according to the report. AMTD involves moving, changing, obfuscating, or morphing attack surfaces to disrupt adversaries’ cyber kill chain. 

The Four Elements of AMTD

The technology incorporates four main elements, according to Gartner: “Proactive cyber defense mechanisms; automation to orchestrate movement or change in the attack surface; the use of deception technologies, [and] the ability to execute intelligent (preplanned) change decisions.” 

Note that while deception is a key technological component of (A)MTD, it is not synonymous with it. Morphisec’s table below outlines the difference between deception technology, MTD, and AMTD. 

Landscape: Moving Target Defense and Deception

Technology: Morphisec Automated Moving Target Defense

How it works:
  • Combines automated MTD with deception
  • Automatically morphs system resources so they cannot be targeted, and plants decoy traps of morphed resources
  • Any access to a decoy triggers a notification for reporting and visibility into the attack

Benefits:
  • Deterministic attack prevention
  • Directly protects the resource
  • Threats are immediately mitigated with full attack sequence visibility
  • Augments and closes the unknown threat/in-memory security gaps in NGAV, EPP, and EDR/XDR/MDR

Technology: “Classic” Moving Target Defense

How it works:
  • The solution morphs/randomizes different system resources by changing their location so they can’t be targeted
  • Doesn’t typically include deception elements

Benefits:
  • Directly protects resources
  • Often requires manual configuration to schedule the morphing of resources
  • Often doesn’t include detection and reporting capabilities since there is no visibility about attacks taking place

Technology: Deception

How it works:
  • Plants decoy resources throughout a system to lure attackers
  • Access to a decoy triggers the protection mechanism

Benefits:
  • Deterministic attack prevention upon access to decoys
  • Doesn’t directly protect system resources—because they aren’t morphed they remain vulnerable to attack


For example, Morphisec’s patented Automated Moving Target Defense technology uses system polymorphism to create a randomized, dynamic runtime memory environment, moving application memory, APIs, and other operating system resources while leaving decoy traps in their place. This makes it virtually impossible for threat actors to find what they’re looking for—you can’t hit what you can’t see. 

Any code that tries to execute on a decoy is automatically reported and captured for forensic analysis, while the real system resource remains safe and the attack is prevented. As Rick Schibler, VP of IT at Kentucky Trailer says, “Morphisec’s Moving Target Defense is critical to hardening our attack surface.” 

AMTD’s Market Impact 

AMTD has proven successful within military doctrine for many years in modern warfare strategies. Gartner notes that, historically, AMTD usage within commercial cybersecurity has been limited, but this is now changing. The company says a variety of emerging security technologies quickly pivot security programs and underlying technologies to increase the burden on attackers, forcing them to work harder or fail completely in their malicious efforts.

Currently, reactive, detection-based technologies like next generation anti-virus (NGAV), endpoint protection platforms (EPP), and endpoint detection and response (EDR/XDR/MDR) dominate the cybersecurity market. These technologies work by first detecting malicious files or behavior patterns, and then responding to them. They are fundamentally reactive in nature. The report suggests prevention should be a greater focus. “Although prevention hasn’t been a panacea within security technologies, Gartner sees a strong need to encourage the market to focus on promising new prevention-related technologies.” 

AMTD’s preventive approach is particularly important given the investment attackers put into attack reconnaissance to discover vulnerabilities and the right way to exploit a victim’s systems. Many modern cyberattacks are highly targeted and tailored to evade and bypass specific defense layers.  

The report notes the example of operational technology (OT)-related use cases. Because of industry variety and the specialized nature of industrial environments, malicious actors need to dedicate time and resources to gather the needed intelligence to be successful. AMTD methods like obfuscation and system morphing are particularly valuable in protecting against such highly targeted attacks. This preventive approach is especially effective in securing endpoints and server workloads—typically an organization’s largest attack surface. 

For this reason, Gartner predicts “By 2025, 25 percent of cloud applications will leverage AMTD features and concepts as built-in prevention approaches, enhancing existing Cloud Web Application and API Protection (WAAP) technologies.” The company also predicts that “AMTD-based solutions will displace at least 15 percent of traditional solutions that are focused on detection and response only [by 2025], up from less than 2 percent in 2023.” And by 2030, Gartner expects exploit resistant AMTD-based hardware and software to emerge, “shifting security focus further to business process, identity misuse and social engineering prevention over application, endpoint and workload security strategies.” 

Gartner offers an example of the AMTD automation concept:  

  • Identifying target assets  
  • Selecting the morphing interval  
  • Automating asset reconfiguration 

[Figure: Gartner AMTD automation graphic]

We believe Morphisec’s technology incorporates all three concepts, protects multiple system resources, and includes attack visibility thanks to deception technology. 
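The three automation steps listed above, combined with the decoy idea described earlier, can be modelled in a few lines. This is an added illustration, not Gartner's or Morphisec's code; the class `MovingTargetTable`, the asset names and the numbered "slots" standing in for resource locations are all hypothetical.

```python
import random

class MovingTargetTable:
    """Toy model: named assets live in numbered slots that are re-randomized."""

    def __init__(self, assets, n_slots, interval, seed=None):
        # Step 1: identify target assets. Step 2: select the morphing interval.
        if n_slots < 3 * len(assets):
            raise ValueError("need room for current, decoy and new locations")
        self.rng = random.Random(seed)  # seeded for repeatability; use a CSPRNG in practice
        self.n_slots, self.interval, self.last_morph = n_slots, interval, 0
        self.decoys = set()             # vacated slots left behind as traps
        self.alerts = []                # (time, slot) for every decoy touch
        self.location = dict(zip(assets, self.rng.sample(range(n_slots), len(assets))))

    def morph(self, now):
        # Step 3: automated reconfiguration. Each asset moves to a slot that is
        # neither occupied nor already a decoy; the vacated slot becomes a decoy.
        old = set(self.location.values())
        free = [s for s in range(self.n_slots) if s not in old and s not in self.decoys]
        new = self.rng.sample(free, len(self.location))
        self.decoys = old
        self.location = dict(zip(self.location, new))
        self.last_morph = now

    def tick(self, now):
        """Morph only when the chosen interval has elapsed."""
        if now - self.last_morph >= self.interval:
            self.morph(now)
            return True
        return False

    def resolve(self, name):
        # Trusted callers ask the table for the current location at call time.
        return self.location[name]

    def access(self, slot, now):
        if slot in self.decoys:         # decoy touched: record it for visibility
            self.alerts.append((now, slot))
            return "decoy"
        return next((n for n, s in self.location.items() if s == slot), None)

def demo():
    # Constructed sample: two assets, 64 slots, 30-second interval.
    table = MovingTargetTable(["auth_api", "key_store"], n_slots=64, interval=30, seed=7)
    stale = table.resolve("auth_api")       # location recorded before any move
    before = table.access(stale, now=0)     # still valid at this point
    early = table.tick(now=10)              # interval not reached, nothing moves
    moved = table.tick(now=30)              # interval elapsed, assets move
    after = table.access(stale, now=31)     # recorded location is now a trap
    fresh = table.access(table.resolve("auth_api"), now=31)
    return before, early, moved, after, fresh, table.alerts
```

A location recorded before the interval elapses resolves to a decoy afterwards and produces an alert, while a caller that resolves the asset at call time still reaches it.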

Automated MTD is Here—And It’s Proven to Work 

Over 5,000 companies have deployed Morphisec’s automated moving target defense technology across approximately nine million endpoints and Windows and Linux servers. They use it to augment NGAV, EPP, and EDR/MDR solutions and stop the most advanced and undetectable attacks these solutions don’t. Two such examples include:  

TruGreen 

  • Based in Memphis, Tennessee, TruGreen is America’s largest customized lawn care and treatment services provider with more than 12,000 employees and annual revenue exceeding $1.5 billion 
  • TruGreen deployed Morphisec’s AMTD software and discovered that, “With our previous solution, it took seven agents to accomplish the same thing we’re doing with just one Morphisec agent,” said TruGreen’s Principal Security Architect, Dale Slawinski 
  • The company realized a 2.3x return on investment, while cutting software costs by two-thirds and slashing false positives by 95 percent 

TruGreen brings in an objective third party each year to conduct penetration testing to identify vulnerabilities that cybercriminals could exploit. “This year, for the first time, we were able to prevent the tester from cracking into one of our endpoints,” said Ryan Pagan, Cyber Security Engineer at TruGreen. “After implementing Morphisec, the tester couldn’t figure out what was keeping him from breaking in. He spent several hours attempting to crack our security but couldn’t figure it out. The tester said to us, ‘Normally we can get around endpoint security stuff, but we couldn’t get around Morphisec.’” 

Altra Industrial Motion 

  • Altra Industrial Motion (Altra Motion) is an American manufacturer of mechanical power transmission products, with 9,100 employees across 17 countries and $1.7 billion in revenue 
  • Altra Motion CIO Rick Klotz says, “Dollars spent doesn’t correlate to security value. We spent a lot of money on our MDR provider, and yet we still were breached and had to do a lot of work ourselves.”  
  • Altra Motion deployed Microsoft Defender with Morphisec AMTD to secure their critical infrastructure from both known and unknown attacks 

The preventative capabilities of Morphisec’s AMTD technology allowed Klotz’s team to adopt an entirely new security posture with much greater operational efficiencies. So now, “We don’t spend much time on detection and response,” said Klotz, “because we don’t need to.” Instead, they focus on training people, improving processes, and planning for emerging threats. These are high-level initiatives they now have the resources for because AMTD blocks attacks they used to detect and prevents damage they used to remediate. 

Check out other real world examples of AMTD in action here. 

AMTD Augments a Critical 30% Security Gap 

Morphisec uses automated Moving Target Defense to proactively prevent the most sophisticated and damaging cyberattacks without needing any prior knowledge of them—or even to detect them.  

Cybersecurity tools like NGAV require malware file signatures from previous attacks so they can recognize malicious files to detect and respond to them. Tools like EPP and EDR/XDR/MDR require recognizable behavior patterns from previous attacks to detect and respond to them. And these tools work well in such circumstances.  

But they have a security gap—unknown attacks, evasive attacks, and those that target runtime memory, where these tools can’t effectively scan. To quantify this gap, Morphisec analyzed the Picus Labs 2021 Red Report, which is based upon analysis of 200,000 malware samples. The Red Report identified the top 10 most prevalent MITRE ATT&CK techniques based upon the percentage of observed malware samples. Two key findings are that: 

  1. Defense Evasion is the Most Common ATT&CK Tactic: Five of the top ten ATT&CK techniques observed are categorized under TA0005 as defense evasion tactics
  2. Memory is Now Where Attackers Prefer to Target: Four of the top six ATT&CK techniques observed are in-memory

Defense evasion and runtime memory attacks are critical weaknesses in today’s detection-focused solutions. Morphisec coupled these findings with real-world analysis covering 5,000+ customers, nine million endpoints, and 30,000 daily incidents. Detection-based solutions struggle to stop at least three of the top 10 most prevalent, most damaging MITRE ATT&CK techniques—a critical 30 percent security gap. Morphisec’s prevention-first endpoint and server AMTD software, by contrast, consistently prevents these attacks and more.

Threat actors are well aware of this gap, which is precisely why the most advanced cyberattacks like supply chain attacks, fileless attacks, in-memory attacks, ransomware, and zero-days exist. It is also why so many of these attacks keep making headlines, despite organizations ostensibly being defended by detection-based tools. These attacks successfully evade detection.

Morphisec’s AMTD is built specifically to address this security gap and stop unknown, evasive attacks, and those targeting runtime memory. And it does so while slashing false positive alerts and the need for analysts to investigate them. With an ultra-lightweight agent that causes no performance degradation, easy deployment, easy tech stack integration, and no maintenance or updates needed, AMTD drastically reduces total cost of ownership.  

Automated MTD supplies Defense-in-Depth to stop the most sophisticated and damaging attacks NGAV, EPP, and EDR/XDR/MDR don’t. To learn more about how Automated Moving Target Defense technology is game-changing and evolutionary in the cybersecurity market, download your complimentary copy of the Gartner report: Emerging Tech: Security—the Future Of Cyber Is Automated Moving Target Defense. 

REFERENCES

Emerging Tech: Security — The Future of Cyber Is Automated Moving Target Defense. Lawrence Pingree, Carl Manion, Matt Milone, Sean O’Neill, Travis Lee, Mark Pohto, Mark Wah, Ruggero Contu, Dan Ayoub, Elizabeth Kim, Rustam Malik, Nat Smith, 28 February 2023. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Morphisec. 

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 
