Attacker skill, defender strategies and the effectiveness of migration-based moving target defense in cyber systems
Despite the significant effort directed toward securing important cyber systems, many remain vulnerable to advanced, targeted cyber intrusion. Today, most systems that provide network services employ a fixed software stack that typically includes an operating system, web servers, and database software. This software mix as a whole constitutes the attack surface of the host, and a vulnerability in one or more of its components is a threat to the security of the entire system. Moving target defense (MTD) aims to increase the security of a system against successful intrusion by increasing an attacker's uncertainty of the attack surface. Platform migration defense (PMD) is a form of MTD that entails changing the software stack of a system. We consider a scenario in which an attacker gathers information and then selects and launches an attack against a target system that is using PMD. We perform simulations using a multi-agent model to evaluate the effectiveness of PMD against a spectrum of attackers ranging from "script-kiddies" to state-sponsored actors. In particular, we focus on two core characteristics of PMD: (i) migration rate, the frequency at which the platform is changed, and (ii) platform diversity, the number of platform configurations available, as well as two dimensions of an attacker's capabilities: (i) reconnaissance skill, the ability to collect accurate information regarding the target system, and (ii) arsenal size, the number of usable exploits at the attacker's disposal. Our results indicate that increasing migration rate and platform diversity results in a lower rate of successful attacks, even in cases where the attacker has near-perfect information regarding the target system, but that this may come at a cost in system performance. 
Furthermore, although the strength of an attacker is often measured by their ability to develop or acquire a large arsenal of available exploits, reconnaissance skill may be just as important a determinant of the success of an attack as arsenal size. Our analysis provides insight into the relationship between attacker and defender capabilities, which can help inform the decision-making processes of cyber defenders and lay the groundwork for effective automation of cyber maneuvers.
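The scenario above can be explored with a small Monte Carlo sketch. This is an added example, not the paper's multi-agent model: the tick-based timing, the uniform random migration, the `attack_delay` parameter and the attacker's fallback choice are all assumptions made here so that the four parameters named in the abstract can be varied by a defender evaluating a migration policy.

```python
import random

def simulate(n_platforms, period, recon_skill, arsenal_size,
             attack_delay=5, trials=20000, seed=1):
    """Fraction of attacks that land on the platform they were built for.

    n_platforms  -- platform diversity (number of configurations)
    period       -- ticks between migrations (migration rate = 1/period)
    recon_skill  -- probability that reconnaissance reports the true platform
    arsenal_size -- number of platforms the attacker holds an exploit for
    attack_delay -- ticks between reconnaissance and exploit delivery (assumed)
    """
    rng = random.Random(seed)
    platforms = range(n_platforms)
    wins = 0
    for _ in range(trials):
        arsenal = rng.sample(platforms, arsenal_size)
        current = rng.choice(platforms)
        # Reconnaissance: correct with probability recon_skill, else a blind guess.
        seen = current if rng.random() < recon_skill else rng.choice(platforms)
        # Use the exploit matching the observation, else any exploit held.
        target = seen if seen in arsenal else rng.choice(arsenal)
        # The defender migrates to a different platform at each period boundary
        # crossed while the attack is being prepared and delivered.
        start = rng.randrange(period)
        for _ in range((start + attack_delay) // period):
            others = [p for p in platforms if p != current] or [current]
            current = rng.choice(others)
        wins += (target == current)
    return wins / trials

if __name__ == "__main__":
    # Constructed parameter grid: 8 platforms, attacker holds 4 exploits.
    print("period  recon  success_rate")
    for period in (2, 10, 50):
        for recon in (0.2, 0.6, 1.0):
            rate = simulate(8, period, recon, arsenal_size=4)
            print(f"{period:6d}  {recon:5.1f}  {rate:.3f}")
```

In this toy model, migration only defeats an attacker with perfect reconnaissance when a migration falls inside the attack window, which is why the migration period must be weighed against how long an attack takes to deliver.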