API Security

Small, Fast-moving Targets

Tom McNamara

July 8, 2023

Sportsman at target practice shooting clay pigeons

When I was growing up, I had the opportunity to shoot at “Clay pigeons.” They’re small round discs of clay that are launched (at a high velocity) into the air so a person with a shotgun can shoot at them; sometimes for competitions and sometimes practicing for bird hunting. If you’re familiar with this, then you have experienced just how hard it is to hit a small fast moving target, even when you have certain advantages, such as knowing the general area and direction of the clay pigeon. If you haven’t experienced this, I can tell you that it’s pretty hard to hit clay pigeons and takes lots of practice. 

There’s an application here for cyber security strategy.  Imagine if we could make life difficult for cyber adversaries by making their targets (access permissions and data) small and fast moving? Exploring that question is what this article is about, otherwise known as a moving-target defense. 

The Default Cyber Strategy

A colleague recently remarked about the cyber security industry. After decades of investing in cyber companies he thought it was crazy how reactionary the industry still was. And he cited the current interest in solving the problems with API attacks. It’s become a big deal over the last year or two. And before that it was the Solarwinds hack that took the cyber world by surprise and led to the zero trust movement and the scramble for threat intelligence and threat hunting and lots of XDR solutions. The point of this cyber investor's remark was that the industry operates by a default “bug fix” (software development) strategy and runs from vulnerability to vulnerability playing “whack-a-mole.” The strategy seems to be an assumption that it’s just a matter of time before all the vulnerabilities are found and fixed. While that is a good assumption for software product development, it is a poor fit for an industry that continues to innovate new technologies, protocols, and architectures. The technology landscape keeps changing and each change introduces new vulnerabilities. Flaws in what we build are a fact of life. Sure, we will fix and patch to improve the quality and security of our technology, but we need a different default cyber strategy, one that’s diverse, proactive, enduring, and winnable rather than reactive. The goal isn’t perfection, but resilience. 

An Alternative Cyber Strategy

A good approach to finding the right default strategy is to examine each of the strategic advantages the adversary holds, and then conceive and develop opposing strategies. For example, adversaries have an advantage of time, access, and anonymity. That’s a pretty strong strategic advantage for them, and they have held this advantage for a long time. Thinking about an opposing strategy that might offset and degrade or eliminate the adversary’s advantage, the combination of  a moving-target defense, high frequency credential rotation, and dynamic defensive micro-perimeters (perimeters that dynamically surround operating workloads and their communication route) could be effective. The combination of these three strategic components creates a small, fast-moving, target that an adversary must expend a significant amount of effort to attack. The resulting effect moves the defense faster than an adversary can find, understand, and attack it. Forensics analysts understand that adversaries will spend 90% of their time planning an attack but only 10% of their time actually performing the attack. It’s generally understood that a well-planned and executed moving-target defense is a durable cyber security strategic element. Adding high frequency credential rotation, and host-base micro-segmentation to it creates a killer strategy. It doesn’t just offset the strategic advantage of the adversary, but it entirely eliminates the time advantage that they have held for so long, and that cascades to undermine some of the anonymity and reach advantage, too.

Micro-segmentation of Workloads

For illustration purposes, let’s consider the proposed strategy applied to containerized workloads, microservices, and APIs that operate in a modern digital environment today (kubernetes, docker, and others). It’s well known that enterprises moving to the cloud or hybrid environments are more vulnerable because of an increase in the attack surface of their digital footprint.  Micro-segmentation is a technique that segments digital services into small workload groups and isolates them with their own security perimeter for improved protection. It is one of the principles of zero trust that has emerged after the infamous 2020 Solarwinds hack. Micro-segmentation breaks the attack surface into lots of small areas. 

There are different ways to micro-segment digital resources: network micro-segmentation, hypervisor micro-segmentation, and host- or agent-based micro-segmentation. For reasons I can’t fully explain in this article, I have a strong preference for agent-based micro-segmentation. It is simpler and faster to implement and is the choice for a moving-target strategy. For example, Hopr’s sidecar approach (agent-based) can micro-segment digital services into segments as small as two workloads.

Movement of the Defense 

Micro-segmentation by itself is an important architecture security feature, but it becomes even more effective when the segments move dynamically while the business services operate with different microservices and workloads and data is exchanged via APIs. But imagine that we could segment a defensive perimeter even smaller than the segmentation performed for business services? Consider something as small as a pair of containerized workloads operating continuously and exchanging data as they perform a service. Building a defensive micro-perimeter around each pair of workloads each time they start a series of data transactions (I.e., a session) would make a very small target and would create a very large number of targets to confuse and delay an adversary. Also, the micro-perimeters would appear and disappear dynamically as services are performed and different workloads are involved. The end result is a fast-moving target that is difficult for an adversary to locate.

Access for Trusted Workloads

Now that we have a small fast moving target, we need a way to allow only trusted workload identities to gain access through the perimeter and it has to work in real time and from any environment. The conventional approach is to use PKI certificates for identity and something like TLS or mTLS for transport security, along with OAuth (or similar) for authentication. Without going into a lot of detail, I'll point out that recent survey data on API attacks indicate that a majority of successful attacks occur on authenticated APIs. And, Gartner reports that three of the four vulnerability paths for API attacks involve some form of credential theft. My conclusion is that conventional authentication is failing to protect containerized workloads and APIs. 

This is where the combination of a moving-target defense with high frequency credential rotation offers tremendous benefits. Since credentials are an attractive target, rotating them at a high frequency would result in their expiration before an adversary could find, remove, and misuse them.  To be practical in a combined strategy,  the high frequency credential rotation must overcome two big problems that are present in conventional secrets use: 1) secure secrets storage and 2) injection of newly rotated secrets (required for authentication). Ideally, we want high frequency credential rotation without the baggage of storing secrets, injecting them into another workload endpoint, and using yet another API and key to remove stored keys from a vault.

To achieve this ideal, Hopr takes a novel approach to verify trust in workloads at every session, and allow only trusted workloads access through the dynamic micro-perimeter. 

Protect the Data

Rather than use the secret credential for authentication, which requires passing it in a message to another workload, and the receiving workload comparing it to the most recent rotated secret, Hopr developed a protocol and technology to build ephemeral secrets within workload containers. And, instead of passing them for authentication, the secrets are used to encrypt (or decrypt) messages to the other trusted workload. This creates end-to-end encryption (E2EE) over the entire route between the two workloads

So you’re probably asking, don’t you still have to exchange the encryption key between the two work clothes so that they can encrypt and decrypt their messages? The short answer is no. Hopr’s CHiPS technology allows two workloads to build identical secrets. These are symmetric secrets that are ephemeral (they exist for only a single session) and then vanish. These are important attributes for high frequency credential rotation, and they enhance the overall strategy to create small, fast-moving targets overall for an effective moving target defense.

Final Thoughts

I’ve described an alternative strategy for cybersecurity using the example of containerized workloads, microservices, and APIs. And while some of the characteristics of the particular illustration (such as micro-segmentation, dynamic micro-perimeters, and high frequency credential rotation) might be specific to workload and API threat protection, the overall message is that a moving-target defense offers significant improvements over a conventional vulnerability-patching, threat-hunting, and “our guys are smarter than your guys” strategy. Security and risk managers should give considerable thought to strategies that achieve long term resilience because changes in technology, architectures, and environments will continue to appear. Finding a resilient cybersecurity strategy that works for your enterprise architecture and business model has long term value.

If you would like to learn more about Hopr’s MTD solutions, please reach out by email or schedule a free discovery call with us.