Tina Moghaddam, Minjune Kim, Jin-Hee Cho, Hyuk-Soon Lim, T. Moore, Frederica Free-Nelson, Dan Dongseong Kim
Title: A Practical Security Evaluation of a Moving Target Defence against Multi-Phase Cyberattacks
Published in: 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)
Publication date: 2022-06-01
DOI: https://doi.org/10.1109/dsn-w54100.2022.00026
Citations: 1
Abstract
Moving Target Defence (MTD) is a state-of-the-art defence mechanism as it proactively changes attack surfaces against cyberattacks. The theoretical security effectiveness of MTD techniques needs to be validated with experimental evidence. Previous work in evaluating the effectiveness of virtual IP-shuffling MTD techniques mostly focused on the reconnaissance phase of cyberattacks, and used theoretical modelling or simulated and emulated networks to conduct the evaluation. These types of evaluations did not account for realistic network conditions or consider the effect on the attacker’s behaviour. In this paper, we present a practical evaluation of a virtual IP-shuffling MTD technique in a software-defined networking (SDN) testbed, with attacks based on the first three phases defined in the cyber kill chain, and consider a possible response by the attacker. This work considers two types of attackers: Dummy attacker and Adjusting attacker. A dummy attacker performs attacks consecutively with no knowledge or consideration about the MTD on the system, whereas an adjusting attacker is aware of the network using a time-based MTD job management strategy and can adjust their approach accordingly. The effectiveness of attacks is analysed overall and across the three phases, and compared to the expectation. The results validate the effectiveness of the MTD technique, show its utility extends beyond just the reconnaissance phase, and demonstrate that the attacker can adjust their approach if they are aware of the MTD technique being used in order to increase their success rate.