It’s (Past) Time to Hide the Attack Surface

The very nature of the cyber security attack surface – a sitting duck which can be found and then attacked by adversaries – is currently assumed to be an unchangeable fact of life. This vulnerability, however, fundamentally undermines the ability to protect our most confidential and sensitive data and information. We must move beyond the sitting duck attack surface. That’s why we are working to hide it by enabling an additional new layer of security.

Remote attacks against servers represent an especially challenging problem. Denial-of-Service (DoS) attacks and remote exploits are the two main categories of such attacks. A remote exploit takes advantage of a bug or vulnerability in order to view or steal data or gain unauthorized access to a vulnerable system. The first step in launching a remote attack is to gather information about the victim. By monitoring relevant network activities, adversaries find the victim's Internet Protocol (IP) address(es), port number(s), and similar details, which include the attack surface.

Several defensive measures, including firewalls and Intrusion Prevention and Detection Systems (IPDS), exist to attempt to protect systems from these attacks. These solutions are important, but the same fundamental vulnerability still exists: static IP addresses are easily discoverable, and after the victim is found, adversaries have significant time to gain system access and, once successful, explore.

We must limit the amount of time adversaries have to find and attack victims. Dynamic IP addressing changes the victim's IP address such that adversaries must constantly try to find the victim (usually without success). Our technology offers an effective prevention technique. It is a dynamic network-layer scheme that rapidly changes the IPv6 addresses of the entities involved in network communication. Rapid address changes can be made mid-session without dropping or renegotiating the session. This solution leverages IPv6 networks, which allow nodes to seamlessly bind new IPv6 addresses, while also functioning on IPv4 or IPv6 systems. This is not a new firewall. It’s not Version 3.0 of existing technologies. It is a new layer of security, in the network, which hides the attack surface itself by moving it around every 10 seconds from the perspective of an adversary.
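One way two endpoints can follow a rotating address without renegotiating, shown as an added example that is not the product's code or its actual algorithm. Assumptions: a pre-shared key, a /64 prefix, an HMAC-SHA256 derivation of the interface identifier, and hypothetical function names; only the 10-second window comes from the article.

```python
import hashlib
import hmac
import ipaddress
import struct

WINDOW_SECONDS = 10  # rotation interval stated in the article


def window_index(unix_time):
    """Whole rotation windows elapsed since the Unix epoch."""
    return int(unix_time // WINDOW_SECONDS)


def hopped_address(prefix, shared_key, host_id, window):
    """Address a host binds during one window.

    Assumption (not from the article): the 64-bit interface identifier is a
    truncated HMAC-SHA256 over host identity and window index.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this example expects a /64 prefix")
    msg = host_id + struct.pack(">Q", window)
    iid = int.from_bytes(hmac.new(shared_key, msg, hashlib.sha256).digest()[:8], "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def acceptable_addresses(prefix, shared_key, host_id, unix_time, skew_windows=1):
    """Addresses a peer accepts now: current window plus neighbours for clock skew."""
    now = window_index(unix_time)
    return {hopped_address(prefix, shared_key, host_id, now + d)
            for d in range(-skew_windows, skew_windows + 1)}


if __name__ == "__main__":
    # Constructed demo values: documentation prefix, throwaway key and host name.
    PREFIX, KEY, HOST = "2001:db8:0:1::/64", b"constructed-demo-key", b"server-01"
    for t in (1_700_000_000, 1_700_000_005, 1_700_000_010, 1_700_000_020):
        print(t, hopped_address(PREFIX, KEY, HOST, window_index(t)))
```

Both peers compute the same address from the key and their clocks, so the skew allowance in `acceptable_addresses` is what keeps a session alive across a window boundary when the clocks disagree slightly.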

Cyber defense is a team effort – services will still be needed to protect the attack surface. Given the fundamental vulnerability of a sitting duck attack surface, however, we think a new layer of security is necessary to hide it. At the end of the day, you can’t attack what you can’t find. We need to make the attack surface itself hard to find.