Code polymorphism is the strategy of changing a web page’s code each time it’s served, making it impossible for bot creators to predict the format of their targets.
Many web users misunderstand how hackers work. They envision a brilliant computer expert carefully targeting sites and using their expertise to bypass security measures. In fact, the vast majority of online security breaches are the result of mass attacks carried out by botnets. Botnets can launch simultaneous attacks against thousands of different sites, probing them for weaknesses. Vast amounts of cash and information flow through the web every hour, and so cyber-crime is big money. Botnets are a cheap tool with an impressive ROI.
But botnets are only financially viable because they are relatively simple pieces of code. They don’t have to be complex because web sites present a predictable challenge. If a hacker wants to probe thousands of WordPress sites for weak authentication, all they need to do is understand the code that generates the WordPress login page and program their bots to enter username and password combinations until they successfully gain access.
The obvious response is to make usernames and passwords complex enough that bots are unlikely to crack them in a practical amount of time, but that is often not a solution because most users aren’t willing or able to manage their password security properly.
The alternative is to make web pages more difficult for bots to understand. A new product from Shape Security aims to do just that by making on-the-fly changes to the code so that bots never see the same page twice. Code polymorphism has the potential to rapidly multiply the cost per site of hacking. Rather than being a tool that can attack tens of millions of sites, botnets could become practically useless for large-scale cyber-crime operations.
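The following is an added illustration of the idea described above, not Shape Security's code or a description of how the ShapeShifter is implemented. It shows one way a server can make a login form polymorphic: the `username` and `password` field names are replaced with per-response aliases derived from a fresh nonce, and the server translates them back on submission. A bot scripted against field names captured from an earlier page fails the translation step. The canonical field names, the HMAC-based alias scheme, the in-memory nonce store and the sample submissions are all constructed for this example.

```python
import hashlib
import hmac
import re
import secrets
from html import escape
from typing import Dict, Optional

# Constructed example: the stable, internal field names we want to hide
# behind aliases that change on every response.
CANONICAL_FIELDS = ("username", "password")

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

# Nonces handed out with a form, consumed on first use. A real deployment
# would keep these in a shared store with a TTL; a set is enough to show
# the single-use property here.
_issued_nonces: set = set()


def alias_for(field: str, nonce: str, key: bytes = SERVER_KEY) -> str:
    """Derive an unpredictable alias for one field name.

    The alias is HMAC(key, nonce:field), so the server can recompute it on
    submission without storing a per-response mapping. A leading letter
    keeps the result a valid HTML name attribute.
    """
    digest = hmac.new(key, f"{nonce}:{field}".encode(), hashlib.sha256).hexdigest()
    return "f" + digest[:16]


def render_login_form(nonce: Optional[str] = None, key: bytes = SERVER_KEY) -> str:
    """Serve the form with field names that differ on every response."""
    if nonce is None:
        nonce = secrets.token_hex(16)
    _issued_nonces.add(nonce)
    aliases = {f: alias_for(f, nonce, key) for f in CANONICAL_FIELDS}
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="n" value="{escape(nonce)}">'
        f'<input type="text" name="{aliases["username"]}">'
        f'<input type="password" name="{aliases["password"]}">'
        '<button type="submit">Log in</button>'
        "</form>"
    )


def decode_submission(form: Dict[str, str], key: bytes = SERVER_KEY) -> Optional[Dict[str, str]]:
    """Map submitted aliases back to canonical field names.

    Returns None when the nonce is missing, malformed, unknown or already
    used, or when any expected alias is absent. A client replaying field
    names scraped from an earlier page falls into the last case.
    """
    nonce = form.get("n")
    if not nonce or not re.fullmatch(r"[0-9a-f]{32}", nonce):
        return None
    if nonce not in _issued_nonces:
        return None
    _issued_nonces.discard(nonce)  # single use: a replayed form is rejected
    decoded = {}
    for field in CANONICAL_FIELDS:
        alias = alias_for(field, nonce, key)
        if alias not in form:
            return None
        decoded[field] = form[alias]
    return decoded
```

The cost this imposes on an attacker is the point of the technique: the bot can no longer hard-code the request body, it must fetch and parse each page before every attempt, and the single-use nonce stops it from reusing one parsed page for many attempts. On the defensive side, a spike in submissions that fail `decode_submission` (unknown nonce or missing aliases) is itself a useful signal that scripted clients are hitting the endpoint.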
“Modern cyber-criminals employ sophisticated attacks that operate at large scale while easily evading detection by security defenses,” said Derek Smith, CEO of Shape Security. “The ShapeShifter focuses on deflection, not detection. Rather than guessing about traffic and trying to intercept specific attacks based on signatures or heuristics, we allow websites to simply disable the automation that makes these attacks possible.”
While it’s unlikely this technology is going to be widely deployed soon, it should be greeted with relief by web hosting companies, web service providers, and site owners. Cyber-crime is costing companies billions of dollars a year in revenue lost as a direct result of attacks, in mitigation and defense, and in network resources like bandwidth. As we recently reported, a significant proportion of all web traffic is generated by malicious bots. A strategy like code polymorphism that increases the cost of a successful attack may shift the balance of power away from hackers and towards web hosting companies, saving them considerable expense.
Photo credits: pepemczolz