ShapeShifter Offers Polymorphic Defense for Web Attacks

Jan 24, 2014
3 minute read

After more than a year of operating in stealth and more than $20 million invested in research and development, Shape Security emerged out of the shadows this week to debut its ShapeShifter technology. The basic idea behind ShapeShifter is to constantly shift the attack landscape that is available to an attacker in a bid to minimize risk.

Shape Security first hinted at its efforts in January of 2013, when the company announced a $20 million round of funding.

Company co-founder Sumit Agarwal, who was the Deputy Assistant Secretary of Defense for the Obama administration in 2010 and served for 14 years in the U.S. Air Force Reserve, told eWEEK that Shape Security’s thesis is that there is a whole new class of attacks that have emerged that abuse the front door of Websites through automated attacks. It’s a class of attack that rides along with legitimate traffic, making it difficult for current forms of Web security to defend against.

“We have created something that changes Websites into a constantly changing target, which breaks the vast majority of attempts of automated scripted attacks,” he said.

Attackers have used similar approaches by constantly adjusting malware to evade signature-based detection methods, according to Agarwal. Now the tables have turned, and Websites can constantly adjust to avoid attack. Shape Security refers to its approach as real-time polymorphism.

How It Works

From a practical use-case perspective, the ShapeShifter technology does not actually block specific attacks, such as a SQL Injection attempt. Rather, it makes it harder for an attacker to find, and to return to, the code it wants to exploit.

In a typical large-scale SQL Injection attack, an automated attack tool is first used to spider or index a target for all of its input fields and to try a number of known SQL exploits against them, Agarwal explained. Once the automated tool gets some form of response from the target to a SQL query, a manual attack follows. With the ShapeShifter technology, since the Website code is constantly shifting, the same code injection route is unlikely to still be available when the attacker comes back.

“When all of the attacker’s reconnaissance gathering information is useless, because you can’t go back to a page and find the same form, we have not directly prevented the SQL Injection from going through, but we have destroyed in practice how the attack would be perpetrated,” he said.

The ability to customize and change a given Website for user preferences, for example, is not a new thing, and it is typically achieved with the use of Cascading Style Sheets (CSS) to adjust the look of a Website. Agarwal stressed that simple CSS modification is not what ShapeShifter does.

“This is very involved technology. It’s technology that involves all of the HTML/JavaScript and CSS that has to be modified and changed in unison,” he said. “So everything is adjusted and modified in ways that are specifically designed to foil every measure and counter-measure that an adversary might try, while still preserving the functional aspects of the site.”
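
The rewriting Agarwal describes can be illustrated with a small example. The following Python is an added illustration written for this page, not Shape Security’s code, and it deliberately simplifies: a proxy-side function renames the form, field and label identifiers of a served page with fresh random aliases, applies the same aliases to the CSS selector and the DOM lookups in the page’s script so the three stay in unison, and issues a short-lived nonce under which the server can map a submission back to the original names. The sample login page, the function names, the `_nonce` hidden field and the ten-minute validity window are all assumptions made for the example. The demo plays out the two-phase attack from the text: a scanner records field names during reconnaissance, returns later, and finds that neither its recorded names nor its recorded nonce work against a freshly served page, while a browser that uses the names it was actually served is unaffected.

```python
import re
import secrets
import time
from urllib.parse import parse_qsl, urlencode

# Constructed sample response (not a real site): a login form plus a stylesheet
# and a script that refer to the same identifiers.
ORIGINAL_HTML = """<style>#login input { border: 1px solid #ccc; }</style>
<form id="login" action="/login" method="post">
  <label for="username">User</label>
  <input type="text" name="username" id="username">
  <input type="password" name="password" id="password">
  <input type="submit" value="Sign in">
</form>
<script>
  document.getElementById("login").onsubmit = function () {
    return document.getElementsByName("username")[0].value !== "";
  };
</script>"""

PROTECTED = ("login", "username", "password")  # identifiers renamed in unison
NONCE_TTL = 600                                 # assumed validity of one served form, seconds
_MAPPINGS = {}                                  # hypothetical store: nonce -> (alias->name, expiry)

# Contexts in which a protected identifier may appear: HTML attributes, a CSS id
# selector, and the DOM lookups used by the page's own script. type="password"
# is deliberately not a context, so the input type is left alone.
_PATTERN = re.compile(
    r'(?P<ctx>\b(?:name|id|for)="|getElementById\("|getElementsByName\("|#)'
    r"(?P<ident>" + "|".join(re.escape(p) for p in PROTECTED) + r")"
    r'(?=["\s{.,])'
)


def polymorph(page, now=None):
    """Serve one response: fresh aliases for every protected identifier, applied
    consistently to markup, style and script, plus a hidden nonce field."""
    now = time.time() if now is None else now
    aliases = {p: "f" + secrets.token_hex(6) for p in PROTECTED}
    shaped = _PATTERN.sub(lambda m: m.group("ctx") + aliases[m.group("ident")], page)
    nonce = secrets.token_hex(16)
    _MAPPINGS[nonce] = ({a: n for n, a in aliases.items()}, now + NONCE_TTL)
    hidden = '  <input type="hidden" name="_nonce" value="%s">\n</form>' % nonce
    return shaped.replace("</form>", hidden, 1)


def decode_submission(body, now=None):
    """Map a submitted form body back to the original field names, or return None
    when the nonce is unknown, already used, or expired, or when any submitted
    field name was not issued under that nonce (recorded names are rejected)."""
    now = time.time() if now is None else now
    fields = dict(parse_qsl(body))
    entry = _MAPPINGS.pop(fields.pop("_nonce", None), None)  # one-time use
    if entry is None:
        return None
    mapping, expires = entry
    if now > expires or any(k not in mapping for k in fields):
        return None
    return {mapping[k]: v for k, v in fields.items()}


def scrape_form(page):
    """What a scanner does during reconnaissance: harvest field names and nonce."""
    names = [n for n in re.findall(r'name="([^"]+)"', page) if n != "_nonce"]
    return names, re.search(r'name="_nonce" value="([0-9a-f]+)"', page).group(1)


def page_is_consistent(page):
    """True if the shaped page renamed every reference together: no original
    identifier survives (action="/login" and type="password" are untouched), and
    the form's new id is the one used by both the CSS selector and the script."""
    form_id = re.search(r'<form id="([^"]+)"', page).group(1)
    return ("username" not in page and '"login"' not in page and "#login" not in page
            and 'name="password"' not in page and 'id="password"' not in page
            and 'type="password"' in page and 'action="/login"' in page
            and "#" + form_id + " input" in page
            and 'getElementById("%s")' % form_id in page)


def demo():
    t0 = time.time()
    payload = "' OR 1=1--"                       # the scripted probe from phase one
    # Phase 1: the scanner indexes the form and records names and nonce.
    recon_names, recon_nonce = scrape_form(polymorph(ORIGINAL_HTML, now=t0))
    # Phase 2, an hour later: the recorded nonce has expired...
    t1 = t0 + 3600
    body = urlencode(dict(zip(recon_names, ["admin", payload]), _nonce=recon_nonce))
    expired = decode_submission(body, now=t1)
    # ...and the recorded names do not exist under the nonce of a freshly served page.
    attacker_names, attacker_nonce = scrape_form(polymorph(ORIGINAL_HTML, now=t1))
    body = urlencode(dict(zip(recon_names, ["admin", payload]), _nonce=attacker_nonce))
    stale = decode_submission(body, now=t1)
    # A browser uses the names it was actually served, so a genuine login decodes.
    user_page = polymorph(ORIGINAL_HTML, now=t1)
    user_names, user_nonce = scrape_form(user_page)
    body = urlencode(dict(zip(user_names, ["alice", "hunter2"]), _nonce=user_nonce))
    return {"expired_replay_rejected": expired is None,
            "recorded_names_rejected": stale is None,
            "names_rotated": recon_names != attacker_names,
            "page_consistent": page_is_consistent(user_page),
            "genuine_decoded": decode_submission(body, now=t1)}


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the renaming itself. Unknown field names are rejected rather than passed through, otherwise a tool could still post any parameter it likes; and the nonce must expire and be single-use, otherwise the copy of the page harvested during reconnaissance would remain a valid target indefinitely, which is exactly the recon-then-exploit sequence the technique is meant to break.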

From a network deployment perspective, the ShapeShifter technology is deployed inline in the data path and is designed to work alongside load balancer technologies. The goal is to limit any performance impact on a live Website to something that is undetectable to most humans, which Agarwal said is in the range of 20 to 40 microseconds.

There are multiple other approaches in the security market today that try to keep attackers from finding their targets. One of them is Juniper’s Web App Secure technology, formerly known as Mykonos, which aims to deceive attackers with a variety of techniques. Agarwal said that Shape Security is similar to other approaches in that it wants to reduce the risk of Web attacks, though he stressed that the way ShapeShifter works, with its approach of rewriting Websites to deflect attackers, is fundamentally different from other approaches.

The initial ShapeShifter release is being made available as a hardware platform from Shape Security. Agarwal declined to comment on the specific components included in the box, other than to say that it is commodity gear from leading vendors. Moving forward through 2014, the plan is to make the technology available as a virtual appliance that can be used in virtualization deployments.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
