Introducing Shape Security

Posted by Sumit Agarwal

1/21/14 3:31 AM

We founded Shape Security two years ago to tackle one of the hardest problems in web security: how to protect the front door of modern websites. The pervasive rise of malware-infected desktops, botnets and automated attacks threaten the foundation of the new Internet economy. We realized this called for a new approach to security—one that dealt with the reality that we can never truly eliminate malware from the desktop. The security industry has focused largely on preventing malware infections, yet has failed to protect websites against attacks from hundreds of millions of infected consumer computers. Our core strategy is to provide technology to protect websites even when they are serving infected desktops. In military terms, this is called “continuing to operate in a denied and degraded environment.” The ubiquity of malware-compromised desktops creates a degraded environment within which we must still find ways to enable everyday online activities like banking, shopping, socializing, and checking health records.

To accomplish these goals, today we unveil the ShapeShifter, a web security product that protects websites from malware, botnets and scripts. 

appliance

Fig 1. The ShapeShifter appliance
 


Botnets: A Massive Criminal Infrastructure of Infected Computers

Today’s cybercriminals assemble massive networks of infected computers (botnets) to attack websites. Most security products fail to block such attacks because criminals are able to make their botnet-based attacks look like legitimate usage.

These botnets are the backbone for a wide variety of high-volume, automated attacks against websites. Some of these attacks are well-known, such as when banking botnets steal millions of dollars across many online banking sessions, or when bots abuse basic website functionality, crippling websites with traffic that is almost impossible to block. Other attacks are much more subtle but just as damaging. For example, a botnet can slowly test stolen usernames and passwords against an e-commerce site in order to take over millions of accounts and defraud end-users. In fact, the same underlying mechanism is likely how miscreants will turn the the vast trove of over 100 million credit cards stolen from Target into money: they will use automated scripts running on botnets to purchase things like gift cards and other easy-to-sell goods from e-commerce websites.

There are many examples of attacks that use botnets and automated scripts to exploit websites, but they all target the same inherent vulnerability: the fact that most websites are created from publicly viewable common building blocks (HTML, Javascript, and CSS). This allows criminals to treat websites as implicit APIs, meaning the website can be operated by bots and scripts that can perform any action the website supports.

Older security technologies do very little to deal with this problem. Traditional threat signatures and reputation scoring don’t work very well, because most attacks look and feel like normal usage from computers belonging to legitimate human users. Rate limits are easy to avoid by distributing an attack across thousands of IP addresses in a botnet.  The ineffectiveness of these and other traditional techniques led us to seek a solution that could disable attacks from malware, botnets and scripts. So we built the ShapeShifter. 


Introducing the ShapeShifter

The ShapeShifter uses real-time polymorphism as a defense—it dynamically changes website code to break automated attacks. Cybercriminals have long used polymorphism to hide malware by making the malware appear to be different upon every new infection. We harness polymorphism to make the source code of websites appear differently on every page view, which has the effect of defeating malware, botnets and scripts.

All of this happens without creating any user-visible changes. The website looks and feels exactly the same to legitimate users, but the underlying site code (HTML, JavaScript, and CSS) is different on every pageview. Because bots must reference the content is some manner, this never-ending modulation of the site code breaks scripts and deflects attacks. Ultimately, the ShapeShifter aims to stop non-human visitors from executing large-scale automated attacks. This may help break the economics of breaches like the one Target experienced in late 2013, by eliminating the monetization path. 

Many web attacks are only profitable if automated. Criminal enterprises pursue profit: without automated scripts, many of today’s attacks cease to be economically viable. Instead of constantly detecting and reacting to threats, the ShapeShifter targets the economics of web hacking, and makes the preferred approach of criminals—automation, too expensive. This provides broad protection from automated attacks against websites and represents a completely new approach to security.