We founded Shape Security two years ago to tackle one of the hardest problems in web security: how to protect the front door of modern websites. The pervasive rise of malware-infected desktops, botnets and automated attacks threaten the foundation of the new Internet economy. We realized this called for a new approach to security—one that dealt with the reality that we can never truly eliminate malware from the desktop. The security industry has focused largely on preventing malware infections, yet has failed to protect websites against attacks from hundreds of millions of infected consumer computers. Our core strategy is to provide technology to protect websites even when they are serving infected desktops. In military terms, this is called “continuing to operate in a denied and degraded environment.” The ubiquity of malware-compromised desktops creates a degraded environment within which we must still find ways to enable everyday online activities like banking, shopping, socializing, and checking health records.
To accomplish these goals, today we unveil the ShapeShifter, a web security product that protects websites from malware, botnets and scripts.
Fig 1. The ShapeShifter appliance
Botnets: A Massive Criminal Infrastructure of Infected Computers
Today’s cybercriminals assemble massive networks of infected computers (botnets) to attack websites. Most security products fail to block such attacks because criminals are able to make their botnet-based attacks look like legitimate usage.
These botnets are the backbone for a wide variety of high-volume, automated attacks against websites. Some of these attacks are well-known, such as when banking botnets steal millions of dollars across many online banking sessions, or when bots abuse basic website functionality, crippling websites with traffic that is almost impossible to block. Other attacks are much more subtle but just as damaging. For example, a botnet can slowly test stolen usernames and passwords against an e-commerce site in order to take over millions of accounts and defraud end-users. In fact, the same underlying mechanism is likely how miscreants will turn the the vast trove of over 100 million credit cards stolen from Target into money: they will use automated scripts running on botnets to purchase things like gift cards and other easy-to-sell goods from e-commerce websites.
Older security technologies do very little to deal with this problem. Traditional threat signatures and reputation scoring don’t work very well, because most attacks look and feel like normal usage from computers belonging to legitimate human users. Rate limits are easy to avoid by distributing an attack across thousands of IP addresses in a botnet. The ineffectiveness of these and other traditional techniques led us to seek a solution that could disable attacks from malware, botnets and scripts. So we built the ShapeShifter.
Introducing the ShapeShifter
The ShapeShifter uses real-time polymorphism as a defense—it dynamically changes website code to break automated attacks. Cybercriminals have long used polymorphism to hide malware by making the malware appear to be different upon every new infection. We harness polymorphism to make the source code of websites appear differently on every page view, which has the effect of defeating malware, botnets and scripts.
Many web attacks are only profitable if automated. Criminal enterprises pursue profit: without automated scripts, many of today’s attacks cease to be economically viable. Instead of constantly detecting and reacting to threats, the ShapeShifter targets the economics of web hacking, and makes the preferred approach of criminals—automation, too expensive. This provides broad protection from automated attacks against websites and represents a completely new approach to security.