Cyber Defense Advisors

Endpoint Detection and Response – you need it on mobile devices too

This blog was written by an independent guest blogger.

Welcome to the final episode in our blog series focused on Mobile Endpoint Security. The first two episodes detailed the protections necessary to secure data accessed by remote workers (Endpoint security and remote work) and best practices for combating the threat of ransomware (5 ways to prevent Ransomware attacks). In this installment, we will highlight the need to extend your company’s Endpoint Detection and Response capabilities beyond traditional endpoints (servers, laptops, desktops) to include mobile devices to proactively prevent advanced threats and improve your company’s incident response.

The two previous blogs provided detail on the types of threats that target businesses across all verticals and presented evidence to establish the mobile device as the entry point for a significant percentage of these attacks. As an example, Twilio recently published a blog detailing an attack that compromised their internal systems and customer data via a series of SMS messages to employees. The bad actors mimicked login requests for SSO and Okta to socially engineer those employees, which resulted in the need to engage a forensics firm to lead the ongoing investigation. Logically, any efforts by that forensics firm specific to EDR, threat hunting and incident response should therefore also include the ability to research and respond to attacks that originate via mobile devices, with capabilities similar to those of traditional EDR solutions.

Therefore, we must examine the gap that exists in current EDR solutions as it relates to mobile devices, along with the reasons why the traditional solutions in this space are so ill-equipped to operate in the mobile device ecosystem. It stands to reason that the dominant players in this space such as CrowdStrike, SentinelOne, and Carbon Black have addressed mobile with their solutions given the dependence on mobile devices by workers across all verticals.

However, there are challenges that exist for their solutions due to the inherent architectures of the operating systems of traditional endpoints (Windows, macOS) versus mobile (Android, iOS). Primarily, the core difference is the lack of kernel access available on mobile devices, which limits the efficacy of incident response, kill chain reconstruction, and proactive threat hunting for traditional EDR solutions.

Without access to the kernel, a different strategy must be employed to effectively detect threats that exist across the mobile ecosystem of both your managed and unmanaged devices. Specifically, the need exists for an agent tailored to the challenges presented by mobile platforms, a streaming detection engine capable of analyzing mobile-specific telemetry, and ways of identifying anomalous mobile-unique behavior across thousands of data points collected from millions of mobile devices.

These capabilities enable you to leverage your mobile fleet telemetry to build proactive protection policies, improve your threat hunting workflow, and quickly identify how attackers leverage sophisticated campaigns to target your organization. The variable in this equation that most directly influences your company’s ability to detect and respond to these threats becomes the ability to provide domain-specific context via a comprehensive mobile ecosystem dataset.

To further explain the gap that exists in almost all companies’ incident response capabilities and make the need for mobile EDR more tangible, it is a useful exercise to detail a real-world threat.

SourMint

First things first, this example dispels the myth that the iOS App Store is completely safe. SourMint, discovered by the security firm Snyk, is an advertising SDK that was found to be active in over 1,200 iOS apps that totaled roughly 300 million downloads per month. The SDK contains malicious code that allows for access to PII on the affected device and sends that data to third-party servers. Even more concerning is the SDK’s ability to conceal its behavior by detecting debugging or proxy tools, which likely enabled it to bypass Apple’s app review process.

Now the part about how mobile EDR is necessary to secure your data from mobile apps that exhibit potentially malicious behavior. In this example, traditional EDR solutions may not have visibility into the behaviors and capabilities of the SourMint threat. Only an EDR solution capable of analyzing the SDK and querying the results of that analysis against a global dataset specific to mobile would allow an organization to correlate the potentially malicious hosts that the SDK is using to exfiltrate data.

And only a mobile EDR solution would then allow that incident response team to proactively hunt for the existence of other affected mobile apps that also connect to the same host(s) to determine whether a policy action needs to be taken.  And because the connections to those hosts are not exclusive to mobile, this intel is also needed to examine if other endpoints are connecting to the suspected hosts via their traditional EDR toolset.  

Without a mobile EDR solution, organizations have limited resources to evaluate the impact of a detected mobile threat and its potential ability to compromise laptops or desktops.  In the case of SourMint, a mobile EDR solution provides the ability to alert or denylist on any type of device that connects with the hosts used by the bad actors.       
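The hunting pivot described in the last two paragraphs, as an added example that is not code from this post or from any vendor named in it: starting from hosts attributed to an SDK, it finds other mobile apps and non-mobile endpoints that contact them and emits the host list to denylist. All hostnames, app IDs, device names and record fields are constructed for illustration.

```python
from collections import defaultdict

# Constructed inputs (assumptions, not real indicators): hosts attributed to
# the SDK by analysis, and apps already known to embed it.
SUSPECT_HOSTS = ["sdk-collect.example"]
KNOWN_APPS = {"com.example.weather"}

# Constructed telemetry; the field names are hypothetical.
MOBILE_EVENTS = [
    {"device": "ios-014", "app": "com.example.weather", "host": "sdk-collect.example"},
    {"device": "ios-022", "app": "com.example.puzzle", "host": "API.sdk-collect.example."},
    {"device": "and-007", "app": "com.example.notes", "host": "notsdk-collect.example"},
    {"device": "ios-031", "app": "com.example.puzzle", "host": "cdn.vendor.example"},
]
ENDPOINT_EVENTS = [
    {"device": "lt-221", "host": "sdk-collect.example"},
    {"device": "srv-09", "host": "updates.vendor.example"},
]

def normalize(host):
    """Lower-case and drop the trailing root dot so log variants compare equal."""
    return host.strip().rstrip(".").lower()

def matches(host, suspects):
    """True for a suspect host or a subdomain of one, matched on a label
    boundary so that look-alike suffixes do not produce false hits."""
    h = normalize(host)
    return any(h == s or h.endswith("." + s) for s in suspects)

def hunt(suspect_hosts, known_apps, mobile_events, endpoint_events):
    suspects = {normalize(h) for h in suspect_hosts}
    new_apps = defaultdict(set)    # app not yet known as affected -> devices
    endpoints = defaultdict(set)   # non-mobile device -> suspect hosts seen
    for e in mobile_events:
        if matches(e["host"], suspects) and e["app"] not in known_apps:
            new_apps[e["app"]].add(e["device"])
    for e in endpoint_events:
        if matches(e["host"], suspects):
            endpoints[e["device"]].add(normalize(e["host"]))
    return {
        "new_apps": {a: sorted(d) for a, d in new_apps.items()},
        "endpoints": {d: sorted(h) for d, h in endpoints.items()},
        "denylist": sorted(suspects),
    }

if __name__ == "__main__":
    print(hunt(SUSPECT_HOSTS, KNOWN_APPS, MOBILE_EVENTS, ENDPOINT_EVENTS))
```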

Mobile EDR solutions are still in their beginning stages, and feature parity with traditional EDR solutions will continue to be a maturation process. However, the importance of applying the methodology for EDR to mobile will only continue to increase as the world continues to go more and more mobile. Delays in adoption not only present inherent risk to a company’s existing security posture but also introduce the concept of innovation debt that could be costly to overcome.
