Posted: 8 Min ReadProduct Insights
Translation: EspañolPortuguês, Brasil

Symantec Mobile Threat Defense: Spotlight on Mobile Endpoint Detection and Response

Organizations need mobile EDR to combat a growing trend in mobile security: advanced and persistent attacks that exploit mobile OS vulnerabilities

In a recent blog post, I discussed the importance of vulnerability management for mitigating mobile security risks. Vulnerability management essentially helps enterprise security teams take the guesswork out of identifying, prioritizing and responding to mobile operating system (OS) vulnerabilities. Ultimately, no operating system is immune to security vulnerabilities, and just as admins use vulnerability management to reduce the risk of exploits on traditional endpoints, it only makes sense they use it for modern endpoints as well.

And yet, even when risks are mitigated, some inevitably remain. At any given time, an organization has mobile devices whose OSs are not up to date and contain known vulnerabilities that can be exploited, leading to device compromise. And those are just the vulnerabilities we know about – what about the ones we don’t? Even when all devices are up to date, mobile OSs, like any other operating system, are still at risk of zero-day attacks that exploit unknown vulnerabilities. In addition to using vulnerability management to mitigate known mobile security risks, organizations need advanced mobile endpoint detection and response (mobile EDR) to mitigate the risk from unknown and persistent mobile threats.

This blog post will focus on mobile EDR as a necessary tool for combatting a growing trend in mobile security: advanced attacks that exploit mobile OS vulnerabilities to compromise device data and integrity. I discuss how visibility over attack kill chains and deep forensic analysis help security teams understand the flow and nature of attacks and determine the best course of remediation.

Mobile EDR

EDR technology provides continuous monitoring and response to malicious activities on endpoints after a breach has occurred. This technology complements traditional endpoint security paradigms, by focusing on the attacker’s behavior during and after the target assets are compromised. Cyber criminals are constantly finding creative and sophisticated ways to infiltrate devices, and they’re determined to adapt, alter, or hide their tactics to circumvent security mechanisms. This is especially the case in mobile, where users’ inattentive behavior and admins’ lack of control, or even visibility, over mobile risks are ripe for exploitation by hackers.

Proactive threat detection, response and incident investigation on mobile endpoints is critical for any organization that wants to improve its mobile (and overall) security posture. However, the way modern OSs were built (i.e. application sandboxing) and privacy regulations limit what data can be collected to provide contextual information on suspicious behaviors. Due to these limitations, the common perception is that while proactive detection and protection from threats is possible and is valuable for enterprises, identifying advanced exploitation (especially zero-day attacks) is unfeasible in mobile. Indeed, most mobile security solutions provide basic jailbreak or rooting detection, but in practice they usually identify intentional attempts by end-users to jailbreak or root their device, rather than advanced exploits by hackers who can easily bypass such detections. When enterprise data and resources are at stake, the ability to not only be alerted when a device is compromised, but also to have deep forensics on indicators of compromise, is critical to understanding what hackers did or plan to do, and respond accordingly.

Zooming in on the mobile attack kill chain

To build a solution that can catch advanced attacks against iOS & Android devices, we’ve developed technology that focuses on the kill chain of attacks. Our mobile threat defense (MTD) solution, Symantec Endpoint Protection Mobile (SEP Mobile), looks for indicators of exploitation or compromise across the different stages of the attack kill chain, rather than focusing on just one magical detection that could fail to catch attackers if they succeed in bypassing it.

Generally, we’ve seen the following group of activities when a device has been compromised:

  1. A malicious actor begins by exploiting a vulnerability in one of several attack vectors – physical, network, app, or OS - which leads to arbitrary malicious code execution on the victim’s device.
    • For example, Pegasus, the notorious mobile spyware that exploited zero-day vulnerabilities to jailbreak iOS devices, was disseminated to victims via SMS spear-phishing messages. Once victims clicked on the malicious links in the messages, the device was infected with malware which installed additional surveillance software.
    • Another more recent example, reported by Google in February, is an Android vulnerability that could allow a remote attacker using a malicious PNG file to execute arbitrary code on mobile devices. Once opened, the PNG could start running malicious code at a privileged-level on a user’s device.
  2. In many cases, the malicious code is initially executed with low permissions, which limits the impact of the attack. Therefore, attackers will try to gain kernel privileges via exploitation of other vulnerabilities on the device, to be able to take certain actions or access resources that are normally restricted.
  3. Attackers will also use elevated privileges to try to hide their tracks. They may install additional code that protects them from being found by standard jailbreaking or rooting detection, allowing them to maintain a persistent presence on the device.
  4. Once their presence is hidden, they will seek to manipulate device sensors (e.g., camera, mic, GPS), intercept user traffic (plaintext and encrypted) or access apps – such as business apps, banking, instant messaging, SMS messages, email, and others – to steal a victim’s data.

Steps 3 and 4 are often achieved by manipulating operating system settings and injecting malicious code into affected processes for the purpose of hiding, manipulating and stealing data managed by these applications.  SEP Mobile detects indicators of compromise along the kill chain activities discussed above, enabling security admins to clearly see that a device has been infiltrated. Our advanced sensors help admins catch the bad guys at different levels of an attack; if hackers pass one detection layer, our sensors can catch them in another.

Zooming out on the bigger picture

Most MTD solutions detect and provide alerts on security incidents in isolation. This process neglects links that may be present between certain incidents, and security admins who don’t see the associated telemetry may be missing the bigger picture. By providing full visibility across the attack kill chain, SEP Mobile enables admins to connect the dots between various data points, and understand: when the attack took place, what the device security level was before the attack (e.g., known vulnerabilities it was susceptible to), what the possible entry point to the device was (a MITM attack? A malicious app? etc.), and even what code attackers injected into the device as part of their attack.

Equipped with extensive threat telemetry and incident forensics, security teams have more confidence when assessing the risk of an attack and determining the best response. For example, some remediation actions, like wiping a device completely, could have ramifications for employee privacy and productivity. Before deciding to take this strong measure, admins want to have as clear a picture as possible of what happened or is happening on the device. SEP Mobile provides this clear picture, so that admins see important signs on one hand, and avoid being bogged down by false positives on the other.

Let’s look at an example kill chain of an attack against an iOS device. The below shows kill chain incidents identified by SEP Mobile that are automatically bundled together, allowing the admin to connect the dots and better understand the attack flow:

Based on these incidents, we can see the following:

  • The presence of suspicious enterprise developer certificates on the device indicates that it had sideloaded apps – most likely downloaded from a rogue third party app store. The user trusted the suspicious certificates that allowed the apps to run, under the assumption that they were safe.
  • Malware was detected on the device. It’s likely that one or more of the sideloaded apps discovered in the previous detection were the source for the malicious code.
  • When the end-user activated the malicious app, it exploited known OS vulnerabilities, which we saw existed on the device (see “OS With Known Vulnerabilities” alert) – to jailbreak the device and get escalated privileges.
  • Post-infiltration, several indicators of compromise (IoCs) detected by SEP Mobile revealed additional malicious activities such as code injection and modification:
    • The attackers altered file system security attributes (remounting the system partition as read-write) to be able to manipulate it.
    • Then, the Suspicious Operating System Module alert indicates that attackers injected dylibs into running processes to override specific functions or add their own functionality.
    • As a last step, attackers inserted function hooks in the iOS runtime environment to hide the fact that the device was jailbroken. Essentially, attackers faked the output of API calls that would normally show their presence on the device.
  • Taking all of these IoCs into consideration, we concluded that the device was compromised.

It’s important to note that SEP Mobile provides a range of on-device protection mechanisms against network and app threats. These include stopping the aforementioned attack in its different stages, such as preventing the installation of apps from rogue third-party stores or blocking the app’s communications with its malicious command and control server. To show the extent of our layered detection mechanism these protection actions were disabled in the example above.

For each IoC detection above, and in general, SEP Mobile provides detailed forensics that can serve as technical proof behind the detection. This can be leveraged to prevent false positives and shed any doubt about the accuracy of the findings, enabling admins to respond to incidents with confidence.

For example, within the forensics provided for the Suspicious Operating System Module alert, admins can see the specific dylibs that were added by the attacker:

Additionally, unlike most standard jailbreak detections that look for evidence like Cydia on devices, SEP Mobile recognizes that more sophisticated attackers will try to hide their footprints. We look for these very behaviors – altering or inserting code to remove evidence – to determine that the device has been infiltrated by a malicious actor. In the forensics for the “iOS Runtime Environment Altered” alert below, we see that the API of NSFileManager, which is responsible for file system logic, was modified, most likely to hide the existence of files on the device that are indicative of an attack and/or are needed by the attacker to achieve persistence.

Automated, real-time mitigation

Organizations can set a security compliance policy in SEP Mobile according to which devices are deemed non-compliant if they meet certain conditions, such as “device compromised” or “having indicators of compromise.” Security teams can leverage SEP Mobile standalone protection actions to mitigate the risk from non-compliant devices in real-time, for example by automatically blocking devices from accessing sensitive corporate resources. Moreover, admins can use SEP Mobile’s integration with Enterprise Mobility Management (EMM) solutions as a layered mechanism to limit data exposure or exploitation. For instance, they can use their EMM to automatically remove business apps from the device before deciding at a later point to manually or remotely wipe it. In cases where admins must make a business case for wiping the device, they have all the necessary forensics to justify the measure, as discussed above.

The early bird catches the [bad guys]

The ability to detect and respond to mobile device exploitation in its early stages vs. after attackers have been able to cause significant damage is critical. By identifying indicators of compromise as an advanced attack unfolds, SEP Mobile reduces response time from a potentially infinite amount of time – in cases where the attack goes undetected, an attacker can monitor, intercept and manipulate device activity for years without anyone knowing about it – to a matter of minutes. Additionally, our granular visibility and deep forensic analysis on an attack kill chain allow security professionals to make more informed decisions on the appropriate response. Like vulnerability management for mobile, SEP Mobile has taken a traditional security practice and extended it to modern endpoints. Our innovative Mobile EDR technology helps enterprises mitigate the risk from zero-day attacks and advanced persistent threats on their employee’s mobile devices - a capability that is becoming more and more important as mobile plays an increasingly vital role in business and attacks grow more complex.

Symantec Enterprise Blogs
You might also enjoy
7 Min Read

Symantec Mobile Threat Defense: Spotlight on Modern Endpoint Vulnerability Management

The age-old practice of vulnerability management to mitigate security risks can (and should) extend to modern endpoints

About the Author

Yair Amit

VP & CTO, Modern OS Security

He leads the company’s research, vision and R&D center for securing iOS & Android devices, also envisioning the security model of future desktop operating systems. Working in the security industry for the past 15 years, his work has yielded dozens of patents.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.