Mobile Threat Defense: The drawbacks of “on-device” MTD solutions
Not all Mobile Threat Defense solutions are created equal.
MTD vendors take different approaches to evaluating risks on a mobile device. The philosophy behind these approaches can have real implications on cybersecurity effectiveness. It's important, therefore, that IT security managers understand each vendor's technology approach when evaluating a solution.
Lookout developed the Mobile Risk Matrix to help security organizations accurately identify, assess and secure their mobile workforce. In the matrix, we illustrated an array of mobile risks across device, app, network, and web & content vectors. In this blog we'll discuss how different approaches impact the effectiveness of these solutions for each of these risk vectors, starting with the device vector.
Device attacks subject users to catastrophic data loss and real-time surveillance
Device-based attacks occur when a bad actor manages to modify the mobile operating system. This is referred to as "jailbreaking" on iOS or "rooting" on Android. Both methods remove restrictions that Apple and Google have put in place and give the attacker higher levels of permission. Once a device is compromised in this way, it is exposed to catastrophic data loss and real-time surveillance. The Pegasus attack, discovered by Lookout in August 2016, is an example of a targeted iOS attack that enabled a jailbreak and stealthily spied on victims, collecting information from voice communications, camera, email, messaging, GPS, passwords, contact lists and more.
There is no hard and fast way to know that a device has been jailbroken or rooted. The normal practice is to search the operating system for evidence by sampling an assortment of indicators that might reveal an attack. For example, an MTD solution might monitor certain file system directories for changes triggered by attempts to exploit a known vulnerability, or it might query files that provide insight into other processes running on the device.
The philosophy behind the platform matters
Some vendors promote the virtues of an "on-device" approach. Under this model, indicators are passed to a decision system, known as a "classifier," that is incorporated into a security app. Classifiers are "trained" to infer whether a threat is present based on the indicators that are fed to it. This training typically occurs offline on a centralized server using examples of previously known threats. Classifiers must be retrained periodically and pushed to each device through an app update. For practical reasons, this retraining occurs infrequently with update intervals usually measured in months. While this whole approach can be considered machine learning, there is no new "learning" after the classifier is downloaded.
There are several drawbacks to this approach. First, Apple iOS and Google Android have built-in security protections that place all applications in a "sandbox" at install time. A sandbox is a set of controls that limits an app's access to files, preferences, network resources, hardware, etc. Limiting the privileges of an app to its intended function makes it more difficult for malicious software to compromise a device.
iOS has historically been much more restrictive than Android. That changed a few years ago, however, when Google began enforcing Security-Enhanced Linux (SELinux) with Android 4.4 ("KitKat"). SELinux is a Linux kernel security module that provides a mechanism for supporting access control security policies. These policies were made progressively more restrictive in subsequent releases through Android 8 ("Oreo").
"While access controls are a great way for a Mobile OS to minimize the damage that can be done by hackers, they present a significant challenge for mobile threat defense (MTD) solutions that employ “on-device” detection."
While access controls are a great way for a Mobile OS to minimize the damage that can be done by hackers, they present a significant challenge for mobile threat defense (MTD) solutions that employ "on-device" detection. The increased constraints make it more difficult for the on-device app to access specific indicators it may use to infer that a threat is present. The less evidence collected, the more difficult it is to solve the crime. Lab testing shows the efficacy of these solutions is reduced on iOS and has progressively degraded with each new Android release, making products that utilize on-device detection applicable to an ever-shrinking number of users.
In fact, according to Google's official statistics, Android users are coalescing around the most recent versions, with Android 7 ("Nougat") accounting for 26.3% of active Android users. Now that Android 8 ("Oreo") has begun shipping on flagship smartphones, the number of enterprise devices running older versions of Android will decline rapidly and MTD solutions that employ "on-device" detection will become less effective.
Constant evolution is critical to stay ahead of adversaries
Next, security is all about speed and agility. Offline training with long update intervals limits a solution's ability to react to new and novel threat variants. While some companies might consider periodic retraining of the model to be sufficient, threat actors are constantly changing their tools, techniques and procedures. For an attacker, changing an indicator of compromise is analogous to a bank robber changing his shirt. While the police are looking for a man with a blue shirt, the same crook is robbing a bank across town wearing a red shirt.
"Faced with a rapidly changing threat landscape, security solutions must be architected to respond and remediate quickly."
Faced with a rapidly changing threat landscape, security solutions must be architected to respond and remediate quickly. By the time on device classifiers can be retrained offline and pushed to each phone through an app update, the damage may already be done. Even with automatic app updates, there's always a long tail of laggards who don't update to the latest version, leaving them exposed.
Look under the hood
While MTD solutions may look the same, there are significant differences in philosophy and approach that ultimately determines cybersecurity effectiveness. In part II of this series, I'll talk about an alternative "cloud-first, device assisted" approach that addresses the limitations of on-device detection by incorporating the power of cloud computing and big data in a layered defense model.
Interested in learning how an on-device-only MTD solution may impact your organization? Contact us today.