Thursday, January 18, 2018

Mobile Cyber-Espionage at a Global Scale


One of the key issues that has stymied the growth of the Mobile Threat Defense (MTD) market is that the mobile threat landscape that MTD protects against doesn't really scare enterprises.

That might be about to change. Enter Dark Caracal, characterized by Lookout and the Electronic Frontier Foundation as "cyber-espionage at a global scale."

Again, like other serious threats, this one is attributed to a state actor: the Lebanese General Security Directorate in Beirut. To quote further from the report:
Dark Caracal has been conducting a multi-platform, APT-level surveillance operation targeting individuals and institutions globally.
Although Dark Caracal uses tools across mobile and desktop platforms, including Windows, OSX and Linux, it uses mobile (Android) as its primary attack platform. Of the 81 GB of data exfiltrated, 59% came from Android campaigns. The report outlines the devastating surveillance functionality of a compromised device:

The breadth and quantity of exfiltrated data is significant, and includes:

Compromised devices have been discovered worldwide.

The problem with MTD is that it competes for security budget with advanced persistent threat (APT) solutions, largely regarded as the top enterprise threat and the type of attack that breached Sony, OPM, Target, Home Depot and others. It's easy to imagine that enterprises will re-evaluate the priority of an MTD solution as they digest a threat landscape that now includes Dark Caracal.

Tuesday, January 16, 2018

Self-protecting software, application shielding, and RASP

Many of my recent posts have provided insights regarding the Mobile Threat Defense (MTD) space; in this post I wanted to explore other mobile security segments as they relate to enterprises.

Mobile Threat Defense (MTD)
First, for background, here's how MTD is defined by Gartner:
The MTD solutions market is made up of products that protect organizations from threats on mobile platforms, including iOS, Android and Windows 10 Mobile. MTD solutions provide security at one or more of these four levels: Device behavioral anomalies, Vulnerability assessments, Network security, or App scans.
MTD solutions are designed to protect enterprises from mobile threats. The primary threat landscape that MTD addresses is mobile malware and leakage of enterprise data. Skycure/Symantec, Lookout, Zimperium and Appthority are vendors in this space.

Application Security Testing (AST)
As mentioned above, other mobile solutions exist besides those that fall into the MTD category. The most mature mobile security segment is part of the Application Security Testing (AST) market, which broadly applies to both web-based and mobile applications. Sometimes referred to as SAST (static application security testing) and DAST (dynamic application security testing), these solutions are applied against internally developed apps deployed for use by employees and contractors. These are often called private apps or custom apps. Veracode, HPE and IBM are leaders in this segment.

Application Shielding 
Another mobile security market segment, and the focus of this post, is emerging as of early 2018 and doesn't have a consensus segment name. It's referred to by participating vendors as "Protecting Apps in Untrusted Environments," "Autonomous Application Protection," and "Self Protecting Software." Gartner refers to it as Application Shielding, and names over 20 vendors with relevant solutions. The underlying technology is called Runtime Application Self-Protection (RASP). What's this all about?

Enterprises often must deploy mobile apps in support of their core business. Think of public apps from banks, retailers, gaming companies, and any app-based business. These are generally B2C apps, or consumer mobile apps, and they run in environments outside of the developers' control. The app could be reverse engineered for intellectual property theft or to find and exploit whatever vulnerabilities might exist. The app could be installed on rooted or jailbroken devices, which opens it up to a wide array of attacks (debugger attachment, hooking, memory tampering). The app could be repackaged with keyloggers, spyware or other forms of malware and redistributed, which could result in brand damage. Other exploits and misuse of the app are possible. How can app developers protect their app when it's in the wild?

Runtime Application Self-Protection (RASP)
Enter RASP. Gartner defines RASP as a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks. Secure app development practices (often based on OWASP) and security testing remain best practices and are not replaced by RASP. In fact, RASP solutions are applied not to the source code but to the binary (executable) app. RASP can usually be integrated into the build process but does not require SDLC changes or app developers' participation.
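To make the RASP idea concrete, here is an added example (not from the original post, and not any vendor's product code) of the three runtime self-checks that application shielding products typically inject into a consumer mobile app: rooted-device indicators, an attached debugger, and a repackaging check that compares the shipped code against a digest embedded at build time. It is written in Python so it runs offline; on a real Android app the same checks would live in Kotlin/Java or NDK native code. The indicator paths, the `/proc/self/status` sample text and the "dex bytes" are constructed for illustration.

```python
"""Illustrative RASP-style self-protection checks (added example, not vendor code)."""
import hashlib
import hmac
import re

# Paths whose presence commonly indicates a rooted Android device.
# Assumption: an illustrative list; real products ship a much longer one.
ROOT_INDICATOR_PATHS = (
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/data/local/xbin/su",
    "/system/app/Superuser.apk",
)


def detect_root_indicators(path_exists, build_tags):
    """Return a list of root findings.

    path_exists is a callable(path) -> bool. A real app would pass os.path.exists;
    it is injected here so the check can run against a constructed filesystem.
    build_tags is the value of ro.build.tags ("release-keys" on stock builds).
    """
    findings = [f"root binary present: {p}" for p in ROOT_INDICATOR_PATHS if path_exists(p)]
    if "test-keys" in build_tags:
        findings.append("build signed with test-keys")
    return findings


def parse_tracer_pid(proc_status_text):
    """Parse the TracerPid field of /proc/self/status; nonzero means a tracer/debugger is attached."""
    match = re.search(r"^TracerPid:\s*(\d+)", proc_status_text, re.MULTILINE)
    return int(match.group(1)) if match else 0


def verify_code_integrity(code_bytes, expected_sha256_hex):
    """Repackaging check: SHA-256 of the code actually loaded vs. the digest baked in at build time.

    compare_digest keeps the comparison constant-time so the check itself leaks nothing.
    """
    actual = hashlib.sha256(code_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex)


def runtime_self_check(path_exists, build_tags, proc_status_text, code_bytes, expected_digest):
    """Run all checks and return the list of findings (empty list == environment looks clean)."""
    findings = detect_root_indicators(path_exists, build_tags)
    tracer = parse_tracer_pid(proc_status_text)
    if tracer:
        findings.append(f"debugger attached (TracerPid={tracer})")
    if not verify_code_integrity(code_bytes, expected_digest):
        findings.append("code integrity mismatch: possible repackaging")
    return findings


# --- Constructed sample environments (not real device data) ---------------------------
CLEAN_FS = set()
ROOTED_FS = {"/system/xbin/su", "/system/app/Superuser.apk"}
CLEAN_STATUS = "Name:\tcom.example.bank\nState:\tS (sleeping)\nTracerPid:\t0\n"
DEBUGGED_STATUS = "Name:\tcom.example.bank\nState:\tt (tracing stop)\nTracerPid:\t4242\n"
SHIPPED_CODE = b"\x64\x65\x78\x0a\x30\x33\x35\x00 constructed dex bytes"
EXPECTED_DIGEST = hashlib.sha256(SHIPPED_CODE).hexdigest()  # what the build step would embed
TAMPERED_CODE = SHIPPED_CODE + b" injected keylogger hook"


def demo():
    """Return (findings on a clean device, findings on a rooted, debugged, repackaged device)."""
    clean = runtime_self_check(lambda p: p in CLEAN_FS, "release-keys",
                               CLEAN_STATUS, SHIPPED_CODE, EXPECTED_DIGEST)
    hostile = runtime_self_check(lambda p: p in ROOTED_FS, "test-keys",
                                 DEBUGGED_STATUS, TAMPERED_CODE, EXPECTED_DIGEST)
    return clean, hostile


if __name__ == "__main__":
    clean_findings, hostile_findings = demo()
    print("clean device:", clean_findings or "no findings")
    print("hostile device:")
    for finding in hostile_findings:
        print("  -", finding)
```

The response to a finding (exit, degrade functionality, or report to a backend) is a product decision; what matters for shielding is that the checks are compiled into the binary and run on every launch, since an attacker on a rooted device controls everything outside the app.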

RASP technology is not unique to application shielding, as it is also utilized by some AST vendors. But it has experienced considerable growth of late because of the application shielding requirements of mobile apps. Furthermore, RASP usage is expected to mushroom as it gets applied to IoT-based apps.

What Mobile Security Solution Should An Enterprise Adopt?
So what does all this mean to an enterprise that is developing its mobile security strategy? In short, one size does not fit all. MTD is required to protect the enterprise from attacks against its employees and its data. SAST and DAST are required to secure mobile apps developed for internal use as productivity tools. RASP is required for consumer mobile apps. The rapid adoption of mobile in the workplace and as the primary means of reaching customers requires a broad mobile security strategy with multiple components.

Enterprises seek best of breed solutions for all of their security requirements. But enterprises are not always willing to be their own system integrators, where they must glue various platforms together from a management and operations perspective. It seems likely that at the end of the day enterprises will gravitate towards single-vendor solutions, to the extent they emerge. I believe that the window of opportunity for mobile security startups is still wide open to those with innovative solutions who can execute, but history suggests the ultimate winners will be the established, mega security vendors.

Monday, January 8, 2018

"Modern computing security is like a flimsy house that needs to be fundamentally rebuilt"

Image courtesy NY Times

Zeynep Tufekci has an interesting take on the latest cyber security news in her column entitled The Looming Digital Meltdown. The money quote is this: "Modern computing security is like a flimsy house that needs to be fundamentally rebuilt." Her focus is the chip-based vulnerabilities disclosed last week, but she's talking about cyber security in general. And her point is hard to argue with.

Tufekci has been thinking both deeply and broadly about these topics for quite some time. She's the author of Twitter and Tear Gas: The Power and Fragility of Networked Protest, and her TED talk "We're building a dystopia just to make people click on ads" gets right to the point about the economic incentives that enable the Internet's stalker economy.

The theme of Tufekci's column is that vendors, driven by consumer demand and the frenzy to be first to market, have sacrificed security for speed and convenience. She rightly asserts that this is a solvable problem--and maybe would have already been solved if we simply held our vendors accountable (as we do with airplane travel, for example, or with consumer products).

But I think users have been complicit. By users, I mean people who use Facebook, who buy smartphones, and who are inevitably attracted to "free" apps and services. I put the word free in quotes because the cost is real but not always evident. The stalker economy leads to exploits such as ADINT, where by using the same targeting techniques available to advertisers one can easily track friends, relatives and even strangers. We've ceded this power to the technology providers in order to have easy access to social networking apps and other "free" services.

And profit-driven technology is proving more powerful than traditional safety systems. Witness the fact that Uber Can Find You but 911 Can’t. Would we ever have designed such an outcome consciously?

Maybe there's hope on the horizon: Mark Zuckerberg says one of his goals for 2018 is to fix Facebook.

Meanwhile, here on earth, we're left to live with the chip-related vulnerabilities (known as Meltdown and Spectre). There's much hand-wringing that the proposed fixes will slow our systems down--maybe by as much as 30%. But MIT has developed an ad-blocking system that improves web page download times by up to 34%. That sounds like a fair tradeoff to me.