December 4, 2024
From Phishing to Malware: How to Defend Against a Modern Kill Chain
Every day, threat actors devise new plans for breaking into secure systems. The steps they take, from researching a target to carrying out the attack, are known as the cyber kill chain. Traditionally, that kill chain has targeted devices and networks that lie completely within your organization’s control. For better or worse, mobile and cloud-based work have upended that dynamic.
Workers increasingly use their mobile devices to access apps and data in the cloud. As a result, they’ve massively expanded the attack surface and created a new, modern kill chain. This modern kill chain targets both mobile devices and their owners, using social engineering and coordinated attacks to worm into your systems. It’s no longer enough to secure your business’ devices — you need to protect your employees' mobile devices, too. With so much more to defend, it’s no wonder that only 12% of security leaders feel confident in their existing security measures.
Luckily, a suite of cutting-edge cybersecurity solutions can help you keep your organization — and your employees — safe.
What is mobile device management?
Contrary to popular belief, threat actors frequently target mobile devices. To keep those threats at bay, many organizations employ mobile device management (MDM). MDM is a set of tools and practices that help IT teams inventory employee devices, monitor their use, and enforce configuration on them. MDM works by enrolling each device with a management server so that your organization can push policies to it (passcode and encryption requirements, app allowlists, Wi-Fi and VPN settings), and it can provide the following benefits:
- Device tracking via GPS.
- Activity monitoring to ensure policy adherence.
- Remote management to push OS and app updates, lock devices, or wipe their storage from afar.
Mobile device management can work on mobile phones, tablets, laptops, and Internet of Things (IoT) devices. It's often applied as the first layer of protection against the modern kill chain.
How does MDM fall short?
As useful as it is, here are some of the ways mobile device management leaves you vulnerable:
- MDM products aren't standardized, so organizations often end up stitching together several tools and custom scripts to cover their fleet.
- Devices in your environment likely run more than one operating system. Not every MDM supports every OS equally well, which can force you to run and license separate products to manage all of your devices.
- Keeping an accurate inventory across a large, mobile fleet is hard. Stale inventory data means missed updates and devices that fall outside policy without anyone noticing, and those blind spots are where compromises start.
- MDM collects a lot of data from enrolled devices, and employees may object to that level of visibility into devices they also use personally.
To address these issues, many organizations supplement their MDM with other solutions such as endpoint security, user behavior monitoring, and zero-trust architecture. Here's how Lookout solutions guard against the modern kill chain.
To learn more about mobile device management, read Mobile Device Management: What Is It & Why Isn't It Enough?
What is endpoint detection and response (EDR)?
Today's threat actors are working harder and faster than ever before. They discover and weaponize new vulnerabilities faster than signature-based antivirus can keep up. It's not enough to compare files against a database of known threats; a zero-day has no signature yet. Organizations need software that monitors device and user activity to spot and respond to attacks nobody has catalogued.
Endpoint detection and response does exactly that. When you install EDR on a device, it records that device's actions (process launches, network connections, file changes), compares them against a baseline of normal behavior, and flags deviations. It can then relay that telemetry to your security team for rapid response.
Traditional EDR's central weakness is that its agents are built for desktop and server operating systems. iOS and Android sandbox every app and don't grant the kernel-level access a desktop agent relies on, so most EDR deployments stop at the laptop. That leaves your workers open to phishing, smishing, and other social engineering attempts on the device they use most. Only EDR designed for mobile can cover the expanded attack surface of the modern kill chain.
How does mobile EDR work?
Successful mobile EDR software must work around different limitations. For one, mobile devices have limited battery life, so mobile EDR can't continuously consume much CPU or energy. For another, employees often use their personal devices for work, so monitoring everything they do would violate their privacy. Finally, mobile operating systems sandbox every app, so mobile EDR cannot get the privileged OS access a desktop agent relies on, and it has to work from the signals the platform does expose (installed apps, permissions, network destinations, OS and configuration state).
Despite those limitations, mobile EDR can successfully provide the following:
- Continuous monitoring and data collection equip your cybersecurity team for incident response and forensic investigations.
- Behavioral profiles and analytics can flag unusual activity on any device.
- Automated responses can shut down potential data breaches before they get out of hand.
- Threat-hunting tools can empower your cybersecurity team to analyze telemetry data, double-check the EDR's responses, and prowl for threat actors in hiding.
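To make the behavioral model concrete, here is an added example, not Lookout's code or any product's detection logic, that builds a per-device profile from constructed telemetry and then scores a later burst of events. The event schema, the weights, and the sample data are all assumptions for illustration; the point is that each signal is weak on its own, so the detector also rewards the sequence the page describes: an SMS link click, followed by a sideloaded app, followed by an accessibility-service grant.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds
    device: str    # device identifier
    kind: str      # net | app_install | perm_grant | sms_link (assumed schema)
    detail: str    # domain, "store:"/"sideload:" + package, permission, or URL


# Constructed learning-window telemetry for device d1 (not real data).
BASELINE = [
    Event(1000, "d1", "net", "mail.example.com"),
    Event(1100, "d1", "net", "docs.example.com"),
    Event(1200, "d1", "app_install", "store:com.example.notes"),
    Event(1300, "d1", "net", "mail.example.com"),
]

# Constructed later burst: a parcel-tracking smish leads to a sideloaded app
# that immediately asks for the accessibility service.
RECENT = [
    Event(9000, "d1", "sms_link", "hxxp://track-parcel.example.net/x"),
    Event(9020, "d1", "net", "track-parcel.example.net"),
    Event(9100, "d1", "app_install", "sideload:com.parcel.tracker"),
    Event(9130, "d1", "perm_grant", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    Event(9200, "d1", "net", "mail.example.com"),
]

# Permissions that are rarely legitimate for a freshly installed app.
SUSPICIOUS_PERMS = {"android.permission.BIND_ACCESSIBILITY_SERVICE"}


def build_profile(events):
    """Per-device set of (kind, detail) pairs observed during the learning window."""
    profile = defaultdict(set)
    for e in events:
        profile[e.device].add((e.kind, e.detail))
    return profile


def score_events(profile, events, chain_window=600, threshold=5):
    """Score events against each device's profile; return alerts at or above threshold.

    Each signal is weak alone (a new domain is normal), so the detector also
    rewards the sequence sms_link -> sideload -> accessibility grant within
    chain_window seconds. Weights are illustrative assumptions.
    """
    by_device = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_device[e.device].append(e)

    alerts = []
    for device, evs in by_device.items():
        known = profile.get(device, set())
        score, reasons = 0, []
        last_sms = None           # timestamp of the most recent SMS link click
        sideload_after_sms = False
        for e in evs:
            novel = (e.kind, e.detail) not in known
            if e.kind == "sms_link":
                last_sms = e.ts
            elif e.kind == "net" and novel:
                score += 1
                reasons.append(f"new destination {e.detail}")
            elif e.kind == "app_install" and e.detail.startswith("sideload:"):
                score += 3
                reasons.append(f"sideloaded {e.detail[len('sideload:'):]}")
                if last_sms is not None and e.ts - last_sms <= chain_window:
                    sideload_after_sms = True
            elif e.kind == "perm_grant" and e.detail in SUSPICIOUS_PERMS:
                score += 3
                reasons.append(f"granted {e.detail}")
                if sideload_after_sms:
                    score += 4
                    reasons.append("chain: sms link -> sideload -> accessibility")
        if score >= threshold:
            alerts.append({"device": device, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in score_events(build_profile(BASELINE), RECENT):
        print(alert)
```

Run as a script it prints one alert for d1 with the four reasons; a single new domain on its own stays below the threshold, which is the trade-off a real agent has to tune between missed detections and alert fatigue on a device whose owner visits new sites every day.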
To learn more about how mobile EDR keeps your devices safe, read Using Endpoint Detection and Response (EDR) in Mobile Defense.
What is digital forensics and incident response?
With mobile devices expanding the modern kill chain, even the most secure organizations are at risk of a data breach. Having a digital forensics and incident response (DFIR) plan can mitigate the effects of such a breach.
DFIR plans can generally be split into two components: digital forensics and incident response.
Digital forensics
Digital forensics is the process of investigating a breach to establish what happened, how, and what was affected, while preserving evidence in a form that holds up with lawyers, regulators, and law enforcement. The National Institute of Standards and Technology (NIST) defines four key steps in a digital forensics process:
- Collection: Investigators identify the data relevant to the investigation (device images, logs, network captures), then acquire, label, and record it in a way that preserves its integrity and chain of custody.
- Examination: Investigators process the collected material and extract the segments that shed light on the breach, for example the app installs, permissions, and connections from a compromised phone.
- Analysis: Investigators correlate those segments to reconstruct the attacker's timeline and find the root cause of the breach.
- Reporting: Investigators summarize their findings in a report that states how the breach occurred, what it affected, and how the organization will avoid a similar breach.
Incident response
Incident response is how organizations plan to slow or stop breaches they discover. The SysAdmin, Audit, Network and Security (SANS) Institute breaks it down into six steps:
- Preparation: Administrators create or revise the security policy and playbooks for breach response, and then share and rehearse them with staff.
- Identification: Administrators detect and confirm that an incident is under way, using telemetry such as EDR alerts and logs, and determine its scope: which devices, accounts, and data are affected.
- Containment: Once a breach is confirmed, administrators isolate what is compromised to stop it spreading. That might mean quarantining a device from the network, revoking tokens and permissions, forcing the attacker's sessions to log out, or restricting file access.
- Eradication: Administrators remove the attacker's foothold, whether that's uninstalling malware, wiping and re-enrolling devices, or closing the vulnerability that was exploited.
- Recovery: Administrators restore systems to working order, verify they are clean, and allow others to return to normal work.
- Lessons learned: Administrators review the incident, including the forensic report, document what worked and what didn't, and feed those findings back into the preparation step.
To learn more about DFIR, read The Role of Digital Forensics and Incident Response (DFIR) in Cybersecurity.
What is threat hunting?
Automated detection systems can't catch every breach. To spot the most patient and sophisticated threat actors, your organization needs to take a proactive approach. Threat hunting is the practice of actively searching your organization's systems for signs of compromise that no alert has fired on.
By pulling from pooled knowledge bases and using comprehensive monitoring tools, threat hunters can spot signs of a breach that automation might miss and contain the threat.
What is threat intelligence?
Organizations ranging from enterprise businesses to national governments have collected huge stores of data about how threat actors conduct cyber attacks. In isolation, that data has limited use. But when organizations pool their data, they create a well of knowledge about how threat actors operate. That's threat intelligence, and threat hunters use it to understand how the next attack might look. When they know what to expect, they're better equipped to defuse an attack before it explodes.
What is a threat intelligence feed?
A threat intelligence feed is a continuously updated stream of indicators of compromise (IOCs) such as malicious domains, URLs, IP addresses, and file hashes, often alongside the tactics and tooling of specific threat groups, including advanced persistent threats (APTs). Security teams consume these feeds to stay abreast of the latest warning signs and attacker tactics. Because threat actors constantly design new attack patterns, the best feeds update continuously and are matched automatically against your own telemetry rather than read by hand.
Threat intelligence best practices
To get the most out of your threat intelligence efforts, consider following these best practices:
- Consult several feeds to achieve a more complete understanding of the cybersecurity landscape.
- Prioritize mobile vulnerability management.
- Create an actionable plan for keeping your hardware and software up to date.
- Educate your employees on social engineering scams they're likely to face and how to respond.
- Employ mobile EDR to protect your devices and provide more telemetry to your security team.
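The first and last of those practices, consulting several feeds and feeding mobile telemetry into the comparison, are shown together in this added example; it is not Lookout's code and none of the indicators, feed names, or telemetry are real. The three constructed feeds deliberately disagree on format (defanged URLs, mixed-case bare domains, IP addresses with duplicates), so the example normalizes each line before merging, records how many feeds list each indicator as a cheap confidence signal, and then matches constructed mobile events, including parent domains, against the merged set.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed feeds (no real indicators). They disagree on format: feed_a ships
# defanged URLs, feed_b bare domains in mixed case, feed_c IP addresses.
FEEDS = {
    "feed_a": [
        "# parcel-tracking smishing kit (constructed entry)",
        "hxxp://track-parcel[.]example[.]net/x",
        "hxxp://login-verify[.]example[.]org/",
    ],
    "feed_b": [
        "track-parcel.example.net",
        "cdn.badpayload.example",
        "LOGIN-VERIFY.example.org",
    ],
    "feed_c": [
        "203.0.113.10",
        "203.0.113.10",
        "198.51.100.7",
    ],
}

# Constructed mobile telemetry: (device, event kind, observed value).
TELEMETRY = [
    ("d1", "sms_link", "https://track-parcel.example.net/x?id=42"),
    ("d1", "dns", "files.cdn.badpayload.example"),
    ("d2", "net", "203.0.113.10"),
    ("d2", "dns", "mail.example.com"),
]


def refang(s):
    """Undo common defanging so indicators from different feeds compare equal."""
    return s.replace("[.]", ".").replace("hxxp", "http").replace("[:]", ":")


def normalize(raw):
    """Canonicalize one indicator to ('ip', addr) or ('domain', host), else None."""
    s = refang(raw.strip().lower())
    if not s or s.startswith("#"):
        return None
    if "://" in s:
        s = urlsplit(s).hostname or ""
    else:
        s = s.split("/", 1)[0]
    try:
        return ("ip", str(ipaddress.ip_address(s)))
    except ValueError:
        pass
    if "." in s and " " not in s:
        return ("domain", s.rstrip("."))
    return None


def merge_feeds(feeds):
    """Map each canonical indicator to the set of feeds that list it.

    Listing by more than one independent feed is a cheap confidence signal;
    duplicates inside one feed collapse automatically.
    """
    merged = defaultdict(set)
    for name, lines in feeds.items():
        for line in lines:
            ind = normalize(line)
            if ind is not None:
                merged[ind].add(name)
    return dict(merged)


def match_telemetry(merged, events):
    """Return telemetry events whose value (or a parent domain) is in the merged feed."""
    hits = []
    for device, kind, value in events:
        ind = normalize(value)
        if ind is None:
            continue
        candidates = [ind]
        if ind[0] == "domain":
            parts = ind[1].split(".")
            # files.cdn.bad.example also matches cdn.bad.example and bad.example,
            # but never the bare TLD.
            candidates += [("domain", ".".join(parts[i:])) for i in range(1, len(parts) - 1)]
        for cand in candidates:
            if cand in merged:
                hits.append({"device": device, "kind": kind, "indicator": cand[1],
                             "sources": sorted(merged[cand])})
                break
    return hits


if __name__ == "__main__":
    merged = merge_feeds(FEEDS)
    print(f"{len(merged)} unique indicators from {len(FEEDS)} feeds")
    for hit in match_telemetry(merged, TELEMETRY):
        print(hit)
```

Three of the four events match. The smishing domain is corroborated by two feeds while the sideload CDN is known to only one, which is exactly the kind of difference a team uses to decide which hit to escalate first; an indicator no single feed carried would have been missed entirely, which is the argument for consulting several.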
To learn more about threat hunting and threat intelligence, read Enhancing Security Posture: What is Threat Hunting? and How to Leverage Threat Intelligence Feeds to Level Up Your Organization's Security Strategy.
Know the risks and guard against them
Remote work has opened up a new world of flexibility. With mobile devices and cloud apps, workers are more empowered than ever to work how they want and where they want. However, that flexibility comes with new threats. Your organization needs to be ready to defend against them. To learn about the five most pressing risks of operating in the cloud, read our free whitepaper today.