Offices are empty and people are working from home. Tablets and smartphones have become a primary way workers are staying productive. Alex Gladd, Principal Product Manager, joins us to talk about why you can’t stop breaches without including mobile devices as part of your threat hunting efforts.
Hank Schless 00:09
Hi, everyone, and welcome to episode six of Endpoint Enigma. I'm your host, Hank Schless. And today, we've got a great topic to discuss, which is mobile endpoint detection and response, or mobile EDR. We're also joined by Alex Gladd, who is a principal product manager at Lookout and has been here for almost seven years. So, welcome, Alex.
Alex Gladd 00:26
Thanks, thanks. Glad to be here.
Hank Schless 00:27
Awesome. So can you tell us before we get started, tell us a little bit about your background and what your path to mobile security was?
Alex Gladd 00:35
Yeah, sure. So, like you said, Hank, I've been here for over six years, almost seven now. And I've been a product manager here. And before I came to Lookout, I was actually a software engineer for almost a decade in the defense contracting industry, actually. And I'd always had an interest in information security, starting in college, even before my first job, and that morphed while I was working in the defense industry into an opportunity to start actually working on some information security, specifically in the mobile space. And yeah, that turned into Lookout finding me and here I am.
Hank Schless 01:12
Nice. So to go back to our main topic for today. So let's lay the groundwork here a bit, right. So the focus of this conversation is going to be endpoint detection and response, or EDR. So what is it? And also, why do you think it's important to have as part of a, you know, an organization's security operations?
Alex Gladd 01:32
Yeah, so EDR. Like I said, endpoint detection and response; the name itself doesn't really imply a whole lot other than yes, we should detect things. And yes, we should respond to them. But there's definitely a whole lot going on under the covers, right? And I guess you can break EDR down into sort of four main pillars or tenets. And those four would be: number one, first and foremost, being able to detect incidents, right? I have to be able to detect threats that my devices encounter. Number two: once I detect those things, I need to be able to contain those incidents on the endpoints as quickly as possible. And number three: being able to actually investigate those incidents. Right? So that involves a little bit of forensics work, a little bit of research into, okay, what was this threat? How did it happen? Why did it happen to this device? And what are the potential consequences of that? So, those are all things that go into number three, and then number four is being able to remediate those threats. So that's sort of a mixed bag, but generally comes down to, you know, how do I prevent this from happening in the future, not only for this particular threat, but maybe also similar threats out there. So what preemptive steps can I take to help protect the rest of my endpoints?
Hank Schless 02:54
Gotcha. So with all that in mind, we'll take those core pillars, right, and where does that apply to mobile? And then, as a bonus question, do the capabilities of mobile devices themselves and kind of how they're built and operated play into all of this? Or can you basically treat them the same as you treat, let's just say, like a laptop or something like that more traditional endpoint in the context of EDR?
Alex Gladd 03:18
The first question is really easy to answer. Of course, all those four things definitely apply to mobile. From my perspective, the mobile endpoint is no different than any other endpoint. That's especially true today. So why shouldn't an organization want to apply the same level of insight and protection to mobile endpoints as they do traditional endpoints? That being said, of course, the mobile environment is a lot different than what many are used to in traditional environments. And that's especially true with EDR. Because in an EDR world, a lot of the technical savvy of EDR comes down to being able to have deep access into an endpoint. So my EDR agent is typically something that has kernel-level access on the device, it's recording events all the time, sending all that telemetry back into either my on-premises or cloud-based EDR. And then the EDR tools are compiling all those and giving me all those great insights that we talked about through the four different pillars. On mobile, of course, things are different, because you know, normal applications don't have the same level of access that you can sort of get for free on traditional endpoints. So we have to work within the limitations of what the platforms make available to us as an application in terms of what sort of events we can record and what sort of telemetry we can collect. The other interesting challenge on mobile is that we also have to take a much harder look at the privacy implications of what we are trying to do. In a traditional EDR setting, we're almost exclusively talking about corporate-owned endpoints, right? …corporate desktops, corporate laptops that are issued to employees solely by the organization. On mobile, that's definitely not always the case.
While there are deployments out there that are fully corporate owned, more often than not what we're seeing is either a mix of corporate-owned and bring-your-own-device or even fully bring-your-own-device enabled organizations, which means people are bringing their personal devices and using them for work. So again, that just brings up how big of a challenge we have in terms of, how do I provide the same level of security to that mobile device when I'm also contending with the fact that it's an employee's personal device, which brings a whole host of, you know, liability and privacy concerns?
Hank Schless 05:46
Yeah, absolutely. I mean, as mobile becomes more important, and people are really leveraging those devices more, we definitely hear that more in the market. And there's also this… almost expectation people have that they can use their own device or, if they can't use their own device, they have the freedom to use the device that work gives them to be able to do a lot of personal stuff. It sounds like EDR is something that would have come to the mobile market sooner. And we all know how many capabilities these devices have, especially now when they can pretty much access as much data as a laptop. So I guess my core question, why hasn't there been a true mobile EDR product in the market yet? Is it a question of market appetite? Or is it just a question of the capabilities of these devices and the fact that now they've become critical to include in this process as a key part of the infrastructure?
Alex Gladd 06:32
Yeah, I would say it's a little bit of both, right? It's easy for us to focus on mobile, but the reality for many organizations is that they're still trying to find a way to fully secure their traditional endpoints, right? That's something that's… it's not a completely solved problem, even on that side. So for organizations typically trying to balance between “what do I need to spend my time on that makes the most impact” to the security of my organization and my endpoints? I think, for a long time, that wasn't a relatively easy answer, right? I have many more traditional endpoints; they typically have more access to data than, you know, maybe the very small subset of my executives that have email access on their mobile devices. But like you said, we've seen that is changing extremely quickly, especially now, given everything that's going on these days, right? People are moving to remote work faster than ever. And I think some of that balance is starting to shift. Offices are empty. People are working from home. And suddenly, you know, mobile is going to be top of mind for a lot of people. And then the second part of that is the data access. And the same is true. Moving to remote work means people need more access to more data on all of their devices, including their mobile devices. So it's sort of the same answer, right? It's: Now that people have more access on the mobile side, it's a lot easier to turn your attention as a CISO to what's going on in the mobile space, because it's just the reality of what's going on in the world right now.
Hank Schless 08:06
Yeah, absolutely. And it almost sounds like it's not just a question of device capability or employee preference, but also policy shift. So when you speak to other people in the market, whether they're analysts, peers, customers, whoever it may be, does it seem like people generally understand these challenges as CEO in the context of EDR on mobile? And do they understand how important it is to have it?
Alex Gladd 08:28
Yeah, I think in most cases, people do. There's always going to be education, right? And a lot of times, it depends on the nature of the organization. And the extent to which, during times like these where remote work is big, you know, to what extent people need data access. Yeah. And I guess COVID is something we've been sort of referring to a few times here. But if you would ask me the same question maybe a year ago, I probably would have had a different answer, because, like we've been talking about, this whole shift to remote work… kind of changed, like we said, the balance of how things look today, even compared to just 12 months ago. So I think for many organizations who were sort of, I wouldn't say ignoring mobile but putting it on the back burner of things that need to take priority; suddenly, that's shifting. People are finding the need to educate themselves. And I don't think it's a very large jump to understand that we can take the best of breed that we have in the traditional space, which is, you know, all these new and innovative EDR tools, and I should have the same for my mobile endpoints. I think that's something that, in conclusion, people don't need a lot of coercion or discussion to come to themselves, right? It's something that's been happening in the traditional space for a while and COVID turned into sort of a forcing function for people to make those considerations on mobile.
Hank Schless 09:51
So the thing that I personally think is most interesting about EDR is the investigation –– the threat hunting; the more, kind of proactive, spy secret agent side of it. So tell me first about the investigation side of it. How does it change when you're looking at mobile devices? Especially when you're looking at something like mobile phishing or an attack that doesn't necessarily use a ton of code? How does that change with mobile?
Alex Gladd 10:17
Yeah, well, I guess, first of all, I definitely agree that this is sort of the most interesting area of EDR. Because this is really the area where I, as the user of these tools, can have the most impact in terms of being able to actually detect and respond to the threats. And in terms of how it changes on mobile, I guess I would say there's a couple of things to consider. The first is the… Like we touched on a little earlier –– right? –– there's definitely crossover between desktop and mobile threats. And then we also have to make sure we are looking at some of the key characteristics of mobile threats themselves, or else there's things you're gonna miss. So in terms of the crossover –– right? –– this is what we touched on earlier with… Threat actors are increasingly building campaigns that target both traditional desktop endpoints and mobile endpoints. Some examples of that are people targeting banking or financial space. So I may create some desktop malware that tricks somebody into starting a transaction, which, of course, these days, a lot of times, you're gonna have mobile transaction codes or SMS authorization that happens as part of that. Well, then that brings in the mobile side, right? And I need to make sure as a threat actor, I have coverage for those types of codes –– right? –– I need to have presence on both the desktop and the mobile device in that case, to sort of complete that chain of attack. And in terms of EDR, whatever EDR tool I'm using needs to understand both of those spaces in order to make those data correlations. So my tool needs to have access to both traditional desktop data and mobile data so that when I'm doing my investigation, I can sort of seamlessly pivot between the two platforms. So the other part of that is the key characteristics on mobile. Of course, the easiest one to talk about there is… Mobile malware typically looks a lot different than desktop malware. 
Desktop malware is typically reasonably sophisticated these days, because it's a problem space that people have been dealing with for decades now. So to evade detection –– right? –– you gotta be fairly sophisticated for traditional desktop malware. On the mobile side, that's less the case for sure. A lot of times, you can just socially engineer somebody, or even sneak an app onto Google Play or the App Store for iOS devices. And simply ask people, “Hey, grant my app all these permissions to access all of your data, I swear, it's completely fine.” And more often than not, people hit that OK button. So in terms of malware, you're looking for different things, right? You're not necessarily looking for the ultra-sophisticated exploits out there, right? A lot of times it's looking for interesting combinations of capabilities that a mobile application has in terms of what data access they have combined with what remote endpoints they're accessing. For instance, similarly, in terms of analysis capabilities, things are different there, too. You know, we've seen many times where a phishing attack targeted at mobile will render a completely different page if you're trying to access it from a desktop browser. So we're looking at things like user agents and other indicators to determine, is this user coming from a mobile device or a desktop device? If my analysis stack isn't emulating mobile devices? Well, guess what? I've just missed that potential discovery. So yeah, in terms of being able to detect those key characteristics for mobile, it's pretty important to have that integrated into an EDR solution.
Hank Schless 13:51
Yeah, I mean, that's all super interesting. Can you tell us a little bit more about that threat hunting side of it, really –– what it is, what you do for it, and maybe just some of, like, the use cases that you see or you've been through yourself?
Alex Gladd 14:03
For threat hunting, I would break it down into sort of two main areas or two categories, one of which is proactive research or proactive threat hunting and the other, of course, being reactive research or reactive threat investigation. So I guess if we start with the reactive side –– right? –– that's typically: Something has happened, I need to figure out what it was and why and what problems could it cause. So this is more of like the incident investigation side where something has happened, you know, your security product has made a detection. It's alerted your team that something has happened. And now that team, they're tasked with figuring out what happened on the device, what's the severity of the threat? What do we need to do to that device to fully remediate? And what is the threat posed to the rest of my endpoints? So it's sort of a mix of researching what are the capabilities under threat, what else should I be worried about? Also mixed with a little bit of the forensic side of, you know, what actually happened on the device? What is the potential for credential theft, data theft, whatever it may be, based on the actual threat that was encountered? On the proactive side, it's a little different, right? Because our starting point isn't an incident or a detection, it's really more of open ended. Threat hunting, like really true threat hunting –– and typically, that starts from a couple different sources; one may be open source intelligence. So some blog or some news site posts something about a campaign that was discovered or something similar, where a story like that will post a set of IOCs, or indicators of compromise –– right? …that campaign was found to be using this set of IP addresses or this set of host names, or here's a set of hashes for known bad applications sort of all serve as potential starting points for doing proactive threat hunting. And regardless of whether it's a reactive use case, or a proactive use case, you start with some data. 
And you need to be able to pivot through the dataset to figure out or to make more discoveries. Really, the goal is to turn that raw data into actionable intelligence that you can do something with and on the reactive side that often looks like, you know, answering those questions we talked about earlier. And on the proactive side, it's really making actual new discoveries of, hey, here's this threat that hasn't been identified yet. And I can preemptively put coverage in place so that even if it was something that got targeted at one of my endpoints, I already have detection in place, and I'm good to go.
Hank Schless 16:45
Yeah, there's, it's a lot that goes into it. And while adding mobile definitely adds more to it, it's a pretty key part of being able to really complete that full investigation and also the hunting aspect of this type of job, right? So before we kind of wrap up here, I'd be interested to know if you have any particular examples or scenarios where EDR has been particularly helpful, either in your own experience, or what you've heard kind of out in the world, out in the market.
Alex Gladd 17:15
Yeah, if you take a step back first –– right? –– and think about why EDR was so popular when it came about, right. We said early on that, okay, we detect things and we respond to them. But really where the power of EDR comes into play is being able to detect more things more often, and being able to respond more effectively to them. So some examples of those we've already touched on. But if we're talking about it in the context of mobile –– right? –– probably the best example is coming back to those threat campaigns where the threat actors are taking a dual-pronged approach, targeting desktop users as well as mobile users. And I talked about, you know, the proactive threat hunting use case, well, we sort of prove this out on a day-to-day basis here at Lookout because we have a research team that does these activities. That's their day job, right? And in instances like we've seen where threat actors are launching a campaign at targets, desktop, and mobile, even when those are discovered, more often than not, you'll see in the news, people talk purely about the desktop side, because that's more often what people are focused on. A lot of times what our research team will do, though, is follow news like that, right? And like I said, look for the IOCs that are included in those stories, and we can plug those into our systems and find where those crossovers happen, right? So, if it gets published that this state-sponsored actor out there was, you know, using this set of infrastructure to launch attacks against banking customers, we can go and use the same IOCs to pivot through our own data. And sure enough, pop up, you know, a handful of mobile apps that communicate with that same infrastructure.
And in another example, it's that same sort of thing, but leads us to, I guess, what I'll call cross-vector attacks, where looking at, initially, indicators of compromise from desktop malware leads us to discover infrastructure that's also hosting phishing attacks targeted at mobile users, right? So we have not only crossover in platforms in terms of malware but also the vector. And it just gives us more proof that threat actors out in the world are recognizing that mobile is an increasingly valuable target and gives us the proof we need to say we recognize the value in EDR in the traditional space, let's start applying that to mobile because it helps us fill that huge gap we have in terms of being able to do those types of correlations that, you know, our researchers take advantage of on a daily basis.
Hank Schless 19:57
Absolutely. And I think that's probably a great spot to wrap it up. So, Alex Gladd, thank you so much for joining us. Really appreciate your insight into things and look forward to seeing more about, you know, where this market evolves to and, you know, hopefully, people can give this a listen and they can always reach out to us if they have any particular opinions on mobile EDR. Then I'll be sure to give them your home address so they can come find it. Okay. So, no, but seriously, Alex, thank you for joining us. It's been a great conversation. And thank you everybody else for tuning in. We'll see you in a couple of weeks with our next episode of Endpoint Enigma. Have a great day.