Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul

Post on 24-Jan-2018


NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5

Mobile Threat Detection using On-Device Machine Learning Engine

Mark Szewczul, CISSP

IoT Security Architect

Zimperium, Inc.

11/10/2017


Rhetorical Questions

• How many of you carry a Smartphone or a Tablet?

• How many have access to corporate information?

Not-so-Rhetorical Questions

• How many believe that your mobile is completely safe?

• How many of you would know if it was not?

Mobile Is the New PC

[Chart: Global Internet Consumption, Desktop vs Mobile, minutes per day, 2014–2018; series: Mobile Internet and Desktop Internet; labelled values 26.90 and 112.9]

Source: “Mobile Advertising Forecast, 2016”, Zenith

Mobile Compromise → Risk to Enterprise

Technology Assets: Emails, Pictures, Company Confidential files, Contacts, Calendar, Credentials

→ Access: Email Servers, Document Repositories, Enterprise Apps, Corporate Servers

→ Further compromise

Avoid the ripple effect...

The Threat Is Real. And It Is Everywhere

Mobile Threats Are Real… Malicious App

Install app from third party store → Permissions abuse (user taps ALLOW) → Exploit executed → Leak data → Used as pivot to internal network

Mobile Threats Are Real… iOS Profile

Consultant that goes in and out of client networks (client1_wifi, client2_wifi, client3_wifi, client4_wifi) → Doesn’t like client network restrictions on-site → Installs “free” VPN profile to bypass restrictions → Installs SSL cert to encrypt / decrypt device traffic → All company data is decrypted to the hacker

Mobile Threats Are Real… Wi-Fi MITM

At a coffee shop near an office (coffee_wifi: CONNECTED!) → Wi-Fi MITM → Redirect to phishing page (LOGIN) → Data exploit → Access to cloud source data

Mobile Threats Are Real… Silent Device Exploit (e.g., Stagefright)

Phone on table while you sleep → MMS sent to dormant device (“New Message Received!”) → MMS processed → Exploit executed → Privilege elevation → Device compromised → Persistence for targeted attack

The Threat is Real… & Pervasive

• Network Attacks: 10% of Devices

• Malicious Apps: 11% of Devices

• Dangerously Configured Devices: 12% of Devices

• Vulnerable (e.g., Out of Date OS, Leaky App…): 87% of Devices

Source: “1Q/2017 Global Threat Intelligence”, Zimperium

The Threat Is Real.

What does a CISO do?


Two Areas of Consideration

1. Manage Risk with Conditional Entitlement

2. Active Threat Defense


On-Device ML Detection Engine

z9™ Detection Engine uses machine learning to provide real-time, on-device protection against both known & unknown threats:

• Network Attacks

• Application Attacks

• Device Attacks

STAGES of Cyber Kill Chain

• Stage 1 – Reconnaissance

• Stage 2 – Network Manipulation

• Stage 3 – Delivery

• Stage 4 – Command & Control

• Stage 5 – EOP (Elevation of Privilege)

• Stage 6 – Data Exfiltration

Cyber Kill Chain walk-through (diagram)

1. Recon: Scan (IPv4/IPv6), Target discovery

2. Network Manipulation: MITM, Intercept Traffic

3. Delivery: Social Engineering, Malware

4. Command & Control: Exploit, Get Reverse Shell

5. EOP: OS / Kernel Exploit, Privileges Elevation

6. Data Exfiltration: Compromised

Victim-side actions shown in the diagram: Coffee Shop, Connect to Wi-Fi, Found Infection, Run Cleaning Tool, Check Emails, Download Attachments

Let’s Attack!

Q & A

Thank you!

About me

Mark Szewczul, CISSP, is an IoT Security Architect at Zimperium with over 20 years of experience in the Semiconductor, Telecom/Datacom, and Computing sectors. He is currently Director of Marketing at the Dallas/Fort Worth Cisco Users Group, has led the IEEE Electromagnetic Compatibility Society and co-founded the IEEE Consumer Electronics Society, both in Dallas. Along the journey, he has mastered design, testing, integration and deployment of numerous systems. His passion is implementing best practices of security and privacy principles at all 7 layers and beyond. He holds an MS in Information Science and Systems from Texas A&M University and 3 patents.

marks@zimperium.com / @vslick1

469-996-7942