THE LOOKOUT SECURITY PLATFORM
Advanced mobile threat protection through predictive cybersecurity
WHITEPAPER
Table of Contents
1. The Road to Predictive Security
   a. Cyberattack Economics
   b. Signature and Behavioral Analysis Limitations
   c. Toward Predictive Security
   a. Acquisition
   b. Enrichment
   c. Analysis
   d. Protection
   a. FireTalk
   b. BadNews
6. Conclusion
Lookout, Inc. | 1 Front Street, Suite 2700, San Francisco, CA 94111 | www.lookout.com |
security.
SIGNATURES
  CONS: Brittle and easily evadable
1. 2014 Cost of Cyber Crime Study: United States. The Ponemon Institute. Oct. 2014.
2. Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware. Gartner. Aug. 22, 2014.
3. 2014 Mobile Threat Report. Lookout. Jan. 2014.
instances.4
SIGNATURE     PATTERN                                  STATUS
Signature 1   \x00\x00\x00AndroidRTService.apk\x00     EFFECTIVE
Signature 2   \x00\x00\x00AndroidRTSXervice.apk\x00    BROKEN
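The brittleness the table illustrates, shown as an added example (this is not Lookout's code or a platform component): an exact byte-pattern signature fires on the original resource name and misses the variant that differs by a single inserted byte, while a byte-level similarity score still places the variant right next to the original and keeps an unrelated sample far away. The two sample strings are the ones in the table; the third, unrelated sample, the similarity threshold and the difflib-based scoring are constructed assumptions for illustration.

```python
import difflib

# Sample byte strings from the whitepaper's table: the original resource
# name and the variant with a single inserted byte ('X').
ORIGINAL = b"\x00\x00\x00AndroidRTService.apk\x00"
VARIANT = b"\x00\x00\x00AndroidRTSXervice.apk\x00"
# Constructed, unrelated sample used as a negative control (not from the page).
UNRELATED = b"\x00\x00\x00com.example.notes.apk\x00"

# Exact byte signature written against the original sample.
SIGNATURE = b"AndroidRTService.apk"


def signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature: fires only when the exact byte pattern is present."""
    return signature in sample


def similarity(a: bytes, b: bytes) -> float:
    """Byte-level similarity in [0, 1]: difflib ratio = 2*matches/(len(a)+len(b))."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def similarity_match(sample: bytes, reference: bytes = ORIGINAL,
                     threshold: float = 0.9) -> bool:
    """Similarity-based check (assumed threshold): tolerates small edits."""
    return similarity(sample, reference) >= threshold


def triage(samples: dict) -> dict:
    """Run both checks over named samples and report the verdicts side by side."""
    return {
        name: {
            "signature": signature_match(data),
            "similarity_to_original": round(similarity(data, ORIGINAL), 4),
            "similarity_flag": similarity_match(data),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    report = triage({"original": ORIGINAL, "variant": VARIANT, "unrelated": UNRELATED})
    for name, result in report.items():
        print(f"{name:10s} {result}")
```

The variant scores 48/49 (about 0.98) against the original, so a similarity threshold catches what the exact signature loses; the unrelated control stays well below 0.9, which is the check a practitioner would run before trusting a fuzzy rule not to flood the queue with false positives.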
BEHAVIORAL ANALYSIS
CONS
4. Hackers in China Attacked The Times for Last 4 Months. New York Times. Jan. 30, 2014.
applications:
SAMPLE   PERMISSIONS                                   FLAGGED BEHAVIOR
APP 1    android.permission.READ_CONTACTS              YES
         android.permission.ACCESS_NETWORK_STATE
         android.permission.ACCESS_FINE_LOCATION
         android.permission.READ_CALENDAR
APP 2    android.permission.READ_CONTACTS              YES
         android.permission.WRITE_CONTACTS
         android.permission.ACCESS_NETWORK_STATE
         android.permission.ACCESS_FINE_LOCATION
5. Target says it declined to act on early alert of cyber breach. Reuters. Mar. 13, 2014.
INTRODUCTION
ENTERPRISE PRODUCT                        CONSUMER PRODUCT
Mobile Threat Protection (MTP), iOS       Lookout Mobile Security (LMS), iOS
Mobile Threat Protection (MTP), Android   Lookout Mobile Security (LMS), Android
Mobile Intelligence Center (MIC)
i. Acquisition
AT A GLANCE
- Registered mobile sensors: 60+ million worldwide
- App vetting API partners: many, including some of the world's largest app stores
- Unique app binaries detected8: 67,500,000
- Unique app binaries acquired: 8,300,000
- Unique app binaries detected on only one device worldwide: 875,000
- Crawling: 10,000+ apps acquired daily
8. Lookout's platform is aware of the presence of 67,500,000 unique app binaries in the world, counted by cryptographic hash. This includes both system apps (apps that are part of the operating system) and user-downloaded apps, and counts each version of an app as a unique app instance.
The following table highlights the types of data collected from mobile sensors in this acquisition funnel:
Table 3: Mobile Sensor Data Collection
TYPE                 ANDROID/iOS     SCOPE    APPLICATION
Cryptographic hash   Android + iOS
Package name         Android + iOS
APK9 file            Android
                     iOS
security issue.
9. APK = Android Application Package, the package file format used to distribute and install app software onto Android devices.
ii. Enrichment
Examples:
- REPUTATION RESULTS: 95% of known APKs that use this signer are malware

Examples:
technologies that run the app in a simulated environment and analyze the capabilities of its code.

Examples:
- write_file (Osiris[0.1.217])
- read_contacts (Static Behavior Extraction[3.1.469])
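How a signer-reputation line such as "95% of known APKs that use this signer are malware" can be derived and attached to a newly acquired binary, as an added example (not Lookout's code or the platform's enrichment pipeline): reputation is the malware fraction among a signer's APKs with a known verdict, and behavior tags are carried along in the "behavior (extractor)" shape the page shows. The corpus, hash placeholders and signer identifiers are constructed; the extractor labels Osiris[0.1.217] and Static Behavior Extraction[3.1.469] are reused from the page's own examples only as tag text.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class ApkRecord:
    """One acquired binary with the metadata enrichment draws on."""
    sha256: str                 # placeholder hash (constructed, not a real IoC)
    signer: str                 # signing-certificate identifier (constructed)
    verdict: str                # "malware", "clean" or "unknown"
    behaviors: list = field(default_factory=list)  # (behavior, extractor) pairs


def constructed_corpus() -> list:
    """Constructed corpus: signer-a signs 19 known-malware APKs, 1 clean APK and
    1 with no verdict yet; signer-b signs 4 clean APKs."""
    corpus = [ApkRecord(f"HASH-A-{i:02d}", "signer-a", "malware") for i in range(19)]
    corpus.append(ApkRecord("HASH-A-19", "signer-a", "clean"))
    corpus.append(ApkRecord("HASH-A-20", "signer-a", "unknown"))
    corpus += [ApkRecord(f"HASH-B-{i:02d}", "signer-b", "clean") for i in range(4)]
    return corpus


def signer_reputation(corpus: list) -> dict:
    """Per signer: (malware fraction among *known* APKs, number of known APKs).
    Records with verdict 'unknown' are excluded from the denominator."""
    known = defaultdict(Counter)
    for rec in corpus:
        if rec.verdict in ("malware", "clean"):
            known[rec.signer][rec.verdict] += 1
    return {
        signer: (counts["malware"] / (counts["malware"] + counts["clean"]),
                 counts["malware"] + counts["clean"])
        for signer, counts in known.items()
    }


def enrich(record: ApkRecord, reputation: dict) -> dict:
    """Attach the signer-reputation line and behavior tags to a record."""
    ratio, total = reputation.get(record.signer, (0.0, 0))
    note = (f"{ratio:.0%} of known APKs that use this signer are malware"
            if total else "signer has no known APKs")
    return {
        "sha256": record.sha256,
        "signer": record.signer,
        "signer_malware_ratio": ratio,
        "signer_known_count": total,
        "reputation_note": note,
        "behaviors": [f"{behavior} ({source})" for behavior, source in record.behaviors],
    }


if __name__ == "__main__":
    rep = signer_reputation(constructed_corpus())
    new = ApkRecord("HASH-NEW", "signer-a", "unknown",
                    [("write_file", "Osiris[0.1.217]"),
                     ("read_contacts", "Static Behavior Extraction[3.1.469]")])
    print(enrich(new, rep))
```

Excluding unverdicted records from the denominator is deliberate: counting them as clean would dilute a signer's malware ratio exactly when a new campaign is still unlabeled, which is when the reputation signal matters most.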
Examples:
INDEX CLASS                      SCORE
Lorg/linphone/MapAPP$1$1;        0.9433
Lorg/linphone/MapAPP;            0.9846
Lorg/linphone/util/Constant;     1.0000
Index match:                     0.9923
iii. Analysis
zero-day threats.
This diagram shows samples of the NotInstalledYo mobile malware family, correlated by shared signers and binary similarity as calculated by the platform's App Genome Sequencing technology. The node at the center of this galaxy represents a widely shared signer that uses a compromised signing key. NotInstalledYo is a family of spyware that intercepts SMS messages on victimized devices and forwards them to attackers.
Samples that share a high degree of binary similarity are grouped by color; a node to which nodes of several colors connect signifies a signer shared among those samples.
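The correlation the diagram describes, reduced to its two relations (binary similarity between samples, and the signer of each sample), as an added example that is not Lookout's code and does not reproduce App Genome Sequencing: samples are clustered by pairwise similarity above a threshold (the color groups), and a signer whose samples span several clusters is reported as a hub of the kind at the center of the galaxy. The sample identifiers, signer identifiers, similarity scores and the 0.9 threshold are all constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample metadata: sample id -> signing-key identifier (not real data).
SIGNER_OF = {
    "s1": "signer-x", "s2": "signer-shared", "s3": "signer-x",
    "s4": "signer-shared", "s5": "signer-y", "s6": "signer-shared",
}
# Constructed pairwise binary-similarity scores in [0, 1]; unlisted pairs count as 0.
SIMILARITY = {
    frozenset({"s1", "s2"}): 0.97, frozenset({"s2", "s3"}): 0.95,
    frozenset({"s1", "s3"}): 0.96, frozenset({"s4", "s5"}): 0.98,
    frozenset({"s3", "s4"}): 0.40, frozenset({"s1", "s6"}): 0.20,
}


def similarity_clusters(samples: list, similarity: dict, threshold: float = 0.9) -> list:
    """Group samples connected by similarity >= threshold (union-find); each
    returned frozenset is one 'color' in the diagram."""
    parent = {s: s for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if similarity.get(frozenset({a, b}), 0.0) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for s in samples:
        groups[find(s)].add(s)
    return [frozenset(g) for g in groups.values()]


def signer_cluster_spread(signer_of: dict, clusters: list) -> dict:
    """For each signer, the indices of the clusters its samples fall into."""
    cluster_of = {s: i for i, c in enumerate(clusters) for s in c}
    spread = defaultdict(set)
    for sample, signer in signer_of.items():
        spread[signer].add(cluster_of[sample])
    return dict(spread)


def hub_signers(signer_of: dict, similarity: dict,
                threshold: float = 0.9, min_clusters: int = 2) -> set:
    """Signers shared across at least min_clusters similarity groups: the nodes
    that would sit at the center of the galaxy and merit a key-compromise review."""
    clusters = similarity_clusters(list(signer_of), similarity, threshold)
    spread = signer_cluster_spread(signer_of, clusters)
    return {signer for signer, cs in spread.items() if len(cs) >= min_clusters}


if __name__ == "__main__":
    for cluster in similarity_clusters(list(SIGNER_OF), SIMILARITY):
        print("cluster:", sorted(cluster))
    print("hub signers:", hub_signers(SIGNER_OF, SIMILARITY))
```

A signer that appears in only one similarity cluster is unremarkable (one developer shipping one code base); a signer spanning otherwise dissimilar code bases is the pattern worth escalating, since it is what a leaked or shared signing key looks like from the outside.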
iv. Protection
The output of Lookout's platform is a dynamic security decision that identifies evolving known threats as well as unique, targeted attacks. When the platform detects novel threats it automatically initiates an investigative process, alerting Lookout's Research and Response team to further investigate the operation and motivation of attackers, take remedial action such as issuing server takedown requests, and ensure that relevant partners, customers and organizations take remedial action if needed.
telemetry includes:
OS configuration
<https://blog.lookout.com/blog/2013/04/19/the-bearer-of-badnews-malware-google-play/>
VI. Conclusion
The Lookout Security Platform analyzes potential mobile threats not in the context of a single server, a single device, or a single application, but in the context of global mobile devices and code. Lookout's predictive security model enables more reliable tracking of existing threats and more precise predictions of zero-day threats.

Yet predictive security models only work if they can draw on global context. The continued failure of signatures and behavioral analysis alone to consistently identify threats without oceans of false positives or false negatives reveals the critical importance of having large, contextual data sets. Lookout's platform excels at finding the signal amid the noise because it has unprecedented insight into the code, both apps and firmware, running on tens of millions of devices around the planet. This massive dataset produces hundreds of millions of datapoints that the platform can use to correlate and predict security threats and risks.

Predictive security models require machine intelligence to identify exceedingly complex correlations and risk signals that humans cannot possibly identify at scale. Today, most detection systems excel only at identifying the bank robber who has already hit the vault. We should instead use the deluge of data available to us to predict the next bank robber based on their correlations, across multiple dimensions, to known bad actors.