Editor’s Note: Welcome to our weekly Reality Check column. We’ve gathered a group of visionaries and veterans in the mobile industry to give their insights into the marketplace.
Despite the increases in today’s mobile malware, many mobile operators and subscribers continue to be virtually blind to the full extent of the problem – they simply react to incidents as they occur and have no proactive processes in place to address malware. As more and more applications come to mobile devices, this reactive approach becomes increasingly risky – and will ultimately result in service issues, outages and lost data.
The enterprise world provides a good example of the type of two-pronged strategy needed to combat malware effectively. In corporate environments, both the network and the device are protected: the network via intrusion detection/prevention appliances, firewalls and policy-based controls on the types of traffic allowed in and out; and mobile devices primarily with anti-virus applications. The two modes of protection work in concert – and a similar approach is required for mobile subscribers, where operators are in fact ideally positioned to offer both.
Network versus client-based security
Although client-based security has its strengths, several factors reduce the effectiveness of security apps installed on mobile devices: the user can turn them off, they run on the same device as the malware they are hunting, and they only recognize what they already have a signature for. Infection detection integrated directly into the mobile operator's network offers a much-needed additional layer of protection.
Rather than scanning a user's smartphone or tablet for malware, network-based detection systems analyze mobile Internet traffic for specific malware communications. The approach works because malware must use the network to reach its controllers, transmit stolen information, and spread or update itself. Each of these activities can be observed at the network level whenever the traffic crosses the operator's network, and together they provide strong evidence of infection.
Network-based detection also simplifies the signature problem. In their ongoing "arms race" with security vendors, criminals continuously update and repackage their malicious apps, but they very rarely change the malware's command and control (C&C) protocol. So where device-based security software must track hundreds or even thousands of signatures for the variations of one malicious app, a network-based system needs only to monitor for the handful of distinct C&C protocols those variations share. As a result, a network-based system detects a newly repackaged version of a malware family on the day it appears, with no signature update, as long as it keeps using an existing C&C protocol.
In general, network-based security systems offer the following advantages over client-based systems:
–Cannot be disabled: Network-based systems are out of reach of the techniques modern malware uses to defeat and bypass client-based security measures. Because the detection system is embedded within the service provider's network, code running on the infected device cannot see it, tamper with it, or switch it off.
–Always-on: Client-based anti-virus software can be deactivated by the end user, and some users who turn it off forget to turn it back on. A network-based system cannot be shut off by the user, so it is always on and always doing its job.
–Always up-to-date: Because service providers maintain the equipment, it is easier to ensure the network-based security system remains up to date and aware of the latest threats.
Mobile operators need to recognize that security is not an "either/or" proposition; client-based and network-based solutions are both important layers of an overall security strategy.
Signature-based network detection is needed
One specific technique that can be leveraged in a network-based security system is signature-based detection, which analyzes Internet traffic for a specific traffic pattern, the signature, known to be associated with malware C&C activity. If a device is seen communicating with a traffic pattern that matches a known signature, it can be determined with great certainty that the user is infected with the specific malware that uses that C&C protocol.
Typically, a match on a malware signature raises an alert in the network when the characteristic traffic pattern is observed. But before notifying users that their devices are infected and leading them through the remediation process, mobile operators must be extremely confident that the devices are actually infected, and that they know which type of malware is infecting each user's device.
To ensure accuracy and identify the malware involved, the signatures should cover the full range of infection behaviour: C&C communications, backdoor connections, attempts to infect others (e.g. exploits), denial of service and hacking activity, and excessive e-mail activity.
Minimizing false positives matters for two reasons: users should not be asked to remediate non-existent threats, and they should not receive so many alerts that they become immune to the entire process and refuse to act when their devices really are infected.
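The following is an added illustration of the signature-based detection and false-positive control described above; it is example code written for this column, not Kindsight's detection engine. The flow records, the malware family name "ExampleBot" and its C&C protocol are all constructed for the example. The signature matches on the protocol (method, path shape and client user-agent) rather than on the app's package, so two repackaged builds (ver=12 and ver=13) are caught by the same rule, while a browser request to a lookalike path and a single isolated beacon are not enough to alert.

```python
import re
from collections import defaultdict

# Constructed flow records, not captured traffic. Each tuple is one HTTP request
# as a network sensor might summarise it:
# (timestamp, subscriber id, destination, method, path, user-agent)
FLOWS = [
    (100, "sub-A", "203.0.113.10", "POST", "/gate.php?id=8f3a&ver=12", "Dalvik/2.1.0"),
    (160, "sub-A", "203.0.113.10", "POST", "/gate.php?id=8f3a&ver=12", "Dalvik/2.1.0"),
    (105, "sub-B", "198.51.100.7", "GET",  "/api/v1/feed",             "okhttp/3.12.1"),
    # sub-C runs a repackaged build (ver=13) that keeps the same C&C protocol
    (110, "sub-C", "203.0.113.44", "POST", "/gate.php?id=11ab&ver=13", "Dalvik/2.1.0"),
    (170, "sub-C", "203.0.113.44", "POST", "/gate.php?id=11ab&ver=13", "Dalvik/2.1.0"),
    # sub-D: a browser request to a lookalike path; wrong client, not the malware
    (120, "sub-D", "192.0.2.9",    "POST", "/gate.php?id=1234&ver=5",  "Mozilla/5.0"),
    # sub-E: one full match only; too little evidence to act on
    (130, "sub-E", "203.0.113.10", "POST", "/gate.php?id=77fe&ver=12", "Dalvik/2.1.0"),
]

# A C&C protocol signature for a hypothetical family "ExampleBot" (invented for
# this example). Every field must match. The app's package hash is never
# consulted, so repackaged builds that keep the protocol still match.
SIGNATURES = [
    {
        "family": "ExampleBot",
        "method": "POST",
        "path": re.compile(r"^/gate\.php\?id=[0-9a-f]{4}&ver=\d+$"),
        "user_agent": re.compile(r"^Dalvik/"),
        "min_hits": 2,  # require repeated beaconing before alerting the subscriber
    },
]


def matches(sig, flow):
    """True when every field of the signature matches this single request."""
    _ts, _sub, _dst, method, path, user_agent = flow
    return (
        method == sig["method"]
        and sig["path"].match(path) is not None
        and sig["user_agent"].match(user_agent) is not None
    )


def detect(flows, signatures):
    """Return {subscriber: family} for subscribers whose traffic repeatedly matched a signature."""
    hits = defaultdict(list)  # (subscriber, family) -> timestamps of matching requests
    for flow in flows:
        for sig in signatures:
            if matches(sig, flow):
                hits[(flow[1], sig["family"])].append(flow[0])

    thresholds = {sig["family"]: sig["min_hits"] for sig in signatures}
    alerts = {}
    for (subscriber, family), timestamps in hits.items():
        if len(timestamps) >= thresholds[family]:
            alerts[subscriber] = family
    return alerts


if __name__ == "__main__":
    for subscriber, family in sorted(detect(FLOWS, SIGNATURES).items()):
        print(f"{subscriber}: infected with {family}, notify for remediation")
```

Running it alerts on sub-A and sub-C only. The `min_hits` threshold is the simplest form of the confidence check the column asks for: a real deployment would add the corroborating behaviours listed above (backdoor connections, scanning, excessive e-mail) as further signatures and require agreement between them before notifying the subscriber.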
Do you still need an app?
While network-based security is a key component, device-based anti-virus software remains an important element of any approach to mobile security. It can scan the device for malicious apps even when the subscriber is roaming or connected via Wi-Fi and therefore not on the network where the sensor is analyzing traffic. The app can also help with the remediation of known threats.
However, a mobile security app needs to be designed differently than its PC-based counterparts. It needs to minimize data and battery usage and be as inconspicuous as possible so that the user does not turn it off to increase the performance of the device.
Ideally, device-based and network-based solutions should work together. If the network component detects an infection, some malware, probably a new version that has been repackaged to avoid detection, must have slipped past the device-based security app. When the network component sends a security alert, the device-based app should therefore combine that alert with its own record of which processes were running and communicating at the time, pinpoint the infected app, and help the user remove it from the device. Used this way, the two components strengthen each other and provide a much higher level of protection.
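As an added example of the device-side correlation just described (written for this column, not Kindsight's app), the following assumes the device app receives a network alert carrying the malware family, the C&C destination and the time of the match, and that it keeps its own per-package connection log (the alert shape, the package names and the log entries are all constructed). It ranks the packages that contacted the alerted destination around the alert time, ignoring an unrelated app that reached the same host much later, and falls back to a full scan when no package can be blamed.

```python
from collections import Counter

# Constructed alert from the operator-side sensor, in an assumed message shape.
NETWORK_ALERT = {"family": "ExampleBot", "dst": "203.0.113.10", "ts": 160}

# Constructed per-package connection log kept by the device security app:
# (timestamp, package name, destination host). Package names are invented.
DEVICE_CONNECTIONS = [
    (158, "com.example.weather",  "198.51.100.7"),
    (159, "com.example.freegame", "203.0.113.10"),
    (160, "com.example.browser",  "192.0.2.9"),
    (161, "com.example.freegame", "203.0.113.10"),
    (400, "com.example.backup",   "203.0.113.10"),  # same host, but long after the alert
]


def pinpoint(alert, connections, window=30):
    """Rank packages that talked to the alerted destination within +/- window seconds."""
    lo, hi = alert["ts"] - window, alert["ts"] + window
    counts = Counter(
        pkg for ts, pkg, dst in connections
        if dst == alert["dst"] and lo <= ts <= hi
    )
    return counts.most_common()


def remediation_plan(alert, connections):
    """Decide what to tell the user: remove one app, choose among several, or rescan."""
    candidates = pinpoint(alert, connections)
    if not candidates:
        # Nothing on the device explains the traffic: fall back to a full on-device scan
        return {"action": "scan", "family": alert["family"], "packages": []}
    if len(candidates) == 1:
        return {"action": "remove", "family": alert["family"],
                "packages": [candidates[0][0]]}
    # Several apps talked to the C&C host; present them all, most active first
    return {"action": "choose", "family": alert["family"],
            "packages": [pkg for pkg, _ in candidates]}


if __name__ == "__main__":
    print(remediation_plan(NETWORK_ALERT, DEVICE_CONNECTIONS))
```

Whether a device app can see per-package connections depends on the platform and the permissions it is granted; that visibility is an assumption of the example, not something the column establishes.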
Kevin McNamee is security architect and director of Kindsight Security Labs. With over 30 years of security and networking experience, Kevin was director of security research at Bell Labs and also held security development and design roles at TimeStep, Milkyway Networks, Newbridge Networks and Alcatel-Lucent.