In this blog post, we discuss Mobile Threat Defense and answer the following questions along the way:
- What is it?
- How does it work?
- What are the benefits?
Mobile threat management is a term that encompasses many forms of threat prevention on mobile devices. While it often goes by different names and alphabet soup-like acronyms, the most accepted term (and the one we're using) is mobile threat defense, or MTD for short.
In a nutshell, MTD is a catchall term for solutions dedicated to minimizing the security risk posed by threats to mobile devices, their users and the sensitive data stored on them, including devices used for both work and personal purposes.
Mobile threat defense is a lot like the Iron Man suit of armor
The Mark I armor was the first Iron Man suit Tony Stark built. It was designed to meet several requirements at once, helping him to:
- Defend himself
- Strike back at his attackers
- Keep his body going long enough to seek medical attention
- And ultimately escape his captors
Framed this way, mobile threat defense solutions are a lot like that suit of armor: many capabilities packed into one solution, working together to provide defense-in-depth against a wide range of security risks and cybersecurity threats.
This does not mean, nor imply, that mobile threat defense solutions are a fabled "silver bullet." To be clear, a one-size-fits-all solution that takes care of anything and everything that seeks to harm your users, data or network does not exist. But an MTD solution does protect your device fleet against many of the common and evolving attack vectors that threaten modern mobile users.
Ok, so what is it? I thought you’d never ask! MTD is endpoint security designed to meet the unique needs of mobile technologies, safeguarding your mobile device fleet against the common threat categories that affect it, such as:
- Malware: In all shapes and forms, such as adware, ransomware, spyware and trojans.
- Phishing: The number one threat to computer security also holds the top slot in the mobile space. Bad actors mix truth and lies to get users to divulge sensitive data, such as credentials, or to grant remote access.
- Network attacks: Rogue access points (APs) and Man-in-the-Middle (MitM) attacks leave victims open to eavesdropping and data exfiltration.
- Misconfigured settings: Devices that are improperly configured or have default settings in place are more vulnerable to attack.
- Compliance: Failing to comply with industry regulations or company policies often has harmful consequences, from data loss through theft or breach to unauthorized use of apps and services.
- Device health: Even with proper security controls in place, devices may still have risky apps or services installed, or be missing critical patches; both are potential risk areas.
Each of these categories is separate, yet threat actors often blend them (a practice known as convergence) to find a way into your device. They then exploit that access to pivot to other devices, apps and services on the same network, working toward a full-scale data breach.
Mobile threat examples: “Our true enemy has yet to reveal himself.”
Threats come in all shapes and sizes and, when speaking of endpoint security, from every vector across the attack surface. Mobile is no different, except that, given the personal nature of smartphones and tablets, threat actors are increasingly targeting mobile devices to obtain access to business resources alongside users' personal and private data.
Take smartphones, the fastest-growing target for threat actors: there are an estimated 6.3 billion smartphone subscriptions worldwide against a global population of around 7.4 billion. That is a lot of opportunities to target. Factor in the common reasons mobile devices are compromised, according to the Jamf Security 360: Annual Trends Report, and each endpoint is exposed to multiple threats for any number of reasons, sharply increasing its chances of being attacked and exploited. Some factors that increase risk are:
- Nation-states use malicious code that taps communication feeds, such as the camera or microphone, or logs keystrokes on victim devices to spy on them.
- Bad actors use this data for personal or financial gain, as well as to extend social engineering campaigns and to blackmail victims.
- Businesses enrich themselves by selling gathered data without user consent to advertisers and/or third-party partners.
Common examples of mobile threats
Regulated industries exist worldwide, and the agencies tasked with enforcing regulatory governance take that role quite seriously. Depending on the type of service your organization provides, where it is located and whom it serves, it may be subject to local, state, national and/or regional compliance requirements.
Failing to meet them at any level is potentially risky, and costly, for the organization. With the proliferation of distributed workforces and employees using personal devices for work, achieving compliance is only part of the equation. The other part? Continually ensuring that mobile endpoints maintain compliance.
Falling out of compliance not only means that endpoints may not be adequately protected against existing and novel threats, but also that access to protected resources is at risk of compromise. Such was the case in the financial services industry recently, when sixteen financial firms were fined a combined $1.8 billion in penalties for violations found by regulators from the SEC and CFTC.
What led to the investigations that resulted in such steep fines? Employees were found to have violated record-keeping provisions requiring that financial communications be logged through official channels. By using off-channel methods on personally owned devices instead of company-issued smartphones, the firms, in the words of SEC Chair Gary Gensler, failed to maintain trust "by failing to meet their recordkeeping and books-and-records obligations."
Let’s go phishing!
Social engineering attacks continue to top the list of threats to endpoint security. This applies to mobile devices as much as to computers, given how much time users spend on their phones and how effortlessly they pivot between personal tasks and business work and back again.
One of the ironies of social engineering is that even the strongest security protections, paired with hardened device configurations and policies to enforce them, offer little recourse when users simply hand their credentials to threat actors as part of a phishing campaign.
In fact, IBM found that “stolen or compromised credentials were not only the most common cause of a data breach but, at 327 days, they also took the longest time to identify.”
According to Verizon’s Data Breach Investigation Report 2023, phishing “makes up 44% of Social Engineering incidents.” Among their findings, Verizon also discovered that within incidents where data was compromised, the breakdown by type was:
“In 2022, 31% of organizations had at least one user fall victim to a phishing attack.” — Jamf Security 360: Annual Trends Report 2023
Still not convinced social engineering is a critical threat to mobile devices? Here are a few more global statistics, gathered from various sources, that underscore how serious the threat is:
- Google blocks around 100 million additional spam emails daily
- In 2022, an average of 48.63% of emails worldwide were spam
- A third of employees don’t understand the importance of cybersecurity
- 62% of phishing attacks were weaponized with spear-phishing attachments
- Nearly 1.5 million new phishing sites are created each month
- 43% of employees knowingly engage in risky online behaviors at work
- Cybercriminals shifted attacks to mobile and personal communication channels, with a 50% increase in attacks on mobile devices
The Jamf Threat Labs (JTL) team has detected its fair share of malware, as recently as several months ago when it found cryptojacking malware embedded in pirated copies of professional apps such as Final Cut Pro. The same team also lends its expertise to iOS and iPadOS, tracking and discovering novel malware that affects mobile devices in never-before-seen ways.
One such threat, the spyware known as Pegasus, is used to target the iPhones of high-risk individuals in order to surveil them. It violates user privacy to answer questions such as:
- What is the target’s location?
- Which communication tools are they using?
- Who have they been communicating with?
- What is being shared and by whom?
The JTL team has performed extensive research and deep-dive analysis of devices affected by Pegasus to determine:
- How it works
- How such malware continues to evolve
- What Indicators of Compromise (IOCs) exist
Their findings feed directly into Jamf security solutions, helping to detect and limit the risk from this and other zero-day threats while preventing a host of malware from running on your mobile fleet. After all, the JTL found that "5% of organizations having a potentially unwanted application installed within their device fleet in 2022." That percentage may not sound concerning, but as an illustration of scale, 5% of the estimated 6.3 billion smartphone subscriptions worldwide would be roughly 315 million devices.
Mobile threat detection: “Do. Or do not. There is no try.”
Mobile threat detection, prevention and compliance remediation make up the core capabilities of mobile threat defense solutions. Around those central tenets sits additional functionality that furthers the security afforded to mobile endpoints, such as:
- Anomaly detection: Using heuristics and behavioral analytics, MTD can spot potential threats, whether a potentially unwanted app, a suspicious action taken by malware on the user's behalf, or a risky action taken by the user themselves, and stop them before they take hold.
- Network security: Cellular connections and, above all, public Wi-Fi hotspots are known to expose endpoints to a variety of threats, such as rogue access points used for data exfiltration. MTD can route network traffic through an encrypted tunnel when a device joins such a network and alert on signs of interception. Additionally, trusted apps can leak critical data through vulnerabilities the developer is not even aware of; MTD helps protect against that as well.
- Vulnerability management: As mentioned above, device health plays a large role in how risky certain apps and services can become. Regular health checks let MTD assess endpoints against defined criteria; devices that fail any requirement are flagged and their users notified that remediation is necessary.
- Intrusion prevention: Conditional access policies, rules that require a specific set of criteria to be met before access to an app, service or resource is granted, fit hand-in-glove with device health checks. If an endpoint is missing a critical update, access to resources can be denied until the issue is remediated, minimizing the exposure of sensitive and/or private data to unauthorized actors.
- Risk assessment: In addition to the above, MTD routinely assesses endpoint risk across several threat categories defined by IT and Security teams, such as:
- Limiting the use of unsanctioned services or apps (shadow IT)
- Hardening devices with the correct configuration settings
- Ensuring compliance with regulations on data access and control permissions
- Auditing app permissions and privacy data for compliance with corporate policies, industry and/or governmental regulations
- Enforcing Acceptable Use Policies (AUP), supporting enterprise processes and usage caps on data pools
- Detection of rooted or jailbroken devices, including the third-party app stores they enable, which are known to distribute unsupported apps, unlicensed copies and apps whose integrity has been compromised by malware (trojans)
- Filtering of web content, such as unacceptable websites and domains used in phishing campaigns
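The health-check and conditional-access behaviour described above, shown as an added worked example (this is not Jamf's code or any product's actual logic): a small Python posture evaluator that takes the kind of report an MTD agent produces and returns allow, limited or deny together with the findings a remediation workflow would show the user. The policy values, bundle identifiers and sample devices are assumptions constructed for the example.

```python
"""Conditional access from device posture (added example; not Jamf's code).

Evaluates a constructed device health report against a hypothetical policy and
returns allow / limited / deny plus the findings that caused the decision.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- hypothetical policy, normally set by the IT/Security team -------------
MIN_OS: Dict[str, Tuple[int, ...]] = {"iOS": (16, 6), "iPadOS": (16, 6)}
UNSANCTIONED_APPS = {"com.example.sideloaded-store", "com.example.cracked-editor"}  # constructed
MAX_POSTURE_AGE_DAYS = 7  # older reports are treated as unknown, i.e. fail closed


@dataclass
class DevicePosture:
    """Constructed stand-in for an MTD agent's health report."""
    device_id: str
    os_name: str
    os_version: str                  # dotted string as reported, e.g. "16.6.1"
    jailbroken: bool
    passcode_set: bool
    installed_apps: Tuple[str, ...]  # bundle identifiers
    posture_age_days: int            # days since the agent last reported


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare versions numerically: compared as strings, "9.3" sorts above "16.6"."""
    return tuple(int(part) for part in v.split("."))


def evaluate(p: DevicePosture) -> Dict[str, object]:
    findings: List[Tuple[str, str]] = []  # (severity, what to remediate)

    if p.posture_age_days > MAX_POSTURE_AGE_DAYS:
        findings.append(("high", f"posture report is {p.posture_age_days} days old; re-check-in required"))
    if p.jailbroken:
        findings.append(("critical", "device is jailbroken/rooted"))
    minimum = MIN_OS.get(p.os_name)
    if minimum is None:
        findings.append(("critical", f"unsupported platform {p.os_name!r}"))
    elif parse_version(p.os_version) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        findings.append(("high", f"OS {p.os_version} is below the required {wanted}; update the device"))
    if not p.passcode_set:
        findings.append(("high", "no device passcode set"))
    unsanctioned = sorted(set(p.installed_apps) & UNSANCTIONED_APPS)
    if unsanctioned:
        findings.append(("medium", "remove unsanctioned apps: " + ", ".join(unsanctioned)))

    severities = {sev for sev, _ in findings}
    if severities & {"critical", "high"}:
        decision = "deny"      # block access to protected resources until fixed
    elif "medium" in severities:
        decision = "limited"   # e.g. browser-only access, no offline data sync
    else:
        decision = "allow"
    return {"device_id": p.device_id, "decision": decision, "findings": findings}


# --- constructed sample fleet ---------------------------------------------
SAMPLE_FLEET = [
    DevicePosture("ipad-01", "iPadOS", "16.6.1", False, True, ("com.apple.mobilesafari",), 1),
    DevicePosture("iphone-02", "iOS", "9.3", False, True, (), 2),   # old OS; a string compare would pass it
    DevicePosture("iphone-03", "iOS", "16.6", True, True, (), 0),   # jailbroken
    DevicePosture("iphone-04", "iOS", "16.6", False, True, ("com.example.sideloaded-store",), 3),
    DevicePosture("iphone-05", "iOS", "16.6", False, True, (), 30), # agent silent for a month
]


def fleet_decisions() -> Dict[str, str]:
    """Decision per device, the view a conditional-access gateway would consume."""
    return {p.device_id: str(evaluate(p)["decision"]) for p in SAMPLE_FLEET}


if __name__ == "__main__":
    for posture in SAMPLE_FLEET:
        result = evaluate(posture)
        print(f"{result['device_id']}: {result['decision']}")
        for sev, msg in result["findings"]:
            print(f"  [{sev}] {msg}")
```

Two design choices worth copying: versions are compared as integer tuples rather than strings (otherwise an iOS 9 device passes a 16.6 minimum), and a device whose agent has gone quiet is treated as unknown and denied rather than allowed on the strength of a stale report.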
Mobile threat defense: “Good for you and good for me.”
It is important to note, however, that MTD and MDM are not mutually exclusive, nor does either depend on the other: each can be deployed on its own and delivers its benefits, device management for MDM and threat defense for MTD, independently.
That said, when an MTD solution is deployed alongside an MDM solution like Jamf Pro, the two together make for an incredibly powerful, cloud-based combination. It lets IT and Security teams drill down and granularly inspect each endpoint, its network communications and the apps and services running on it. It gives them insight into patch and update levels while preventing mobile malware and providing:
- Phishing defense from SMS, email, social media and messenger apps
- Cybersecurity threat protection
- Advanced mobile security and remediation workflows
- Network threat protection, covering all network connection types
- Hardware and software vetting
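The phishing defense for SMS and messenger apps listed above, and the filtering of phishing domains mentioned under risk assessment, as an added Python example (not Jamf's code or any product's detection logic): it extracts the links from a message and applies the checks a web filter typically combines, a domain blocklist, raw-IP hosts, punycode (IDN homograph) labels, homoglyph or one-character lookalikes of protected brands, and brand names buried in a subdomain of an unrelated domain. The protected-domain list, the blocklist entry and the sample SMS are assumptions constructed for the example.

```python
"""Phishing-link triage for messages (added example; not Jamf's code)."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

PROTECTED_DOMAINS = {"apple.com", "jamf.com", "paypal.com"}  # assumption: the genuine sites
BLOCKED_DOMAINS = {"account-verify.example"}                 # constructed blocklist entry
# substitutions phishers use to imitate a brand name
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels). A production filter uses the Public Suffix
    List so that, e.g., 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Undo common homoglyph tricks before comparing with a brand name."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> Tuple[str, List[str]]:
    host = (urlsplit(url).hostname or "").lower()
    reasons: List[str] = []
    if not host:
        return "block", ["URL has no parseable host"]

    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address used as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible IDN homograph)")

    domain = registrable(host)
    if domain in BLOCKED_DOMAINS:
        reasons.append(f"{domain} is on the blocklist")

    if domain not in PROTECTED_DOMAINS:  # the genuine site needs no lookalike check
        second_level = domain.split(".")[0]
        subdomain_labels = [normalize(l) for l in host.split(".")[:-2]]
        for brand in sorted(d.split(".")[0] for d in PROTECTED_DOMAINS):
            if normalize(second_level) == brand or edit_distance(second_level, brand) <= 1:
                reasons.append(f"'{second_level}' is a lookalike of {brand}")
            if brand in subdomain_labels:
                reasons.append(f"brand '{brand}' appears in a subdomain of {domain}")

    return ("block" if reasons else "allow"), reasons


def triage_message(text: str) -> List[Tuple[str, str, List[str]]]:
    """(url, verdict, reasons) for every link found in a message."""
    return [(u, *classify_url(u)) for u in URL_RE.findall(text)]


# constructed sample SMS, the kind of message an MTD phishing filter sees
SAMPLE_SMS = (
    "Your Apple ID is locked. Verify at https://apple.com.account-verify.example/login "
    "or https://paypa1.com/restore . Support: https://www.apple.com/support"
)

if __name__ == "__main__":
    for link, verdict, why in triage_message(SAMPLE_SMS):
        print(f"{verdict:5} {link}")
        for reason in why:
            print(f"      - {reason}")
```

The lookalike threshold (edit distance of 1 after homoglyph normalization) is a heuristic and will produce false positives on very short brand names; a deployed filter pairs it with a reputation feed and the Public Suffix List rather than the two-label shortcut used here.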
All this while granting support teams robust device management, including automated, policy-based remediation workflows that enable advanced mobile endpoint protections running seamlessly in the background. They are invisible to the end user, letting your hybrid or remote workforce focus on productivity while mobile threat defense keeps your mobile fleet secure and safeguards enterprise and private data.
Already managing devices in the cloud? Why not manage mobile endpoint security there as well?
Jamf security solutions can open a world of mobile security protections. Contact us today to start protecting your mobile devices with comprehensive endpoint security.