Using MITRE’s ATT&CK® Framework to Protect Mobile Devices

Edwin Covert
6 min readOct 10, 2021

--


While Weiss and Solomon (2016) don’t include them in the remote access domain, mobile devices are pervasive in society today. Mobile devices are integral to everyday life and no longer just for making telephone calls (Arhipova et al., 2020). This article will summarize several use cases for mobile devices outside of voice communications. From there, the article will discuss five specific threats to mobile devices, and potential mitigations or countermeasures to those threats.

Mobile Device Use Cases

The initial use case for a mobile device or phone was voice communications without the necessity of a physical connection to the telecommunications infrastructure, i.e. a phone in a home or office location. Today, there are many more. One significant use case is banking via mobile devices (Mullan et al., 2017). A major second use case involves mobile gaming. Mobile devices drive the market for video games, as user interest has shifted from traditional consoles to mobile platforms (Cai et al., 2021). A third considerable use case for mobile devices is that of social media. Social media on mobile devices is ubiquitous and essential for networking between disparate individuals and for sharing of information across the planet (Sarkar & Sarkar, 2020).

Mobile Device Vulnerabilities, Threats, and Countermeasures

With the increasing prevalence of mobile devices comes increased vulnerabilities and threat actors targeting these devices. The National Institute of Standards and Technology (NIST) says “[m]obile devices pose a unique set of threats” (NIST, n.d., para. 1), in particular to organizational enterprise networks and assets. To this point, NIST has documented many vulnerabilities for the leading mobile device operating systems in its National Vulnerability Database. In the last three years, researchers discovered nearly 1000 vulnerabilities in Apple’s iOS operating system and over 2000 in Google’s Android operating system (NIST, 2021a; NIST, 2021b).

Threat actors looking to exploit these vulnerabilities in unpatched mobile devices follow a nominal framework. One of the most well-known is the Cyber Kill Chain® from Lockheed Martin. Figure 1 outlines the Cyber Kill Chain® process threat actors would use for attacking a target. The third step in Figure 1, delivery, is where the threat actor attempts to put their malicious payload on the mobile device for future steps.

Figure 1

Flow of the Lockheed Martin Cyber Kill Chain® with Delivery Step Highlighted

Note. Adapted from “The Cyber Kill Chain®” by Lockheed Martin, 2020. https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html. Copyright 2020 by Lockheed Martin.

Specific Delivery Techniques Against Mobile Devices

The MITRE Corporation has developed what it calls the ATT&CK® Framework. The tool is “a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations” (MITRE, 2021e, para. 1). Using the ATT&CK® Framework, many techniques become clear for delivering malware to mobile devices in the delivery phase of the Cyber Kill Chain® in Figure 1. Table 1 outlines five techniques from MITRE’s ATT&CK® Framework specifically for mobile devices.

Table 1

Five attack techniques for mobile devices from the MITRE ATT&CK® Framework

Note. Adapted from “Mobile Matrices” by MITRE, 2021f. https://attack.mitre.org/matrices/mobile/. Copyright 2021 by MITRE.

Each of the five methods in Table 1 allows a threat actor, after he or she has done the reconnaissance and weaponization efforts in Figure 1, to deploy a means of gaining a foothold into a targeted mobile device. T1475 occurs when an attacker attempts to “place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices” (MITRE, 2021a, para. 1). In method T1456, a threat actor infects a site where the targeted user congregates online, thus enabling the hostile payload to be downloaded to their phone; security researchers call this a watering hole attack (MITRE, 2021b). With T1478, the attacker attempts to coerce a targeted user to install inappropriate configuration settings via phishing emails or fraudulent text messages with the incorrect configuration settings sent as an attachment (MITRE, 2021c).

The last two techniques described by MITRE require physical possession of the mobile device by the threat actor. T1461 assumes an attacker possesses the device and either attempts to brute-force the device to gain access to the data inside or ‘shoulder surfs’ the user and then enters the observed PIN or passcode. T1474 is a technique where the device is compromised while it is being built by the manufacturer and arrives to the user in an already-degraded state (MITRE, 2021d; MITRE, 2021g).

Countering Delivery Techniques Targeting Mobile Devices

Using the attack approaches in Table 1 as a rudimentary threat model, organizations can develop mitigations against them. For T1475, organizations should allow only applications signed by the app store to be installed and should deploy a mobile vulnerability scanner that continuously reviews every installed application. To counter techniques T1456 and T1478, organizations must ensure that they patch their mobile devices with the latest security updates and run the most recent version of the operating system (MITRE, 2021b).

For T1461, organizations must ensure passcode requirements are sufficiently complex to prevent brute-force attacks, and users must always maintain control of their devices. In the event a user loses their device, organizations should have a means of remotely wiping the device of data. The last technique, T1474, is the hardest to counter; supply chain compromise happens before the user takes ownership of the device. To effectively mitigate this threat, organizations need to use application vetting techniques available from the mobile operating system manufacturer to detect destructive third-party software components not approved by the vendor (MITRE, 2021g).
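The mitigations above can be codified as a posture check that reports which of the five Table 1 techniques a given device is still exposed to. This is an added illustration, not code from the article or from MITRE; the policy values (latest OS releases, minimum passcode length) and the device record fields are assumptions chosen for the example.

```python
"""Posture check derived from the five ATT&CK mobile techniques in Table 1."""
from dataclasses import dataclass

# Constructed policy values (assumptions for this example, not vendor data).
LATEST_OS = {"ios": "15.0.2", "android": "12"}
MIN_PASSCODE_LEN = 6


def version_tuple(v: str) -> tuple:
    """Compare releases numerically: as strings '14.8' > '14.10', which is wrong."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Device:
    platform: str               # "ios" or "android"
    os_version: str
    apps: list                  # [(app_name, signed_by_app_store: bool), ...]
    has_app_scanner: bool       # continuous mobile vulnerability scanning
    passcode_len: int
    remote_wipe_enrolled: bool  # MDM can wipe the device if it is lost
    vendor_vetted: bool         # passed the OS vendor's application vetting


def exposed_techniques(d: Device) -> set:
    """Return the Table 1 technique IDs whose mitigations this device lacks."""
    exposed = set()
    # T1475: only store-signed apps, plus continuous scanning of installed apps.
    if not d.has_app_scanner or any(not signed for _, signed in d.apps):
        exposed.add("T1475")
    # T1456 and T1478: both are countered by running the current OS release.
    if version_tuple(d.os_version) < version_tuple(LATEST_OS[d.platform]):
        exposed.update({"T1456", "T1478"})
    # T1461: sufficient passcode strength and the ability to wipe on loss.
    if d.passcode_len < MIN_PASSCODE_LEN or not d.remote_wipe_enrolled:
        exposed.add("T1461")
    # T1474: vendor application vetting against tampered components.
    if not d.vendor_vetted:
        exposed.add("T1474")
    return exposed


if __name__ == "__main__":
    # Constructed sample device: outdated iOS, one sideloaded app, 4-digit PIN.
    sample = Device("ios", "14.8", [("bank", True), ("sideloaded", False)],
                    True, 4, True, True)
    print(sorted(exposed_techniques(sample)))
```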

Conclusion

People and organizations use mobile devices for a variety of use cases and the number of mobile devices continues to grow globally. With this increase in devices, however, comes a greater level of risk exposure to users and organizations. It is important to understand how to prevent mobile devices from having hostile content installed on them by threat actors. An outstanding way of doing this is by making use of the MITRE ATT&CK® Framework.

While not a panacea for protecting all mobile devices, with this framework, users and organizations can better understand potential access methods onto mobile devices. Armed with this information, organizations and users can create effective countermeasures and mitigations for the mobile attack surface and protect their data. This new sense of vigilance will improve the security posture of both users and organizations.

References

Arhipova, I., Berzins, G., Brekis, E., Binde, J., Opmanis, M., Erglis, A., & Ansonska, E. (2020). Mobile phone data statistics as a dynamic proxy indicator in assessing regional economic activity and human commuting patterns. Expert Systems, 37(5), 1–19. https://doi.org/10.1111/exsy.12530

Cai, X., Cebollada, J., & Cortiñas, M. (2021). From traditional gaming to mobile gaming: video game players’ switching behaviour. Entertainment Computing. https://doi.org/10.1016/j.entcom.2021.100445

Lockheed Martin. (2020, January 15). Cyber kill chain®. Lockheed Martin. Retrieved October 8, 2021, from https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html.

MITRE. (2021a). Deliver malicious app via authorized app store. Deliver Malicious App via Authorized App Store, Technique T1475 — Mobile | MITRE ATT&CK®. Retrieved October 8, 2021, from https://attack.mitre.org/techniques/T1475/.

MITRE. (2021b). Drive-by compromise. Drive-by Compromise, Technique T1456 — Mobile | MITRE ATT&CK®. Retrieved October 8, 2021, from https://attack.mitre.org/techniques/T1456/.

MITRE. (2021c). Install insecure or malicious configuration. Install Insecure or Malicious Configuration, Technique T1478 — Mobile | MITRE ATT&CK®. Retrieved October 8, 2021, from https://attack.mitre.org/techniques/T1478/.

MITRE. (2021d). Lockscreen bypass. Lockscreen Bypass, Technique T1461 — Mobile | MITRE ATT&CK®. Retrieved October 8, 2021, from https://attack.mitre.org/techniques/T1461/.

MITRE. (2021e). MITRE ATT&CK®. MITRE ATT&CK®. Retrieved October 8, 2021, from https://attack.mitre.org/.

MITRE. (2021f). Mobile matrices. Matrix — Mobile | MITRE ATT&CK®. Retrieved October 8, 2021, from https://attack.mitre.org/matrices/mobile/.

MITRE. (2021g). Supply chain compromise. Supply Chain Compromise, Technique T1474 — Mobile | MITRE ATT&CK®. Retrieved October 8, 2021, from https://attack.mitre.org/techniques/T1474/.

NIST. (2021a, October 7). Search for Apple iOS vulnerabilities 2018–2021. National Vulnerability Database. Retrieved October 8, 2021, from https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=iOS&queryType=phrase&search_type=last3years&isCpeNameSearch=false&cpe_vendor=cpe%3A%2F%3Aapple.

NIST. (2021b, October 7). Search for Google Android vulnerabilities 2018–2021. National Vulnerability Database. Retrieved October 8, 2021, from https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe%3A%2F%3Agoogle&cpe_product=cpe%3A%2F%3Agoogle%3Aandroid&pub_start_date=10%2F05%2F2018&pub_end_date=10%2F05%2F2021.

NIST. (n.d.). Mobile Threat Catalogue. Background · Mobile Threat Catalogue. Retrieved October 8, 2021, from https://pages.nist.gov/mobile-threat-catalogue/background/.

Sarkar, S., & Sarkar, P. (2020). Consumer behavior towards mobile social media and OTTs from data monetization and customer engagement perspective. Telecom Business Review, 13(1), 6–19.

Weiss, M. M., & Solomon, M. G. (2016). Auditing IT infrastructures for compliance (2nd ed.). Jones and Bartlett Learning.
