Building an Android Scale Incident Response Process

Transcription

1 MBS-R03 Building an Android Scale Incident Response Process Adrian Ludwig Lead - Android Security

2 Who am I? Android Adobe Protect 1.5 Billion+ Users Protect the NSA Offense for Hire Offense

3 Goals Describe strategies we ve developed for incident response Share thought process and lessons learned Include Android-specific considerations (case studies)

4 The Incident Response Process Establish Situational Awareness Take Action Environment Accept Risk Actors + Actions Eliminate Risk Risks Manage the Risk Data

5 The Android Ecosystem 1.5B+ 300M B+ Android 30DA Users Users added in 2015 New devices launched in 2015 App downloads in 2015

6 Actors The Good Ecosystem The Bad Attackers The Ugly Complex Actors Security Team OEMs Attackers Consumers Product Engineering + QA Carriers Malware Authors Enterprises PR / Communications SOCs Thiefs Press Operations + Support App Developers Opportunists Researchers Network MITM Governments Executives Legal Security Companies

7

8 Threats Malware Vulnerabilities Local Exploits Hardware / Physical Attacks Remote Exploits Network Traffic Interception Supply chain compromise

9 Data Sources Google Play Safebrowsing for Chrome Verify Apps Android Safety Net Android Device Manager Billions of new pieces of data including apps, developers, app behavior, relationships, and third-party analyses are added every day.

10 Organization Platform Attack App Review Build Features Find Bugs Improve App Safety Respond Review SafetyNet Fix bugs Trust, but Verify Endpoint Protection

11 Responses Google Public Statement Google Play Update Google Service Update (Verify Apps, SafetyNet) Patch to AOSP Warn users Joint statement with partners 3rd Party Apps (Google Play) Major 3rd Party App Patch Ecosystem Wide patch delivery Publish Research 3rd Party App Upgrade Change an API Release a major update Patch a Google app Nexus Update Publish a best practice Warn developers And many more...

12 Strategy Lenses Frequency Velocity How often is the threat realized? How quickly is a threat realized? Impact Scope What happens if a threat is realized? What portion of the ecosystem is at risk?

13 Incident Frequency

14 Incident Frequency Rare 0-day Malware New Exploit (Local) New Exploit (Remote) Lost / Stolen Device Media / Press Reaction Publicly Disclosed Vulnerability? Supply Chain Compromise? Traffic Interception Yearly (or less) Weekly Monthly Copycat malware Common Daily Thousands/day

15 Strategies to Reduce Frequency Change the attacker economics Move the target

16 Smart phone thefts rose to 3.1 million in 2013 Source: Consumer Reports

17 Responses React Prevent Device Manager Lockscreen Find my phone Encryption Lock my phone Factory Reset Protection Wipe my phone 2.5 Million Monthly Users of Device Manager Find my Phone Lockscreen usage up 50% between 2014 and 2015 Nexus devices Encryption and FRP Enabled by default

18 Smart phone thefts declined from 3.1 in 2013 to 2.1 million in 2014 Source: Consumer Reports

19 $200,000 paid in 2015 g.co/androidsecurityrewards Up to $38,000 per security issue

20 Incident Velocity

21 Incident Velocity Slow? Traffic Interception? Years Supply Chain Compromise New Exploit Developed (remote) Months New Exploit Developed (Local) 0-day Malware Weeks Media / Press Reaction Publicly Disclosed Vulnerability Lost / Stolen Device Copycat malware Instant Days Hours

22 Strategies to Reduce Velocity Centralize your response Batching and Cadence Quality and Automation

23 Monthly Security Updates Monthly Security Bulletins 3 years from device availability

24

25 Android Security Monthly Process Month 0 Partner Bulletin Public Security Bulletin Compatibility Requirement po rt AOSP Updated Device OTAs Begin ck Ba de Month 2 ch Pa t Is su e ve lo fo u pe d nd (Patch, Backports, Severity Guidance) Month 1 OEM Integration Testing Carrier Testing Other Remediations: SafetyNet, Google Play, Verify Apps

26 Incident Impact

27 Incident Impact Potential 0-day Malware Publicly Disclosed Vulnerability New Exploit (remote)? New Exploit (Local) Supply Chain Compromise Lost / Stolen Device Copycat malware Media / Press Reaction? Traffic Interception Perception Limited Partial Realized Months Recoverable Complete

28 Strategies to Reduce Impact Provide a safer path Isolate high risk components Focus on recovery

29 Developer APIs SecurityProvider : GmsCore_OpenSSL SafetyNetApi.attest

30 Developer Security Warnings 85% Reduction in Installs of Vulnerable Apps in 2015

31 Isolation at every level System System Phone Contacts System Trust Zone Messaging Google Play User 2 Messaging Google Play System Phone System User 1 System Root Contacts Root Root Root Kernel Hardware Root Root

32 Focus on recovery Verified Boot + SafetyNet =

33 Incident Scope

34 Incident Scope Few Lost / Stolen Device New Exploit (remote) Probabilistic One Device New Exploit (Local)? Supply Chain Compromise One Model Copycat malware 0-day Malware Publicly Disclosed Vulnerability? Traffic Interception Months Version Platform Media / Press Reaction Many All Devices

35 Reduce Incident Scope Add Speed Bumps Embrace diversity

36 Google Play Unknown Sources Warning Install Confirmation Verify Apps Consent Verify Apps Warning Runtime Security Checks Sandbox & permissions

37 Application Review Collect Apps Google Play Analyze Apps Enforcement Google Web Crawler <Others> Application Scanner Suspend Apps Notify Developers

38 Application scanner details Static analysis Dynamic analysis Machine learning Intelligencebased discovery Signature-based discovery

39 80% Reduction of Russian Bank Phishing Trojans Infected devices in Russia Infected devices worldwide

40 Embrace Diversity Intentional Natural ASLR OEM Update Frequently SOC Hardware Architecture Build Time Changes

41 Predicting real scope is hard Unique APKs Peak exploitation after public release (per install) Exploitation before public release (absolute) Vulnerability Initial Claim Headline Master Key 99% of devices vulnerable 1231 < 8 in a million 0 FakeID 82% of Android users at risk 258 <1 in a million 0 Stagefright 95% of devices vulnerable N/A None confirmed N/A Source: Google Safety Net Data; Masterkey data collected from 11/15/2012 to 8/15/2013 and previously published at VirusBulletin Fake ID data collected data collected from 11/15/2012 to 12/11/2014 and previously published at the RSA Conference Stagefright data current through February 2016.

42 To recap

43 Strategy Lenses Frequency Velocity Use economics Change the target Centralize Batch and Cadence Automate Impact Scope Another Path Isolation Recovery Speed Bumps Diversity

44 Key Learnings Incident Response Use data as your source of truth (not stories!) Look for new responses ( think offensively!) Try not to get lost in the details (this is hard!) Identify incident features Execute existing responses, try new ones Analyze response effectiveness, Response Feedback

45 Thank You!