Newton’s Third Law of motion states that for every action there is an equal and opposite reaction. With that in mind, it’s no surprise that the Apple ecosystem is fighting back in a big way against the mercenary spyware companies that have made headlines recently.
Improving situational awareness
Few people in tech sit comfortably with NSO Group and others in their attacks against journalists, human rights advocates, and high-value targets on behalf of repressive governments. They know that these technologies tend to proliferate, which is why most firms are now engaged in finding new ways to fight back.
Apple has arguably already deployed one super-strong protection against attacks in the form of Lockdown Mode, but there is more that can be done to improve situational awareness. After all, while Lockdown Mode will protect you if you think you might be attacked, it provides little visibility into whether you are or have been so targeted. That’s information that’s exceedingly hard to get when it comes to zero-day attacks such as those used by the NSO Group; identifying those exploits usually requires insight into what your systems are doing.
Telematics data is one way security experts can identify when attempts are being made, or have succeeded, in subverting device security. They watch for signals of subversion, such as unexpected communications with servers, unexplained software downloads, or weird packets of outgoing data shared at unusual times of day. Those are among the typical signs an exploit has taken or is taking place, but spotting that information is beyond the capacity of most users.
The nature of spyware attacks is they tend to target high-value users. With this in mind, Jamf introduced Executive Threat Protection, a solution that gathers and analyzes system logs and device information to identify threats. The solution is aimed at users such as government officials, senior executives, journalists, and the like. The company calls it an “advanced detection and response tool designed for mobile devices,” and says it is based on tech it acquired when it purchased ZecOps in 2022.
How Executive Threat Protection works
The system works like this. The end user has an app installed on their device to gather system logs and device information. This data is constantly explored to identify indicators of potential compromise (IOC). If a threat is detected, the system includes remediation tools to create a timeline of events to help identify when a device is hit, as well as tools to sterilize it once it has been.
What’s critical is that this kind of deep exploration and analysis is much better at spotting the kind of sophisticated zero-day attacks that the new breed of surveillance-as-a-service mercenaries use in their attacks against such high level targets.
Jamf CEO Dean Hager says it “goes beyond endpoint security to provide advanced detection and response capabilities, empowering organizations to stay ahead of targeted attacks and safeguard their most high-risk workers.”
What features does it provide?
Features of Executive Threat Protection include:
- A collector that selectively gathers information relevant to a mobile cyber investigation, while excluding private data such as messages, email, and photos.
- Advanced threat-hunting capabilities that allow analysts to explore device-level telemetry.
- A comprehensive analysis framework that detects mobile indicators of compromise (IOC) to enhance threat hunting and mobile threat intelligence.
- Automated creation of a timeline of suspicious events, indicating how and when a device was compromised.
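As an added illustration (not Jamf’s code; the record format, allow-list of known destinations and thresholds are assumptions), this is the kind of check the article describes: constructed metadata-only telemetry records scanned for the signals mentioned earlier (unexpected server contact, large outbound transfers at odd hours, unexplained code downloads) and assembled into a timeline of suspicious events:

```python
from datetime import datetime

# Constructed sample telemetry records (not real device logs): one event per
# line as a hypothetical on-device collector might report it. Only metadata
# is present; no message, mail or photo content is collected.
SAMPLE_EVENTS = [
    "2023-05-10T09:12:04 net_conn dst=api.apple.com bytes_out=2048",
    "2023-05-10T03:17:45 net_conn dst=cdn-update.example.net bytes_out=5242880",
    "2023-05-10T03:18:02 download path=/private/var/tmp/.cache/lib.dylib bytes=734003",
    "2023-05-10T14:30:11 net_conn dst=gateway.icloud.com bytes_out=8192",
]

# Assumed allow-list of destinations this device is expected to talk to.
KNOWN_DESTINATIONS = {"api.apple.com", "gateway.icloud.com"}
OFF_HOURS = range(0, 6)           # 00:00-05:59 local time (assumed policy)
LARGE_UPLOAD_BYTES = 1_000_000    # 1 MB outbound in a single connection

def parse_event(line):
    """Split '<iso timestamp> <kind> k=v k=v ...' into its parts."""
    ts, kind, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kind, attrs

def indicators_for(ts, kind, attrs):
    """Return the list of IOC labels matched by one event (empty if benign)."""
    hits = []
    if kind == "net_conn":
        if attrs["dst"] not in KNOWN_DESTINATIONS:
            hits.append("unexpected-destination")
        if ts.hour in OFF_HOURS and int(attrs["bytes_out"]) >= LARGE_UPLOAD_BYTES:
            hits.append("large-off-hours-upload")
    elif kind == "download":
        # Native code landing in a temp directory has no benign explanation here.
        if attrs["path"].endswith(".dylib"):
            hits.append("unexplained-code-download")
    return hits

def build_timeline(lines):
    """Scan events and return (timestamp, kind, indicators) sorted by time."""
    timeline = []
    for line in lines:
        ts, kind, attrs = parse_event(line)
        hits = indicators_for(ts, kind, attrs)
        if hits:
            timeline.append((ts, kind, hits))
    return sorted(timeline)

if __name__ == "__main__":
    for ts, kind, hits in build_timeline(SAMPLE_EVENTS):
        print(ts.isoformat(), kind, ", ".join(hits))
```

The two flagged events land seconds apart in the timeline, which is the pattern an analyst would pivot on; a real deployment would draw the allow-list and thresholds from device-specific baselines rather than constants.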
Jamf also announced that it has joined the Microsoft Intelligent Security Association (MISA). Membership means enterprises using Apple devices can integrate their Jamf Protect endpoint security protection with Microsoft Sentinel, a collaboration which also helps deliver early warning of attack.
What comes next?
Jamf is evidently aiming at what is expected to become a $183 billion cybersecurity market in 2023. The company isn’t alone (most in the Apple-focused MDM space seem to be working on their own approaches to boost device security), and there’s quite clearly demand among high-level targets for solutions of this kind.
For most users, there is a little reassurance in that solutions do tend to proliferate over time, which suggests we can anticipate increasingly complex security protection to become a standard fitting in consumer devices.
Security is a dance, of course, and as one set of flaws gets plugged, criminals will seek out alternative weaknesses. That’s why it’s going to become increasingly important for every user to become security aware. It’s also why everyone should make sure to protect home and personal devices against becoming conduits for lateral attacks against employers or business partners.
Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.