Analyze Malicious Behavior from Mobile Devices
Once Cybereason Mobile is set up and added to all devices, the devices raise alerts and send information to your Cybereason server. You can analyze and respond to mobile-specific data in the Cybereason platform as you do with data collected by other endpoint sensors.
View details from Mobile devices
Cybereason Mobile integrates with your existing Cybereason setup, combining Mobile-relevant information with details from non-Mobile endpoints in the Malop Inbox, Malops management screen, or Investigation screens.
For any detected threat, Cybereason Mobile both displays an alert on a device and sends information to your Cybereason platform. These threats generate Malops, suspicions, or evidence for the Cybereason platform, depending on the threat:
You can then analyze these threat detections just like any other MalOp or investigation.
The Cybereason platform marks MalOps from mobile devices with a special Mitigated label to show that the alert has been addressed on the mobile device with relevant protection actions:
Depending on your threat policy configuration, the Mitigated label works differently on a device for each threat:
If you selected Block as the response action and the MalOp is mitigated, Cybereason Mobile blocks the device’s connection to the malicious site.
If you selected Secure as the response action and the MalOp is mitigated, Cybereason Mobile creates a secure network for the device that prevents malicious communication.
When you run an investigation query in the Investigation screen, the query results return information from both Mobile and non-Mobile endpoints:
Mobile-specific detections contain mobile-relevant information, such as the device information and device properties:
You can also use mobile-specific information in the Investigation screen in a number of different Elements and Features, including:
In addition, Cybereason Mobile threats generate numerous Evidences and Suspicions that you can use in your queries. Use the search bar in the Investigation screen to locate mobile-related Evidences or Suspicions.
View details on connected mobile devices
When devices have the Cybereason Mobile sensor installed, the System > Sensors screen includes details on these mobile devices.
Add the Device Type or OS column to the Sensors screen to view the details of the mobile devices:
When you view the device information, the FQDN for the device is shown in the FQDN column. Cybereason recommends that you update device information in your UEM/MDM platform, because the Cybereason platform takes the device information from there.
Mobile-specific MalOps
To integrate the information received from Cybereason Mobile connected devices, the Cybereason platform includes a number of MalOps related to mobile devices, including:
Abnormal Process Activity Malop
Android Device possible tampering
App tampering
Device configurations that may put corporate and personal data at risk
Device jailbroken/rooted
Elevation of Privileges
Malicious application
Malware that aggressively displays ads, negatively affecting user productivity and device performance
Malware that attempts to obtain escalated system privileges
Malware that blocks access to a device until a ransom is paid
MITM attack
MITM - Fake SSL Certificate
MITM attack through SSL Strip
MITM attack via ARP
MITM attack via ICMP redirect
Persistent modifications to device file systems
Rogue Access Point
Sideloaded apps
Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form
Suspicious iOS App
System Tampering
Third party application stores
Untrusted Profile
For a complete list of the Malops that Cybereason Mobile generates, see Cybereason Mobile MalOps.