Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This involves not only impairing preventative defenses, such as anti-virus, but also the detection capabilities that defenders use to audit activity and identify malicious behavior. This may span both native defenses and supplemental capabilities installed by users or mobile endpoint administrators.
ID | Mitigation | Description
---|---|---
M1010 | Deploy Compromised Device Detection Method | Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.
M1012 | Enterprise Policy | An EMM/MDM can use the Android
M1001 | Security Updates | Security updates often contain patches for vulnerabilities that could be exploited for root access. Root access is often a prerequisite for impairing defenses.
M1004 | System Partition Integrity | System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.
M1011 | User Guidance | Providing user guidance around commonly abused features, such as the modal that requests administrator permissions, should help prevent defenses from being impaired.
ID | Data Source | Data Component | Detects
---|---|---|---
DS0041 | Application Vetting | API Calls | Application vetting can detect many techniques associated with impairing device defenses.[1]
DS0009 | Process | Process Termination | Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.