Leidos is advancing next-gen security of mobile devices in defense
Part of a defense research program, a tool developed by the company is designed to analyze mobile operating systems for exploit-chainable vulnerabilities
Three points to remember
- Sophisticated cyber actors use exploit-chain attacks to infiltrate computer networks and mobile devices, where they combine multiple system vulnerabilities to form penetration paths.
- Attack path analysis can map out networks and systems and how vulnerabilities can be linked into exploit chains, but many tools focus on the shortest penetration routes and don't account for attacker behaviors.
- Leidos is working on a modeling and analysis platform, called Network Path Traversal, to help identify potential exploit chains in mobile operating systems.
Traditional cybersecurity methods assess vulnerabilities in digital systems primarily through risk and vulnerability scores, rating them individually from high to low for triage. As the seemingly most severe flaws are addressed first, sophisticated hackers are linking together multiple low-level vulnerabilities to form attack paths into IT networks and mobile operating systems.
Mobile operating systems are particularly prone to so-called exploit-chain cyberattacks because of their subsystem complexity and use in unsecure environments. In these attacks, hackers exploit a series of system vulnerabilities, with each step building on the previous one, to continually increase system access and control. Often starting with a low-severity flaw, they're able to dig toward a goal, like stealing data or compromising the target.
Modern personal electronic devices typify this: mobile phones are systems of systems composed of multiple discrete components. In such complex systems, holistic evaluation of security posture is increasingly difficult. This leaves devices at greater risk of adversaries and bad actors infiltrating them and taking control through exploit chains.
The Defense Advanced Research Projects Agency’s (DARPA) Intelligent Generation of Tools for Security (INGOTS) program aims to address limitations preventing the use of exploit chains for evaluating the security of complex systems. DARPA selected Leidos to develop tools and technology designed to enable the synthesis, modeling and analysis of exploit chains.
Why attack-path analysis alone is not enough
Increasingly, malicious cyber actors use chained exploits to reach key components within mobile devices. They apply strategies and techniques similar to those used in exploit-chain attacks on networks, such as taking advantage of improperly configured security settings and unpatched software, and moving laterally while escalating system privileges.
Current attack-path analysis tools for network security focus on the shortest routes for cybercriminals and adversaries to reach high-value assets — or “key cyber terrain.” While looking at the smallest number of network “hops” seems logical, attackers often choose more deliberate and subtle attack paths to avoid tripping alarms.
Leidos created the Network Path Traversal (NPT) attack-path modeling and analysis platform that focuses on the least secure routes as well as the number of network hops to reach a target attack surface. Originally created to model and understand attack paths in networks and predict where attacks may occur, NPT has been extended under INGOTS to map out mobile operating systems and link vulnerabilities into exploit chains, expanding the mobile security focus beyond just viewing vulnerabilities in isolation.
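The contrast between fewest-hop and least-secure routes can be shown on a small graph. This is an added example, not Leidos' NPT code: the component names, the per-step probabilities and the choice of Dijkstra over -log(p) weights are assumptions constructed for illustration.

```python
import heapq
import math
from collections import deque

# Constructed graph: node -> {neighbor: estimated probability that the step
# succeeds without detection}. Names and values are illustrative only.
GRAPH = {
    "untrusted_app":  {"system_service": 0.10, "media_parser": 0.80},
    "media_parser":   {"media_server": 0.70},
    "media_server":   {"system_service": 0.60, "driver_ioctl": 0.70},
    "system_service": {"kernel": 0.15},
    "driver_ioctl":   {"kernel": 0.60},
    "kernel":         {},
}

def walk_back(prev, dst):
    # Rebuild the path from predecessor links; empty list if dst is unreachable.
    if dst not in prev:
        return []
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]

def fewest_hops(graph, src, dst):
    """Breadth-first search: the route with the smallest number of steps."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return walk_back(prev, dst)

def least_resistance(graph, src, dst):
    """Dijkstra over -log(p): the route maximising the product of step odds."""
    dist, prev, heap = {src: 0.0}, {src: None}, [(0.0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        for nxt, p in graph[node].items():
            nd = d - math.log(p)
            if nd < dist.get(nxt, math.inf):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    return walk_back(prev, dst)

def path_probability(graph, path):
    return math.prod(graph[a][b] for a, b in zip(path, path[1:]))
```

On this graph the two-hop route has an end-to-end probability of 0.015, while the four-hop route through the media components reaches 0.2352, so ranking remediation by hop count alone would prioritise the wrong edges.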
Leidos’ INGOTS implementation maps out mobile operating systems as graph models and then uses a graph neural network (GNN), a type of machine learning model, to analyze object relationships, connections and dependencies that help identify potential exploit chains.
“NPT ingests information about a mobile operating system, converts it into a knowledge graph, estimates risk using the GNN, evaluates paths to key cyber terrain and uses the results to inform risk remediation,” said Cooper Linsky, senior full-spectrum cyber AI researcher in Leidos’ Cyber Accelerator.
NPT is designed to automate the large-scale analysis and identification of chainable vulnerabilities, and the GNN integrates behavioral analytics and threat intelligence from external sources.
Thinking and behaving like attackers
Leidos is working to advance attack-path modeling beyond conventional techniques by analyzing how attackers think and move when they create exploit chains.
The GNN in INGOTS models the behaviors of adversaries, taking into consideration how they weigh risks, favor paths of least resistance and reuse vulnerabilities to create new attack routes. The GNN can be improved through iterative updates, as additional data and evaluations become available.
With the application of NPT’s exploit-chain modeling and analysis capabilities on mobile systems, Leidos is developing for DARPA a tool that incorporates technologies and techniques aiming to help solve the chained-exploit problem. Deploying NPT would help DARPA better address evolving threats against software and systems important to defense and national security.
------------
Leidos thanks the Defense Advanced Research Projects Agency (DARPA) for the opportunity to develop the technology discussed in this article.