home

Mobile Endpoint Security

Mobile Endpoint SecuritySecurity Service Edge
Mobile Endpoint SecuritySecurity Service Edge

Lookout Product Documentation

Find answers about using and optimizing Lookout products.

Show Contents

Mobile Endpoint Security

Use the Research Capability

Threat Hunting Workflow Example

SOC administrators typically assign security analysts to routine threat hunting when they are not actively pursuing in-progress threats or attacks. Threat hunting targets are picked largely by monitoring cybersecurity attacks and events reported daily across business sectors and choosing a threat that is likely to affect your organization. Another use of threat hunting is to identify applications which may represent unacceptable levels of risk to the organization, or use undesirable permissions/capabilities on the device, even though the application may not be identified as malicious.

As the MES Research dataset focuses on mobile apps, threat hunting activities described here pertain to mobile app risks and threats. When external intelligence includes a mobile app threat that could apply to your organization, you can use the MES Research capability to cross-reference the intelligence with the Lookout corpus of intelligence.

The threat hunting workflow typically starts with the MES Research query page. You begin your search by submitting a valid LQL query statement that includes your externally-sourced intelligence (example: IOCs) and reviewing matching results. Subsequent threat hunting workflow steps are similar to the incident response workflow outlined in the previous section, but generally include:

  1. After reviewing any pertinent externally sourced threat information, you open the MES console and select the Research option from the navigation panel.
  2. You enter the information (example: IOCs, using relevant search terms) into the Research query area using valid LQL conventions and submit the query.
  3. Any matching results appear in the Research query results area.
  4. You select an application in the Research query results area to view the application details.
  5. Using the details in the research analysis results, you begin testing pivot points in the dataset based on the threat and situation.
    Example: Pivoting on the DNS or IP/FQDNs observed during dynamic analysis, or the application signer, both of which would reveal other applications where Lookout observed those same data elements. If other applications which are known to be malicious use the same DNS, IP/FQDN, or application signer, these indicate the application may be malicious or a potential threat as well.
  6. You collect evidence via pivots to iteratively build and refine your analysis hypothesis based on your observations and circumstances to find any matching applications using the identified data elements.
    This generally involves iteratively repeating steps 4-5.

    If a particular research query produces useful results, consider saving it as a personal or team saved query so that it’s easy to come back to.

  7. Once you determine if any applications share common data elements with the intelligence or your refined list of IOCs, you can take appropriate actions such as denylisting the application, or adding any domain(s) used by the application to the phishing and content protection (PCP) denylist content policy.

Last updated: November 20, 2024

lookout-footer

Legal Privacy Policy Cookie Policy Transparency Report Compliance Info Compliance Info (Gov)

© 2024 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, LOOKOUT with Shield Design® and the Lookout multi-color/multi-shaded Wingspan Design® are registered trademarks of Lookout, Inc. in the United States and other countries. DAY OF SHECURITY®, LOOKOUT MOBILE SECURITY®, and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States. Lookout, Inc. maintains common law trademark rights in EVERYTHING IS OK, PROTECTED BY LOOKOUT, CIPHERCLOUD, and the 4 Bar Shield Design.