M1001 Security Updates
Install security updates in response to discovered vulnerabilities.
Purchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.
Decommission devices that will no longer receive security updates.
Limit or block access to enterprise resources from devices that have not installed recent security updates.
On Android devices, access can be controlled based on each device’s security patch level. On iOS devices, access can be controlled based on the iOS version.
| Item | Value |
|---|---|
| ID | M1001 |
| Version | 1.0 |
| Created | 18 October 2019 |
| Last Modified | 18 October 2019 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1398 | Boot or Logon Initialization Scripts | Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. |
| mobile | T1577 | Compromise Application Executable | Security updates frequently contain patches to vulnerabilities. |
| mobile | T1645 | Compromise Client Software Binary | Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. |
| mobile | T1634 | Credentials from Password Store | Apple regularly provides security updates for known OS vulnerabilities. |
| mobile | T1634.001 | Keychain | Apple regularly provides security updates for known OS vulnerabilities. |
| mobile | T1456 | Drive-By Compromise | Security updates frequently contain patches for known exploits. |
| mobile | T1404 | Exploitation for Privilege Escalation | Security updates often contain patches for vulnerabilities. |
| mobile | T1629 | Impair Defenses | Security updates often contain patches for vulnerabilities that could be exploited for root access. Root access is often a requirement to impairing defenses. |
| mobile | T1629.003 | Disable or Modify Tools | Security updates frequently contain patches to vulnerabilities that can be exploited for root access. |
| mobile | T1630 | Indicator Removal on Host | Security updates typically provide patches for vulnerabilities that could be abused by malicious applications. |
| mobile | T1630.001 | Uninstall Malicious Application | Security updates typically provide patches for vulnerabilities that enable device rooting. |
| mobile | T1461 | Lockscreen Bypass | OS security updates typically contain exploit patches when disclosed. |
| mobile | T1458 | Replication Through Removable Media | Security updates often contain patches for vulnerabilities. |
| mobile | T1474 | Supply Chain Compromise | Security updates may contain patches for devices that were compromised at the supply chain level. |
| mobile | T1474.002 | Compromise Hardware Supply Chain | Security updates may contain patches to integrity checking mechanisms that can detect unauthorized hardware modifications. |
| mobile | T1474.003 | Compromise Software Supply Chain | Security updates may contain patches that inhibit system software compromises. |