
Defense-in-Depth, also known as layered defense, is a fundamental security strategy that emphasizes the implementation of a multi-tiered defense framework, wherein each successive defense layer acts as an additional hurdle for would-be attackers. Should an attacker manage to infiltrate one defensive layer, they immediately face another. Consequently, this layered approach renders cyber-attacks progressively more challenging and economically unattractive, effectively discouraging attackers from continuing with their efforts.

Organizations must integrate devices that support Defense-in-Depth frameworks for four primary reasons:

  • Software retains hidden flaws exploitable by attackers.
  • Suboptimal configurations expose vulnerabilities.
  • Users remain prone to manipulation via social engineering techniques such as phishing emails or fake websites.
  • Hardware embeds undetected weaknesses that can be targeted by adversaries.

The following diagram describes a typical malware infection cycle and the stages malware passes through on a device:

Figure: typical malware infection cycle

Samsung Knox devices come equipped with multiple defense mechanisms to combat malware infections at various stages. Below, we outline these features categorized by attack phase:

Infiltration

Malware can infiltrate devices through various vectors. Samsung Knox addresses each vector with dedicated defenses:

  • Phishing: Knox Suspicious URL Detection helps protect against phishing attacks by providing on-device detection of malicious or potentially harmful links, and sending alerts to IT and security admins for immediate review and response actions.

  • Network: Knox Firewall blocks HTTP traffic, Secure Wi-Fi automatically protects insecure Wi-Fi connections, and Samsung Internet supports content blocker plugins that can filter out harmful web traffic.

  • Peripherals: Hardware Device Manager, implemented in the hypervisor, disables peripherals such as USB, Bluetooth and cellular modems, while the Auto Blocker, implemented in the Android framework, blocks malicious AT commands sent over USB.

  • Zero-Click Exploits: Message Guard protects messaging apps (including SMS and other third-party messaging apps) from exploits that can coerce message parsers into running malicious code without any user interaction.

Escalation

Once inside, malware seeks elevated privileges using rooting or kernel exploits. Samsung Knox counters these attempts with:

  • Real-time Kernel Protection: A hypervisor-based protection feature that prevents privilege-escalation to the Linux kernel.

  • DEFEX: A Linux kernel-level protection feature that allows only authorized binaries to run with superuser (root) privileges.

  • Knox Security Log: Monitors suspicious activity indicative of malicious intent.

Persistence

Persistent malware reinstalls itself during reboots. Samsung Knox combats persistence via:

  • Knox Verified Boot: Ensures that the device boots up with only authorized code components, starting from the very first piece of code that runs when the device is switched on to the Android framework system components.
  • Knox Warranty Bit: Stores a tamper-proof record of whether a device has ever booted up with unauthorized code.
  • Knox Health Attestation: Proves to a remote verifier whether a device is running authorized code.
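As an added illustration of how these three persistence defenses fit together (a constructed model, not Samsung's code or Knox's actual protocol): a verified boot chain measures each stage against known-good digests, any mismatch sets a one-way warranty bit, and a health attestation report binds the verifier's nonce, the measurements and the bit under a device key. The function names, the `KNOWN_GOOD` digests and the shared HMAC key standing in for the device's attestation key are all assumptions.

```python
import hashlib
import hmac

# Constructed known-good digests for each boot stage (not real Knox values).
STAGES = ("bootloader", "kernel", "framework")
KNOWN_GOOD = {s: hashlib.sha256(f"{s}-v1".encode()).hexdigest() for s in STAGES}
# Shared HMAC key standing in for the device's attestation key (assumption).
DEVICE_KEY = b"constructed-device-attestation-key"

def verified_boot(images, warranty_bit):
    """Model of a verified boot chain: each stage is measured against the
    known-good digest before control moves on. An unauthorized image sets the
    warranty bit, which is one-way: a later clean boot never clears it."""
    measurements = {}
    for stage in STAGES:
        digest = hashlib.sha256(images[stage]).hexdigest()
        measurements[stage] = digest
        if digest != KNOWN_GOOD[stage]:
            warranty_bit = 1
    return measurements, warranty_bit

def attest(nonce, measurements, warranty_bit, key=DEVICE_KEY):
    """Device side: bind the verifier's nonce, the measurements and the
    warranty bit under the device key so none can be altered or replayed."""
    payload = "|".join([nonce.hex()]
                       + [f"{k}={v}" for k, v in sorted(measurements.items())]
                       + [f"wb={warranty_bit}"])
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

def verify(nonce, report, key=DEVICE_KEY):
    """Verifier side: check the tag first, then freshness, then boot state.
    Returns (healthy, reason)."""
    expected = hmac.new(key, report["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["tag"]):
        return False, "bad signature"
    fields = report["payload"].split("|")
    if fields[0] != nonce.hex():
        return False, "stale or replayed report"
    state = dict(f.split("=", 1) for f in fields[1:])
    if state.pop("wb") != "0":
        return False, "warranty bit set: device has booted unauthorized code"
    if state != KNOWN_GOOD:
        return False, "measurements do not match known-good"
    return True, "healthy"
```

The verifier rejects a device whose warranty bit is set even when its current measurements are clean, which is the point of a persistent tamper record.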

Data Collection and Exfiltration

Finally, malware collects and transmits stolen data. Samsung Knox defends against this with:

  • HDM: Disables peripherals, preventing them from being used for data collection or exfiltration.
  • Knox Firewall: Allows flexible firewall customization, restricting unwanted data transfer.

Additionally, Samsung Knox incorporates Dual Data-At-Rest (Dual DAR) encryption and Universal Credential Management for enhanced data confidentiality and integrity.
