macOS Endpoint Security 101

Speakers: Matt Woodruff, World-wide Security Solutions Lead, Jamf Mark Walker, Security Solutions Lead, Jamf

When it comes to security, the conversation around Mac is really heating up. The fact that enterprise is adopting Mac at an alarming rate certainly plays a role in this. Suddenly there are two audiences that are becoming invested in the conversation — Mac Admins and Windows Admins now asked to bring Apple device management into the fold.

With integrations and relationships like the one Jamf and Microsoft spoke about during JNUC 2020’s keynote, the lines between Apple and Windows management are blurring by the day. Now you can obtain the same level of security and protection as you may have had with Windows for your Mac users, all while maintaining the user experience they expect.

In Matt Woodruff and Mark Walker’s session, they looked at Mac Endpoint Security from the views of a Mac Admin that may not be fully aware of the infosec world of an attack and how malware is distributed, as well as, the infosec teams that are well aware how Windows devices are attacked, but unsure how that translates into Mac.

Anatomy of an attack

The anatomy of an attack happens in various formats. In the example given, we look at a user that has a healthy computer, who receives a phishing email that lures them to a malicious site resulting in them downloading a malware program. Just like that, the device has become infected with malware.

This is simply one example of the many types of attacks that exist. When you deal with an attack, it can be disseminated through various networking components resulting in it being propagated through various peer computers, phishing emails attempting to lure, various websites that have particular codes or downloads, or file-sharing techniques in which the programs are distributed.

But, when a Mac is compromised, there are multiple means to distribute and disseminate that particular malware. One of the leading current issues with this are devices used for remote work being introduced to a network in which it can distribute or receive malware to/from home network devices. This is a potential issue for the user, their home, AND your company.

Methods of Attack

There are a few common techniques used for Windows:

• Registry Keys
• Service execution
• BIOS attacks
• PowerShell
• DLLs
• Access Token manipulation
• WMI

By leveraging these techniques and tools, a malicious actor could spread further throughout an environment to find a route to more valuable, interesting systems. As you can see, there are a lot of variations someone could use to attack a Windows system. This is important because Windows Malware is very different from Mac malware.

What are the techniques used on Mac?

• Launch Agents/Daemons
• Exploiting sudo/pam.d/scripts/cron
• Phishing/Masquerading
• More…

But there is a level of uniqueness with macOS. One of the most common is how persistent malware can be on Mac. This can be done with the Launch Agents, something very unique to Mac. Phishing is of course common amongst both Mac and Windows but has been spiking lately for Mac because of all the new security controls introduced by Apple. macOS now enforces a user approves every aspect of control in order to validate to the user that is should be accessing those components. This has enabled people to spin up creative ways to send Mac users messages in an attempt to phish.

Here is an image of all the techniques, tactics, and procedures that the Mitre organization has found:

Built-in?

The great news is, Apple hardware and macOS comes with the following built-in tools:

• T1/T2 chip
• App Signing/Notarization
• SIP – System Integrity Protection
• Firewall/Packet Filter

In addition to these tools, macOS also comes with the following built-in tools:

• XProtect
• MRT – Malware Removal Tool
• GateKeeper

Security Tools

macOS offers different methods for endpoint security tools to be built. Most common for a long time were kernel extensions because of the unhindered access to the macOS kernel. Most security tools started off as tools for Windows and were ported over to the Mac causing tremendous headaches for Mac users when it came to performance, which directly led to kernel panics.

The current state of macOS endpoint security tools finds itself in a transitional phase because Apple is leading the charge on getting out of the kernel. This was announced at WWDC in 2019 when they declared that kernel extensions will no longer be allowed. They provided new frameworks called system extensions. A few security providers have started to properly build on these system extensions using the new frameworks. One of those is Jamf Protect.

Because Apple announced at this year’s WWDC that the release of Big Sur will begin the reduction of kernel extension capabilities, you as the user of a security product dependent on them may have a huge security risk on your hands. Finding a provider like Jamf Protect that is already compliant with the new measures is going to be crucial in a few months.

Security Baselines

When given the need to protect your data, you might get overwhelmed with all the different settings. This is when a security baseline leads the way. A security baseline provides guidance to secure date from exfiltration on end-user devices and they should be based around industry standard, security benchmarks.

If you aren’t sure where to start, CIS benchmarks are a widely recognized destination. In fact, below we have access to the macOS CIS benchmarks in relation to Jamf.