As the digital landscape continues to evolve, security researchers face a multitude of challenges in uncovering and mitigating cybersecurity risks. While Windows has traditionally been the primary target for cybercriminals, the growing popularity of Mac systems has pushed attackers to exploit the vulnerabilities and challenges unique to the Apple ecosystem. To combat these threats, Apple strengthened its hardware, system, app and services security controls. On the system side, the introduction of System Extensions and DriverKit pulled third-party code out of the kernel, further defining the Apple/vendor barrier. To keep enabling software like EDRs, Apple introduced the Endpoint Security APIs, which replace the legacy kernel extension (kext) approach. In doing so, Apple also limited the level of access threat researchers and third-party security products have to the kernel and to important pieces of telemetry within the operating system. In this blog post, we will explore how Red Canary has adapted its research-gathering methodologies to address these challenges in order to provide industry-leading protection across macOS devices. But first…
Let’s talk about ESF
Apple's Endpoint Security Framework (ESF) was introduced in macOS Catalina, released in October 2019. It replaces the kernel extensions security products previously had to load with a user-space C API: a client, which runs as a system extension or daemon carrying the com.apple.developer.endpoint-security.client entitlement (and must also run as root and be granted Full Disk Access), subscribes to events such as process execution, file open and mount. It receives either NOTIFY messages after the fact, or AUTH messages it must answer with an allow or deny verdict before a deadline. Because third-party code no longer runs in the kernel, only Apple's own code can modify critical system components, which reduces the risk of unauthorized modification or malicious attack. This benefits macOS and its users in three primary ways:
- Avoid the difficulties and dangers of kernel programming by running in userspace: a bug in an ES client crashes that client, not the kernel, so a faulty security product can no longer panic the whole system, which improves stability and performance.
- Protect data security, privacy and reliability: an ES client still needs the Endpoint Security entitlement and a Full Disk Access grant from the user, so limiting kernel access also helps prevent abuse of system resources or unauthorized access to sensitive user data.
- Easier to develop and debug: clients are free to use high-level languages like Swift and any framework in the macOS SDK!
While these benefits are real, the big drawback is that third-party security vendors and researchers are now locked out of the kernel and can see only the events and fields ESF chooses to expose, losing access to data sources that helped them stay on top of the latest threats. The event catalog has grown with each macOS release since Catalina, but a vendor still cannot hook something Apple has not surfaced.
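To make the mechanics concrete, here is a minimal Endpoint Security client in Swift. This is an added example written for this post, not Red Canary's, Apple's or Mac Monitor's code; the deny-prefix policy and the directory it names are hypothetical. The client subscribes to NOTIFY_EXEC to log what ESF tells you about each process execution (path, pid, signing identity, platform-binary flag, argv) and to AUTH_EXEC to show the authorization path, where the client must answer before the message's deadline or the system terminates it.

```swift
// Minimal Endpoint Security client (added example, not Red Canary's or Apple's code).
// Build:   swiftc esdemo.swift -o esdemo
// Sign:    codesign -s "<identity>" --entitlements es.entitlements esdemo
//          where es.entitlements grants com.apple.developer.endpoint-security.client
//          (a restricted entitlement; for local testing without Apple's approval,
//          relax SIP/AMFI enforcement on a throwaway test machine).
// Run:     sudo ./esdemo   (also grant the binary Full Disk Access in System Settings)
import EndpointSecurity
import Foundation

// Hypothetical toy policy for the AUTH path: deny execution of anything under this directory.
let deniedPrefix = "/private/tmp/es-demo-denied/"

// ES strings are length-delimited (data, length); copy them into a Swift String.
func esString(_ token: es_string_token_t) -> String {
    guard token.length > 0, let data = token.data else { return "" }
    return String(decoding: UnsafeRawBufferPointer(start: data, count: token.length), as: UTF8.self)
}

// The pid lives in slot 5 of the audit token (the same value audit_token_to_pid() returns).
func pid(of token: audit_token_t) -> pid_t {
    return pid_t(token.val.5)
}

// Summarize the fields of an es_process_t that detection logic usually keys on.
func describe(_ process: es_process_t) -> String {
    let path = esString(process.executable.pointee.path)
    return "pid=\(pid(of: process.audit_token)) ppid=\(process.ppid) "
        + "platform=\(process.is_platform_binary) "
        + "signing_id='\(esString(process.signing_id))' team_id='\(esString(process.team_id))' "
        + "path=\(path)"
}

var client: OpaquePointer?
let newClientResult = es_new_client(&client) { c, message in
    // The handler runs on an ES-owned queue; keep it short. Every pointer in the message is
    // only valid for the lifetime of this callback unless es_retain_message() is used.
    let msg = message.pointee
    switch msg.event_type {
    case ES_EVENT_TYPE_NOTIFY_EXEC:
        var exec = msg.event.exec
        let argc = es_exec_arg_count(&exec)
        let argv = (0..<argc).map { esString(es_exec_arg(&exec, $0)) }
        print("NOTIFY_EXEC \(describe(exec.target.pointee)) argv=\(argv)")

    case ES_EVENT_TYPE_AUTH_EXEC:
        // AUTH messages must be answered before msg.deadline (mach absolute time) or the
        // system terminates the client. cache=true lets ES reuse the verdict for this file.
        let path = esString(msg.event.exec.target.pointee.executable.pointee.path)
        let verdict = path.hasPrefix(deniedPrefix) ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW
        if es_respond_auth_result(c, message, verdict, true) != ES_RESPOND_RESULT_SUCCESS {
            fputs("failed to respond to AUTH_EXEC for \(path)\n", stderr)
        }

    default:
        break
    }
}

guard newClientResult == ES_NEW_CLIENT_RESULT_SUCCESS, let esClient = client else {
    // Common failures: ERR_NOT_ENTITLED (missing entitlement), ERR_NOT_PERMITTED (no Full
    // Disk Access), ERR_NOT_PRIVILEGED (not root), ERR_TOO_MANY_CLIENTS.
    fputs("es_new_client failed: \(newClientResult.rawValue)\n", stderr)
    exit(1)
}

_ = es_clear_cache(esClient)   // drop AUTH verdicts cached on behalf of a previous client
var events: [es_event_type_t] = [ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_AUTH_EXEC]
guard es_subscribe(esClient, &events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fputs("es_subscribe failed\n", stderr)
    _ = es_delete_client(esClient)
    exit(1)
}

print("subscribed; press Ctrl-C to stop")
dispatchMain()
```

Two things worth noticing for anyone building detection on top of this. First, everything the client learns about the process comes from the es_process_t Apple chose to populate: signing identity, team ID, platform-binary flag, parent pid and so on. If a fact is not in that struct or in a subscribed event, there is no kernel hook to go and fetch it. Second, the AUTH path is the only place a client can block anything, and the deadline makes any slow check (a network reputation lookup, say) a liability, so most products gate on cheap local facts and treat the rest as NOTIFY telemetry.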
How Red Canary stays on top of macOS threats
To begin, Red Canary's threat research team has a deep understanding of macOS architecture and the threat landscape, and used that knowledge and experience to adapt as ESF was introduced while making effective use of the resources available. While ESF makes implementation easier, we believe it has not been fully understood or utilized, meaning there are still ways to use the data it exposes for high-level threat research and analysis. Our macOS threat researcher Brandon Dalton created a free tool, Mac Monitor, to help us investigate the output ESF produces: we simulate a threat or technique on macOS, then use Mac Monitor to assess the quality of the corresponding events ESF generates. With this tool we have gained a better understanding of macOS, the types of data available to us, and how to parse and interpret that data in a way that is meaningful and accurate. Mac Monitor was also picked up by the Hacker News community, who engaged with it to improve their own threat research capabilities.
If you're curious what you can do with the tool, check out this walkthrough of how we used it to identify a Gatekeeper bypass.
Over the course of our research and testing, and given the Mac platform's unique telemetry, we have adapted our behavioral detection analytics to the events ESF exposes. This allows us to identify suspicious activity, unusual system interactions and deviations from normal behavior patterns, and so to detect and mitigate threats that traditional static signature- or command-line-based detection methods would miss.
Beyond what we've done on our own, we have also been building a more collaborative relationship with Apple. Apple has shown increased responsiveness not only to us but to the security community in general, letting researchers and security experts engage with its security team to share insights, report vulnerabilities and gain a deeper understanding of ESF. Through this collaboration we hope both to improve how we perform our threat research and to help Apple align its future security developments with the needs of the rest of the security community.
We have also partnered with Jamf, whose in-depth platform knowledge and EDR tooling provide us with the data we need to do our best work: detect and stop threats. This partnership lets us take a multilayered approach, as the combined expertise of Jamf and Red Canary provides strong protection for Mac endpoints.
While ESF draws a firm boundary for third-party vendors and security companies, we at Red Canary believe there is vast untapped potential in how security research and threat detection can be performed within it. We are consistently working with Apple, with partners like Jamf and with the security community to develop the tools, resources and knowledge to make the best use of Apple's framework. Our multilayered approach, combining Jamf's EDR with our own approach to threat research and detection, provides world-class security across your Mac endpoints. Red Canary helps organizations operationalize their security tools while acting as a security ally in the fight against cyber threats. If you're interested in learning more about our partnership with Jamf and how we can help you secure your macOS environment, reach out to schedule a call today.
See Red Canary in Jamf Marketplace.