Our self-defined requirements for Mac Monitor were strict. Both scenarios can result in the discovery and remediation of potentially harmful security vulnerabilities-or, at the very least, better awareness of soft spots that we can help fortify with detection coverage.Īfter all, security controls will never be perfect, and Apple consistently patches vulnerabilities and techniques that bypass their security controls with each release of macOS-including two ( CVE-2023-27951 and CVE-2023-27943) we plan to discuss in a later blog and webinar. We can then apply these behavioral understandings to vulnerability research by setting a baseline of “normal” that helps us identify when these controls misbehave-or to create hypotheses about how we can force a security control to misbehave. In other words, we need to know how macOS’s security controls behave in response to suspicious or malicious activity. For example, if we feed macOS a specially crafted file, we have to understand what the system does in response. As it turns out, ES provides a rich stream of telemetry that you can tap into with Mac Monitor and learn a great deal about the inner workings of macOS in the process.įurther, as security researchers, it’s important to understand what macOS does in response to any given action. However, we also needed a more generic testbed for conducting deeper security research and learning more about the internal workings of macOS. In turn, this would empower us to analyze new data sources and determine their viability for detecting malicious activity on macOS devices. We wanted to be able to simulate a threat or technique on macOS and then assess the relative quality of the corresponding events generated by ES. So, we set out to create a tool that could. In this case, we knew that Apple’s Endpoint Security (ES) API, which is analogous to Microsoft Event Tracing for Windows in some respects, supported events that would help us improve detection coverage across our customers’ macOS endpoints, but we didn’t have a reliable way to collect, analyze, enrich, and test the efficacy of these events. Our job as a company is to find the best possible ways to detect threats across our customers’ IT environments with the tools we have available. Simply put, we developed Mac Monitor to further our understanding of macOS internals so that we could improve Red Canary’s macOS detection capabilities. Why did we build Mac Monitor in the first place? Today, we’re releasing Red Canary Mac Monitor as a stable open beta, and we’re hopeful that the security community can help us improve this complex software by using it and offering feedback. Mac Monitor uncovering evidence of a novel Gatekeeper bypass technique We plan to discuss this work in depth in a webinar on April 19 and in a subsequent blog shortly thereafter. However, we’ve also used Mac Monitor to conduct more complicated threat research, including work that yielded the discovery of an exploitable vulnerability in Apple’s Gatekeeper functionality ( CVE-2023-27951). Mac Monitor record of Atomic Test Harness for T1059.007: JavaScript (for Automation) For example, we’ve used it for relatively straightforward telemetry generation, running Atomic Test Harnesses and examining the forensic artifacts left behind, as seen in the following image: Security researchers can use Mac Monitor to perform a wide range of analysis, whether they’re simply confirming their suspicions about unusual system activity or performing more rigorous threat research. You can find the GitHub repo and latest release notes here. Mac Monitor collects a wide variety of telemetry classes, including processes, interprocess, files, file metadata, logins, XProtect detections, and more-enabling defenders to quickly and effectively analyze enriched, high-fidelity macOS security events in a native, modern, and customizable user interface. Mac Monitor is practically the macOS version of the Microsoft Sysinternals tool Procmon. Red Canary Mac Monitor is a feature-rich dynamic analysis tool for macOS that leverages our extensive understanding of the platform and Apple’s latest APIs to collect and present relevant security events. Minimize downtime with after-hours support.Train continuously for real world situations.Operationalize your Microsoft security stack.Protect critical production Linux and Kubernetes.Protect your users’ email, identities, and SaaS apps. Protect your corporate endpoints and network.Deliver enterprise security across your IT environment.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |