This post was written by SenseOn’s Security Engineering Squad: Harry McLaren, Graham Stevens, Josh Rogers and Jake Humphries.
On the 5th of October, our Security Engineering Squad made our way from the increasingly cold UK to sunny Spain to attend the macOS security conference, Objective by the Sea! The release of the new Mx architecture has kept the endpoint team busy with developing a new version of our Mx-compatible universal sensor; we wanted to ensure we were at the forefront of security research, malware analysis and threat detection on macOS.
It was an excellent conference, a key focus of which was malware reverse engineering. It was also a perfect opportunity to network and get to know the community. The rest of the squad also had a great time, and the highlights below were co-authored by the SecEng squad.
One of the key takeaways we took from the conference was the accessibility in terms of skill level – there was something for everyone from students in information security, to long-time macOS security professionals. Kristin Del Rosso’s “Do As I Say, Not As I Did: Pivoting into Mac Malware Analysis for the First Time” was brilliant in describing the many pitfalls (and ways to get past them) a beginner malware analyst may face in macOS malware reverse engineering. We picked up some great resources for continuing our security analysts’ reverse engineering journeys, and are looking forward to building our internal training resources for them.
At the other end of the spectrum, Matt Carman’s talk entitled “Sandboxing with ESF Playground on macOS” looked into building a sandbox environment around macOS hardware and Apple’s Endpoint Security Framework. Matt talked about how pre-existing macOS sandboxing solutions no longer supported recent versions of the OS, with ‘mac-a-mal’ limited to macOS Sierra (10.12), and that these were only ever built for x86 architectures (the newer ARM-based Apple Silicon hardware is not supported). With these challenges to overcome, Matt used physical machines with a commercial ‘deep freeze’ software solution to revert the machines to a clean state. By using this solution alongside the manual static analysis outlined by Kristin Del Rosso, a security analyst can begin to build up a very detailed overview of a potentially malicious binary or file. You can find Matt’s ESFriend solution on GitHub.
Although the conference covered a variety of security domains in the Apple ecosystem, malware was a key theme. Speakers detailed new and not-so-new methods by which authors create malware targeting macOS, which has historically received less attention from threat actors. In his talk “Making oRAT, Go”, Patrick Wardle walked through the analysis of an intriguing piece of macOS malware written in Go called oRAT. The method by which Patrick performed dynamic analysis was novel: he built a custom command and control (C&C) server for the malware to communicate with, then patched the malware through its configuration file to point it at that server. This gave him the ability to observe the malware’s runtime behaviour.
As we further develop our coverage of the Apple ecosystem we need to take into account sources of malicious activity other than malicious binaries. On Windows and Linux environments, there are a lot of resources for discovering potential living off the land binaries and scripts (LOLBAS), however few similar resources exist for macOS. A LOLBAS is a binary, script, or library that can be used for Living Off The Land techniques – using unexpected functionality in ‘built-in’ tooling to perform malicious activity. For example: on Windows the `Desktopimgdownldr.exe` can be abused to download files to a system, not just a lockscreen/wallpaper image. These LOLBAS are great for an attacker – they’re almost always present on a victim device, meaning they don’t need to bring their own tools with them.
Cedric Owens and Chris Ross’ talk ‘Farming The Apple Orchards: Living Off The Land Techniques’ provided a wealth of information on these tools, highlighting some effective ways of performing reconnaissance on a victim device and of bypassing the Transparency, Consent, and Control (TCC) mechanism that limits and controls application access to certain features.
For example, an attacker could abuse `mdfind` to search for files containing target strings, and `mdimport` to display that data. These tools are designed for querying the internal metadata store and for testing plugins for that store, so an unsuspecting analyst wouldn’t necessarily identify their use as malicious.
Our key takeaway from this talk was the identification of further tooling for us to build detections around – not just to focus on specific tools but also looking at benign tools used by our users and developing a behavioural baseline from which we can identify aberrant and malicious behaviours.
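As an added illustration of the baselining idea above (example code written for this post, not SenseOn’s detection logic), the snippet below learns which parent processes normally launch `mdfind` and `mdimport` during a known-good window and then flags executions from parents never seen in that baseline. The event records are constructed JSON lines with fields loosely modelled on an exec event; the field names are assumptions, not a real telemetry schema.

```python
import json
from collections import Counter

# Constructed process-execution events (not real telemetry). Field names are
# assumptions: ts, exe (launched binary), parent (launching binary), user.
BASELINE_EVENTS = """
{"ts": 1, "exe": "/usr/bin/mdfind", "parent": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", "user": "alice"}
{"ts": 2, "exe": "/usr/bin/mdfind", "parent": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", "user": "alice"}
{"ts": 3, "exe": "/usr/bin/mdimport", "parent": "/usr/libexec/xpcproxy", "user": "bob"}
{"ts": 4, "exe": "/usr/bin/mdfind", "parent": "/Applications/Alfred.app/Contents/MacOS/Alfred", "user": "alice"}
"""

# Constructed "live" window: two launches from parents absent in the baseline.
LIVE_EVENTS = """
{"ts": 10, "exe": "/usr/bin/mdfind", "parent": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", "user": "alice"}
{"ts": 11, "exe": "/usr/bin/mdfind", "parent": "/bin/bash", "user": "alice"}
{"ts": 12, "exe": "/usr/bin/mdimport", "parent": "/usr/bin/osascript", "user": "bob"}
{"ts": 13, "exe": "/usr/bin/ls", "parent": "/bin/bash", "user": "alice"}
"""

# Built-in tools whose use we want to compare against a behavioural baseline.
WATCHED = {"/usr/bin/mdfind", "/usr/bin/mdimport"}


def parse_events(text):
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baseline(events):
    """Count (parent, exe) pairs for watched tools over a known-good window."""
    return Counter((e["parent"], e["exe"]) for e in events if e["exe"] in WATCHED)


def detect(events, baseline, min_seen=1):
    """Return alerts for watched-tool launches whose parent fell below the
    baseline threshold; non-watched tools are ignored entirely."""
    alerts = []
    for e in events:
        if e["exe"] not in WATCHED:
            continue
        if baseline[(e["parent"], e["exe"])] < min_seen:
            alerts.append({"ts": e["ts"], "exe": e["exe"], "parent": e["parent"],
                           "user": e["user"], "reason": "parent not in baseline"})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_EVENTS))
    for alert in detect(parse_events(LIVE_EVENTS), baseline):
        print(alert)
```

Raising `min_seen` trades false negatives for false positives; in practice the baseline key would also include the user and the argument shape rather than the parent path alone.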
One of the key responsibilities of Security Engineering at SenseOn is the documentation and sharing of our knowledge as a team. We’ve found it to be a great driver in changing the ways we work – in modifying how we think about detections, and in teaching one another. Internally we’ve built the “Security Content Library”, a collection of resources for our detections, data sources and training.
Our target audience for this is our SecOps Analysts and eventually our users: we want to aid their investigations and help them not to run into the same pitfalls we did. For example, providing detailed information on how our detections are built and the thought process that has gone into their development can reduce the time taken for an analyst to verify a case, and lead to suggestions on areas for improvement in these detections. Kristin’s talk was great in breaking down some of the more complex areas of reverse engineering. The skills we’ve gained from it will be useful to extend our library and in building better training resources for our analysts and engineers. It’s also expanded our awareness of some of the more detailed points of differentiation between Windows, macOS, and Linux operating systems.
Because it is important to show that the detections we develop work in the real world, we have built an adversary simulation tool that lets us define custom scenarios based on MITRE ATT&CK, which are then executed against an internal test range. The tool hooks into other internal tooling, such as our cloud-based detection lab and our product testing environments, to report what was executed and the results of that execution. Patrick’s talk outlined an interesting use case we are looking to implement: identifying suitable malware samples, defanging them, and intercepting their C&C connections so that they can be controlled by our adversary simulation tool. This will allow us to define scenarios and send commands as though the malware were being controlled by a real threat actor, whilst remaining within a controlled environment. It offers new detection targets for SenseOn Detection Engineers, encouraging us to develop detections in depth rather than targeting generic indicators, and it lets us build training scenarios for Security Analysts to analyse and learn from.
It’s really important to us that we’re always looking for new ways to improve our understanding of threats, looking inwards at our own performance and how we are making our customers more secure. Using our continuous integration platforms provided by our delightful DevOps team, we are able to develop fine-grained tests and validation routines for all of our detections deployed throughout our infrastructure, with immediate and quantifiable feedback being provided to us through Slack messages and GitHub PR comments.
We want to detect malicious or abnormal behaviour in as many places as possible, as deep into the OS as possible. Analysing malware, reimplementing it and executing it against our platform gives us the ability to identify blind spots and create generalised specifications for detections.
Biases exist when writing detections: this can come from previous experience, influence from internal stakeholders, customer demand, or just intellectual curiosity! We’re trying to find ways to remove those biases so that we can bring insights driven by data to both our detections as well as the processes we use to prioritise and build them.
Rather than big jumps in the quantity and quality of our detection content, we generally aim for continual gradual improvement. Our development process is iterative, and so are our detections: improvements such as those above are key to continually tuning our detection capabilities. Alongside this experimentation with different detections, we have developed a “detections in depth” approach that lets us try multiple tactics and techniques for threat detection, using the highest quality data to uncover the specific methods adversaries employ.
We had a blast at ObtS and look forward to the next time! As SenseOn continues to double down on our commitment to defend Windows, Linux and macOS endpoints from advanced threats (across networks, IoT, and public clouds!) learning, challenging and enriching our understanding is key to keeping up with the threat landscape. We are happy to have attained more knowledge and industry contacts which will help us contribute to our collective mission as well as develop personally in our pursuit of building an industry-leading protection, detection and response product. We can’t wait to see what next year’s event has in store!
For those not able to attend ObtS, the organisers kindly live-streamed and recorded the talks on YouTube, available here.