Why doesn’t Apple’s so-called silent security strategy make users feel safe?



Safetymobile security
Apple's approach to security is different from other operating system vendors, which is not inherently good or bad. It's important for administrators to have a clear understanding of how their operating system handles security incidents. A good, quiet system doesn't necessarily mean a safe and reliable system.

It is generally believed that macOS is more secure than Windows, so many small and medium-sized enterprises use macOS to pursue security. However, for small and medium-sized enterprises that completely rely on macOS to ensure security, this is very dangerous. For example, users won’t find the Defender-like security center built into macOS.

In this article, we’ll take a look at three aspects of macOS security that are critical for businesses that don’t currently deploy additional endpoint protection on macOS devices.

Apple’s platform security strategy

Apple’s most recent update on preventing malware on macOS was in May 2022. The latest public document states that its malware defense is divided into three aspects:

Prevent malware from launching or executing: App Store or Gatekeeper combined with Notarisation;

Prevent malware from running on customer systems: Gatekeeper, Notarisation and XProtect;

Repair executed malware: XProtect, macOS has built-in antivirus technology called XProtect, which detects and removes malware based on signatures. The system uses YARA signatures that are regularly updated by Apple, a tool used to detect malware based on signatures. You can think of it as the "Defender" of macOS systems.

However, these technologies are not very transparent and easy to implement. For example, it is not possible to allow or exclude specific applications or code between users or devices. On a single device, users can make very broad system policy decisions, such as allowing or denying all apps from outside the App Store, but even then, unless the system is managed by a mobile device management (MDM) solution, local users are This policy can be overridden without administrator rights.

Even more concerning from an enterprise security perspective is that there is little visibility into what code was blocked, when and why, nor is it clear when these scans were performed or how effective they were. Another is that malware remediation happens silently in the background without prompts or warnings to the user. In an enterprise environment, this is not enough because security personnel cannot grasp the information. To adequately protect an enterprise, security teams need to understand when malware appears on systems, how long it has been present, and where the malware originated.

1. XProtect signatures often ignore some of the latest malware

According to Apple, macOS has built-in antivirus technology called XProtect for signature-based malware detection and removal. The system uses YARA signatures, a tool for signature-based malware detection that Apple regularly updates.

The last update to Apple's XProtect that included these YARA-signed bundles was developed on June 29, but depending on the location of the device, the update may not be released for several days.

Why doesn’t Apple’s so-called silent security strategy make users feel safe?Why doesn’t Apple’s so-called silent security strategy make users feel safe?

Unfortunately, the update doesn't include any changes to file signatures that Apple says enhance XProtect's blocking capabilities. The YARA file has the same hash as version 2166, which was updated last February.

Why doesn’t Apple’s so-called silent security strategy make users feel safe?Why doesn’t Apple’s so-called silent security strategy make users feel safe?

If you look at the version numbers, there should have been 7 updates to XProtect's YARA rules in the past 12 months, but in fact only 3 were observed in the test equipment of cybersecurity company SentinelOne. Furthermore, the difference between version 2165, released last November, and the more recent version is simply the addition of rules targeting two malware families: one targeting Keysteal, dated February 7, 2019. German security researcher Linus Henze discovered a macOS zero-day vulnerability called "KeySteal" that can be used to obtain all sensitive data stored by Mac users in keychain access applications; the other two are Honkbox.

Since SentinelOne and many other vendors have reported multiple new macOS malware over the past few months, users and administrators who rely solely on XProtect rules should increase their protection awareness.

2. XProtectRemediator will hide attack traces

XProtect Remediator complements the existing XProtect system tools. Last September, around the time macOS 12.3 Monterey was released, Apple quietly launched a new XProtect Remediator tool for its XProtect service that checks for malware in the background. XProtect Remediator looks for malware more frequently and fixes it when it is detected. While Apple's main malware blocking tool lacks updates, it has been regularly updating its MRT alternative, XProtectRemeditor. XProtectRemeditor runs every 6 hours every day, looking for known malware families.

For information stealers, 6 hours is too long, especially when they only need a few seconds to complete their work. Session cookies are a prime target for attackers to infiltrate further into an organization and turn an attack on a single Mac into a serious vulnerability, such as what happened recently at CircleCI. CircleCI is a very popular CI/CD continuous integration development platform, claiming to provide "fast and reliable" development services to more than one million software engineer users.

As mentioned above, there is no user interface on macOS to let users know which malware has been patched, when and how it was introduced into the system. However, starting with macOS Ventura, system administrators without third-party visibility tools can try leveraging the eslogger tool introduced in macOS 13. Apple doesn't often give us new tools specifically focused on security, but ESLogger looks like it could be very useful for security practitioners, malware analysts, and threat detection engineers. According to the published man page for the tool, ESLogger works with the Endpoint Security framework to log ES events, which can be output to a file, standard output, or a unified logging system. Apple is also reaffirming its commitment to third-party security products by adding more NOTIFY events to the ES Framework, and ESLogger supports all 80 NOTIFY events now available in macOS Ventura. ESLogger provides researchers with much-needed and convenient visibility into security-related events without the need to deploy a full ES client.

Unfortunately, eslogger doesn't take business size into account. This will require some infrastructure and external tools to bring the entire detection results into a central database where the data can be monitored and mined. In both cases, unless security teams are proactive, Apple's XProtectRemediator will quietly remove the malware when it is discovered without alerting users or administrators that an attack has occurred. Similarly, the tool neither warns nor logs suspected malicious activity because it is not explicitly programmed to detect it.

For businesses and Apple, relying on this type of remediation to improve their security is a high-risk strategy. In this case, the risk of false positives could cause serious harm to users and businesses, so it's likely that Apple has designed its tools to be very conservative in their detection and silent removal.

For enterprises, the inability to receive alerts and difficulty in inspecting logs means it is nearly impossible for XProtectRemeditor to detect missed infections, track the root cause of infections it removes, or further investigate incidents and their impact on the organization.

3.XProtectBehaviorService: Hide detection activities

Apple recently added a malware detection technology that has not yet been released publicly, called XProtectBehaviorService.

Why doesn’t Apple’s so-called silent security strategy make users feel safe?Why doesn’t Apple’s so-called silent security strategy make users feel safe?

Currently, the service simply silently logs details of applications that violate certain preprogrammed behavioral rules, currently defined in /usr/libexec/syspolicyd.

Why doesn’t Apple’s so-called silent security strategy make users feel safe?Why doesn’t Apple’s so-called silent security strategy make users feel safe?

These rules (referred to internally as "bastion rules") log violations in a hidden SQLite database located at /var/protected/xprotect/xpdb. To its credit, Apple is logging access to data in enterprise apps like Slack and Teams, as well as various browsers and chat apps. However, questions remain as to what access Apple intends to provide users, particularly management, IT and security teams, and the information collected during further operations. For example, these logs were recently used to investigate an APT attack that infected four macOS Ventura systems, which neither XProtect successfully blocked nor XProtectRemediator removed.

While this data can now be found by incident responders, collecting this data and learning how to use it falls on the shoulders of those responsible for security. The above example illustrates that IT teams that rely solely on Apple for protection must proactively analyze their macOS devices and mine Apple's hidden logs and monitoring data.

Summarize

As mentioned above, Apple's approach to security is different from other operating system vendors. This is not inherently good or bad. It is important for administrators to have a clear understanding of how their operating system handles security incidents. A good, quiet system doesn't necessarily mean a safe and reliable system.

Understanding what's happening on your company's endpoints is the first step to protecting your devices, and there's a lot more security-related events happening on the backend of macOS than meets the eye.

This article is translated from: https://www.sentinelone.com/blog/mac-admins-why-apples-silent-approach-to-endpoint-security-should-be-a-wake-up-call/ If you wish to reprint, please Please indicate the original address