Leveraging Apple's Game Engine to Detect Threats

RSA Conference via YouTube

Overview

Explore a comprehensive approach to detecting Mac malware using behavior-based monitoring and Apple's game engine in this RSA Conference talk. Dive into current macOS threats, monitoring capabilities, and the innovative use of Apple's GameplayKit for cybersecurity. Learn about an open-source monitoring framework that passively collects system events and a rule-based system leveraging Apple's game engine for efficient threat detection. Discover how to develop "Game Plans" for detecting persistence methods, chain logic blocks for more accurate detection, and conduct threat hunting using predicates. Gain insights into process, file, synthetic click, and camera/microphone monitoring techniques. Understand the potential of this extensible detection, response, and threat hunting platform for comprehensive Mac security.

Syllabus

Intro
Outline
Macs vs. Malware
OSX.WindShift (2018): file exfiltration implant, with a unique infection vector
The Mac Malware of 2018: a comprehensive report on infection, persistence, and capabilities
CVE-2017-7149: Password Exposure
CVE-2017-13872: #iamroot
The Mac App Store
Process Monitoring
File Monitoring
Synthetic Click Monitoring
Cam/Mic Monitoring
Game (Logic) Engine: pieces of the puzzle
Game (Logic) Engine: (re)Applied
Apple's "GameplayKit"
GKRuleSystem Class
Developing "Game Plans": detecting methods of persistence
Chaining Logic Blocks: ...for more accurate and actionable detection
Detect (All?) Things: hail the power of the predicate!
Threat Hunting
GamePlan
Finale
Questions & Answers

Taught by

RSA Conference
