How to Remediate a macOS Security Incident

00:00

today i'm going to cover remediating a

00:02

security incident on a mac

00:05

and my hopes is that you will take away

00:07

a better understanding

00:09

on how to prepare and manage an incident

00:12

and some inspiration

00:13

for how you could implement different

00:15

workflows in your environment

00:20

i am kelly conlon i will be your

00:22

presenter and i am

00:24

a security solution specialist here at

00:26

jamf

00:29

for today's call we are going to cover

00:31

the incident response or

00:33

ir cycle and identifying the steps to

00:35

get started with building your own

00:37

remediation plan

00:39

preparation needed for a security

00:41

incident or threat

00:43

detection and analysis of an incident

00:46

remediation and response and some

00:49

example workflows with jamf protect

00:52

and finally what does life look like

00:54

post-incident

00:55

and starting the ir cycle all over again

01:01

when a cyber attack or security breach

01:03

occurs

01:04

how fast and effectively an organization

01:06

reacts

01:07

is directly correlated to the amount of

01:10

damage that can be inflicted

01:12

the recovery time needed and even

01:14

potential cost lost

01:16

this process and planning is referred to

01:19

as a security incident response plan

01:22

and is a key factor to a successful

01:24

security program

01:26

at jamf we are seeing that as mac

01:28

adoption rises

01:30

their threat landscape is changing and

01:32

they are becoming

01:33

more and more of a target for potential

01:36

attacks

01:37

so the mac has always come with built-in

01:40

security tools

01:41

and they're great baseline protection

01:44

but really

01:45

it's well suited for an individual

01:47

consumer

01:48

and with new modes of attack and a

01:51

larger presence in organizations

01:54

macs require better methods to protect

01:56

them

01:57

and any organizational data that may be

02:00

on them

02:01

so regardless of your choice of a mac

02:04

security

02:05

solution your approach to incident

02:07

response

02:08

should be well planned and practiced

02:12

throughout today's call i will be

02:13

covering incident response and

02:15

remediation

02:16

almost interchangeably and to define

02:19

them quickly

02:20

incident response or simply ir is

02:23

actually pretty self-defined in its name

02:26

it is most commonly described as the

02:28

process by which an organization

02:30

handles a data breach or cyber attack

02:33

and remediation is simply the act

02:36

of remedying or correcting something

02:39

that has been corrupted

02:40

so ultimately most of the time the

02:44

action

02:45

in your incident response plan is

02:47

remediation

02:49

the incident response cycle you see here

02:51

was set forth by the national

02:53

institute of standards and technology or

02:55

simply nist

02:57

this covers the four components of

02:59

incident response as preparation

03:02

detection and analysis containment

03:05

eradication and recovery or remediation

03:10

post incident activity and then simply

03:14

starts at the beginning all over again

03:18

so let's start with the first step of

03:20

building an ir plan

03:24

to begin you need to prepare and the

03:26

best preparation

03:27

is to have a thorough understanding of

03:29

your environment

03:30

and infrastructure as well as the

03:33

threats that could affect you

03:35

so essentially you need to develop

03:37

situational awareness

03:38

and be aware of what is around you or

03:42

just simply your surroundings

03:44

now security has always been a top

03:46

priority for almost every organization

03:49

this covers operational and physical

03:51

security

03:52

to the information security and

03:54

protection of data

03:56

and with the current situations creating

03:58

a shift to a larger

04:00

remote workforce it will be even more

04:02

important to have these plans in place

04:06

it admins need to first ensure their

04:08

devices

04:09

are as secure as possible by having

04:11

those devices be managed

04:13

monitored and configured for the best

04:16

security posture

04:18

think getting fitted for armor before

04:20

battle and to do this

04:22

starting with an mdm is the best place

04:25

to fire up the forges

04:27

so jamf pro is such an mdm and this

04:30

provides

04:31

monitoring and enforcement that will

04:33

help to keep you

04:35

up to date on the state of your max and

04:37

identify any devices that are not

04:39

meeting the standard

04:42

using smart groups in jamf pro it admins

04:45

can actually

04:45

hunt for devices that need to be updated

04:48

have some reconfiguration done

04:50

or even have restrictions enforced

04:53

all of this can be done remotely and

04:55

even be automated without an

04:57

administrator needing to physically

04:59

touch the devices

05:01

now to ensure we are keeping a pulse of

05:03

the activity on the devices and start to

05:05

harden the device's defenses

05:08

an organization may look to implement

05:10

some security software like

05:12

jamf protect which is simply an in-point

05:14

security solution that is purpose-built

05:16

for the mac

05:18

adding in an additional security tool

05:21

will help to block known threats to the

05:23

mac

05:24

gather process and file information for

05:26

forensic analysis

05:27

as well as monitoring for specific

05:30

behavioral detections

05:32

so just by using an mdm like jamf pro

05:35

and adding in an additional security

05:36

tool like jamf protect

05:38

we will help you understand your

05:40

environment better and identify those

05:42

threats as they arrive

05:47

so now for the second step in the ir

05:48

cycle detection and analysis

05:54

now that our security and it teams are

05:56

in a position

05:57

and on alert in the event of any

05:59

potential attack

06:00

we need to make sure that over time they

06:03

don't become complacent

06:04

or stagnant while waiting for an attack

06:07

and to do this they can continue to do

06:10

monitoring of those detections as well

06:12

as deeper analysis of events

06:16

former fbi director james comey was once

06:18

quoted stating

06:20

there are two kinds of big companies

06:22

those who've been hacked

06:24

and those who don't know they've been

06:25

hacked

06:27

so essentially despite our preparation

06:31

and even preventative mechanisms we have

06:33

in place

06:34

security and i.t teams should assume

06:37

that an attack will get past

06:39

their best defenses because you really

06:41

can't protect against something you

06:43

don't

06:43

know entirely so to ensure we are

06:47

staying focused

06:48

security teams need to do constant

06:50

analysis of events occurring on these

06:52

devices

06:53

to increase their chances of identifying

06:55

an unknown threat

06:57

but we still need to detect and analyze

07:00

known threats as well

07:02

so let's imagine an end user

07:04

accidentally downloads a trojan

07:06

application

07:07

it's time for your endpoint security

07:09

solution like jff protect

07:11

to get to work alert you on this

07:13

compromised

07:14

process and when that security incident

07:18

occurs

07:18

you need to know what that malware may

07:20

do and how impactful its attack is

07:24

this is when you need to collect all

07:26

relevant information

07:27

and use that to analyze the threat

07:31

so security teams always need to have as

07:34

much visibility as possible

07:36

during an incident so they can make

07:38

informed decisions

07:40

also they may need to collect activity

07:42

logs in reports and send that data into

07:45

a sim

07:45

or a security incident and event

07:48

management tool

07:50

this will help them to visualize the

07:52

data and perform deeper analysis

07:55

so when an investigation of a threat is

07:58

occurring

07:59

or simply an audit is being done an

08:02

organization needs to have a complete

08:04

picture of what activities are happening

08:06

on their max

08:08

now to step three the action

08:12

all right i'm going to be honest this is

08:14

my favorite section of the cycle

08:16

now the preparation you have is in place

08:19

and the results of your detections are

08:21

arming you to respond

08:23

remediation can typically be handled two

08:26

ways

08:27

it can be automated and immediately

08:29

following

08:30

an incident or a threat or it can be

08:33

done

08:33

after a threat has been identified and

08:35

used to clean up the attack

08:39

to dive into remediation as an automated

08:41

response to a threat

08:43

let's again say we have an attack that's

08:45

active on a network

08:47

first the attack has to be stopped and

08:49

prevented from spreading to other

08:51

devices

08:52

because of your preparation and planning

08:54

the relevant process will be

08:56

likely stopped and blocked by a tool

08:59

like jamf protect or similar solution

09:02

but that does not mean the attack is

09:04

completely finished and it didn't leave

09:06

anything behind

09:07

so we can start by providing a response

09:09

to your end user that there was

09:11

malicious activity on their device

09:13

and to refrain from any further actions

09:15

we then can quarantine any associated

09:18

files or processes

09:20

and isolate the device on the network

09:22

until the device is clean and set back

09:24

to a known good state

09:27

so instead of just talking about

09:30

examples of remediation

09:31

let me actually show you just to go over

09:35

all of these examples are going to be

09:36

using

09:37

jamf pro and jamf protect

09:41

first let's start with setting up

09:43

everything

09:44

in jamf protect we need to choose what

09:48

detection we want to respond to

09:52

here you can see we have a number of

09:54

behaviors that jamf protect is

09:56

monitoring for

09:57

with our analytics for today i'm going

10:00

to choose a dns modification

10:03

once you've chosen the desired analytic

10:06

simply click

10:07

update actions and add to jamf pro

10:10

smart group this is where you're going

10:13

to type out a value

10:14

that will later become an extension

10:16

attribute

10:18

written to the device

10:25

now in jamf pro we need to add a script

10:28

to find the extension attribute created

10:30

by jamf protect

10:33

all you need to do is go into the

10:34

settings for your jamf pro server

10:37

and get to computer management and then

10:40

extension attributes so

10:46

to make it easier at jamf we've added a

10:48

template

10:49

under the jamf section for jamf protect

10:52

smart groups

10:54

once you've added the template script

10:56

all you need to do is simply hit save

11:04

next we need to build a smart group

11:08

so going in and clicking new

11:11

we can give the smart group a name

11:16

i recommend using the extension

11:18

attribute value in the name to stay

11:20

organized

11:22

and now we need to add the criteria

11:24

which is just the extension attribute

11:26

we've added from that template looking

11:29

for the value that is written by jamf

11:33

protect

11:39

now that smart group can be scoped to

11:42

configuration profiles

11:43

to exclude that device from company

11:46

resources

11:47

or be scoped to a policy for some

11:49

customization

11:51

and for policy jamf protect

11:55

actually runs a custom event trigger as

11:58

soon as that detection happens

12:00

so when creating a policy you can simply

12:02

add

12:03

protect all lowercase

12:07

within a custom event trigger to allow

12:09

for near real-time response

12:15

okay now we have everything set up

12:17

between jamf pro and jamf protect

12:20

let's go through some actual examples of

12:22

remediation and response

12:25

so again i like to organize by threat

12:27

level so this is an example of a

12:29

low-level threat

12:30

something not truly malicious and almost

12:33

no

12:33

impact in jff protect we have those

12:37

behavioral

12:38

alerts within our analytics that are

12:40

looking for a variety of activities that

12:42

are largely mapped to the miter attack

12:44

framework

12:46

in this example an end user does a dns

12:49

modification

12:50

which jamf protect is monitoring for

12:53

once chance protect has been alerted

12:57

that this user has done this

12:58

modification

13:00

it then will tell the jamf pro agent

13:03

managing managing the device to run a

13:06

script

13:07

to simply launch stamp helper and notify

13:10

the end user

13:11

that there may have been malicious

13:12

activity occurring on their device

13:15

and they may need a contact i.t so this

13:18

response is not doing anything

13:20

automated or deleting or stopping but

13:23

just

13:23

telling the end user on what activities

13:26

are happening

13:26

on their device

13:32

next we're going to cover responding to

13:34

a medium level threat

13:36

so something that is definitely unwanted

13:38

but has minimal impact

13:41

in this workflow the end user tries to

13:44

open

13:45

a downloaded media player this specific

13:48

version

13:49

has been infected with known malware so

13:52

when the end user tries to launch it

13:54

gatekeeper will actually stop the

13:56

application

13:57

and jamf protect is monitoring for

13:59

activity from gatekeeper

14:01

and all of those other native security

14:02

tools to keep you informed on their

14:05

activity

14:06

because we know gatekeeper has stopped

14:08

something unwanted

14:09

we can again use jamf helper to further

14:12

inform the end user

14:13

of what's happened on their device and

14:16

actually prompt them to do some cleanup

14:18

themselves

14:19

so using self-service this can all be

14:21

automatically opened

14:24

this can all automatically open a policy

14:27

to have the end user delete

14:28

all files that have been downloaded in

14:30

the last 24 hours

14:32

hopefully removing that compromised

14:35

application

14:39

now let's cover a high level threat this

14:42

is where something malicious

14:44

has definitely occurred but we have no

14:46

idea what that impact may be

14:49

in this example a user is going to open

14:52

up their browser

14:53

and they're immediately prompted with a

14:55

pop-up telling their adobe flash player

14:57

is out of date

14:59

this is a very common delivery mechanism

15:01

to get malware onto a mac

15:04

so as soon as that installer has been

15:06

downloaded

15:07

this triggers jamf protect and this

15:09

immediately pushes another jamf helper

15:12

policy from jamf pro telling the end

15:14

user

15:15

what they've done and what actions have

15:17

taken place

15:18

what we've done is we've isolated this

15:20

device by cutting off its access

15:23

to the network this will hopefully limit

15:25

the impact of any possible breach

15:28

and keep the device quarantined and

15:30

isolated

15:31

until the threat can be analyzed

15:36

okay for our last example i want to show

15:39

you

15:39

how using our methods of customized

15:41

response

15:42

can give you some really unique

15:44

remediation workflows

15:47

jamf protect has a feature called threat

15:49

prevention

15:50

that allows you to block and quarantine

15:53

known mac

15:54

threats as well as allowing you to

15:56

create

15:57

custom lists to block processes from the

16:00

binary level

16:02

so say there's a new zero day for mac

16:04

malware

16:06

as soon as the hashes are identified or

16:09

even the developer

16:10

team id you can create a custom prevent

16:13

list

16:14

to protect your devices from this new

16:16

threat as soon as that information is

16:18

available

16:21

so to go over this a little bit deeper

16:23

so here we have a shared directory

16:25

that it or infosec would have access to

16:29

on all your devices

16:30

also i want to show you the directory

16:32

that jamf protects threat prevention

16:34

quarantines threats

16:36

now the end user here is going to

16:37

attempt to launch an executable that is

16:40

in jamf protects threat prevention

16:42

on launch jamf protect immediately

16:45

blocks and removes the executable

16:47

and as you can see here it has now been

16:50

quarantined so now jamf pro is actually

16:54

installing

16:55

a response tool of dep notify

16:58

which is just an open source program

17:00

that's typically used to onboard users

17:03

but what i've done is i've taken

17:05

advantage of dep notify's

17:07

full screen feature to lock the end user

17:10

out

17:11

while additional scripts are being run

17:13

that are going to

17:14

zip up that malware move it to that

17:17

shared drive

17:18

as well as cleaning up that quarantined

17:20

location

17:22

all while informing the end user of

17:24

exactly what's happening

17:25

and the progress as soon as remediation

17:28

has been completed

17:30

we can prompt the user again with some

17:32

best practices

17:33

and follow-up step recommendations

17:37

and as you can see that malware has now

17:40

been zipped and moved to that shared

17:42

drive

17:43

and that directory for quarantine has

17:46

been cleaned

17:50

okay so now that we've gone over some

17:52

examples of remediation

17:54

let's get back to the ir cycle and go

17:56

over the final step

18:00

i like to call this step century mode

18:03

we've survived our attack

18:05

and we've responded now we're going to

18:07

readjust to get back to normal

18:10

but we want to also enhance our defenses

18:14

so we have this heightened awareness of

18:16

what's just happened

18:17

and we need to make sure we stay hyper

18:19

vigilant so you can use

18:21

jamf protect to continue to monitor and

18:24

report on any additional activity or

18:26

incidents

18:27

or even monitor for indicators of a

18:30

threat

18:31

you can also expand your security

18:33

approach to cover additional targeted

18:35

threats

18:36

that you were able to identify and

18:39

lastly

18:40

we can ensure that all end users and

18:42

especially those affected by an attack

18:45

are aware of provided operational and

18:48

information security trainings

18:50

and education courses and by doing this

18:54

we actually send ourselves back to the

18:56

start

18:57

of the cycle by increasing our

18:59

preparation

19:02

okay let's quickly go over everything

19:05

we've covered

19:07

so we went over the incident response or

19:10

ir

19:10

cycle in building your own remediation

19:13

plan

19:14

the preparation needed for a security

19:16

incident detection

19:18

and analysis of an incident remediation

19:21

and response in some example workflows

19:24

with jamf protect

19:25

and jamf pro and finally what does life

19:28

look like

19:29

post incident and starting that ir cycle

19:32

all over

19:34

if you'd like some more information i've

19:35

included a qr code to a guide

19:38

by jamf covering mac os security

19:40

incident response

19:45

thanks again everyone for listening we

19:47

will share the recording as soon as it's

19:49

ready

19:50

but if you're in a hurry you can scan

19:52

this qr code to get in touch with

19:53

someone at jamf immediately