How to Remediate a macOS Security Incident
Summary
TLDR: This video, presented by Kelly Conlon of Jamf, focuses on remediating security incidents on Macs. It explains how to prepare for and manage an incident and offers inspiration for workflows in your own environment. It covers the incident response (IR) cycle, the steps to build a remediation plan, the preparation required, detection and analysis, remediation and response, and example workflows with Jamf Protect. It stresses that well-executed planning and practice are what make the response to a security incident effective.
Takeaways
- 🛡️ Preparing for a security incident is essential to reduce the damage, the recovery time and the potential cost.
- 📈 Growing Mac adoption makes Macs more and more of a target for attacks, which calls for better methods of protection.
- 🔍 The security team must keep up constant monitoring and perform deeper analysis of events to identify potential threats.
- 🚨 A well-prepared and well-practiced security incident response plan is key to a successful security program.
- 🤖 Use an MDM (Mobile Device Management) such as Jamf Pro to manage, monitor and configure Mac devices for the best security posture.
- 🛠️ Adding an additional security tool such as Jamf Protect helps block known threats and gather information for forensic analysis.
- 📊 Continuous analysis of events is crucial to increase the chances of identifying an unknown threat.
- 🏥 Response and remediation are the key actions in an incident response plan; they can be automated or carried out after a threat has been identified.
- 🔄 The incident response (IR) cycle consists of preparation, detection and analysis, remediation and recovery, and post-incident activity.
- 👥 It is important to inform and train end users, especially those affected by an attack, to improve the organization's preparation and security.
- 🔄 After an incident, it is essential to start the IR cycle again to strengthen defenses and stay vigilant against new threats.
Q & A
What is Kelly Conlon's role in this presentation?
-Kelly Conlon is the presenter of the session and a security solution specialist at Jamf.
Why is it important to react quickly and effectively to an attack or security breach?
-How fast and effectively an organization reacts to an attack or security breach is directly correlated to the amount of damage inflicted, the recovery time needed and even the potential cost lost.
What is the incident response (IR) cycle and how is it structured?
-The incident response (IR) cycle is structured in four components: preparation; detection and analysis; containment, eradication and recovery or remediation; followed by post-incident activity and starting the IR cycle over again.
How are Macs becoming more of a target for potential attacks?
-As Mac adoption rises, their threat landscape is changing and they are becoming more and more of a target for potential attacks.
What built-in security tools do Macs offer and what are they intended for?
-Macs offer built-in security tools that are a good baseline of protection, but they are best suited to an individual consumer. With new modes of attack and a larger presence in organizations, Macs require better methods to protect them.
What is the role of an MDM (Mobile Device Management) in preparing for a security incident?
-An MDM such as Jamf Pro makes it possible to manage, monitor and configure devices for the best security posture, identifying devices that do not meet the standard and updating them or enforcing restrictions remotely.
What is the advantage of adding an additional security tool such as Jamf Protect to an MDM?
-Adding an additional security tool like Jamf Protect helps block known threats to Macs, gather process and file information for forensic analysis, and monitor for specific behavioral detections.
What is the difference between incident response (IR) and remediation?
-Incident response (IR) is the process by which an organization handles a data breach or cyber attack, while remediation is the act of remedying or correcting something that has been corrupted.
What are the examples of remediation and response workflows using Jamf Protect and Jamf Pro?
-The examples include workflows for low-, medium- and high-severity threats, where Jamf Protect detects and reports malicious activity and Jamf Pro runs scripts to notify the end user, quarantine the associated files, isolate the device on the network and clean the device until it is back to a known good state.
How can Jamf Protect's threat prevention feature help protect against new threats?
-Jamf Protect's threat prevention feature blocks and quarantines known Mac threats and lets you create custom lists to block processes at the binary level. So when a new vulnerability or piece of malware appears, a custom prevent list can be created to protect devices as soon as the information is available.
What is the purpose of the final step of the IR cycle, called 'sentry mode'?
-The final step, or 'sentry mode', aims to raise awareness and vigilance after an attack, enhance defenses, monitor and report on any additional activity or incidents, expand the security approach to cover targeted threats, and make end users aware of security training and education.
Outlines
🛡️ Security incidents on Mac: Introduction
Kelly Conlon, security solution specialist at Jamf, presents a guide to responding to security incidents on Macs. The goal is to give a better understanding of how to prepare for and manage incidents, along with ideas for implementing workflows in your environment. The talk covers the incident response (IR) cycle, the steps to build a remediation plan, the preparation needed, detection and analysis of incidents, remediation and response, example workflows with Jamf Protect, and what life looks like after an incident when the IR cycle starts over.
🔍 Preparing for and analyzing security incidents
This section explains the importance of preparation within the incident response cycle: understanding your environment and developing situational awareness. It stresses the need to manage and monitor devices to ensure the best security posture. Using solutions such as Jamf Pro for device management and Jamf Protect to strengthen defenses against threats is recommended. Continuous analysis of events is crucial to identifying potential threats, even when preventive mechanisms are in place.
🛠️ Incident response and remediation
This part of the talk focuses on the third step of the IR cycle: remediation. It describes how, once a threat is detected, the response can be automated or manual. Remediation examples are presented using Jamf Pro and Jamf Protect to handle low- to high-level threats. Scenarios such as a DNS modification, opening an infected media player and receiving a deceptive pop-up are explored, showing how these tools can be configured to respond in near real time and quarantine compromised files or devices.
🔄 Post-incident and adjustments
The last section covers the post-incident phase, where the organization must readjust and enhance its defenses after an attack. It is important to stay vigilant and use tools such as Jamf Protect to monitor and report on any abnormal activity. Expanding the security approach to cover targeted threats and raising awareness among users and staff are also essential to strengthen preparation and avoid future incidents. A QR code is provided for access to an additional guide on macOS security incident response.
Keywords
💡Incident Response (IR)
💡Remediation
💡Mac
💡Jamf
💡MDM (Mobile Device Management)
💡Threat Landscape
💡Situational Awareness
💡Security Software
💡Forensics Analysis
💡Smart Groups
💡Zero-Day
Highlights
Kelly Conlon, a security solution specialist at Jamf, presents on remediating a security incident on a Mac.
The importance of understanding how to prepare and manage an incident and implementing different workflows in your environment is emphasized.
Incident Response (IR) cycle and steps to build a remediation plan are covered, including preparation for a security incident or threat.
The correlation between how fast and effectively an organization reacts to a cyber attack and the amount of damage inflicted is discussed.
The rise in Mac adoption leads to a changing threat landscape, with Macs becoming more of a target for potential attacks.
Built-in security tools in Macs are suitable for individual consumers but require better methods for organizational protection.
Incident Response is defined as the process by which an organization handles a data breach or cyber attack.
Remediation is the act of remedying or correcting something that has been corrupted.
The National Institute of Standards and Technology (NIST) sets forth the four components of incident response: preparation; detection and analysis; containment, eradication and recovery (or remediation); and post-incident activity.
Having a thorough understanding of your environment and infrastructure, as well as the threats that could affect you, is crucial for preparation.
Jamf Pro as an MDM provides monitoring and enforcement to keep Macs updated and identify non-compliant devices.
Security software like Jamf Protect can block known threats, gather forensic data, and monitor for behavioral detections.
The need for constant analysis of events on devices to identify unknown threats, despite best defenses, is highlighted.
Automated remediation response to a threat can involve stopping the attack, quarantining files, and isolating the device until clean.
Examples of remediation workflows using Jamf Pro and Jamf Protect for different threat levels are provided.
Threat prevention feature in Jamf Protect allows blocking and quarantining known Mac threats and creating custom lists to block processes.
Post-incident activities include readjusting to normal operations, enhancing defenses, and providing training to end users.
A QR code is provided for more information on macOS security incident response.
Transcripts
Today I'm going to cover remediating a security incident on a Mac, and my hope is that you will take away a better understanding on how to prepare and manage an incident, and some inspiration for how you could implement different workflows in your environment. I am Kelly Conlon, I will be your presenter, and I am a security solution specialist here at Jamf.

For today's call we are going to cover the incident response, or IR, cycle and identifying the steps to get started with building your own remediation plan; preparation needed for a security incident or threat; detection and analysis of an incident; remediation and response, and some example workflows with Jamf Protect; and finally what does life look like post-incident, and starting the IR cycle all over again.

When a cyber attack or security breach occurs, how fast and effectively an organization reacts is directly correlated to the amount of damage that can be inflicted, the recovery time needed, and even potential cost lost. This process and planning is referred to as a security incident response plan and is a key factor to a successful security program.
At Jamf we are seeing that as Mac adoption rises, their threat landscape is changing and they are becoming more and more of a target for potential attacks. So the Mac has always come with built-in security tools, and they're great baseline protection, but really it's well suited for an individual consumer. And with new modes of attack and a larger presence in organizations, Macs require better methods to protect them and any organizational data that may be on them. So regardless of your choice of a Mac security solution, your approach to incident response should be well planned and practiced.

Throughout today's call I will be covering incident response and remediation almost interchangeably, and to define them quickly: incident response, or simply IR, is actually pretty self-defined in its name. It is most commonly described as the process by which an organization handles a data breach or cyber attack. And remediation is simply the act of remedying or correcting something that has been corrupted. So ultimately, most of the time the action in your incident response plan is remediation.

The incident response cycle you see here was set forth by the National Institute of Standards and Technology, or simply NIST. This covers the four components of incident response as preparation; detection and analysis; containment, eradication and recovery, or remediation; post-incident activity; and then simply starts at the beginning all over again.
So let's start with the first step of building an IR plan. To begin you need to prepare, and the best preparation is to have a thorough understanding of your environment and infrastructure, as well as the threats that could affect you. So essentially you need to develop situational awareness and be aware of what is around you, or just simply your surroundings.

Now security has always been a top priority for almost every organization. This covers operational and physical security to the information security and protection of data, and with the current situations creating a shift to a larger remote workforce, it will be even more important to have these plans in place. IT admins need to first ensure their devices are as secure as possible by having those devices be managed, monitored and configured for the best security posture. Think getting fitted for armor before battle, and to do this, starting with an MDM is the best place to fire up the forges.

So Jamf Pro is such an MDM, and this provides monitoring and enforcement that will help to keep you up to date on the state of your Macs and identify any devices that are not meeting the standard. Using smart groups in Jamf Pro, IT admins can actually hunt for devices that need to be updated, have some reconfiguration done, or even have restrictions enforced. All of this can be done remotely and even be automated without an administrator needing to physically touch the devices.

Now to ensure we are keeping a pulse of the activity on the devices and start to harden the device's defenses, an organization may look to implement some security software like Jamf Protect, which is simply an endpoint security solution that is purpose-built for the Mac. Adding in an additional security tool will help to block known threats to the Mac, gather process and file information for forensic analysis, as well as monitoring for specific behavioral detections. So just by using an MDM like Jamf Pro and adding in an additional security tool like Jamf Protect, we will help you understand your environment better and identify those threats as they arrive.
So now for the second step in the IR cycle: detection and analysis. Now that our security and IT teams are in a position and on alert in the event of any potential attack, we need to make sure that over time they don't become complacent or stagnant while waiting for an attack, and to do this they can continue to do monitoring of those detections as well as deeper analysis of events.

Former FBI director James Comey was once quoted stating: there are two kinds of big companies, those who've been hacked and those who don't know they've been hacked. So essentially, despite our preparation and even preventative mechanisms we have in place, security and IT teams should assume that an attack will get past their best defenses, because you really can't protect against something you don't know entirely. So to ensure we are staying focused, security teams need to do constant analysis of events occurring on these devices to increase their chances of identifying an unknown threat. But we still need to detect and analyze known threats as well.

So let's imagine an end user accidentally downloads a trojan application. It's time for your endpoint security solution like Jamf Protect to get to work, alert you on this compromised process, and when that security incident occurs you need to know what that malware may do and how impactful its attack is. This is when you need to collect all relevant information and use that to analyze the threat. So security teams always need to have as much visibility as possible during an incident so they can make informed decisions. Also they may need to collect activity logs and reports and send that data into a SIEM, or a security incident and event management tool. This will help them to visualize the data and perform deeper analysis. So when an investigation of a threat is occurring, or simply an audit is being done, an organization needs to have a complete picture of what activities are happening on their Macs.
Now to step three: the action. All right, I'm going to be honest, this is my favorite section of the cycle. Now the preparation you have is in place and the results of your detections are arming you to respond. Remediation can typically be handled two ways: it can be automated and immediately following an incident or a threat, or it can be done after a threat has been identified and used to clean up the attack.

To dive into remediation as an automated response to a threat, let's again say we have an attack that's active on a network. First the attack has to be stopped and prevented from spreading to other devices. Because of your preparation and planning, the relevant process will likely be stopped and blocked by a tool like Jamf Protect or a similar solution, but that does not mean the attack is completely finished and it didn't leave anything behind. So we can start by providing a response to your end user that there was malicious activity on their device and to refrain from any further actions. We then can quarantine any associated files or processes and isolate the device on the network until the device is clean and set back to a known good state.

So instead of just talking about examples of remediation, let me actually show you. Just to go over, all of these examples are going to be using Jamf Pro and Jamf Protect.
First let's start with setting up everything. In Jamf Protect we need to choose what detection we want to respond to. Here you can see we have a number of behaviors that Jamf Protect is monitoring for with our analytics. For today I'm going to choose a DNS modification. Once you've chosen the desired analytic, simply click update actions and add to Jamf Pro smart group. This is where you're going to type out a value that will later become an extension attribute written to the device.

Now in Jamf Pro we need to add a script to find the extension attribute created by Jamf Protect. All you need to do is go into the settings for your Jamf Pro server and get to computer management and then extension attributes. So to make it easier, at Jamf we've added a template under the Jamf section for Jamf Protect smart groups. Once you've added the template script, all you need to do is simply hit save.

Next we need to build a smart group. So going in and clicking new, we can give the smart group a name. I recommend using the extension attribute value in the name to stay organized. And now we need to add the criteria, which is just the extension attribute we've added from that template, looking for the value that is written by Jamf Protect. Now that smart group can be scoped to configuration profiles to exclude that device from company resources, or be scoped to a policy for some customization. And for policy, Jamf Protect actually runs a custom event trigger as soon as that detection happens, so when creating a policy you can simply add "protect", all lowercase, within a custom event trigger to allow for near real-time response.

Okay, now we have everything set up between Jamf Pro and Jamf Protect, let's go through some actual examples of remediation and response.
So again I like to organize by threat level, so this is an example of a low-level threat: something not truly malicious and almost no impact. In Jamf Protect we have those behavioral alerts within our analytics that are looking for a variety of activities that are largely mapped to the MITRE ATT&CK framework. In this example an end user does a DNS modification, which Jamf Protect is monitoring for. Once Jamf Protect has been alerted that this user has done this modification, it then will tell the Jamf Pro agent managing the device to run a script to simply launch Jamf Helper and notify the end user that there may have been malicious activity occurring on their device and they may need to contact IT. So this response is not doing anything automated or deleting or stopping, but just telling the end user on what activities are happening on their device.

Next we're going to cover responding to a medium-level threat, so something that is definitely unwanted but has minimal impact. In this workflow the end user tries to open a downloaded media player. This specific version has been infected with known malware, so when the end user tries to launch it, Gatekeeper will actually stop the application, and Jamf Protect is monitoring for activity from Gatekeeper and all of those other native security tools to keep you informed on their activity. Because we know Gatekeeper has stopped something unwanted, we can again use Jamf Helper to further inform the end user of what's happened on their device and actually prompt them to do some cleanup themselves. So using Self Service, this can all automatically open a policy to have the end user delete all files that have been downloaded in the last 24 hours, hopefully removing that compromised application.

Now let's cover a high-level threat. This is where something malicious has definitely occurred but we have no idea what that impact may be. In this example a user is going to open up their browser and they're immediately prompted with a pop-up telling them their Adobe Flash Player is out of date. This is a very common delivery mechanism to get malware onto a Mac. So as soon as that installer has been downloaded, this triggers Jamf Protect, and this immediately pushes another Jamf Helper policy from Jamf Pro telling the end user what they've done and what actions have taken place. What we've done is we've isolated this device by cutting off its access to the network. This will hopefully limit the impact of any possible breach and keep the device quarantined and isolated until the threat can be analyzed.
Okay, for our last example I want to show you how using our methods of customized response can give you some really unique remediation workflows. Jamf Protect has a feature called threat prevention that allows you to block and quarantine known Mac threats, as well as allowing you to create custom lists to block processes from the binary level. So say there's a new zero-day for Mac malware: as soon as the hashes are identified, or even the developer Team ID, you can create a custom prevent list to protect your devices from this new threat as soon as that information is available.

So to go over this a little bit deeper, here we have a shared directory that IT or InfoSec would have access to on all your devices. Also I want to show you the directory that Jamf Protect's threat prevention quarantines threats to. Now the end user here is going to attempt to launch an executable that is in Jamf Protect's threat prevention. On launch, Jamf Protect immediately blocks and removes the executable, and as you can see here it has now been quarantined. So now Jamf Pro is actually installing a response tool, DEPNotify, which is just an open source program that's typically used to onboard users, but what I've done is I've taken advantage of DEPNotify's full screen feature to lock the end user out while additional scripts are being run that are going to zip up that malware, move it to that shared drive, as well as cleaning up that quarantined location, all while informing the end user of exactly what's happening and the progress. As soon as remediation has been completed, we can prompt the user again with some best practices and follow-up step recommendations. And as you can see, that malware has now been zipped and moved to that shared drive, and that directory for quarantine has been cleaned.
Okay, so now that we've gone over some examples of remediation, let's get back to the IR cycle and go over the final step. I like to call this step sentry mode. We've survived our attack and we've responded; now we're going to readjust to get back to normal, but we want to also enhance our defenses. So we have this heightened awareness of what's just happened and we need to make sure we stay hyper vigilant, so you can use Jamf Protect to continue to monitor and report on any additional activity or incidents, or even monitor for indicators of a threat. You can also expand your security approach to cover additional targeted threats that you were able to identify, and lastly we can ensure that all end users, and especially those affected by an attack, are aware of provided operational and information security trainings and education courses. And by doing this we actually send ourselves back to the start of the cycle by increasing our preparation.

Okay, let's quickly go over everything we've covered. So we went over the incident response, or IR, cycle in building your own remediation plan; the preparation needed for a security incident; detection and analysis of an incident; remediation and response and some example workflows with Jamf Protect and Jamf Pro; and finally what does life look like post-incident and starting that IR cycle all over.

If you'd like some more information, I've included a QR code to a guide by Jamf covering macOS security incident response. Thanks again everyone for listening. We will share the recording as soon as it's ready, but if you're in a hurry you can scan this QR code to get in touch with someone at Jamf immediately.