How to Remediate a macOS Security Incident
Summary
Kelly Conlon, a security solution specialist at Jamf, presents a comprehensive guide on remediating a security incident on a Mac. The presentation covers the Incident Response (IR) cycle, emphasizing the importance of preparation, detection, analysis, containment, eradication, and recovery. Conlon highlights the evolving threat landscape for Macs and the need for robust security solutions beyond built-in tools. She introduces Jamf Pro, an MDM solution, and Jamf Protect, an endpoint security tool for Mac, to monitor, enforce, and respond to threats. The talk includes detailed examples of remediation workflows using Jamf tools for various threat levels and concludes with post-incident activities to enhance defenses and resume the IR cycle, reinforcing continuous preparedness.
Takeaways
- 🛡️ The importance of a security incident response plan is emphasized as it directly correlates to the damage, recovery time, and potential cost an organization may face in the event of a cyber attack or security breach.
- 📈 As Mac adoption rises, so does the threat landscape, necessitating better methods to protect Macs and the organizational data they may contain beyond built-in security tools.
- 🔍 The incident response (IR) cycle, as defined by the National Institute of Standards and Technology (NIST), consists of preparation, detection and analysis, containment, eradication, recovery or remediation, and post-incident activity.
- 🧩 Incident response and remediation are used interchangeably in the script, with incident response being the process of handling a data breach or cyber attack, and remediation being the act of correcting something corrupted.
- 🌐 To prepare for an IR plan, one must have a thorough understanding of the environment, infrastructure, and potential threats, developing situational awareness.
- 🛠️ Jamf Pro, an MDM solution, is highlighted as a tool for monitoring and enforcing security measures on Mac devices, helping to identify devices not meeting security standards.
- 🚨 Jamf Protect is introduced as an endpoint security solution for Macs that blocks known threats, gathers forensic data, and monitors for behavioral detections.
- 🔎 The script stresses the importance of constant analysis and vigilance by security teams to identify unknown threats and to not become complacent while waiting for an attack.
- 🛑 Remediation can be automated and immediate following an incident or threat, or it can be done after a threat has been identified to clean up the attack.
- 👥 The script provides examples of how to set up automated responses using Jamf Pro and Jamf Protect, including quarantine and isolation of devices, and custom scripts for user notification and cleanup.
- 🔄 The final step in the IR cycle, post-incident activity, involves readjusting and enhancing defenses, staying vigilant, and providing training and education to end users to increase overall security preparedness.
Q & A
What is the primary goal of Kelly Conlon's presentation?
-The primary goal is to provide a better understanding of how to prepare and manage a security incident on a Mac, and to inspire the implementation of different workflows in one's environment.
What is the Incident Response (IR) cycle as defined by the National Institute of Standards and Technology (NIST)?
-The IR cycle includes four components: preparation, detection and analysis, containment, eradication and recovery or remediation, and post-incident activity.
Why is it important for an organization to have a security incident response plan?
-A security incident response plan is important because the speed and effectiveness of an organization's reaction to a cyber attack or security breach directly correlates to the amount of damage inflicted, the recovery time needed, and the potential cost lost.
What is the role of Jamf Pro in managing the security of Mac devices?
-Jamf Pro is an MDM (Mobile Device Management) solution that provides monitoring and enforcement to help keep Mac devices up to date on security, identify devices not meeting standards, and automate security-related tasks.
How does Jamf Protect contribute to the security of Mac devices?
-Jamf Protect is an endpoint security solution built for Mac that blocks known threats, gathers process and file information for forensic analysis, and monitors for specific behavioral detections.
What is the significance of situational awareness in the context of building an IR plan?
-Situational awareness is crucial as it involves understanding the environment and infrastructure as well as being aware of the threats that could affect the organization, which is the foundation for building an effective IR plan.
What steps should an IT admin take to ensure devices are as secure as possible?
-IT admins should manage, monitor, and configure devices for the best security posture, using tools like Jamf Pro for device management and Jamf Protect for additional security measures.
What is the importance of constant analysis of events by security teams?
-Constant analysis of events is important to increase the chances of identifying unknown threats and to maintain focus and vigilance, even when no immediate attack is detected.
How does Jamf Pro and Jamf Protect work together to automate the response to a security incident?
-Jamf Protect detects threats and communicates with Jamf Pro to trigger predefined actions such as isolating devices, running scripts, or notifying users, all based on the severity and nature of the threat.
What is the purpose of the 'threat prevention' feature in Jamf Protect?
-The 'threat prevention' feature allows blocking and quarantining known Mac threats and creating custom lists to block processes from the binary level, providing a proactive defense against new and emerging threats.
How does the post-incident phase of the IR cycle enhance future security?
-The post-incident phase involves readjusting to normal operations while enhancing defenses, increasing vigilance, and providing additional training and education to end users, which in turn improves preparation for future incidents.
Outlines
🛡️ Introduction to Mac Security Incident Response
Kelly Conlon, a security solution specialist at Jamf, introduces the topic of remediating a security incident on a Mac. The session aims to enhance understanding of incident preparation and management, and to inspire the implementation of different workflows. The focus is on the incident response (IR) cycle, which includes steps for building a remediation plan, preparing for security incidents, detecting and analyzing incidents, and responding with remediation. The importance of a rapid and effective reaction to cyber attacks is emphasized, as it can significantly reduce damage, recovery time, and potential costs. The discussion also highlights the changing threat landscape for Macs and the need for better protection methods beyond built-in security tools.
🔍 Building an Incident Response Plan and Detection Analysis
The speaker outlines the first step in building an IR plan, which is preparation. This involves understanding the environment, infrastructure, and potential threats to develop situational awareness. The importance of security as a top priority is discussed, especially with the shift to remote work. IT administrators are advised to ensure devices are secure through management, monitoring, and configuration. Jamf Pro, an MDM solution, is introduced as a tool for maintaining the security posture of Macs. The use of smart groups in Jamf Pro allows administrators to identify devices needing updates or reconfiguration. The second step, detection and analysis, is also covered, emphasizing the need for security and IT teams to stay alert and to continuously monitor and analyze events to identify threats, even when preventative measures are in place.
🛠️ Remediation and Response Strategies with Jamf Solutions
The third step of the IR cycle, remediation and response, is explored with a focus on how to handle threats once detected. Remediation can be automated immediately following an incident or done after a threat has been identified. The speaker provides examples of remediation using Jamf Pro and Jamf Protect, detailing the setup process in Jamf Protect and the creation of smart groups and scripts in Jamf Pro. Different threat levels are addressed, with workflows provided for low, medium, and high-level threats. These examples illustrate how to quarantine files, isolate devices, and inform end users of malicious activities, as well as how to automate responses for immediate threat containment.
🚨 Post-Incident Recovery and Continuous Improvement
The final step in the IR cycle, post-incident activity, is discussed, which the speaker refers to as 'sentry mode.' This phase involves readjusting and enhancing defenses after an attack has been addressed. The importance of maintaining vigilance and using tools like Jamf Protect for ongoing monitoring and reporting is highlighted. The speaker also suggests expanding security approaches to cover newly identified threats and ensuring that end users receive operational and information security training. This continuous improvement loop leads back to the beginning of the cycle, increasing overall preparedness for future incidents. The session concludes with a QR code for additional information on macOS security incident response.
Keywords
💡Remediation
💡Incident Response (IR)
💡Security Incident
💡Threat Landscape
💡Mac Security
💡MDM (Mobile Device Management)
💡Situational Awareness
💡Jamf Protect
💡Threat Prevention
💡Post-Incident
Highlights
Kelly Conlon, a security solution specialist at Jamf, presents on remediating a security incident on a Mac.
The importance of understanding and managing a security incident with inspiration for implementing workflows.
Incident response (IR) cycle and steps to build a remediation plan are discussed.
The correlation between an organization's reaction time to a cyber attack and the amount of damage inflicted.
Mac adoption rise leads to a changing threat landscape and the need for better protection methods.
Built-in security tools of Macs are suitable for individual consumers but not enough for organizational security.
Incident Response (IR) and Remediation are defined and their roles in a security plan are explained.
The National Institute of Standards and Technology (NIST) sets forth the four components of incident response.
Developing situational awareness is key to preparing for an incident response plan.
The necessity of secure devices managed, monitored, and configured for the best security posture.
Jamf Pro as an MDM solution for monitoring and enforcing Mac security.
Jamf Protect as an endpoint security solution for Mac to block known threats and monitor behavioral detections.
The importance of constant analysis of events on devices to identify unknown threats.
Automated and immediate remediation response to threats using tools like Jamf Protect.
Quarantining files or processes and isolating devices until they are clean as part of the remediation process.
Examples of remediation workflows using Jamf Pro and Jamf Protect for different threat levels.
Threat prevention feature of Jamf Protect to block and quarantine known Mac threats.
Customized response methods for unique remediation workflows.
Post-incident activities include readjusting, enhancing defenses, and increasing preparation.
QR code provided for additional information on macOS security incident response.
Transcripts
Today I'm going to cover remediating a security incident on a Mac, and my hope is that you will take away a better understanding on how to prepare and manage an incident, and some inspiration for how you could implement different workflows in your environment.

I am Kelly Conlon, I will be your presenter, and I am a security solution specialist here at Jamf.

For today's call we are going to cover the incident response, or IR, cycle and identifying the steps to get started with building your own remediation plan; preparation needed for a security incident or threat; detection and analysis of an incident; remediation and response and some example workflows with Jamf Protect; and finally, what does life look like post-incident and starting the IR cycle all over again.

When a cyber attack or security breach occurs, how fast and effectively an organization reacts is directly correlated to the amount of damage that can be inflicted, the recovery time needed, and even potential cost lost. This process and planning is referred to as a security incident response plan and is a key factor to a successful security program.
At Jamf we are seeing that as Mac adoption rises, their threat landscape is changing and they are becoming more and more of a target for potential attacks. So the Mac has always come with built-in security tools, and they're great baseline protection, but really it's well suited for an individual consumer. And with new modes of attack and a larger presence in organizations, Macs require better methods to protect them and any organizational data that may be on them. So regardless of your choice of a Mac security solution, your approach to incident response should be well planned and practiced.

Throughout today's call I will be covering incident response and remediation almost interchangeably, and to define them quickly: incident response, or simply IR, is actually pretty self-defined in its name. It is most commonly described as the process by which an organization handles a data breach or cyber attack. And remediation is simply the act of remedying or correcting something that has been corrupted. So ultimately, most of the time the action in your incident response plan is remediation.

The incident response cycle you see here was set forth by the National Institute of Standards and Technology, or simply NIST. This covers the four components of incident response as preparation; detection and analysis; containment, eradication and recovery, or remediation; post-incident activity; and then simply starts at the beginning all over again.
So let's start with the first step of building an IR plan. To begin you need to prepare, and the best preparation is to have a thorough understanding of your environment and infrastructure, as well as the threats that could affect you. So essentially you need to develop situational awareness and be aware of what is around you, or just simply your surroundings.

Now security has always been a top priority for almost every organization. This covers operational and physical security to the information security and protection of data, and with the current situations creating a shift to a larger remote workforce, it will be even more important to have these plans in place.

IT admins need to first ensure their devices are as secure as possible by having those devices be managed, monitored and configured for the best security posture. Think getting fitted for armor before battle, and to do this, starting with an MDM is the best place to fire up the forges. So Jamf Pro is such an MDM, and this provides monitoring and enforcement that will help to keep you up to date on the state of your Macs and identify any devices that are not meeting the standard. Using smart groups in Jamf Pro, IT admins can actually hunt for devices that need to be updated, have some reconfiguration done, or even have restrictions enforced. All of this can be done remotely and even be automated without an administrator needing to physically touch the devices.

Now to ensure we are keeping a pulse of the activity on the devices and start to harden the device's defenses, an organization may look to implement some security software like Jamf Protect, which is simply an endpoint security solution that is purpose-built for the Mac. Adding in an additional security tool will help to block known threats to the Mac, gather process and file information for forensic analysis, as well as monitoring for specific behavioral detections. So just by using an MDM like Jamf Pro and adding in an additional security tool like Jamf Protect, we will help you understand your environment better and identify those threats as they arrive.
So now for the second step in the IR cycle: detection and analysis. Now that our security and IT teams are in a position and on alert in the event of any potential attack, we need to make sure that over time they don't become complacent or stagnant while waiting for an attack, and to do this they can continue to do monitoring of those detections as well as deeper analysis of events.

Former FBI director James Comey was once quoted stating, "There are two kinds of big companies: those who've been hacked, and those who don't know they've been hacked." So essentially, despite our preparation and even preventative mechanisms we have in place, security and IT teams should assume that an attack will get past their best defenses, because you really can't protect against something you don't know entirely. So to ensure we are staying focused, security teams need to do constant analysis of events occurring on these devices to increase their chances of identifying an unknown threat.

But we still need to detect and analyze known threats as well. So let's imagine an end user accidentally downloads a trojan application. It's time for your endpoint security solution, like Jamf Protect, to get to work: alert you on this compromised process, and when that security incident occurs, you need to know what that malware may do and how impactful its attack is. This is when you need to collect all relevant information and use that to analyze the threat. So security teams always need to have as much visibility as possible during an incident so they can make informed decisions. Also, they may need to collect activity logs and reports and send that data into a SIEM, or a security incident and event management tool. This will help them to visualize the data and perform deeper analysis. So when an investigation of a threat is occurring, or simply an audit is being done, an organization needs to have a complete picture of what activities are happening on their Macs.
Now to step three: the action. All right, I'm going to be honest, this is my favorite section of the cycle. Now the preparation you have is in place, and the results of your detections are arming you to respond. Remediation can typically be handled two ways: it can be automated and immediately following an incident or a threat, or it can be done after a threat has been identified and used to clean up the attack.

To dive into remediation as an automated response to a threat, let's again say we have an attack that's active on a network. First the attack has to be stopped and prevented from spreading to other devices. Because of your preparation and planning, the relevant process will likely be stopped and blocked by a tool like Jamf Protect or a similar solution, but that does not mean the attack is completely finished and it didn't leave anything behind. So we can start by providing a response to your end user that there was malicious activity on their device and to refrain from any further actions. We then can quarantine any associated files or processes and isolate the device on the network until the device is clean and set back to a known good state.

So instead of just talking about examples of remediation, let me actually show you. Just to go over, all of these examples are going to be using Jamf Pro and Jamf Protect.
First let's start with setting up everything. In Jamf Protect we need to choose what detection we want to respond to. Here you can see we have a number of behaviors that Jamf Protect is monitoring for with our analytics. For today I'm going to choose a DNS modification. Once you've chosen the desired analytic, simply click Update Actions and Add to Jamf Pro Smart Group. This is where you're going to type out a value that will later become an extension attribute written to the device.

Now in Jamf Pro we need to add a script to find the extension attribute created by Jamf Protect. All you need to do is go into the settings for your Jamf Pro server and get to Computer Management and then Extension Attributes. So to make it easier, at Jamf we've added a template under the Jamf section for Jamf Protect smart groups. Once you've added the template script, all you need to do is simply hit save.

Next we need to build a smart group. So going in and clicking New, we can give the smart group a name. I recommend using the extension attribute value in the name to stay organized. And now we need to add the criteria, which is just the extension attribute we've added from that template, looking for the value that is written by Jamf Protect. Now that smart group can be scoped to configuration profiles to exclude that device from company resources, or be scoped to a policy for some customization. And for policy, Jamf Protect actually runs a custom event trigger as soon as that detection happens. So when creating a policy you can simply add "protect", all lowercase, within a custom event trigger to allow for near real-time response.

Okay, now we have everything set up between Jamf Pro and Jamf Protect.
Let's go through some actual examples of remediation and response. So again, I like to organize by threat level, so this is an example of a low-level threat: something not truly malicious and almost no impact. In Jamf Protect we have those behavioral alerts within our analytics that are looking for a variety of activities that are largely mapped to the MITRE ATT&CK framework. In this example an end user does a DNS modification, which Jamf Protect is monitoring for. Once Jamf Protect has been alerted that this user has done this modification, it then will tell the Jamf Pro agent managing the device to run a script to simply launch Jamf Helper and notify the end user that there may have been malicious activity occurring on their device and they may need to contact IT. So this response is not doing anything automated or deleting or stopping, but just telling the end user on what activities are happening on their device.

Next we're going to cover responding to a medium-level threat, so something that is definitely unwanted but has minimal impact. In this workflow the end user tries to open a downloaded media player. This specific version has been infected with known malware, so when the end user tries to launch it, Gatekeeper will actually stop the application, and Jamf Protect is monitoring for activity from Gatekeeper and all of those other native security tools to keep you informed on their activity. Because we know Gatekeeper has stopped something unwanted, we can again use Jamf Helper to further inform the end user of what's happened on their device and actually prompt them to do some cleanup themselves. So using Self Service, this can all automatically open a policy to have the end user delete all files that have been downloaded in the last 24 hours, hopefully removing that compromised application.

Now let's cover a high-level threat. This is where something malicious has definitely occurred but we have no idea what that impact may be. In this example a user is going to open up their browser and they're immediately prompted with a pop-up telling them their Adobe Flash Player is out of date. This is a very common delivery mechanism to get malware onto a Mac. So as soon as that installer has been downloaded, this triggers Jamf Protect, and this immediately pushes another Jamf Helper policy from Jamf Pro telling the end user what they've done and what actions have taken place. What we've done is we've isolated this device by cutting off its access to the network. This will hopefully limit the impact of any possible breach and keep the device quarantined and isolated until the threat can be analyzed.
Okay, for our last example I want to show you how using our methods of customized response can give you some really unique remediation workflows. Jamf Protect has a feature called Threat Prevention that allows you to block and quarantine known Mac threats, as well as allowing you to create custom lists to block processes from the binary level. So say there's a new zero-day for Mac malware: as soon as the hashes are identified, or even the developer Team ID, you can create a custom prevent list to protect your devices from this new threat as soon as that information is available.

So to go over this a little bit deeper: here we have a shared directory that IT or infosec would have access to on all your devices. Also I want to show you the directory that Jamf Protect's Threat Prevention quarantines threats to. Now the end user here is going to attempt to launch an executable that is in Jamf Protect's Threat Prevention. On launch, Jamf Protect immediately blocks and removes the executable, and as you can see here it has now been quarantined. So now Jamf Pro is actually installing a response tool, DEPNotify, which is just an open source program that's typically used to onboard users, but what I've done is I've taken advantage of DEPNotify's full screen feature to lock the end user out while additional scripts are being run that are going to zip up that malware, move it to that shared drive, as well as cleaning up that quarantined location, all while informing the end user of exactly what's happening and the progress. As soon as remediation has been completed, we can prompt the user again with some best practices and follow-up step recommendations. And as you can see, that malware has now been zipped and moved to that shared drive, and that directory for quarantine has been cleaned.
Okay, so now that we've gone over some examples of remediation, let's get back to the IR cycle and go over the final step. I like to call this step sentry mode. We've survived our attack and we've responded; now we're going to readjust to get back to normal, but we want to also enhance our defenses. So we have this heightened awareness of what's just happened, and we need to make sure we stay hyper-vigilant. So you can use Jamf Protect to continue to monitor and report on any additional activity or incidents, or even monitor for indicators of a threat. You can also expand your security approach to cover additional targeted threats that you were able to identify. And lastly, we can ensure that all end users, and especially those affected by an attack, are aware of provided operational and information security trainings and education courses. And by doing this we actually send ourselves back to the start of the cycle by increasing our preparation.

Okay, let's quickly go over everything we've covered. So we went over the incident response, or IR, cycle in building your own remediation plan; the preparation needed for a security incident; detection and analysis of an incident; remediation and response and some example workflows with Jamf Protect and Jamf Pro; and finally, what does life look like post-incident and starting that IR cycle all over.

If you'd like some more information, I've included a QR code to a guide by Jamf covering macOS security incident response. Thanks again everyone for listening. We will share the recording as soon as it's ready, but if you're in a hurry you can scan this QR code to get in touch with someone at Jamf immediately.
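The remediation scripts the talk describes for the Threat Prevention workflow (archive the quarantined executable to a shared IT/infosec directory, clean the quarantine location, keep the end user informed) are not shown on screen. The script below is an added example, not Jamf's code or the presenter's scripts, showing one defensible way to write that step: hash every quarantined file before it is touched, archive it with a manifest onto the evidence share, verify the archive against the manifest, and only then empty the quarantine directory, so a failed copy never destroys the only copy of the evidence. It assumes placeholder quarantine and evidence directories (the real Jamf Protect quarantine path is not given in the talk), uses tar instead of zip so it runs on macOS or Linux, and calls jamfHelper only when the Jamf binary is installed, otherwise printing the notice.

```shell
#!/bin/sh
# Added example, not Jamf's code or the presenter's scripts. Quarantine and
# evidence directories are assumed placeholders passed in as arguments.
set -eu

# SHA-256 with whichever tool is present (shasum on macOS, sha256sum on Linux).
sha256_of() {
  if command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    sha256sum "$1" | awk '{print $1}'
  fi
}

# Keep the end user informed. Uses jamfHelper when the Jamf binary exists,
# otherwise prints the notice so the script still runs outside a managed Mac.
notify_user() {
  title="$1"; message="$2"
  helper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
  if [ -x "$helper" ]; then
    "$helper" -windowType utility -title "$title" -description "$message" -button1 "OK" >/dev/null || true
  else
    printf '%s: %s\n' "$title" "$message"
  fi
}

# Hash every quarantined file, pack the directory into a timestamped archive
# on the evidence share, record the archive hash, verify the archive holds
# every hashed file, and only then empty the quarantine directory.
# Prints the manifest path. Returns 1 if there is nothing to preserve and
# 2 if the archive does not match the manifest (quarantine is left intact).
preserve_and_clean() {
  quarantine="$1"; evidence="$2"
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  host="$(hostname -s 2>/dev/null || echo unknown-host)"
  archive="$evidence/${host}-quarantine-${stamp}.tar.gz"
  manifest="$evidence/${host}-quarantine-${stamp}.manifest.txt"
  mkdir -p "$evidence"

  if [ -z "$(ls -A "$quarantine")" ]; then
    echo "nothing quarantined in $quarantine" >&2
    return 1
  fi

  # Hashes are taken before anything is moved, so the manifest describes the
  # artifacts exactly as they sat in quarantine.
  {
    echo "host=$host"
    echo "collected_utc=$stamp"
    echo "source=$quarantine"
    (cd "$quarantine" && find . -type f | sort | while IFS= read -r f; do
      printf 'sha256 %s %s\n' "$(sha256_of "$f")" "${f#./}"
    done)
  } > "$manifest"

  # -C keeps archive paths relative to the quarantine directory.
  tar -czf "$archive" -C "$quarantine" .
  printf 'archive_sha256 %s %s\n' "$(sha256_of "$archive")" "$(basename "$archive")" >> "$manifest"

  expected="$(grep -c '^sha256 ' "$manifest" || true)"
  actual="$(tar -tzf "$archive" | grep -vc '/$' || true)"
  if [ "$expected" -ne "$actual" ]; then
    echo "archive check failed: $expected hashed, $actual archived" >&2
    return 2
  fi

  # Evidence is stored and verified: now clean the quarantine location.
  find "$quarantine" -mindepth 1 -delete
  echo "$manifest"
}

# Constructed demonstration: a throwaway quarantine directory holding a
# harmless placeholder file standing in for the blocked executable.
demo() {
  q="$(mktemp -d)"
  e="$(mktemp -d)/infosec-share"
  printf 'placeholder, not a real binary\n' > "$q/blocked-executable"
  notify_user "Security notice" "A blocked program is being collected for analysis. Please do not run anything until IT follows up."
  m="$(preserve_and_clean "$q" "$e")"
  notify_user "Remediation complete" "Evidence stored; manifest at $m"
  echo "$m"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it with `--demo` to see the two user notices and the manifest path. The order of operations is the point: the manifest and archive are written and checked before `find -delete` runs, so an unreachable share or a truncated archive leaves the quarantine directory (and the evidence in it) untouched for the analyst.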