Malware authors are beginning to target Mac OS X and iOS in larger numbers. In 2014 Kaspersky estimated 1,800 unique attacks categorized into 25 different families engineered specifically for Macs. As malware and phishing attacks become more targeted, more sophisticated, and easier to carry out, Mac users can no longer count on the smaller OS X market share to keep attackers away. To combat the growing threat, companies will need analysis tools that can automate forensics.
Ivan Leichtling, engineering manager at Yelp, laid out the issue simply: “There’s a ton of malware for Macs,” he told a large crowd at BSides SF 2015. “If you haven’t seen it, that’s because it’s on your machine.”
At Yelp, a company with 29 global deployments and 5,000 company Macs, security for OS X is more than just a growing priority. That many Macs means thousands of easy entry points for hackers if Yelp’s security engineers and employees are not watching carefully. Understanding the mammoth task at hand, Leichtling and his team developed a tool named OSXCollector for detecting and containing malware in OS X.
OSXCollector is built from readily available, simple-to-use components such as the Python programming language, which works well alongside Objective-C, the language that powers most Mac apps. The tool also links to a series of filters that can query threat intelligence services such as OpenDNS's Investigate and VirusTotal scores.
“Filters are really easy to plug in and move between,” he said. “We run one giant chain that runs most all the filters and recommends next steps.” But capable, free tools can come with trade-offs, speed among them.
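To make the filter-chain idea concrete, here is an added illustration written for this article; it is not OSXCollector's own code. It assumes collector output in the form of one JSON object per line, tagged with the section it came from, and replaces the live VirusTotal and OpenDNS Investigate lookups with constructed in-memory tables. Every field name, hash and domain in the sample is constructed for the example. Each filter takes one record and hands it on, annotated where it finds something, and the final filter turns hits into the human-readable next steps Leichtling describes.

```python
import json
from typing import Callable, Iterable, Iterator
from urllib.parse import urlparse

# Constructed sample of collector output: one JSON object per line, each
# tagged with the section it came from. The shape is modelled loosely on
# the idea of JSON-lines collector output, but every field name and value
# here is an assumption made for this example.
SAMPLE_OUTPUT = """\
{"osxcollector_section": "startup", "file_path": "/Library/LaunchDaemons/com.example.helper.plist", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}
{"osxcollector_section": "downloads", "file_path": "/Users/alice/Downloads/invoice.pdf.app", "sha1": "deadbeef00000000000000000000000000000000"}
{"osxcollector_section": "chrome", "url": "https://www.yelp.com/", "visit_count": 42}
{"osxcollector_section": "chrome", "url": "http://update-check.bad-domain.example/payload", "visit_count": 1}
"""

# Constructed stand-ins for the threat-intel sources a real filter would
# query (a hash-reputation service such as VirusTotal, a domain-reputation
# service such as OpenDNS Investigate).
KNOWN_BAD_SHA1 = {"deadbeef00000000000000000000000000000000": "constructed-bad-hash"}
KNOWN_BAD_DOMAINS = {"bad-domain.example": "constructed-bad-domain"}

# A filter takes one record and returns it, possibly annotated.
Filter = Callable[[dict], dict]


def hash_filter(record: dict) -> dict:
    """Flag records whose SHA-1 matches a known-bad hash."""
    verdict = KNOWN_BAD_SHA1.get(record.get("sha1", ""))
    if verdict:
        record.setdefault("threat_intel", []).append({"source": "hash", "verdict": verdict})
    return record


def domain_filter(record: dict) -> dict:
    """Flag records whose URL host, or any parent domain of it, is known bad."""
    host = urlparse(record.get("url", "")).hostname or ""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        verdict = KNOWN_BAD_DOMAINS.get(candidate)
        if verdict:
            record.setdefault("threat_intel", []).append(
                {"source": "domain", "matched": candidate, "verdict": verdict})
            break
    return record


def next_steps_filter(record: dict) -> dict:
    """Turn threat-intel hits into a concrete, human-readable recommendation."""
    if "threat_intel" not in record:
        return record
    section = record.get("osxcollector_section")
    if section == "downloads":
        record["next_step"] = "quarantine %s and pull the download's origin URL" % record["file_path"]
    elif section == "startup":
        record["next_step"] = "review persistence item %s" % record["file_path"]
    else:
        record["next_step"] = "check other hosts for contact with %s" % record["url"]
    return record


def run_chain(lines: Iterable[str], filters: Iterable[Filter]) -> Iterator[dict]:
    """Parse each JSON line and push it through every filter in order."""
    filters = list(filters)
    for line in lines:
        if not line.strip():
            continue
        record = json.loads(line)
        for flt in filters:
            record = flt(record)
        yield record


def summarize(records: Iterable[dict]) -> dict:
    """Collapse the annotated stream into the short report an analyst reads first."""
    records = list(records)
    flagged = [r for r in records if "threat_intel" in r]
    return {
        "total_records": len(records),
        "flagged": len(flagged),
        "next_steps": [r["next_step"] for r in flagged],
    }


# Order matters only in that the recommendation filter must run last,
# after every enrichment filter has had its say.
DEFAULT_CHAIN = [hash_filter, domain_filter, next_steps_filter]


def analyze(raw_output: str = SAMPLE_OUTPUT) -> dict:
    """Run the default chain over raw collector output and return the summary."""
    return summarize(run_chain(raw_output.splitlines(), DEFAULT_CHAIN))


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

Swapping a filter in or out is a matter of editing the list, which is the property the quote above is getting at. The domain filter walks up the parent domains deliberately: a reputation service typically knows `bad-domain.example` long before it has seen any particular subdomain used in front of it.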
Admittedly, Leichtling said, the tool can take hours to process, mostly because of the sheer amount of data it crawls through. And with a mixed computing environment, including Windows, Macs, VMs, and mobile devices, the complexity of forensics gets compounded.
Tanium is a company that promises to help address this issue. Co-founder Orion Hindawi describes the platform as a tool that “in 15 seconds, even at the largest scale of enterprises, can see every endpoint.” But the security platform, unlike OSXCollector, is not free and not without its own potential drawbacks. Minor as it might be, Tanium runs an endpoint client, while OSXCollector does not. Depending on a company’s computing environment and its complexity, installing a client across every machine might prove to be a challenge. But if Tanium is as efficient as it claims, the trade-off may be well worth it.
Regardless, the malware issue for OS X and iOS is only going to grow. If Apple’s grip on the enterprise market continues to grow, so will the attacks. What security professionals need to fight back, according to Leichtling, are tools that can query large amounts of data quickly and put that data into a human-readable format.