Threat hunting and Malware Analysis on Mac OS X with osquery

Speakers: Milan Shah

Level: Intermediate, Lecture

Excerpt: In this talk, we share the experience of the Threat Intelligence team at Uptycs, a SaaS EDR solution provider for Mac OS X and Linux cloud workloads based on osquery, in effectively hunting for threats on the Mac OS X platform. An innovative approach to using advanced system monitoring capabilities of osquery instead of an instrumented virtualization environment for analysis and hunting will be described.

Description: Threat hunting tools and techniques have developed nicely over the recent past, but many tools are available primarily for the Windows platform. Availability of such tools is limited or non-existent for Mac OS X and Linux platforms, yet the shift of workloads to Macs and the Cloud is all too obvious. At the root of many of these tools lies their ability to retrieve very specific types of system information, which are then fed into specific analysis algorithms. For example, one common technique is to run an instrumented virtualized environment in which a malware can be executed so that system call data from the instrumentation can then be analyzed to study the malware’s key behavior patterns. Porting such a tool to Mac OS X and Linux can easily be seen to be a herculean task, compounded by the multitude of threat hunting tools that are already out there. osquery provides a very interesting alternative. By using SQL as it’s query language, it abstracts away OS specific tools in both how system data is accessed and how it is returned and processed. Because it is able to tap deep into fine grained OS monitoring capabilities, it can provide the right type of data for advanced threat hunting and malware analysis. In this talk, we share with you the queries and techniques used by the Uptycs Threat Intelligence team to hunt and detect malware on Mac OS X platform.

About the speaker

Milan Shah (Twitter: @uptycs) – CTO – Uptycs, Inc.

Milan is a serial entrepreneur with a track record of building and leading cutting edge cybersecurity technology companies. Prior to co-founding Uptycs, Milan was SVP of Products and Engineering at Core Security, where he formulated a vision for a new class of automated pen testing solutions. Milan has also served as VP of Engineering at CA Technologies and IMlogic, which was successfully acquired by Symantec. The first part of his career was spent as a member of the early Windows NT development team, and he was a key architect of Microsoft Exchange. Milan holds a Masters in EECS degree from MIT, and a Bachelors in EECS from University of Illinois, Urbana.

This entry was posted in MacAdmins 2019 Sessions. Bookmark the permalink.