Macs don't get malware. We’ve all heard that one over the years. That’s like saying .net domains are still as cool today as they were during the 1990s. Here's the truth: Macs have malware families specifically designed to exploit them; and, .net domains are about as cool as orange countertops from the 70s :)
If you need further evidence, just check out the latest MITRE ATT&CK Matrix for macOS. But here’s the real question: Why are we talking about Macs on the Cado Security blog when Cado is a leader in the recently dubbed “CIRA” space by Gartner (aka Cloud Investigation and Response Automation)?
I’ll tell you why. The belief that Macs are immune to malware is a sentiment we often encounter in the cloud too, but it is simply inaccurate. AWS EC2s, Azure VMs, Google Compute resources are compromised all the time.
Now that we’ve established the above, I’ll play devil’s advocate for a moment. We can certainly say for example that a Lambda function (or any Function-as-a-service for that matter) has far less attack surface than an on-premise Windows server that’s running countless applications that all have vulnerabilities (or CVEs) associated to them. I get it, attack surface reduction is a real thing. However, just how measurable is this? Can we really know (in absolutes) how much risk is reduced by a factor of ‘X’?
In the world of TCP/IP connections, if something is connected to the internet, it's at risk. It’s now a reality/problem that every CISO, CIO or CEO with any cloud footprint must address. If something isn’t guaranteed - there will be risk and vulnerability to acknowledge and address. And the same thing applies to the cloud.
Take for instance Denonia. Denonia was a clever/crafty malware sample Cado’s threat research team discovered - the first of its kind. Just over one year ago, Cado Labs announced Denonia as the first known malware intended to execute in a Lambda environment:
Knowing this, we can say that monetary-motivated attackers are actively researching and developing new ways to compromise the next-generation of technology (specifically, cloud resources).
Let’s shift gears for a minute.
I know some intelligent people at the ‘Big 3’ Cloud Service Providers (CSPs). In my mind, these CSPs have a very clear objective - to build and assist in providing tremendous amounts of infrastructure, and rather quickly.
They do a great job with this, but everyone’s interpretation of ‘cyber’ and risk is very different (including the CSPs). Other than sharing best practices, CSPs have not operationalized true incident response in the cloud.
Further, most cloud security companies out there focus on “preventative security,” or building the fortress. That’s definitely necessary -- a proactive cyber security strategy is vital to reducing risk. However, accepting the inevitable and embracing the idea that being response ready is also a key part of the overall strategy is critical.
I get it, developing and building a response mechanism like an incident response team (aka CSIRT - aka blue team) is a little like ‘admitting defeat’. You’ve spent and put in countless hours of labor and effort (as a whole team) to maintain, care for and feed these preventative systems and now, they have failed.
It’s sort of like creating a legal Will (aka Will and Testament) in our own lives…we really don’t want to admit that something bad could happen to us (like our company being pwned and ending up in the news as a result).
Mandiant, as a company, is (in my opinion) the best in the world at incident response. Several years ago, while working at FireEye/Mandiant, I found a picture of a commemorative coin that Mandiant Leadership would give to certain employees. Inscribed on this coin were the words “Find evil. Solve Crime.” This was sort of a ‘Mandiant Mantra’ at the time.
This phrase will stick with me indefinitely. “Find Evil. Solve Crime.”
I am proud to be a part of a company like Cado Security that focuses exactly on this goal. Enabling incident responders has been my livelihood for a long time now, and there’s something just awesome about what IR folks do on a daily basis.
In a world of unknowns and uncertainty, we should all take pride in knowing that we're always working to keep our organizations - and our people - secure. Building out (and constantly evolving) an IR program should give a greater sense of confidence when dealing with the possibility of everyday incidents.
And it's the basics that count. Sure (to be technical for a moment), we can get into depth of SDN configurations with IPv6 configured hosts and BGP as our border routing advertisement on our NGFW, and (by doing so), this will bode a risk reduction as a part of our layer 3 OSI risk-reduction strategy…but you didn’t think about that unpatched EC2 sitting out there in AWS with a little bit of ‘Shadow IT’ sprinkled all over it. Now, our persistent attacker has a really simple angle to ‘break in’ and get started with their goal.
So, what do we do?
Well we’re back full circle, incident response matters and it needs to be further embraced. One thing I adore about that Mandiant statement is a reality as to ‘why we are all here’ as practitioners working in Cyber.
To help with this, Cado Security, as a company, was founded on roots of incident response. Our founders, former IR practitioners themselves, founded Cado by way of recognizing the fundamental flaw (both politically and technically speaking) in responding to incidents in the cloud. There just wasn't resources or tools available to them to help drastically improve MTTR (mean time to respond) in the cloud.
That’s why we’re here. Call it Cloud Incident Response, call it Cloud Forensics, call it CIRA (recently dubbed by Gartner AKA Cloud Investigation and Response Automation), but it’s all about enabling folks with IR aspirations to do their work measurably faster when dealing with cloud compromises.
So, go on. Fight the evil. Solve the crime - and let us help you fight the battle on your cloud resources (maybe even your MacBooks, too).
Cloud Investigations
