Episode 287: Objective by the Sea v5.0

This week Tom sits down with three speakers from the Objective by the Sea v5.0 Conference held in sunny Spain.

Hosts:

  • Tom Bridge, Principal Product Manager, JumpCloud – @tbridge777

Guests:

  • Patrick Wardle, Founder, Objective-See Foundation – @patrickwardle
  • Sharvil Shah, Software Engineer, Fleet – @sharvil
  • Cat Self, Lead Adversary Emulation Engineer, The MITRE Corporation – @coolestcatiknow

Transcription of this episode brought to you by Meter.com


Meter is the easiest way for businesses to get internet, networking, and WiFi. Our full-stack approach combines hardware, software, and operations so that any company can seamlessly run on a reliable and modern network.

  • Streamlined installation: We take on the complexities to make designing and deployments easy, fast, and stress-free. We manage the entire installation process, and provide ongoing maintenance and support.
  • Network hardware, security & management: We design and build our own controllers, switches, and wireless access points. After the network is deployed, review your speed, usage, and security in one unified dashboard. No need to hire vendors in every location or have IT teams fiddle with manual configurations — everything is automated with our software.
  • Simple pricing: Pay one monthly rate with no up-front costs for installation, configuration, or hardware.

James Smith:
This week’s episode of the Mac Admins Podcast is brought to you by Kandji. Automation in IT is a hot topic and for good reason. Automating repetitive tasks frees you to focus your skills on more strategic projects that move the needle for your organization. Kandji, the Apple device management and security platform features over 150 pre-built automations to multiply your effectiveness and impact daily. To see how to take the repetition out of your to-do list, visit kandji.io. That’s K-A-N-D-J-I.io.

Tom Bridge:
Hello and welcome to a very special episode of the Mac Admins Podcast, recorded live at Objective by the Sea in Calafell, Spain. This year we attended the Objective by the Sea 5.0 conference hosted by Patrick Wardle and Andy Rozenberg, and conducted a number of interviews while we were on site. The first of which is with Patrick Wardle, organizer of the conference and security maven for the Apple platform. The second interview is Sharvil Shah, a member of the osquery Steering Committee, who is talking a little bit more about how they embraced the EndpointSecurity framework. And last but not least, we have a section with Cat Self talking a little bit about the ATT&CK framework. So we hope you enjoy the special edition of the Mac Admins Podcast recorded in Calafell, Spain on site at the Objective by the Sea Conference.
So we’re at the end of the first day of Objective by the Sea 5.0 in Spain. What’s been the best part for you from day one?

Patrick Wardle:
This is always the same thing every conference, every OBTS that I do. It’s a lot of work. The first day it just all comes together. I see all the smiling faces, the sense of the community. I mean, that’s just an indescribable feeling. The talks are always great. I love how the attendees come. People always say, “I learned so much. This was so applicable to what I’m doing at work” or, “Hey, I can take this home and apply it.” The speakers are always thrilled to share the research. So all of that is awesome as well. But it’s really just bringing everyone together. We all really share this same passion for Apple security topics. So the community vibe is just really indescribable and definitely is the favorite thing about the conference for me.

Tom Bridge:
Yeah. As folks started to gather in the lobby last night, on the end of the last day of training and as folks who were arriving for the conference, there was definitely a collegial vibe. Lots of people. I think I saw someone run across the lobby to hug someone and I was like, “This is the best.” That feeling of collegiality has been so hard to find for the last three years. And so it’s definitely wonderful to see here among security practitioners. It’s been a minute since we’ve caught up. I was going to say it’s been probably about a year and a half since we had you last on the podcast. What are you working on these days?

Patrick Wardle:
All the things. I mean, conference probably first and foremost. My first book was published, which was great. So there was a lot of effort wrapping that up. I mean, I was always told that writing a book is more work than you think, and I naively and arrogantly said, “Nah, that doesn’t apply to me” and it surely did. So that’s nice that that’s out the door. Updating the tools for Apple’s new operating systems has always been something that I’m passionate about and does take some time as well. And then really at this stage in my career, I’ve really spent a lot more time looking at malware versus maybe hunting vulnerabilities. So just keeping abreast of the latest trends and threats.

Tom Bridge:
That’s awesome. What kind of trends and threats are you seeing out there that is different now than it was three years ago or five years ago?

Patrick Wardle:
Yeah, that’s a great question, Tom, because we’re really seeing more sophistication in macOS malware. This is completely unsurprising for several reasons. For one, users are a little more aware, let’s say educated, that there are threats out there facing macOS. I mean, five years ago the average Mac user thought Macs were impenetrable, and thus would naively maybe not be as cautious as let’s say they should be. So malware authors could get away with the basics because users were pretty naive. Also, security tools, EDR products, especially in the enterprise, weren’t really that good, especially five plus years ago. Now they’re getting pretty solid, especially almost parity with Windows. So again, this is forcing the malware authors to have to step up their game.
And then finally to Apple’s credit, they continually raise the bar, add really impressive anti-malware mechanisms baked into the operating system. So again, this is forcing the adversaries to advance and evolve, which is a good thing. And also as myself as a malware analyst, that’s interesting because it’s getting kind of bored looking at kind of basic adware. So now looking at the more sophisticated APT-based samples is definitely more interesting and does show that the security community, as we push the bar higher and higher, there are benefits to that, meaning we’re forcing the adversaries to have to really evolve as well.

Tom Bridge:
I was going to say it’s a little bit like the antibiotics situation out there. You can get better and better antibiotics, but at some point you’re going to train a better bug.

Patrick Wardle:
Great analogy, Tom. Yeah, and that’s true. But the good thing is even though we are forcing them to evolve, having to use vulnerabilities in their malware, I mean it is getting harder for them. For example, notarization, we talk about a lot. That is impacting malware authors operations. So yes, they will evolve. It’s always going to be a cat and mouse game, and so great job security for all of that. But I do think the average user is now better protected, thanks to improved education, improved third party security tools and Apple’s baked in anti-malware mechanisms, even if the attackers are also getting more sophisticated.

Tom Bridge:
This year’s conference is a little bit different because it’s now put on by the Objective-See Foundation. I know a little bit about getting in the paperwork together for all of that over the last year or so. So what was the genesis for you of making Objective-See into a full 501(c)(3) nonprofit?

Patrick Wardle:
Yeah, it actually really aligned well with our vision from day one. And so looking back, it was almost in my mind, almost the community-focused nonprofit endeavor. The tools were always free, the conference was always free to attend. The goal was never to make money. It was more to empower the community, provide resources for end users free of charge. And so it kind of came to a point that, hey, if we solidify this as a non-profit, that will help clarify our mission statements. And again, to mention, just kind of solidify what we’re saying. I’ve also found that from an optics and messaging point of view, it’s really helpful, whereas before, people are like, “Why are you giving me these tools for free? Where’s your agenda? I’ve been told that if something’s free, I’m the product.” And that’s true I think if it’s coming from a corporation, but from a non-profit, people are understandably more open to the idea that something can be free and open source with no strings attached.
So that was great. And then also there are obviously some tax benefits for people who sponsor that as well. So that’s great because that’s really opened some more doors, allowed us to have more funding which in turn allows us to some really neat things, supporting students, expanding the conference, giving back to the community in even more ways. So it was really a natural fit. And we hired a great lawyer to take care of most of the paperwork because yes, the IRS loves their money, understandably. And so to be a non-profit, you really have to show that what you’re doing benefits the public. And so first, it was easy and you really checked all the boxes, but there are a lot of boxes to check and you want to dot the i’s and cross the t’s.

Tom Bridge:
I was going to say when we did it for Mac Admins Foundation, there was a lot of learning around the federal forms that you have to fill out, the awful websites that you have to deal with.

Patrick Wardle:
[inaudible 00:07:56].

Tom Bridge:
Deeply antiquated I think is the exact right word. And then last, some very interesting conversations with an IRS agent to be like, “Yes, we are for real. This is a real thing.” Was there a moment in that process where you got asked a question you weren’t expecting? Or was there anything in that process that you kind of found surprising?

Patrick Wardle:
I think we had a pretty good lawyer. I mean, expensive. And so they really buffered a lot. She was great. So there wasn’t anything too surprising, but I think it also helped move us in a really positive direction. For example, one of the requirements as I’m sure you’re aware, but maybe not the listeners, is as a nonprofit you have to have a board and they recommend at least five members that are not close family, friends, et cetera, et cetera. So what we did is we were able to build a five, now six person board for the Objective-See Foundation, which was great, because before it was kind of just me saying like, “Yeah, this is a good idea.”
Generally, that’s a good idea, but now it’s great. We have more diversity on the board, ideas from people that really give me pause for thought and then push us in a positive direction. So really making it a broader foundation originally as a requirement from IRS, but I can really see the benefits of that. So nothing too really surprising, but again, really happy that we went through this I said, kind of the pros of it all. But really again, kind of having that board and now having more guidance for the directions we’re going is a really great thing for the foundation.

Tom Bridge:
That’s awesome. So turning back to the conference for the week, if you were to have to answer the question, what’s the summary of the state of Apple security today? And looking at all of the different platforms that Apple represents from iOS to iPadOS to macOS, what’s the general state of security these days?

Patrick Wardle:
Well, the good news is it’s moving in a great direction. And so for example, I like that Apple is here, maybe unofficially, but attending the conference. I think that’s a good sign, shows that they’re willing to interact with the community. We saw a talk today of a jailbreak that was successful in a very recent version of iOS. But in order to pull that off, had to chain a handful of just mind-blowingly incredible exploits that a very small handful of people in the entire world have the knowledge and expertise to find and weaponize. So that again, is a testament to, especially on iOS, the security that’s being baked in.
However, there are some gaps. Some of the vulnerabilities that people have been talking about are kind of those FacePalm bugs where it’s like, “How did this slip through the cracks?” So I think there is still work to be done. But overall I’m very happy moving in a positive direction. Some of the talks about the tools and the security tools using the EndpointSecurity framework, that’s a framework that Apple has recently released basically saying, “Hey, we want to enable third party vendors to add a defense in depth additional security on top of the operating system.” And seeing Apple admit that and basically saying, “Hey, yeah, we’re in this together” and there are scenarios where third party security tools can be beneficial and build on top of Apple’s built in security mechanisms, to see Apple say that is great. I believe one of the main developers of the EndpointSecurity framework is actually at the conference.
So that’s great to see Apple engaging with the community, being involved even if it’s still kind of somewhat unofficially and off the record is great. And I think that to me is a really positive thing. And like I said, the direction of the security of Apple’s platform continues to improve, but we’re not there yet. I’m not sure we ever will be, but moving in a good direction.

Tom Bridge:
Yeah. So I mean if you were to summarize just one thing, what’s working on the platform? What’s not?

Patrick Wardle:
I think the mitigations are a great step in the right direction. This is Apple basically saying, “Look, our code’s never going to be bug free.” Admitting that is actually a very emotionally mature thing to admit. Other vendors have admitted this sooner than Apple, but better late than never let’s just say. And so you see people talking a large… A lot of the talks a lot of time is not spent so much on the bugs. It’s how to then exploit that. And I think that’s a testament to the success of the mitigations where the vulnerabilities previously used to be the most interesting thing, and once you found a bug, game over. Now that’s only half the battle or less. It’s like, “Okay, I have a vulnerability. Now how do I overcome these 3, 4, 5, 6 exploit mitigations that are baked into the operating system, macOS or iOS and bypass that?”
So in a nutshell, that’s something I think that’s been very successful and is a really good, again, kind of emotionally mature approach to security saying, “Attackers will always find bugs, that’s just the reality of it. And so let’s make their job as difficult as possible.” And we can see things like Lockdown mode in iOS. I mean, that’s a really great feature. Some people don’t think it is, but it’s reducing the attack surface, and I think that’s always a great approach.

Tom Bridge:
I thought it was interesting today, Linus’s talk about Fugu15, was fascinating because there were four or five disparate, deeply interesting exploits that were part of that same jailbreak process. And getting to the point where you’re realizing, “Okay, this is where the random offset starts and this is where it stops. And there’s this little tiny gap that I can shoot between in order to get into kernel memory and do some of the necessary processes” was fascinating. I mean, the state of the talks that we saw today were far and above any of the talks that I’ve seen from previous years. It’s just been incredible to see that kind of change happen.

Patrick Wardle:
Yeah, I like that you brought that up because I think this is just a moment for me to thank the speakers that we have because the conference is really composed of the community and the attendees. The conference wouldn’t be the conference without them, but also the world class speakers who come share their research. I’m a speaker myself and so I know the time and effort to making the slides, practicing the talk, and then getting up on the stage in front of everyone. Many of us in this community, public speaking is not our forte let’s just say. I even still get nervous even though it’s a lot of friends and peers here. So just taking a moment here to thank the speakers for sharing their incredible research, which is eye-opening, inspiring, applicable, but again, I think like you said, has just risen to incredible levels that previously we haven’t seen before. So I think all the kudos to the speakers for that and so happy and so stoked that they’re here with us.

Tom Bridge:
Yeah. Lots of really, really great talks today. We’ll have links to all of those in the show notes for this episode and links to all of the things for the Objective by the Sea Foundation as well. And I want to set my sights just a little bit forward because 5.0 begets 6.0.

Patrick Wardle:
Exactly.

Tom Bridge:
I know that you’re mid conference and maybe you don’t want to have to commit yet to next year or beyond that. But as folks plan their budget season, I mean obviously we’ve just ticked over the federal fiscal financial year so we start to think about those kind of things, what’s the best justification for coming to an Objective by the Sea?

Patrick Wardle:
That’s a great question, because originally OBTS was totally free and in Hawaii. I had some friends that work at large corporations that said, “Hey, I have a hard time justifying this.” So actually now one interesting thing we did is we have an attendance fee for corporate attendees. I was really kind of initially not stoked on that idea because I love the idea of having conference free. So the conference is always free for students, independent researchers. Actually really anyone. Even if you work for a company that’s not willing to pay, it’s free to attend. So the compromise was, “Okay, we’ll charge that corporate attendance fee, but 100% of that will go to the speakers as an honorarium for a thank you.” Actually, one of the main reasons we leveraged this corporate attendance fee was, yes, to be able to fund the speakers honorariums, but actually that gave the conference some more justification where now companies said, “Okay, it’s a few hundred dollars, it’s probably a legit conference.”
So to answer your question kind of more directly, I think there’s a few justifications. First and foremost, it’s an incredible opportunity to learn. So we’ve talked about some of the super impressive talks, but equally impressive to me are the talks that are the how-tos that are super actionable, super applicable, super practical. So we had a few today that’s like, “How do I get involved in Mac malware analysis or how do I analyze a system after there’s an infection?” And so I think for anyone who’s learning or just coming into this community, which as I look around this is the biggest conference we have, a large percentage of people are new. I mean, Macs are becoming ever more prevalent in the enterprise. And so the attackers, as we talked about, becoming more prolific, more sophisticated. So the ranks of the defensive army have to swell as well, and they are. So this is I think an unparalleled opportunity where you can come and learn and then also talk to the speakers and talk to the other attendees.
So the networking component to me is something that I cherish, but I think is a great justification. I think that’s one of the reasons why even companies like Apple show up. It’s also I think one of the few events where you have a very high concentration of the world’s top security researchers, red teamers, malware analysts in the Apple ecosystem. So for hiring and recruiting, I mean it’s like a one stop shop. So I think there’s some justification as well.
We also this year expanded the training. So now we’re doing three day trainings and we actually had several trainers. So I did myself a Mac malware analysis detection class. We had Jaron Bradley doing a Mac malware threat hunting class. We had Maria giving an ARM reverse engineering class. So again, just an opportunity to learn from some of the best in the field where you’re not necessarily going to get that elsewhere. So I think the networking, the learning opportunities, the community connections make it a must attend event.

Tom Bridge:
I agree. You mentioned some of the tools talks, the talks that we had today, Kristin Del Rosso’s talk right after lunch was tremendous and Cat Self’s talk on the ATT&CK framework was just tremendous as well. We think about all of the different voices that are out there in the community. It’s a very disparate group of voices. It’s a very diverse group of people. I love seeing that in a conference, so thank you. How much extra work is that for you as a conference organizer? Because I mean, it’s definitely easy to fall back into a path, but you know, you guys haven’t.

Patrick Wardle:
Yeah, I’m glad you mentioned that because when a conference goes smoothly, everyone’s like, “That was easy.” And it’s like, “Well, actually that means probably more work was done behind the scenes.” So what we’ve done from day one is we wanted to create a conference that was super community-friendly and that encouraged diversity and would bring in new voices. We all know that the tech scene is somewhat male-dominated and there’s some challenges there. And we said, “Look, there are a very diverse group of individuals doing incredible research, so can we reach out and empower them?” And so it was great because some of the kind of success stories I’ve seen are where we’ve reached out to researchers who have been doing incredible research but maybe are in a group that’s underrepresented let’s say traditionally in the conference speaking scene and saying, “We would love for you to come because you’re doing great research, not because of the color of your skin or your race or sex or anything like that.” And then working with them to say, “Okay, you’re a first time speaker, but let’s mentor you and let’s help you create an abstract.”
I found that they really didn’t need a lot of help per se, but maybe just someone to believe in them and a little extra encouragement. Especially now Objective by the Sea is a fairly well known conference, so maybe it’d be a little intimidating to get on stage, especially as a first time speaker. So we’ve really found that what we can do is reach out. And now we have a great diverse group of speakers that we can lean on to reach out and talk to their peers because we don’t think we have all the answers, but they can reach out and do that interaction. And what we found, it really kind of has this snowball effect where we built this what we believe is a very diverse and community friendly environment that the participants and attendees can then go out as almost ambassadors in liaison and continue to do that. So initially it was a little work up front, but now it almost speaks and sells for itself, which we’re super grateful for and something that we’re really committed to.

Tom Bridge:
Awesome. So with just one last thing to wrap this up, this is year five of this conference. I think that’s been five and seven years. Five and six years, give or take?

Patrick Wardle:
[inaudible 00:20:56] So yeah.

Tom Bridge:
All right. I hate to be the guy that’s asking, but when’s 6.0 and where were you going to be?

Patrick Wardle:
I’m glad we’re talking about that. There definitely will be a 6.0. We’re going to do an informal poll I think at the end of the conference, because again, I don’t like thinking that I have the answers. We did two in a row, Maui back to back because of the COVID situation in Europe. And that was definitely the right thing to do. So the question is do we do two in Europe, another one following this or are we back to Hawaii? I want to be cognizant of the attendees. I know a lot of them, it’s very far distances and that’s why we want to ask them.
If everyone’s stoked on Hawaii and is willing to make the long flight, we will probably do it there. Probably do again a year out. What we are doing now as the foundation is looking for ways where we can do more community-focused activities that aren’t necessarily directly tied to that. So we’re going to be announcing some really exciting programs tomorrow at the end of the conference, some more community focused efforts where to encourage diversity. And so some of that is separate from the conference and will take some time and resources. But I think we’ll aim again for late summer, early fall next year, either somewhere amazing in Europe, Canary Islands, somewhere on the Mediterranean again, or back in Hawaii. So either way, win-win. It’s going to be amazing, bigger than ever. Hope to see yourself there and again, all the amazing new attendees who have showed up for this one as well.

Tom Bridge:
Wherever you go, there I am. I was going to say this week has been so great. We spent a couple of days in Barcelona ahead of the conference. Barcelona’s pretty amazing. So I was going to say if we came right back here, I would not be sad. But by the same token, I hear Mallorca’s very nice, I hear Sardinia’s beautiful. So all sorts of great places to go in Europe.

Patrick Wardle:
Yeah, I really think we kind of have this winning recipe where we’ve talked about all the incredible aspects of the community and the conference per se. But it is also nice where we’d like to do the conference in neat locations. And I love hearing the stories where people come a few days before, stay a few days after, bring their partners, their families, because I think it’s a great example of a work-life balance in a beautiful place. And I like to think we’re facilitating some of that and giving people some awesome opportunities to travel. Some that are partially sponsored by their company, which I think is just the best. So it’s great to see that people come to the event and then build other activities around that. That to me makes me super stoked.

Tom Bridge:
Awesome. Well, Patrick Wardle, thank you so much for having us here for your Objective by the Sea 5.0 here in Calafell in Catalonia. We’ll see you next year. So thank you again.

Patrick Wardle:
Thanks again, Tom. Always a pleasure to chat and in person, better than ever.

Tom Bridge:
Same here, friend. Same here. Thank you again.
This week’s episode of the Mac Admins Podcast is brought to you by Black Glove. Black Glove is about to be your new favorite IT partner. They provide ongoing expert support and rapid deployment services for your current, new, or refreshed Apple fleets. But what they’re really providing is complete peace of mind that your technology is safe, secure, and operating at its full potential. So no more quick and expensive calls to the Geek Squad or Apple Support. Black Glove’s strategies and fixes are from the hands and minds of former Apple engineers. So not only is the expertise of this team unmatched, but their services are affordable and easy to get started too. Fortune 500 companies and small budding businesses alike are working with Black Glove to ensure their Apple technology is doing exactly what they need it to.
Whether it’s helping manage your remote team’s devices, transitioning your device management system, onboarding new employees or casing, tagging and tracking your devices, Black Glove can handle it all. They’re also just really great people to work with. In fact, mention this podcast when you reach out to them and the Black Glove team will sponsor the next generation of Mac Admins through our Mac Admins Foundation. You can learn more and get started at blackglove.com. That’s B-L-A-C-K-G-L-O-V-E.com. While you’re at it, ask them why they’re called Black Glove. It’s a clever nod to how white-glove services just don’t cut it for IT.
So I’m here with Sharvil Shah from Fleet DM. He gave a great talk here at Objective by the Sea and I wanted to talk to you a little bit about it. So welcome to the podcast, Sharvil Shah.

Sharvil Shah:
Hi Tom, thanks for having me. Excited to be here.

Tom Bridge:
It was a really interesting talk that you gave about the EndpointSecurity framework and how it can be used with osquery. Can you tell me why you started to look at the EndpointSecurity framework for osquery?

Sharvil Shah:
So following Mac security or any security to do any kind of analysis detection, we need to do what’s called process auditing or file auditing. And on macOS, the usual way to do it before EndpointSecurity was a thing was OpenBSM. OpenBSM has its roots in Solaris and Apple hired a contractor, McAfee, way back in the time to port it to Apple. And then I think it kind of got free updates but wasn’t really updated, wasn’t really intuitive to use, wasn’t really well documented. And it also had a lot of performance issues when you are gathering 50,000 events. And when you scale it out to thousands of computers and managing those, there was no method built in to, like, recover if an event got dropped or the [inaudible 00:26:29] got disconnected or something.
So with Apple’s introduction of the EndpointSecurity framework in Catalina, that kind of aimed to replace OpenBSM, make it easier, make it more developer friendly. So I think it was a natural fit because process auditing, file auditing, kind of just answering questions about your system, which is what osquery is all about. This kind of gives us an insight into what’s going on in the system. So yeah, I think it was a natural fit. I was excited about it, started an initial POC way back in the day and was really impressed with how well it worked compared to OpenBSM and how easy it was to program against as well. And while the process of tying it all together wasn’t that documented, the headers in the library were really well documented and commented.

Tom Bridge:
And so that gives the ability for a tool like osquery to talk to the system on a very different level than it could otherwise and fill out additional tables with additional information and start to track events that osquery was otherwise unable to do.

Sharvil Shah:
Exactly. This gives us insight into if this binary is a platform binary, which means like, is this a binary shipped by Apple by default. It gives us insights into what’s happening, whether an event is forking and then replacing the image or not. It gives us good signing information. We shouldn’t rely on that information because it’s only valid for the memory that’s paged in, but it’s still better than nothing. And if you tie all this together, you can create an event stream and then really up your game in detections.

Tom Bridge:
That’s awesome. And so as part of that, using the EndpointSecurity framework requires an entitlement. It requires you as the signer of the certificate to go talk to Apple to say, “Hey, we want to use the EndpointSecurity framework. Here’s our justification” and then you kind of wait and see. As part of that, what was the process for getting that added to osquery?

Sharvil Shah:
So for osquery, osquery is now part of a foundation, osquery Foundation, which is part of the Linux Foundation. So I think the legal setup is a little bit different. So I think it’s a 501(c)(6) if I’m… I believe that’s correct, but I’m not sure. So I think Apple really requires having an entity that makes it easier. And then if you’re a legitimate entity it makes it even easier. So I think there was some back and forth about the account type, whether it’s a corporate account or not. I’m not too familiar, I didn’t handle that logistics. But we had to make an application and wait for a little bit to get it. It was kind of an opaque process.
I also applied for entitlements on my personal developer ID, which is an individual developer account, which is usually… I think that also took about three to four months, but I had to write a long essay why I want one, what I’m going to do with it. I think it helped in my case that I had a lot of commits on osquery, specifically to macOS functionality that I could point to and I asked them I want to build and test it out. So yeah, it’s an opaque process. You don’t hear back. When you send that form out, it goes into the void. And then you get an automated email back and then four months later you get an email like, “Hey, here’s your entitlement.” But I’ve heard stories where it’s taken six months, it’s taken a lot of back channeling to move the process forward.

Tom Bridge:
And so this is now available for everyone to use as part of osquery or is it something that other people are going to need to apply for and get on their own?

Sharvil Shah:
If you use the official osquery packages, which we have the entitlement for, it’s code signed and notarized, then it’s available for everyone, right? If you are a vendor, if you re-sign the code signature, if you embed osquery into something else and extend it or fork it or do something else, I think you’re going to need your own entitlements and all the stuff around it.

Tom Bridge:
So if you’re a software vendor that wants to include osquery as part of your product or wants to compile it on your own, what’s one piece of advice that you’d give to the developers on how to better prepare for that process?

Sharvil Shah:
So I think as a kind of user… All I do at my day job here at Fleet as well, we all do is open source. So I’m kind of biased, it’s like, just use the official package, just embed it. If you have feature requests, just put it up and most likely someone will or we will work on it. But if you’re a big company and you kind of want to do your own thing, then start early. I think having a legitimate entity, say if you’re someone like Microsoft, I’m sure they’re not going to have any problem getting an entitlement for instance. But if you’re a small developer trying things out, want to make small tools, limited scope, start early, kind of expect some opaqueness. And then just outline the reasons like, “Hey, this is exactly what I want to do. These are the APIs I want to use. These are the events I’m interested in. This is the reason why I’m interested in these events. This is my plan.” So kind of give a business plan to Apple kind of a thing.

Tom Bridge:
Yeah, that’s awesome. Sharvil, is this your first Objective by the Sea?

Sharvil Shah:
This is my first Objective by the Sea. Yes.

Tom Bridge:
Yes. How have you found it so far?

Sharvil Shah:
It is awesome. I think the crew and people here are very nice. We’re supportive. Everyone is an expert in their own thing, so there’s a great learning experience. And everyone is very welcoming, very nice. It’s intense because there’s a fire hose of knowledge being dropped every single minute here.

Tom Bridge:
That’s awesome. And we’d love to have you back on the podcast in the future to talk a little bit more about Fleet. Are you open to that?

Sharvil Shah:
Yeah, I’m down.

Tom Bridge:
Awesome. Well, Sharvil Shah, thank you so much for joining us here on the Mac Admins Podcast at Objective by the Sea.

Sharvil Shah:
Ah, thanks Tom for having me. This was fun.

Tom Bridge:
Deploying, managing and protecting Apple devices at work shouldn’t be difficult or require several solutions. Mosyle is the only Apple unified platform for business. By combining enhanced device management, endpoint security, internet privacy and security, single sign-on and enhanced apps management into a single Apple-only platform, businesses can now easily and automatically deploy, manage and protect their Apple devices with one solution and at an affordable price with a solution for every business size and the best support in the market. Request your free account today and see firsthand why Mosyle is more than an Apple MDM. Mosyle is everything you need to work with Apple. To learn more, visit business.mosyle.com. That’s business.M-O-S-Y-L-E.com.
And now I’m here with Cat Self from Mitre. And we’re here at Objective by the Sea. Cat, it’s great to see you. What have you been up to?

Cat Self:
Thanks. I have been up to preparing for Objective by the Sea and the new release in ATT&CK, which has been wonderful and terrifying to try to get it all put together in such a short time.

Tom Bridge:
So you guys have just released the new version of ATT&CK at this point?

Cat Self:
No, we release on the 25th of October.

Tom Bridge:
Which should be about a week after this podcast drops. So super exciting for you guys. You gave a great talk this week on new methodologies and things that you learned and have revised as part of your tool. So tell me a little bit more about your revision process as you guys have gone through the last year or two.

Cat Self:
I love that you’re asking that. There’s actually a lot of people that have been asking that on what goes behind the thought process and our decision with these techniques. So I can tell you right now ATT&CK is community-driven. So a lot of times we’re listening to the community. And we will absolutely take a look at things if someone calls out like, “Hey, this isn’t really right,” which is exactly what happened. Jonathan Or, who is a fantastic researcher at Microsoft, specifically for Defender on macOS, he came up and he was like, “This is file quarantine. It’s not Gatekeeper bypass. Here’s all of the sub-techniques and how I see them.” It was great. We actually met later at DEF CON. He’s a great individual, super smart. That man has got such a great brain. We just kind of talked through it. I realized that I needed to do a lot of deep research on Gatekeeper and then take a real look like, “Is this worthy of being broken up into multiple techniques? Should I revise it?”
And behind the scenes, there are sometimes that you can’t see how something actually will turn out until you do a proof of concept, right? What does it look like in draft form? And that’s what we did. So I wrote out a technique for notarization, a technique for file quarantine. When we were looking at it, Jamie Williams, who is so wise, made just a really great comment. So Jamie has been at this for a while and he is very wise. He was like, “How are people going to map to this?” He asked a great question. And then I started thinking about it and I think we both came to the conclusion that you’re going to have 17 techniques mapped to one Gatekeeper bypass. How does that help defenders? Does it?
The answer that we both kind of naturally organically came to is like, no it doesn’t. So maybe we just need to rescope it and address all the components of it and then focus on the fact that you’re bypassing it since that’s the real goal of the adversary because we constantly have to ask ourselves what’s the point behind this. Why is the adversary doing that, right? That’s why it’s impactful, is because there’s a point behind what they’re doing. So then how do we capture that so that way everyone else can understand it at the most simplistic level so you can now do something about it?

Tom Bridge:
And as part of that, you guys have built an incredible framework for starting to analyze and focus on the kind of offensive actions that are being taken against you so that you can understand a little bit more about the defensive capabilities that you have in your environment. As you guys look at the framework, what’s the most exciting part of the changes that you guys have just made?

Cat Self:
Well, I can tell you right now that no one other than us Mac nerds are going to say Mac. Everyone right now is extremely focused on campaigns. Matt Malone’s been heading that up with Adam Pennington. He’s done a ton of work because it’s a lot of backend changes with the STIX. I’m excited for that. That’s going to be really neat. There’s a lot that we can’t capture from the groups and software, and campaigns are their own little special niche. And so for us being able to do a huge revamp, all of the research that goes into campaigns and naming those and seeing what that looks like, it’s been a lot of work on our end to make sure that’s done, honestly done in a way in which we can continue to build off of it so that it’s not going to be this volatile change every single release. So mad props to everyone that’s on the intelligence side of the CTI team of ATT&CK because, whoo, they have worked really hard on campaigns. So I would say campaigns is definitely going to be the biggest change that this release is really focused on.

Tom Bridge:
So thinking about the conference this week, we’ve seen a lot of really interesting talks. We’ve seen a lot of talks from people from different backgrounds, red team, blue team, purple team. We’ve seen a lot of practitioners who are talking about, “This is how you dive in and figure out what you have in front of you.” What was the most impactful talk for you this week?

Cat Self:
There are a couple of them that’s so hard. So I think the thing I love about conference talks, and for those of you that are ever looking to produce a conference talk, if you don’t see that topic really heavily covered in other conferences, please submit. There’s a reason for it. A lot of times it’s not that no one wants to hear, it’s that no one’s done it yet. And we want more visibility. Kristin gave a talk on AirPods, right? And that was just, we were all like, “Oh. What else is beaconing out right now?” We don’t think about those things.
And then Ian Beer, I loved his talk because he gave a talk specifically on… there is something beautifully powerful about someone that can take something so complex in a technical depth of hardware and then bring it up to an understandable… And then you clicked the link and then this is what happens. And then this is the route that this processing information is taking. You can see the squiggly lines of the route that it’s taking versus the route that it probably should take. I can understand that without having to sit there and dissect registries. And that’s wonderful. So his talk was really powerful for me to see at the hardware level what was able to be exploited and then how much hasn’t even been touched, as far as he had this big iceberg picture, which I love iceberg pictures and I love seeing what people put on those iceberg pictures because they’re very telling.
And then, I mean, honestly I’m just a fan girl of so many people like Cody Thomas with his on how he went over how Microsoft was using the keychain but then they were putting all of the tokens inside of the extended attribute instead of the actual password and that the password was empty. It’s funny because it’s like you don’t realize that there’s these misconfigurations until someone looks for them, which I feel like is the theme of almost every macOS security conference, is there’s not enough people looking at this. And so just for everyone out there, just keep looking. And then when you find it, write up a blog. Feel free to ping me or ping somebody and get it out there.
Patrick Wardle just announced how they’re actually going to start funding this diversity where they’re not just saying like, “Hey, we’re inclusive and we want to invite you.” No, no, no. They’re not just saying like, “Hey, I’ll give you a [inaudible 00:40:54] we’ll cover your conference cost and your hotel room.” No. “We just got a donor of a hundred thousand dollars that’s going to back your research projects.” Who does that? That’s amazing. So there’s lots of opportunities to start looking whether you’re a new researcher or an older one, which I know doesn’t answer your question, but I like all of them is my answer.

Tom Bridge:
Yeah, Cody’s talk was particularly fascinating because any Mac Admin who’s ever looked at that keychain object, you look and you’re like, “Oh, I can find the Outlook password for this account here. Maybe that’s because it’s still working and the user doesn’t remember their password. My Outlook still works.” They go and they open it up and then it just says password: blank. And so the conversation that we had today at the talk was it turns out all of the primary bearer tokens and things along those lines in the authentication tokens, all of those things live in the keychain metadata for that item, which is both not encrypted and just password accessible. So if you have managed to gather the user’s keychain password, you have access to their primary refresh token. And that’s maybe not the most ideal situation.
And so I will encourage everybody to find that talk. We’ll put those talks in the show notes because the nice thing about Objective by the Sea is the talks are all free, you can watch them later. It’s amazing. I have a couple of talks that I need to re-watch on the plane flight home. I will second your thought on Kristin’s talk about AirPods today and the Bluetooth Low Energy quality of life information or pattern of life information that you have out there. The fact that your AirPods beacon when one of them is out and the other’s in the case, or when one of them is in the case and the other’s in your ear, was news to me. I did not realize that it was so chatty and there’s a lot of things going on there.
So if we start to think about the state of security for the Apple platform as a whole, how would you class the state of Apple security?

Cat Self:
I would class it in that very heavily loaded question as it’s moving in the right direction. I love the fact that they keep iterating and they keep improving over the years. Thomas Reed did a great talk on talking about… And this is why I love Thomas Reed’s talk. So for those of you that are new in the macOS security realm, his talks are phenomenal because Thomas Reed talks from a point of wisdom, versus, “Here’s my latest zero day.” And so he’ll actually go over the history of malware and how us as users have evolved and how we respond to macOS prompts, how adversaries have manipulated us and some of these assumptions that we’ve made about how Macs don’t have malware and all of these ridiculous ideas that for some reason we accept as truth.
So based off of Thomas Reed’s talk and his just beautiful wisdom bites, I would say we’re definitely moving in the right direction. And you can see that as you watch these evolutions of how adware and malware or software with just malicious intent has evolved, right? Because they’re constantly bypassing hardware controls, bypassing security controls. And Apple’s baked into so many different processes. When we redid Gatekeeper, one reason why the Gatekeeper bypass was so tough to research was because it touches Launch Services, it touches launchd, it touches multiple different XPC deviance. It’s not a simple… There’s a reason why you don’t call it a program. Apple very specifically calls it a set of technologies because it’s multifaceted, multilayered. It’s built into the hardware. It’s built into the way programs run on a system when certain things kick in. It touches multiple databases in different locations based on the CDHash versus reaching out via this API, CloudKit. So the point is they are evolving, they’re becoming more complex.
I would say the only thing that’s been really tricky for Apple to navigate as far as a state of security is how do they integrate security professionals into their ecosystem, not have them research their ecosystem and then let them figure out how to integrate into it. It’s a very different perspective because I get it, it’s a Pandora’s box. When you open up that security researcher into your walled garden, you are vulnerable. But at some point, I mean we’re kind of already vulnerable, we’re just pretending that we’re not. So at some point you just got to accept the risk and invite them in and then start working on what is a repeatable process that allows us to coexist where we all have the same goal, which is we all want to just be able to click whatever we want to click and not have to worry.

Tom Bridge:
Yeah, I was going to say one of the recurring themes both here at Objective by the Sea and at MacSysAdmin, which are going on at the exact same time, I’m really looking forward to my nine hour flight home because I have at least 10 hours worth of talks to watch. But we think about the state of communication between Apple and the professional users of its platform, whether those are security professionals, whether those are IT administrators, whether those are MDM manufacturers. There is a deficit in the communication side of the house. And it feels like that while things are getting better on the platform technology side all of the time, everything that we saw this week with endpoint security, everything that we’ve seen in the development of the MDM platform, it shows that Apple is firmly committed to the platform as a whole. And professionals using that platform, they just don’t seem to be as cognizant of the deficit in their communications. Would you say that’s accurate?

Cat Self:
I mean, I’m not going to say they’re not cognizant. I mean, we’re really loud and annoying and we drop zero days at DEF CON and Objective by the Sea, and even Patrick when he’s asked about the philosophy, he’s like, “It’s local, they should fix it.” I’m like, “I don’t think we’re very quiet.” Even some of the speakers will be talking behind the scenes and we’re like, “I know Apple’s here, how should I say this?” And we are all struggling with like, how do we limit the frustration and try to be, not to be a pun with objective, but how do we be objective? How do we be gracious? But how do we be like, “Dude, seriously, how long is this going to take?” You can only bank on kindness so much.
So I mean it’s tricky, right? Because you also understand there’s a lot more going on than you’re necessarily privy to. Any of us that aren’t in an enterprise environment, when we’re like, “Why didn’t you patch this three years ago?” And we’re all up in arms like, “I was on the red team.” And I was like, “Why isn’t this fixed yet? I can exploit this, blah blah blah.” Then I realize about the 17 other dependencies that that organization has to deal with, how they’re struggling with it, how they’re waiting on their upgrades because it breaks A, B and C and D, E and F. It’s so much more complicated than that, right? So it’s like, I get it, but the thing I asked for Apple was a roadmap. That’s all I want. I know you don’t want to do this forward thinking thing, which is ironic. So ironic by the way with a “Think Different” how they branded. But I get it, there’s just got to be some type of lifeline I would say.

Tom Bridge:
I think some of it is also formal communications versus interpretive dance. I was going to say the talk I just gave at MacSysAdmin was all about how communication with Apple is oftentimes interpretive dance. While you can go to study those kind of things, turning those interpretive dance movements into interpretations on which you can base policy is hard. The challenge that Mac Admins face, whether they’re security Mac Admins or IT Mac Admins, is very clearly talking clearly with Apple. And I think that that’s something that I hope that they can hear and do better at. I think that their professional workflows team, which is brand new based out of San Diego I believe, is starting to do those kind of things. And so I know that there are people on those teams, people who have come out of the Mac Admin community. That’s a very positive element and I’m really excited for them to get a rare and full force representing the enterprise within Apple. I really hope that those kind of teams pay dividends in the long run.

Cat Self:
Yes, I am so happy to hear that. I did not know that Apple was doing that in San Diego. That makes me want to just move to San Diego. San Diego’s amazing. I love San Diego. Csaba, the evil bit, right, which I love his Twitter handle. It’s just great. When I saw that, I was like, “That’s brilliant.” He’s based out of Hungary. He had a great presentation. I loved the way he expressed his communication. He’s like, “So I found this bounty. Hmm, not qualified. So I found this other bounty. Hmm, still not qualified. So I found this other bounty, hmm, no response.” So it’s tough. But Patrick Wardle at the end of his talk was asking him questions. He’s like, “So what do you think?” He asked the exact same question that he did, “What can Apple do to make this better?” And Csaba started on this route where he was like, “Well, they could just reach out to me and have a conversation.” And then he finished his answer with like, “Wait a minute. That doesn’t scale.”
But I will say this, for right now, the community is pretty small. There’s a lot of really passionate people because the macOS security community is awesome. We’re super friendly, we’re very inclusive, we’re all like, “The more, the merrier. We’re kind of desperate. We love you regardless.” It’s going to take a lot for us not to like you at this point if you just care. The bar is very low. Very high, but very low, right? I probably shouldn’t have said that. But point is, we’re very open and we’re definitely at that point where we’re in a relationship building phase. Apple absolutely has this hungry community that just wants to build a relationship with Apple and make this product that we all love better.
So I think there’s a lot to be said with that team in San Diego. If they just start picking their key people and really try to develop, maybe it’s not everybody, maybe it’s like start with five key influencers in the macOS security space. Develop an influential relationship with them. Ask them for their opinions. Work with them on these bugs. Find a way to funnel stuff through them. Because half of the time, these guys are doing it for free. They’re all on their own dime. No one’s getting paid for this. And they’re still willing to just devote hours of their time to be able to resolve these conflicts. Or not conflicts, but to resolve these issues that are in the operating system. So that’s where I would start Apple, relationships.

Tom Bridge:
Fantastic. I think that’s a great place to leave it. Cat, thank you so much for coming back on the pod. It’s always good to see you. I’m really excited to hear what you’re up to next. Not to put any pressure on you, not that you just haven’t completed this giant project that’s due out at the end of the month, but we hope you’ll come back and tell us whatever you’re working on here on the Mac Admins Podcast.

Cat Self:
Yeah, I love you guys. You guys are so much fun. I’m really, really grateful that you enjoy the talk. I’ll be releasing the comic strips. So for those of you that didn’t see them, I worked with this incredible illustrator, Chris Fleming from Miscreants. We basically did an entire comic strip on pandas trying to get into the palace to be able to get the jade Tiger Lily or Tiger Tally. I keep calling it Tiger Lily. To get the jade Tiger Tally. And we kind of walk through all of the new techniques that we’re adding to macOS and ATT&CK just in a fun, very relatable way. So I’ve got a tweet out with my slides, the talks already… I think he’s going to parse out those talks, then repost them on YouTube, or Patrick Wardle is for Objective by the Sea. And then with a tweet I’ll post out the key pictures that have all of the action shots. But big thank you to Miscreants for the artwork.

Tom Bridge:
Awesome, thank you so much Cat, and we’ll see you next time.
Here at the Mac Admins Podcast, we want to say a special thank you to all of our Patreon backers. The following people are to be recognized for their incredible generosity. Stu Bacha, thank you. Adam Selby, thank you. Nate Walk, thank you. Michael Sai, thank you. Rick Goody, thank you. Mike Boylan, you know it, thank you. Melvin Vives, thank you. Bill Stites, thank you. Anoush d’Orville, thank you. Jeffrey Compton, M.Marsh, Stu McDonald, Hamlin Krewson, Adam Burg, thank you. A.J. Potrebka, thank you. James Stracey, Tim Perfitt of Twocanoes, thank you. Nate Cinal, Will O’Neal, Seb Nash, the folks at Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel McLaughlin, Justin Holt, Bill Smith and Weldon Dodd. Thank you all so much.
And remember that you can back us if you just head out to patreon.com/macadmpodcast. Thanks everybody.
Mac Admins Podcast is a production of Mac Admins Podcast LLC. Our producer is Tom Bridge. Our sound editor and mixing engineer is James Smith. Our theme music was produced by Adam Kuga, the first time he opened GarageBand. Sponsorship for the Mac Admins Podcast is provided by the macadmins.org/slack, where you can join thousands of Mac Admins in a free Slack instance. Visit macadmins.org. And also by Technolutionary LLC. Technically, we can help. For more information about this podcast and other broadcasts like it, please visit podcast.macadmins.org. Since we’ve converted this podcast to APFS, the funny metadata joke is at the end.
