Between new types of malware, egregious bugs, and universal threats like phishing, Macs are not the invulnerable lockboxes Apple once touted. But in thinking about how to defend Macs against a new generation of threats, researchers at the security firm Digita are taking advantage of features Macs already offer, to monitor threats in unexpected ways. And it’s all powered by Apple’s logic engine for videogames.
At the RSA security conference in San Francisco on Tuesday, Digita chief research officer Patrick Wardle is presenting GamePlan, a tool that watches for potentially suspicious events on Macs and flags them for humans to investigate. The general concept sounds similar to other defense platforms, and it hooks into detection mechanisms—has a USB stick been inserted into a machine? has someone generated a screen capture? is a program accessing a webcam?—Apple already offers in macOS. But GamePlan, cleverly written with Apple’s GameplayKit framework, collects all of this data in a centralized stream and uses the videogame logic engine to process it.
“GameplayKit takes care of evaluating events and spinning out an action,” Wardle says. “So in PacMan, by default the ghosts are hunting PacMan, so that’s a rule. If PacMan eats a power pellet, the ghosts run away. That’s another rule. So we realized that Apple has done all the hard work for us. Its game-logic engine can also be used to very efficiently process events on a system and spit out a warning.”
For example, a rule could state: “If a file is created in a certain directory, and it’s created by a program that the user downloaded from the internet that isn’t cryptographically signed as trusted by Apple, then generate an alert.” And rules can build on other rules. For instance: “If an unsigned program from the internet persists and accesses the webcam when the user is not active, then generate an alert.”
“Basic security compliance stuff is not very sexy, but it’s one of those things that’s really important to know.”
Blake Darché, Area 1 Security
Using this approach, GamePlan can easily function as a traditional signature-based antivirus service; it can have a set of rules that say, “If you detect this malware signature, then generate an alert.” But the rules can also be flexible and relate to foundational system information, so that it’s possible to detect unknown malware by simply writing rules that watch out for the types of actions that can indicate infection. GamePlan also has the ability to flag things like insider threats, by looking for the types of actions a person might take if they were compromising a device or exfiltrating data from it.
Rules can also eliminate unnecessary warnings by getting more specific. A rule to protect against a rogue employee stealing personnel data with a flash drive might be: “If files are copied onto removable USB storage from a developer laptop: No alert. But from a human resources laptop: Alert.” Similarly, “If an operating system component was modified by Apple’s updater: No alert. If it was modified by an untrusted program: Alert.”
“Your imagination is the limit,” Wardle says. He also notes that it is easy for both Digita and GamePlan users to write their own rules or combine types of rules into “rule packs” that customers can choose to deploy on their systems, depending on their specific setup and needs.
Wardle has already experimented with using elegantly simple event information to warn users about so-called Evil Maid attacks in which a hacker gets their hands on a target device. Similarly, GamePlan doesn’t take any type of immediate action beyond a notification to deal with threats that crop up. And it is built to err on the side of false positives rather than false negatives. But Blake Darché, CSO of the firm Area 1 Security, which has been trying out GamePlan on almost all of its company Macs, says that the tool generates a reasonable number of notifications. And when it’s being “too verbose” about a certain type of event, as Darché puts it, it’s relatively easy to tailor the offending rule.
“I liked that instead of putting all the focus on cloud and machine learning, which is where most of the market’s been moving, these guys are coming at it from a different perspective of doing more on the Mac itself,” Darché says. “And it’s great for compliance checking. Things like, ‘Hey, is the firewall on? Is FireVault enabled? Basic security compliance stuff is not very sexy, but it’s one of those things that’s really important to know.”
Digita is continuing to build out its framework for pre-populating rules for customers and writing new ones based on new threats. But Wardle says the crucial concept is letting Apple’s own systems do a lot of the work for them, to get as close to what’s really going on with as much context as possible.
“When you’re sick you might not know exactly what you have, but you know something is wrong,” Wardle says. “With this it’s kind of the same thing. With these things that aren’t normal, if you’re watching enough of those events you can make a good decision.”
