SentinelOne is delighted to release its third, comprehensive Mac-focused ebook for enterprise security teams, the Complete Guide to Understanding Apple Mac Security for Enterprise.

Following on from How To Reverse macOS malware and A Guide to macOS Threat Hunting & Incident Response, our latest macOS ebook is an all encompassing guide to the native security technologies built-in to macOS: how they work, where they fail, what they protect against, and what they don’t.

Who is the macOS Security Ebook For?

The SentinelOne Complete Guide to Understanding Apple Mac Security for Enterprise is an essential reference for anyone needing to understand the strengths and weaknesses of the security controls built into Apple Macs and the macOS platform.

The guide covers macOS right up to and including the latest release of macOS 12 Monterey and answers many common questions asked by system administrators and security teams managing Mac devices, including:

How secure are Macs by design?
Are third-party AV security controls required on macOS?
What kind of security software works best on macOS?
Which approaches to macOS security are the most effective?
What sort of threats do businesses with macOS fleets face in 2021?

What Will You Learn from the macOS Security Ebook?

In the guide, you’ll find detailed sections on areas such as:

Architecture & Codesigning: Does the new M1 architecture provide increased security over Intel machines? Is it still possible to run unsigned malicious code on macOS Monterey on both of these architectures?
Gatekeeper: How easy is it for malware or malicious insiders to circumvent Gatekeeper’s controls? Are these bypasses used by in-the-wild malware?
Notarization & OCSP: What do these technologies achieve, and what are their limitations? How does malware circumvent these checks?
XProtect and MRT: How do these technologies work on modern versions of macOS, how can you test if they are protecting against specific kinds of malware, and how effective are they?
TCC Privacy controls: How well does TCC protect sensitive data on a Mac, and in what situations does TCC fail to work?

What Kind of Malware Threats Target macOS?

Throughout, the guide discusses the Mac’s built-in security technologies with references to real, in-the-wild malware such as XCSSET, Shlayer, Bundlore, Adload and others, describing exactly how security breaches can occur on systems that remain unprotected by additional security controls.

XCSSET malware tries to social engineer victims for additional privileges

Administrators and security teams charged with protecting macOS endpoints will learn about vulnerabilities in Apple’s platform that can be and are used by threat actors to compromise Mac devices, circumvent code signing requirements, beat Gatekeeper, bypass OCSP and Notarization, and defeat TCC privacy protections.

Learn How to Test Mac AV Software

SentinelOne’s Complete Guide to Understanding Apple Mac Security for Enterprise also includes sections on how to test security products against known malware samples, and what to look out for when evaluating third-party security products for Mac. Learn why, for example, a revoked code signature does not mean your Macs are protected from a particular malware family.

Only last month, we saw how a new targeted threat, macOS.Macma, was able to beat Apple’s on-device security and yet was easily detected by third-party behavioral engines like SentinelOne.

SentinelOne’s behavioral AI detects macOS.Macma on execution without pre-defined signatures

This guide also explains, with examples, how Mac admins can test for themselves whether the Mac’s own AV tools, XProtect and MRT (Malware Removal Tool), have been updated to protect against a particular threat or not. Learn how to test which malware you are protected from, and which you are not.

Why You Should Read the macOS Security Ebook

Apple Mac computers are increasingly common in today’s enterprise. Despite its shared Unix heritage with Linux, Apple’s macOS is idiosyncratic, as are the attack vectors that it is susceptible to, and the security implications of running a fleet of Macs in the enterprise is not widely understood. This is true even more so now that Apple has moved away from Intel architecture to its own implementation of ARM, ‘Apple silicon’.

Throughout this ebook, we illustrate areas where Macs face security risks by referencing real, in-the-wild malware that we have seen emerge or adapt in the last 12 to 18 months,

It’s vital that enterprise security teams managing a fleet of Macs are up-to-date with just how the latest threats can and do target the macOS platform.

This guide will help security teams bridge the gap and understand how best to protect Macs in the enterprise.

The Complete Guide to Understanding Apple Mac Security for Enterprise
Learn how to secure macOS devices in the enterprise with this in-depth review of the strengths and weaknesses of Apple’s security technologies.

A guest post by Jessica Stanford, CMO at Cado Security

When it comes to attack containment, time is of the essence. The speed at which security teams can dive deep to determine root cause and scope is essential to fully remediating an incident before it’s at risk of escalating. Delays or hurdles that prevent a thorough investigation from occurring have significant impact and leave your organization vulnerable to future breaches.

Once malicious activity is detected, security analysts need to be able to quickly understand its impact:

What happened?
When did it happen?
Is this the first time it happened?
How many machines were involved?
How did the attackers get in?
Has data left the environment?

However, using traditional digital forensics and incident response (DFIR) approaches, it can take days to weeks to manually capture and process the data needed to answer these pressing questions. To make matters worse, due to the heavy uplift and time required, incidents often get closed without digging deep enough.

That’s where the combination of the SentinelOne Singularity XDR platform and Cado Response can help — by delivering the data and context security teams need to quickly identify the root cause of incidents and enable faster response.

The SentinelOne Singularity XDR Platform provides the broad visibility needed to detect and respond to malicious activity in real-time across user endpoints, cloud workloads and IoT. Many DFIR investigations begin with a high-severity detection – SentinelOne provides best-in-class behavioral detection with Storyline, as evidenced by the 2021 MITRE Engenuity ATT&CK evaluations. SOC teams use SentinelOne to ‘stop the bleeding’ and perform automated responses, such as killing processes, quarantine a threat or rolling back the effects of ransomware.

SentinelOne Remote Script Orchestration (RSO) takes automation within incident response a step further to enable security and IT teams to remotely execute customizable remediation and response actions and to send custom scripts to one machine, a few hundred machines, or even millions of machines concurrently.

DFIR investigations take incident response a level further by analyzing additional forensic data such as memory and disk snapshots. Joint customers can use RSO to deploy Cado Response, which provides deep forensic-level analysis, enabling DFIR teams to respond to present and future cyberattacks faster.

SentinelOne and Cado Security’s joint solution enables security teams to take a modern approach to DFIR by speeding up cyber investigations in three ways.

1. Automated Capture

A forensics analysis often requires massive amounts of data. Complicating things even further, this data can live across countless regions, systems and users. Capturing, processing, and triaging the data required to conduct a detailed investigation using traditional methods is no easy task. Fortunately, automation flips the script. By automating the most tedious parts of a forensics investigation, including data capture and processing, security teams can drastically reduce the amount of time and effort that’s required to understand the root cause and impact of an incident.

2. Leverage The Cloud

As mentioned above, when it comes to forensic investigations, speed is of the essence. Forensic investigations require complete visibility, across on-premises, hybrid, and cloud environments. Gaining access to the data is step one. Then analysts need to normalize and preserve the data for an investigation. This can require extensive time and manual effort but results in no added value until the processing is complete.

Using SentinelOne, DFIR teams can gain visibility across all environments, whether they be user endpoints or enterprise workloads, whether on-premises, hybrid or in public cloud environments like Amazon Web Services. With RSO, Cado Response automatically processes data from endpoints of interest, leveraging the cloud for rapid processing of hundreds of files and systems in parallel to drastically reduce the time it takes to begin an investigation from days to minutes. The cloud enables security analysts to get access to the information they need, when they need it.

3. Managing DFIR At Scale

Using automation, RSO enables the scale and speed of deployment of forensic tools across the entire endpoint fleet to help teams manage IR processes at scale. From within SentinelOne, teams can seamlessly deploy Cado Response, view the status of script deployment, ensuring the complete forensic capture of all affected endpoints.

Capturing and processing 100% of the data from all impacted systems is a feat in and of itself, but it’s just the beginning of an investigation. Once the data is processed, security teams need to analyze it to identify the root cause and fully remediate an incident.

The challenge here is adding context and awareness to the data. Cado Response uses the power of machine learning-driven analytics and threat intelligence to correlate all systems, users, processes, files, and more. It also creates a complete timeline of events in a single pane of glass so analysts can immediately visualize the scope very quickly and seamlessly dive into important data. This enables them to conduct an investigation in aggregate rather than analyzing systems one by one.

Preventing Future Breaches

Conducting a thorough forensics investigation post breach is critical to identifying the root cause and preventing future breaches. That’s why ourCado Response’s recently announced partnership with SentinelOne is so important, as it delivers the breadth and depth security teams need to detect, investigate, and respond to incidents with unmatched speed.

SentinelOne Remote Script Orchestration (RSO) can alleviate the SOC burden for remote forensics and incident response. RSO allows customers to remotely investigate threats on multiple endpoints across the organization and enables them to easily manage their entire fleet. It lets incident responders run scripts to collect data and remotely respond to events on endpoints. Through SentinelOne’s Remote Script Orchestration (RSO) capability, security analysts can launch Cado Response to perform an in-depth forensic investigation across their SentinelOne Singularity Platform-protected endpoints in a single click, simplifying forensic data capture and accelerating triage.

Incident Responders can collect forensic artifacts, execute complex scripts and commands, install IR tools – like Cado Response – on thousands of endpoints simultaneously — Windows, Mac, and Linux, via the SentinelOne console or API. Remote Script Orchestration includes a Script Library from SentinelOne with scripts for all platforms, PowerShell for Windows, and bash scripts for Linux and macOS.

Singularity Marketplace
Extend the power of the Singularity XDR platform with our ecosystem of bite-sized, 1-click applications for unified prevention, detection, and response.

The Cado Response platform is powered by a cloud-based architecture, which automatically scales up and down to provide rapid processing when needed and saves costs when not, drastically reducing time to evidence and time to response. The Cado Response platform simplifies investigation, enabling analysts to easily pivot across evidence items including impacted systems, users, processes, files, and more, so they can rapidly visualize incident scope.


With powerful remote script orchestration within the SentinelOne Singularity Platform and the cloud-native DFIR capabilities of Cado Response, incident responders have an effective toolset for collecting, analyzing, and actioning forensic data from across the endpoint and cloud workload fleet.

Learn more about SentinelOne and Cado Security in this upcoming webinar:

Automation Flips the Script: Augmenting Real-Time Detection with Modern DFIR.

Double Extortion Ransomware Victims Soar 935%

Researchers have recorded a 935% year-on-year increase in double extortion attacks, with data from over 2300 companies posted onto ransomware extortion sites.

Group-IB’s Hi-Tech Crime Trends 2021/2022 report covers the period from the second half of 2020 to the first half of 2021.

During that time, an “unholy alliance” of initial access brokers and ransomware-as-a-service (RaaS) affiliate programs has led to a surge in breaches, it claimed.

In total, the number of breach victims on ransomware data leak sites surged from 229 in the previous reporting period to 2371, Group-IB noted. During the same period, the number of leak sites more than doubled to 28, and the number of RaaS affiliates increased 19%, with 21 new groups discovered.

Group-IB warned that, even if victim organizations pay the ransom, their data often end up on these sites.

Conti was said to be the most aggressive ransomware group, leaking data on 361 victims (16.5%), followed by Lockbit (251), Avaddon (164), REvil (155) and Pysa (118).

The initial access broker landscape has also matured significantly over the past year. Group-IB claimed to have discovered 229 new players in the market, with the total now standing at 262. The number of offers on underground sites to sell access to companies almost tripled, from 362 to 1,099.

The number of sectors impacted by such threats also surged from 20 to 35. Those most affected were manufacturing (9%), education (9%), financial services (9%), healthcare (7%), and commerce (7%). The US (30%) was most frequently targeted, followed by France (5%) and the UK (4%).

Elsewhere, cyber-criminals participating in phishing and scam affiliate programs pocketed a total of at least $10m over the period, while the carding market shrunk by 26%, from $1.9bn to $1.4bn.

Russian Bulletproof Hosting Kingpin Gets Five Years

A Russian man has been sentenced to five years behind bars for his part in a bulletproof hosting venture that helped support countless cybercrime operations.

Aleksandr Grichishkin, 34, and co-conspirators Pavel Stassi, 30, of Estonia, Aleksandr Skorodumov, 33, of Lithuania, and 34-year-old Russian, Andrei Skvortsov, had previously pleaded guilty to conspiracy to engage in a racketeer-influenced corrupt organization.

Grichishkin is purportedly the organization’s founder, which rented out IP addresses, servers and domains to cyber-criminals, who used it to build botnets, access victims’ machines and steal financial data.

Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit were among the malicious tools used by these criminals to target US firms, financial institutions and their customers between 2009 and 2015, according to the Department of Justice (DoJ).

As the organization’s operational leader, Grichishkin is said to have overseen advertising of the firm’s hosting services in underground forums. He also set prices, negotiated with clients, managed employee hiring and compensation, and supervised the work of his sysadmins and other staffers.

“He also regularly instructed other members of the organization on how to ‘resolve’ abuse notices by, among other methods, moving the affected clients’ data to new, ‘clean’ domains and IP addresses,” the DOJ said.

Stassi has already been sentenced to 24 months in prison, while Skorodumov received 48 months for his part in the operation. Skvortsov is awaiting sentencing and faces a maximum of 20 years behind bars.

The FBI brought the men to justice with the help of police in Germany, Estonia and the UK.

The arrests are unlikely to do much to deter bulletproof hosting business owners working in a vast and lucrative industry. This is particularly true for those operating in countries like Russia, where many cybersecurity experts believe authorities turn a blind eye to criminal activity directed at foreign targets.