The biggest challenge faced by Mac security researchers today: Too many people still subscribe to the idea that Mac systems are impervious to security threats. That was the top takeaway from a conversation I recently had with two of those security pros: Tony Piazza, purple team lead and offensive security engineer at Nvidia, and Christopher Lopez, senior researcher at Kandji. We talked about how they got to where they are in their careers, how they spend their workdays now, and how they try to tell the world a more realistic story about Mac security.
The Mac Security Career Path
Chris started his IT career in a security operations center (SOC) in an organization that predominantly used Windows. With no prior security experience, he developed his security skills first by understanding Microsoft’s OS and its vulnerabilities.
He then moved to a new company where Mac was the most widely used platform. Due to a lack of support for macOS analysis at that new gig, that transition wasn't easy and Chris had to climb the learning curve on his own. That curve started with simple internet searches, which soon led him to Patrick Wardle's blog. Inspired by that blog, Chris began watching streams from Wardle’s Objective-by-the-Sea (OBTS) conference, where Mac security specialists provided the latest info about what was happening in the field. His involvement with OBTS led directly to his job at Kandji.
Tony's career path wasn’t particularly premeditated, either. He started by getting his Security+ certification from CompTIA, which eventually led him to a job at Booz Allen. There, he ventured into the uncharted (for him) territory of red teaming. Tony continued his learning journey at companies such as Box, Zoom, and (now) Nvidia. He also shares what he’s learned with the next generation of security experts as a teaching assistant and moderator for SANS.
Despite their different routes into the field, both Chris and Tony have stayed in it because of their deep knowledge of Mac’s unique security features. Studying Mac security threats requires—and then rewards—such specialized expertise.
Their work analyzing Mac malware also demands specialized tools. Chris is a particular fan of Patrick Wardle's collection, as well as other essentials such as
codesign for file analysis. (The latter two are built into macOS.) Tony is also a fan of Patrick’s tools, as well as his book The Art of Mac Malware. Red-teaming tool Mythic and Jonathan Levin’s books also play a huge role for him.
Mac Security Research in Practice
Chris and Tony agreed that no two days in the Mac security-research business are ever the same, because the threats are constantly changing.
Chris says his typical day breaks down into three parts: He typically spends the morning either reading through the latest research or analyzing fresh malware samples. Threat actors are continually changing their tactics, and it’s his job to keep up with those changes. "The security landscape doesn't pause or rewind,” he says. “It's always playing at double speed."
Around midday he switches gears to delve into the behaviors of potentially dangerous programs, stepping through the sequences of events—creating a reverse shell, say, or reaching out to questionable domains—that could indicate a security breach.
The end of his day he typically devotes to writing, distilling the lessons of the day into digestible information. That writing could wind up in a security bulletin, a company-wide briefing, or an online forum, where shared knowledge can strengthen group defenses.
Tony’s days are less structured. His routine involves more research, comparing his work to putting together puzzles where the pieces only sometimes fit. "I could spend hours, even days, chasing what seems like an anomaly, only to find that it's a feature, not a flaw," he says. It's a process that can be as exhilarating as it is frustrating.
He also dedicates a big portion of his day to experimentation—delving into possible vulnerabilities and testing the response of macOS security features. "Every test, every result adds to the body of knowledge I bring to the next challenge," he says.
Despite their different approaches, Chris and Tony both stay current on Apple's most recent security updates and advisories and keep their antennae out for even the slightest hint of new exploits. They both say that they’re constantly balancing the proactive with the reactive.
Mac Security Misconceptions
One of the most important things they both do is work to dispel the widespread misconception that Macs are immune to malware. They agree that, while that myth is slowly fading, it is still rampant. They emphasized how critical it is for security professionals to recognize this misconception and, at the same time, prepare for an increasing incidence of Mac-targeted malware in the wild.
One reason for that increase, Tony says, is Apple’s reliance on its own hardware: “Due to the smaller number of Apple security researchers, hardware bugs in Apple’s proprietary chips might not be found and, so, fixed as quickly as those in Intel and AMD chips.”
Also, Chris pointed out, the threats are constantly changing: “As macOS continues to add new capabilities, as the complexity of the OS increases, malware can leverage more unique methods of compromising endpoints.” We’ve already seen this happening in recent malware attacks such as RustBucket, in which an advanced persistent threat (APT) group took a hitherto novel approach to infecting Mac computers.
As for defensive tactics, Chris and Tony both emphasize the importance of keeping endpoint operating systems up to date. It's “the most straightforward step” admins and users alike can take, says Chris.
Tony also mentioned the benefit of reporting discovered vulnerabilities through Apple’s bug bounty program. That program is a great way to let researchers find issues and get them resolved, and can sometimes lead to a nice payout.
In Chris and Tony’s world (which is my world, too), security research is as much about anticipating the next thing as it is about keeping up with what’s just happened. That dance can be intricate. As Tony puts it, "There's a rhythm to the madness, and once you find it, every day is a chance to discover something incredible."
Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints, with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.