A growing number of threat actors are targeting macOS. For example, the state-sponsored group APT28 has used Trojan.MAC.APT2 against military and government organizations, and malware families such as OSX.AppleJeus and OSX.NetWire.A have been used to attack cryptocurrency exchanges. Although macOS is widely deployed, we observed that published research seldom covers attack and defense techniques on the platform. As a result, both blue teams and red teams are unfamiliar with macOS security: its protection mechanisms, the artifacts available to investigators, and the tooling for analyzing them. A systematic survey of macOS attack and defense techniques is needed, and a modular cyber range for training red and blue teams would substantially improve their skills and hands-on experience.
Our proposed system consists of three components: an attack-defense association graph that maps attack techniques to the defenses and detections that counter them, a Go-based red team emulation tool that executes those techniques, and a toolkit for evaluating blue team performance against the emulated attacks. We demonstrate the effectiveness of the cyber range with real-world scenarios, and we expect it to stimulate further research on threat analysis for macOS.
Yi-Hsien Chen is a member of the BambooFox CTF team and an intern on the CyCraft Research team. He is currently a master's student in the Department of Electrical Engineering, National Taiwan University. His research focuses on attacks against macOS, including APT activity and vulnerability exploitation. He has competed in several CTFs, placing 12th at DEF CON 26 with team BFS and 2nd at DEF CON 27 with team BFKinesiS. He has also lectured for the Cyber Security Club and the Computer Security course at NCTU.
Yen-Ta Lin is a security research intern at CyCraft Technology Corp. He has conducted research on macOS digital forensics and developed a test platform for monitoring the behavior of macOS malware. He was the director of and a lecturer for the Information Security Club at NTUST and has competed in CTFs. He has also been admitted to the master's program in Electrical and Computer Engineering at Carnegie Mellon University, where he will focus on computer security.