
Mastering macOS Threat Detection and Incident Response: A Hands-On Blue Team Training

3-day in-person course

Are you ready to tackle the rising wave of macOS security threats?


This 3-day training equips blue teams with the practical skills to monitor, detect, and respond to macOS attacks. As one of the few specialized courses in macOS security, it is an indispensable opportunity to strengthen your defenses.


With macOS adoption skyrocketing in enterprises, attackers are innovating to target this platform, shattering the myth of macOS immunity.

Key Takeaways:

  • (Fundamentals) Gain an up-to-date, comprehensive understanding of macOS security fundamentals, including file systems, timestamps, security features (XProtect, Gatekeeper, TCC, etc.), and how attackers bypass them.

  • (Monitoring & Threat Detection) Learn to set up an infrastructure for attack simulation and analyze real-time macOS endpoint telemetry to identify suspicious activity.

  • (Incident Response) Develop essential incident response and forensic artifact analysis skills, and use investigation tools to minimize the damage from cyberattacks.


Attendees will leave with actionable skills, lab instructions, and evidence files to tackle real-world macOS security challenges confidently.


Course Overview


Foundations of macOS Security
  • Deep dive into macOS security fundamentals: directories, file systems, timestamps, and common file types

  • Understanding Apple Platform Security features (XProtect, Gatekeeper, TCC, SIP, etc.) and their role in malware defense

  • Real-life case studies showcasing how attackers bypass these defenses

  • The security-check lifecycle of a macOS binary

  • Hands-on labs to solidify foundational knowledge on macOS security


Attack Simulation and Threat Detection
  • Gain insights into the evolving macOS threat landscape

  • Master macOS telemetry and the Endpoint Security Framework

  • Learn to set up infrastructure for attack simulation and logging

  • Conduct real-time threat detection using macOS endpoint telemetry

  • Hands-on labs to analyze macOS APT activity and gain insights on threat hunting methodologies


Incident Response, Forensic Artifacts & Malware Investigations
  • Master the process of triage data collection

  • Learn system profiling techniques for identifying anomalies

  • Develop skills in Apple unified log analysis

  • Understand how to analyze user and application activity

  • Data theft and malware case studies (RATs, infostealers, etc.)

  • Perform in-depth persistence analysis

  • Investigate process, network, and file activity

  • Hands-on labs providing practical experience in incident response and artifact analysis


Course Challenge & Wrap-up
  • Apply your newfound knowledge in a hands-on course challenge simulating a real-world threat scenario

  • Receive valuable resources for further practice and ongoing learning

Target Audience


SOC teams, IT Admins, DFIR teams, and system administrators seeking to strengthen their macOS security posture


Training level


All

Pre-requisites


  • Familiarity with macOS

  • Cybersecurity basics and terminology

  • Curiosity, Willingness, and of course, the Lab requirements too ;-)


Hardware requirements

  • Laptop: MacBook with Apple silicon (M-series chip)

  • OS: macOS 13 or above with Admin rights

  • RAM: min. 16 GB

  • Storage: 100 GB


What is provided for participants?
  • Course Material

  • Step-by-Step Lab Instructions Manual

  • Setup guide for building your own home lab

  • Lab Artifacts for Investigations practice

  • Carefully curated resources for further learning


Trainer Bio


Surya Teja Masanam is a Digital Forensic Investigator and Malware Analyst with 8+ years of experience building and running DFIR programs from scratch, including SOPs and field manuals, in the organizations he has worked for. Currently, Surya leads the Digital Forensics & Incident Response charter at a fintech company, bringing several years of experience handling cases involving Windows, Linux, macOS and AWS in both corporate and government bodies. He is an engaging, understanding, and knowledgeable technical trainer with expertise in instructing both small and large groups across diverse industries. Surya believes evangelism should be an inherent character trait among security professionals. He has delivered trainings at renowned conferences such as Defcon Blue Team Village, Bsides Singapore, Shellcon, Vulncon and CODEBLUE JP, and has also raised awareness about cybersecurity in NGOs.

Saksham Tushar specializes in various aspects of threat management, including intelligence, detection, analytics, and hunting. He has experience leading teams and collaborating with organizations such as Informatica, Microsoft, and IBM to establish multiple global Security Operations Centers. Currently, he is Head of Security Operations at CRED India. He has extensive expertise in developing, refining, and transitioning threat management programs, including advanced MDR operations across the ASEAN and EMEA regions. He also creates threat detections and hunts and shares them with the community through analytical notebooks.

