Behind the Book: Threat Hunting macOS with Jaron Bradley

Welcome to 13 Cubed. In this episode, I'm joined by Jiren Bradley. He's the author of an upcoming book called Threat Hunting Mac OS. When I was building the latest 13 cubed training course, Investigating Mac OS Endpoints, I came across Jiren's website and his book, so I decided to reach out to see if he would be willing to come on to the channel and talk about it. If you have any interest in Mac OS security, you're going to want to check this out. I also think his book is going to make a great companion to investigating Mac OS endpoints. So, let's get started. Welcome to 13 Cubed, Jiren. Thanks.

Happy to be here. Thanks, Richard. Awesome. So, to get started, uh, tell us a little bit about you. Like, who are you and what's your background? Yeah. So, my name is Jiren and uh I am a uh I'm the director of threat labs uh at JF. Uh and we essentially we put a lot of focus uh on the Mac OS operating system. Uh and we look for new ways basically to detect malware and detect threat actors um on uh on the Mac OS ecosystem basically. Outside of that, I also manage uh the MittenMac. Uh, it's a website that I run. Uh, and essentially there I try to host some different blog posts, fairly spread out, admittedly, fairly spread out in terms of how often I get to posting content on there, but also um free tools uh that users uh can use to both um some are for incident response and then some are more for kind of learning the operating system and understanding uh what kind of events that uh the operating system can sort of um uh display or pass out uh to inform you of various things that are occurring. Uh, one of the major tools that I've released on the website that uh that I put a fair bit of work into is True Tree. Uh, that's more geared towards incident responders. Uh, basically lets you kind of get this um, in the Linux world, you know, you have your like PS tree like output where you can sort of print a huge process list. Uh, on Mac OS, um, it's a lot harder because everything's very linear. everything as a parent of launchd uh and true tree tries kind of connect a lot of dots for you and uh build like a proper tree to inform you know of running processes so uh stuff like that you know nerdy stuff yeah it's awesome uh that's actually how I came across you uh because when I was researching content for investigating Mac OS endpoints and just pulling in resources from everywhere I could trying to learn as much as I could and fill in gaps in my own knowledge I ran across the Mitten Mac website and saw the tools that you had created and read some of the articles that you've written. Um, which also leads us into the next point talking about your book which we'll get to in a moment. But in terms of I guess

your Mac story, tell us a little bit about that. Have you always been like the hardcore Mac OS nerd or do you experiment and play with Windows and Linux as well? Tell me a little about that. Yeah, I haven't been. Um, and I get into that a bit in uh in chapter one of my book. Uh but essentially like I I grew up on Linux uh well rather I went through college very strongly purely on Linux um and loving everything about it as I learned um and then outside of that I was a gamer so that was kind of my side that I had exposure to right Mac was just that redheaded stepchild that I that like my brother had one uh I didn't really seem to play any games that seemed to be familiar like Linux but I knew it wasn't Linux and couldn't do a lot of the same stuff. But um so no, I did I certainly did not grow up on Mac. It wasn't until somebody set one down one day uh on my desk at work and was like, we don't know how to, you know, to secure these. do incident response on these. Somebody has to figure it out, right? And like through this kind of um accidental volunttoled, you know, uh scenario, I said, "Yeah, I'll take a look. It can't be that hard. " And uh before you know it, you're the you're the, you know, quote unquote Mac guy that everybody's even though you even though you're still figuring it out, right? And over time, that's sort of been the journey where my focus has shifted more and more to Mac OS. And it's been quite fun kind of learning about the different security components uh and how Apple has built their ecosystem um because it's a bit of a niche space I think and it's definitely fun to learn. Yeah, for sure. Uh your background is not all that different than mine. I also grew up not in the Mac world, right? So, uh I was born in 77, so I'm dating myself here, but I kind of grew up in the 80s, like the birth of the personal computer. And uh it was I was like hardcore DOSs basically and then you know followed Windows all the way through and uh when I'd run my first business from 1996 to 2006 we did a lot of IT consulting work and building computers and whatnot and we would you know in the early years just joke around the office like we don't want to touch Macs we don't want anything to do with Macs but you know for me that all changed in I guess it was 2001 when the public beta of Mac OS 10 came out, right, which essentially is, you know, next step from Steve Jobs next computer company that Apple ended up purchasing. And when I saw Mac OS 10 and

not only how pretty it was, but just also the technical infrastructure behind it, um, I became, you know, pretty enamored with it and kind of started daily driving Macs in addition to Windows and Linux stuff, uh, really since, you know, the early 2000s. So, it's been time has flown for sure and uh it's been interesting to see the ecosystem evolve like you mentioned and just kind of things change over time. So, yeah. And it's fun that you bring up like the whole next step process and all that because that's like going from um uh going from kind of uh how I got into the space in chapter one um into the second chapter is all about kind of that a bit about the computer wars through the 70s, right? And how Apple kind of just a little bit of history on Apple the company. uh followed by yeah Steve Jobs stepping away um going off with Avi Tavanian to build NextStep um after pulling him in and then next step all of a sudden like magically becoming the next Apple ecosystem. Um the whole second chapter is based on that. And honestly like this unique design of BSD uh meets uh this addition of the mock concepts. Um this is one of the things that makes forensics so difficult on Mac OS right like this really complex hybrid operating system that's like two platforms merged together. Um, that is one of the things that makes threat hunting and forensics so much different on Mac OS. Um, and that's why I try to sort of lay the foundation out in terms of talking about how it came into existence because I think that understanding is relevant to furthering the internals of the operating system. So yeah, totally agree. And speaking of

Mac OS over the years, Mac OS 10 and then Mac OS as we call it now, have you had a chance to play with Mac OS 26, Mac OS Tahoe? Yeah, the betas are out. Um, I myself haven't done a lot of toying because I've been busy uh getting the lab material put together for the book, which then of course uh have to go and translate and make sure it all still kind of works the same way on, you know, the new Mac OS. Um, and uh, so yeah, I haven't done a lot of playing. I've uh I have a lot of guys uh on my team that have got in there and checked to see, you know, okay, this tool set that we've been using, does it still work? Has anything broken? Uh, stuff like that. The fun like major changes that really have to check. Uh, for Apple, that tends to be about once a year, right? So, absolutely. Yep. And I'm doing the same thing for investigating Mac OS endpoints because, you know, it obviously released right around the time Mac OS 26 beta came out. Uh we've been testing it since day one and I certainly won't draw any conclusions yet or make any definitive statements, but so far uh it appears that those major core artifacts on which we rely are still in place in the same locations. And you know, a lot of the tools that I've tested still work the same. you know, whether it's, you know, parsing a DS store file or something like that, all of that seems to work the same. So, um, good news there. But, u, you know, just like you, if I find any kind of major forensic artifact that's new or one that's changed, where there's a caveat in Mac OS 26, I'll obviously go back and update those relevant sections in my course as well. So, I feel you on that. It's always a cat and mouse game like Yeah, 100%. And then even uh with the true tree tool I mentioned earlier that uses some like some very obscure APIs that you know you wouldn't even really know exist because they're barely documented and like they're kind of marked deprecated and so just waiting for the right the next release to come out and be like just come on please still be there like and so far so good but totally understand that. So um speaking

of Mac OS as well, one of the things I wanted to ask you is, uh are you seeing an increase in attacks against Mac OS in the enterprise? Can you speak to that a little bit? Yeah, I don't have the hard numbers per se. Um uh but we've certainly like as uh as working on a team that basically is involved with Mac OS uh on a regular day-to-day basis um I can certainly say you know after doing this for uh after kind of being geared towards Mac OS for the past 10 years of my career like it is certainly shifted right like um one of the major things probably in the past three years that have just exploded on Mac OS has been uh Atomic Steelers right this new kind like at some point like uh at some point attackers have realized there's a big enough market share on Mac OS that you're missing out if you don't write back doors and stealers for Mac OS you're going to miss out on a lot of power users right not to mention developers and who holds great keys to the city generally developers right so um so we've been uh just even in the past three years the amount of social engineering and malware that's gone to work and been seen out in the wild. It's been explosive compared to the years prior to that from the Mac OS perspective. And I would argue a lot of that does have to do with the market share, right? Like as more Mac get into more hands of users, it's no longer just like the execs at the company anymore that are using Macs. It's the developers. It's it's everybody. Um and uh I think uh actors everywhere from uh you know cyber crime to AP have started making sure that their tool belt includes something uh for the Mac OS ecosystem. So yeah that's exactly what I've seen as well. So that's what I always tell people. You know people getting into forensics typically start with Windows forensics and obviously that's very important. Windows is everywhere. Uh but then I make the argument well so is Linux. you know, chances are the web server that you're pulling up when you hit a website is probably powered by Linux, for example. And then in terms of uh desktop use, uh obviously Mac OS is uh you know, definitely like everywhere you look, you see people with MacBook Pros or MacBook Airs. It's um it feels definitely more like you know, the market share has increased a lot. I also don't have hard numbers to prove that, but um you know, I feel like you know, you're just seeing a lot more Macs nowadays. um than was the case even 10 years ago. Um I think one Yeah. I think one big part of that too is Apple Silicon which you know is um I'm definitely a fan. Like Apple silicon's incredible like the um it's just amazing. Um I'll give you a quick

example. I have um I have an M3 Ultra right here that I'm using has 512 gigs of RAM and I'm able to run Deep Seek R1. Uh, granted it's the four-bit quantization, but I can run that entire 671 billion parameter model locally on the Mac, which is insane, right? I mean, you would need like I won't do the math in my head, but you'd need a lot of 590s and 4090s, you know, uh, with, you know, a few thousand watts of power consumption to do that. And this thing's sitting over here as I'm looking drawing a couple hundred watts, you know, just, uh, in normal usage. So yeah, it was funny because we had like we had the move, you know, Apple's done a move in terms of processor architecture multiple times, right? It's how we got this fat binary as it were, universal binary and like there was this awesome time for just a short period where we didn't have that. Everything was just Intel and Intel 64-bit and we didn't have to worry about any changes and then all of a sudden they introduce silicon, right? and we're running ARM and we're back to the universal binaries where everything's twice the size that it used to be and like to me that was kind of like ah but then you see the benefit you get from it once you get that ARM processor like running and yeah it's fantastic I would agree with that as well. Yeah. Speaking of which I heard that Mac OS 26 is supposedly the final version to support Intel uh based Macs. I think Apple had officially announced that. So that's uh that's going to be interesting. That means Mac OS 27 will theoretically be Apple Silicon only. So yes, I believe I heard that as well. Although I thought it was Oh, yeah. Yeah, that might be right. I couldn't remember if it was the release of 27 or if it was 2027. I can't even remember the the release now that they're calling it by year now, right? That that's what by year. Yep. They've changed the nomenclature, but uh yes, so it's uh it's coming though. So the death of Intelbased Macs is uh is well depending on your perspective fortunately or unfortunately coming uh before you know it. So I think it depends on when you bought your Mac. If you bought it year before Yeah. If you bought a uh $50,000 uh Intel powered Mac Pro, I uh Yeah, that's not a good place to be in. But all right. Well, um the main thing I wanted to ask you about here, uh for sure was your book, uh because um you know, I know that you have a new threat hunting book, uh that is coming out. I've pre-ordered it myself. And by the way, if you check this video's description, you'll find links to pre-order the book. Um as well as to the Mitt and Mack website and the things that we've been discussing here. But tell us a little bit about this book. what does it cover and what you know what was your uh I guess motivation for writing it and so on. Yeah, absolutely. I've always had an interest in kind of trying to share the knowledge, right? And I feel the uh I feel the Apple space is the right place for that because again it it's still it's at a point where we're starting to get a lot more attention from a security perspective on uh on Mac OS. Um, but it still remains fairly niche and it still remains like a lot of the, you know, big quote unquote sexy, if you will, attacks are still occurring on Windows. Windows has their server infrastructure, right? Macs are generally owned by a single individual. But like there was this time where somebody would get hit and nobody knew how to look at it. determine if an attacker was successful on the system. um and that's shifting a little bit, but there's still a lot of I find um desire for knowledge on how to find those threats um and determine what happened based on a number of events. Right? So, uh I do have a first book that I wrote that's uh that's called OSX, Incident Response Scripting and Analysis. As you can probably tell by that name, it's pretty old. That book was 2016, right? Uh and that was uh there was a lot of focus on that for more or less handling artifacts. Um a lot of stuff that you're covering, you know, in your training now. Um except you're doing it in a very more modern updated way. So uh but the original book I put out was about being hands-on, getting artifacts, and then parsing those artifacts to tell a story. uh and this uh this new book that I'm working on is more geared towards how do you do that uh with kind of uh from an EDR perspective, right? How do you take events that a system that many systems and security software sends up to the cloud in real time? Um how do you take those events and tell a story? Uh so uh a lot of that is through um process creation, right? Monitoring process creation. what are different processes, things like that. Um, file activity. How do you know when a certain file is modified? Take a look at the process that modified it. How do we look at the process heritage to determine if that's weird or not? Um, basically just trying to teach uh a lot of stuff that I've done over the past, you know, 10 years of my career. Uh, and trying to put that in what is hopefully a digestible manner. Um the ultimate goal is to teach uh Mac OS internals so that you can use that internals knowledge for your security benefit, right? Um and trying to find that line of internals versus security content can be pretty tricky like some people go heavy on one like the computer science side, some people go heavy on the other. But I think learning about threat hunting is finding that balance of both. Um, and that's what I'm trying to do with the book. Yeah. Excellent. I also noticed on

the website for the book there was um like some audiobook samples of the book and also something that was a collection of stories from the front line. Can you tell us a little bit about that? Yeah. So, the uh the book is not out yet, but I've released the first two chapters um on Apple Books. Uh, and that also includes um my brother actually uh records um audiobooks professionally and he did the first two chapters for me. So if you don't feel like uh reading uh and you'd rather listen in the car, uh the first two chapters I after reviewing them, I was like these are pretty much justformational. There's not many pictures. You don't there's not a whole lot of diagrams or anything like this would actually make an okay audio book. So uh the first two chapters and only the first two chapters are available in audiobook form and you can listen to those for free uh on my website or on YouTube. Um, and then, uh, the from the front lines that you're referring to, uh, those are stories that I'm putting into the book where, uh, you know, we've, uh, I've gotten to go hands-on with a lot of attacker malware, um, and a lot of different scenarios, uh, that just involve Macs, right? So, uh, while I'm breaking down content, uh, kind of the lecture content in the book, um, if I have a story that's kind of related to that feature I'm speaking of, I'll tell that story. Uh, some of those are around breaking down like a full-scale attack. And then some are really simple things, right? Like, um, what is Bonjour on Mac? Where you can basically just ask the network, hey, there are any other Macs on this network? are they hosting SSH? Right? Like how have I seen attackers use that? How can you detect that very simply with a low false positive ratio? Right? So just trying to get into um uh stories of okay like I have a little tidbit around this story uh or around this feature. I'm going to tell that little story right here in this blurb. Right. So uh that's what I'm also trying to include uh in the book as well. Yeah, I think that's an excellent way to learn too. I try to do that through all of the 13 cube training courses when I explain an artifact or you know how you might leverage an event log to do this that or the other. um if there's a story or some experience I can draw upon even if I have to sanitize it a little bit right because I can't reveal certain things then I'll try to relate that and I think that really helps reinforce things because a lot of the times when you're teaching people who are new to forensics or threat hunting uh you know one of the things they'll say is well that's great that I'm glad that you've given me that information but why do I care like tell me how to practically apply the knowledge you've given me so that I can at the end of the day put together the pieces of the puzzle and tell the story, right? And so I think a lot of books and a lot of training are very good at saying here's an artifact or here's how to threat hunt for this artifact but they don't go into the details of like give me a situation in which this would be useful like how can I actually apply this in the real world not just uh in some contrived scenario right agreed and then I think we run into a lot where we'll speak hypotheticals right we'll say like this file exists here and if it's modified such and such could happen as where like a story of well no like here's a story about an attacker that really did this and why they did it like that goes a bit further than the hypothetical and that's that to me is fun to share those stories so awesome yep so tell us where can people go to

pre-order the book and when is the estimated release date yeah uh to pre-order the book you can go to uh the mittenmack. com and then you can click on book at the top if you want or uh the mittmack. com com/threating-book. Um, and uh, you can pre-order it there right now. Um, I will be putting it through distributors what distributors as well. Once it's finished, you'll be able to get it, you know, on the more common websites that you would order a book. Um, but this I'm calling the author's edition. It's for anybody that just kind of wants an early full color hard cover. um uh and then you know just sign some extra small bonuses uh before I turn it to distributors to print on demand and do all that. So um so yeah uh you can go to my website to order it. You'll see two options there. One is the physical book and then a slightly cheaper option is uh you can pre-order the Apple ebook. Um and I will try to get it available on other ebook platforms as well. Uh this is me taking my first shot at self-publishing. Um and uh we're going to see how it goes here. Um but uh but yeah, so it it's been a journey. Um but uh the book is available there. Um and the content in it is uh half of it uh for every chapter like I do lecture content lecture you know where we try to break down um a different topic about the operating system and then uh in the majority of chapters as well once you get into you know chapter three uh is going to be a full hands-on lab section which could be analysis of a recorded malware snapshot that I have um it's where we actually get really deep into the security analysis side versus just the lecture portion. So, um I'm someone that learns far better by example rather than uh rather than just by reading, right? So, I try to adhere to both on that front. That's great. That sounds awesome. And as I said before, all of the links to the book uh to the website, they'll all be in the video's description here. So, be sure to check that out. Also, if you're considering enrolling in investigating Mac OS endpoints, this book, in my opinion, will be a perfect companion for the course. Once you understand the core artifacts and a bit of the history about how artifacts work and again, why you should care kind of thing, then this book is going to take it to the next level and help you understand threat hunting. And because it does have those practical lab exercises that you can, you know, have some hands-on practice with, I really feel like that'll go a long way to solidify Mac OS forensics and threat hunting knowledge. So that's exactly why I wanted to have Jiren on the channel and interview him. Uh, and this seemed like a perfect time to do that. So, uh, thank you once again, Jiren, for your time. Really appreciate it. And best of luck on the book. Thank you, Richard. Really appreciate that. Awesome. All right, everyone. Thanks for watching and I'll see you in the next 13 cubed episode.