Hi, I’m a Mac guy! Over the past year, I've received many questions from people—sales people, technical people, directors and executives, end users like my family, and beyond—that all revolve around "why should we protect macOS?" Now, this question is usually in the subtext.
I often get asked things like, "We have far more Windows devices than macOS devices; do we need to spend the extra money to cover macOS?"
There are a handful of macOS security myths out there, which brings a lot of questions from users or the IT community. So, let's address some of the most common questions I've received, and then wrap up by discussing the big one: "Why should I protect my Mac?"
"Is Windows more vulnerable than macOS?"
More vulnerable might not be the most accurate representation. Windows devices are currently targeted more, which could make them seem more vulnerable. macOS is still vulnerable to attacks, but as the devices are still under-represented in the market, it makes sense that there would be a perception that macOS is less vulnerable.
That being said, macOS has put many different security mechanisms into its operating system in order to safeguard the end user. Whether it's transparency into what applications are installing persistence, its Transparency, Consent, and Control (TCC) functionality, or its built-in malware protection, Apple has taken many steps to try to protect its end users.
"I don't hear much about malware on macOS. Why is that?"
I think there are a handful of reasons for this misconception. One possibly being that macOS security isn't as, pardon the expression, "sexy" as it is on Windows. Although threat actors have attempted to target macOS, it has yet to execute thus far and has seen a limited number of very sophisticated attacks.
Lots of the malware found on macOS are more aimed at triggering browser popups, hijacking search engine home pages, and potentially unwanted programs (PUPs); and it's less in the fields of lateral movement, mass data exfiltration, etc.
On top of this, Windows is still the dominating force in the enterprise business space. Even with macOS growing in popularity, it still pales in comparison. So it makes sense that threat actors would be more likely to target Windows devices with their malware, as opposed to writing a macOS version of it. Although we've seen some cross-platform malware before, typically in the form of a script, you're unlikely to see the same volume of malware on macOS as you would on Windows.
"Is macOS actually a viable target for threat actors?"
The short answer: yes. As mentioned above, a huge sect of macOS malware is more adware-y than sophisticated attacks. That isn't to say that these more targeted, specific, highly sophisticated attacks don't exist. We've seen with the XCSSET malware that threat actors can actually target programs in the macOS ecosystem, as well as (ab)use the TCC database. We've witnessed malware exploiting 0-days in the operating system to persist, as well as leveraging shells like zsh along with the Shlayer malware.
"I thought Macs don't get viruses, you're telling me they do?"
Unfortunately, it's true. There was an ad campaign that Apple ran for a number of years in the mid to late 2000s, featuring Justin Long—the "I'm a Mac, and I'm a PC" commercials. Do you remember those? Although more accurate at the time, with the PC complaining of viruses while the Mac claims it doesn't get any, over the last 20ish years, this has been debunked 1000x over.
The sad truth is that Apple just stuck to their guns and never really addressed this folly. This has made many users unaware that the device they use can get viruses. This can also lead to users getting more malware, due to the fact that they are more likely to blindly trust popups on their device because they believe their device is impervious to malware.
"Doesn't Apple handle Mac security for us with their patches and security updates?"
Think of it this way: your home is secure by locking your doors. Maybe you have a deadbolt that you swing shut at night. That's Apple and its security. Yes, it's a first line of defense. And for some users, that's enough. But for me, at my house, I also have additional layers—like security cameras and a doorbell camera. I leverage these third-party tools to get more insight into who is approaching my house before they even cross the threshold of my porch.
That's what a third-party security tool does—offers more insight, tighter security, and can alert you earlier to allow you to take swift action if necessary.
To quote a previous blog post of my own where I spoke about Apple's XProtect/XProtect Remediator:
The lack of consumable visibility into what is happening with XProtect and XPR makes it difficult to triage issues at scale. To add to this, Apple has millions of endpoints and any changes to these rules get pushed to all of those machines. That being said, they have zero wiggle room for false positives, which although it is what every EDR company aims to reduce, the truth is that casting a slightly larger net in order to capture malicious behavior, and risking the occasional false positive in lieu of this (to me) is a great tradeoff. Lastly, although YARA is helpful for capturing more samples of malware families, it doesn’t necessarily capture malicious behavior. The malware has to be from specific families in order to be prevented.
To sum it up, Apple has to be incredibly careful with what they push to their endpoints. As good as Apple can protect your device, there are still many holes, which is why a third-party solution is ideal. If this is something you’re considering for your macOS machines, consider a trial with Huntress.
"Why Should I Protect My Mac?"
I feel like every question here builds up to this one: Why?
Although macOS is a smaller percentage of devices in the SMB market and in the large markets, it's still quite the viable target. If you think about it, if users are wondering why they should protect their Mac and considering not using an AV solution, then threat actors will have an easy time infecting devices.
Don’t be stuck with just a deadbolt to protect your Mac. Invest in a third-party security tool to lock down the whole house.
