
Behavioral Detections: Kandji EDR's Latest Defense Update Against Threats

David Larrea
Product Manager at Kandji

As attackers increasingly regard Mac computers as enterprise targets and evolve their attack methods, file-based malware detections can fall short in catching emerging and unknown threats. Sophisticated malware can evade these conventional security measures by operating entirely in memory without writing files to disk, using polymorphic code that constantly changes its signature, or leveraging legitimate system tools for malicious purposes. 

Modern malware authors are becoming more adept at circumventing conventional defenses, often by mimicking legitimate software behavior or utilizing living-off-the-land techniques that leverage existing system tools. The defenses against these targeted and evolving threats need to be just as nimble and flexible. 

That's why we're excited to announce behavioral detections, a powerful new capability in Kandji Endpoint Detection & Response (EDR) that analyzes process behaviors in real time. This new approach layers over Kandji EDR’s existing static file analysis and checksum-based detections. By monitoring and analyzing the actual behavior of processes on endpoints, this new feature can identify potential threats—even if they’ve never been seen before.

Kandji EDR customers can enable behavioral detections at no cost by toggling it on in the Avert Library Item and configuring its response settings.

How Behavioral Detections Work

At their core, behavioral detections leverage Apple’s Endpoint Security framework to evaluate each process before execution. The Kandji Agent processes these events in real time, analyzing them for signs of suspicious or malicious behavior. This happens entirely on the device, so protection continues even when the device is offline.

The integration with the Endpoint Security framework provides deep visibility into system events, allowing behavioral detections to monitor critical activities such as process creation, file system operations, and network connections. This comprehensive visibility ensures that potentially malicious activities can't slip through unnoticed.

For example, consider software running on the endpoint that attempts to download additional payloads from a suspicious URL. Even if the software isn't in any database of known malicious software and does not trigger alarms from static file analysis, behavioral detections would identify the suspicious download attempt and either alert administrators or block the process entirely, depending on the severity of the behavior.

Behavioral detections categorize concerning activities into two levels, each triggering different responses:

Suspicious Behaviors

These are activities that warrant investigation but may have legitimate uses in certain contexts. For example:

  • Unexpected SSH connections.
  • Unusual process spawning patterns that deviate from typical application behavior.
  • Atypical system configuration changes.

When these behaviors are detected, administrators receive alerts through the Kandji web app, and can dig into the details of the behavior in the threat details view. IT and security teams can investigate the context and determine if further action is needed.

The ability to distinguish between suspicious and malicious behaviors helps reduce alert fatigue while ensuring that potentially dangerous activities don't go unnoticed. This nuanced approach helps lean IT and security teams conserve their time and focus on the most critical alerts.

Malicious Behaviors

These are activities with a high confidence of being threats, such as:

  • Processes attempting to download files from known malware distribution URLs.
  • Attempts to disable security features or monitoring tools.
  • Known malware command-and-control communication patterns.

When malicious behaviors are detected, Kandji EDR can take immediate action by blocking the process execution and terminating related processes if necessary, while also alerting administrators. Admins can explore the threat event in the Kandji web app for more context about the malicious event and its impact.

The instant response to malicious behaviors provides critical time savings in incident response. Behavioral detections stop attacks in their tracks, preventing potential damage while still providing security teams with detailed information about the attempted attack.
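As an added illustration (not Kandji's code, and not how the Kandji Agent is implemented), the following Python models the two-tier flow described above: each event is evaluated on the device, the highest-severity matching rule decides the tier, and a malicious verdict blocks while a suspicious one only alerts. The rule names, event fields, host name, agent name and sample events are constructed placeholders.

```python
"""Toy two-tier behavioral verdict engine (added illustration, not Kandji's code).
An endpoint event (process exec, network connection, config change) is evaluated
on-device before the action completes and classed benign, suspicious or malicious."""
from collections import Counter, namedtuple
from dataclasses import dataclass, field

KNOWN_MALWARE_HOSTS = {"payload.example.invalid"}   # constructed indicator, not a real IoC
SECURITY_TOOLS = {"edr-agent"}                       # constructed agent name

@dataclass
class Event:
    kind: str                 # "exec", "network" or "config_change"
    process: str              # image name of the acting process
    parent: str = ""          # image name of the parent process
    argv: list = field(default_factory=list)
    dest_host: str = ""       # for "network" events
    target: str = ""          # path touched, for "config_change" events

Verdict = namedtuple("Verdict", "level rule action")  # action: allow | alert | block

def evaluate(ev: Event) -> Verdict:
    # Malicious tier: high confidence, so the process is denied and admins are alerted.
    if ev.kind == "network" and ev.dest_host in KNOWN_MALWARE_HOSTS:
        return Verdict("malicious", "download_from_known_malware_host", "block")
    if ev.kind == "exec" and ev.process in {"launchctl", "pkill", "kill"} \
            and any(tool in arg for arg in ev.argv for tool in SECURITY_TOOLS):
        return Verdict("malicious", "tamper_with_security_tool", "block")
    # Suspicious tier: plausible legitimate use, so alert for human triage only.
    if ev.kind == "exec" and ev.process == "ssh" and ev.parent not in {"Terminal", "iTerm2"}:
        return Verdict("suspicious", "unexpected_ssh_client", "alert")
    if ev.kind == "exec" and ev.parent in {"Preview", "TextEdit"} \
            and ev.process in {"sh", "bash", "zsh", "osascript"}:
        return Verdict("suspicious", "shell_spawned_by_document_app", "alert")
    if ev.kind == "config_change" and ev.target.startswith("/Library/LaunchDaemons/"):
        return Verdict("suspicious", "launch_daemon_modified", "alert")
    return Verdict("benign", "", "allow")

def triage(events) -> dict:
    """Tally the actions taken, as an admin console summary would."""
    return dict(Counter(evaluate(ev).action for ev in events))

SAMPLE_EVENTS = [  # constructed telemetry, not real captures
    Event("exec", "ssh", parent="Terminal", argv=["ssh", "build-box"]),
    Event("exec", "ssh", parent="com.example.updater", argv=["ssh", "203.0.113.5"]),
    Event("network", "curl", dest_host="payload.example.invalid"),
    Event("exec", "launchctl", parent="sh",
          argv=["launchctl", "unload", "/Library/LaunchDaemons/io.example.edr-agent.plist"]),
    Event("config_change", "installer", target="/Library/LaunchDaemons/io.example.helper.plist"),
    Event("exec", "zsh", parent="Preview"),
]
```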

Proactive Protection Backed by Expert Research

In 2024, Kandji's Security Research team discovered and reported multiple new malware variants targeting macOS and, as such, was the first EDR to protect against them. Kandji’s Security Research team also discovered over a dozen macOS vulnerabilities and reported them to Apple. The vulnerabilities were subsequently addressed by Apple through several macOS security updates which helped protect the broader macOS ecosystem.

The robust research program has delivered unparalleled protection to customers and will continue to expand its capabilities through behavioral detections. Kandji’s Security Research team will continue to develop new behavioral detection patterns as new threats emerge. This ongoing development is laser-focused on protecting against the latest attack techniques and patterns.

About Kandji

Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.