In this conversation, Chris Glanden interviews Slava Konstantinov, a lead architect at ThreatLocker, discussing the evolving landscape of cybersecurity, particularly focusing on macOS security. Slava shares his journey into cybersecurity, the misconceptions surrounding macOS security, and the importance of a zero trust approach in organizations. He emphasizes the growing threats from social engineering and the need for employee training. The discussion also touches on the impact of AI on security and offers advice for those looking to specialize in macOS security.

SPONSOR: ThreatLocker
ThreatLocker is a cybersecurity company that provides a platform focused on “Zero Trust” endpoint security. It is designed to protect businesses from cyber threats by strictly controlling which applications can run on their networks, blocking everything that isn’t explicitly allowed; this “default deny” approach makes it well suited to preventing zero-day attacks and malware. The aim is to give businesses direct control over their application usage and to mitigate potential cyber vulnerabilities. Visit them at https://www.threatlocker.com/

TIMESTAMPS:
00:00 Introduction to Cybersecurity and Slava’s Journey
07:03 Understanding macOS Security and Threat Landscape
11:38 ThreatLocker’s Zero Trust Approach
16:36 Evolving Threats and Social Engineering
21:23 Advice for Aspiring macOS Security Professionals
26:04 Closing Thoughts and Recommendations

SYMLINKS:
ThreatLocker Official Website
https://www.threatlocker.com
The official site for ThreatLocker, a cybersecurity company specializing in zero-trust security solutions.

Zero Trust World 2025 Conference
https://zerotrustworld.threatlocker.com/
An immersive cybersecurity event scheduled for February 19-21, 2025, in Orlando, Florida, featuring hands-on hacking labs, expert sessions, and networking opportunities.

Zero Trust World 2025 Agenda
https://ztw.com/agenda
Detailed schedule of sessions, including keynotes, breakout sessions, and hands-on labs for the Zero Trust World 2025 conference.

Zero Trust World 2025 FAQ
https://zerotrustworld.threatlocker.com/faq
Frequently asked questions providing information on event details, registration, and accommodations for the Zero Trust World 2025 conference.

CONNECT WITH US
http://www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com

This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Chris Glanden: Welcome to Barcode. I’m your host, Chris Glanden. And today I’m joined by Slava Konstantinov, a macOS lead architect at ThreatLocker, where he drives and designs the implementation of advanced cybersecurity solutions to protect against sophisticated threats. Slava is a seasoned IT professional with over a decade of experience and is an expert in macOS security. He is also a recognized authority in defending against foreign cyber threats, including those from nation-state actors. His technical expertise and global perspective make him a renowned voice in cybersecurity, especially in safeguarding digital ecosystems from advanced cyber adversaries. Slava, welcome to Barcode, my friend.

Slava Konstantinov: Thanks for having me. Thanks Chris. It’s really nice to be here.

Chris Glanden: Absolutely, man. So if you don’t mind, in your own words, introduce yourself and tell us a little bit about your background.

Slava Konstantinov: Yeah, so my name is Slava Konstantinov and I’m a lead architect, as you already mentioned. So I’m working for ThreatLocker, but my journey starts like a long time ago. So I’ve started, like if you don’t mind, I’m just going back a little bit. So I started like when I was in school and stuff. So I started to use, I used Windows a lot. At the same time, I had a lot of neighbors and friends that were asking me like, can you reinstall Windows or help to clean the computer up because it’s slow or something like that. So I was doing a lot of these things and I saw there’s a lot of people that had adware on their computer, like the exchange browsers and something like that. And I got so tired of it. And basically I… I just wrote a small app that was cleaning this thing up, because I was tired of cleaning it myself. And after that, I started to just like lean into the cybersecurity because I was like, maybe it’s my destiny to protect people. Just kidding. So it was something like that, but I got so tired of Windows. And then I didn’t have money to buy a Mac.

Chris Glanden: Yeah 

Slava Konstantinov: So I installed a thing called Hackintosh. So it’s macOS on a PC. It was pretty hard to install, pretty hard to set up. After you set it up, I knew like on the Mac, it’s easier. But after you just install it, it worked like out of the box. Like Apple says, it just works. So I probably had like PTSD from Windows back in the day, from that kind of stuff. And I was like, no, it’s so good. So it works.

Chris Glanden: Hahaha. 

Slava Konstantinov: It just works, you can install it. And back in the day, because Mac wasn’t so was always viruses on the Mac, there was not a lot. I haven’t seen one back in the day, so I was like, it’s cool, it doesn’t have it. So I just started to continue the cybersecurity journey, but with loving and working with Macs. Basically like that. And I’ve worked with a lot of different cybersecurity companies and even outsource companies and we’ve worked with a lot of clients. We did like AVs, we did firewalls, we did like a lot of drivers on a Mac, it’s called kernel extensions. So we’ve done, I’ve done a lot of things like that and just leaned into Mac. Because I started as a Windows person still, because Mac wasn’t a thing back in the day, I couldn’t find a job to work for Mac. But as it grew, I just started to lean into Mac more.

Chris Glanden: Yeah, I do want to address that common perception that Macs or devices that run macOS have a lower risk profile. And I feel as though Windows is still the most targeted because it’s in more organizations, or larger organizations that appear to be more Windows heavy. So I do want to sort of validate that with you. Are systems that run macOS generally more protected against enterprise-based threats?

Slava Konstantinov: I mean, there’s no perfect security. I mean, obviously, so on the Mac, there’s more things that, there’s more protections than Windows. Apple’s doing a pretty good job. But at the same time, there’s still a lot of like exploits found in the, like vulnerabilities found in the macOS. And Apple’s doing a good job fixing that, but it doesn’t mean that it’s perfect. Obviously, when the like OS or some kind of like any OS gets more popular, there’s more people trying to target that. That’s the only thing that people thought that. Remember, if you remember, there was an ad called like Mac versus PC, that’s Apple. And they said like, oh, Mac doesn’t have any viruses. I mean, it’s not true, but people believe that. And now it’s getting.

There's no perfect security—every system has vulnerabilities, and as macOS becomes more popular, it faces increasingly targeted attacks.

Chris Glanden: Mm-hmm. Yeah.

Slava Konstantinov: more popular and it’s getting more like targeted attacks, especially for the macOS. Because a lot of people in the company is like, people in a lot of organizations, they use Macs. Even like, the org itself can use a lot of Windows computers. But a lot of people wanna use Macs. Like, if they don’t care about the software, I mean, software is pretty much the same right now, but…

Chris Glanden: Mmm. 

Slava Konstantinov: If they don’t care, they just like, Mac is more protected. Mac is easier to use or something like that. So they started to use Macs. And it’s getting more popular. It’s getting into the enterprise. It’s not as popular as Windows, but still. 

Chris Glanden: Yeah, now there was a long running urban legend that Macs were bulletproof and it’s not true. Not true. So I did recently read an article about the Cthulhu Stealer, and I possibly may have just booked that name there. But from my understanding, this is malware designed specifically for macOS and intended to steal crypto wallets and browser creds.

Slava Konstantinov: Yeah, it’s not true at all. 

Chris Glanden: And again, from my understanding, the sophistication level here wasn’t very advanced. So many suggest that it may have to do with some of the ways in which the security community has once dismissed the susceptibility of Macs in the past. So because this was such a prominent attack in 2024, would it be safe to say that organizations with a meaningful OS device footprint probably have that stealer lurking somewhere in their environment?

Slava Konstantinov: In most of the stealers, we were talking about Cthulhu, there’s Atomic Stealer, there’s, I forgot their names, like Poseidon, something else. I just can’t remember it now, but so…

Chris Glanden: Mm-hmm. But they’re all formed from like this core Atomic Stealer. Is that correct? Okay.

Slava Konstantinov: Yeah, we can say that. But they’re not persistent in the system. If we’re talking about stealers and even ransomware, there’s obviously, there’s a backdoor, it’s a different story. If we’re talking about stealers, most of the time, not saying all of the time, but most of the time, they do their job and they’re just gone. They don’t want to be detected. So and it also

Chris Glanden: Mm. 

Slava Konstantinov: They work as, so it’s called malware as a service. So the developers who wrote that, hackers or whatever you call them, they wrote an app and they just sell it. They just sell it to potential like threat actors and they’re not distributed like to the computers. So they don’t want to be detected because it’s their business. So they’re trying to get into the computer, steal data and just be gone. I’ve seen multiple

Chris Glanden: Yeah. 

Slava Konstantinov: computers that I knew were compromised because the data was stolen. It was like only on that computer and it got stolen. We know it got stolen, but at the same time there were no signs. There were like a couple of leftover files on the computer, but there were no signs of anything that was there that stole its data, basically. So that’s, that’s a lot of things, how I mean.

Chris Glanden: Interesting. 

Slava Konstantinov: Obviously, like spyware can persist on the computer. Even like some applications with backdoors, obviously they’re going to persist, but they’re not doing stuff most of the time, like bad stuff. They’re just waiting until someone asks them to do that.

Chris Glanden: Interesting, man. So I mentioned this, you’re currently working for ThreatLocker. ThreatLocker is known for its advanced cybersecurity solutions. And I think more generally now, organizations are siding to use Mac. I think it’s becoming much heavier in enterprise environments. Just curious, how is ThreatLocker addressing that?

Slava Konstantinov: Yeah, so we use the zero trust approach. Basically the zero trust approach is don’t trust anyone except the ones you trust. So what we have, we have a lot of products. It’s called like application control, storage control, network control, Detect, elevation, ring-fencing. So we have all of these products. They can work separately or together to protect your system. Like for example, application control is the…

The zero trust approach is simple: don't trust anyone except the ones you trust, and only allow what is explicitly permitted.

Slava Konstantinov: So your computer is only allowed to run certain applications that are in a database that we learned, or so we know of, and you trust them. And this approach, I mean, it works good for organizations because usually organizations know what software they’re using, right? And they don’t want anything else because sometimes, like social engineering attacks.

Slava Konstantinov: I’ve seen people running software on their work computer that was not supposed to be there. It’s just a regular app and sometimes it’s the app that steals your data or like gets into your organization through you like that. So this is how we address this kind of attacks. But there’s a storage control, so we can stop applications or system-wide,

Slava Konstantinov: the system itself even, like accessing like USB drives or something else. So we can block USB drives, we can block specific folders, we can allow specific applications to access the folders. We have ring-fencing that basically says, okay, we allow an app to run on your computer, but at the same time, you’re not allowed, the app itself, I’m not gonna say it’s in a sandbox, but it’s… almost like a sandbox, so we protect your files or other interactions with your computer software. We protect your computer by saying what this app is allowed to do or not allowed to do. So go to the network, go to the, like run the scripts from the like terminal access, terminal,

Slava Konstantinov: or access some specific folders. Also we have network control which manages network, obviously, and we have elevation, which manages user credentials. If you’re a standard user and you don’t have the admin password, we can elevate some kind of applications without using the password. And we also have Detect, which is not on Mac yet, but it’s currently in development. It’s going to be there pretty soon, I hope. So it’s an MDR solution.

Chris Glanden: Got it. So Slava, with your expertise in defending against nation-state threat actors, what have you observed in terms of evolving TTPs and how are things different now? What do you anticipate to see that could be changing in 2025, and what should organizations be doing to consistently, proactively prepare for new attack types?

Slava Konstantinov: I mean, obviously, the first thing I would do is to, it’s not perfect, but get training for your employees. That’s the first thing, because most of the attacks are happening from social engineering. And obviously there are zero-day like exploits, there’s no one knows about there, but still at the same time, social engineering

Social engineering is still the biggest threat, and with AI, attackers can now fake voices and video calls to make these attacks even more convincing.

Chris Glanden: Yeah. 

Slava Konstantinov: is the first and the biggest thing. Now, because like you asked like what they use, what they’re gonna use more, they’re gonna use AI more to fake voices, fake your face, like video calls and all kinds of stuff. So this is the thing that I think is gonna be evolving like for 2025 most, because we’ve seen a lot of this kind of attacks.

Chris Glanden: Mm-hmm. Yeah.

Slava Konstantinov: Like in 2024, it’s creeping up.

Chris Glanden: Right, right. So it’s still social engineering, just a new form factor. Yeah. 

Slava Konstantinov: Yes, yes, I mean, most of them, not all of it. Obviously, as I told you, there are zero-day exploits that are everywhere. And Apple’s doing a good job fixing that. But there’s still a lot of it. So you got to know what you’re running on your computer. Because to get a lot of, most of the exploits that I’ve seen, not all of them, obviously, but they’ve

Chris Glanden: Mm-hmm. Mm-hmm.

Slava Konstantinov: they’re used by a software that you run on your computer. Basically, it’s like a legitimate software. You think it’s legitimate. It can be even signed and, in Apple terms, it’s signed and notarized. So you’re running, you think it’s legitimate software, but it has a backdoor or it escapes a sandbox or it’s like doing some kind of shady things on your computer without you even knowing that. So run trusted software, please.

Chris Glanden: Yeah, I’m using a trusted software here, so don’t worry. So when you design and implement security solutions, I’m just curious, how do you balance the components of productivity and usability with comprehensive security safeguards?

Slava Konstantinov: Hahaha 

Chris Glanden: Especially in environments where you have macOS, you have Windows or other OSes that coexist. So what do you have to keep in mind to accomplish this?

Slava Konstantinov: I mean, obviously, if we’re talking about the business logic of things from a user perspective, it’s pretty much the same because we still have applications, we still have a file system, we still have network. Implementation is different for every OS, but at the same time, if we run some application, the executable file of that application, we can calculate its hash. And the hash, if something changed in the executable file, the hash is going to change. What we do, it’s the same for every operating system. Same for file systems. As I told you, for network, it’s exactly the same. Implementation-wise, it’s completely different. But users shouldn’t care about implementation details. But the challenges with macOS,

Chris Glanden: Mm. 

Slava Konstantinov: We’re not in, so Apple does not allow us, like third-party developers, to go into the kernel anymore. So we don’t have drivers or, how Apple calls it, kernel extensions. We don’t have it anymore. So they present us with the tools to detect a lot of events, but at the same time, Apple strictly says, you can do this, this or that. And we can do like… So sometimes we’re trying to be creative and trying to find some workarounds to make it better, because a lot of things, so we’re really struggling with like productivity. In a zero trust approach, we…

Chris Glanden: Mm-hmm.

Slava Konstantinov: need to see all of the events and we need to respond to events as quick as possible. Because like there’s some kind of events that we may stop the system from doing, or until we make our decision, Apple gives us a deadline for every specific event until we make a decision, block it or run it. So that’s a pretty big challenge because sometimes it takes more time to respond to some kind of event. So we gotta be more creative, that’s what I’m gonna end.

Chris Glanden: Okay, so Slava, you thought you’d get away without hearing an AI question, but I got one for you. So with AI and machine learning continuing to aggressively influence the threat landscape, are there any specific dangers or specific advantages or disadvantages that macOS environments should be aware of in this regard?

Slava Konstantinov: I mean, it’s the same as Windows, so it’s social engineering attacks. So I don’t think there’s something specific for Mac. I’ve never seen one. Like, I mean, obviously, like it can target Mac, but like from the user standpoint, it’s still the same. Obviously with ChatGPT, people can write like simple malware. They can write simple things. I mean, obviously it’s not gonna write everything for you, but at the same time,

Chris Glanden: Mm-hmm.

Slava Konstantinov: If you ask the question in a way that it’s not going to recognize you want to write malware or something, it’s going to give you some pieces of code. It’s not perfect at all, but at the same time you can use it. Even like regular users can do simple things with that. Using social engineering, AI to get into your computer, they can run a lot of things and like just

Chris Glanden: Yeah. 

Slava Konstantinov: steal your data at least. 

Chris Glanden: Yeah, for recon purposes, right? Using ChatGPT to target those creative environments again, where you tend to see a very macOS-heavy presence.

Slava Konstantinov: Yeah. Yeah, a lot of people, so when they run some app, a lot of this Cthulhu Stealer and a lot of them, they ask the user, can you type in the user password? And they present a custom window for that. And a lot of users just type in the password. And like it’s pretty easy to steal. You don’t need to have like a macOS when your abilities are like exploits for something in Mac or Windows, whatever.

Chris Glanden: Mm. Yeah.

Slava Konstantinov: If you type in the password, you’re just giving it away. Yeah. 

Chris Glanden: Yeah, straightforward. So what advice would you give to those looking to specialize in macOS security specifically? Are there any particular skills, experiences or training that you would say are essential to success?

Slava Konstantinov: I mean, I’ve never had any specific trainings or certifications. I’ve been just playing with macOS by myself, reading books, and first, I’m talking to smart people, people smarter than me, to learn from them. And first of all, it doesn’t matter if you’re starting your journey as a security researcher or if you’re already an established security researcher for Windows or Linux. You got to know internals. So every person should start with that. Obviously, some reverse engineering and detection techniques. So like it’s books, it’s knowledge, it’s just experience. So you got to start doing from small things and just grow and try to find smart people, like people who know what they’re doing and they’re going to help you.

To succeed in macOS security, you need hands-on experience, knowledge of system internals, and the willingness to learn from smarter people.

Chris Glanden: Great advice. So Slava, where are you currently based?

Slava Konstantinov: I’m based in Orlando, Florida, where the ThreatLocker headquarters is.

Chris Glanden: Nice. Yeah, I’ll be down there next month for Zero Trust World. So I’m looking forward to it. So when I come down there, or if I have other listeners that are coming down or they’re visiting Orlando soon for a security conference or for other reasons, are there any good bars in the area that you would recommend I go to after a long day? And what makes it special?

Slava Konstantinov: Yeah, I mean, after a long day, usually I go home. Yeah, it’s a home bar. I have a small bar in my house, but I tend not to drink like during the week. Try not to. Yeah. Yeah. So I’m not sure about like really good bars. Like, I mean, I go to bars, but usually I don’t. I can’t say I don’t care, but at the same time, I don’t like, I don’t have like specific bars because I’m trying to explore.

Chris Glanden: Home bar. That’s good. That’s good. Mm-hmm.

Slava Konstantinov: So, but like my favorite, it’s not something you can do after work, but it’s Epcot at Disney. So this one is really good. If you wanna go, they have drinks around the world. So that’s pretty fun. You’ll get pretty drunk. Yeah.

Chris Glanden: Yes, yes, I’ve done, I’ve done that. I’ve done that. You also have City Walk at Universal, too.

Slava Konstantinov: City Walk. City Walk and Disney Springs. It’s also because Epcot is a park, so you got to pay to enter that. Like City Walk and Disney Springs, that’s basically, it’s free and they have a lot of cool bars there. There’s karaoke. Actually, there’s karaoke. They have a live band in the karaoke you can join. I mean, they have a list of the people, you enlist yourself there. But they got to pick

Chris Glanden: Okay. 

Slava Konstantinov: whoever sings with them. But it’s a live band. It’s pretty cool. 

Chris Glanden: Okay. Yeah, you don’t want me to… No, you would, you would lose people.

Slava Konstantinov: But I mean, it depends if you’re drunk. No one cares.

Chris Glanden: Yeah, then it don’t matter. If you opened a cybersecurity-themed bar, what would the name be and what would your signature drink be called?

Slava Konstantinov: That’s… Obviously, not to be super creative, like it’s iBrew. Yeah, Apple style. Yeah. I can’t think like, I need to sit and think, I can’t just do it like that, improvise like that. Yeah, but if we’re talking about a drink, probably like a Brain Hack. Yeah.

Chris Glanden: iBrew. I love that. You… A Brain Hack. Nice.

Slava Konstantinov: That’s 

Chris Glanden: Nice. 

Slava Konstantinov: gotta be a strong one. Just put everything in it and hack your brain. 

Chris Glanden: Yes, yes. I feel like that one could hurt. That one could hurt. Yeah, exactly. So thank you so much for your time, Slava. Really appreciate you. Go tell our listeners where they can find you and connect with you online.

Slava Konstantinov: Next day. They can find me at ThreatLocker. So you can connect with ThreatLocker. We have a YouTube channel. We have a LinkedIn page. We’re basically almost everywhere. So you can contact like ThreatLocker and I’m here.

Chris Glanden: Okay, man, and I’ll see you down at ZTW soon and connect with you there. So.

Slava Konstantinov: I’ll be there. Yeah, looking forward to it.

Chris Glanden: Yeah. Thanks, man. I really appreciate it. You take care. Thanks.

Slava Konstantinov: Thank you. Thanks.
