2025-09-26, Main Track
Host file-access logs can be a valuable source of information when it comes to detecting the theft of sensitive files or the establishment of persistence by malware. But how can we leverage logs, such as those produced by Santa, for early malware mitigation when monitoring a fleet that makes an enormous number of benign file accesses every day? Enter the Suspicious File Access Detection (SFAD) pipeline - an internal, ML-backed detection mechanism developed through collaboration between Security and AI software engineers at Google. The pipeline is used by Google's Detection & Response team to score, surface, and investigate clandestine file access behaviours.
I’ll take you through the process of how we created an ML model to score file access logs based on their relative suspicion level. We’ll dig into how we can go beyond prevalence-based anomaly detection and utilize embeddings to identify not just activity that is rare, but activity that is extremely suspicious for a given host. This approach aims to detect behaviourally agnostic malware activity involving the modification of sensitive files on disk across Google’s corporate fleet.
For the purpose of this talk I’ll demonstrate how we use this pipeline with Santa, a publicly available binary and file access authorization system for macOS. I’ll take you through the process of how Santa can be configured to monitor areas of the macOS filesystem that are modified to establish persistence at runtime, and how the resulting logs are consumed by the SFAD model.
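The kind of Santa file-access policy the talk refers to, as an added example that is not from the talk or from Google: a constructed plist, referenced from Santa's FileAccessPolicyPlist setting, that logs (AuditOnly, never blocks) writes to launchd persistence directories by anything other than Apple platform binaries, so every unexpected write reaches the log pipeline. Key names follow Santa's published file-access-authorization schema; the rule name and the watched paths are assumptions chosen for this illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <!-- Constructed example policy, not a production configuration. -->
  <key>Version</key>
  <string>v1.0</string>
  <key>WatchItems</key>
  <dict>
    <!-- Rule name (assumed); it is echoed in Santa's file-access log lines. -->
    <key>LaunchdPersistence</key>
    <dict>
      <key>Paths</key>
      <array>
        <!-- IsPrefix watches every file beneath the directory. -->
        <dict>
          <key>Path</key>
          <string>/Library/LaunchDaemons</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
        <dict>
          <key>Path</key>
          <string>/Users/*/Library/LaunchAgents</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
      </array>
      <key>Options</key>
      <dict>
        <!-- Reads are benign and noisy; only writes are recorded. -->
        <key>AllowReadAccess</key>
        <true/>
        <!-- Log violations instead of blocking them. -->
        <key>AuditOnly</key>
        <true/>
      </dict>
      <!-- Writes by these processes are expected and are not logged. -->
      <key>Processes</key>
      <array>
        <dict>
          <key>PlatformBinary</key>
          <true/>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
```

Any write to the watched directories by a non-Apple process then produces a file-access log event, which is the input a scoring model can rank against the host's normal activity.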
Kristin (aka Krispy) is a Security Engineer in Google’s Detection and Response team. Her team’s mission is to protect, respect and defend their users, Googlers and the internet. Her area of expertise is all things Identity; think authentication, tokens and cookies galore.
Outside of work, she enjoys travelling, joining an unsustainable amount of book-clubs and speaking in third person.