
Welcome to the Adversary Universe Podcast: Unmasking the Threat Actors Targeting Your Organization

13 July 2023 at 18:18

The modern adversary is relentless. Today’s threat actors target global organizations with increasingly sophisticated attacks. As we’ve said since the founding of CrowdStrike: “You don’t have a malware problem, you have an adversary problem.” Protection starts by unmasking the threat actors targeting your organization. Who are they? What are they after? And most importantly, how can you defend against them?

CrowdStrike answers these questions and more in the new Adversary Universe podcast. Hosted by CrowdStrike SVP of Intelligence Adam Meyers and Field CTO of the Americas Cristian Rodriguez, the podcast will deliver a deep understanding of adversaries and their motivations and evolving tactics so organizations can better protect themselves.   

“There’s a human behind this attack,” Adam says in the first episode of the Adversary Universe podcast. “And if you understand who those humans are, how they operate, and what they’re after, then you can defend your business.” 

New episodes will be released every other Thursday on Spotify, Google Podcasts, Apple Podcasts, Amazon Music and the Adversary Universe podcast webpage.

The first episode — “Who Is the Adversary?” — is available now. This episode introduces listeners to the podcast series and sheds light on the history of CrowdStrike and how we pioneered the concept of an adversary-focused approach to cybersecurity. It begins to tell the story of modern adversaries: who they are, how they’re tracked and why you should learn more about them. Tune in to learn about CrowdStrike’s early days, the origin of the name Fancy Bear, the importance of adversary intelligence and more. 

“There is a very big reason why overall awareness of these various tradecrafts and these campaigns — and understanding who is responsible for these attacks — is so important to your business,” Cristian explains. “You shouldn’t just ignore it because it doesn’t directly impact you, or there’s a perception of lack of impact.”

Here’s a sneak peek of what’s coming in future episodes:

  • Cloud Is the New Battleground: We’ll explore how threat actors use the cloud to their advantage: how they breach cloud environments, the actions they take once they’re in, and the ways they use the cloud as a tool in their attacks.
  • Invisible Threats: Discovering, Tracking and Mitigating Vulnerabilities: How do you know when your software is vulnerable? How should you prioritize patching? What do you do when a patch isn’t available? What is a zero-day? Tune in as we dive into the world of vulnerability intelligence. 
  • Have You Been Breached? Along with a guest from CrowdStrike’s incident response team, we’ll share the warning signs that could indicate a breach has occurred, the immediate next steps to take, and why having the right data is essential to recovery.

We’re excited to launch this podcast and share CrowdStrike’s unparalleled threat intelligence and compelling insights with the world. New episodes will drop every two weeks starting today — mark your calendars now! 

Adversaries Can “Log In with Microsoft” through the nOAuth Azure Active Directory Vulnerability

14 July 2023 at 16:50

On June 20, 2023, Descope published research detailing how a combination of a flaw in Azure Active Directory and poorly integrated third-party applications — dubbed “nOAuth” — could lead to full account takeover. nOAuth is the latest in a large number of vulnerabilities and architectural weaknesses in Microsoft software and systems like Active Directory that can be exploited and put organizations at risk. 

While Microsoft has responded to the vulnerability, until developers make code changes in their applications, the proposed mitigation relies on organizations having strong identity protection capabilities to protect privileged accounts from misuse by rogue administrators. 

The Architectural Limitations of the Microsoft Identity Ecosystem Persist

The architectural weaknesses in Active Directory and Azure Active Directory (Azure AD) have been well documented over the years. These structural weaknesses and vulnerabilities have become a modern attack surface for the adversary. Despite this, Active Directory and Azure Active Directory continue to serve as the identity infrastructure for a large number of organizations. According to a Frost & Sullivan report, 90% of Fortune 1000 companies use Active Directory. 

Azure AD was Microsoft’s opportunity to start with a clean slate and build a modern, secure identity and access management (IAM) solution. However, the repeated vulnerabilities in its identity infrastructure can make organizations susceptible to breaches. While Microsoft recently changed the name of Azure AD to Entra ID, the security concerns remain.

As nOAuth, the flaws exposed by Azure AD’s integration with Active Directory, and vulnerabilities associated with session theft all show, the identity security problem has shifted to the cloud. It is worth noting that the response Microsoft issued for nOAuth on June 20 came more than two months after the vulnerability was disclosed to the company. This leads to two primary questions organizations need to consider:

  • How many more of these vulnerabilities exist that are yet to be discovered? 
  • Can you really afford to wait two months for mitigation of a risk that could lead to total account takeover? 

This consistent discovery of vulnerabilities, coupled with the architectural limitations of Active Directory and Azure AD, calls for comprehensive identity security that should be:

  • Abstracted from the identity provider: A person or workload may have many accounts spread across different identity providers. Therefore, centralized visibility, detection and prevention is the only way to stop identity-based attacks. 
  • Correlated and contextualized with the rest of the security stack: Only by blending endpoint, identity and third-party telemetry can you understand the full attack chain and detect all adversary activity whilst also reducing complexity and tool sprawl. 
  • Independent of detecting “known vulnerabilities”: Identity protection should combine CVE-based detections with real-time behavioral analysis to detect adversary activity. 
  • Hybrid identity protection extended from on-premises to the cloud: This includes examining credential entitlements to mitigate the impact of a breach if it occurs.
  • Capable of monitoring applications for misconfigurations: Typical approaches to identity security focus on analyzing the identity providers for vulnerabilities. While identity providers should provide best-practice implementation advice, if the application is misconfigured, you remain vulnerable. 

What is nOAuth?

As detailed by Descope, nOAuth describes a vulnerability in the trust between an identity provider (in this case, Azure AD) and a relying party (an application). The name “nOAuth” is a play on the authorization protocol “OAuth,” whereby the application is issued a token by the identity provider that contains information about the user and the data they wish to share with the application. These are called “claims.” 

Whether you are familiar with OAuth or not, there is a high probability you’ve used it before! Think about all of the times you’ve registered for a service, where you have an option to “Sign in with Google” or “Sign in with Microsoft” or “Sign in with Facebook.” Does a screen like this look familiar?

After clicking one of those options, you authenticate to the identity provider and are then asked what you want to share with the application — name, address, gender, etc. After selecting preferences, the identity provider issues a token that the application reads so it knows:

  • Who you are, which is important so a profile can be created inside the application. For example, if you sign up for an account with a grocery store, you want it to remember your favorite items to build recommendations for what else you might like. 
  • Which data the application is allowed to request from the identity provider. For example, you might want the grocery store to have your address (so it knows where to send your shopping), but you might not want them to have your date of birth. 

Coming back to nOAuth, it is the “who you are” claim that is manipulated by the adversary. Many applications that implement OAuth incorrectly use “email” as the user identifier, as opposed to an immutable value, like the object identifier (OID). This means as long as the adversary can generate a claim with the victim’s email address, they gain full access to their account without knowing their password or having to perform multifactor authentication (MFA). 

In the Azure AD scenario, the impact is much more significant, because it is easy for anyone to generate that claim.

The team at Descope created a powerful demonstration of how effective this is. 

Let’s clearly frame where the problem lies with nOAuth and Microsoft:

  • Microsoft allows anyone with an Azure AD account to modify the email attribute of an account to any email address — whether that tenant had proved they “owned” the domain or not. For example, even though you own the domain mycompany.com, an adversary could change a user account in their own Azure AD tenant to have a mycompany.com address too. 
  • When developers were building OAuth integration with Azure AD, they opted to use email as the user identifier, as opposed to an immutable value like OID.
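The two failure points above come together in the application's user lookup. The following is an added example, not code from the article, Descope or Microsoft: it shows the vulnerable lookup (keyed on the mutable `email` claim) beside a hardened one (keyed on the tenant and object identifiers), plus a check that only trusts an email claim when the tenant's domain ownership is marked verified. It assumes the ID token has already had its signature, issuer, audience and expiry validated by your OIDC library, so what arrives here is the decoded claims dictionary. The claim names `tid`, `oid`, `email` and `xms_edov` are real Azure AD claim names; the user store, the tenant and object values, and the account names are constructed for the demo. Keying on the `(tid, oid)` pair rather than `oid` alone is this example's choice, following Microsoft's multi-tenant guidance.

```python
"""Keying a user record on the wrong OAuth/OIDC claim (nOAuth) and the fix.

Added example, not code from the article, Descope or Microsoft. Assumes the
ID token has already been signature/issuer/audience/expiry verified and is
presented here as a decoded claims dict. Identifiers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserStore:
    # Constructed stand-in for an application's user table, indexed two ways.
    by_email: dict = field(default_factory=dict)
    by_tid_oid: dict = field(default_factory=dict)

    def add(self, tid: str, oid: str, email: str, name: str) -> None:
        self.by_email[email.lower()] = name
        self.by_tid_oid[(tid, oid)] = name


# Vulnerable pattern: the mutable 'email' claim selects the account, so any
# tenant whose admin sets that email on one of its users is resolved as the victim.
def resolve_user_by_email(store: UserStore, claims: dict) -> Optional[str]:
    return store.by_email.get(claims.get("email", "").lower())


# Hardened pattern: the immutable (tenant id, object id) pair selects the account.
def resolve_user_hardened(store: UserStore, claims: dict) -> Optional[str]:
    key = (claims.get("tid"), claims.get("oid"))
    if None in key:
        return None
    return store.by_tid_oid.get(key)


def email_is_trustworthy(claims: dict) -> bool:
    """Accept the email claim as a profile attribute only when Azure AD marks the
    domain as verified for that tenant (xms_edov == True). An absent claim is
    treated as unverified, since the optional claim must be configured."""
    return bool(claims.get("email")) and claims.get("xms_edov") is True


def demo() -> dict:
    store = UserStore()
    # Legitimate victim account, registered via the victim's own tenant.
    store.add(tid="11111111-tenant-victim", oid="aaaa-victim-oid",
              email="alice@mycompany.example", name="alice")

    # Constructed token from an unrelated tenant whose admin set the email
    # attribute to the victim's address (the behaviour the article describes).
    rogue_claims = {
        "tid": "99999999-tenant-other",
        "oid": "bbbb-other-oid",
        "email": "alice@mycompany.example",
        "xms_edov": False,
    }
    # Legitimate token for the victim, issued by the victim's tenant.
    victim_claims = {
        "tid": "11111111-tenant-victim",
        "oid": "aaaa-victim-oid",
        "email": "alice@mycompany.example",
        "xms_edov": True,
    }
    return {
        "vulnerable_rogue": resolve_user_by_email(store, rogue_claims),  # 'alice'
        "hardened_rogue": resolve_user_hardened(store, rogue_claims),    # None
        "hardened_victim": resolve_user_hardened(store, victim_claims),  # 'alice'
        "rogue_email_ok": email_is_trustworthy(rogue_claims),            # False
        "victim_email_ok": email_is_trustworthy(victim_claims),          # True
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The point to take from the demo is that the vulnerable resolver returns the victim's record for a token minted in a different tenant, while the hardened resolver returns nothing for it and still resolves the victim's own token; the email claim is kept only as display data, and only when `xms_edov` vouches for it.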

Microsoft Response to nOAuth

On June 20, Microsoft released guidance on how to manage the nOAuth vulnerability:

  • To mitigate the risk for existing applications, you can modify the authenticationBehaviors API (which currently has beta status) to reject unverified email claims. 
  • When developers are ready to update their code and migrate users to an immutable identifier, like OID, they can use the “xms_edov” claim to verify the email address is verified in the Azure AD tenant before the user identifier is changed. 

Developer Security Awareness

Developers must abide by best practices and recommendations for securing modern identity protocols like OAuth. This is a reminder that security training provided by organizations must span beyond non-technical staff. Developers, infrastructure engineers, architects and support staff are all responsible for building and maintaining the next generation of business-critical applications. They need to be aware of the ramifications of how a weak implementation of an authentication journey in an application can undo much of the great work IAM teams may have done to secure the identity provider itself. 

Despite the Response, the Problem Remains

As of Thursday, July 13, it is still possible to create a free Azure AD account and map any email address to a user account, without any validation of domain ownership. Therefore, until developers update their code to use immutable values as the user’s primary identifier, all organizations can do is mitigate the risk. 

The mitigation step, which involves using a beta Microsoft Graph API, is vulnerable to modification by a rogue Azure AD administrator. 

Therefore, the solution to this problem is securely transitioning applications from an email-based identifier to an immutable one, which requires developers to update code within homegrown apps. The same applies to developers who work for third parties that provide the business-critical, modern applications you use. Making this change also isn’t as simple as it sounds — it could have a downstream impact on the application experience, which may extend the length of time it takes to implement the change.

The question now becomes, “What countermeasures can you put in place in the interim to mitigate the rogue administrator risk and proactively protect against future vulnerabilities in your hybrid identity ecosystem?”

Countermeasures for Identity-Based Attacks in AD and Azure AD

CrowdStrike Falcon Identity Threat Protection, fully integrated with the CrowdStrike Falcon platform, provides organizations with comprehensive protection against identity-based attacks. It detects attacks and prevents lateral movement, stopping breaches stemming from vulnerabilities in Active Directory and Azure AD. In the context of nOAuth, this allows you to detect rogue administrator activity that could be an indication of intent to exploit nOAuth.

Proactively Identify Azure AD Applications that Permit Unverified Email Claims

Microsoft’s mitigation for this issue is to set “removeUnverifiedEmailClaim” to true using the Graph API. Falcon Cloud Security has hundreds of Indicators of Misconfiguration (IOMs), including one that can proactively identify the applications with the value set to false, enabling customers to rapidly identify and mitigate the risk of exploitation.
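The same check can be scripted against an export of your own app registrations. The following is an added example, not CrowdStrike's IOM logic or Microsoft's code: it assumes you have already fetched application objects from the beta Microsoft Graph endpoint (`GET /beta/applications?$select=id,displayName,authenticationBehaviors`) and hold them as a list of dictionaries; the four records below are constructed to cover the states an app can be in (flag true, flag false, behaviours null, behaviours absent). The property names `authenticationBehaviors` and `removeUnverifiedEmailClaim` come from the mitigation described above; the `PATCH /beta/applications/{id}/authenticationBehaviors` path used for remediation is this example's assumption about Microsoft's guidance rather than something stated on this page.

```python
"""Audit app registrations that still accept unverified email claims.

Added example, not CrowdStrike's IOM or Microsoft's code. Input records are
constructed to mimic Graph 'application' objects selected with
authenticationBehaviors; real tenants will return many more properties.
"""
import json
from typing import Iterable, List, Tuple

# Constructed sample export: one mitigated app, one explicitly unmitigated,
# one with a null behaviours object, one with the property missing entirely.
SAMPLE_APPS = json.loads("""
[
  {"id": "app-0001", "displayName": "Expense portal",
   "authenticationBehaviors": {"removeUnverifiedEmailClaim": true}},
  {"id": "app-0002", "displayName": "Legacy HR sync",
   "authenticationBehaviors": {"removeUnverifiedEmailClaim": false}},
  {"id": "app-0003", "displayName": "Partner dashboard",
   "authenticationBehaviors": null},
  {"id": "app-0004", "displayName": "Internal wiki"}
]
""")


def unverified_email_allowed(app: dict) -> bool:
    """An app is mitigated only when the flag is explicitly true. A null or
    absent value means the tenant default (unverified claim still issued)."""
    behaviors = app.get("authenticationBehaviors") or {}
    return behaviors.get("removeUnverifiedEmailClaim") is not True


def find_exposed_apps(apps: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (id, displayName, reason) for every app that still needs the
    mitigation, in input order, ready to feed a ticket or a log pipeline."""
    findings = []
    for app in apps:
        if not unverified_email_allowed(app):
            continue
        behaviors = app.get("authenticationBehaviors") or {}
        if behaviors.get("removeUnverifiedEmailClaim") is False:
            reason = "flag set to false"
        else:
            reason = "flag not set (tenant default)"
        findings.append((app["id"], app.get("displayName", "?"), reason))
    return findings


def remediation_body() -> str:
    """JSON body for PATCH /beta/applications/{id}/authenticationBehaviors
    (assumed endpoint path; the flag name is the one Microsoft documents)."""
    return json.dumps({"removeUnverifiedEmailClaim": True})


if __name__ == "__main__":
    for app_id, name, reason in find_exposed_apps(SAMPLE_APPS):
        print(f"{app_id} {name!r}: {reason}")
    print("remediation body:", remediation_body())
```

Treating a null or missing `authenticationBehaviors` as unmitigated is deliberate: the mitigation is opt-in per application, so anything other than an explicit `true` leaves the unverified claim in the token.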

Falcon Cloud Security IOM Policy Screen

Correlate Audit and Access Events

An email address change is a perfectly legitimate activity. However, that activity correlated with other telemetry occurring around the same time, such as privilege escalations and anomalous access to resources, could indicate rogue administrator activity. CrowdStrike gives you this visibility, transforming the threat hunting experience for SOC and IAM teams by linking all of the events in the kill chain into a single incident view.

Detect and Prevent Hybrid Lateral Movement 

While many organizations use Azure AD for conditional access and single sign-on (SSO), Active Directory is often the “true” identity provider. User objects are created and modified in on-premises Active Directory then synchronized to the cloud via Azure AD Connect. Therefore, an adversary inside your network with sufficient permissions in Active Directory can create accounts and modify email addresses, which replicate to Azure AD, all without the adversary having administrative access to the Azure AD portal. They can also exploit known vulnerabilities in AD, such as Overpass-the-Hash attacks, to move laterally into Azure AD without being challenged for authentication. 

To understand how Falcon Identity Protection identifies risks, and detects and prevents lateral movement, please see this video. We demonstrate how CrowdStrike detects and prevents adversaries from moving laterally from Active Directory to Azure AD.

Monitor Unusual Activity

Building behavioral baselines across all of your accounts is critical, but reviewing these single events in isolation often leads to false positives. For example, if a user who has worked in the organization for a long time is granted access to an application due to a role change, how can you determine the difference between anomalous and malicious activity? 

Therefore, it is important to combine anomalous events with other telemetry you have about the user to determine whether an action is malicious, as opposed to just anomalous. In this example, we show geographical anomalies occurring alongside the anomalous application access.

Define and Monitor Privileged Accounts

Privileged accounts are often defined as those that have administrative privileges in the identity store — for example, a domain administrator in Active Directory or a Global Admin in Azure AD. However, a user who is the global administrator in your CRM solution is privileged as well, and the impact to your business if that account is compromised could be devastating. CrowdStrike allows you to map business privileges to the potential business impact of a specific account being compromised. This elevates the risk score associated with those accounts, meaning detections are raised with a higher priority, prompting the SOC and IAM teams to prioritize review and remediation.

Correlate Application and Identity Store Audit Logs

Correlating audit logs between the identity provider and the application can be a powerful way to detect malicious activity. For example, seeing an authentication event at the identity provider that does not correlate with an access event in the application logs, can be an indication a user’s account has been compromised. 

By combining CrowdStrike Falcon Identity Threat Protection and Falcon LogScale, you could use a scheduled query that correlates login events between the identity provider and the application audit log to highlight anomalies.
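The two correlations described on this page (an email-attribute change followed closely by a privilege grant on the same account, under “Correlate Audit and Access Events”, and an identity-provider sign-in with no matching access record in the application's own log, above) can be expressed as plain joins over normalised events. The following is an added example, not a Falcon detection or a LogScale query: the events are constructed dictionaries with this example's own field names (`ts`, `actor`, `target`, `action`, `user`, `app`), timestamps are epoch seconds, and the 15-minute window is an arbitrary starting point.

```python
"""Two audit-log correlations over constructed identity telemetry.

Added example, not CrowdStrike's detection logic. Field names and the sample
events are constructed; timestamps are epoch seconds.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

WINDOW = 15 * 60  # seconds between the two events for them to be linked

# Constructed identity-provider audit log: a directory admin rewrites the email
# of a service account to a colleague's address and then grants it a role.
IDP_AUDIT = [
    {"ts": 1000, "actor": "admin-x", "target": "svc-bob",
     "action": "update_user_email", "new_email": "alice@mycompany.example"},
    {"ts": 1200, "actor": "admin-x", "target": "svc-bob",
     "action": "add_role", "role": "Global Administrator"},
    {"ts": 5000, "actor": "it-helpdesk", "target": "carol",
     "action": "update_user_email", "new_email": "carol.smith@mycompany.example"},
]

# Constructed sign-in log at the identity provider.
IDP_SIGNINS = [
    {"ts": 2000, "user": "svc-bob", "app": "expense-portal"},
    {"ts": 3000, "user": "alice", "app": "expense-portal"},
]

# Constructed application access log. An app keyed on email would record the
# svc-bob session as 'alice', which is exactly the mismatch the join surfaces.
APP_ACCESS = [
    {"ts": 2004, "user": "alice", "app": "expense-portal", "path": "/home"},
    {"ts": 3005, "user": "alice", "app": "expense-portal", "path": "/home"},
]


def correlate_email_change_with_escalation(audit: List[dict], window: int = WINDOW
                                           ) -> List[Tuple[dict, dict]]:
    """Pairs (change_event, grant_event) where the same target account had its
    email changed and a role added within `window` seconds afterwards."""
    by_target: Dict[str, List[dict]] = defaultdict(list)
    for event in sorted(audit, key=lambda e: e["ts"]):
        by_target[event["target"]].append(event)
    hits = []
    for events in by_target.values():
        changes = [e for e in events if e["action"] == "update_user_email"]
        grants = [e for e in events if e["action"] == "add_role"]
        for change in changes:
            for grant in grants:
                if 0 <= grant["ts"] - change["ts"] <= window:
                    hits.append((change, grant))
    return hits


def idp_logins_without_app_access(signins: List[dict], app_log: List[dict],
                                  window: int = WINDOW) -> List[dict]:
    """Sign-ins at the identity provider for which the application's own log
    shows no access by that user to that app within `window` seconds."""
    index: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for access in app_log:
        index[(access["user"], access["app"])].append(access["ts"])
    orphans = []
    for signin in signins:
        times = index[(signin["user"], signin["app"])]
        if not any(0 <= t - signin["ts"] <= window for t in times):
            orphans.append(signin)
    return orphans


if __name__ == "__main__":
    for change, grant in correlate_email_change_with_escalation(IDP_AUDIT):
        print(f"{change['target']}: email changed by {change['actor']} at "
              f"{change['ts']}, then {grant['role']} granted at {grant['ts']}")
    for s in idp_logins_without_app_access(IDP_SIGNINS, APP_ACCESS):
        print(f"IdP sign-in by {s['user']} to {s['app']} at {s['ts']} "
              f"has no matching application access record")
```

On the sample data the first join links the `svc-bob` email change to the Global Administrator grant 200 seconds later, and the second flags the `svc-bob` sign-in because the application only ever recorded `alice`. Both results are leads for a hunter rather than verdicts; the surrounding context the page describes (geography, role changes, privileged-account mapping) is what turns them into an incident.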

Proactively Identify Vulnerable Applications 

Identifying the weak points and the assets you need to protect is the critical step in protecting your organization. However, the process of identifying vulnerable applications can be difficult. External attack surface monitoring tools, like CrowdStrike Falcon® Surface, have the capability to identify applications, such as those using OAuth or OIDC, so you know which applications need to be reviewed. 


Meet the Protectors: New Video Series Spotlights Cybersecurity Leaders Powered by CrowdStrike

21 July 2023 at 16:37

You don’t have a malware problem — you have an adversary problem. CrowdStrike has relentlessly focused on finding and stopping the humans behind cyberattacks. Today, we’re launching a new series that highlights the people who fight back against these threats every day.

We’re excited to announce the launch of the Protectors Spotlight, a new series of short videos celebrating the cybersecurity professionals protecting their organizations and communities. Each video pulls the curtain back to tell the story of the customers fighting the good fight on a daily basis. The series looks at who they are, the organization they’re defending, the winding road of their security journeys and how they use the CrowdStrike Falcon® platform to stop breaches so their organization can innovate and grow. 

Protectors partner with CrowdStrike to stop breaches and protect their data. Many will be joining us at Fal.Con 2023. Register now and meet us in Las Vegas Sept. 18-21! 

Every customer has a unique story, and each faces different challenges in protecting their organizations from today’s relentless and sophisticated adversaries. But they all have one thing in common: trusting CrowdStrike to keep them secure and protect what matters most.

In the first few Protectors videos, we spotlight leaders at nine organizations across critical industries that face constant adversary attacks, including healthcare, financial services, state and local government, and more. Listen to the Protectors at Montage Health, Mercury Financial, Vijilan Security, Seagate Technology, The City of Las Vegas, State of Oklahoma, Claroty, Jemena and Parkway Schools tell their stories and share their journey with CrowdStrike. 

One of these leaders is Kevin Nejad, Founder and CEO of Vijilan Security. He was in a tough spot when the company’s legacy security information and event management (SIEM) system couldn’t keep up with demand — eventually impeding growth.

“Our infrastructure couldn’t scale very well, performance went down, and costs went through the roof,” he said in his Protectors video. “The management of data using SIEM technology became a hindrance in our growth. And that’s when we discovered CrowdStrike.” 


Also featured in the Protectors Spotlight is David Worthington, CISO of Australian energy firm Jemena. He saw an opportunity to improve visibility across the business environment and, in doing so, quickly address potential threats.

“When you have visibility and you know what’s going on, you can actually plan and make sure things are going right, rather than waiting for some actor to come along and do something,” he said. “For me, that was the key. We’re going to see things earlier and respond a lot quicker.”

We are honored to highlight the people who fight back against these threats every day with fearlessness and a sense of mission and purpose — just as CrowdStrike does. We stop breaches so our customers can continue doing what they do best: Build a better world while serving their customers. 


Prevention Is the Best Preparation for the SEC’s New Breach Disclosure Rules

31 July 2023 at 15:24

The U.S. Securities and Exchange Commission (SEC) this week voted to adopt new rules for how companies inform investors about cybersecurity concerns. The vote comes after years of gradually increasing guidance and scrutiny over companies’ handling of cybersecurity events and follows a lengthy comment period where companies, including CrowdStrike, provided input. 

The new rules, which go into effect later this year, will require publicly listed companies to disclose material cybersecurity incidents within four business days of determining a material incident occurred. This includes stand-alone incidents as well as the cumulative impact of a series of related incidents. They also require these companies to regularly disclose how they manage cybersecurity risks, who is responsible and how these risks are reported to the board of directors.

From our view, the intent of the SEC rules is to protect investors by requiring more clarity, consistency and timeliness in how companies handle cyber-related disclosures. An ancillary effect is that companies may implement better overall cybersecurity hygiene and risk management processes to be more resilient to cyber incidents in the first place. 

While there will continue to be a debate on whether the new disclosure rules will ultimately force organizations to prematurely disclose details of an incident that may be ongoing, public companies, or any organization looking to implement more mature security controls, can use this opportunity to double down on proactive defenses that can get them ahead of a potential incident.

Contact CrowdStrike to schedule an SEC security briefing to learn more about the new SEC rules on cybersecurity and how your organization can prepare.

The Best Preparation Is Proactive Prevention

The best strategy for handling the SEC’s disclosure rules is to prevent material incidents from occurring in the first place. While a company is debating whether an incident is material, they’ve already missed the opportunity to do something about it. Proactive prevention is the best opportunity to stop an incident completely or minimize the damage during a critical period. 

When it comes to cybersecurity, speed is essential. According to the CrowdStrike 2023 Global Threat Report, the average time it takes an adversary to compromise a system and move laterally into the rest of the network is just 84 minutes. Companies need to ensure they have the tooling and teams necessary to respond to and remediate an incident with the same speed. This means augmenting existing teams with services and AI that can automate protection and accelerate investigation.

Although it’s up to a company to make its own legal determination as to whether a series of related occurrences is material, adversaries increasingly utilize public, coercive techniques to force victims to comply with demands. CrowdStrike’s 2023 Global Threat Report also found that data leak extortion campaigns are at an all-time high, and certain threat actors taunt victims with references to privacy, data protection or other compliance obligations breaches might impact. Consequently, holistic visibility into security events coupled with intelligence about the threat actors behind them can play an important role in assessing obligations.

It is not enough to work reactively after an incident has occurred. Configuration management — through endpoint and cloud hardening, Zero Trust architectures and external attack surface management — needs to be a cornerstone of a robust security posture. Proactive threat hunting to identify activity that tools missed and threat intelligence to hone in on what to look for also need to be part of this mix. 

Even with proactive prevention in place, companies will still need a game plan for complying with the new disclosure rules should an incident occur. This requires defining how they will assess materiality and who will ultimately sign off on what constitutes a material incident. To date, this has not been a standard component of most incident response plans, so most companies will need to develop a framework and conduct exercises to test and refine it. From a technical perspective, companies will need to ensure they have a system of record that tracks the impact of incidents so they are able to consider the cumulative impact of smaller related incidents when making their materiality assessments. 

Companies that cannot investigate incidents quickly will be seriously disadvantaged in trying to make these assessments. Not only can investments in rapid detection and remediation capabilities reduce the likelihood of material incidents, they also increase the amount and reliability of the information available when evaluating incident impact and defending the decision later.

Register for our live webinar to learn more about the new SEC rules on cybersecurity and how you can prepare.

How CrowdStrike Can Help Your Organization Prepare

The best thing public companies can do in the face of these new requirements is focus on the fundamentals of good security practices. These both reduce the likelihood that a cyber incident will be material and provide a foundation for an organization’s required annual disclosure on cyber risk management. 

The CrowdStrike Falcon® platform delivers the highest levels of visibility, simplicity and control by providing the necessary capabilities for unified prevention, detection, hunting, intelligence and remediation. With CrowdStrike, organizations are able to prepare for the new disclosure rules by embracing proactive prevention and empowering them to:

  • Understand Risk and Enforce Cyber Hygiene: Cyber resiliency starts with an assessment of where an organization is at greatest risk for a security incident. This enables an organization to proactively address the risk before an incident happens. CrowdStrike Falcon® Surface enables companies to understand their external attack surface and minimize the risk of a cyber incident stemming from an exposed asset, while CrowdStrike Falcon® Spotlight helps prioritize the vulnerabilities that threat actors are most likely to target.
  • Automate Protection and Accelerate Investigation: With CrowdStrike Falcon® Insight XDR, companies can detect incidents faster and with greater accuracy. With AI-powered automation embedded across the Falcon platform, organizations can rapidly ingest data and generate detections across domains to stop breaches earlier, reduce the materiality of an incident and speed overall response times.
  • Protect Cloud Environments: The CrowdStrike 2023 Global Threat Report highlights that cloud exploitation continues to rise. Cloud exploitation cases grew by 95% and incidents involving cloud-conscious threat actors nearly tripled from 2021. CrowdStrike Falcon® Cloud Security provides complete protection and visibility to prevent incidents and breaches of cloud environments. 
  • Stop Identity-Based Attacks: 80% of cyberattacks now leverage stolen or compromised credentials. CrowdStrike Falcon® Identity Threat Protection provides organizations with comprehensive protection against identity-based attacks. Organizations can rapidly detect an attack, stop lateral movement and prevent an incident from escalating into a material event. 
  • Leverage Managed Detection and Response (MDR): Outsourcing critical security capabilities to leading MDR services can help organizations overcome the skills gap and reduce the complexity of their security environment. CrowdStrike Falcon® Complete is widely recognized as the industry’s leading MDR, providing the 24/7 prevention, threat hunting, detection and response capabilities needed to reduce the likelihood of a material incident. CrowdStrike Falcon Complete XDR extends these powerful capabilities across all key attack surfaces to help organizations close the cybersecurity skills gap and stop attempted threats quickly, making disclosures within the time frame more possible, if required.
  • Integrate Threat Intelligence into Security Strategies: A comprehensive threat intelligence program can align an organization on which threats and adversaries to focus their security efforts. CrowdStrike Falcon® Intelligence enables organizations to easily operationalize intelligence within the security operations center, gain visibility into adversary tactics and motives, and receive best-of-breed intelligence reporting and technical analysis.
  • Proactively Hunt for Threats and Incidents: Cyberattacks continue to become more sophisticated and harder to detect. Seventy-one percent of attacks are now malware-free. CrowdStrike Falcon® OverWatch provides proactive threat hunting capabilities that enable organizations to detect and disrupt hidden attacks. Identifying hands-on-keyboard activity can minimize the scope of a potential incident. 
  • Optimize Your Logging Strategies: Investigations commonly run into a lack of available logs to support them. The availability and cost of logging has been a challenge for many CIOs and CISOs, and the migration to cloud has compounded the problem. Solutions like CrowdStrike Falcon® LogScale deliver powerful logging capabilities that speed investigations and deliver full visibility while reducing overall costs. Understanding what to log, how long the log data should be retained and the ability of staff and responders to access this data quickly when needed should be part of the overall plan.
  • Train for the Fight: Regular exercises are a critical part of maintaining an organization’s readiness posture as well as testing out new plans and processes. CrowdStrike’s Red Team/Blue Team exercises give technical responders an opportunity to practice against hands-on-keyboard threat activity, while Tabletop Exercises test coordination across security teams, business leaders and the board. Any new frameworks for reviewing materiality and making disclosures should ideally be exercised in a simulation. 

Preparing People and Processes for Risk Management Disclosure Rules

In addition to pushing public companies to implement better cybersecurity hygiene, the SEC is also pushing to strengthen risk management processes. This will put more of an onus on executive leaders and the boards that advise them. By requiring organizations to identify which business leaders are responsible for cyber risk, as well as their level of expertise, the SEC is underscoring that security oversight cannot be a rubber stamp. 

For boards of directors, CIOs and CISOs, this means asking probing questions about the tooling, people, processes and vendors that make up your security ecosystem, and supporting change where appropriate to uplevel the ability to detect, prevent, respond, recover and report as effectively as possible. It also means challenging claims of inexpensive, “check-box” solutions and focusing on the ability to evolve the security posture as the threats to your business and the rules change.

To the extent that cyber risk assessments are not already formalized, public companies will need to ensure they have a strategy for evaluating their risk exposure. In most cases, this will involve a layered approach, including periodic holistic risk assessments, more frequent red teaming, and tooling that supports continuous risk identification and management. It’s also recommended that companies use this opportunity to strengthen their internal risk governance practices and monitoring processes, which can help expedite and inform the evaluation requirements. 

The new rules suggest that directors and officers across the board — even if they are not directly responsible — will need to expand their knowledge of cyber risk. Most are already doing this. Many of our customers’ board members have asked to participate in or observe cyber tabletop exercises focused on testing their organization’s response. Others are requesting dedicated training or more frequent briefings on the threats to the business as well as the results of tests and assessments. 

CrowdStrike will continue to engage with the SEC and other regulators to advocate for the harmonization of new and existing cybersecurity incident reporting requirements. As new rules are put forth, it will be important to ensure alignment with existing regulations so that victim organizations can comply in a timely and transparent manner while continuing to focus on the fundamentals that keep their networks secure.

CrowdStrike Named a Leader that “Delivers World-Class Threat Intelligence” in 2023 Forrester Wave

3 August 2023 at 07:12

We’re excited to share that Forrester has named CrowdStrike a Leader in The Forrester Wave™: External Threat Intelligence Services Providers, Q3 2023. CrowdStrike received the highest ranking of all vendors in the Current Offering category, with the highest score possible in 16 criteria, surpassing all other vendors evaluated in the report.  

From the report: “CrowdStrike delivers world-class threat intelligence to power its Falcon platform. CrowdStrike Falcon Intelligence enables an extensive set of threat intelligence use cases integrated into the CrowdStrike Falcon platform … CrowdStrike Falcon Intelligence is a comprehensive solution that firms should consider for an overall threat intelligence program even if they are not using the vendor’s EDR tools.”

This recognition is the latest in a string of industry accolades for CrowdStrike Falcon Intelligence. In February 2023, CrowdStrike earned Frost & Sullivan’s Global Company of the Year Award in Cyber Threat Intelligence. We were also named a Leader in the Frost Radar for Cyber Threat Intelligence. In 2022, CrowdStrike was named a Leader in the 2022 SPARK Matrix for Digital Threat Intelligence Management by Quadrant Knowledge Solutions.

CrowdStrike Falcon Intelligence Leads the Pack

CrowdStrike is globally known as a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data — and our highly differentiated threat intelligence offerings are the foundation of our ability to stop breaches. Without a deep, robust understanding of the adversary and their tactics and tools, you can’t stop emerging attacks.

Here are three distinctive areas that set Falcon Intelligence apart:

  1. Our intelligence starts with global data collection

CrowdStrike’s intelligence collection strategy is a critical differentiator: The Falcon platform regularly collects trillions of events every day, powering the protection of millions of endpoints across the globe and providing real-time visibility into attacks, including zero-days.

In its report, Forrester states: “CrowdStrike supplements traditional public open sources and underground sources of intelligence with telemetry from its established Falcon platform customer base, lessons learned from 500-plus incident response engagements and experience gained by the Falcon OverWatch threat hunting teams.”

CrowdStrike’s comprehensive collection strategy — with the Falcon platform telemetry at its core — underscores our ability to collect data that no one else can, resulting in threat intelligence that no other vendor can provide.

  2. We provide relevant, timely intelligence at your fingertips

To be actionable, threat intelligence must be presented in context and easily accessible within a security team’s daily workflow. Intelligence is at the heart of the Falcon platform and enriches the modules we deliver across endpoint, cloud security, identity protection and more. 

With the best threat intelligence at its foundation, the Falcon platform helps customers move faster than the adversary with rapid and precise detections, investigations and response. As new threats are uncovered, the intelligence is fed back into the platform, strengthening its ability to stop breaches. Endpoint security and XDR tools that lack leading intelligence capabilities, such as Microsoft Defender and SentinelOne, can leave customers exposed to new adversary tradecraft.

  3. We offer industry-leading expertise

We enhance our threat intelligence with services that provide access to the CrowdStrike Intelligence Customer Operations team. Our staff of seasoned intelligence analysts has unsurpassed expertise in battling nation-state, eCrime and hacktivist adversaries. 

Assigned analysts work directly with the customer and are dedicated to learning the unique security challenges each organization faces. This understanding enables our analysts to help apply threat intelligence more effectively and defeat the adversaries targeting the organization. 

Adversaries Don’t Stand a Chance

You don’t have a malware problem, you have an adversary problem. Whether it’s ransomware or a new vulnerability exploit, there’s a human element behind every attack. This human adversary is the real threat.

It was with this belief that CrowdStrike pioneered adversary intelligence. This intelligence is woven deeply into the Falcon platform and enriches everything we do. It’s derived from our world-class threat researchers and the firsthand experience of our threat hunters and professional services teams.

CrowdStrike’s deep adversary knowledge, expertise in pursuing and stopping threats, and visibility derived from the Falcon platform make us uniquely qualified to deliver the most effective means of stopping breaches and protecting customers.

Start Your Threat Intelligence Journey

Building a threat intelligence practice is a journey. It’s critical to find a vendor that aligns with your definition of intelligence, supports you on your journey and provides room for your team to grow. 

Further, they should challenge you to take the next step into a new use case so you can better protect your business. CrowdStrike Falcon Intelligence is designed to meet you where you are on your threat intelligence journey. It’s built directly into the platform, supporting your daily workflow by providing detection context and defensive strategies at your fingertips. If you are not a Falcon platform customer, CrowdStrike Falcon Intelligence is also available separately, cloud-delivered and operational on day one.

We agree with Forrester when it says “external cyber threat intelligence is necessary for effective cyber security.” CrowdStrike Falcon Intelligence enables all organizations, regardless of size or expertise, to easily operationalize intelligence within the security operations center, gain visibility into the cybercriminal underground to protect their brand and executives, and receive best-of-breed intelligence reporting and technical analysis backed by a dedicated team of intelligence professionals.

The CrowdStrike Falcon Intelligence modules include:

  • CrowdStrike Falcon Intelligence: Enriches the events and incidents detected by the Falcon platform, automating intelligence so security operations teams can make better, faster decisions. 
  • CrowdStrike Falcon® Intelligence Recon: Provides visibility into the cybercriminal underground so customers can effectively mitigate threats to their brands, employees and sensitive data.
  • CrowdStrike Falcon® Intelligence Premium: Delivers world-class intelligence reporting, technical analysis, malware analysis and threat hunting capabilities. Falcon Intelligence Premium enables organizations to build cyber resiliency and more effectively defend against sophisticated nation-state, eCrime and hacktivist adversaries.
  • CrowdStrike Falcon® Intelligence Elite: Expands your team with access to an intelligence analyst with the expertise to help you better defend against threats targeting your organization.

CrowdStrike Scores 100% in SE Labs Q2 2023 Enterprise Advanced Security Detection Test, Wins AAA Award

  • The CrowdStrike Falcon® platform achieved 100% attack detection with zero false positives in the Q2 2023 SE Labs Enterprise Advanced Security (EAS) test, earning the AAA award for its perfect performance in the rigorous evaluation. 
  • SE Labs analysts’ intelligence-led testing employed the real-world tactics, techniques and procedures (TTPs) of four advanced threat groups, using four different threat series with full attack chains for each (16 attacks in total) in an attempt to evade detection by leading endpoint detection and response (EDR) products.
  • This latest performance underscores our mission to stop breaches and shows our continued commitment to participating in independent testing, which provides transparency into the Falcon platform’s industry-leading automated detection and prevention capabilities.

The CrowdStrike Falcon® platform recently earned the SE Labs AAA award by delivering 100% attack detection with zero false positives in the Q2 2023 SE Labs Enterprise Advanced Security (EAS) test. The platform achieved perfect scores across every evaluation category. 

This year’s evaluation presented a unique challenge to testing participants. SE Labs tested solutions to a full kill chain attack, from initial contact through reconnaissance, data exfiltration and lateral action. However, in order to capture each security product’s full insight into every stage of an attack, SE Labs analysts deliberately shut down each product’s preventive capabilities, giving the attackers an unhindered ability to run their full kill chain. 

With the Falcon platform’s advanced protection in place, attackers would fail to break out and advance anywhere near the stage of actually breaching a system. But the goal of the evaluation was to test detection capabilities. Shutting down prevention allows the detection test to evaluate the degree of total insight a product has into every stage of an attack — not only detection of the threat or attack but also associated activity including privilege escalation, actions and lateral movement. 

Points were awarded based on detection accuracy through every stage of each attack. In addition, the security products were also awarded points based on their ability to classify user interactions with legitimate applications and URLs, and false positives were penalized during testing because they negatively impact users.

SE Labs Q2 2023 EAS Detection Test Was Realistic and Demanding — and the Falcon Platform Crushed It

As part of the testing scenario, SE Labs emulated the real-world, observed tactics, techniques and procedures (TTPs) of four known, formidable adversary groups: Russia-nexus Turla (known as VENOMOUS BEAR in CrowdStrike adversary naming), China-nexus Ke3chang (VIXEN PANDA), China-nexus Threat Group-3390 (EMISSARY PANDA) and North Korea-nexus Kimsuky (VELVET CHOLLIMA). For each of these adversary groups, the testers ran four attack scenarios, for a total of 16 different attacks.

SE Labs describes the importance of this approach, which it says comprises the widest range of threats of any currently available public test:

“This test exposed market-leading endpoint security products to a diverse set of exploits, fileless attacks and malware, comprising the widest range of threats in any currently available public test. All of these attack types have been witnessed in real-world attacks over the previous few years. They are representative of a real and present threat to business networks the world over … It is important to note that while the test used the same types of attacks, new files were used. This exercised the tested product’s abilities to detect certain approaches to attacking systems rather than simply detecting malicious files that have become well-known over the previous few years. The results are an indicator of potential future performance rather than just a compliance check that the product can detect old attacks.” 

Source: Q2 2023 SE Labs Enterprise Advanced Security EDR Detection report

CrowdStrike Falcon performed flawlessly during each of the attack stages across the four different adversaries:

  • Delivery: 100% detection
  • Execution: 100% detection
  • Action: 100% detection
  • Escalation: 100% detection
  • Post-Escalation Action: 100% detection
  • Lateral Movement: 100% detection
  • Lateral Action: 100% detection

The Falcon platform had zero misses, for a 100% detection score during testing. This means the platform was fully aware of every stage of every attack, providing 360-degree visibility across the entire attack surface. It was able to report exactly what was happening, and if preventions hadn’t been disabled as part of the testing process, the Falcon platform would have taken action to block the attack from progressing. 

In addition, with the same configuration, Falcon also scored a 100% Legitimate Accuracy rating, meaning analysts were not wasting time and resources chasing false positives. This is a big win for Falcon customers. The global shortage of cybersecurity professionals shows no signs of abating, and the digital skills gap continues to widen, making these highly trained security experts’ time extremely valuable. Any time spent investigating false positives is time that SOC analysts are not spending to prevent a costly breach. Falcon’s perfect performance and lack of false positives means fewer SOC analysts are required to effectively operate a company’s security stack. 

More Than an Award: The Falcon Platform Delivers 100% Detection Accuracy to Customers

During the SE Labs EAS testing, points were awarded based on detection accuracy through every stage of each attack and on each product’s ability to classify user interactions with legitimate applications and URLs, while false positives were penalized. This scoring reflects the real-life cost-benefit analysis of deploying a security solution — one that can see all aspects of an attack and stop it. However, it’s also important that the solution does not disrupt the business or waste valuable SOC analyst time with false positives. 

With 100% detection accuracy (perfect detection with zero false positives), the Falcon platform won the AAA Award for the SE Labs April/May 2023 EAS test. However, the important message is more than just a headline about the award itself. 

This performance is another example of CrowdStrike proving through independent, third-party testing that the Falcon platform is a leader at stopping sophisticated adversaries in their tracks, while offering a low total cost of ownership. Moreover, this independent testing was performed by SE Labs using the same version of Falcon used by CrowdStrike customers. There were no unrealistic configurations, vendor optimizations or special capabilities in play. The Falcon platform enables customers to deploy our agent to thousands of endpoints in minutes, rapidly activating the same industry-leading protection used in this evaluation in their environments.

CrowdStrike’s Commitment to Independent Testing  

The SE Labs Q2 2023 EAS test is an example of the importance of participating in impartial, third-party testing. Evaluations by organizations like SE Labs are an invaluable resource, enabling security professionals to gauge the real-life performance of different security solutions under realistic, real-world attack scenarios. Independent testing also helps to drive innovation and product improvement and leads to a stronger cybersecurity industry in general. The benefits of these initiatives are why CrowdStrike remains firmly committed to industry research and independent testing.

The Falcon platform’s performance in public tests is also a showcase for the effectiveness of our advanced technology. It demonstrates just how effective machine learning, artificial intelligence, cloud-native architecture and CrowdStrike’s vast network of telemetry are at preventing breaches. It proves that CrowdStrike is a cybersecurity industry leader for a reason.

CrowdStrike Debuts Counter Adversary Operations Team to Fight Faster and Smarter Adversaries as Identity-Focused Attacks Skyrocket

8 August 2023 at 04:00

CrowdStrike is proud to announce the launch of CrowdStrike Counter Adversary Operations, a newly formed, first-of-its kind team that brings together CrowdStrike Falcon® Intelligence and the CrowdStrike® Falcon OverWatch™ threat hunting team to disrupt today’s adversaries and ultimately raise their cost of doing business. 

Both threat hunting and intelligence operations are essential to detect, disrupt and stop today’s adversaries. CrowdStrike Counter Adversary Operations will have the power of both — along with the trillions of telemetry events from the AI-powered CrowdStrike Falcon® platform — to quickly act and intensify its impact on adversary activity. CrowdStrike’s deep adversary knowledge, expertise in pursuing and stopping threats, and visibility derived from the Falcon platform make us uniquely qualified to deliver the most effective method of stopping breaches and protecting customers.

Today’s adversaries are increasingly fast and elusive, with quickly changing motives and tactics. The tradecraft CrowdStrike sees in the wild is, far too often, bypassing legacy and even modern security measures. CrowdStrike Counter Adversary Operations represents a new model for the security industry that brings together the best adversary insight and expertise, and puts this information in the hands of teams on the front lines so they can disrupt adversaries faster than ever before. 

There has never been a greater need for threat hunting and intelligence to come together, as evidenced by Nowhere to Hide: CrowdStrike 2023 Threat Hunting Report. This report, the first to be published under the CrowdStrike Counter Adversary Operations unit, provides a comprehensive look at the evolving techniques of today’s adversaries. 

Nowhere to Hide: A Closer Look at Modern Adversary Activity

The CrowdStrike 2023 Threat Hunting Report, now in its sixth edition, is the culmination of 12 months of proactive and intelligence-informed threat hunting. Our threat hunters and intelligence analysts observed a massive jump in identity-based intrusions, evolving expertise in cloud-focused attacks, and a breakout time of 79 minutes — a new all-time low and decrease from the 84 minutes recorded in 2022. 

A standout theme of the report is adversaries’ persistent focus on identity: Our experts observed a 583% increase in Kerberoasting attacks, a technique adversaries can use to obtain valid credentials for Active Directory service accounts. These often provide attackers with higher privileges and allow them to lurk undetected in victim environments for longer stretches of time.

This wasn’t the only statistic indicating identity is a hot target: 62% of all interactive intrusions involved the abuse of valid accounts, and there was a 160% increase in attempts to collect secret keys and other credentials through cloud instance metadata APIs. Access broker advertisements, which often offer ready access to valid accounts, increased by 147% in criminal and underground communities.

Adversaries are also leading the charge in cloud know-how, navigating cloud environments with a level of skill and confidence often unmatched by enterprise security teams. CrowdStrike observed a threefold increase in the use of linPEAS, a Linux privilege escalation tool quickly gaining popularity among adversaries operating in the cloud. This finding, combined with the 95% jump in cloud exploitation and threefold increase in cases involving cloud-conscious threat actors, underscores the critical need for organizations to prioritize securing their cloud environments.

Other notable findings include a 312% year-over-year increase in adversaries using legitimate remote monitoring and management (RMM) tools to evade detection and blend in with a target environment, and a stunning 80% increase in interactive intrusions targeting the financial sector. 

The data is clear: Adversaries are relentlessly seeking new ways to broaden their reach, optimize their tradecraft and deepen their impact across operations, using tactics intended to bypass legacy security products using traditional detection methods. As they demonstrate greater proficiency and speed in targeting organizations, it is imperative that defenders stay one step ahead to proactively identify and stop their activity. 

Counter Adversary Operations’ First New Offering: Identity Threat Hunting

In response to the evolving sophistication of adversary tradecraft and identity-based attacks CrowdStrike is seeing in the wild, Counter Adversary Operations is introducing its first new offering: CrowdStrike® Falcon OverWatch™ Elite Identity Threat Hunting.

This offering, immediately available as part of CrowdStrike® Falcon OverWatch™ Elite, brings together the latest intelligence on adversary motives, tactics, techniques and procedures, and combines this data with CrowdStrike Falcon® Identity Threat Protection and the elite Falcon OverWatch threat hunters. This combination makes it possible to quickly identify and remediate compromised credentials, track lateral movement and stay ahead of adversaries with 24/7 coverage. 

At a time when adversaries have their sights set on identities, Falcon OverWatch Elite Identity Threat Hunting brings organizations peace of mind with an always-on service to help them outpace current and emerging threats. This offering is available to new and existing CrowdStrike Falcon OverWatch Elite customers at no additional cost.

And there’s more to come: Falcon OverWatch Elite Identity Threat Hunting is the first of many accelerated innovations from Counter Adversary Operations. This offering and future capabilities will close the loop between the discoveries CrowdStrike researchers make in the wild and new customer-focused innovations to come in the Falcon platform.    

August 2023 Patch Tuesday: Two Actively Exploited Zero-Days and Six Critical Vulnerabilities Addressed

9 August 2023 at 13:02

Microsoft has released security updates for 76 vulnerabilities and two zero-days for its August 2023 Patch Tuesday rollout. One of the zero-days (CVE-2023-38180) is a denial-of-service vulnerability in .NET and Visual Studio. The other zero-day (CVE-2023-36884) received a Defense in Depth update to mitigate a flaw under active attack; however, it is not a patch. Six of the vulnerabilities addressed today are rated Critical, 68 are rated Important and two are rated Moderate.

August 2023 Risk Analysis

This month’s leading risk type is remote code execution (37%), followed by elevation of privilege (29%) and information disclosure (17%).

Figure 1. Breakdown of August 2023 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month with 36, followed by Extended Support Updates (25) and Microsoft Office products (15).

Figure 2. Breakdown of product families affected by August 2023 Patch Tuesday

Defense in Depth Update Mitigates an Actively Exploited Zero-Day Vulnerability 

Microsoft Office has released an update for a previously disclosed unpatched vulnerability (CVE-2023-36884). As Microsoft stated, installing this update will stop the attack chain leading to the exploitation of the Windows Search security feature bypass vulnerability. It is recommended that users install the Office updates as well as the Windows updates from August 2023.

| Impact | Severity | CVE | Description |
|---|---|---|---|
| Defense in Depth | Moderate | ADV230003 | Microsoft Office Defense in Depth Update |

Table 1. Zero day in Microsoft Office & Windows

Actively Exploited Zero-Day Vulnerability Affects .NET and Visual Studio

Microsoft .NET and Visual Studio have received a patch for CVE-2023-38180, which is rated Important and has a CVSS score of 7.5. The vulnerability allows a denial-of-service attack. Details of the flaw have not been publicly disclosed.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.5 | CVE-2023-38180 | .NET and Visual Studio Denial of Service Vulnerability |

Table 2. Zero day in Microsoft .NET & Visual Studio

Critical Vulnerabilities Affect Windows

CVE-2023-29328 and CVE-2023-29330 are Critical remote code execution vulnerabilities affecting Microsoft Teams, each with a CVSS score of 8.8. To exploit these vulnerabilities, the attacker must deceive the victim into joining a malicious Teams meeting, which would give them an opportunity to execute code on the system remotely. No special privileges are necessary for a successful attack.

CVE-2023-36910, CVE-2023-36911 and CVE-2023-35385 are Critical vulnerabilities affecting Microsoft Message Queuing (MSMQ), and each has a CVSS score of 9.8. In order for an attacker to take advantage of these vulnerabilities, they would need to transmit a specifically designed MSMQ packet to an MSMQ server, leading to remote code execution. Microsoft has provided guidance on best practices and steps to see if there is a service running Message Queuing and TCP port 1801 listening on a system.

CVE-2023-36895 is a Critical vulnerability affecting Microsoft Outlook with a CVSS score of 7.8. According to Microsoft, this is an Arbitrary Code Execution flaw. The attack complexity is low and no privileges are required to exploit it, but Microsoft rates exploitation as less likely.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.8 | CVE-2023-29328 | Microsoft Teams Remote Code Execution Vulnerability |
| Critical | 8.8 | CVE-2023-29330 | Microsoft Teams Remote Code Execution Vulnerability |
| Critical | 9.8 | CVE-2023-36910 | Microsoft Message Queuing Remote Code Execution Vulnerability |
| Critical | 9.8 | CVE-2023-36911 | Microsoft Message Queuing Remote Code Execution Vulnerability |
| Critical | 9.8 | CVE-2023-35385 | Microsoft Message Queuing Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2023-36895 | Microsoft Outlook Remote Code Execution Vulnerability |

Table 3. Critical vulnerabilities in MS Windows

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of security events every day from across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight vulnerability management can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate the severity and characteristics of software vulnerabilities. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

  • For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
  • See how Falcon Spotlight can help you discover and manage vulnerabilities and prioritize patches in your environments. 
  • Learn how CrowdStrike’s external attack surface module, Falcon Surface, can discover unknown, exposed and vulnerable internet-facing assets enabling security teams to stop adversaries in their tracks.
  • Learn how Falcon identity protection products can stop workforce identity threats faster. 
  • Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
  • Test CrowdStrike next-gen AV for yourself with a free trial of Falcon Prevent.

Discovering and Blocking a Zero-Day Exploit with CrowdStrike Falcon Complete: The Case of CVE-2023-36874

CrowdStrike Counter Adversary Operations is committed to analyzing active exploitation campaigns and detecting and blocking zero-days to protect our customers. In July 2023, the CrowdStrike Falcon® Complete managed detection and response (MDR) team discovered an unknown exploit kit leveraging a still-unknown vulnerability affecting the Windows Error Reporting (WER) component. Our team prepared to report this newly discovered vulnerability to Microsoft — only to discover that the Google Threat Analysis Group had independently discovered and disclosed it shortly before we did. Microsoft assigned the identifier CVE-2023-36874 to the vulnerability. 

Given this vulnerability was a zero-day when Falcon Complete found it, we are sharing the story of how our team discovered this issue, as well as technical details and some indicators of compromise. The CrowdStrike Falcon® platform protects against exploitation of CVE-2023-36874.

The Story

On June 22, 2023, Falcon Complete observed multiple binaries being dropped onto a system owned by a European technology entity via a Remote Desktop Protocol (RDP) connection from an unmanaged host. The Falcon sensor blocked and quarantined the execution of several of these binaries as it detected potential exploits for CVE-2021-24084. The Falcon Complete team conducted an initial analysis to determine the final objectives of these binaries; however, it was inconclusive. CrowdStrike Counter Adversary Operations was asked to assist, given the team’s expertise in both threat hunting and adversary intelligence, in order to accelerate the detection and remediation of threats.

During the first static analysis of these binaries, a string containing the Russian word 0дэй — translated as “0day” — indicated the binaries may be exploits related to an unknown vulnerability. A thorough analysis ensued to pinpoint the correct potential vulnerability used. The results indicated the use of an unknown vulnerability affecting the WER component. Hence, at the time of execution, Falcon Complete detected a still-unknown zero-day in the wild, along with an exploit kit using it.

The Technical Details

The WER service is a privileged service whose role is to analyze and report various software issues that may arise on a Windows host. This service can be interacted with through several undocumented COM interfaces, which can be found in wercplsupport.dll. In particular, by chaining the following function calls, it is possible to get a pointer to an IWerReport COM interface:

  1. CoCreateInstance(CLSID_ERCLuaSupport, NULL, CLSCTX_LOCAL_SERVER, IID_IErcLuaSupport, (PVOID*)&pIErcLuaSupport);
  2. pIErcLuaSupport->CoCreateIWerStoreFactory(&pIWerStoreFactory);
  3. pIWerStoreFactory->CoCreateIWerStore(&pIWerStore);
  4. pIWerStore->EnumerateStart()
  5. pIWerStore->LoadReport(<reportName>, &pIWerReport); where reportName is the name of a directory containing a WER report to be processed

As a result of calling IWerReport->SubmitReport, the WER service will call the WerpSubmitReportFromStore function from wer.dll. This eventually leads, under conditions that were not analyzed, to the call of the UtilLaunchWerManager function, itself calling the CreateProcess API in order to start the C:\Windows\System32\wermgr.exe executable. 

The core problem of this vulnerability lies in the fact that the CreateProcess API running under impersonation will follow any file system redirection set up by a threat actor but will use the calling process security token and not the impersonated token to set the security context of the process. In the case of the WER service, impersonation is indeed present when the wermgr process creation occurs, as highlighted in the following screenshot:

Figure: The WER service creating the wermgr.exe process while impersonating the calling client.

This means, in the case a prior file system redirection points to an attacker-controlled wermgr executable, this executable will be executed instead of the legitimate wermgr executable. This allows the attacker-controlled executable to be run with the privileges of the WER service (i.e., SYSTEM).

In the case of the observed exploit, the following steps are taken to achieve privilege escalation:

  1. The exploit sets up the necessary files on the system to achieve successful exploitation later. Two different objectives are followed at this step:
    1. Set up a dummy Report.wer file in the directory C:\ProgramData\Microsoft\Windows\WER\ReportArchive\WER1CF4123. This dummy file will be referenced in the IWerReport->SubmitReport function at the start of the exploit chain. 
    2. Set up a fake C:\ root hierarchy under the C:\Users\public\test directory so the file system redirection will point to the attacker files instead of the legitimate ones. In this hierarchy, the exploit creates a copy of itself as C:\Users\public\test\Windows\System32\wermgr.exe as well as a dummy WER report Report.wer inside C:\Users\Public\test\ProgramData\Microsoft\Windows\WER\ReportArchive\WER1CF4123.
  2. Creates a redirection from the C:\ drive to C:\Users\public\test by calling the NtCreateSymbolicLink function, where the third and fourth parameters point respectively to \??\C: and \GLOBAL??\C:\Users\Public\Test. This redirection is created when changes are detected in the C:\ProgramData\Microsoft\Windows\WER\ReportQueue directory. 
  3. Triggers IWerReport->LoadReport() with WER1CF4123 as a parameter. 
  4. Triggers IWerReport->SubmitReport() with WER1CF4123 as a parameter.  
  5. Due to redirection, C:\Users\public\test\Windows\System32\wermgr.exe is executed instead of the legitimate wermgr.exe. The exploit binary is now executing with high privileges.

A Look at the Exploit Kit

In the exploit kit observed, all exploit binaries aim to spawn a privileged interpreter, either the traditional command interpreter cmd.exe, or powershell_ise.exe, in the interactive session from which the binary was launched. If this aim cannot be fulfilled, then a privileged scheduled task is created to serve as a proxy for the spawning of the privileged interpreter. 

Within the exploit kit observed, some binaries are packed while others are not. Some contain C++ code while others appear to be pure C code. Some binaries were apparently able to launch multiple versions of the same exploit depending on the host’s OS version while others appear dedicated to a single OS. This information tends to indicate that the privilege escalation vulnerability was likely known to a group of different developers.

At the time of this writing, CrowdStrike Counter Adversary Operations does not attribute the activity to a particular actor.

Indicators of Compromise

The following table lists the different binaries that CrowdStrike observed being dropped. It should be noted that the following indicators are of low fidelity: several of the binaries are packed, which indicates the threat actor has the capability to generate new binaries containing the exploit, each with a different hash.

Filename | SHA256 Hash
10new+11_ISE_0x000109D59D6CC3F4.exe | e800d1271b15d1db04280a64905104a912094d2938fd6b024ce143f1221d22f5
8_ise.exe | 338ac127e81316d3b4a625ddf28eff2693778f3c8f1050cc06467845232e8da2
8.exe | 15b9f282717b6539e44a7a5e0ceafaae1eff09cadfbf46982e4d7e78a605cf3c
2019_ise.exe | 11243b8c4da386fed7efd500076f5671f649c25b7edb90416ec91b3e4a2073a5
2019.exe | 69411eebef102e63d86bd3e88c363375934ed9dee94ca9342b694c4be232c792
2016_ise.exe | 7de07008373bacf77ce9079c2374dd87afaa605b857b8ab440661faa0ca7d504
2016.exe | 5251fb2f9979dbc21b83e6e770c767595848ad9b01c94713683613a6d8561561
WER_Research_07062023_ise_0x00000F0B67DB1762.exe | 7251149fe93811b5b1a84418d0fe07296469c34b57f70f9107e0b9a1726b1080
10new+11.exe | 1efd5006979b10c60eefc367f529799b7b9dd2be1162e0195b22eedde32b7f7b
8_0x000109ABFE57D295.exe | 06d1a0752960576051ae5845d2ec38154a33b5de36ed268d61da26574bba3368
2019_0x000109ED1C1A33D9.exe | ed6e026059653e3b6d05a479ad27c1b38f790a840bcef38f1a06a73ff476525d
10_ISE_0x000109C422FAC8CA.exe | 84ea56d15ebb895b1688339fb230e2b9b61b35389cc7ea8dedbd2f92bb92ab10
WER_Research_07062023_cmd_0x00000EF75A5B64F2.exe | 130f0a4293fb842d99d2044d449e3320de8add982177ed1ad03ba0fef9bcf096
10new+11_ise.exe | 80185c0c10a4046fd4ca1242ccbd63bef7765c6e93a3f53c90107d34e0d790fe
10_0x000109BCF309A283.exe | 06be6b9b7163489854864292f9516558f6e192dda01560ea772fbc82dc1471df
2016_0x000109DC78E96163.exe | 96f0546ac6c722576f860f9a23d35fd93a8df1c547bd92d0836bb845cc875002
2019_ISE_0x000109F402AB3D7F.exe | 0c19f42339735cdd9d6a4c55e2f8f93b9d559d7a3420557487a75f67a2a946c0
8_ISE_0x000109B5EDC3E0B1.exe | 5fe77c71b75b71d95f2d62c71f3054afce1f3026873d107a9a56d701c503c2d7
10.exe | 43f3a7a5300fa89b7b9783cf97ca3a5f9d1f45535e71a80ac2b8b16d21a64fe8
10_ise.exe | 1b3ee2bbb3baff96e3637b0ee3ad5831c9c7741db7a32411281d0bcd4f26f012
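The exploit chain above ends with the WER service starting a wermgr.exe that lives under the attacker's fake C:\ hierarchy rather than under C:\Windows\System32, and the table lists the hashes of the binaries seen doing it. The following script, an added example and not CrowdStrike's own detection logic, turns those two facts into checks over process-creation telemetry: it flags any wermgr.exe image started from somewhere other than its legitimate locations (the System32 and SysWOW64 paths are an assumption), and it matches image hashes against the indicator table. The event schema and the sample events are constructed for the demonstration.

```python
"""Detection helpers for the WER abuse pattern described in the text.

Added example, not CrowdStrike code. It inspects process-creation records for
two signals the analysis describes: a wermgr.exe image that is not the
legitimate one under System32 (the redirected copy the exploit plants), and an
image hash matching one of the binaries in the indicator table above.
"""
from dataclasses import dataclass
from typing import Dict, List

# SHA256 values copied from the indicator table above.
WER_EXPLOIT_HASHES = frozenset({
    "e800d1271b15d1db04280a64905104a912094d2938fd6b024ce143f1221d22f5",
    "338ac127e81316d3b4a625ddf28eff2693778f3c8f1050cc06467845232e8da2",
    "15b9f282717b6539e44a7a5e0ceafaae1eff09cadfbf46982e4d7e78a605cf3c",
    "11243b8c4da386fed7efd500076f5671f649c25b7edb90416ec91b3e4a2073a5",
    "69411eebef102e63d86bd3e88c363375934ed9dee94ca9342b694c4be232c792",
    "7de07008373bacf77ce9079c2374dd87afaa605b857b8ab440661faa0ca7d504",
    "5251fb2f9979dbc21b83e6e770c767595848ad9b01c94713683613a6d8561561",
    "7251149fe93811b5b1a84418d0fe07296469c34b57f70f9107e0b9a1726b1080",
    "1efd5006979b10c60eefc367f529799b7b9dd2be1162e0195b22eedde32b7f7b",
    "06d1a0752960576051ae5845d2ec38154a33b5de36ed268d61da26574bba3368",
    "ed6e026059653e3b6d05a479ad27c1b38f790a840bcef38f1a06a73ff476525d",
    "84ea56d15ebb895b1688339fb230e2b9b61b35389cc7ea8dedbd2f92bb92ab10",
    "130f0a4293fb842d99d2044d449e3320de8add982177ed1ad03ba0fef9bcf096",
    "80185c0c10a4046fd4ca1242ccbd63bef7765c6e93a3f53c90107d34e0d790fe",
    "06be6b9b7163489854864292f9516558f6e192dda01560ea772fbc82dc1471df",
    "96f0546ac6c722576f860f9a23d35fd93a8df1c547bd92d0836bb845cc875002",
    "0c19f42339735cdd9d6a4c55e2f8f93b9d559d7a3420557487a75f67a2a946c0",
    "5fe77c71b75b71d95f2d62c71f3054afce1f3026873d107a9a56d701c503c2d7",
    "43f3a7a5300fa89b7b9783cf97ca3a5f9d1f45535e71a80ac2b8b16d21a64fe8",
    "1b3ee2bbb3baff96e3637b0ee3ad5831c9c7741db7a32411281d0bcd4f26f012",
})

# Assumption: the only locations a legitimate wermgr.exe is started from.
LEGITIMATE_WERMGR = frozenset({
    r"c:\windows\system32\wermgr.exe",
    r"c:\windows\syswow64\wermgr.exe",
})


@dataclass
class ProcessEvent:
    """One process-creation record (field names assumed, not a vendor schema)."""
    image_path: str   # full path of the executable that was started
    user: str         # security principal the new process runs as
    sha256: str       # hash of the image file, hex


def normalize_path(path: str) -> str:
    """Case-fold and use backslashes so path comparisons are stable."""
    return path.replace("/", "\\").lower()


def assess(event: ProcessEvent) -> List[str]:
    """Return the reasons this event matches the WER abuse pattern (empty if none)."""
    reasons = []
    path = normalize_path(event.image_path)
    if path.endswith("\\wermgr.exe") and path not in LEGITIMATE_WERMGR:
        # The exploit plants its own copy under a fake C:\ hierarchy and the
        # WER service then starts that copy in place of the real wermgr.exe.
        detail = "wermgr.exe started from a non-standard path"
        if event.user.lower() in ("nt authority\\system", "system"):
            detail += " as SYSTEM"
        reasons.append(detail)
    if event.sha256.lower() in WER_EXPLOIT_HASHES:
        reasons.append("image hash matches a known exploit binary")
    return reasons


def scan(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Map each flagged image path to the reasons it was flagged."""
    hits = {}
    for event in events:
        reasons = assess(event)
        if reasons:
            hits[event.image_path] = reasons
    return hits


# Constructed sample telemetry: a legitimate launch, the redirected copy, and a
# dropped binary whose hash appears in the table.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wermgr.exe", r"NT AUTHORITY\SYSTEM", "0" * 64),
    ProcessEvent(r"C:\Users\Public\test\Windows\System32\wermgr.exe",
                 r"NT AUTHORITY\SYSTEM", "1" * 64),
    ProcessEvent(r"C:\Users\Public\2019.exe", r"CORP\user1",
                 "69411eebef102e63d86bd3e88c363375934ed9dee94ca9342b694c4be232c792"),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

The path check is the durable signal: as the text notes, the hashes are low fidelity because the binaries are packed and easily regenerated, whereas the WER service starting a wermgr.exe from outside System32 is inherent to the technique.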

Conclusion

It is critical to ensure timely vulnerability patching in order to protect enterprise devices. However, when adversaries target unknown vulnerabilities, timely patching becomes irrelevant. This is why it’s essential for organizations to implement multiple layers of defense such as CrowdStrike Falcon Complete managed detection and response. The Falcon Complete team actively monitors for, and remediates, vulnerabilities such as CVE-2023-36874 so organizations have 24/7 protection from the latest threats — including zero-days exploited in the wild.  


Three Ways to Enhance Your Cloud Security with External Attack Surface Management

The IT future is a cloudy one. Organizations are increasingly relying on cloud servers, as today’s IT environments use a combination of public and private clouds alongside on-premise infrastructure. Gartner® estimates that by 2026, 75% of organizations will adopt a digital transformation model predicated on the cloud as the fundamental underlying platform. Moreover, global spending on public cloud services is forecast to grow 21.7% to total $597.3 billion USD in 2023, up from $491 billion USD in 2022, according to the firm’s latest forecast.1  

This rapid acceleration into the cloud has dramatically expanded the modern attack surface, making it increasingly difficult for security teams to keep up. Data from CrowdStrike Falcon® Surface external attack surface management shows that in the United States, 23% of all exposed assets detected in a week are hosted on the cloud. More importantly, 25% of those exposed assets have a severe vulnerability.2 These vulnerable assets can be remote access servers, databases, web servers, gateways, VPNs, development tools and more. The high number of exposed assets indicates that although cloud adoption might be easy, securing the cloud can be hard.

The risk of cloud exploitation is not a new problem. The CrowdStrike 2023 Global Threat Report showed that cloud exploitation cases grew by 95% from 2021 to 2022. Cases involving cloud-conscious actors nearly tripled in the same time frame. These actors primarily obtained initial access to the cloud by exploiting public-facing applications — such as web servers — using existing valid accounts, resetting passwords or placing webshells or reverse shells for persistence. These findings underscore the need for robust cloud security measures and proactive exposure management to address the growing threat of cloud-based attacks.

Evolving Safely in the Cloud Requires 24/7 Exposed Asset Monitoring

Contrary to popular belief, the onus to protect cloud data falls on companies and not the cloud host provider. While organizations may have safeguards in place for their known cloud enclaves, employees can easily create their own cloud instances without following the central process or alerting central IT, leading to the emergence of “shadow IT.”

With the complexity of cloud configurations, it’s easy for teams to make a mistake that can leave sensitive data exposed or leave cloud resources vulnerable to attack. Misconfigurations can occur in several places, including network security settings, storage permissions, access controls and more. Attackers are well aware of this and are actively scanning cloud environments for misconfigurations to exploit. 

Improper access management, cloud services misconfiguration, cloud applications provisioned outside IT visibility and lack of staff with the skills to manage security for cloud applications can all leave companies exposed and vulnerable to attack — and they are far more common than assumed. 

External attack surface management (EASM) is needed for companies to safely evolve in the cloud. It delivers a comprehensive inventory of externally exposed, known and unknown cloud assets, and enables teams to uncover issues like unknown misconfigured environments (staging, testing, development, etc.) and legacy webpages and assets hosted on unofficial hosting providers. In addition, it analyzes and prioritizes every risky exposure and generates a plan with actionable insights so teams can resolve more issues in less time. 

EASM provides a powerful complement to the cloud native application protection platform (CNAPP) capabilities required to mitigate the risks outlined above. CrowdStrike combines EASM with the cloud security offerings of Falcon Cloud Security through a unified platform, empowering customers with complete visibility and protection across their cloud environments no matter what stage they are in their cloud journey.

Three Ways EASM Enables Companies to Maximize Cloud Security

1. Gain outside-in visibility into critical asset exposure while moving to cloud storage and services

Companies that are just starting their cloud migration face the decision of which services and data to host on cloud service providers. It is essential for those companies to carefully manage their asset inventory and understand which security controls are in place, what they cover and where their security gaps are. EASM is the natural place to start. As a fast and easy-to-deploy tool, it enables security teams to gain an immediate understanding of where exposures are, stay on top of asset inventory management in real time and maintain an overarching view of the entire attack surface, regardless of whether it is in the cloud or on-premises.

2. Prioritize risks in hybrid cloud environments 

As companies grow and evolve in the cloud, they’ll be looking at cybersecurity strategies to prevent risk and exposure. This is particularly important given that the average breakout time for interactive eCrime intrusion activity was 79 minutes in the past 12 months and the fastest observed breakout time was a mere 7 minutes, as revealed in the recently released CrowdStrike 2023 Threat Hunting Report — highlighting the need for dynamic and thorough cybersecurity measures to protect digital assets. 

If the goal is to host more sensitive services in the cloud, EASM can arm CISOs with unique insight into where teams should spend time to reduce risk, bookmark high-value assets for monitoring and integrate with the most popular XDR and IR systems. CISOs can receive prompt alerts for exposed assets, ultimately preventing long-term exposure. 

3. Ensure no asset is left unknown on full cloud infrastructure 

Once operating on full cloud infrastructure across multiple providers, security tools can be deployed to support the efforts of CISOs, like cloud security posture management (CSPM) platforms. There’s a catch — CSPM doesn’t account for the entire ecosystem and may not cover subsidiaries, the supply chain and third-party vendors. An EASM solution is easily integrated for always-on, real-time, thorough monitoring of cloud environments as well as other attack vectors — so CISOs can ensure nothing is missed. 

Move Safely into the Cloud with Falcon Cloud Security and Falcon Surface  

CrowdStrike provides comprehensive capabilities to stop cloud breaches: CrowdStrike Falcon® Cloud Security delivers the industry’s most complete agent-based and agentless cloud-native application protection platform (CNAPP) capabilities. When paired with Falcon Surface, our EASM module, as part of the unified CrowdStrike Falcon platform, teams gain a significant advantage against the adversary. 

By adding Falcon Surface, security teams can see their attack surface the way adversaries see it, across their entire digital perimeter. Starting from nothing more than a domain name, it enables them to detect, prioritize and manage unknown, risky, exposed internet-facing assets, whether centralized or remote, across on-premises environments, subsidiaries, cloud providers and third-party vendors. All exposed assets are automatically classified, analyzed and prioritized according to a contextualized risk score, allowing for quick-to-implement remediation steps.

Together, Falcon Cloud Security and Falcon Surface provide real-time visibility and protection across the entire cloud environment. By leveraging the best of agent-based and agentless technology, CISOs and their security teams can work together to protect the entire attack surface and stop breaches. 

Additional Resources

  1. Gartner Press Release, Gartner Forecasts Worldwide Public Cloud End-User Spending to Reach Nearly $600 Billion in 2023, April 19, 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
  2. Data powered by CrowdStrike Falcon Surface.

Three Recommendations for a Next-Generation Cybersecurity Framework

3 October 2023 at 18:27

Cyberattacks evolve daily, and defenders are forced to adapt at the same rate. Cybersecurity best practices, however, are updated and codified much less frequently. There is broad experimentation in the field, and it takes some time for authoritative working groups to sort out which new practices and controls are practical and consistently effective for a large cross-section of users. Some guidelines and standards are updated every year or two and others much less frequently.  

When the National Institute of Standards and Technology (NIST) announced in February 2022 that it would update the Cybersecurity Framework (CSF), leading to the publication of a “CSF 2.0,” cybersecurity policy analysts and practitioners took note. Long regarded as a key reference, the CSF is used by organizations globally to assess and enhance their cybersecurity maturity.   

CrowdStrike’s Public Policy team submitted input for the first and second public comment opportunities based on our experience defending against and remediating cyberattacks. This blog post provides a quick overview of the evolution of the CSF as well as some of our ideas for this upcoming revision. 

Background of NIST CSF  

NIST’s CSF has been applauded for its flexibility, risk-based approach and relevance to all sectors. When building the CSF ahead of its initial release in 2014, NIST engaged with various stakeholder groups, which has led to its success as a widely adopted and usable framework. A key contribution of the framework at launch was to divide a messy and overlapping set of security and risk management imperatives into five easily understandable functions: identify, protect, detect, respond and recover. These functions are further divided into more descriptive categories, and further to subcategories that map to other control sets.1 The CSF also outlines implementation tiers and provides reference profiles. 

NIST released an update, CSF 1.1, in 2018, providing additional categories on identity management and supply chain cybersecurity. This reflected the evolving baseline security measures organizations needed to take to protect themselves from adversaries. In 2022, NIST began the update process again, this time pursuing a 2.0 version of the CSF to “help the Framework keep pace with technology and threat trends, integrate lessons learned, and move best practice to common practice.”2 In August 2023, the CSF 2.0 Public Draft was released for comment, and NIST noted the final CSF 2.0 will be published in early 2024.  

CrowdStrike’s Recommendations 

In our comments, we supported NIST’s intent to add a “Govern” function and expand its coverage of supply chain security. In the CSF 2.0 Public Draft, we were pleased to see the Govern function includes crosscutting cybersecurity governance practices such as determining priorities and risk tolerances of the organization. The NIST Privacy Framework has a Govern function, and similar CSF 2.0 categories about governance policies, processes and procedures are important because data privacy and cybersecurity cannot exist without each other and are more intertwined than ever before. 

Cybersecurity supply chain security is more important than ever due to recent, widespread cybersecurity supply chain attacks. NIST updated supply chain practices in the 2018 CSF 1.1 version. Now that new technologies exist, such as cybersecurity systems that leverage artificial intelligence and machine learning to better find threats, it is timely that a supply chain security refresh is included in CSF 2.0. 

Zero Trust Architecture

Zero Trust Architecture is no longer a “next step” organizations can take to bolster their security posture — it should be a security baseline. The current CSF’s characterization of best practices for identity management, authentication and access control is modest relative to widely adopted practices in the field. Explicit guidance on Zero Trust Architecture implementation would yield stronger cybersecurity outcomes. The CSF 2.0 should include a subcategory titled “Implement a Zero Trust Architecture” under the “Protect” function and “Identity Management, Authentication and Access Control” category. 

A new Zero Trust subcategory can include best practices like the use of cloud-based endpoint detection and response (EDR), comprehensive logging, identity protection and use of multifactor authentication. Due to fundamental problems with today’s widely used authentication architectures, organizations must incorporate new security protections focused on authentication.  

As reported in the CrowdStrike 2022 Global Threat Report, 80% of cyberattacks in 2021 leveraged identity-based techniques to compromise legitimate credentials and evade detection, and in 2022, adversaries doubled down on advertising stolen credentials and access-broker services in the criminal underground.3 Identity attacks will only continue to increase. Revising the Protect function to include ZTA will further align CSF 2.0 with existing NIST work and raise organizations’ security against these attacks. 

Combine Detect and Respond 

Given developments in the practice of cybersecurity in recent years, NIST should consider unifying the high-level “Detect” and “Respond” functions in the final CSF 2.0. Once conceptually separate, cybersecurity tools, practices and controls across these functions have evolved and converged over time. Whereas these functions previously took place in serial, often across separate teams, today security operations concepts employ detection and response in parallel. 

The old model failed. Adversaries exploit gaps and delays to achieve their objectives. Breakout time — the time it takes an adversary to move laterally from an initially compromised host — is getting faster each year. Based on CrowdStrike data, breakout time decreased from 98 minutes in 2021⁴ to 79 minutes in 2022.⁵ For this reason, when responding to a security incident or event, every moment counts. 

The more an organization can do to detect and stop adversaries at the outset of an attack, the better chance of preventing them from achieving their objectives. By combining the “Detect” and “Respond” categories, the CSF 2.0 can reflect a settled consensus within the industry that detection and response are two sides of the same coin. This insight has yielded both EDR capabilities and significant ongoing investment across industry in the extended detection and response (XDR) category.

Threat Intelligence 

CrowdStrike also recommends that NIST consider creating a new “Intelligence” Category under the Identify function. Given the current threat landscape, it is necessary for organizations to be familiar with the adversaries that could target their systems. Cybersecurity threats are evolving and increasing, and as the adversaries continue to evolve and find new ways to target victims, organizations need to increase their emphasis on cybersecurity practices that leverage the most effective technologies.  

Next Steps

Updating the CSF is a positive step to help organizations that use the Framework stay ahead of today’s threats. In the almost 10 years the NIST CSF has existed, it has become a tool numerous organizations use to stay up to date with the practices the community accepts as best practices. If the CSF is to maintain currency over the coming years, NIST and stakeholder groups must continue to regularly update it to reflect changes in best practices and keep pace with quickly evolving adversary threats.

In the final version of the CSF 2.0, there are forward-looking changes NIST can make to bring the Framework into 2023 and beyond. We hope our recommendations inform discussion for the CSF 2.0 Public Draft and look forward to continued engagement with NIST and community stakeholders on this subject. In the meantime, organizations can evaluate and adopt these practices now. 

Additional Resources 

  1. https://www.nist.gov/cyberframework/online-learning/components-framework
  2. https://www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20
  3. CrowdStrike 2023 Global Threat Report: https://www.crowdstrike.com/global-threat-report/
  4. CrowdStrike 2022 Global Threat Report
  5. CrowdStrike 2023 Threat Hunting Report: https://www.crowdstrike.com/threat-hunting-report/

Enabling Breach Prevention on Red Hat OpenShift Service on AWS (ROSA)

7 October 2023 at 00:18

As organizations increasingly deploy business-critical workloads to managed cloud services, enforcing strong security practices needs to be a top priority. While many managed cloud service providers do a good job of protecting the cloud and infrastructure itself, it’s the responsibility of the customer to protect what’s running inside the cloud. 

This is commonly known as the Shared Responsibility Model, a security and compliance framework that outlines the responsibilities of both the cloud provider and customer. Understanding where responsibilities begin and end is critical as adversaries increasingly turn their sights on cloud exploitation. According to the CrowdStrike 2023 Global Threat Report, cloud exploitation grew by 95% in 2022 and the number of cloud-conscious threat actors nearly tripled.   

CrowdStrike Falcon Cloud Security delivers comprehensive cloud security for complete visibility and protection to stop breaches in the cloud. CrowdStrike is helping customers strengthen the security posture of managed cloud services by supporting the CrowdStrike Falcon® sensor on Red Hat® OpenShift® Service on AWS (ROSA), a Kubernetes-based application platform jointly engineered and managed by Red Hat and Amazon Web Services.

Together, ROSA and the Falcon platform provide customers with a fully managed and protected OpenShift cluster running in their preferred cloud environment so they can rapidly deploy their most critical applications to the cloud with confidence.

ROSA allows platform administrators to offload cluster provisioning, maintenance and 24/7 monitoring to a team of professional site reliability engineers (SREs). CrowdStrike extends this operational efficiency by offloading the collection, analysis and detection of threat indicators to a global team of security analysts and expertly tuned artificial intelligence. CrowdStrike regularly correlates over a trillion events per day with adversarial threat intelligence to stop breaches on Kubernetes and containers before they occur. 

In addition to protecting Kubernetes, the Falcon platform provides endpoint detection and response for Red Hat Enterprise Linux and other operating systems, cloud security posture management for AWS and Azure, identity protection for Active Directory, log management, and more. Aggregating all of these capabilities into a single cloud-hosted platform means tool reduction and cost savings for IT leaders, and higher efficiency and visibility for security analysts.

To make sure that operations teams can match the speed of the adversary and access secured clusters quickly, both ROSA and Falcon can be procured through AWS Marketplace and leverage existing spending commitments.

About the Integration

Protecting Kubernetes requires protecting the host operating system as well as all containers running on top of it. To achieve this on Red Hat’s CoreOS, the Falcon agent is deployed as a lightweight agent that mounts itself at the kernel level, granting it complete visibility and control without impacting performance. With this access, the agent is able to fully protect the cluster from both known and zero-day attacks using on-sensor machine learning and CrowdStrike’s constantly evolving threat intelligence.

To simplify deployment and operations, the Falcon agent is available as a certified operator in OpenShift’s OperatorHub. Operators are Kubernetes-native packages that automate installation and support a configuration-as-code approach to security management. Customers managing many OpenShift clusters can use Red Hat Advanced Cluster Management for Kubernetes to deploy the Falcon agent automatically with fleet-wide policies.

Once installed, the agent uses indicators of attack to break an adversary’s kill chain and prevent data destruction, exfiltration, escalation, lateral movement and many other types of breaches. But runtime protection is only part of the battle. The Falcon platform provides comprehensive cloud-native security with a Kubernetes admission controller to stop risky workloads, infrastructure-as-code and image scanning to “shift left” on enforcement, and posture management and compliance to identify misconfigured cloud resources. For organizations contending with a skills shortage, CrowdStrike’s expert analysts help uplevel your security operations team and can provide managed detection and response around the clock.

Get Started

If you’re already a CrowdStrike Falcon® Cloud Security with Containers customer, follow CrowdStrike’s deployment guide for OpenShift to enable breach prevention on a new or existing OpenShift cluster. This guide covers architecture, workflow, prerequisites and additional learning resources.

Reach out to learn how CrowdStrike Falcon protects Red Hat platforms. 

Getting Value from Your Proxy Logs with Falcon LogScale

10 October 2023 at 19:59

All web traffic flowing out of your company network should be passing through a web proxy. These proxy logs are a great resource for threat hunting and security investigations, yet they often translate into extremely large volumes of data.

In a previous blog post, we shared the value of proxy logs in addressing a range of use cases, including hunting for threats, investigating access to unknown domains and phishing sites, searching for indicators of compromise (IOCs) and meeting compliance requirements. In this blog, we’ll show how you can achieve this with CrowdStrike® Falcon LogScale™, using Zscaler proxy data as an example.

Bringing Proxy Logs into Falcon LogScale

You can use the HTTP API to bring your proxy logs into Falcon LogScale. When working with Zscaler, you can use Zscaler Nanolog Streaming Service (NSS), which comes in two variants:

  1. Cloud NSS allows you to send logs directly to Falcon LogScale.
  2. VM-based NSS allows you to collect logs on a VM, where they can be sent to Falcon LogScale via syslog.

Once data is streaming into Falcon LogScale, you can extract the relevant fields during the parsing process. These fields include:

Destination Host Name: The domain or URL being accessed
Destination IP: The IP address being accessed
Destination Port: The network port being accessed
User Agent: The user agent used to initiate the traffic (Chrome, Mozilla, Curl)
Request Method: Was it a GET or POST request?
Device Action: Did the proxy allow or deny the requested traffic?
Referrer: Who referred the traffic toward the destination host name?
Domain/URL Category: What is the domain/URL categorized as? (e.g., malicious or business)
Requested File Name: The requested file name when accessing a website

 

Package Marketplace

The Zscaler package can be installed from the Falcon LogScale marketplace. It includes parsers for extracting fields from DNS, firewall, web and tunnel logs. It also provides saved queries and out-of-the-box dashboards, which show details such as:

 

Web: Threat Activity

This dashboard provides high-level threat activity showing a range of widgets, including IOCs, data loss prevention (DLP), vendor-defined threats and enrichment with CrowdStrike threat intelligence.

Web Threat Activity

 

Web: Web Activity

This dashboard provides details about user activity and actions as well as blocked and allowed domain activity, application activity and even information about user agents being used.

Web Activity

 

Web: User Investigation

This feature allows you to drill down into a specific user’s activity and is a combination of the Threat Activity and Web Activity dashboards.

Threat Hunting Queries with Zscaler Proxy Data

Here are useful searches and queries to hunt for threats across Zscaler proxy data:

 

Proxy Traffic Summary by User

| groupBy([Vendor.deviceowner, Vendor.devicehostname, Vendor.cip, Vendor.department, event.action, Vendor.hostname] , function=[ collect([http.response.status.code,http.request.method,Vendor.proto,Vendor.contenttype,Vendor.appclass,Vendor.appname,Vendor.ereferer,Vendor.eurl,Vendor.urlcat,Vendor.urlclass,Vendor.urlsupercat,Vendor.agent.original]),
sum(Vendor.reqsize, as=totalRequestSize),
sum(Vendor.respsize, as=totalResponseSize),
count(Vendor.url, as=totalHits),
min(@timestamp, as=earliest),
max(@timestamp, as=latest)
])
| asn(Vendor.cip, as=asn)
| formatTime("%Y/%m/%d %H:%M:%S", as=earliest, field=earliest, locale=en_US, timezone=Z)
| formatTime("%Y/%m/%d %H:%M:%S", as=latest, field=latest, locale=en_US, timezone=Z)

 

Proxy Traffic Timeline for a User

| select([@timestamp, #Vendor.action, host.name, http.request.referrer, Vendor.urlcat,Vendor.urlclass,Vendor.urlsupercat,user_agent.original, http.response.status_code,http.request.method,Vendor.proto, Vendor.contenttype, Vendor.eurl])

 

Abnormal User Agent Strings

user_agent.original=/(?i)(?:bits|WebDAV|PowerShell|Curl|Microsoft)/

 

Open Redirect

Vendor.eurl=/s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?/

 

Dynamic DNS

Vendor.urlcat = "Dynamic DNS Host"

 

Top User Agents

| event.action=Allowed | top(Vendor.eua, limit=100)

 

Top Threat Activity

| Vendor.threatname!="None" | timechart(Vendor.threatname, limit=10)

 

CloudFront Domain Connection

| event.action=Allowed Vendor.event.hostname=/cloudfront.net/i

 

Suspicious Web Categories

Vendor.urlcat=/(?i)(?:adware\/spyware\ssites|botnet\scallback|browser\sexploit|shost|malicious\scontent|phishing|remote\saccess\stools|spyware\scallback|spyware\/adware|suspicious\scontent)/ | table([Vendor.devicehostname ,Vendor.urlcat, Vendor.eurl, @timestamp])
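The queries above are written for Falcon LogScale, so they cannot be tried without a LogScale instance and the Zscaler package. The script below, an added example and not part of the package, reproduces four of the hunts offline over constructed proxy records: the per-user traffic summary (hits, bytes, earliest and latest times), the abnormal user-agent regex from the Abnormal User Agent Strings query, the Dynamic DNS Host category filter, and the category list from the Suspicious Web Categories query (its stray `shost` token is left out), plus the Top User Agents count over allowed traffic. The tab-separated layout and its column names are a constructed stand-in for parsed NSS output, not the real Zscaler log format.

```python
"""Offline version of the proxy hunts above, run on constructed log lines.

Added example, not the Falcon LogScale Zscaler package. The tab-separated
layout is a constructed stand-in for parsed NSS output; where a column
corresponds to a Vendor.* field used in the queries, the same name is used.
"""
import csv
import io
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: header row plus five web-proxy records.
SAMPLE_LOG = """\
timestamp\tdeviceowner\tdevicehostname\tcip\taction\thostname\turlcat\tagent\treqsize\trespsize\tmethod\tstatus
2023-10-10T12:00:00Z\talice\tWS-ALICE\t10.1.1.10\tAllowed\twww.example.com\tBusiness\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0 Safari/537.36\t512\t20480\tGET\t200
2023-10-10T12:05:00Z\talice\tWS-ALICE\t10.1.1.10\tAllowed\tupdate.example.net\tBusiness\tMicrosoft BITS/7.8\t300\t1024\tGET\t200
2023-10-10T12:10:00Z\tbob\tWS-BOB\t10.1.1.11\tBlocked\tlogin.example.org\tPhishing\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0 Safari/537.36\t400\t0\tGET\t403
2023-10-10T12:15:00Z\tbob\tWS-BOB\t10.1.1.11\tAllowed\tmyhost.dyn.example\tDynamic DNS Host\tcurl/8.1.2\t200\t5000\tPOST\t200
2023-10-10T12:20:00Z\tcarol\tWS-CAROL\t10.1.1.12\tAllowed\tcdn.example.com\tBusiness\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0 Safari/537.36\t100\t50000\tGET\t200
"""

# Same pattern as the Abnormal User Agent Strings query above.
ABNORMAL_UA = re.compile(r"(?i)(?:bits|WebDAV|PowerShell|Curl|Microsoft)")

# Category names from the Suspicious Web Categories query above.
SUSPICIOUS_CAT = re.compile(
    r"(?i)(?:adware/spyware sites|botnet callback|browser exploit|malicious content"
    r"|phishing|remote access tools|spyware callback|spyware/adware|suspicious content)"
)


def parse_lines(text: str) -> List[dict]:
    """Parse the constructed tab-separated records into one dict per event."""
    events = list(csv.DictReader(io.StringIO(text), delimiter="\t"))
    for ev in events:
        ev["reqsize"] = int(ev["reqsize"])
        ev["respsize"] = int(ev["respsize"])
    return events


def summarize_by_user(events: List[dict]) -> Dict[str, dict]:
    """Mirror of the groupBy() summary: hits, bytes and time bounds per device owner."""
    summary: Dict[str, dict] = {}
    for ev in events:
        row = summary.setdefault(ev["deviceowner"], {
            "totalHits": 0, "totalRequestSize": 0, "totalResponseSize": 0,
            "earliest": ev["timestamp"], "latest": ev["timestamp"], "hostnames": set(),
        })
        row["totalHits"] += 1
        row["totalRequestSize"] += ev["reqsize"]
        row["totalResponseSize"] += ev["respsize"]
        # ISO-8601 timestamps in one time zone sort correctly as strings.
        row["earliest"] = min(row["earliest"], ev["timestamp"])
        row["latest"] = max(row["latest"], ev["timestamp"])
        row["hostnames"].add(ev["hostname"])
    return summary


def abnormal_user_agents(events: List[dict]) -> List[dict]:
    """Events whose user agent matches the hunt regex (BITS, curl, PowerShell, ...)."""
    return [ev for ev in events if ABNORMAL_UA.search(ev["agent"])]


def suspicious_categories(events: List[dict]) -> List[dict]:
    """Events whose URL category is one of the listed high-risk categories."""
    return [ev for ev in events if SUSPICIOUS_CAT.search(ev["urlcat"])]


def dynamic_dns(events: List[dict]) -> List[dict]:
    """Mirror of Vendor.urlcat = "Dynamic DNS Host"."""
    return [ev for ev in events if ev["urlcat"] == "Dynamic DNS Host"]


def top_user_agents(events: List[dict], limit: int = 100) -> List[Tuple[str, int]]:
    """Mirror of top(Vendor.eua) restricted to allowed traffic."""
    counts = Counter(ev["agent"] for ev in events if ev["action"] == "Allowed")
    return counts.most_common(limit)


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LOG)
    for owner, row in summarize_by_user(events).items():
        print(owner, row["totalHits"], row["totalRequestSize"], row["totalResponseSize"])
    print("abnormal UA:", [ev["hostname"] for ev in abnormal_user_agents(events)])
    print("suspicious:", [ev["hostname"] for ev in suspicious_categories(events)])
    print("dynamic DNS:", [ev["hostname"] for ev in dynamic_dns(events)])
```

Note that the user-agent pattern is intentionally broad: "Microsoft" and "bits" will also hit legitimate update and Office traffic, so in practice the hit list is a triage starting point to be joined with the category and destination fields rather than an alert on its own.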

Unbeatable Scale and Performance

Join leading organizations by augmenting or replacing your security information and event management (SIEM) solution with Falcon LogScale for unbeatable scale and performance. With its unique index-free architecture and advanced compression technology, Falcon LogScale empowers you to stop breaches by delivering high-speed search and sub-second latency for live dashboards and real-time alerting.

 

With Falcon LogScale, you can cut costs by up to 80% compared to legacy SIEM solutions. Its vast scale and affordable price let you avoid making tough tradeoffs between cost, how much data you can collect and how long you can store it. With Falcon LogScale, you can retain petabytes of data for years.

 

To learn more about Falcon LogScale integrations, visit the Integrations page. To find out if Falcon LogScale can help you fulfill your SIEM and logging requirements, contact a CrowdStrike expert today.

 


October 2023 Patch Tuesday: 104 Vulnerabilities Including Three Actively Exploited Zero-Days

10 October 2023 at 23:54

This month marks the 20th anniversary of Patch Tuesday, and Microsoft has released security updates for 104 vulnerabilities, including three zero-days. One of the zero-days (CVE-2023-41763) is an elevation of privilege vulnerability in Microsoft Skype for Business. The second (CVE-2023-36563) is an information disclosure vulnerability in Microsoft WordPad, and the third (CVE-2023-44487) enables a distributed denial-of-service (DDoS) attack technique named “HTTP/2 Rapid Reset.” Twelve of the vulnerabilities addressed today are rated as Critical while the remaining 92 are rated as Important.

October 2023 Risk Analysis

This month’s leading risk type is remote code execution (43%), followed by elevation of privilege (25%) and denial of service (16%).

Figure 1. Breakdown of October 2023 Patch Tuesday attack types

 

The Microsoft Windows product family received the most patches this month (78), followed by Microsoft Office (7), and Azure (6).

Figure 2. Breakdown of product families affected by October 2023 Patch Tuesday

Actively Exploited Zero-Day Vulnerability Affecting Microsoft Skype for Business

Microsoft Skype for Business has received a patch for CVE-2023-41763, which is rated Important and has a CVSS score of 5.3. This local privilege escalation vulnerability allows an attacker to gain access to sensitive information on a target Skype for Business server: by sending specially crafted network calls to the target server, an attacker can potentially cause it to reveal IP addresses and/or ports. A proof-of-concept has already been publicly disclosed.

Severity  | CVSS Score | CVE            | Description
Important | 5.3        | CVE-2023-41763 | Skype for Business Elevation of Privilege Vulnerability

Table 1. Zero-day in Microsoft Skype for Business

Actively Exploited Zero-Day Vulnerability Affecting Microsoft WordPad

Microsoft WordPad has received a patch for CVE-2023-36563, which is rated Important and has a CVSS score of 6.5. The vulnerability allows for information disclosure, specifically of NTLM (Windows New Technology LAN Manager) hashes: an attacker can steal NTLM hashes by utilizing the preview pane when a document is opened. Because NTLM hashes are the credential the protocol uses to authenticate an account, an attacker who obtains them could attempt to crack them or use them in an NTLM relay attack. A proof-of-concept has already been publicly disclosed.

Severity  | CVSS Score | CVE            | Description
Important | 6.5        | CVE-2023-36563 | Microsoft WordPad Information Disclosure Vulnerability

Table 2. Zero-day in Microsoft WordPad

Actively Exploited Zero-Day Attack Technique Affecting HTTP/2

Microsoft has released an update and workarounds to help protect against denial-of-service attacks exploiting CVE-2023-44487, which is rated Important. This vulnerability in HTTP/2 allows malicious actors to launch DDoS attacks against HTTP/2 servers by sending HTTP requests using HEADERS and RST_STREAM frames over a single connection. Repeating this exhausts server resources and can eventually bring the server down. Microsoft and many other vendors have already applied mitigations and various protections to their own infrastructure to address Layer 7 request floods.

Severity  | CVSS Score | CVE            | Description
Important | N/A        | CVE-2023-44487 | MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack

Table 3. Zero-day distributed denial-of-service (DDoS) attack against HTTP/2
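The server-side mitigation that addresses the HEADERS/RST_STREAM pattern described above is a per-connection budget on stream resets: a client that cancels streams far faster than any legitimate browser would gets its connection closed instead of having its cancelled work pile up. The following Python model is an added example, not Microsoft's update or any vendor's code; the frame names are HTTP/2's, while the thresholds, class name and the `simulate` helper are assumptions for illustration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Set

# Illustrative thresholds (assumption): a real server tunes these to its traffic.
MAX_RESETS_PER_WINDOW = 50
WINDOW_SECONDS = 1.0


class ResetFloodGuard:
    """Track HEADERS/RST_STREAM frames per connection; flag connections whose
    reset rate exceeds the budget (the HTTP/2 Rapid Reset mitigation pattern)."""

    def __init__(self, max_resets: int = MAX_RESETS_PER_WINDOW,
                 window: float = WINDOW_SECONDS):
        self.max_resets = max_resets
        self.window = window
        self._resets: Dict[str, Deque[float]] = defaultdict(deque)  # reset timestamps
        self._open_streams: Dict[str, int] = defaultdict(int)
        self.closed: Set[str] = set()

    def handle_frame(self, conn_id: str, frame_type: str, now: float) -> str:
        """Return 'accept', or 'close' once the connection exceeds its reset budget."""
        if conn_id in self.closed:
            return "close"
        if frame_type == "HEADERS":
            self._open_streams[conn_id] += 1
            return "accept"
        if frame_type == "RST_STREAM":
            # The stream is cancelled, but the request work it triggered was
            # already scheduled; that asymmetry is what the attack exhausts.
            self._open_streams[conn_id] = max(0, self._open_streams[conn_id] - 1)
            q = self._resets[conn_id]
            q.append(now)
            while q and now - q[0] > self.window:   # forget resets outside the window
                q.popleft()
            if len(q) > self.max_resets:
                self.closed.add(conn_id)
                return "close"
        return "accept"

    def open_streams(self, conn_id: str) -> int:
        return self._open_streams[conn_id]


def simulate(guard: ResetFloodGuard, conn_id: str, pairs: int, interval: float) -> int:
    """Feed `pairs` HEADERS+RST_STREAM pairs spaced `interval` seconds apart
    (synthetic timestamps, no network) and return the index of the pair at
    which the guard closed the connection, or -1 if it never did."""
    t = 0.0
    for i in range(pairs):
        guard.handle_frame(conn_id, "HEADERS", t)
        if guard.handle_frame(conn_id, "RST_STREAM", t) == "close":
            return i
        t += interval
    return -1


if __name__ == "__main__":
    print("flood closed at pair", simulate(ResetFloodGuard(), "flood", 200, 0.001))
    print("browser closed at pair", simulate(ResetFloodGuard(), "browser", 10, 0.5))
```

A client that opens and immediately resets hundreds of streams per second trips the budget on the 51st reset inside the window, while a browser that cancels a few requests now and then never gets near it. The count of still-open streams is tracked separately because a flood that never resets is a different problem, bounded by the server's concurrent-stream limit rather than by this guard.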

Critical Vulnerabilities Affecting Microsoft Windows

CVE-2023-35349 and CVE-2023-36697 are Critical remote code execution (RCE) vulnerabilities affecting Microsoft Message Queuing (MSMQ), and both have a CVSS score of 9.8. MSMQ has been highlighted in past blogs and continues to be patched. To exploit either vulnerability, an attacker would have to send a specially crafted malicious MSMQ packet to an MSMQ server, leading to remote code execution. The Windows component must be enabled for a system to be vulnerable. Microsoft recommends checking whether the “Message Queuing” service is running and TCP port 1801 is listening on the machine; if the service is running but not being used, consider disabling it.

CVE-2023-41765, CVE-2023-41767, CVE-2023-41768, CVE-2023-41769, CVE-2023-41770, CVE-2023-41771, CVE-2023-41773, CVE-2023-41774 and CVE-2023-38166 are Critical RCE vulnerabilities affecting Layer 2 Tunneling Protocol, and all have a CVSS score of 8.1. For an attacker to take advantage of these vulnerabilities, they would need to win a race condition by sending specially crafted protocol messages to a routing and remote access service (RRAS) server. This can lead to remote code execution (RCE) on the targeted server.

CVE-2023-36718 is a Critical RCE vulnerability affecting Microsoft Virtual Trusted Platform Module with a CVSS score of 7.8. Successful exploitation of this vulnerability relies on complex memory-shaping techniques, and the attacker must already have privileges in the target environment. Operating as a guest user within the virtual machine, an attacker could potentially escape the isolated machine and access resources outside of that protected device.

Severity | CVSS Score | CVE            | Description
Critical | 9.8        | CVE-2023-35349 | Microsoft Message Queuing Remote Code Execution Vulnerability
Critical | 9.8        | CVE-2023-36697 | Microsoft Message Queuing Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41765 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41767 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41768 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41769 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41770 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41771 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41773 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41774 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-38166 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 7.8        | CVE-2023-36718 | Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability

Table 4. Critical vulnerabilities in Windows 

Out-of-Band Patches for Zero-Day Vulnerabilities Affecting Edge, Teams, Skype and Visual Studio

CVE-2023-4863 is a Critical heap buffer overflow vulnerability in libwebp (WebP image library) in Chromium Open Source Software (OSS) that is utilized by Microsoft Edge (Chromium-based) and has a CVSS score of 8.8. This allows for a remote attacker to perform an out-of-bounds memory write via a specially crafted HyperText Markup Language (HTML) page. Microsoft released security updates to VP9 Video Extension, Skype, WebP Image Extension, Teams and Edge (Chromium-based) on October 4, 2023. The proof-of-concept has already been publicly disclosed and is actively being exploited.

CVE-2023-5346 is a High severity type confusion vulnerability in V8, the JavaScript engine used by Microsoft Edge (Chromium-based). The vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HyperText Markup Language (HTML) page. Microsoft released security updates to Microsoft Edge (Chromium-based) on October 4, 2023.

Severity | CVSS Score | CVE           | Description
Critical | 8.8        | CVE-2023-4863 | Chromium: CVE-2023-4863 Heap buffer overflow in WebP
High     | 8.8        | CVE-2023-5346 | Chromium: CVE-2023-5346 Type Confusion in V8

Table 5. Vulnerabilities in Chromium, Edge, Teams, Skype and Visual Studio

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched — as is also the case for the ProxyNotShell vulnerabilities. It’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.


CrowdStrike Partners with Box to Add Automated Protections Against Security Breaches and Data Loss

11 October 2023 at 20:29

The risk of cyberattacks continues to grow for small to medium-sized businesses (SMBs). Today, a staggering 70% of cyberattacks target SMBs, a scourge that cost organizations with fewer than 500 employees an average of $3.31 million USD in 2022, up 13.4% over the previous year.  

Adversaries tend to take the path of least resistance. This often means targeting small businesses, which face many of the same security threats as large organizations but lack the resources to defend against them. Today’s businesses face a barrage of attacks, including malware, ransomware, insider threats, phishing and identity-related attacks. Despite this risk, more than 50% of small businesses have no cybersecurity measures in place. 

This is partly because some businesses wrongly believe they’re too small to be targeted, even though many possess valuable data attackers want, including personal and financial information. Cost is another major roadblock, as many SMBs lack the resources to hire and retain in-house security teams or acquire, manage and maintain multiple systems. 

Facing these headwinds, how can businesses mount a strong defense without overspending on a stack of point security solutions that can be costly, complex and ineffective? 

One answer lies in cybersecurity consolidation, a strategy that involves using fewer vendors to improve security outcomes. CrowdStrike sits at the center of the cybersecurity ecosystem, working with hundreds of partners to deliver simple and effective security outcomes — often through integrations with productivity tools that businesses already use. 

We’re pleased to announce a new integration with Box to give joint customers automated protection against security breaches and related data loss. 

Combining the Power of CrowdStrike and Box

Today’s complex threat landscape calls for a collaborative approach that brings together industry-leading technologies and world-class teams to build the strongest defense. CrowdStrike’s partnership with Box includes a new integration that combines Box’s secure content management and collaboration capabilities with CrowdStrike’s industry-leading, AI-powered protection capabilities for automated access control, threat detection and prevention.

Box is trusted by organizations of all sizes, including small and medium-sized businesses, to help them securely manage their content in the cloud. For small businesses in particular — many of which struggle with security — this partnership equates to more robust security protocols with little effort required. Likewise, even fully staffed and provisioned enterprises can benefit from the comprehensive visibility into, and control over, end-user behavior, device activity and data access offered by this integration. Now, organizations can more securely share, manage and collaborate with files and other types of content from any device, across any application, regardless of location, network and cloud.

How the Integration Works

Box leverages CrowdStrike Falcon® Zero Trust Assessment, a CrowdStrike Falcon® platform capability, to extend Box’s protection boundary across the entire cloud and device estate. When data moves to or from Box, a risk score based on end user or device behavior is assigned. If that score exceeds a threshold set by an organization’s security teams, Box customers will be alerted and a remediation action — such as a user logout, revoked access or terminating syncs from Box Drive — will automatically be triggered based on an organization’s granular controls and settings in Box.

This automated workflow bridges IT and security to both make life easier for analysts and secure the entire movement of data as it flows from endpoint to cloud to applications. The automation uses contextual insights from the Falcon platform to evaluate risks in real time and prevent complex malware, ransomware and other suspicious activities. 

The integration will be available for joint customers using Box Shield and any Falcon platform offering that includes endpoint protection. For small businesses, this includes CrowdStrike Falcon® Go, an affordable, next-gen antivirus solution designed to protect small business, and CrowdStrike Falcon® Pro, a similar offering that includes built-in threat intelligence from CrowdStrike. 

Visit CrowdStrike’s virtual booth at BoxWorks for a limited-time offer on Falcon Go and Falcon Pro!

Need of the Hour

During a time of heightened security risk, the need of the hour is to help businesses securely share, manage and collaborate on content from any device and across any application. And critically, for SMBs and other resource-strapped organizations, these security solutions can’t hinder productivity or require complex and costly deployments. 

Through our partnership with Box, CrowdStrike continues to meet businesses where they are, providing frictionless security solutions that protect information inside and outside of the company perimeter without getting in the way of work. 

The new integration is expected to be available for Box and CrowdStrike customers at the end of the year. Specific pricing and packaging will be announced upon general availability. 

Additional Resources

  • Read the press release for more details.
  • Start a free 15-day trial of Falcon Go, affordable cybersecurity designed to protect small businesses.
  • Watch an on-demand demo of CrowdStrike’s pioneering cloud-delivered endpoint protection platform in action.
  • Want to learn more about cybersecurity issues impacting small and medium-sized businesses? Check out our four-part CrowdCast series for Cybersecurity Month 2023 — attend any or all of these interactive sessions or watch them on demand.

How Well Do You Know Your Attack Surface? Five Tips to Reduce the Risk of Exposure

In an increasingly connected digital landscape, the security of your organization’s data and publicly facing assets is more critical than ever. According to the CrowdStrike 2023 Threat Hunting Report, more than 20% of all interactive intrusions are associated with the exploitation of public-facing applications. As an organization’s attack surface expands and cyberthreats proliferate, it is imperative IT and security teams take a proactive approach to safeguarding their digital footprint. This starts with implementing a strong exposure management program across the entire enterprise that drastically reduces all attack surface risks.

Do You Really Know Your Organization’s Attack Surface?

To stop an attack before it begins, you must first understand where critical exposures exist. You can think of your organization’s external attack surface as all of the doorways through which an attacker might attempt to sneak in. This includes anything from domain names, SSL certificates and protocols to operating systems, IoT devices and network services. These assets are scattered across on-premises environments, cloud environments, subsidiaries and third-party vendors, and they represent many of the easiest entry points to internal networks and the sensitive data they contain. 

Building a Successful Exposure Management Strategy with EASM

In an age where unknown entryways can lead to invaluable troves of information, external attack surface management (EASM) can find doors that may be left open. CrowdStrike Falcon® Exposure Management finds those potential access points before adversaries do. 

Our EASM technology, as part of Falcon Exposure Management, uses a proprietary engine to continuously scan the entire internet, enabling organizations to see their attack surface from an adversary’s perspective. The digital footprint of an organization is simple to generate, using only a company’s root domain. Once generated, it gives security teams a complete view of all of their internet-facing assets, including those on-premises and in the cloud. All exposed assets are automatically classified, analyzed and rated with a contextualized risk score, allowing teams to fix first what matters most.  

Reducing the size of your attack surface can minimize the risk of a breach. By following the five tips below, organizations can reduce the number of opportunities an adversary has, strengthen their cybersecurity posture and proactively protect valuable assets from malicious actors. 

Top Tips to Reduce External Attack Surface Exposures

  1. Do not allow Remote Desktop Protocol (RDP) connections from outside your organization’s networks

There are plenty of products and open source solutions offering remote access to company resources. When RDP is opened to the internet, it is often not monitored and is susceptible to attacks.

How: 

  • Stand up a server that sits outside of your network perimeter
  • Install nmap or any other network scanner you’re comfortable with
  • Grab a list of your IP ranges
  • Set up a cron job to scan continuously for port 3389
  • Grab the logs weekly 
  • Use this list to figure out the person inside your organization who owns or is responsible for each host that has responded on port 3389
    • Clues:
      • Domain name (if applicable)
      • IPAM IP range notes
      • Login banners
  • For any hosts that MUST have RDP exposed to the internet, enable multifactor authentication (MFA), remove them from your scan script above and continue the process of scanning
  • Use Network Level Authentication, a Remote Desktop Services feature that requires a user to authenticate before connecting to the server
  2. Avoid allowing directory listing on your web servers

Directory listings expose the server to traversal attacks and a large variety of vulnerabilities. Moreover, the web server may contain files that shouldn’t be exposed through links on the website. Ensure your server does not expose directory listings, and if it must, make sure the directories do not contain sensitive information. 

How: 

  • Stand up a server that sits outside of your network perimeter 
  • Install nmap or any other network scanner you are comfortable with
  • Grab a list of your IP ranges
  • Set up a cron job to scan continuously for open HTTP 
  • Grab the logs weekly 
  • For every host answering on an HTTP or HTTPS port, use this list as an input for your web app scanning tool of choice (such as nikto or dirsearch)
  • For any host allowing directory traversal, figure out the person inside your company who owns or is responsible for this website
    • Clues:
      • Domain name (if applicable)
      • IPAM IP range notes
      • Login banners
      • Other website info
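The two scan-and-triage procedures above (exposed RDP, and open HTTP for the web scanner) share one loop: scan your ranges from outside, keep the output, map each responding host to an owner using the IPAM notes and other clues, and drop the hosts already approved as exceptions. The following Python is an added example, not CrowdStrike tooling, that parses nmap's grepable output (`-oG`) and does that triage; the scan output, IPAM notes, exception list and addresses are all constructed (the addresses come from the reserved documentation ranges).

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed nmap -oG output, as produced by: nmap -p 3389,80,443 -oG - <ranges>
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -p 3389,80,443 -oG - 192.0.2.0/24 203.0.113.0/24
Host: 192.0.2.10 (jump01.example.com)\tStatus: Up
Host: 192.0.2.10 (jump01.example.com)\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (2)
Host: 192.0.2.23 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (1)
Host: 192.0.2.77 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 80/closed/tcp//http///\tIgnored State: filtered (1)
Host: 203.0.113.5 (dev.example.com)\tPorts: 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (2)
# Nmap done
"""

WATCHED_PORTS = {3389: "RDP", 80: "HTTP", 443: "HTTPS"}

# Constructed IPAM notes (CIDR -> owner): the "clues" used to find who owns a host.
IPAM_NOTES = {
    "192.0.2.0/26": "Corp IT (it-ops@example.com)",
    "192.0.2.64/26": "Marketing web team (web@example.com)",
    "203.0.113.0/24": "Dev lab (dev@example.com)",
}

# Hosts approved to keep RDP exposed (MFA enforced); they are not re-reported.
APPROVED_RDP: Set[str] = {"192.0.2.10"}

# -oG port records look like: Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/...
HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")


def parse_nmap_grepable(text: str) -> Dict[str, dict]:
    """Return {ip: {"hostname": str, "open_ports": set[int]}} from -oG output."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comments and "Status: Up" lines carry no port data
        ip, hostname, ports = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "open_ports": set()})
        for spec in ports.split(","):
            fields = spec.strip().split("/")
            port, state = int(fields[0]), fields[1]
            if state == "open":
                entry["open_ports"].add(port)
    return hosts


def owner_for(ip: str, ipam: Dict[str, str] = IPAM_NOTES) -> str:
    """Map an address to the owner recorded for its IPAM range."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in ipam.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return "unknown (check domain name / login banner)"


def find_exposures(hosts: Dict[str, dict], approved_rdp: Set[str] = APPROVED_RDP) -> List[dict]:
    """One finding per watched open port, skipping approved RDP exceptions."""
    findings = []
    for ip, info in sorted(hosts.items()):
        for port in sorted(info["open_ports"]):
            if port not in WATCHED_PORTS:
                continue
            if port == 3389 and ip in approved_rdp:
                continue
            findings.append({"ip": ip, "hostname": info["hostname"] or None,
                             "service": WATCHED_PORTS[port], "owner": owner_for(ip)})
    return findings


def web_scan_targets(hosts: Dict[str, dict]) -> List[str]:
    """Hosts answering on HTTP/HTTPS: the input list for a web scanner such as nikto or dirsearch."""
    return sorted(ip for ip, info in hosts.items() if info["open_ports"] & {80, 443})


if __name__ == "__main__":
    parsed = parse_nmap_grepable(SAMPLE_SCAN)
    for f in find_exposures(parsed):
        print(f"{f['ip']:14} {f['service']:5} owner: {f['owner']}")
    print("web scan targets:", web_scan_targets(parsed))
```

On the constructed scan, the approved jump host drops out, the Marketing-owned host with RDP open and the Corp IT host answering on 80/443 are reported with their owners, and the `filtered` result from the dev lab is correctly not treated as exposed. Feeding the script each week's saved `-oG` file, rather than the live scan, keeps the weekly review reproducible.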
  3. Place test environments behind a VPN

Ensure none of your development, staging or test environments is exposed to the internet. These environments are often not well-secured and in many cases have access to restricted resources.

How: 

  • Identify all of your production environments:
    • Have a clear list of domains and IP ranges from IT admin, content delivery network providers and web application firewall providers
    • Query whois reverse search under your organization name (there are multiple vendors and open source tools for this) 
  • All other environments (domains, subdomains and machines with external-facing IPs) should be protected with a VPN and MFA
  4. Avoid hostile subdomain takeovers

Confirm none of your subdomains is expired or points to third-party pages and accounts that no longer exist, as it might be vulnerable to hostile subdomain takeovers. If you find such subdomains, reconfigure the DNS settings or remove the DNS entry pointing to the external service.

How: 

  • Talk to your IT admin team and get access to your DNS (may be route53, may be self-hosted)
  • Do a zone transfer on all of the domains your organization owns
  • Get a list of all of your IP ranges
  • Parse the IP addresses against your known IP range list
  • For any IPs that aren’t part of your infrastructure, figure out who they belong to (whois lookup, published list of cloud provider IP ranges)
  • Determine if they are pointing at anything you know you own
  • Any unused subdomain should be retired properly:
    • Use “Null MX” record
    • Use DMARC configuration to prevent any email from being sent on behalf of the sub/domain
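The zone audit above (zone transfer, compare the addresses against your own ranges, look at where CNAMEs point, retire what is unused) can be automated once the records are in hand. The following Python is an added example, not CrowdStrike tooling, that runs those checks over a constructed zone export; the zone, the owned ranges and the external-service suffixes are assumptions (`cloudfront.net` is mentioned elsewhere on this page, `example-saas.net` is a placeholder), and the retirement records follow the Null MX and DMARC advice in the list above.

```python
import ipaddress
from typing import List, Tuple

# Constructed zone export, (name, type, value), as a zone transfer or hosted-zone
# dump would give it. example.com and the documentation IP ranges are placeholders.
ZONE_RECORDS: List[Tuple[str, str, str]] = [
    ("www.example.com.", "A", "192.0.2.15"),
    ("api.example.com.", "A", "198.51.100.40"),                       # not in our ranges
    ("blog.example.com.", "CNAME", "example-blog.hosted.example-saas.net."),  # placeholder SaaS
    ("shop.example.com.", "CNAME", "www.example.com."),
    ("old-campaign.example.com.", "CNAME", "d0000000000000.cloudfront.net."),
]

OWNED_RANGES = ["192.0.2.0/24", "203.0.113.0/24"]

# CNAME targets under these suffixes are external; each needs proof the target
# resource still exists and is still ours, or the record should be removed.
EXTERNAL_SUFFIXES = (".cloudfront.net.", ".example-saas.net.")


def is_owned(ip: str) -> bool:
    """True when the address falls inside one of our published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in OWNED_RANGES)


def audit_zone(records: List[Tuple[str, str, str]]) -> List[dict]:
    """Flag A records outside our ranges and CNAMEs to external services."""
    names = {name for name, _, _ in records}
    findings = []
    for name, rtype, value in records:
        if rtype == "A" and not is_owned(value):
            findings.append({"name": name, "value": value,
                             "issue": "A record outside owned IP ranges; whois the address"})
        elif rtype == "CNAME":
            if value in names:
                continue  # points at another name in our own zone
            if value.endswith(EXTERNAL_SUFFIXES):
                findings.append({"name": name, "value": value,
                                 "issue": "CNAME to external service; confirm the target still exists"})
    return findings


def retirement_records(name: str) -> List[Tuple[str, str, str]]:
    """Records that retire an unused subdomain: a Null MX (RFC 7505) so it
    accepts no mail, and a DMARC reject policy so no mail is sent in its name."""
    return [
        (name, "MX", "0 ."),
        ("_dmarc." + name, "TXT", '"v=DMARC1; p=reject; sp=reject"'),
    ]


if __name__ == "__main__":
    for f in audit_zone(ZONE_RECORDS):
        print(f"{f['name']:28} {f['issue']} ({f['value']})")
    for rec in retirement_records("old-campaign.example.com."):
        print(rec)
```

The audit reports the API host whose address is not in any owned range, the blog CNAME into a SaaS provider, and the old campaign name still pointed at a CDN distribution; the shop alias is left alone because it resolves inside the zone. Whether a flagged CNAME is actually dangling still needs the manual step from the list: confirm the provider-side resource exists and belongs to you, and if not, remove the record or retire the name.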
  5. Enforce input validation

Enforce input validation on all internal and external inputs to prevent injection attacks. Input validation best practices include: predefining input size limitation per field and type (str/int if applicable), applying maximum retries for password and user fields, and enforcing backend strict logic to prevent injections (prepared statements with parameterized queries, stored procedures, escaping all user inputs, etc.).

How: 

  • Form fields
  • Uniform resource identifiers (URIs)
  • APIs
  • Attachments
  • And more
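The three practices named in tip 5 (a size and type limit per field, a maximum number of retries on the login fields, and strict back-end logic such as parameterized queries) fit together as follows. The Python below is an added example, not CrowdStrike code; the field rules, the attempt limit and the small SQLite table are assumptions chosen to show the pattern, and the one input that looks like an injection attempt is a textbook test string used only to show it is rejected and, even past validation, treated as data.

```python
import re
import sqlite3
from typing import Any, Dict, List, Optional, Tuple

# Hypothetical per-field rules (assumption): a size limit and a type for every field.
FIELD_RULES: Dict[str, dict] = {
    "username": {"type": str, "max_len": 32, "pattern": re.compile(r"^[A-Za-z0-9_.-]+$")},
    "age": {"type": int, "min": 0, "max": 150},
}
MAX_LOGIN_ATTEMPTS = 5  # illustrative retry cap for the user/password fields


def validate(payload: Dict[str, Any], rules: Dict[str, dict] = FIELD_RULES) -> List[str]:
    """Return validation errors for a request payload; an empty list means accept."""
    errors: List[str] = []
    for field, rule in rules.items():
        if field not in payload:
            errors.append(f"{field}: missing")
            continue
        value = payload[field]
        if type(value) is not rule["type"]:        # exact type: bool does not pass as int
            errors.append(f"{field}: expected {rule['type'].__name__}")
            continue
        if rule["type"] is str:
            if len(value) > rule["max_len"]:
                errors.append(f"{field}: longer than {rule['max_len']} chars")
            elif not rule["pattern"].match(value):
                errors.append(f"{field}: contains disallowed characters")
        elif not rule["min"] <= value <= rule["max"]:
            errors.append(f"{field}: out of range")
    for field in payload:
        if field not in rules:
            errors.append(f"{field}: unexpected field")  # reject what the form never defined
    return errors


class LoginAttemptLimiter:
    """Cap failed login attempts per account (the 'maximum retries' practice)."""

    def __init__(self, max_attempts: int = MAX_LOGIN_ATTEMPTS):
        self.max_attempts = max_attempts
        self._failures: Dict[str, int] = {}

    def allowed(self, username: str) -> bool:
        return self._failures.get(username, 0) < self.max_attempts

    def record_failure(self, username: str) -> None:
        self._failures[username] = self._failures.get(username, 0) + 1

    def reset(self, username: str) -> None:
        self._failures.pop(username, None)  # on successful login or by an administrator


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 34), ("bob", 27)])
    return conn


def find_user(conn: sqlite3.Connection, username: str) -> Optional[Tuple[str, int]]:
    """Parameterized query: the driver binds `username` as a value, never as SQL text."""
    return conn.execute(
        "SELECT username, age FROM users WHERE username = ?", (username,)
    ).fetchone()


if __name__ == "__main__":
    print(validate({"username": "alice", "age": 34}))
    print(validate({"username": "' OR '1'='1", "age": 34}))
    print(find_user(make_db(), "' OR '1'='1"))
```

Validation rejects the malformed username before any query runs, and even if such a string reached `find_user`, the placeholder binding compares it literally against the column and finds no row. The limiter is deliberately separate from validation: a well-formed password that is simply wrong should still count toward the retry cap.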

Bonus Tip: Continuously monitor your attack surface

Securing an expanding attack surface is challenging. The dynamic nature of most modern IT ecosystems means secure assets can suddenly become exposed unknowingly due to an error, misconfiguration or simple oversight. This category of forgotten assets can grow for many reasons: employees with revoked access, engineers with lingering cloud token permissions, or unmaintained databases that should have never been exposed in the first place. Moreover, there are instances of abandoned assets that remain unused or unclassified for extended periods, leaving IT departments without records and, consequently, unable to secure them. Regardless of their origin, these assets present significant security risks.

Having an effective exposure management program enables teams to stay vigilant and proactively monitor and secure entire IT ecosystems, which is essential to safeguarding the entire attack surface. You need a scalable way to monitor your internet-facing assets and discover your unknown exposures and risks in real time.


CrowdStrike Recognized by Forrester as a Leader in Endpoint Security with the Highest Score in the Current Offering Category

19 October 2023 at 14:34

CrowdStrike has been named a Leader in The Forrester Wave™: Endpoint Security, Q4 2023, the latest recognition in a string of accolades for our market-leading cybersecurity solutions delivered from the unified, AI-native CrowdStrike Falcon® platform. 

In the report, Forrester identified the 13 most significant endpoint security providers and researched, analyzed and scored them based on 25 criteria. Our highlights include:

  • CrowdStrike achieved the highest score in the Current Offering category out of all 13 vendors evaluated and received the highest score possible in 15 of 25 criteria, more than any other vendor evaluated. 
  • CrowdStrike was recognized by Forrester as a “dominant endpoint” solution with “superior vision,” earning the highest score possible in this criterion. CrowdStrike focuses on stopping adversaries with the “lowest impact on endpoint performance,” the report states.
  • The company was also cited as “a good fit for customers who are interested in evolving to EDR or XDR….”
  • The Falcon platform was noted as an “attractive endpoint security solution even for small and medium-sized business (SMB) customers.”

Providing a Seamless Transition to XDR

Endpoint security needs to be the foundation of a strong cybersecurity strategy. Nearly 90% of successful attacks start at the endpoint, as adversaries look to gain a foothold to launch identity-based attacks, pivot to cloud infrastructure, exploit vulnerabilities and more. And once adversaries gain entry, they move quickly: the average breakout time is down to only 79 minutes, and the fastest observed time in the last year was a mere 7 minutes.

To match and exceed the speed and sophistication of today’s adversaries, organizations must prioritize endpoint security as a foundation — delivered from a unified platform that provides powerful capabilities beyond traditional endpoint protection and covers the extended attack surface across cloud, identity, data and more. In the report, Forrester suggests that endpoint security customers should look for providers that “provide a seamless transition to EDR or XDR.” This has long been a top priority for CrowdStrike. 

Since starting as an endpoint security company in 2011, CrowdStrike has continued to innovate and was recognized in the Wave for adding more protection to its dominant endpoint solution and for having a “full set of prevention functions using a single endpoint agent.” Last year, CrowdStrike was named a Leader in The Forrester Wave™: Endpoint Detection And Response Providers, Q2 2022, which stated that CrowdStrike “dominates in EDR while building its future in XDR and Zero Trust.”

This year, Forrester gave CrowdStrike the highest score possible in the “vision” criterion in The Forrester Wave™: Endpoint Security, Q4 2023, stating: “CrowdStrike’s superior vision focuses on how adversaries will attack the enterprise and how to prevent it from happening, as opposed to cleaning up the mess later, while having the lowest impact on endpoint performance.” 

Empowering Businesses to Do More with Less

The Forrester report recommends that endpoint security customers look for providers that “extend the ability to do more with less,” referencing cybersecurity staffing challenges and the trend toward cybersecurity consolidation.

The Falcon platform’s ability to reduce complexity and make teams faster was recently on display at Fal.Con 2023, the company’s marquee annual event and cybersecurity’s must-attend conference. CrowdStrike showed impressive demonstrations of Charlotte AI, the engine powering the portfolio of generative AI capabilities across the platform utilizing CrowdStrike’s high-fidelity data advantage. Charlotte AI makes security analysts better and faster at their jobs by enabling them to rapidly surface the information they need to make smarter decisions. 

Watch demos of the Falcon platform in action

CrowdStrike also recently announced the Raptor release of the industry-leading Falcon platform, further enabling the petabyte-scale, lightning-fast data collection, search and storage that customers need to stay ahead of rapidly evolving adversary tradecraft and stop breaches. With this update, all CrowdStrike EDR customers now get native XDR to accelerate investigations with comprehensive endpoint, identity, cloud and data protection telemetry from across the Falcon platform.

Engineered for Every Business

The unified, AI-native Falcon platform enables customers to consolidate cybersecurity via one lightweight sensor and command console to secure the entire IT infrastructure. This is particularly useful for businesses looking to reduce cost and complexity while improving security outcomes, including small and medium-sized businesses (SMBs).

Said the Forrester report: “CrowdStrike’s improvements to its protection engines have allowed it to bring its EDR solution to customers who are looking for a solid prevention foundation without needing deep detection investigations. While often thought of as an enterprise-only solution, CrowdStrike’s inclusion of functions like secure configuration management and reporting and extensive attack remediation capabilities has made this an attractive endpoint security solution even for SMB customers.”

Recent Recognition

CrowdStrike is consistently recognized for its leadership and the strength of our foundational endpoint security technology. Below is a roundup of other recent awards and recognition for CrowdStrike’s endpoint solutions: 


Patch Tuesday Turns 20: The Growth and Impact of Microsoft’s Vulnerability Problem

19 October 2023 at 20:53

Twenty years ago, Microsoft introduced the concept of Patch Tuesday to “reduce the burden on IT administrators by adding a level of increased predictability and manageability.” The goal of Patch Tuesday was to provide needed structure around what was largely an ad hoc process. 

By consolidating the majority of security updates and required patches into a planned release cycle, IT departments and system administrators could better plan and allocate resources to eliminate some of the chaos that followed a patch release. To this day, Patch Tuesday persists. Microsoft still releases security updates on the second Tuesday of every month. 

But while the schedule has remained constant — with exceptions for occasional emergency fixes — the world has changed since October 2003. To support remote work, organizations raced into the digital age by rapidly moving to the cloud and eliminating traditional security perimeters. The number of endpoints, connected devices, applications and cloud estates that need to be managed has skyrocketed, creating a broader surface for vulnerabilities to manifest. 

The Microsoft product ecosystem has also grown dramatically, covering a range of technology, software, applications, cloud offerings and more. This has resulted in a larger number of vulnerabilities spanning the technology stack and an expansion of enterprise risk. The burden of dealing with this massive growth in vulnerabilities — and cyberattacks targeting them — is too often shifted from the vendor to the customer. 

This is why for many security and IT teams, Patch Tuesday is no longer a beacon of hope in the chaos of patching. It has become emblematic of the nightmare they face each month as they race to prioritize patches, understand the downstream impact and act before an adversary can exploit the vulnerabilities putting them at risk. 

20 Years Later: Microsoft’s Vulnerability Problem Has Grown

The ubiquity of Microsoft products and volume of Microsoft vulnerabilities have created a massive attack surface. This shouldn’t be a surprise given the popularity of Microsoft’s operating system and office software. One survey found “Microsoft Windows is the most widely used computer (desktop, tablet and console) operating system (OS) in the world.”

Adversaries constantly seek weak points in potential victims’ environments. And as we’ve seen with the growth of Patch Tuesday over the years, Microsoft vulnerabilities provide a broad landscape for adversaries to target. 

Since Patch Tuesday began, Microsoft has issued more than 10,900 patches, most of them in just the last few years. Since 2016, Microsoft has patched 124 unique zero-day vulnerabilities, 1,200+ unique vulnerabilities classified as Critical and 5,300+ rated as Important in severity. More than 630 exploits exist for Critical and Important vulnerabilities. In 2023 alone, Microsoft has already issued patches for more than 800 vulnerabilities.

This data can be found at CVE Details.

These numbers may seem high, but they actually understate the scale of the problem. If the 1,200+ unique Critical vulnerabilities Microsoft has patched since 2016 are counted once per affected Microsoft product, the total rises to roughly 21,000. Most Microsoft patches address multiple affected products with a single install, but there are always exceptions, and the patching process varies by product.

The massive growth of Microsoft’s vulnerability problem has more than offset efficiencies gained through tinkering with the patching process. For many security and IT teams, Patch Tuesday has become more of a burden. They need to scramble to figure out which vulnerabilities to prioritize, which put them most at risk, which could have downstream impact on IT and which could make or break the business. It often seems that just as the team is figuring out what to prioritize, another batch of vulnerabilities drops.

This has a huge impact in terms of time, cost, resources and risk. According to the Infosec Institute, the average time it takes to patch a vulnerability can be anywhere from 60 to 150 days. Some security and IT teams take “at least 38 days to issue a patch.” The pace of patching is no match for the speed of the modern adversary and its ability to exploit vulnerabilities.

If a vulnerability isn’t patched fast enough and a breach occurs, the victim is often blamed for falling short of security practices and failing to patch. This ignores the fact that the sheer scale of Microsoft vulnerabilities has once again shifted the burden back to the customer — a burden that grows as adversaries continue to weaponize vulnerabilities.  

Microsoft Vulnerabilities: The Attack Surface of the Modern Adversary

Microsoft product vulnerabilities have become the de facto attack surface of the modern adversary. It shouldn’t be surprising that adversaries are weaponizing this growing problem.  

According to research published by the Cybersecurity and Infrastructure Security Agency (CISA), four of the 12 Top Routinely Exploited Vulnerabilities are in Microsoft products. CISA also noted Microsoft topped the list of exploited CVEs used in ransomware attacks. More than 40% of the vulnerabilities exploited to deploy ransomware are associated with Microsoft products.

Not only are adversaries exploiting existing flaws, they’re also ushering in a new era of “vulnerability rediscovery.” The CrowdStrike 2023 Global Threat Report found adversaries are modifying or reapplying the same exploit to target other, similarly vulnerable products. They’re also circumventing earlier patches. 

As an example of this activity, the report highlights “… the proxy mechanisms exploited to compromise Microsoft Exchange during ProxyLogon and ProxyShell campaigns in 2021 were targeted again in Q4 2022, this time using an authenticated variation called ProxyNotShell (CVE-2022-41040 and CVE-2022-41082). ProxyNotShell mitigations were subsequently bypassed when ransomware-affiliated actors used an alternative exploitation vector that abused CVE-2022-41080 to accomplish the same objectives.” 

Modern adversaries are faster, smarter and more ruthless than ever, while the volume of vulnerabilities and the process of testing and patching can slow down teams trying to protect their organizations from attacks.  

Patch Tuesday was supposed to give security and IT teams an advantage against the adversary, but the sheer volume of Microsoft vulnerabilities over the last several years has had the reverse effect. Patching systems, changing configurations and similar actions impact the tools and workflows of business. These changes can have a material impact on productivity. This is compounded by the risk of not patching. The speed at which adversaries are exploiting vulnerabilities continues to increase. 

While Patch Tuesday itself is not the problem, it has become emblematic of the broader vulnerability issue that plagues the industry. Until companies like Microsoft start making more secure products by design and alleviate the burden of patching, organizations must understand the risks they face and take proactive steps to discover and prioritize the vulnerabilities that can cause the most damage. 

When it comes to protection, it’s worth asking: Who do you trust? Can you trust the vendor selling security when it’s also responsible for such a high volume of critical vulnerabilities?  


Small Screens, Big Risks: Falcon for Mobile Releases New Innovations to Accelerate Detection and Response for Mobile Threats

20 October 2023 at 16:58

Mobile devices have become critical endpoints for accessing enterprise applications, systems and data. Adversaries know this all too well, as evidenced by the growing number of attacks that target mobile devices. Verizon’s 2022 Mobile Security Index found almost half (45%) of enterprises had suffered a mobile-related compromise in the previous 12 months, almost double the share reported the year prior. 

High-profile attacks leveraging mobile malware continue to happen, such as the Pegasus spyware campaigns reported in 2021 and again in September 2023. While this trend impacts every organization, protecting mobile devices from attack has rapidly become a top priority for small and medium-sized businesses (SMBs). A recent survey shows SMBs spend as much as 70% of their security budget on mobile security.

Mobile threat defense (MTD) refers to the growing technology category aimed at countering security threats on iOS and Android devices. With CrowdStrike Falcon® for Mobile, CrowdStrike’s MTD offering, customers can extend our industry-leading endpoint detection and response (EDR) and extended detection and response (XDR) to Android and iOS devices, enabling them to manage diverse endpoint fleets through a single integrated console. We’re excited to share the following innovations released for Falcon for Mobile aimed at streamlining mobile device enrollment, advancing detection capabilities for mobile-specific adversary tradecraft and accelerating incident response.

Expanded Detection for Advanced Mobile Threats

Custom Indicator of Compromise (IOC) Management 

Falcon for Mobile customers can now author and manage custom indicators of compromise (IOCs). This capability enables our customers to block any domain, IP or subdomain they consider a risk. Many organizations are also using custom IOCs to block traffic to specific apps or browsers, a scenario that has gained prominence with the recent ban of TikTok across government devices. Falcon for Mobile’s custom IOCs can be created and managed via the same CrowdStrike API used for traditional endpoints, enabling customers to retrieve, upload and search for IOCs using indicators provided by threat feeds they have access to. 

Figure 1. Falcon for Mobile allows organizations to create and manage custom IOCs (click to enlarge)

Accelerating Investigations with Automated App Analysis on Android and the Falcon Platform’s Built-in Sandbox 

To reduce response and investigation times, Falcon for Mobile now automatically sends suspicious Android applications to the CrowdStrike Falcon® platform’s built-in sandbox for analysis, enabling organizations to rapidly identify anti-virtualization techniques or attempts by mobile-first adversaries to activate spyware. IT and device managers can then leverage mobile device management (MDM) solutions to globally remove suspicious or malicious apps from devices in their fleets. 

Figure 2. Analysis and report of an Android application in the Falcon platform’s built-in sandbox (click to enlarge)

New Automated Response Integrations   

Automated Response Actions for Mobile Threats

Earlier this year, we launched automated response actions for mobile detections. Through integration with CrowdStrike Falcon® Fusion, CrowdStrike’s integrated security orchestration, automation and response (SOAR) framework, Falcon for Mobile customers can now build and customize automated workflows triggered by mobile detections. This enables organizations of all sizes, especially those with smaller security and IT teams, to scale their output by accelerating detection, investigation and response actions, notably for repetitive, manual tasks. 

With Falcon Fusion, incident responders can configure distinct analyst assignments based on unique threat indicators and can further customize how notifications or tickets are sent (e.g., Slack, PagerDuty, Microsoft Teams, email, ServiceNow, Jira). As shown in Figure 3, we can use the example of a new mobile detection triggering multiple workflows, with one alerting select users based on the severity of the threat, and another alerting other groups of users if the impacted endpoint is an iOS device. 

Figure 3. Falcon Fusion workflow based on a mobile detection alert (click to enlarge)

Automated Mitigation via Mobile Network Containment

Customers can mitigate mobile threats by activating a new Network Containment action in the Falcon console for supervised (iOS) or fully managed (Android) devices. This feature expands Falcon for Mobile’s network preventions, enabling customers to respond to mobile threats using the same containment functionality they use for traditional endpoints within the console. 

For other deployment modes, such as unsupervised or Work Profile devices, this mechanism can be used to enforce conditional access for corporate resources, such as blocking access to enterprise apps to protect a customer’s intellectual property. Network Containment can be enabled manually via the host management console as part of active investigations or can be configured to be triggered automatically as part of a Falcon Fusion workflow (Figure 4).  

Figure 4. Falcon for Mobile customers can configure Falcon Fusion workflows for mobile detections to automate network containment of impacted hosts (click to enlarge)

Falcon for Mobile has also released a new mobile policy to protect devices against man-in-the-middle attacks (MiTM), automating network containment in instances where a user has connected to a rogue WiFi network, as shown in Figure 5. 

Figure 5. Falcon for Mobile customers can now enable automated network containment during MiTM attacks (click to enlarge)

Conditional Access for Corporate Assets 

Falcon for Mobile now enables administrators to enforce conditional access to corporate assets. Users can trigger Falcon Fusion workflows using Falcon for Mobile’s custom IOCs to automatically move compromised devices to different host groups. This allows an administrator to configure the specific network resources a device can access, denying access to sensitive resources or systems whenever a device is under an elevated threat level. 

Figure 6. Falcon Fusion workflow that automatically adds hosts to a new host group if a critical-severity mobile threat is detected (click to enlarge)

Enabling Greater Ease-of-Use

Zero-Touch Deployment 

Our customers have ever-expanding endpoint fleets, elevating the importance of a fast, simplified deployment and enrollment process. To enable accelerated onboarding, Falcon for Mobile customers can automatically deploy and activate the Falcon agent through many commonly used MDMs, eliminating the need for end users to open the CrowdStrike mobile app. This specific functionality is available for supervised iOS devices and for most supervised/unsupervised Android devices.

Customers can now leverage our new MDM enrollments wizard to retrieve and configure the exact settings they need for the MDM used by their organization. The wizard presents the list of values that must be entered in the MDM, along with the option to download a ready-made configuration file for supervised iOS devices.

Figure 7. The Falcon for Mobile MDM enrollments wizard allows users to easily configure profiles for their mobile devices (click to enlarge)

Integrated and Unified Dashboards

To further support accelerated threat hunting and streamlined security operations, CrowdStrike customers can now access Falcon for Mobile dashboards in the UI of the Falcon console. By leveraging a single unified platform to monitor all endpoint classes, customers obtain a holistic understanding of activity that spans devices and identities across their estate. This will enable customers to more easily monitor activity across mobile hosts, including real-time information around OS distribution, platform versions and detections by severity, enabling them to seamlessly drill into activity across their mobile devices as they already do with traditional endpoints. Our intuitively designed dashboards focus analyst attention on critical alerts and surface real-time intelligence to enable accelerated mobile threat hunting.

Figure 8. Users can monitor and manage diverse mobile devices in their fleet in the Falcon console (click to enlarge)

Moreover, each user will be able to customize their dashboards to surface the information that is most pertinent to their organization, with easy-to-use drag-and-drop tiles that list real-time detections, analyze trends over time and provide visual breakdowns of endpoint classes.

Figure 9. Users can customize their mobile dashboards to surface critical indicators for the health of their mobile fleets — this can include recent detections, their CrowdScore over time and tables of jailbroken hosts (click to enlarge)


CrowdStrike Services Offers Incident Response Executive Preparation Checklist

23 October 2023 at 17:01
  • The CrowdStrike Incident Response Executive Preparation Checklist is a template to help organizations consider the roles of their executives before, during and after an incident.
  • CrowdStrike tabletop exercise delivery teams have leveraged this checklist in engagements with Fortune 500 leadership and Boards of Directors.
  • The checklist addresses our most common findings from tabletop exercises: undefined responsibilities for executives, lack of out-of-band communications, missing guidance on conducting investigations under privilege, uncertainty around engaging the Board of Directors and failure to call on third-party support at the appropriate times.
  • Download the CrowdStrike Incident Response Executive Preparation Checklist.

Within your incident response plan, there typically is (or should be) a trigger to notify your executive team of an impending crisis. While many organizations believe they’ve worked out the logistics of gathering leadership on the phone, getting decisions made and garnering their support for the proposed response plan, they often find out in the heat of an incident that the leadership team is miles apart in its understanding of what happens next. Does the CFO know to respond to the text notification to join the bridge? Is the CEO willing to accept advice from a breach coach and external counsel? Is the leadership team well-versed on the new U.S. Securities and Exchange Commission (SEC) rules on cybersecurity incidents?

Of course, this is why you write plans in the first place: to make sure everyone is on the same page about how to respond. But the reality is incident response plans are long, cumbersome documents. If your executives did read the plan, they’re not likely to remember the details by the time an incident rolls around. That’s why many organizations have begun to develop executive checklists or “tear sheets” that briefly summarize major actions and who is responsible. 

Creating a quick reference for executive leaders is one of the most common recommendations CrowdStrike’s Professional Services team makes when conducting tabletop exercises with our customers. So much so that we built a template to share.  

This incident response executive checklist directly speaks to how the security organization can prepare the company’s most influential responders: their C-suite. The ability to engage executives — with their human biases and predispositions — directly affects the success of the security organization during an incident. The checklist draws from our experience both responding to incidents and conducting tabletop exercises with leadership teams. It addresses our most common findings from tabletop exercises: undefined responsibilities for executives, lack of out-of-band communications, missing guidance on conducting investigations under privilege, uncertainty around engaging the Board of Directors and failure to engage third-party support at the appropriate times. The result is a distilled list of key steps we recommend organizations take before, during and after an incident. 

How to Use the Checklist

This checklist provides a starting point. It identifies many of the common crisis management activities business leaders or executives should consider when responding to a cybersecurity incident. It should be updated to focus on the activities that are most important to your organization and should identify the parties responsible for doing them. You may also consider developing checklists specific to each key leadership role to focus on their responsibilities and clarify who does what.

The checklist contains the following sections:

  • Before an Incident: The checklist starts with the actions you should be taking now before you’re in an active incident. This section emphasizes the importance of testing and training with regular tabletop exercises and identifying the third parties you plan to call for help, such as a digital forensics and incident response (DFIR) provider.
  • During an Incident: Next, the checklist walks you through the actions different leaders must take once an incident has been declared — from the legal team invoking privilege to the compliance team evaluating contractual and regulatory requirements. This section makes sure your teams don’t forget key obligations in the heat of an ongoing investigation. 
  • After an Incident: Incidents don’t end once a threat actor is eradicated from the environment. Executives deal with the reputational and financial fallout that often accompanies major breaches. This section describes after-action processes and considerations. 

Your best defense is preparation. How you educate and engage your executive leaders directly impacts the success of your response to an incident. Adapting the CrowdStrike Incident Response Executive Preparation Checklist to your organization — and practicing with regular tabletop exercises — is key to enhancing your readiness. 


Five Reasons Why Legacy Data Loss Prevention Tools Fail to Deliver

24 October 2023 at 14:12

Like so many legacy technologies, legacy data loss prevention (DLP) tools fail to deliver the protection today’s organizations need. Implementation challenges, visibility gaps and inconsistent policies negatively impact customers and make data breaches far too easy for adversaries.

With the global average cost of a data breach reaching a staggering $4.45 million last year, organizations need a way to better secure their data as cloud adoption accelerates and IT environments evolve. But with the continued security talent shortage and a market of ineffective data protection solutions, which struggle even when it comes to compliance, organizations are desperate for a modern alternative. 

This blog post explores where gaps exist in legacy DLP and how CrowdStrike Falcon® Data Protection is redefining the data protection market to stop data breaches.

Where Legacy DLP Solutions Fail to Deliver

If you rely on a legacy DLP product, some of these challenges may sound familiar. 

  1. Unstructured data on endpoints is at great risk of misuse or breach.

The vast majority of sensitive data no longer resides in databases. USB devices are increasingly used to move large files and file batches. Likewise, organizations are hosting more of their data in a variety of public cloud services, web apps and online storage repositories. Unstructured data on these and other egress channels has become the nexus for sensitive data loss, yet many legacy DLP solutions fail to detect it.

  2. More than a third of DLP deployments fail.

Legacy DLP tools often require large-scale, on-premises software and server installations. These deployments don’t scale without great effort, rarely integrate with other security tools and rely on heavy agents that slow down and crash machines. Due to these inept tools, complex deployments and poor strategies, more than 35% of DLP implementations fail.

  3. Most active DLP tools are in monitor-only mode.

Due to complexity, most organizations turn off prevention features and are simply notified after data walks out the door. Even this monitoring capability is problematic, since visibility gaps grow as your business becomes more distributed. Monitor mode doesn’t prevent a breach, and visibility gaps leave security teams without critical insights needed to swiftly respond to threats.

  4. Your data is too complex for legacy DLP tools.

Legacy DLP products overly depend on well-formed data patterns and keywords to detect sensitive data. But organizations now have data with no recognizable content pattern, such as clinical research data, data about business processes and proprietary designs. While security teams can add sensitivity labels to data, that entails a lot of manual work, and any user can change or remove a sensitivity label. It can take security teams a lot of effort to analyze content, which becomes even more frustrating when accuracy is suspect.

  5. DLP tools lack context to stop breaches.

Security teams relying on legacy DLP tools lack visibility into real-world data flows, and they don’t have time to play whack-a-mole with protection rules. As a result, many businesses are overwhelmed by alerts, while being exposed to risks they’re not even aware of. Teams need the ability to find, follow and protect sensitive data. They should know where it originated, where it’s been on its journey, how it’s being copied and used, and who interacted with it. Most legacy DLP solutions simply can’t provide this context.

Introducing the Future of Data Protection

Falcon Data Protection offers a modern approach to securing enterprise data. Powered by the unified CrowdStrike Falcon® platform, Falcon Data Protection provides deep, real-time visibility into what’s happening with your sensitive data, including data artifacts, as they move across web sources, endpoints, USBs, web browsers, cloud and SaaS applications.

With data protection, context is everything. Falcon Data Protection inspects file data as it arrives on the endpoint to identify not only the originating source but unique features within data, allowing it to be tracked as it moves between files. When data egresses from an endpoint, it can be identified as sensitive based on its originating source and content, even if it’s a derivative of the content that was first identified. 

Notably, this similarity detection capability includes preventing data leakage through generative AI tools like ChatGPT. With Falcon Data Protection, security teams can enforce policies for all web-based generative AI tools and trace back derivative content as it’s shared across files and SaaS applications, allowing you to stop malicious and accidental exposures in real time.

Say, for example, an account manager copies a piece of information from Salesforce into Google Docs. Maybe he does this across multiple hosts and it goes downstream, creating derivative content across multiple users. With Falcon Data Protection, you can track the source of that content through all derivatives and downstream sharing, allowing you to enforce the original policy. While legacy DLP tracks the file, Falcon Data Protection tracks the content tied to its context, producing high-fidelity detections and stopping data loss.

Delivered from the Unified Falcon Platform

Falcon Data Protection offers ease of administration and immediate time-to-value because it’s deployed on the industry’s only unified, AI-native security platform, providing exceptional data protection from a single agent and command console. 

If you’re a Falcon platform customer, there’s no extra sensor or installation required to use Falcon Data Protection. One CrowdStrike sensor delivers all of your data protection needs, in addition to industry-leading endpoint, cloud and identity threat protection — providing the visibility and context across all attack surfaces to stop modern attacks.

An organization’s data is among its most valuable assets, and safeguarding it should be a high priority. With Falcon Data Protection, CrowdStrike is reinventing yet another broken legacy market to deliver context-driven data protection from the unified Falcon platform. 

To learn more about CrowdStrike’s modern approach to data protection, register for our upcoming virtual event, “Stop Big Game Hunting Adversaries with Modern Data Protection.”


Protecting Users from Malicious Sites with Falcon for Mobile

By: Ted Pan
26 October 2023 at 16:08

Introduction

Today, mobile devices are ubiquitous within enterprise environments. But their proliferation also gives adversaries yet another attack surface through which they can target users and cause a breach.

From phishing attacks to malicious apps, mobile users tend to let their guard down and potentially click on obfuscated links to malicious sites. Falcon for Mobile protects users by preventing connections to malicious sites on both iOS and Android devices. Some examples of sources for these malicious connections are texts, emails, apps, or even QR codes.

Falcon for Mobile can block navigation to malicious sites and notify the user why the site was blocked, educating the user and reducing risk in the future.

Security administrators can also view reports within the Falcon Console to identify individuals within the organization that may require additional phishing training.


Protecting Mobile Users

When the device attempts to connect to a phishing site, we see that it cannot be reached. The user is protected from the malicious site that could be attempting to harvest their credentials or install malicious software.

Falcon for Mobile also provides a notification as to why the site was blocked. The user can expand the notification to see additional details.

Mobile Prevent

The mobile detection screen in the CrowdStrike Falcon Console is structured in a way that provides an easy way to view mobile threats identified within the environment.

Each line shows a high-level overview of a detection, presenting information such as the threat name, mobile user and device impacted.

An info pane on the right provides additional details about the threat, such as a description of the threat or additional host information.

Mobile Detection Dashboard

The full details show related threat data such as the domain that was blocked as well as a timeline of activities related to this detection.

Mobile Detection Details

An analyst can adjust the case with options such as setting its status, assigning it to another analyst, adding a tag, or adding a comment.

After they’re done, the status will be updated and tracked to ensure resolution of the case.

Mobile Detection Status

Conclusion

As we can see, Falcon for Mobile provides powerful protection that prevents users from unknowingly navigating to malicious sites and accidentally sharing data or credentials.

With phishing attacks being such a common vector for mobile attacks, blocking malicious network connections with Falcon for Mobile helps protect organizations from a breach.


Compromising Identity Provider Federation

  • CrowdStrike’s Incident Response team has seen a recent increase in cases involving adversaries that abuse identity provider federation to gain access to protected services by adding and authorizing rogue domains to federation. From these cases, patterns have emerged that indicate a common attack structure.
  • Monitoring for identity provider abuse can be difficult, given that adversaries do so by leveraging legitimate cloud services, often using compromised accounts for initial access — a reminder that securing identity and authentication services is critical in preventing these attacks.
  • In a recent expansion of CrowdStrike Falcon® Cloud Security detections, CrowdStrike is noting these attacks are prevalent and significant enough to warrant establishing visibility over identity provider management. The indicators of attack discussed in this blog should be considered early indicators that require analysis in context to determine a final verdict on their nature.
  • Since observed attack scenarios predominantly target Microsoft Azure as an identity provider, this blog and the referenced detections focus on that domain.

What Is a Federated Identity Provider? 

A federated identity provider is an outside service provider that has been entrusted by an organization as an authority regarding user authentication and identity management. In the context of a service that leverages single sign-on (SSO), when an individual user requests access to the service, the service contacts the identity provider (IdP) to validate the user’s identity.

This capability enables different identity domains (organized groups of users) to partner with one another in validating users and granting their access to a downstream service, domain or cloud environment without having to replicate or maintain multiple instances of user identities. In this way, if an organization provides a service that has a user population outside of its authentication domain, it can extend access to those outside users by defining a trust relationship with the IdP for that outside user group.

The service provider is trusting that the IdP has performed all relevant authentication actions and verifications, and any subsequent access requests by the user to the service should be considered as authorized.

Okta provides details on federated identity and the role of identity providers in SSO.

The Attack

Adversaries are taking advantage of this architecture by compromising IdPs and modifying them to extend the umbrella of trust to include domains and users controlled directly by the attacker and to expand cross-tenant authentication partnerships. An example attack sequence is depicted in Figure 1.

Figure 1. Illustration of observed IdP compromise (click to enlarge)

Initial Access

The first step in the attack involves establishing access to the IdP’s cloud service provider (CSP) environment at the Control Plane layer with a user account that has permissions to administer resources.

While there are numerous methods that can be used to compromise a user account, CrowdStrike has noted the use of social engineering to obtain credentials as well as the use of self-service password reset to take control of an existing account. Some CSPs attach risk analysis indicators to sign-in activity, and these can be leveraged to spot signs of initial access.

Once credentials are obtained and authentication succeeds, CrowdStrike has observed the adversary using the CSP command line interface for the initial login.

Reconnaissance

Reconnaissance in observed attacks has been focused on obtaining information that can be specifically leveraged to facilitate adding a new domain to federation settings. Observed behaviors during reconnaissance have included:

  • Download users (bulk operation)
  • Download role assignments (bulk operation)
  • Download groups (bulk operation)
  • Get API connectors
  • Get authentication flows policy
  • Get available output claims
  • Get customAuthenticationExtensions
  • Get identity providers
  • Get tenant details
  • Get user flows

It should be noted that CrowdStrike has observed the “get authentication flows policy” action to be extremely common, and by itself, it is not a strong indicator of an attack. It is listed here for reference and is included as part of CrowdStrike Falcon® Cloud Security detection logic as a contributing behavior.

Persistence and Backdoors

Once an attacker has completed their reconnaissance, they move to perform the necessary changes to federation settings to add the domains and user accounts under their control. Actions specifically related to creating a backdoor are listed below:

  • Add unverified domain
  • Add verified domain
  • Verify domain
  • Set domain authentication
  • Update user
  • Set directory feature on tenant

Some attacks may include establishing backdoor access via cross-tenant synchronization, which would be observable via the following:

  • Add a partner to cross-tenant access setting
  • Update a partner cross-tenant access setting
  • Create a partner cross-tenant identity sync setting

Additional actions that have been observed in conjunction with those listed above include the following: 

  • Update named location
  • Add policy
  • Add application
  • Add service principal
  • Add service principal credentials
  • Update application
  • Update service principal
  • Update provisioning setting or credentials
  • Update authorization policy
  • Update authentication flows policy
  • Set company information

As with the behaviors listed as signs of reconnaissance, some of the behaviors CrowdStrike has categorized as persistence and backdoor may also occur in large volume in the normal course of cloud operations. CrowdStrike detections attempt to account for this and only elevate scenarios that resemble a sequence of behaviors that indicate abuse. It is important to evaluate all detections in context before reaching a final verdict.

Actions on Objectives

The primary goal of abusing federated identity providers is to gain access to resources or services that trust the IdP. Abuse of one IdP is likely used to access resources in an external domain, so this scenario should be viewed largely as a method to establish access and maintain persistence via the IdP. 

Some observed actions on objectives related to these attacks include:

  • Creating cloud compute resources or VMs
  • Accessing cloud compute resources and exfiltrating data by exporting virtual disks
  • Obtaining user information from the IdP
  • Accessing data in applications that rely on the IdP access controls
  • Leveraging the Azure run command to deploy other tooling

Why Is It Important to Monitor Changes to Identity Provider Configurations?

Organizations delegate user access controls to outside IdPs, which means the outside IdP is entrusted with maintaining the confidentiality, integrity, and availability of downstream services and data. Identity management and user access control are paramount to information security.

Monitoring for the scenarios outlined above provides customers with early indications of sensitive behaviors — or sequences of behaviors — that CrowdStrike believes warrant awareness and validation. This will give Falcon Cloud Security customers the opportunity to detect these attacks quickly and also obtain evidence that could be useful in incident response activities.  

Falcon Cloud Security Detections

In response to the observed patterns in these attacks, the Falcon Cloud Security team analyzed the prevalence of the noted behaviors and has worked to build detections that attempt to elevate awareness when a matching pattern of activity has occurred. These detections represent a combination of perspectives that warrant awareness and response by security teams.

  1. Configuration changes that rarely occur and have potential for significant abuse
  2. Behaviors that rarely occur in combination with others and may resemble a known attack sequence
  3. Specific behaviors leveraged in these attacks

| Detection Name | Type | Description |
|---|---|---|
| User accounts exported from Active Directory | Behavior | A bulk export was performed of all user accounts in Active Directory. While this could be legitimate Admin behavior, it could also indicate a threat actor is performing reconnaissance of user accounts in an attempt to elevate privileges and move laterally in your tenant. It is recommended this behavior be reviewed to validate the user’s need to export all user accounts and ensure this data is not improperly shared. |
| User groups exported from Active Directory | Behavior | A bulk export was performed of all user groups in Active Directory. While this could be legitimate Admin behavior, it could also indicate a threat actor is performing reconnaissance of user groups in an attempt to elevate privileges and move laterally in your tenant. It is recommended this behavior be reviewed to validate the user’s need to export all user groups and ensure this data is not improperly shared. |
| Role assignments exported from Active Directory | Behavior | A bulk export was performed of all role assignments in Active Directory. While this could be legitimate Admin behavior, it could also indicate a threat actor is performing reconnaissance of role assignments in an attempt to move laterally and escalate privileges in your tenant. It is recommended this behavior be reviewed to validate the user’s need to export all role assignments and ensure this data is not improperly shared. |
| New unverified domain added to tenant | Behavior | A custom domain was added to the Azure Active Directory (Azure AD) tenant. This is often the first step in configuring federated domain authentication. Federated domain authentication is a legitimately used configuration to support using on-premises passwords. Adversaries also leverage this Azure AD feature to create Azure AD persisted backdoors by configuring new federated domains with resources/infrastructure that they control. |
| Guest users given same permissions to Azure AD resources as member users | Behavior | Azure Active Directory was updated to give guest users the same access to Azure AD resources as member users. This setting gives guest users the ability to view and interact with Active Directory resources that they may not need access to and should be reviewed to ensure the access is appropriate. |
| Cross-tenant partner given inbound access | Behavior | A cross-tenant partner was configured in Azure Active Directory to support automatic user consent for inbound access. Cross-tenant synchronization is a legitimately used configuration to automate creating, updating and deleting Azure AD B2B users across different tenants. Adversaries also leverage this Azure AD feature to create persisted backdoors by adding new cross-tenant partners (controlled by the adversaries) to environments they have compromised. |
| Cross-tenant partner user syncing enabled | Behavior | A cross-tenant partner was configured in Azure Active Directory to support inbound user syncing/creation. Cross-tenant synchronization is a legitimately used configuration to automate creating, updating and deleting Azure AD B2B users across different tenants. Adversaries also leverage this Azure AD feature to create persisted backdoors by adding new cross-tenant partners (controlled by the adversaries) to environments they have compromised. |
| New federated domain added to Azure Active Directory | Behavior | A domain was configured in Azure Active Directory to support federated authentication. Integrating Azure AD with on-premises Active Directory using Active Directory Federation Services (AD FS) is a legitimately used configuration to support using on-premises passwords. Adversaries also leverage this Azure AD feature to create Azure AD persisted backdoors by configuring new federated domains with resources/infrastructure that they control. |
| Virtual machine disk exported by user | Behavior | A virtual machine disk was made available for download/export by a user account. Review the activity and validate the user’s need to export the disk, as this may be a way for an attacker to collect and exfiltrate data stored on the disk. |
| Default cross-tenant synchronization policy allows outbound automatic user consent | Configuration | In a breach scenario, an attacker can utilize automatic outbound user consent within a cross-tenant synchronization policy to sync the compromised user account into a partner tenant and grant attacker access using the same initially compromised credentials. It is not recommended to allow automatic outbound user consent. |
| Partner cross-tenant synchronization policy allows inbound user sync | Configuration | In a breach scenario, an attacker can utilize inbound identity synchronization within a cross-tenant synchronization policy to sync the compromised user account into a partner tenant and grant attacker access using the same initially compromised credentials. It is not recommended to automatically sync identities into tenants you are not in control of. |
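The three perspectives above (rare high-impact changes, suspicious combinations, and individual contributing behaviors that are weak on their own) can be expressed as a small sequence detector. The following Python is an added illustration written for this page, not code from the post or from Falcon Cloud Security. The activity names are those in the post's reconnaissance and backdoor lists; the 24-hour chain window, the event tuple layout and the sample actors, timestamps and sequence are assumptions of the example.

```python
"""Sequence detection over Azure AD-style audit events for the IdP federation abuse pattern."""
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names as they appear in the post's reconnaissance and backdoor lists.
RECON_ACTIVITIES = {
    "Download users", "Download groups", "Download role assignments",
    "Get identity providers", "Get tenant details", "Get user flows",
    "Get authentication flows policy",
}
# Very common in normal operations: contributes to a chain but never triggers on its own.
WEAK_RECON = {"Get authentication flows policy"}

BACKDOOR_ACTIVITIES = {
    "Add unverified domain", "Add verified domain", "Verify domain",
    "Set domain authentication", "Set directory feature on tenant",
    "Add a partner to cross-tenant access setting",
    "Update a partner cross-tenant access setting",
    "Create a partner cross-tenant identity sync setting",
}
# Rare, high-impact configuration changes reported even without prior reconnaissance.
HIGH_IMPACT = {
    "Set domain authentication",
    "Create a partner cross-tenant identity sync setting",
    "Set directory feature on tenant",
}

# Assumption: recon and backdoor actions by the same actor within this window form one chain.
CHAIN_WINDOW = timedelta(hours=24)


def detect(events):
    """events: iterable of (iso_timestamp, actor, activity). Returns a list of finding dicts."""
    by_actor = defaultdict(list)
    for ts, actor, activity in events:
        by_actor[actor].append((datetime.fromisoformat(ts), activity))

    findings = []
    for actor, evs in by_actor.items():
        evs.sort()  # chronological order per actor
        for i, (when, activity) in enumerate(evs):
            if activity in HIGH_IMPACT:
                findings.append({"rule": "high_impact_config_change", "actor": actor,
                                 "activity": activity, "time": when.isoformat(),
                                 "contributing": []})
            if activity in BACKDOOR_ACTIVITIES:
                # Reconnaissance by the same actor inside the window before this change.
                prior = [a for (t, a) in evs[:i]
                         if a in RECON_ACTIVITIES and when - t <= CHAIN_WINDOW]
                # A chain needs at least one recon action stronger than the weak one alone.
                if any(a not in WEAK_RECON for a in prior):
                    findings.append({"rule": "recon_then_backdoor", "actor": actor,
                                     "activity": activity, "time": when.isoformat(),
                                     "contributing": prior})
    return findings


# Constructed sample audit events (not real data): a routine admin, a compromised account
# that performs bulk exports before adding a federated domain, and a lone high-impact change.
SAMPLE_EVENTS = [
    ("2023-10-02T08:00:00", "alice@example.com", "Get authentication flows policy"),
    ("2023-10-02T08:05:00", "alice@example.com", "Update application"),
    ("2023-10-02T09:10:00", "alice@example.com", "Add verified domain"),
    ("2023-10-02T22:31:00", "bob@example.com", "Download users"),
    ("2023-10-02T22:33:00", "bob@example.com", "Download role assignments"),
    ("2023-10-02T22:40:00", "bob@example.com", "Get tenant details"),
    ("2023-10-02T23:02:00", "bob@example.com", "Add unverified domain"),
    ("2023-10-02T23:05:00", "bob@example.com", "Verify domain"),
    ("2023-10-02T23:06:00", "bob@example.com", "Set domain authentication"),
    ("2023-10-05T10:00:00", "carol@example.com", "Set domain authentication"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["actor"], f["activity"], f["time"], f["contributing"])
```

In the sample, alice's domain addition is preceded only by the weak "Get authentication flows policy" call and is not reported, bob's chain produces one finding per backdoor action plus a separate high-impact finding for the authentication change, and carol's isolated authentication change is reported on its own. Whatever the rule emits still has to be evaluated in context, exactly as the post says.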

Response Recommendations

Because the behaviors outlined in this attack sequence take advantage of normal features of identity provider federation, it is possible that initial setup or routine administrative maintenance may trigger detections. CrowdStrike has considered the potential for producing false positive detections and has concluded that it is worthwhile to maintain vigilant monitoring of these sensitive functions. CrowdStrike recommends that organizations review all changes to IdP settings to verify that:

  1. The user account used to perform the changes is authorized by role and policy to do so.
  2. The user account performing the changes has not been compromised, and endpoints associated with the user are not exhibiting signs of malware.
    1. This should include a review of recent actions performed by the user account to determine if it is being used in an unusual manner.
    2. Consider signs of phishing, social engineering or recent password resets related to the user account.
    3. Consider authentication details for the user account, including source IP address, region and user-agent strings to look for signs it is being accessed from an unusual source.
    4. Review endpoint detections for suspicious activity involving the user account in question.
  3. The observed changes to IdP configurations were authorized through existing governance, risk and compliance (GRC) review and performed in compliance with change management policies and procedures. 
    1. Consider the domains added and their validity in relationship to the business and service context in which they are being used.
    2. Consider the reputation and threat history of new domains.
    3. For suspect domains, review any future login and service access activity originating from the new IdP.
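The review checklist above can be scripted so that every flagged change is run through the same questions. The following Python is an added example written for this page, not code from the post or from CrowdStrike; the authorized roles, the expected business domains, the audit-log label used for self-service resets, the 30-day baseline and 7-day reset lookback, and all sample sign-ins, tickets and actors are assumptions or constructed data. Domain reputation lookups are deliberately left to the analyst, since they need an external source.

```python
"""Triage checklist for a flagged IdP configuration change, after the response recommendations."""
from datetime import datetime, timedelta

# Assumptions for this example: roles allowed to change federation settings, domains the
# business expects to federate with, and the audit-log label used for self-service resets.
AUTHORIZED_ROLES = {"Global Administrator", "Domain Name Administrator"}
EXPECTED_DOMAINS = {"corp.example.com", "partner.example.org"}
SSPR_ACTIVITY = "Self-service password reset"
BASELINE = timedelta(days=30)       # sign-in history used to learn the actor's usual IPs/user agents
RESET_LOOKBACK = timedelta(days=7)  # a reset shortly before the change is a compromise signal


def triage(change, actor_roles, change_tickets, signins, directory_events):
    """change: dict(time, actor, activity, domain, ip, user_agent)
    change_tickets: dicts(actor, activity, approved_from, approved_to) from change management
    signins: dicts(time, ip, user_agent) for the actor; directory_events: dicts(time, actor, activity)
    Returns (verdict, reasons); the verdict is 'authorized' only when every check passes."""
    when = datetime.fromisoformat(change["time"])
    reasons = []

    # 1. Is the account authorized by role and policy to make this change?
    if not set(actor_roles) & AUTHORIZED_ROLES:
        reasons.append("actor holds no role authorized to change federation settings")

    # 2. Does the account show signs of compromise? Compare against the actor's own baseline.
    baseline = [s for s in signins
                if timedelta(0) < when - datetime.fromisoformat(s["time"]) <= BASELINE]
    if change["ip"] not in {s["ip"] for s in baseline}:
        reasons.append(f"source IP {change['ip']} not seen for this actor in the last 30 days")
    if change["user_agent"] not in {s["user_agent"] for s in baseline}:
        reasons.append(f"user agent {change['user_agent']!r} not seen for this actor in the last 30 days")
    if any(e["actor"] == change["actor"] and e["activity"] == SSPR_ACTIVITY
           and timedelta(0) <= when - datetime.fromisoformat(e["time"]) <= RESET_LOOKBACK
           for e in directory_events):
        reasons.append("self-service password reset within 7 days before the change")

    # 3. Was the change approved through change management, and is the domain plausible?
    approved = any(t["actor"] == change["actor"] and t["activity"] == change["activity"]
                   and datetime.fromisoformat(t["approved_from"]) <= when
                   <= datetime.fromisoformat(t["approved_to"])
                   for t in change_tickets)
    if not approved:
        reasons.append("no approved change ticket covers this actor, activity and time")
    if change.get("domain") and change["domain"] not in EXPECTED_DOMAINS:
        reasons.append(f"domain {change['domain']} is not an expected business domain: "
                       "check its reputation and watch future logins that originate from it")

    return ("authorized" if not reasons else "review: revert unless explicitly approved"), reasons


# Constructed sample data (not real accounts, addresses or tickets).
FLAGGED = {"time": "2023-10-02T23:06:00", "actor": "bob@example.com",
           "activity": "Set domain authentication", "domain": "sso-update.example.net",
           "ip": "203.0.113.9", "user_agent": "azure-cli/2.50.0"}
ROUTINE = {"time": "2023-10-02T09:10:00", "actor": "alice@example.com",
           "activity": "Set domain authentication", "domain": "partner.example.org",
           "ip": "198.51.100.20", "user_agent": "Mozilla/5.0 (Windows NT 10.0)"}
SIGNINS = [{"time": f"2023-09-{d:02d}T09:00:00", "ip": "198.51.100.20",
            "user_agent": "Mozilla/5.0 (Windows NT 10.0)"} for d in range(5, 30)]
DIRECTORY_EVENTS = [{"time": "2023-10-01T20:15:00", "actor": "bob@example.com",
                     "activity": SSPR_ACTIVITY}]
TICKETS = [{"actor": "alice@example.com", "activity": "Set domain authentication",
            "approved_from": "2023-10-02T08:00:00", "approved_to": "2023-10-02T12:00:00"}]

if __name__ == "__main__":
    for change in (ROUTINE, FLAGGED):
        verdict, reasons = triage(change, {"Global Administrator"}, TICKETS, SIGNINS, DIRECTORY_EVENTS)
        print(change["actor"], verdict, reasons)
```

The routine change passes every check and comes back as authorized; the flagged one fails on source IP, user agent, a recent self-service reset, the missing change ticket and an unexpected domain, which is the combination the post's recommendations tell you to act on.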

Conclusion

Abuse of federated identity providers appears to be on the rise and represents a significant threat to downstream services, applications and data. 

CrowdStrike has released detections in Falcon Cloud Security that are designed to shed light on administrative behaviors that could represent attempts to compromise this trust architecture so that customers have early warnings an attack may be occurring.

While the attack outlined in this blog shows that adversaries are leveraging legitimate cloud services and configurations to perform their attacks, CrowdStrike’s detections are designed to differentiate normal administrative functions from those with suspect attributes that could indicate an attack in progress.

Due to the nature of this compromise, a timely response is prudent. CrowdStrike recommends taking immediate steps to validate the observed behaviors are authorized and to remediate them if they are not authorized by reversing any changes made. By quickly cutting off access established by an adversary, CrowdStrike customers can disrupt the attack and stop the breach.

IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations

9 November 2023 at 11:47

CrowdStrike Counter Adversary Operations has been investigating a series of cyberattacks and strategic web compromise (SWC) operations targeting organizations in the transportation, logistics and technology sectors that occurred in October 2023. Based on a detailed examination of the malicious tooling used in these attacks, along with additional reporting and industry reports, CrowdStrike Intelligence attributes this activity to the IMPERIAL KITTEN adversary.

Tune in to today’s episode of the Adversary Universe podcast, “Iran’s Rise from Nascent Threat Actor to Global Adversary” and learn about the history of cyber threat activity linked to Iran.

CrowdStrike Intelligence collection has identified that contemporary IMPERIAL KITTEN intrusion chains leverage the following tactics, techniques and procedures:

  • Use of public scanning tools, one-day exploits, SQL injection and stolen VPN credentials for initial access
  • Use of scanning tools, PAExec and credential theft for lateral movement
  • Data exfiltration by leveraging custom and open source malware to target Middle Eastern entities

CrowdStrike Intelligence analyzed several malware samples associated with IMPERIAL KITTEN activity, including:

  • IMAPLoader, which uses email for command and control (C2)
  • A similar sample named StandardKeyboard
  • A malware sample that uses Discord for C2 
  • A Python generic reverse shell delivered via a macro-enabled Excel sheet

This next-stage tooling indicates IMPERIAL KITTEN continues to use email-based C2 mechanisms, similar to those used in their Liderc malware family.

Inside IMPERIAL KITTEN’s Activity

IMPERIAL KITTEN is an Iran-nexus adversary with a suspected connection to the Islamic Revolutionary Guard Corps (IRGC). The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements associated with IRGC operations. Its activity is characterized by its use of social engineering, particularly job recruitment-themed content, to deliver custom .NET-based implants. Historically, IMPERIAL KITTEN has targeted industries including defense, technology, telecommunications, maritime, energy, and consulting and professional services.

Between early 2022 and 2023, CrowdStrike Intelligence observed IMPERIAL KITTEN conduct SWC operations with a focus on targeting organizations in the transportation, logistics and technology sectors. In an SWC, the adversary attempts to compromise victims based on their shared interest by luring them to an adversary-controlled website.

To date, the following adversary-controlled domains have served as redirect locations from compromised (primarily Israeli) websites, as well as locations where information collected to profile visitor systems is sent:

  • cdn.jguery[.]org
  • cdn-analytics[.]co
  • jquery-cdn.online
  • jquery-stack.online
  • cdnpakage[.]com
  • fastanalizer[.]live
  • fastanalytics[.]live
  • hotjar[.]info
  • jquery-code-download[.]online
  • analytics-service[.]cloud
  • analytics-service[.]online
  • prostatistics[.]live

Early 2022 SWC domains used the Matomo analytics service [1] to profile users who visited the compromised Israeli websites. Later iterations of SWC domains use a custom script to profile the visitor by collecting their browser information and IP address, which is then sent to a hardcoded domain. Previously reported activity targeted organizations in the Israeli maritime, transportation and technology sectors.

Industry and CrowdStrike Intelligence collection reporting have described a malware family tracked as IMAPLoader, which is the final payload of the SWC operations. An analysis of IMPERIAL KITTEN’s campaigns, including the use of IMAPLoader and additional malware families, is below.

Initial Access

Industry reporting indicates that, in some instances, the adversary directly serves malware to victims from the SWC [2]. Consistent with prior CrowdStrike reporting on credential stealers from 2021, there is some evidence that IMPERIAL KITTEN targets organizations such as upstream IT service providers in order to identify and gain access to targets that are of primary interest for data exfiltration.

There is also evidence indicating their initial access vectors consist of:

  • Use of public one-day exploits
  • Use of stolen credentials to access VPN appliances
  • SQL injection
  • Use of publicly available scanning tools, such as nmap
  • Use of phishing to deliver malicious documents

All assessments around initial access methods not previously documented in connection with IMPERIAL KITTEN activity carry low confidence based on uncorroborated single-source reporting.

Phishing

IMPERIAL KITTEN’s phishing operations reportedly include the use of malicious Microsoft Excel documents. While the sample mentioned in October 2023 industry reporting is not publicly available, CrowdStrike Intelligence acquired a similar version of the delivery document. 

The lure is a macro-enabled Excel sheet, likely created in late 2023 (SHA256 hash: b588058e831d3a8a6c5983b30fc8d8aa5a711b5dfe9a7e816fe0307567073aed).

Once the victim opens the file and enables macros, the document extracts the files runable.bat, tool.bat and cln.tmp, and a copy of the Python 3.11 interpreter, to the system’s %temp% directory. The batch files create persistence via the registry Run key value named StandardPS2Key and run the main Python payload (SHA256 hash: cc7120942edde86e480a961fceff66783e71958684ad1307ffbe0e97070fd4fd) in 20-second intervals.

The Python payload is a simple reverse shell that connects to a hardcoded IP address on TCP port 6443. The shell sends a predefined challenge GUID (3d7105f6-7ca1-4557-b48e-6b4c70ee55a6) and expects the C2 to respond with a separate GUID (fdee81e1-b00f-4a73-ae48-4a0ee5dee49a) for authentication. The malware then reads commands in a loop, executes them and returns the result. The analyzed version supports the following commands:

  • cd (change working directory)
  • run (start subprocess with command)
  • set timer to (change beacon interval)

The analyzed sample was configured with x.x.x.x as the C2 server. This is not valid and will result in an error — it is likely the result of a test build or third-party modification.
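The handshake GUIDs, C2 port, dropped file names and Run key value name described above are all usable as detection content. The following Python is an added example written for this page, not code from the post or from the malware: it checks a captured session for the implant's challenge/response exchange, tags matching flows, and looks for the persistence value in a Run key listing. The session layout as (direction, payload) pairs, the flow dict shape and all sample payloads and registry values are constructed assumptions of the example.

```python
"""Network and host checks for the Python reverse shell described above (values from the post)."""

CHALLENGE_GUID = b"3d7105f6-7ca1-4557-b48e-6b4c70ee55a6"  # sent by the implant after connecting
RESPONSE_GUID = b"fdee81e1-b00f-4a73-ae48-4a0ee5dee49a"   # reply the implant expects from its C2
C2_PORT = 6443
RUN_VALUE_NAME = "StandardPS2Key"
DROPPED_FILES = ("runable.bat", "tool.bat", "cln.tmp")


def handshake_state(session):
    """session: list of (direction, payload_bytes) in capture order; direction is 'c2s' or 's2c'.
    Returns 'none', 'challenge_only' (implant connected but the C2 never answered) or
    'authenticated' (the C2 returned the expected GUID after the challenge)."""
    challenge_seen = False
    for direction, payload in session:
        if direction == "c2s" and CHALLENGE_GUID in payload:
            challenge_seen = True
        elif direction == "s2c" and challenge_seen and RESPONSE_GUID in payload:
            return "authenticated"
    return "challenge_only" if challenge_seen else "none"


def flag_flows(flows):
    """flows: list of dicts with 'dst_port' and 'session'. Returns one hit per matching flow.
    The GUIDs are the strong indicator; the port is recorded separately because it may change."""
    hits = []
    for i, flow in enumerate(flows):
        state = handshake_state(flow["session"])
        if state != "none":
            hits.append({"index": i, "dst_port": flow["dst_port"], "state": state,
                         "port_match": flow["dst_port"] == C2_PORT})
    return hits


def suspicious_run_values(run_values):
    """run_values: dict of Run key value name -> command line (as exported from the registry).
    Flags the known value name, or any value launching one of the dropped files from a temp path."""
    flagged = []
    for name, command in run_values.items():
        cmd = command.lower()
        if name == RUN_VALUE_NAME or (any(f in cmd for f in DROPPED_FILES) and "temp" in cmd):
            flagged.append(name)
    return flagged


# Constructed sample sessions and registry values (not real captures).
SESSION_AUTHENTICATED = [
    ("c2s", CHALLENGE_GUID + b"\n"),
    ("s2c", RESPONSE_GUID + b"\n"),
    ("s2c", b"run whoami\n"),
    ("c2s", b"corp\\user\n"),
]
SESSION_PARTIAL = [("c2s", CHALLENGE_GUID + b"\n"), ("s2c", b"")]
SESSION_BENIGN = [("c2s", b"GET / HTTP/1.1\r\n"), ("s2c", b"HTTP/1.1 200 OK\r\n")]
SAMPLE_FLOWS = [
    {"dst_port": 80, "session": SESSION_BENIGN},
    {"dst_port": 6443, "session": SESSION_AUTHENTICATED},
    {"dst_port": 8080, "session": SESSION_PARTIAL},
]
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "StandardPS2Key": r"C:\Users\u\AppData\Local\Temp\runable.bat",
}

if __name__ == "__main__":
    print(flag_flows(SAMPLE_FLOWS))
    print(suspicious_run_values(SAMPLE_RUN_VALUES))
```

Because the analyzed sample had a placeholder C2 address, a real deployment might well use a different port, which is why `flag_flows` keys on the GUID exchange and only annotates the port match.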

Lateral Movement

There is information to suggest IMPERIAL KITTEN achieves lateral movement through the use of PAExec (the open-source PsExec alternative) and NetScan, and uses ProcDump to dump the LSASS process memory for credential harvesting. Lastly, IMPERIAL KITTEN likely deploys custom malware or open source tooling, such as MeshAgent [3], for data exfiltration. These assessments are made with low confidence as they rely on single, uncorroborated source reporting.

Adversary Tooling

IMPERIAL KITTEN operations reportedly leverage multiple tools, including custom implants; IMAPLoader and StandardKeyboard, which both use email for C2; and a remote access tool (RAT), which uses Discord for C2.  

IMAPLoader is a malware family distributed as a dynamic link library (DLL) to be loaded via AppDomainManager injection [4]. It uses email for C2 and is configured via static email addresses embedded in the malware. Typographical errors in embedded folder names and log messages indicate the author is likely not a native English speaker. While timestamps are not available in most samples, the oldest version was first observed in the wild on September 1, 2022.

Table 1 gives an overview of the available samples and configured C2 email addresses. All of them share the same functionality, although the last sample (SHA256 hash: 32c40964f75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827) differs in naming of the IMAP folders and has only one configured C2 address, indicating it is possibly a development version.

The malware disguises itself as StreamingUX Updater and persists through a scheduled task of that name. It connects to imap.yandex[.]com over TLS and uses the built-in .NET IMAP library to create two folders for C2, each prefixed with a randomly generated UUID (note the typographical error in the first folder name):

  • <UUID>-Recive
  • <UUID>-Send

IMAPLoader uses attachments in email messages to receive tasking and send replies. It hardcodes creation and modification dates of the attachment to 2018-12-05 and 2019-04-05, respectively.

| SHA256 hash | C2 email addresses |
|---|---|
| 989373f2d295ba1b8750fee7cdc54820aa0cb42321cec269271f0020fa5ea006 | leviblum@yandex[.]com, brodyheywood@yandex[.]com |
| fa54988c11aa1109ff64a2ab7a7e0eeec8e4635e96f6c30950f4fbdcd2bba336 | justin.w0od@yandex[.]com, n0ah.harrison@yandex[.]com |
| 5c945a2be61f1f86da618a6225bc9d84f05f2c836b8432415ff5cc13534cfe2e | giorgosgreen@yandex[.]com, oliv.morris@yandex[.]com |
| 87ccd1c15adc9ba952a07cd89295e0411b72cd4653b168f9b3f26c7a88d19b91 | harri5on.patricia@yandex[.]com, d3nisharris@yandex[.]com |
| 32c40964f75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827 | hardi.lorel@yandex[.]com |

Table 1. IMAPLoader samples and C2 email addresses

Industry reporting also noted IMPERIAL KITTEN deploys a malware family named StandardKeyboard [5], which shares similarities with the IMAPLoader malware family. StandardKeyboard also uses email for C2 communication, and the malicious code uses the same open source .NET library for communicating with IMAP servers [6]. Unlike IMAPLoader, this malware persists on the infected machine as a Windows Service named Keyboard Service, created by the malicious .NET executable WindowsServiceLive.exe (SHA256 hash: d3677394cb45b0eb7a7f563d2032088a8a10e12048ad74bae5fd9482f0aead01). StandardKeyboard’s main purpose is to execute Base64-encoded commands received in the email body. The results are sent to the following email addresses:

  • itdep[@]update-platform-check[.]online
  • office[@]update-platform-check[.]online

The email subject contains the MAC address of the infected machine prepended by “From: ”. The body of the email contains Base64-encoded information listed in Figure 1, followed by the string Sender: <MAC Address>.

***Order: <command>
***Time: <unused integer value>
***Response: <command output>
***Exit: <command exit code>
***At: <attachment>

Figure 1. Data sent to the C2 after command execution

Before initiating the email communication with the C2, StandardKeyboard verifies that an internet connection is available by contacting Google DNS over ICMP, sending the string hi there.
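The IMAP folder naming and hardcoded attachment dates of IMAPLoader, and the report layout StandardKeyboard uses (Figure 1), can both be turned into mailbox hunting checks. The following Python is an added example written for this page, not code from the post or from either malware family. It assumes the IMAPLoader UUID uses the standard 8-4-4-4-12 hex layout, that in a StandardKeyboard email the Base64 blob and the trailing Sender: line are separated by a newline and that the Figure 1 fields are newline separated inside the blob; the sample folder names, MAC address and command output are constructed.

```python
"""Hunting helpers for the email-based C2 artifacts of IMAPLoader and StandardKeyboard."""
import base64
import re

# IMAPLoader creates "<UUID>-Recive" (sic) and "<UUID>-Send". Assumption: standard UUID layout.
IMAPLOADER_FOLDER = re.compile(
    r"^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})-(Recive|Send)$", re.I)
# IMAPLoader hardcodes these attachment timestamps (created, modified).
IMAPLOADER_ATTACHMENT_DATES = ("2018-12-05", "2019-04-05")

# StandardKeyboard report fields from Figure 1, each introduced by "***Label:".
SK_FIELD = re.compile(r"\*\*\*(\w+):[ \t]?(.*?)(?=\*\*\*|\Z)", re.S)
SK_FIELDS = ("Order", "Time", "Response", "Exit", "At")


def imaploader_folder_pairs(folder_names):
    """Return UUIDs for which both the -Recive and -Send folders exist in a mailbox listing."""
    seen = {}
    for name in folder_names:
        m = IMAPLOADER_FOLDER.match(name)
        if m:
            seen.setdefault(m.group(1).lower(), set()).add(m.group(2).capitalize())
    return sorted(uuid for uuid, suffixes in seen.items() if suffixes == {"Recive", "Send"})


def attachment_dates_match(created, modified):
    """True when an attachment carries IMAPLoader's hardcoded creation and modification dates."""
    return (created, modified) == IMAPLOADER_ATTACHMENT_DATES


def parse_standardkeyboard_report(subject, body):
    """Parse a StandardKeyboard result email into a dict, or return None if it does not match.
    Subject: 'From: <MAC>'; body: Base64(Figure 1 fields) followed by 'Sender: <MAC>'."""
    if not subject.startswith("From: "):
        return None
    mac = subject[len("From: "):].strip()
    blob, sep, tail = body.rpartition("Sender:")
    if not sep:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not Base64, so not this format
        return None
    fields = {key: value.strip() for key, value in SK_FIELD.findall(decoded)}
    if not any(key in fields for key in SK_FIELDS):
        return None
    report = {"mac": mac, "sender_mac": tail.strip()}
    report.update({key.lower(): fields.get(key, "") for key in SK_FIELDS})
    return report


# Constructed samples (not real mailbox data).
SAMPLE_FOLDERS = ["INBOX", "Sent", "3f2a9c1e-1111-2222-3333-444455556666-Recive",
                  "3F2A9C1E-1111-2222-3333-444455556666-Send",
                  "7a7a7a7a-0000-0000-0000-000000000000-Send"]
_SAMPLE_REPORT = "***Order: whoami\n***Time: 0\n***Response: corp\\user\n***Exit: 0\n***At: \n"
SAMPLE_SUBJECT = "From: 00-11-22-33-44-55"
SAMPLE_BODY = base64.b64encode(_SAMPLE_REPORT.encode()).decode() + "\nSender: 00-11-22-33-44-55"

if __name__ == "__main__":
    print(imaploader_folder_pairs(SAMPLE_FOLDERS))
    print(parse_standardkeyboard_report(SAMPLE_SUBJECT, SAMPLE_BODY))
```

Only complete Recive/Send pairs are reported, so a lone folder that merely resembles the pattern does not fire; the report parser refuses anything that is not valid Base64 or lacks every Figure 1 label, which keeps ordinary mail with a "Sender:" line out of the results.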

Finally, CrowdStrike Intelligence collection identified another related malware family, posing as a CV creator that uses a company in the logistics sector as a lure (SHA256 hash: 1605b2aa6a911debf26b58fd3fa467766e215751377d4f746189566067dd5929). The malware is heavily obfuscated and drops an embedded payload after multiple stages of decryption and deobfuscation. It establishes persistence through a scheduled task named Windows\System\System.   

The final stage (SHA256 hash: 3bba5e32f142ed1c2f9d763765e9395db5e42afe8d0a4a372f1f429118b71446) uses Discord for C2 and is most likely related to a phishing campaign observed in March 2022. It contains a rare prefix in its PDB path field of the PE header, which, aside from this sample, is only present in samples of IMAPLoader in CrowdStrike holdings. 

Assessment

CrowdStrike Intelligence attributes the above activity, including the use of SWC and IMAPLoader and related malware families, to the IMPERIAL KITTEN adversary. This assessment, made with moderate confidence, is based on:

  • The continued use of previously reported SWC infrastructure 
  • The continued use of email-based C2 and Yandex email addresses for C2
  • Overlaps between IMAPLoader and the industry-reported SUGARDUMP malware family that targeted Israel-based transportation sector organizations in 2022 [7]
  • Continued focus on targeting Israeli organizations in the transportation, maritime and technology sectors, which is consistent with the adversary’s target scope
  • Use of job-themed decoy and lure content in its malware operations

CrowdStrike Intelligence attributes the described initial access and post-exploitation methods to IMPERIAL KITTEN with low confidence, as this assessment is based on single-source reporting that has not been corroborated.

MITRE ATT&CK

| Tactic | Technique | Observable |
|---|---|---|
| Reconnaissance | T1590.005 – Gather Victim Network Information: IP Addresses | IMAPLoader beacons the victim’s public IP address obtained via a web service |
| Resource Development | T1584.006 – Compromise Infrastructure: Web Services | IMPERIAL KITTEN SWC is mostly based on compromised websites |
| Initial Access | T1189 – Drive-by Compromise | IMPERIAL KITTEN distributes malware through SWC |
| Execution | T1059.003 – Command and Scripting Interpreter: Windows Command Shell | IMAPLoader collects system information via cmd.exe scripts |
| Execution | T1059.005 – Command and Scripting Interpreter: Visual Basic | IMPERIAL KITTEN installs a Python backconnect shell via malicious Visual Basic scripts in Excel documents |
| Execution | T1059.006 – Command and Scripting Interpreter: Python | Malicious Excel documents drop a Python-based backconnect shell |
| Persistence | T1037.005 – Boot or Logon Initialization Scripts: Startup Items | IMAPLoader persists through the registry Run key |
| Defense Evasion | T1055 – Process Injection | IMAPLoader executes via AppDomainManager injection |
| Defense Evasion | T1140 – Deobfuscate/Decode Files or Information | IMAPLoader and SUGARRUSH obfuscate C2 addresses via integer arrays |
| Discovery | T1518.001 – Software Discovery: Security Software Discovery | IMAPLoader enumerates installed antivirus software |
| Collection | T1005 – Data from Local System | IMAPLoader beacons local system configuration and username to C2 |
| Command and Control | T1071.003 – Application Layer Protocol: Mail Protocols | IMAPLoader, StandardKeyboard and SUGARRUSH utilize email for C2 |
| Command and Control | T1095 – Non-Application Layer Protocol | The Python-based backconnect shell relies on raw sockets for communication |
| Exfiltration | T1041 – Exfiltration Over C2 Channel | All malware in this report exfiltrates data directly over the C2 protocol |

Table 2. Mapping to the MITRE ATT&CK® framework

Appendix: IMPERIAL KITTEN Infrastructure

Virtual private server (VPS) infrastructure recently associated with IMPERIAL KITTEN tooling is included in Table 3. CrowdStrike Intelligence currently attributes this infrastructure to IMPERIAL KITTEN with low confidence based on the aforementioned reporting.

| Domain | IP Address | Internet Service Provider |
|---|---|---|
| NA | 146[.]185.219.220 | G-Core Labs S.A. |
| NA | 193[.]182.144.12 | Interhost Communication Solutions Ltd. |
| NA | 194[.]62.42.98 | Stark Industries Solutions Ltd. |
| NA | 64[.]176.165.70 | AS-CHOOPA |
| NA | 95[.]164.61.253 | Stark Industries Solutions Ltd. |
| NA | 95[.]164.61.254 | Stark Industries Solutions Ltd. |
| NA | 45[.]32.181.118 | AS-CHOOPA |
| NA | 193[.]182.144.120 | Interhost Communication Solutions Ltd. |
| NA | 64[.]176.164.117 | AS-CHOOPA |
| NA | 45[.]155.37.140 | SHOCK-1 |
| NA | 192[.]71.27.150 | Interhost Communication Solutions Ltd. |
| NA | 185[.]212.149.35 | Oy Crea Nova Hosting Solution Ltd. |
| NA | 51[.]81.165.110 | OVH SAS |
| NA | 82[.]166.160.20 | Cellcom Fixed Line Communication L.P. |
| NA | 192[.]52.166.71 | ASN-QUADRANET-GLOBAL |
| NA | 162[.]252.175.48 | M247 Europe SRL |
| NA | 45[.]93.82.109 | LLC Baxet |
| NA | 77[.]91.74.230 | Stark Industries Solutions Ltd. |
| NA | 77[.]91.74.21 | Stark Industries Solutions Ltd. |
| NA | 195[.]20.17.14 | CLOUD LEASE Ltd. |
| NA | 185[.]253.72.206 | O.M.C. Computers & Communications Ltd. |
| NA | 185[.]220.206.251 | O.M.C. Computers & Communications Ltd. |
| NA | 185[.]241.4.7 | O.M.C. Computers & Communications Ltd. |
| NA | 195[.]20.17.198 | CLOUD LEASE Ltd. |
| NA | 45[.]93.93.198 | O.M.C. Computers & Communications Ltd. |
| NA | 83[.]229.81.175 | O.M.C. Computers & Communications Ltd. |
| NA | 146[.]185.219.97 | G-Core Labs S.A. |
| NA | 193[.]182.144.175 | Interhost Communication Solutions Ltd. |
| NA | 103[.]105.49.108 | VMHaus Limited |
| NA | 185[.]105.0.84 | G-Core Labs S.A. |
| NA | 45[.]81.226.38 | Zomro B.V. |
| NA | 149[.]248.54.40 | AS-CHOOPA |
| NA | 194[.]62.42.243 | Stark Industries Solutions Ltd. |
| NA | 94[.]131.114.32 | Stark Industries Solutions Ltd. |
| NA | 45[.]8.146.37 | Stark Industries Solutions Ltd. |
| NA | 45[.]155.37.105 | SHOCK-1 |
| NA | 163[.]182.144.239 | NATURALWIRELESS |
| NA | 64[.]176.172.26 | AS-CHOOPA |
| NA | 77[.]91.94.151 | Clouvider Limited |
| NA | 95[.]164.18.234 | Stark Industries Solutions Ltd. |
| NA | 74[.]119.192.252 | Stark Industries Solutions Ltd. |
| NA | 82[.]166.160.26 | Cellcom Fixed Line Communication L.P. |
| NA | 64[.]176.165.229 | AS-CHOOPA |
| NA | 193[.]182.144.52 | Interhost Communication Solutions Ltd. |
| NA | 64[.]176.171.141 | AS-CHOOPA |
| blackcrocodile[.]online | 217.195.153[.]114 | Shock Hosting |
| updatenewnet[.]com | Prev: 45.155.37.105 | Edis Gmbh |
| link.mymana[.]ir | 193.182.144[.]52 | Edis Gmbh |
| NA | 193.182.144[.]239 | Edis Gmbh |
| NA | 64.176.165[.]229 | Choopa |
| NA | 64.176.171[.]141 | Choopa |
| NA | 64.176.165[.]70 | Choopa |
| NA | 95.164.61[.]253 | Stark Industries Solutions Ltd. |
| NA | 95.164.61[.]254 | Stark Industries Solutions Ltd. |

Table 3. IMPERIAL KITTEN infrastructure

Footnotes

  1. https://github.com/matomo-org/matomo
  2. https[:]//www.pwc[.]com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
  3. https[:]//github[.]com/Ylianst/MeshAgent
  4. https[:]//pentestlaboratories[.]com/2020/05/26/appdomainmanager-injection-and-detection/
  5. https[:]//www.pwc[.]com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
  6. https[:]//github[.]com/smiley22/S22.Imap
  7. https://www.mandiant[.]com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping

Securing the Generative AI Boom: How CoreWeave Uses CrowdStrike to Secure Its High-Performance Cloud

13 November 2023 at 16:35

CoreWeave is a specialized GPU cloud provider powering the AI revolution. It delivers the fastest and most consistent solutions for use cases that depend on GPU-accelerated workloads, including VFX, pixel streaming and generative AI. 

CrowdStrike supports CoreWeave with a unified, AI-native cybersecurity platform, protecting  CoreWeave’s architecture by stopping breaches. What follows is a summary of how CoreWeave uses CrowdStrike Falcon Cloud Security to secure both its cloud infrastructure and the cloud workloads of its customers, as shared in a presentation at Fal.Con 2023.

Watch the Fal.Con 2023 recording: How CoreWeave Secured Cloud Infrastructure and AI Applications with Falcon Cloud Security

Complete Visibility and Protection

To meet the growing demand for its cloud services, CoreWeave needed a modern security platform that met two main requirements: It had to be capable of scaling with CoreWeave, and it couldn’t cause any performance slowdowns, as organizations rely on CoreWeave for its highly efficient processing power. 

After a successful proof of concept with CrowdStrike — in which CoreWeave engineers observed no performance impact after deploying the Falcon sensor on a test cluster — CoreWeave licensed the Falcon platform along with several platform modules, including CrowdStrike Falcon® Insight XDR endpoint detection and response, CrowdStrike Falcon® Prevent next-generation AV and Falcon Cloud Security. 

Within two weeks, the Falcon sensor had been deployed across all worker nodes at CoreWeave, providing the visibility and protection needed. 

On stage at Fal.Con 2023, CoreWeave’s CISO talked about the importance of visibility to see every asset, including endpoints, cloud nodes, apps working on the endpoints and services running on cloud nodes. He also discussed the value of a unified cloud-native application protection platform (CNAPP) to provide one console and one platform for managing all of the different areas of a cloud workflow — down to containers, pods and nodes.

For CoreWeave, the foundation of strong cloud security starts by deploying the Falcon sensor at the bottom of its tech stack. 

Figure 1. CoreWeave deployed the Falcon sensor at the bottom of its tech stack

Once CoreWeave deploys its systems into the Kubernetes cluster, the Falcon DaemonSet runs across every node. This does two things: Every time CoreWeave powers up a new node and brings it into its fleet, the company automatically gets detection and response capabilities from CrowdStrike. And by having the Falcon sensor at the bottom layer, the company doesn’t have to worry about higher-level networking issues impacting its security.

How CoreWeave Responds to Detections

CoreWeave responds to a Falcon alert in three steps: detect, investigate and triage.

For detections, CoreWeave relies on alerts from two sources: CrowdStrike® Falcon OverWatch™, a CrowdStrike service that provides 24/7 managed threat hunting, and CoreWeave security staff who monitor Falcon dashboards. 

When an alert comes in, CoreWeave security staff can see the hostname that may have been compromised and the container ID — both of which help determine what triggered that alert. From there, the team can drop that container ID into the search of Falcon Cloud Security to see details such as host ID and container name, allowing it to zero in on where the container is running in the infrastructure. 

This capability allows security teams to quickly identify and remediate the potential threat. Because CoreWeave effectively sells its cloud infrastructure to customers, CoreWeave uses this information to communicate with any customer whose workload was potentially compromised so they can triage it together and stop the threat before any damage is done.

One Platform for Endpoint-to-Cloud Protection

Every Falcon product module CoreWeave uses is deployed on the unified, AI-native Falcon platform. By consolidating its cybersecurity with CrowdStrike, CoreWeave has been able to respond to threats faster, reduce complexity and streamline provisioning. Critically, having one sensor deployed across its entire IT infrastructure — from endpoint to cloud — gives CoreWeave the context needed to respond to potential threats appropriately. 

Figure 2. The Falcon platform centers around a streamlined, single-agent architecture

In many cases, the Falcon platform kills the threat automatically. As CoreWeave’s CISO explained, this saves the company hundreds of hours a year in unnecessary triage. 

For instances that require CoreWeave to triage, the team can act decisively based on context provided by the Falcon platform, which collects and analyzes trillions of endpoint events per week from millions of sensors deployed across 176 countries. CoreWeave supplements this information with CrowdStrike threat intelligence to better understand the nature of the situation. 

All told, CrowdStrike’s industry-leading threat intelligence helps CoreWeave understand any adversaries targeting the company and its customers, enabling CoreWeave to stop them.

This encapsulates the value of the Falcon platform for CoreWeave. The company has its host and servers, which are covered with detections. It’s then able to increase the value of those detections with CrowdStrike threat intelligence to figure out what’s happening and how to fix it.

With CrowdStrike, CoreWeave is able to provide a highly performant, scalable and secure cloud infrastructure to power the generative AI boom and beyond. 


CrowdStrike Brings AI-Powered Cybersecurity to Small and Medium-Sized Businesses

15 November 2023 at 13:36

Cyber risks for small and medium-sized businesses (SMBs) have never been higher. SMBs face a barrage of attacks, including ransomware, malware and variations of phishing/vishing. This is one reason why the Cybersecurity and Infrastructure Security Agency (CISA) states “thousands of SMBs have been harmed by ransomware attacks, with small businesses three times more likely to be targeted by cybercriminals than larger companies.” 

In a desperate attempt to defend themselves, SMBs often turn to traditional antivirus (AV) software and even off-the-shelf consumer AV solutions. But these offerings simply can’t keep up with modern attacks. Referred to as “legacy AV,” these solutions are reactive and only able to defend against known malware or ransomware previously cataloged by the AV provider. This is too slow and reactive to stop modern adversaries. It only takes one attack to slip through legacy defenses to bring a business to a halt, or worse, result in a company-ending event.  

Legacy AV is also difficult to manage, especially with limited IT and security staff. The average deployment of these products is three months. In addition, they require quite a bit of tuning and manual configuration to be fully functional, adding to the operational burden of managing and updating legacy security tools.

Uncertain of which cybersecurity offering to buy and then deploy, many businesses throw up their hands in defeat. One poll shows 60% of SMBs use no cybersecurity measures at all. 

SMBs deserve cybersecurity that’s simple, affordable and effective. Today, we’re announcing a new release of CrowdStrike Falcon® Go to bring our industry-leading, AI-powered cybersecurity protection to SMBs in a package that’s never been easier to purchase, install or operate. 

SMBs Need Cybersecurity That Works

CrowdStrike knows how cybercriminals work and why they target SMBs. We also understand SMBs are often understaffed, resource-constrained and lack in-house security expertise. 

Falcon Go delivers award-winning cybersecurity to protect SMBs against ransomware, malware and unknown threats. This simple yet powerful solution leverages modern technology, including machine learning, behavioral detection and AI, to deliver best-in-class protection against the cyber threats of today and tomorrow. With Falcon Go, small businesses can get the same enterprise-grade protection trusted by the world’s largest organizations and governments in a simple user experience designed for their needs.

SMBs no longer need to worry about staying ahead of evolving cyber threats. Powering Falcon Go is the world’s leading AI-native CrowdStrike Falcon® platform, which collects and analyzes trillions of endpoint events per week, giving SMBs the power of the crowd in a solution that even non-technical staff can use to keep their business safe. 

While other SMB cybersecurity solutions may offer simplicity, businesses need security that actually stops breaches. The Falcon platform scored 100% ransomware prevention in SE Labs testing, demonstrating that SMB cybersecurity can be both simple and effective.

Frictionless Purchasing and Installation in Seconds

CrowdStrike is making it easy for SMBs to purchase elite protection and quickly protect their company. Starting today, Falcon Go is available on Amazon Business, allowing SMBs to purchase industry-leading cybersecurity from the same website that millions of businesses use to purchase everyday business items.

Once purchased, users can instantly download and install Falcon Go to begin preventing threats with a guided setup wizard that recommends pre-configured protection levels. With Falcon Go, small businesses can immediately see which devices are protected and any threat activity, with guided and automated next steps to resolve security concerns. Falcon Go also makes it easy to expand protection to new devices, allowing the solution to support business growth. 

SMBs need simple, fast, modern cybersecurity to stop breaches at a price they can afford. With the release of Falcon Go, small businesses can get AI-powered, award-winning cybersecurity with easy purchasing, installation and operations to stop modern cyberattacks. 

To get started with a free trial of Falcon Go, visit the CrowdStrike website.


November 2023 Patch Tuesday: 58 Vulnerabilities Including Three Actively Exploited Zero-Days

15 November 2023 at 17:27

Microsoft has released security updates for 58 vulnerabilities, including five zero-days, three of which are being actively exploited. One of the zero-days (CVE-2023-36025) is a Windows SmartScreen Security Feature Bypass Vulnerability, the second (CVE-2023-36033) is a privilege escalation vulnerability in the Windows DWM Core Library, and the third (CVE-2023-36036) is another privilege escalation vulnerability affecting the Windows Cloud Files Mini Filter Driver. Three of the 58 vulnerabilities addressed today are rated as Critical, and the remaining 55 are rated as Important. 

November 2023 Risk Analysis

This month’s leading risk type is elevation of privilege (28%), followed by remote code execution (26%) and spoofing (17%).

Figure 1. Breakdown of November 2023 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month (32), followed by Extended Support Updates (17).

Figure 2. Breakdown of product families affected by November 2023 Patch Tuesday

Actively Exploited Zero-Day Vulnerability Enables Windows SmartScreen Security Feature Bypass

Windows SmartScreen has received a patch for CVE-2023-36025. According to Microsoft, by exploiting this vulnerability, “The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts.” This vulnerability requires user interaction — the user would have to click on a specially crafted internet shortcut (.URL) or a hyperlink pointing to an internet shortcut file in order to be compromised by the attacker.

Severity    CVSS Score   CVE              Description
Important   8.8          CVE-2023-36025   Windows SmartScreen Security Feature Bypass Vulnerability

Table 1. Zero-day in Windows SmartScreen Security Feature

Actively Exploited Zero-Day Vulnerability Affects Windows DWM (Desktop Window Manager) Core Library

CVE-2023-36033 is a publicly disclosed vulnerability affecting the Windows DWM Core Library. This vulnerability could allow an attacker to gain SYSTEM privileges.

Severity    CVSS Score   CVE              Description
Important   7.8          CVE-2023-36033   Windows DWM Core Library Elevation of Privilege Vulnerability

Table 2. Zero-day in Windows DWM Core Library

Actively Exploited Zero-Day Affects Windows Cloud Files Mini Filter Driver

CVE-2023-36036 is another vulnerability affecting the Windows Cloud Files Mini Filter Driver being exploited in the wild. Successful exploitation of this flaw could allow an attacker to gain SYSTEM privileges.

Severity    CVSS Score   CVE              Description
Important   7.8          CVE-2023-36036   Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Table 3. Zero-day affecting Windows Cloud Files Mini Filter Driver

Critical Vulnerabilities 

CVE-2023-36397, a remote code execution vulnerability rated as Critical, affects Windows Pragmatic General Multicast (PGM). To exploit it, an attacker would have to send a specially crafted malicious MSMQ packet to an MSMQ server, leading to remote code execution. The Windows Message Queuing component must be enabled for a system to be vulnerable. Microsoft recommends checking whether the Message Queuing service is running and TCP port 1801 is listening on the machine; if the service is running and not in use, consider disabling it.

CVE-2023-36400, a privilege escalation vulnerability rated as Critical, affects Windows HMAC Key Derivation. If exploited, this could allow an attacker to gain SYSTEM privileges. According to Microsoft, “A successful attack could be performed from a low privilege Hyper-V guest. The attacker could then traverse the guest’s security boundary to execute code on the Hyper-V host execution environment.”

CVE-2023-36052 is a Critical vulnerability affecting Azure CLI commands. An attacker could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions in public repositories. Customers using the affected CLI commands must update their Azure CLI version to 2.53.1 or above to be protected against the risks of this vulnerability, Microsoft says. This also applies to customers with log files created using these commands through Azure DevOps and/or GitHub Actions. Note that updating the CLI only prevents future leakage: any credential already written to a public pipeline log should be treated as compromised and rotated.

Severity    CVSS Score   CVE              Description
Critical    9.8          CVE-2023-36397   Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Critical    8.8          CVE-2023-36400   Windows HMAC Key Derivation Elevation of Privilege Vulnerability
Critical    8.6          CVE-2023-36052   Azure CLI REST Command Information Disclosure Vulnerability

Table 4. Critical vulnerabilities in Windows and Azure
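The two checks Microsoft recommends for CVE-2023-36397 and CVE-2023-36052, as an added example (not from the original post): the first parses the output of `netstat -ano` on a Windows host for TCP listeners on port 1801, ignoring established connections whose remote end happens to be 1801; the second reads the JSON that `az version` prints and compares the azure-cli component against 2.53.1 numerically rather than as a string (a plain string comparison would rank 2.9.1 above 2.53.1). The sample netstat output and version JSON below are constructed, not captured from a real host.

```python
import json
import re
from typing import List, Tuple

MSMQ_TCP_PORT = 1801            # Message Queuing listener Microsoft tells you to look for
AZ_CLI_FIXED = (2, 53, 1)       # first Azure CLI release with the CVE-2023-36052 fix


def tcp_listeners_on(netstat_output: str, port: int = MSMQ_TCP_PORT) -> List[str]:
    """Local addresses from `netstat -ano` output that are LISTENING on `port` (TCP only).
    Established connections whose *remote* port matches are deliberately ignored."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        local = parts[1]                        # "0.0.0.0:1801" or "[::]:1801"
        _, _, local_port = local.rpartition(":")
        if local_port.isdigit() and int(local_port) == port:
            hits.append(local)
    return hits


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.53.1' -> (2, 53, 1); pre-release suffixes such as '2.54.0b1' are cut off."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version {text!r}")
    return tuple(int(x) for x in m.groups())


def az_cli_patched(az_version_json: str) -> bool:
    """True when the 'azure-cli' component reported by `az version` is >= 2.53.1.
    Tuples compare numerically, so 2.9.1 correctly ranks below 2.53.1."""
    info = json.loads(az_version_json)
    return parse_version(info["azure-cli"]) >= AZ_CLI_FIXED


# Constructed sample `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING       2240
  TCP    10.0.0.5:49721         10.0.0.9:1801          ESTABLISHED     4120
  TCP    [::]:1801              [::]:0                 LISTENING       2240
  UDP    0.0.0.0:3527           *:*                                    2240
"""

# Constructed `az version` output for an unpatched install.
SAMPLE_AZ_VERSION = ('{"azure-cli": "2.53.0", "azure-cli-core": "2.53.0", '
                     '"azure-cli-telemetry": "1.1.0", "extensions": {}}')

if __name__ == "__main__":
    listeners = tcp_listeners_on(SAMPLE_NETSTAT)
    print("MSMQ listening on:", listeners or "nothing")
    print("Azure CLI patched for CVE-2023-36052:", az_cli_patched(SAMPLE_AZ_VERSION))
```

A listener on 1801 tells you the component is reachable, not that it is needed; pair the port check with the service-usage question before disabling Message Queuing, since some line-of-business applications depend on it.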

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j and ProxyNotShell, not every highly exploitable vulnerability can be easily patched. It’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.


5 Tips to Defend Against Access Brokers This Holiday Season

16 November 2023 at 14:58

The holiday season brings a shift in how people and businesses operate: Some companies may partially shut down, leaving only a skeleton crew to manage their IT environments, while others head into their busiest time of year. This seasonal change in staffing and business operations, combined with the general holiday distraction, often creates risk and makes organizations more vulnerable to cybercrime.

Access brokers — the threat actors who gain and sell access to organizations and simplify eCrime for other cybercriminals — are especially active during this time of year. CrowdStrike data reveals spikes in access broker activity toward year’s end. They capitalize on these seasonal shifts to craft holiday social engineering campaigns, steal more information and make more money by selling their findings to threat actors on underground forums.

Here, we discuss how the threat landscape typically changes during the holidays, how access brokers fit into the cybercrime ecosystem and adapt their activity for this busy time of year, and how organizations can prepare for a safe and secure season.

Meet the Access Brokers

Access brokers have become a pivotal part of the eCrime ecosystem by selling victim access to other threat actors and facilitating myriad criminal activities. Their operations continue to grow: CrowdStrike observed a 147% increase in access broker advertisements across criminal underground communities from July 2022 to June 2023.

Many access brokers have relationships with big game hunting (BGH) ransomware operators and affiliates of prolific ransomware-as-a-service (RaaS) programs. The holiday season is a prime opportunity for ransomware operators to launch ransomware campaigns, extort victims and find potential targets. Access brokers support ransomware operators with this last task by capitalizing on holiday changes to breach organizations and sell access to other adversaries.

In order to defend against access brokers, you must first understand how they operate.

Many access brokers carefully study their victims. They analyze organizations’ attack surfaces to find vulnerabilities they can exploit or use sophisticated social engineering techniques to trick employees and steal credentials. Access brokers seek the path of least resistance into an organization and have quickly adapted as endpoint detection and response (EDR) capabilities have evolved to better detect them. The use of custom malware to gain initial access has dropped substantially — 71% of intrusions in 2022 were malware-free — as threat actors favor more subtle attack methods.

Access brokers are highly organized. They advertise access to victims on underground forums, often categorizing their offerings with contextual details such as business vertical, revenue and asset exploitation. This information is especially valuable to big game hunters selecting their next victim. In some cases, access brokers may eliminate upfront costs for downstream ransomware operators using a profit sharing model. These announcements strengthen the collaboration between access brokers and big game hunters, making the eCrime ecosystem a formidable opponent for all organizations.

Why Access Brokers Welcome the Holidays

Over the past year, access broker advertisements peaked right before and after the holiday season. Spikes were also observed the week before Easter as well as the beginning of the new academic year. While this pattern is not set in stone, access brokers seem to be more active during these moments for several reasons:

  • Leaner staff: IT and security teams may have a skeleton staff during the holidays, leaving fewer people to handle detection tuning, threat hunting or patching. As a result, access brokers have more opportunities to break in unnoticed. Dwell time (the time before getting detected) is likely longer during these low-staff moments, giving access brokers a bigger window of opportunity to get in, steal more data and sell it.
  • It’s vacation time: Employees often take time off during this time of year. Some may have forgotten their passwords by the time they come back from a week’s holiday. When requesting new credentials, users are more vulnerable to phishing attacks. Access brokers know when users come back and have greater success when many users request new credentials.
  • More distractions: IT support or help desk teams may cover only the bare essentials, skipping regular security best practices. Access brokers have recently impersonated regular users and opened support calls to obtain access. If the IT team doesn’t properly validate their information, for example, the attacker will have an easier path in.
  • Business is booming: Industries such as the retail, hospitality and travel sectors enter one of their busiest times of the year. They are in a weaker position during the extortion process because they need to keep business running during the busy season and avoid regulatory violations. With this knowledge in mind, access brokers will advertise access to these organizations at the right moment, with adjusted pricing, knowing other adversaries will want to strike.

Let’s take a closer look at the most popular tactics access brokers use to gain entry into victim organizations.

Well-crafted Social Engineering Campaigns

One of the most notorious actors discovered in 2023, known for both access brokerage and big game hunting, used advanced social engineering to harvest credentials. The actor targeted multiple verticals such as consumer goods, telecommunications and real estate. In many cases, ransomware was deployed.

Throughout these incidents, the adversary was consistent in using social engineering tactics to bypass multifactor authentication (MFA). They relied on a combination of credential-harvesting websites, SMS phishing, SIM swapping, MFA push-notification fatigue and social engineering via vishing to obtain initial access. Once inside, the adversary avoided using unique malware, instead favoring a wide range of legitimate remote management tools to maintain persistent access.

This actor succeeded because they very carefully studied their victims and knew how to impersonate them later. During the holidays, when users are more relaxed and staff is short, access brokers using similar tactics can increase their chance of success.

Web Exploitation and Living-off-the-Land

Another common access broker method involves exploitation of public-facing applications and remote code execution vulnerabilities to gain access. Once inside, the threat actor becomes persistent by deploying standard web shell mechanisms to harvest information related to machine identities (SSH keys, RSA keys). Using standard command-line tools, the actor can even clear system logs to evade detection.

How to Defend Against Access Brokers During the Holidays and Beyond

  1. Understand your environment: The age-old adage “You can’t protect what you can’t see” has never been so true. Over the past few years, organizations have accelerated their use of cloud infrastructure, resulting in a larger digital footprint. Security teams must gain an outside-in view of their full enterprise attack surface in order to identify areas of exposure and close security gaps. Don’t wait for the adversary to strike. Map your assets, visualize attack paths and address them.

  2. Prioritize identity protection: The rise in malware-free attacks, social engineering and similar attempts to steal and use credentials drives the need for strong identity protection. CISA’s Shields Up initiative urges organizations to enforce MFA and identify and quickly assess unusual network behavior. Conditional risk-based access policies are advised to reduce the burden of MFA for legitimate users.

Social media training is crucial: Don’t announce department shutdowns or IT service changes on social media, and instruct employees to refrain from sharing personal data on social channels. Train staff to avoid sharing credentials in support calls, emails or tickets. And finally, don’t publish executive or IT contact details on the company website; it may aid adversaries in impersonation efforts.

  3. Strengthen cloud protection: The number of observed cloud exploitation cases grew by 95% year-over-year in 2022. Adversaries are aggressively targeting cloud infrastructure and using a broad array of tactics, techniques and procedures to compromise critical business data and applications in the cloud. Stopping cloud breaches requires agentless capabilities to protect against misconfigurations, control-plane and identity-based attacks, and also runtime security to protect cloud workloads.

  4. Know your adversary: Organizations spend vast amounts of time and money fighting ghosts and noisy alerts, never knowing the “who, why and how” behind cyberattacks. If you don’t understand your adversary, you are poorly prepared to face them.

Invest in threat intelligence that exposes the humans behind the attack, as well as their motivation, capabilities and tools. Use threat intelligence that continuously scans underground forums for exposed identities and leaked data, and notifies the security team when company credentials are detected. Monitor for websites or newly created domains that mimic your organization. If you don’t have time or resources, work with a third party to mitigate the risk of these look-alike websites.

  5. Practice makes perfect: Encourage an environment that routinely performs tabletop exercises and red/blue teaming to identify gaps and eliminate weaknesses in your cybersecurity practices and response.

Prepare to outpace the adversary with comprehensive visibility into what’s happening on your endpoints. Hunt for hidden intruders by looking for web shells and remote monitoring tools that may be active in your environment. Seek support from expert teams that know access brokers and their tools to help mitigate hidden threats.
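A starting point for the web shell hunt recommended above, and for the web-shell persistence described under “Web Exploitation and Living-off-the-Land”, as an added example (not from the original post): a scorer that looks for combinations of code-execution, decoding and request-input patterns in PHP, ASP.NET and JSP files, and flags a file only when the weighted indicators reach a threshold, so that a lone `base64_decode` in legitimate code does not fire. The indicator list is deliberately small and the sample webroot (paths and contents) is constructed; `load_webroot()` is the hook for running the same scorer over a real document root.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed, deliberately small indicator list: (name, pattern, weight).
INDICATORS = [
    ("php_eval",        re.compile(r"\beval\s*\(", re.I), 2),
    ("php_exec",        re.compile(r"\b(system|shell_exec|passthru|popen|proc_open)\s*\(", re.I), 2),
    ("php_decode",      re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I), 1),
    ("php_user_input",  re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["), 1),
    ("eval_on_input",   re.compile(r"\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"), 2),  # classic one-liner
    ("aspx_user_input", re.compile(r"\bRequest(\.Item|\.Form|\.QueryString|\.Params)?\s*\["), 1),
    ("aspx_exec",       re.compile(r"Process\.Start\s*\(|cmd\.exe", re.I), 2),
    ("jsp_user_input",  re.compile(r"\brequest\.getParameter\s*\("), 1),
    ("jsp_exec",        re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("), 2),
]
FLAG_THRESHOLD = 3          # one decode call or one request read alone never fires
WEB_EXTENSIONS = (".php", ".phtml", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx")


def score_file(content: str) -> Tuple[int, List[str]]:
    """Sum of the weights of indicators present in the file, plus the names that hit."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(content):
            score += weight
            hits.append(name)
    return score, hits


def hunt_web_shells(files: Dict[str, str],
                    threshold: int = FLAG_THRESHOLD) -> Dict[str, Tuple[int, List[str]]]:
    """path -> (score, hits) for files at or above threshold, highest score first."""
    flagged = {}
    for path, content in files.items():
        score, hits = score_file(content)
        if score >= threshold:
            flagged[path] = (score, hits)
    return dict(sorted(flagged.items(), key=lambda kv: -kv[1][0]))


def load_webroot(root: str) -> Dict[str, str]:
    """Read every server-side script under `root` into memory for hunt_web_shells()."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(WEB_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read()
    return files


# Constructed webroot: paths, contents and the base64 blob are made up for illustration.
WEBROOT = {
    "/var/www/html/uploads/img.php":  "<?php @eval($_POST['cmd']); ?>",
    "/var/www/html/inc/cache.php":    "<?php eval(gzinflate(base64_decode('c0jNyclXKM8vyklRBAA='))); ?>",
    "/var/www/html/lib/db.php":       "<?php $blob = base64_decode($row['payload']); $q = 'SELECT 1'; ?>",
    "/inetpub/wwwroot/aspnet_client/x.aspx":
        '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %>',
    "/inetpub/wwwroot/search.aspx":
        '<% string q = Request.QueryString["q"]; Response.Write(HttpUtility.HtmlEncode(q)); %>',
    "/opt/tomcat/webapps/ROOT/cmd.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
}

if __name__ == "__main__":
    for path, (score, hits) in hunt_web_shells(WEBROOT).items():
        print(f"{score:2d}  {path}  {hits}")
```

Pair the score with file metadata in a real hunt: a script created or modified recently in an upload, cache or temp directory deserves a look even below threshold, and a file the deployment pipeline does not know about is suspicious at any score. The same loop over a process listing with a list of remote monitoring binaries covers the RMM tools mentioned in the same sentence.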


Access brokers continue to conduct advanced exploitation, social engineering and spear-phishing attacks to gain and sell credentials throughout the year. The end of the year is an ideal time for them to act: IT support organizations are distracted, security teams have a skeleton staff and users request new credentials when they return. Implement strong defenses and don’t let access brokers stuff their stockings with your credentials during the holidays.


Endpoint and Identity Security: A Critical Combination to Stop Modern Attacks

17 November 2023 at 17:43

Today’s adversaries increasingly use compromised credentials to breach target environments, move laterally and cause damage. When attackers are logging in, not breaking in, legacy endpoint security offers little help in detecting and stopping breaches.

Exacerbating the problem is an expanding attack surface, largely due to the growth of remote work and evolving supply chains. Today, nearly 25% of modern attacks start at unmanaged hosts such as contractor laptops — parts of the supply chain where organizations often lack direct control over endpoints. 

Download the CrowdStrike ebook, “Stay One Step Ahead of Identity Thieves”

Legacy endpoint solutions primarily look for malicious code execution to detect attacks and are unable to detect or stop identity-based threats when the adversary uses valid credentials. Many organizations either don’t have the means to stop identity-based attacks or struggle with multiple point solutions for endpoint and identity security that drive cost and complexity while slowing down response times. 

Read on to learn how unifying endpoint and identity security under the CrowdStrike Falcon® platform can help you stop modern attacks.

Case Study: Land O’Lakes 

Land O’Lakes is an American agricultural cooperative with 9,000 employees and manufacturing operations spanning 60 countries. In the words of Dan Oase, Land O’Lakes Director of Cybersecurity, “That’s a lot of identities to secure.” 

Oase spoke on stage at Fal.Con 2023 about how the company uses CrowdStrike for identity protection: “We think of identities in terms of creating identities, managing identities and securing identities … We use Falcon Identity Protection to safeguard our Active Directory and complement our IAM.”

Watch the Fal.Con 2023 session, “Stop Modern Attacks: Extending Endpoint Security with Identity Protection,” featuring Land O’Lakes

Oase emphasized the importance of speed, citing how cracking an 8-character password used to take years; now it takes only minutes, thanks in part to advancements in AI. With adversaries getting faster, Land O’Lakes relies on a full suite of Falcon platform modules — including CrowdStrike Falcon® Insight XDR for endpoint detection and response and Falcon Identity Protection — to outpace modern attacks and stop breaches.

“CrowdStrike provides the ‘easy button’ to add identity protection via a single agent and unified platform covering endpoint and identity. This translates into immense value to us as a customer in terms of faster responses, lower costs and better security outcomes,” said Oase.

Oase shared how Falcon Identity Protection delivers real value for Land O’Lakes, compared to before CrowdStrike:

  • 92% faster at investigating and responding to identity-related attacks and anomalies
  • 90% less time spent manually auditing identity hygiene
  • 85% less time prioritizing vulnerabilities
  • 80% reduction in accounts with excessive permissions
  • Consistent removal of stale accounts
  • Immediate and automated response to compromised passwords

As a cybersecurity veteran who’s built world-class security operations at several companies, Oase went deep into the technical aspects of the Falcon identity deployment, covering continuous monitoring, privileged accounts, conditional access policies and other topics. If you’re a security practitioner looking for identity best practices, watch the Fal.Con 2023 session.

Making the Case for Unified Endpoint and Identity Security

Identity-related attacks are a serious and growing problem. Consider the numbers:  

  • Over 80% of cyber incidents in 2021 involved the misuse of valid credentials to access an organization’s network, as revealed in the CrowdStrike 2022 Global Threat Report.
  • Kerberoasting attacks, a form of identity-based threat, increased an alarming 583% year-over-year, according to the CrowdStrike 2023 Threat Hunting Report.
  • The same report reveals a 147% increase in access broker advertisements, which often sell compromised credentials, on the dark web.
  • 90% of Fortune 1000 companies rely on Microsoft Active Directory (AD) despite its constant flow of vulnerabilities. 
  • Microsoft AD is a top target due to the access and information it holds. One survey found 50% of organizations have experienced an AD attack in the last couple of years, and 40% of those attacks were successful.

If you’re one of the nearly 75,000 organizations that use AD, combining endpoint and identity security under a single platform can help you stop breaches by providing comprehensive defense against adversaries seeking privileged company data. 
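The Kerberoasting figure above is worth turning into something a SOC can run. As an added example (not from the original post), the Python below shows the shape of a Kerberoasting detection over Windows Security event 4769 (“A Kerberos service ticket was requested”): it keeps successful requests for RC4-HMAC (TicketEncryptionType 0x17) service tickets whose target is a user account rather than a computer account or krbtgt, then alerts when one principal from one source address pulls tickets for several distinct service accounts inside a short window. The events are constructed; the field names follow the 4769 schema (TargetUserName, ServiceName, TicketEncryptionType, Status, IpAddress), and the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RC4_HMAC = "0x17"                     # TicketEncryptionType for RC4-HMAC (crackable offline)
BURST_THRESHOLD = 3                   # distinct service accounts from one principal ...
WINDOW = timedelta(minutes=5)         # ... inside this window (assumed values; tune per environment)


@dataclass(frozen=True)
class ServiceTicketEvent:
    """One Security event 4769, reduced to the fields the detection needs."""
    time: datetime
    account: str      # TargetUserName: the principal requesting the ticket
    service: str      # ServiceName: the account the SPN belongs to
    enc_type: str     # TicketEncryptionType
    status: str       # 0x0 = success
    ip: str           # IpAddress of the requester


def is_roastable_request(ev: ServiceTicketEvent) -> bool:
    """Successful RC4 service ticket for a user-owned SPN. Computer accounts (name$) and
    krbtgt are excluded: their keys are long and random, so not worth cracking."""
    if ev.status != "0x0" or ev.enc_type != RC4_HMAC:
        return False
    svc = ev.service.lower()
    return not (svc.endswith("$") or svc.startswith("krbtgt"))


def detect_kerberoasting(events, threshold: int = BURST_THRESHOLD,
                         window: timedelta = WINDOW) -> Dict[Tuple[str, str], List[str]]:
    """Map (account, ip) -> sorted service accounts for every requester that pulled
    roastable tickets for >= threshold distinct services within `window`."""
    by_requester: Dict[Tuple[str, str], List[ServiceTicketEvent]] = defaultdict(list)
    for ev in sorted(filter(is_roastable_request, events), key=lambda e: e.time):
        by_requester[(ev.account, ev.ip)].append(ev)

    alerts: Dict[Tuple[str, str], set] = {}
    for key, evs in by_requester.items():
        start = 0
        for end in range(len(evs)):               # sliding window over time-ordered events
            while evs[end].time - evs[start].time > window:
                start += 1
            services = {e.service for e in evs[start:end + 1]}
            if len(services) >= threshold:
                alerts.setdefault(key, set()).update(services)
    return {key: sorted(svcs) for key, svcs in alerts.items()}


def _t(hhmm: str) -> datetime:
    return datetime(2023, 11, 17, int(hhmm[:2]), int(hhmm[3:]))


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    ServiceTicketEvent(_t("09:00"), "alice", "FS01$", "0x12", "0x0", "10.1.1.20"),          # AES, machine account
    ServiceTicketEvent(_t("09:05"), "bob", "svc_sql_legacy", RC4_HMAC, "0x0", "10.1.1.21"),  # one RC4 ticket: noise
    ServiceTicketEvent(_t("10:00"), "jdoe", "svc_sql", RC4_HMAC, "0x0", "10.1.1.50"),        # burst starts
    ServiceTicketEvent(_t("10:00"), "jdoe", "svc_backup", RC4_HMAC, "0x0", "10.1.1.50"),
    ServiceTicketEvent(_t("10:01"), "jdoe", "svc_web", RC4_HMAC, "0x0", "10.1.1.50"),
    ServiceTicketEvent(_t("10:01"), "jdoe", "krbtgt", RC4_HMAC, "0x0", "10.1.1.50"),         # excluded target
    ServiceTicketEvent(_t("10:02"), "jdoe", "svc_sap", RC4_HMAC, "0x0", "10.1.1.50"),
    ServiceTicketEvent(_t("10:02"), "jdoe", "svc_hr", RC4_HMAC, "0x7", "10.1.1.50"),         # failed: no ticket issued
    ServiceTicketEvent(_t("15:00"), "jdoe", "svc_sql", "0x12", "0x0", "10.1.1.50"),          # AES hours later: ignored
]

if __name__ == "__main__":
    for (account, ip), services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting: {account} from {ip} requested RC4 tickets for {services}")
```

Two caveats a practitioner would want: once RC4 has been disabled for service accounts this filter goes quiet while AES-roasting remains possible, so the same burst logic should also run over 0x11/0x12 tickets with a higher threshold (AES service tickets are normal traffic), and a single legitimate host that talks to many services at logon will look like a burst unless its service set is baselined.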

How the Falcon Platform Strengthens Defense

CrowdStrike delivers its market-leading endpoint and identity protection from the AI-native Falcon platform, which uses one lightweight agent to provide:

Comprehensive visibility

CrowdStrike Falcon® Identity Protection offers complete visibility into AD and cloud-based identity solutions, such as Microsoft Entra ID (formerly Azure Active Directory). The Falcon platform uses data collected from on-premises and cloud user directories to create a baseline for normal user behavior and detect anomalous activity across endpoints and identities, eliminating the security gaps created by siloed security tools.

Real-time protection

By deploying CrowdStrike endpoint and identity security solutions together, you can block malicious authentication at the AD level and stop adversaries from gaining access, regardless of whether the endpoint is managed. 

Risk-based response

Falcon Identity Protection continuously monitors user behavior and context based on both identity and endpoint telemetry to compute risk scores, which allows it to dynamically enforce multifactor authentication when the risk level has increased, providing an extra layer of security.

Single Agent, Unified Platform 

These capabilities are difficult to achieve with standalone tools. Organizations are looking to replace point solutions with a unified cybersecurity platform to eliminate gaps between endpoints, identity and cloud workloads, while reducing the number of agents they manage.

CrowdStrike endpoint customers can easily deploy Falcon Identity Protection with no deployment overhead. Simply enable the platform module, and the Falcon sensor immediately starts defending against identity-based attacks.

The Falcon platform is the only adversary-focused AI-powered security platform that brings together endpoint and identity telemetry and correlates it with threat intelligence and the latest adversary tradecraft. This unified platform approach not only provides better and faster detections with full attack-path visibility, it allows you to automate policy-based responses and eliminate manual correlation of threats, thereby improving SOC efficiency.

Figure 1. CrowdStrike endpoint and identity security solutions offer complete coverage of MITRE TTPs

The graphic above shows how CrowdStrike’s unified approach to endpoint and identity security fares against MITRE ATT&CK® tactics, techniques and procedures (TTPs). As a market leader in endpoint detection and response (EDR), CrowdStrike has long protected customers from execution, command and control, exfiltration and more. By adding Falcon Identity Protection to their endpoint deployment, customers can benefit from full protection against adversary tactics that leverage valid accounts, such as initial access, lateral movement and privilege escalation.

Put simply: CrowdStrike customers of endpoint and identity security can receive the strongest coverage against adversary TTPs from a single, unified platform.

Get Started with Falcon Identity Protection

Today’s attackers use legitimate credentials to bypass endpoint security solutions. By unifying endpoint and identity security on the Falcon platform, organizations can get robust protections against identity-related attacks, while realizing the other benefits of cybersecurity consolidation.

Get started with Falcon Identity Protection using our complimentary Active Directory Risk Review. This one-on-one session with a CrowdStrike identity expert will delve into your AD hygiene and expose compromised passwords, over-privileged accounts and other issues, along with best practices to help you stop identity-related attacks.
