
How to Use Falcon Spotlight’s ExPRT.AI

10 November 2021 at 21:18

Introduction

Organizations have historically relied on CVSS severity scoring to help prioritize vulnerability remediation. Unfortunately, that single data point is often not enough to drive an effective patching strategy. With limited time and resources, organizations are commonly left with large quantities of unaddressed, severely-ranked vulnerabilities. While the standard scoring system plays an important role, it is a measure of severity, not of risk or malicious behavior. To keep production systems secure with current patches, organizations need more specific guidance to target those remediations that reduce actual risk.

Video

Improved Vulnerability Prioritization

With ExPRT.AI, Falcon Spotlight provides that additional context. Leveraging inputs from a number of different sources including CrowdStrike’s extensive data set, the ExPRT AI rating is dynamically adjusted based on recent exploit status and threat intelligence inputs. This artificial intelligence model enables security teams to prioritize fewer vulnerabilities and allocate remediation efforts accordingly. The Spotlight dashboard illustrates how that information is delivered to customers. While the original CVSS scoring standard is still available, the ExPRT.AI rating highlights a smaller, more accurate subset of open vulnerabilities that represent the highest level of risk to an organization.
spotlight dashboard exprt ai

Using the ExPRT.AI Rating

The main dashboard chart areas are clickable to quickly access the supporting details. For example, drilling down on the vulnerabilities with a high rating presents a filtered list. In addition to the ExPRT.AI rating, this list can be further filtered on a number of attributes including vendor and exploit status.
spotlight exprt ai vulnerabilities

For each vulnerability, details are available including the description and links to supporting documentation. The details also include the current ExPRT rating as well as some additional insights. As the model continues to learn and collect new threat data, this dynamic rating will change. With that, a chart is presented to illustrate any recent changes along with the date of the highest documented level.
exprt ai details

CrowdStrike also documents the positive and negative indicators that factored into the ExPRT AI calculation. Directly from this page, links are also available to facilitate remediation of the impacted systems.
exprt AI indicators

Closing

Falcon Spotlight’s ExPRT.AI rating uses real-time exploit status and threat intelligence to help organizations home in on the most important vulnerabilities. This enables them to quickly concentrate their efforts on the most time-sensitive vulnerabilities, take action and effectively reduce risk.

More resources


How to Leverage Scheduled Searches

8 November 2021 at 18:56

Introduction

Falcon Insight provides customers with extensive visibility into the events taking place on endpoints and workloads. While triggered detections are an important part of endpoint security, CrowdStrike also provides the ability to search the raw event data. In addition, scheduled searches can be used to automate the recurrence of those searches and trigger various notifications.

Video

Detailed Event Searches

From the main menu, the “Event Search” is available under the “Investigate” app. Based on the Splunk query language, customers can hunt for events based on any number of attributes including host, file, process, application and user.

scheduled search menu

This sample query hunts for the use of different reconnaissance tools run by the local system account. After selecting the time range, the search returns zero results for the past 24 hours. With scheduled searches, this query can be configured to run regularly to identify any future events.

scheduled search recon results

Creating Scheduled Searches

To save a search, the first step is to enter a name and description.

scheduled search details

The following prompts set the frequency along with a start and stop date for the query.

scheduled search timing

CrowdStrike also provides the ability to trigger notifications based on the results of the scheduled search. In this case, an email will be sent to the analyst. The options below can be used to configure if the email is sent each time the query runs or only when it yields results.

scheduled search email
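As an added illustration (not CrowdStrike’s query or code), the logic of the hunt described above, run over constructed process events, together with the “only when it yields results” notification option. The recon tool list, the account names and the event fields are assumptions; the post does not show the query itself.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from collections import Counter

# Command-line reconnaissance utilities to watch for (assumed list; the
# post does not name the tools its query covers).
RECON_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe",
               "systeminfo.exe", "ipconfig.exe", "nslookup.exe", "netstat.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}


@dataclass(frozen=True)
class ProcEvent:
    timestamp: datetime
    host: str
    user: str
    image: str          # file name of the executed image
    command_line: str


def hunt_recon_by_system(events, now, window=timedelta(hours=24)):
    """Events inside the window where a recon tool ran as the local system account."""
    start = now - window
    return [e for e in events
            if start <= e.timestamp <= now
            and e.user.lower() in SYSTEM_ACCOUNTS
            and e.image.lower() in RECON_TOOLS]


def hosts_summary(hits):
    return Counter(e.host for e in hits)  # hits per host, for the notification body


def should_notify(hits, only_when_results):
    """Mirror the scheduled-search option: notify on every run, or only when rows come back."""
    return bool(hits) or not only_when_results


# Constructed sample events (not real telemetry).
NOW = datetime(2021, 11, 8, 18, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ProcEvent(NOW - timedelta(hours=1), "WS-01", r"NT AUTHORITY\SYSTEM", "whoami.exe", "whoami /all"),
    ProcEvent(NOW - timedelta(hours=2), "WS-01", r"NT AUTHORITY\SYSTEM", "net.exe", "net user"),
    ProcEvent(NOW - timedelta(hours=3), "WS-02", r"CORP\jdoe", "whoami.exe", "whoami"),  # not SYSTEM
    ProcEvent(NOW - timedelta(hours=30), "WS-03", r"NT AUTHORITY\SYSTEM", "nltest.exe", "nltest /dclist:corp"),  # outside window
    ProcEvent(NOW - timedelta(minutes=5), "WS-01", r"NT AUTHORITY\SYSTEM", "svchost.exe", "svchost.exe -k netsvcs"),  # not recon
]

if __name__ == "__main__":
    hits = hunt_recon_by_system(SAMPLE_EVENTS, NOW)
    print("hits:", [(e.host, e.command_line) for e in hits], dict(hosts_summary(hits)))
    print("send email (only when results):", should_notify(hits, only_when_results=True))
```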

Finally, there is an option to configure multiple notifications or “Schedule search”.

scheduled searches save

Managing Scheduled Searches

After saving, the list of all scheduled searches is presented including management features and the option to create additional scheduled searches.

scheduled search listing

This page is also available from the main Falcon menu under “Investigate”. The Results/Searches column summarizes how each query has performed to date.

scheduled search results


The menu includes options to edit, deactivate and delete searches. “See history” will present a list of the results to date including a download function.

scheduled search log

Other Notification Options

In addition to email, there are other notification options available including Slack messages, Teams messages and PagerDuty notifications. Each saved search also can have multiple notifications as needed. Queries that are likely to yield more results are potentially good use cases for the webhook notification. Webhooks are a simple way to send near real-time data from the Falcon platform to third party applications like a SIEM. There is also the option to schedule a search without configuring a notification. Even without triggering an email or message, the search will run and the results will be available for reference as needed.

scheduled searches notification options

Closing

CrowdStrike’s Falcon Insight provides unparalleled EDR visibility along with the flexibility to query that event data. With scheduled searches, those queries can be automated with the option to configure a variety of workflows and notifications to best meet the needs of busy security analysts.

More resources


How to Enable Kernel Exploit Prevention

30 October 2020 at 18:34
CrowdStrike Tech Center

Introduction

This document and video will demonstrate how to enable kernel exploit prevention to protect hosts from sophisticated attacks that attempt kernel code execution.

Video

Overview

Malware, and in particular ransomware, is increasingly using sophisticated attack chains to bypass traditional AV and execute successfully. As an example, the Robinhood ransomware was updated to load and exploit a legitimately signed driver as a mechanism to achieve kernel code execution. With a lot of endpoint solutions, the malware can execute and successfully encrypt the file system because the driver appears to be legitimate.

Even with a detection only policy, execution of the Robinhood ransomware triggers multiple CrowdStrike detections as shown below. While machine learning correctly identifies the ransomware, Falcon also detects data encryption as well as kernel level defense evasion.

Enabling Kernel Exploit Prevention

To prevent this type of attack, a simple policy change is required. Along with machine learning and behavioral based protections, CrowdStrike can also block executions by category. For this attack, enabling the prevention of “Suspicious Kernel Drivers” will ensure that any driver found to be malicious by CrowdStrike will be blocked from loading.

Kernel Exploit Protection

With prevention enabled, the attack fails and the files are not encrypted. The execution details illustrate that CrowdStrike blocked the operation to start a malicious driver. The critical severity detection includes the tactic, technique and ID, as well as the triggering indicator of attack and a written description.

Closing

While the use of legitimate drivers might bypass traditional antivirus, CrowdStrike’s easy-to-configure prevention capabilities enable detection of malicious drivers and protect organizations against sophisticated attacks.

More resources
