
Three Ways to Enhance Your Cloud Security with External Attack Surface Management

The IT future is a cloudy one. Organizations are increasingly relying on cloud servers, as today’s IT environments use a combination of public and private clouds alongside on-premise infrastructure. Gartner® estimates that by 2026, 75% of organizations will adopt a digital transformation model predicated on the cloud as the fundamental underlying platform. Moreover, global spending on public cloud services is forecast to grow 21.7% to total $597.3 billion USD in 2023, up from $491 billion USD in 2022, according to the firm’s latest forecast.[1]

This rapid acceleration into the cloud has dramatically expanded the modern attack surface, making it increasingly difficult for security teams to keep up. Data from CrowdStrike Falcon® Surface external attack surface management shows that in the United States, 23% of all exposed assets detected in a week are hosted on the cloud. More importantly, 25% of those exposed assets have a severe vulnerability.[2] These vulnerable assets can be remote access servers, databases, web servers, gateways, VPNs, development tools and more. The high number of exposed assets indicates that although cloud adoption might be easy, securing the cloud can be hard.

The risk of cloud exploitation is not a new problem. The CrowdStrike 2023 Global Threat Report showed that cloud exploitation cases grew by 95% from 2021 to 2022. Cases involving cloud-conscious actors nearly tripled in the same time frame. These actors primarily obtained initial access to the cloud by exploiting public-facing applications — such as web servers — using existing valid accounts, resetting passwords or placing webshells or reverse shells for persistence. These findings underscore the need for robust cloud security measures and proactive exposure management to address the growing threat of cloud-based attacks.

Evolving Safely in the Cloud Requires 24/7 Exposed Asset Monitoring

Contrary to popular belief, the onus to protect cloud data falls on companies and not the cloud host provider. While organizations may have safeguards in place for their known cloud enclaves, employees can easily create their own cloud instances without following the central process or alerting central IT, leading to the emergence of “shadow IT.”

With the complexity of cloud configurations, it’s easy for teams to make a mistake that can leave sensitive data exposed or leave cloud resources vulnerable to attack. Misconfigurations can occur in several places, including network security settings, storage permissions, access controls and more. Attackers are well aware of this and are actively scanning cloud environments for misconfigurations to exploit. 

Improper access management, cloud services misconfiguration, cloud applications provisioned outside IT visibility and lack of staff with the skills to manage security for cloud applications can all leave companies exposed and vulnerable to attack — and they are far more common than assumed. 

External attack surface management (EASM) is needed for companies to safely evolve in the cloud. It delivers a comprehensive inventory of externally exposed, known and unknown cloud assets, and enables teams to uncover issues like unknown misconfigured environments (staging, testing, development, etc.) and legacy webpages and assets hosted on unofficial hosting providers. In addition, it analyzes and prioritizes every risky exposure and generates a plan with actionable insights so teams can resolve more issues in less time. 

EASM provides a powerful complement to the cloud native application protection platform (CNAPP) capabilities required to mitigate the risks outlined above. CrowdStrike combines EASM with the cloud security offerings of Falcon Cloud Security through a unified platform, empowering customers with complete visibility and protection across their cloud environments no matter what stage they are in their cloud journey.

Three Ways EASM Enables Companies to Maximize Cloud Security

1. Gain outside-in visibility into critical asset exposure while moving to cloud storage and services

Companies that are just starting their cloud migration face the decision of which services and data to host on cloud service providers. It is essential for those companies to carefully manage their asset inventory and understand which security controls are in place, what they cover and where their security gaps are. EASM is the natural place to start. As a fast and easy-to-deploy tool, it enables security teams to gain an immediate understanding of where exposures are, stay on top of asset inventory management in real time and maintain an overarching view of the entire attack surface — regardless of whether it’s in the cloud or on-premises.

2. Prioritize risks in hybrid cloud environments 

As companies grow and evolve in the cloud, they’ll be looking at cybersecurity strategies to prevent risk and exposure. This is particularly important given that the average breakout time for interactive eCrime intrusion activity was 79 minutes in the past 12 months and the fastest observed breakout time was a mere 7 minutes, as revealed in the recently released CrowdStrike 2023 Threat Hunting Report — highlighting the need for dynamic and thorough cybersecurity measures to protect digital assets. 

If the goal is to host more sensitive services in the cloud, EASM can arm CISOs with unique insight into where teams should spend time to reduce risk, bookmark high-value assets for monitoring and integrate with most popular XDR and IR systems. CISOs can receive prompt alerts for exposed assets, ultimately preventing long-term exposure.

3. Ensure no asset is left unknown on full cloud infrastructure 

Once operating on full cloud infrastructure across multiple providers, security tools can be deployed to support the efforts of CISOs, like cloud security posture management (CSPM) platforms. There’s a catch — CSPM doesn’t account for the entire ecosystem and may not cover subsidiaries, the supply chain and third-party vendors. An EASM solution is easily integrated for always-on, real-time, thorough monitoring of cloud environments as well as other attack vectors — so CISOs can ensure nothing is missed. 

Move Safely into the Cloud with Falcon Cloud Security and Falcon Surface  

CrowdStrike provides comprehensive capabilities to stop cloud breaches: CrowdStrike Falcon® Cloud Security delivers the industry’s most complete agent-based and agentless cloud-native application protection platform (CNAPP) capabilities. When paired with Falcon Surface, our EASM module, as part of the unified CrowdStrike Falcon platform, teams gain a significant advantage against the adversary. 

By adding Falcon Surface, security teams can see their attack surface like adversaries can — across their entire digital perimeter. Based only on a domain address, it enables them to detect, prioritize and manage unknown risky, exposed internet-facing assets that are centralized or remote across on-premises environments and subsidiary, cloud and third-party vendors. All exposed assets are automatically classified, analyzed and prioritized according to a contextualized risk score, allowing for quick-to-implement remediation steps.

Together, Falcon Cloud Security and Falcon Surface provide real-time visibility and protection across the entire cloud environment. By leveraging the best of agent-based and agentless technology, CISOs and their security teams can work together to protect the entire attack surface and stop breaches. 

Additional Resources

  1. Gartner Press Release, Gartner Forecasts Worldwide Public Cloud End-User Spending to Reach Nearly $600 Billion in 2023, April 19, 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
  2. Data powered by CrowdStrike Falcon Surface.

Discovering and Blocking a Zero-Day Exploit with CrowdStrike Falcon Complete: The Case of CVE-2023-36874

CrowdStrike Counter Adversary Operations is committed to analyzing active exploitation campaigns and detecting and blocking zero-days to protect our customers. In July 2023, the CrowdStrike Falcon® Complete managed detection and response (MDR) team discovered an unknown exploit kit leveraging a still-unknown vulnerability affecting the Windows Error Reporting (WER) component. Our team prepared to report this newly discovered vulnerability to Microsoft — only to discover that the Google Threat Analysis Group had independently discovered and disclosed it shortly before we did. Microsoft assigned the identifier CVE-2023-36874 to the vulnerability. 

Given this vulnerability was a zero-day when Falcon Complete found it, we are sharing the story of how our team discovered this issue, as well as technical details and some indicators of compromise. The CrowdStrike Falcon® platform protects against exploitation of CVE-2023-36874.

The Story

On June 22, 2023, Falcon Complete observed multiple binaries being dropped onto a system owned by a European technology entity via a Remote Desktop Protocol (RDP) connection from an unmanaged host. The Falcon sensor blocked and quarantined the execution of several of these binaries as it detected potential exploits for CVE-2021-24084. An initial analysis by the Falcon Complete team was conducted to determine the final objectives of these binaries; however, it was inconclusive. CrowdStrike Counter Adversary Operations was asked to assist, given the team’s expertise in both threat hunting and adversary intelligence, in order to accelerate the detection and remediation of threats.

During the first static analysis of these binaries, a string containing the Russian word 0дэй — translated as “0day” — indicated the binaries may be exploits related to an unknown vulnerability. A thorough analysis ensued to pinpoint the correct potential vulnerability used. The results indicated the use of an unknown vulnerability affecting the WER component. Hence, at the time of execution, Falcon Complete detected a still-unknown zero-day in the wild, along with an exploit kit using it.

The Technical Details

The WER service is a privileged service whose role is to analyze and report various software issues that may arise on a Windows host. This service can be interacted with through several undocumented COM interfaces, which can be found in wercplsupport.dll. In particular, by chaining the following function calls, it is possible to get a pointer to an IWerReport COM interface:

  1. CoCreateInstance(CLSID_ERCLuaSupport, NULL, CLSCTX_LOCAL_SERVER, IID_IErcLuaSupport, (PVOID*)&pIErcLuaSupport);
  2. pIErcLuaSupport->CoCreateIWerStoreFactory(&pIWerStoreFactory);
  3. pIWerStoreFactory->CoCreateIWerStore(&pIWerStore);
  4. pIWerStore->EnumerateStart();
  5. pIWerStore->LoadReport(<reportName>, &pIWerReport); where reportName is the name of a directory containing a WER report to be processed

As a result of calling IWerReport->SubmitReport, the WER service will call the WerpSubmitReportFromStore function from wer.dll. This eventually leads, under conditions that were not analyzed, to a call to the UtilLaunchWerManager function, which itself calls the CreateProcess API in order to start the C:\Windows\System32\wermgr.exe executable.

The core problem of this vulnerability lies in the fact that when the CreateProcess API is called while impersonating a client, it follows any file system redirection set up by a threat actor when locating the executable, but it uses the calling process’s security token, not the impersonation token, to set the security context of the new process. In the case of the WER service, impersonation is indeed in effect when the wermgr process creation occurs, as highlighted in the following screenshot:


This means that if a prior file system redirection points to an attacker-controlled wermgr executable, that executable is launched instead of the legitimate wermgr executable, and it runs with the privileges of the WER service (i.e., SYSTEM).

In the case of the observed exploit, the following steps are taken to achieve privilege escalation:

  1. The exploit sets up the necessary files on the system to achieve successful exploitation later. Two different objectives are followed at this step:
    1. Set up a dummy Report.wer file in the directory C:\ProgramData\Microsoft\Windows\WER\ReportArchive\WER1CF4123. This dummy file will be referenced in the IWerReport->SubmitReport function at the start of the exploit chain. 
    2. Set up a fake C:\ root hierarchy under the C:\Users\public\test directory so the file system redirection will point to the attacker files instead of the legitimate ones. In this hierarchy, the exploit creates a copy of itself as C:\Users\public\test\Windows\System32\wermgr.exe as well as a dummy WER report Report.wer inside C:\Users\Public\test\ProgramData\Microsoft\Windows\WER\ReportArchive\WER1CF4123.
  2. Creates a redirection from the C:\ drive to C:\Users\public\test by calling the NtCreateSymbolicLink function, where the third and fourth parameters point respectively to \??\C: and \GLOBAL??\C:\Users\Public\Test. This redirection is created when changes are detected in the C:\ProgramData\Microsoft\Windows\WER\ReportQueue directory.
  3. Triggers IWerReport->LoadReport() with WER1CF4123 as a parameter.
  4. Triggers IWerReport->SubmitReport() with WER1CF4123 as a parameter.
  5. Due to redirection, C:\Users\public\test\Windows\System32\wermgr.exe is executed instead of the legitimate wermgr.exe. The exploit binary is now executing with high privileges.
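Detection logic for the launch pattern in the steps above, written here as an added example rather than code from the CrowdStrike post: it scans constructed process-creation records for a wermgr.exe whose image path is not the legitimate C:\Windows\System32\wermgr.exe, which is how the redirected launch in step 5 appears from the endpoint, and reports the decoy System32 hierarchy and the SYSTEM account as corroborating signals. It assumes C: is the system drive, that the WER service runs inside svchost.exe, and a simple key=value record format of its own.

```python
import ntpath
import re
from dataclasses import dataclass

# Legitimate image path stated in the write-up; the exploit's copy lives under
# a fake C:\ tree in a user-writable directory. Assumes C: is the system drive.
LEGIT_WERMGR = r"c:\windows\system32\wermgr.exe"
SYSTEM_ACCOUNT = r"nt authority\system"
# Assumption (not stated on the page): the WER service runs inside svchost.exe,
# so wermgr.exe launched by the service is a child of svchost.exe.
SERVICE_HOST = "svchost.exe"

# Constructed record format for this example only (not any product's schema):
# "Key=Value | Key=Value | ...".
FIELD_RE = re.compile(r"(\w+)=([^|]+)")

# Constructed sample records: a legitimate wermgr.exe launch, the redirected
# launch from step 5, and an unrelated process.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\wermgr.exe | ParentImage=C:\Windows\System32\svchost.exe | User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Users\Public\test\Windows\System32\wermgr.exe | ParentImage=C:\Windows\System32\svchost.exe | User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Windows\System32\notepad.exe | ParentImage=C:\Windows\explorer.exe | User=CORP\alice",
]


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    user: str


def parse_event(line: str) -> ProcessEvent:
    """Turn one 'Key=Value | ...' record into a ProcessEvent."""
    fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(line)}
    return ProcessEvent(
        image=fields.get("image", ""),
        parent_image=fields.get("parentimage", ""),
        user=fields.get("user", ""),
    )


def decoy_system_path(path: str) -> bool:
    r"""True when a path mimics the \Windows\System32 hierarchy under a root
    other than the real C:\Windows, i.e. the fake root built in step 1.2."""
    p = path.lower()
    return "\\windows\\system32\\" in p and not p.startswith("c:\\windows\\")


def analyze(evt: ProcessEvent) -> list:
    """Return the reasons a wermgr.exe launch looks like the redirected launch
    from step 5; an empty list means the event is not interesting."""
    if ntpath.basename(evt.image).lower() != "wermgr.exe":
        return []
    image = evt.image.lower()
    if image == LEGIT_WERMGR:
        return []
    reasons = ["wermgr.exe launched from a non-standard path: " + evt.image]
    if decoy_system_path(evt.image):
        reasons.append("image path mimics the System32 hierarchy under a non-system root")
    if "\\users\\" in image:
        reasons.append("image resides under a user profile directory")
    if evt.user.lower() == SYSTEM_ACCOUNT:
        reasons.append("process runs as SYSTEM although its image is outside System32")
    if ntpath.basename(evt.parent_image).lower() == SERVICE_HOST:
        reasons.append("parent is a service host, consistent with a launch by the WER service")
    return reasons


def scan(lines) -> list:
    """Scan records and return (image_path, reasons) for every suspicious launch."""
    findings = []
    for line in lines:
        evt = parse_event(line)
        reasons = analyze(evt)
        if reasons:
            findings.append((evt.image, reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_LOG):
        print(image)
        for reason in reasons:
            print("  -", reason)
```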

A Look at the Exploit Kit

In the exploit kit observed, all exploit binaries aim to spawn a privileged interpreter, either the traditional command interpreter cmd.exe, or powershell_ise.exe, in the interactive session from which the binary was launched. If this aim cannot be fulfilled, then a privileged scheduled task is created to serve as a proxy for the spawning of the privileged interpreter. 

Within the exploit kit observed, some binaries are packed while others are not. Some contain C++ code while others appear to be pure C code. Some binaries were apparently able to launch multiple versions of the same exploit depending on the host’s OS version while others appear dedicated to a single OS. This information tends to indicate that the privilege escalation vulnerability was likely known to a group of different developers.

At the time of this writing, CrowdStrike Counter Adversary Operations does not attribute the activity to a particular actor.

Indicators of Compromise

The following table lists the different binaries that CrowdStrike observed being dropped. It should be noted that the following indicators are of low fidelity: several of the binaries are packed, which indicates the threat actor is capable of generating new binaries, with different hashes, containing the same exploit.



It is critical to ensure timely vulnerability patching in order to protect enterprise devices. However, when adversaries target unknown vulnerabilities, timely patching becomes irrelevant. This is why it’s essential for organizations to implement multiple layers of defense such as CrowdStrike Falcon Complete managed detection and response. The Falcon Complete team actively monitors for, and remediates, vulnerabilities such as CVE-2023-36874 so organizations have 24/7 protection from the latest threats — including zero-days exploited in the wild.  


August 2023 Patch Tuesday: Two Actively Exploited Zero-Days and Six Critical Vulnerabilities Addressed

9 August 2023 at 13:02

Microsoft has released security updates for 76 vulnerabilities and two zero-days for its August 2023 Patch Tuesday rollout. One of the zero-days (CVE-2023-38180) is a denial-of-service vulnerability in .NET and Visual Studio. The other zero-day (CVE-2023-36884) received a Defense in Depth update to mitigate a flaw under active attack; however, it is not a patch. Six of the vulnerabilities addressed today are rated as Critical while the remaining 68 are rated as Important and two are Moderate.

August 2023 Risk Analysis

This month’s leading risk type is remote code execution (37%), followed by elevation of privilege (29%) and information disclosure (17%).

Figure 1. Breakdown of August 2023 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month with 36, followed by Extended Support Updates (25) and Microsoft Office products (15).

Figure 2. Breakdown of product families affected by August 2023 Patch Tuesday

Defense in Depth Update Mitigates an Actively Exploited Zero-Day Vulnerability 

Microsoft Office has released an update for a previously disclosed unpatched vulnerability (CVE-2023-36884). As Microsoft stated, installing this update will stop the attack chain leading to the exploitation of the Windows Search security feature bypass vulnerability. It is recommended that users install the Office updates as well as the Windows updates from August 2023.

Impact           | Severity | CVE       | Description
Defense in Depth | Moderate | ADV230003 | Microsoft Office Defense in Depth Update

Table 1. Zero day in Microsoft Office & Windows

Actively Exploited Zero-Day Vulnerability Affects .NET and Visual Studio

Microsoft .NET & Visual Studio has received a patch for CVE-2023-38180, which is rated Important and has a CVSS of 7.5. The vulnerability allows for a denial-of-service attack. Details of the flaw have not been publicly disclosed.

Severity  | CVSS Score | CVE            | Description
Important | 7.5        | CVE-2023-38180 | .NET and Visual Studio Denial of Service Vulnerability

Table 2. Zero day in Microsoft .NET & Visual Studio

Critical Vulnerabilities Affect Windows

CVE-2023-29328 and CVE-2023-29330 are Critical remote code execution vulnerabilities affecting Microsoft Teams each with a CVSS of 8.8. To exploit these vulnerabilities, the attacker must deceive the victim into joining a malicious Teams meeting, which would allow them an opportunity to execute code on the system remotely. No special privileges are necessary for a successful attack.

CVE-2023-36910, CVE-2023-36911 and CVE-2023-35385 are Critical vulnerabilities affecting Microsoft Message Queuing (MSMQ), and each has a CVSS score of 9.8. In order for an attacker to take advantage of these vulnerabilities, they would need to transmit a specifically designed MSMQ packet to an MSMQ server, leading to remote code execution. Microsoft has provided guidance on best practices and steps to see if there is a service running Message Queuing and TCP port 1801 listening on a system.

CVE-2023-36895 is a Critical vulnerability affecting Microsoft Outlook with a CVSS of 7.8. According to Microsoft, this is an Arbitrary Code Execution flaw. The attack complexity is low, no privileges are required to exploit it, and Microsoft rates exploitation as less likely.

Severity | CVSS Score | CVE            | Description
Critical | 8.8        | CVE-2023-29328 | Microsoft Teams Remote Code Execution Vulnerability
Critical | 8.8        | CVE-2023-29330 | Microsoft Teams Remote Code Execution Vulnerability
Critical | 9.8        | CVE-2023-36910 | Microsoft Message Queuing Remote Code Execution Vulnerability
Critical | 9.8        | CVE-2023-36911 | Microsoft Message Queuing Remote Code Execution Vulnerability
Critical | 9.8        | CVE-2023-35385 | Microsoft Message Queuing Remote Code Execution Vulnerability
Critical | 7.8        | CVE-2023-36895 | Microsoft Outlook Remote Code Execution Vulnerability

Table 3. Critical vulnerabilities in MS Windows

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of security events every day from across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight vulnerability management can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

  • For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
  • See how Falcon Spotlight can help you discover and manage vulnerabilities and prioritize patches in your environments. 
  • Learn how CrowdStrike’s external attack surface module, Falcon Surface, can discover unknown, exposed and vulnerable internet-facing assets enabling security teams to stop adversaries in their tracks.
  • Learn how Falcon identity protection products can stop workforce identity threats faster. 
  • Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
  • Test CrowdStrike next-gen AV for yourself with a free trial of Falcon Prevent.

CrowdStrike Debuts Counter Adversary Operations Team to Fight Faster and Smarter Adversaries as Identity-Focused Attacks Skyrocket

8 August 2023 at 04:00

CrowdStrike is proud to announce the launch of CrowdStrike Counter Adversary Operations, a newly formed, first-of-its-kind team that brings together CrowdStrike Falcon® Intelligence and the CrowdStrike® Falcon OverWatch™ threat hunting team to disrupt today’s adversaries and ultimately raise their cost of doing business.

Both threat hunting and intelligence operations are essential to detect, disrupt and stop today’s adversaries. CrowdStrike Counter Adversary Operations will have the power of both — along with the trillions of telemetry events from the AI-powered CrowdStrike Falcon® platform — to quickly act and intensify its impact on adversary activity. CrowdStrike’s deep adversary knowledge, expertise in pursuing and stopping threats, and visibility derived from the Falcon platform make us uniquely qualified to deliver the most effective method of stopping breaches and protecting customers.

Today’s adversaries are increasingly fast and elusive, with quickly changing motives and tactics. The tradecraft CrowdStrike sees in the wild is, far too often, bypassing legacy and even modern security measures. CrowdStrike Counter Adversary Operations represents a new model for the security industry that brings together the best adversary insight and expertise, and puts this information in the hands of teams on the front lines so they can disrupt adversaries faster than ever before. 

There has never been a greater need for threat hunting and intelligence to come together, as evidenced by Nowhere to Hide: CrowdStrike 2023 Threat Hunting Report. This report, the first to be published under the CrowdStrike Counter Adversary Operations unit, provides a comprehensive look at the evolving techniques of today’s adversaries. 

Nowhere to Hide: A Closer Look at Modern Adversary Activity

The CrowdStrike 2023 Threat Hunting Report, now in its sixth edition, is the culmination of 12 months of proactive and intelligence-informed threat hunting. Our threat hunters and intelligence analysts observed a massive jump in identity-based intrusions, evolving expertise in cloud-focused attacks, and a breakout time of 79 minutes — a new all-time low and a decrease from the 84 minutes recorded in 2022.

A standout theme of the report is adversaries’ persistent focus on identity: Our experts observed a 583% increase in Kerberoasting attacks, a technique adversaries can use to obtain valid credentials for Active Directory service accounts. These often provide attackers with higher privileges and allow them to lurk undetected in victim environments for longer stretches of time.

This wasn’t the only statistic indicating identity is a hot target: 62% of all interactive intrusions involved the abuse of valid accounts, and there was a 160% increase in attempts to collect secret keys and other credentials through cloud instance metadata APIs. Access broker advertisements, which often offer ready access to valid accounts, increased by 147% in criminal and underground communities.

Adversaries are also leading the charge in cloud know-how, navigating cloud environments with a level of skill and confidence often unmatched by enterprise security teams. CrowdStrike observed a threefold increase in the use of linPEAS, a Linux privilege escalation tool quickly gaining popularity among adversaries operating in the cloud. This finding, combined with the 95% jump in cloud exploitation and threefold increase in cases involving cloud-conscious threat actors, underscores the critical need for organizations to prioritize securing their cloud environments.

Other notable findings include a 312% year-over-year increase in adversaries using legitimate remote monitoring and management (RMM) tools to evade detection and blend in with a target environment, and a stunning 80% increase in interactive intrusions targeting the financial sector. 

The data is clear: Adversaries are relentlessly seeking new ways to broaden their reach, optimize their tradecraft and deepen their impact across operations, using tactics intended to bypass legacy security products using traditional detection methods. As they demonstrate greater proficiency and speed in targeting organizations, it is imperative that defenders stay one step ahead to proactively identify and stop their activity. 

Counter Adversary Operations’ First New Offering: Identity Threat Hunting

In response to the evolving sophistication of adversary tradecraft and identity-based attacks CrowdStrike is seeing in the wild, Counter Adversary Operations is introducing its first new offering: CrowdStrike® Falcon OverWatch™ Elite Identity Threat Hunting.

This offering, immediately available as part of CrowdStrike® Falcon OverWatch™ Elite, brings together the latest intelligence on adversary motives, tactics, techniques and procedures, and combines this data with CrowdStrike Falcon® Identity Threat Protection and the elite Falcon OverWatch threat hunters. This combination makes it possible to quickly identify and remediate compromised credentials, track lateral movement and stay ahead of adversaries with 24/7 coverage. 

At a time when adversaries have their sights set on identities, Falcon OverWatch Elite Identity Threat Hunting brings organizations peace of mind with an always-on service to help them outpace current and emerging threats. This offering is available to new and existing CrowdStrike Falcon OverWatch Elite customers at no additional cost.

And there’s more to come: Falcon OverWatch Elite Identity Threat Hunting is the first of many accelerated innovations from Counter Adversary Operations. This offering and future capabilities will close the loop between the discoveries CrowdStrike researchers make in the wild and new customer-focused innovations to come in the Falcon platform.    


CrowdStrike Scores 100% in SE Labs Q2 2023 Enterprise Advanced Security Detection Test, Wins AAA Award

  • The CrowdStrike Falcon® platform achieved 100% attack detection with zero false positives in the Q2 2023 SE Labs Enterprise Advanced Security (EAS) test, earning the AAA award for its perfect performance in the rigorous evaluation. 
  • SE Labs analysts’ intelligence-led testing employed the real-world tactics, techniques and procedures (TTPs) of four advanced threat groups, using four different threat series with full attack chains for each (16 attacks in total) in an attempt to evade detection by leading endpoint detection and response (EDR) products.
  • This latest performance underscores our mission to stop breaches and shows our continued commitment to participating in independent testing, which provides transparency into the Falcon platform’s industry-leading automated detection and prevention capabilities.

The CrowdStrike Falcon® platform recently earned the SE Labs AAA award by delivering 100% attack detection with zero false positives in the Q2 2023 SE Labs Enterprise Advanced Security (EAS) test. The platform achieved perfect scores across every evaluation category. 

This year’s evaluation presented a unique challenge to testing participants. SE Labs tested solutions to a full kill chain attack, from initial contact through reconnaissance, data exfiltration and lateral action. However, in order to capture each security product’s full insight into every stage of an attack, SE Labs analysts deliberately shut down each product’s preventive capabilities, giving the attackers an unhindered ability to run their full kill chain. 

With the Falcon platform’s advanced protection in place, attackers will fail to break out and advance anywhere near to the stage of actually breaching a system. But the goal of the evaluation was to test detection capabilities. Shutting down prevention allows the detection test to evaluate the degree of total insight a product has into every stage of an attack — not only detection of the threat or attack but also associated activity including privilege escalation, actions and lateral movement. 

Points were awarded based on detection accuracy through every stage of each attack. In addition, the security products were also awarded points based on their ability to classify user interactions with legitimate applications and URLs, and false positives were penalized during testing because they negatively impact users.

SE Labs Q2 2023 EAS Detection Test Was Realistic and Demanding — and the Falcon Platform Crushed It

As part of the testing scenario, SE Labs emulated the real-world, observed tactics, techniques and procedures (TTPs) of four known, formidable adversary groups: Russia-nexus Turla (known as VENOMOUS BEAR in CrowdStrike adversary naming), China-nexus Ke3chang (VIXEN PANDA), China-nexus Threat Group-3390 (EMISSARY PANDA) and North Korea-nexus Kimsuky (VELVET CHOLLIMA). For each of these adversary groups, the testers ran four attack scenarios, for a total of 16 different attacks.

SE Labs describes the importance of this approach, which it says comprises the widest range of threats of any currently available public test:

“This test exposed market-leading endpoint security products to a diverse set of exploits, fileless attacks and malware, comprising the widest range of threats in any currently available public test. All of these attack types have been witnessed in real-world attacks over the previous few years. They are representative of a real and present threat to business networks the world over … It is important to note that while the test used the same types of attacks, new files were used. This exercised the tested product’s abilities to detect certain approaches to attacking systems rather than simply detecting malicious files that have become well-known over the previous few years. The results are an indicator of potential future performance rather than just a compliance check that the product can detect old attacks.” 

Source: Q2 2023 SE Labs Enterprise Advanced Security EDR Detection report

CrowdStrike Falcon performed flawlessly during each of the attack stages across the four different adversaries:

  • Delivery: 100% detection
  • Execution: 100% detection
  • Action: 100% detection
  • Escalation: 100% detection
  • Post-Escalation Action: 100% detection
  • Lateral Movement: 100% detection
  • Lateral Action: 100% detection

The Falcon platform had zero misses, for a 100% detection score during testing. This means the platform was fully aware of every stage of every attack, providing 360-degree visibility across the entire attack surface. It was able to report exactly what was happening, and if preventions hadn’t been disabled as part of the testing process, the Falcon platform would have taken action to block the attack from progressing. 

In addition, with the same configuration, Falcon also scored a 100% Legitimate Accuracy rating, meaning analysts were not wasting time and resources chasing false positives. This is a big win for Falcon customers. The global shortage of cybersecurity professionals shows no signs of abating, and the digital skills gap continues to widen, making these highly trained security experts’ time extremely valuable. Any time spent investigating false positives is time that SOC analysts are not spending to prevent a costly breach. Falcon’s perfect performance and lack of false positives means fewer SOC analysts are required to effectively operate a company’s security stack. 

More Than an Award: The Falcon Platform Delivers 100% Detection Accuracy to Customers

During the SE Labs EAS testing, points were awarded based on detection accuracy through every stage of each attack and on their ability to classify user interactions with legitimate applications and URLs, while false positives were penalized. This scoring is reflective of the real-life cost-benefit analysis of deploying a security solution — one that can see all aspects of an attack and stop it. However, it’s also important that the solution does not disrupt the business or waste valuable SOC analyst time with false positives. 

With 100% detection accuracy (perfect detection with zero false positives), the Falcon platform won the AAA Award for the SE Labs April/May 2023 EAS test. However, the important message is more than just a headline about the award itself. 

This performance is another example of CrowdStrike proving through independent, third-party testing that the Falcon platform is a leader at stopping sophisticated adversaries in their tracks, while offering a low total cost of ownership. Moreover, this independent testing was performed by SE Labs using the same version of Falcon used by CrowdStrike customers. There were no unrealistic configurations, vendor optimizations or special capabilities in play. The Falcon platform enables customers to deploy our agent to thousands of endpoints in minutes, rapidly activating the same industry-leading protection used in this evaluation in their environments.

CrowdStrike’s Commitment to Independent Testing  

The SE Labs Q2 2023 EAS test is an example of the importance of participating in impartial, third-party testing. Evaluations by organizations like SE Labs are an invaluable resource, enabling security professionals to gauge the real-life performance of different security solutions under realistic, real-world attack scenarios. Independent testing also helps to drive innovation and product improvement and leads to a stronger cybersecurity industry in general. The benefits of these initiatives are why CrowdStrike remains firmly committed to industry research and independent testing.

The Falcon platform’s performance in public tests is also a showcase for the effectiveness of our advanced technology. It demonstrates just how effective machine learning, artificial intelligence, cloud-native architecture and CrowdStrike’s vast network of telemetry are at preventing breaches. It proves that CrowdStrike is a cybersecurity industry leader for a reason.

CrowdStrike Named a Leader that “Delivers World-Class Threat Intelligence” in 2023 Forrester Wave

3 August 2023 at 07:12

We’re excited to share that Forrester has named CrowdStrike a Leader in The Forrester Wave™: External Threat Intelligence Services Providers, Q3 2023. CrowdStrike received the highest ranking of all vendors in the Current Offering category, with the highest score possible in 16 criteria, surpassing all other vendors evaluated in the report.  

From the report: “CrowdStrike delivers world-class threat intelligence to power its Falcon platform. CrowdStrike Falcon Intelligence enables an extensive set of threat intelligence use cases integrated into the CrowdStrike Falcon platform … CrowdStrike Falcon Intelligence is a comprehensive solution that firms should consider for an overall threat intelligence program even if they are not using the vendor’s EDR tools.”

This recognition is the latest in a string of industry accolades for CrowdStrike Falcon Intelligence. In February 2023, CrowdStrike earned Frost & Sullivan’s Global Company of the Year Award in Cyber Threat Intelligence. We were also named a Leader in the Frost Radar for Cyber Threat Intelligence. In 2022, CrowdStrike was named a Leader in the 2022 SPARK Matrix for Digital Threat Intelligence Management by Quadrant Knowledge Solutions.

CrowdStrike Falcon Intelligence Leads the Pack

CrowdStrike is globally known as a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data — and our highly differentiated threat intelligence offerings are the foundation of our ability to stop breaches. Without a deep, robust understanding of the adversary and their tactics and tools, you can’t stop emerging attacks.

Here are three distinctive areas that set Falcon Intelligence apart:

  1. Our intelligence starts with global data collection

CrowdStrike’s intelligence collection strategy is a critical differentiator: The Falcon platform regularly collects trillions of events every day, powering the protection of millions of endpoints across the globe and providing real-time visibility into attacks, including zero-days.

In its report, Forrester states: “CrowdStrike supplements traditional public open sources and underground sources of intelligence with telemetry from its established Falcon platform customer base, lessons learned from 500-plus incident response engagements and experience gained by the Falcon OverWatch threat hunting teams.”

CrowdStrike’s comprehensive collection strategy — with the Falcon platform telemetry at its core — underscores our ability to collect data that no one else can, resulting in threat intelligence that no other vendor can provide.

  2. We provide relevant, timely intelligence at your fingertips

To be actionable, threat intelligence must be presented in context and easily accessible within a security team’s daily workflow. Intelligence is at the heart of the Falcon platform and enriches the modules we deliver across endpoint, cloud security, identity protection and more. 

With the best threat intelligence at its foundation, the Falcon platform helps customers move faster than the adversary with rapid and precise detections, investigations and response. As new threats are uncovered, the intelligence is fed back into the platform, strengthening its ability to stop breaches. Endpoint security and XDR tools that lack leading intelligence capabilities, such as Microsoft Defender and SentinelOne, can leave customers exposed to new adversary tradecraft.

  3. We offer industry-leading expertise

We enhance our threat intelligence with services that provide access to the CrowdStrike Intelligence Customer Operations team. Our staff of seasoned intelligence analysts has unsurpassed expertise in battling nation-state, eCrime and hacktivist adversaries. 

Assigned analysts work directly with the customer and are dedicated to learning the unique security challenges each organization faces. This understanding enables our analysts to help apply threat intelligence more effectively and defeat the adversaries targeting the organization. 

Adversaries Don’t Stand a Chance

You don’t have a malware problem, you have an adversary problem. Whether it’s ransomware or a new vulnerability exploit, there’s a human element behind every attack. This human adversary is the real threat.

It was with this belief that CrowdStrike pioneered adversary intelligence. This intelligence is woven deeply into the Falcon platform and enriches everything we do. It’s derived from our world-class threat researchers and the firsthand experience of our threat hunters and professional services teams.

CrowdStrike’s deep adversary knowledge, expertise in pursuing and stopping threats, and visibility derived from the Falcon platform make us uniquely qualified to deliver the most effective means of stopping breaches and protecting customers.

Start Your Threat Intelligence Journey

Building a threat intelligence practice is a journey. It’s critical to find a vendor that aligns with your definition of intelligence, supports you on your journey and provides room for your team to grow. 

Further, they should challenge you to take the next step into a new use case so you can better protect your business. CrowdStrike Falcon Intelligence is designed to meet you where you are on your threat intelligence journey. It’s built directly into the platform, supporting your daily workflow by providing detection context and defensive strategies at your fingertips. If you are not a Falcon platform customer, CrowdStrike Falcon Intelligence is also available separately, cloud-delivered and operational on day one.

We agree with Forrester when it says “external cyber threat intelligence is necessary for effective cyber security.” CrowdStrike Falcon Intelligence enables all organizations, regardless of size or expertise, to easily operationalize intelligence within the security operations center, gain visibility into the cybercriminal underground to protect their brand and executives, and receive best-of-breed intelligence reporting and technical analysis backed by a dedicated team of intelligence professionals.

The CrowdStrike Falcon Intelligence modules include:

  • CrowdStrike Falcon Intelligence: Enriches the events and incidents detected by the Falcon platform, automating intelligence so security operations teams can make better, faster decisions. 
  • CrowdStrike Falcon® Intelligence Recon: Provides visibility into the cybercriminal underground so customers can effectively mitigate threats to their brands, employees and sensitive data.
  • CrowdStrike Falcon® Intelligence Premium: Delivers world-class intelligence reporting, technical analysis, malware analysis and threat hunting capabilities. Falcon Intelligence Premium enables organizations to build cyber resiliency and more effectively defend against sophisticated nation-state, eCrime and hacktivist adversaries.
  • CrowdStrike Falcon® Intelligence Elite: Expands your team with access to an intelligence analyst with the expertise to help you better defend against threats targeting your organization.

Prevention Is the Best Preparation for the SEC’s New Breach Disclosure Rules

31 July 2023 at 15:24

The U.S. Securities and Exchange Commission (SEC) this week voted to adopt new rules for how companies inform investors about cybersecurity concerns. The vote comes after years of gradually increasing guidance and scrutiny over companies’ handling of cybersecurity events and follows a lengthy comment period where companies, including CrowdStrike, provided input. 

The new rules, which go into effect later this year, will require publicly listed companies to disclose material cybersecurity incidents within four business days of determining a material incident occurred. This includes stand-alone incidents as well as the cumulative impact of a series of related incidents. They also require these companies to regularly disclose how they manage cybersecurity risks, who is responsible and how these risks are reported to the board of directors.

From our view, the intent of the SEC rules is to protect investors by requiring more clarity, consistency and timeliness in how companies handle cyber-related disclosures. An ancillary effect is that companies may implement better overall cybersecurity hygiene and risk management processes to be more resilient to cyber incidents in the first place. 

While there will continue to be a debate on whether the new disclosure rules will ultimately force organizations to prematurely disclose details of an incident that may be ongoing, public companies, or any organization looking to implement more mature security controls, can use this opportunity to double down on proactive defenses that can get them ahead of a potential incident.

Contact CrowdStrike to schedule an SEC security briefing to learn more about the new SEC rules on cybersecurity and how your organization can prepare.

The Best Preparation Is Proactive Prevention

The best strategy for handling the SEC’s disclosure rules is to prevent material incidents from occurring in the first place. While a company is debating whether an incident is material, they’ve already missed the opportunity to do something about it. Proactive prevention is the best opportunity to stop an incident completely or minimize the damage during a critical period. 

When it comes to cybersecurity, speed is essential. According to the CrowdStrike 2023 Global Threat Report, the average time it takes an adversary to compromise a system and move laterally into the rest of the network is just 84 minutes. Companies need to ensure they have the tooling and teams necessary to respond to and remediate an incident with the same speed. This means augmenting existing teams with services and AI that can automate protection and accelerate investigation.

Although it’s up to a company to make its own legal determination as to whether a series of related occurrences is material, adversaries increasingly utilize public, coercive techniques to force victims to comply with demands. CrowdStrike’s 2023 Global Threat Report also found that data leak extortion campaigns are at an all-time high, and certain threat actors taunt victims with references to privacy, data protection or other compliance obligations breaches might impact. Consequently, holistic visibility into security events coupled with intelligence about the threat actors behind them can play an important role in assessing obligations.

It is not enough to work reactively after an incident has occurred. Configuration management — through endpoint and cloud hardening, Zero Trust architectures and external attack surface management — needs to be a cornerstone of a robust security posture. Proactive threat hunting to identify activity that tools missed and threat intelligence to hone in on what to look for also need to be part of this mix. 

Even with proactive prevention in place, companies will still need a game plan for complying with the new disclosure rules should an incident occur. This requires defining how they will assess materiality and who will ultimately sign off on what constitutes a material incident. To date, this has not been a standard component of most incident response plans, so most companies will need to develop a framework and conduct exercises to test and refine it. From a technical perspective, companies will need to ensure they have a system of record that tracks the impact of incidents so they are able to consider the cumulative impact of smaller related incidents when making their materiality assessments. 

Companies that cannot investigate incidents quickly will be seriously disadvantaged in trying to make these assessments. Not only can investments in rapid detection and remediation capabilities reduce the likelihood of material incidents, they also increase the amount and reliability of the information available when evaluating incident impact and defending the decision later.

Register for our live webinar to learn more about the new SEC rules on cybersecurity and how you can prepare.

How CrowdStrike Can Help Your Organization Prepare

The best thing public companies can do in the face of these new requirements is focus on the fundamentals of good security practices. These both reduce the likelihood that a cyber incident will be material and provide a foundation for an organization’s required annual disclosure on cyber risk management. 

The CrowdStrike Falcon® platform delivers the highest levels of visibility, simplicity and control by providing the necessary capabilities for unified prevention, detection, hunting, intelligence and remediation. With CrowdStrike, organizations are able to prepare for the new disclosure rules by embracing proactive prevention and empowering them to:

  • Understand Risk and Enforce Cyber Hygiene: Cyber resiliency starts with an assessment of where an organization is at greatest risk for a security incident. This enables an organization to proactively address the risk before an incident happens.  CrowdStrike Falcon® Surface enables companies to understand their external attack surface and minimize the risk of a cyber incident stemming from an exposed asset, while CrowdStrike Falcon® Spotlight helps prioritize the vulnerabilities that threat actors are most likely to target.
  • Automate Protection and Accelerate Investigation: With CrowdStrike Falcon® Insight XDR, companies can detect incidents faster and with greater accuracy. With AI-powered automation embedded across the Falcon platform, organizations can rapidly ingest data and generate detections across domains to stop breaches earlier, reduce the materiality of an incident and speed overall response times.
  • Protect Cloud Environments: The CrowdStrike 2023 Global Threat Report highlights that cloud exploitation continues to rise. Cloud exploitation cases grew by 95% and incidents involving cloud-conscious threat actors nearly tripled from 2021. CrowdStrike Falcon® Cloud Security provides complete protection and visibility to prevent incidents and breaches of cloud environments. 
  • Stop Identity-Based Attacks: 80% of cyberattacks now leverage stolen or compromised credentials. CrowdStrike Falcon® Identity Threat Protection provides organizations with comprehensive protection against identity-based attacks. Organizations can rapidly detect an attack, stop lateral movement and prevent an incident from escalating into a material event. 
  • Leverage Managed Detection and Response (MDR): Outsourcing critical security capabilities to leading MDR services can help organizations overcome the skills gap and reduce the complexity of their security environment. CrowdStrike Falcon® Complete is widely recognized as the industry’s leading MDR, providing the 24/7 prevention, threat hunting, detection and response capabilities needed to reduce the likelihood of a material incident. CrowdStrike Falcon Complete XDR extends these capabilities across all key attack surfaces, helping organizations close the cybersecurity skills gap, stop attempted threats quickly and, if a disclosure is required, meet the disclosure window.
  • Integrate Threat Intelligence into Security Strategies: A comprehensive threat intelligence program can align an organization on which threats and adversaries to focus their security efforts. CrowdStrike Falcon® Intelligence enables organizations to easily operationalize intelligence within the security operations center, gain visibility into adversary tactics and motives, and receive best-of-breed intelligence reporting and technical analysis.
  • Proactively Hunt for Threats and Incidents: Cyberattacks continue to become more sophisticated and harder to detect. Seventy-one percent of attacks are now malware-free. CrowdStrike Falcon® OverWatch provides proactive threat hunting capabilities that enable organizations to detect and disrupt hidden attacks. Identifying hands-on-keyboard activity can minimize the scope of a potential incident. 
  • Optimize Your Logging Strategies: Investigations frequently stall because the logs needed to support them were never collected or have already been discarded. The availability and cost of logging has long challenged CIOs and CISOs, and the migration to cloud has compounded the problem. Solutions like CrowdStrike Falcon® LogScale deliver powerful logging capabilities that speed investigations and deliver full visibility while reducing overall costs. Understanding what to log, how long the log data should be retained and whether staff and responders can access this data quickly when needed should be part of the overall plan.
  • Train for the Fight: Regular exercises are a critical part of maintaining an organization’s readiness posture as well as testing out new plans and processes. CrowdStrike’s Red Team/Blue Team exercises give technical responders an opportunity to practice against hands-on-keyboard threat activity, while Tabletop Exercises test coordination across security teams, business leaders and the board. Any new frameworks for reviewing materiality and making disclosures should ideally be exercised in a simulation. 

Preparing People and Processes for Risk Management Disclosure Rules

In addition to pushing public companies to implement better cybersecurity hygiene, the SEC is also pushing to strengthen risk management processes. This will put more of an onus on executive leaders and the boards that advise them. By requiring organizations to identify which business leaders are responsible for cyber risk, as well as their level of expertise, the SEC is underscoring that security oversight cannot be a rubber stamp. 

For boards of directors, CIOs and CISOs, this means asking probing questions about the tooling, people, processes and vendors that make up your security ecosystem, and supporting change where appropriate to uplevel the ability to detect, prevent, respond, recover and report as effectively as possible. It also means challenging claims of inexpensive, “check-box” solutions and focusing on the ability to evolve the security posture as the threats to your business and the rules change.

To the extent that cyber risk assessments are not already formalized, public companies will need to ensure they have a strategy for evaluating their risk exposure. In most cases, this will involve a layered approach, including periodic holistic risk assessments, more frequent red teaming, and tooling that supports continuous risk identification and management. It’s also recommended that companies use this opportunity to strengthen their internal risk governance practices and monitoring processes, which can help expedite and inform the evaluation requirements. 

The new rules suggest that directors and officers across the board — even if they are not directly responsible — will need to expand their knowledge of cyber risk. Most are already doing this. Many of our customers’ board members have asked to participate in or observe cyber tabletop exercises focused on testing their organization’s response. Others are requesting dedicated training or more frequent briefings on the threats to the business as well as the results of tests and assessments. 

CrowdStrike will continue to engage with the SEC and other regulators to advocate for the harmonization of new and existing cybersecurity incident reporting requirements. As new rules are put forth, it will be important to ensure alignment with existing regulations so that victim organizations can comply in a timely and transparent manner while continuing to focus on the fundamentals that keep their networks secure.

Meet the Protectors: New Video Series Spotlights Cybersecurity Leaders Powered by CrowdStrike

21 July 2023 at 16:37

You don’t have a malware problem — you have an adversary problem. CrowdStrike has relentlessly focused on finding and stopping the humans behind cyberattacks. Today, we’re launching a new series that highlights the people who fight back against these threats every day.

We’re excited to announce the launch of the Protectors Spotlight, a new series of short videos celebrating the cybersecurity professionals protecting their organizations and communities. Each video pulls the curtain back to tell the story of the customers fighting the good fight on a daily basis. The series looks at who they are, the organization they’re defending, the winding road of their security journeys and how they use the CrowdStrike Falcon® platform to stop breaches so their organization can innovate and grow. 

Protectors partner with CrowdStrike to stop breaches and protect their data. Many will be joining us at Fal.Con 2023. Register now and meet us in Las Vegas Sept. 18-21! 

Every customer has a unique story, and each faces different challenges in protecting their organizations from today’s relentless and sophisticated adversaries. But they all have one thing in common: trusting CrowdStrike to keep them secure and protect what matters most.

In the first few Protectors videos, we spotlight leaders at nine organizations across critical industries that face constant adversary attacks, including healthcare, financial services, state and local government, and more. Listen to the Protectors at Montage Health, Mercury Financial, Vijilan Security, Seagate Technology, The City of Las Vegas, State of Oklahoma, Claroty, Jemena and Parkway Schools tell their stories and share their journey with CrowdStrike. 

One of these leaders is Kevin Nejad, Founder and CEO of Vijilan Security. He was in a tough spot when the company’s legacy security information and event management (SIEM) system couldn’t keep up with demand — eventually impeding growth.

“Our infrastructure couldn’t scale very well, performance went down, and costs went through the roof,” he said in his Protectors video. “The management of data using SIEM technology became a hindrance in our growth. And that’s when we discovered CrowdStrike.” 

Watch the trailer:

Also featured in the Protectors Spotlight is David Worthington, CISO of Australian energy firm Jemena. He saw an opportunity to improve visibility across the business environment and, in doing so, quickly address potential threats.

“When you have visibility and you know what’s going on, you can actually plan and make sure things are going right, rather than waiting for some actor to come along and do something,” he said. “For me, that was the key. We’re going to see things earlier and respond a lot quicker.”

We are honored to highlight the people who fight back against these threats every day with fearlessness and a sense of mission and purpose — just as CrowdStrike does. We stop breaches so our customers can continue doing what they do best: Build a better world while serving their customers. 

Adversaries Can “Log In with Microsoft” through the nOAuth Azure Active Directory Vulnerability

14 July 2023 at 16:50

On June 20, 2023, Descope published research detailing how a combination of a flaw in Azure Active Directory and poorly integrated third-party applications — dubbed “nOAuth” — could lead to full account takeover. nOAuth is the latest in a large number of vulnerabilities and architectural weaknesses in Microsoft software and systems like Active Directory that can be exploited and put organizations at risk. 

Microsoft has responded to the vulnerability, but until developers change the code of their applications, the proposed mitigation relies on organizations having strong identity protection capabilities to guard privileged accounts against misuse by rogue administrators. 

The Architectural Limitations of the Microsoft Identity Ecosystem Persist

The architectural weaknesses in Active Directory and Azure Active Directory (Azure AD) have been well documented over the years. These structural weaknesses and vulnerabilities have become a modern attack surface for the adversary. Despite this, Active Directory and Azure Active Directory continue to serve as the identity infrastructure for a large number of organizations. According to a Frost & Sullivan report, 90% of Fortune 1000 companies use Active Directory. 

Azure AD was Microsoft’s opportunity to start with a clean slate and build a modern, secure identity and access management (IAM) solution. However, the repeated vulnerabilities in its identity infrastructure can make organizations susceptible to breaches. While Microsoft recently changed the name of Azure AD to Entra ID, the security concerns remain.

As nOAuth, exposed flaws from Azure AD’s integration with Active Directory, and vulnerabilities associated with session theft show, the identity security problem has shifted to the cloud. It is worth noting that the response Microsoft issued for nOAuth on June 20 was more than two months after the vulnerability was disclosed to the company. This leads to two primary questions organizations need to consider:

  • How many more of these vulnerabilities exist that are yet to be discovered? 
  • Can you really afford to wait two months for mitigation of a risk that could lead to total account takeover? 

This consistent discovery of vulnerabilities, coupled with the architectural limitations of Active Directory and Azure AD, calls for comprehensive identity security that should be:

  • Abstracted from the identity provider: A person or workload may have many accounts spread across different identity providers. Therefore, centralized visibility, detection and prevention is the only way to stop identity-based attacks. 
  • Correlated and contextualized with the rest of the security stack: Only by blending endpoint, identity and third-party telemetry can you understand the full attack chain and detect all adversary activity whilst also reducing complexity and tool sprawl. 
  • Not limited to detecting “known vulnerabilities”: Identity protection should combine CVE-based detections with real-time behavioral analysis so that adversary activity is caught even when no CVE describes the weakness being abused. 
  • Hybrid identity protection extended from on-premises to the cloud: This includes examining credential entitlements to mitigate the impact of a breach if it occurs.
  • Capable of monitoring applications for misconfigurations: Typical approaches to identity security focus on analyzing the identity providers for vulnerabilities. While identity providers should provide best-practice implementation advice, if the application is misconfigured, you remain vulnerable. 

What is nOAuth?

As detailed by Descope, nOAuth describes a vulnerability in the trust between an identity provider (in this case, Azure AD) and a relying party (an application). The name “nOAuth” is a play on the authorization protocol “OAuth,” whereby the application is issued a token by the identity provider that contains information about the user and the data they wish to share with the application. These are called “claims.” 

Whether you are familiar with OAuth or not, there is a high probability you’ve used it before! Think about all of the times you’ve registered for a service, where you have an option to “Sign in with Google” or “Sign in with Microsoft” or “Sign in with Facebook.” Does a screen like this look familiar?

After clicking one of those options, you authenticate to the identity provider and are then asked what you want to share with the application — name, address, gender, etc. After selecting preferences, the identity provider issues a token that the application reads so it knows:

  • Who you are, which is important so a profile can be created inside the application. For example, if you sign up for an account with a grocery store, you want it to remember your favorite items to build recommendations for what else you might like. 
  • Which data the application is allowed to request from the identity provider. For example, you might want the grocery store to have your address (so it knows where to send your shopping), but you might not want them to have your date of birth. 

Coming back to nOAuth, it is the “who you are” claim that is manipulated by the adversary. Many applications that implement OAuth make the mistake of using “email” as the user identifier instead of an immutable value such as the object identifier (OID). Email is a mutable attribute, so as long as the adversary can obtain a token whose email claim carries the victim’s address, they gain full access to the victim’s account without knowing their password or having to perform multifactor authentication (MFA). 

In the Azure AD scenario, the impact is much greater because anyone can generate that claim. The team at Descope created a powerful demonstration of how effective this is. 

Let’s clearly frame where the problem lies with nOAuth and Microsoft:

  • Microsoft allows anyone with an Azure AD account to set the email attribute of a user in their own tenant to any email address, whether or not that tenant has proved it “owns” the domain. For example, even though you own your domain, an adversary could give a user account in their own Azure AD tenant an address in your domain too. 
  • When developers were building OAuth integration with Azure AD, they opted to use email as the user identifier, as opposed to an immutable value like OID.

Microsoft Response to nOAuth

On June 20, Microsoft released guidance on how to manage the nOAuth vulnerability:

  • To mitigate the risk for existing applications without changing code, set removeUnverifiedEmailClaim to true on the application’s authenticationBehaviors resource in the Microsoft Graph API (currently beta). Azure AD then omits the email claim from tokens issued for that application when the address’s domain is not verified in the issuing tenant. 
  • When developers are ready to update their code and migrate users to an immutable identifier, like OID, they can use the “xms_edov” (email domain owner verified) claim to confirm that the email address belongs to a domain verified in the Azure AD tenant before the user identifier is changed. 
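The following is an added example, not code from the original post, from Descope or from Microsoft. It models the relying-party side of the “who you are” lookup described above: the vulnerable email-keyed lookup beside a hardened version keyed on (tid, oid), with the xms_edov gate from Microsoft’s guidance applied only to the one-time migration of legacy, email-keyed accounts. Every tenant ID, object ID, address and token claim in it is constructed; the Account store is a stand-in for whatever the application uses.

```python
"""Relying-party account lookup in the nOAuth scenario: the vulnerable email-keyed
pattern beside a hardened version keyed on immutable Azure AD identifiers and gated
on the xms_edov claim for legacy-account migration.

Every tenant ID, object ID, address and token claim below is constructed for this
example; none is a real tenant or a real token.
"""
from dataclasses import dataclass
from typing import Optional

ORG_TENANT = "11111111-1111-1111-1111-111111111111"       # constructed: the victim organisation's tenant
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed: a tenant the adversary controls


@dataclass
class Account:
    email: str
    role: str
    tid: Optional[str] = None  # Azure AD tenant ID, once bound
    oid: Optional[str] = None  # Azure AD object ID, once bound


# Constructed user store: Alice is a legacy account that predates immutable IDs,
# Bob has already been bound to (tid, oid).
USERS = [
    Account(email="alice@example.com", role="admin"),
    Account(email="bob@example.com", role="user",
            tid=ORG_TENANT, oid="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"),
]

# Constructed ID-token claims (only the claims the lookup needs are modelled).
BOB_CLAIMS = {"tid": ORG_TENANT, "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
              "email": "bob@example.com", "xms_edov": True}
ALICE_CLAIMS = {"tid": ORG_TENANT, "oid": "cccccccc-cccc-cccc-cccc-cccccccccccc",
                "email": "alice@example.com", "xms_edov": True}
# The adversary set a user's email attribute in their own tenant to Alice's address.
# example.com is not a verified domain there, so Azure AD does not assert xms_edov=true.
ATTACKER_CLAIMS = {"tid": ATTACKER_TENANT, "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
                   "email": "alice@example.com"}


def lookup_by_email(claims: dict) -> Optional[Account]:
    """VULNERABLE: the mutable email claim is the account key, so any tenant that can
    mint a token carrying the victim's address gets the victim's account."""
    email = (claims.get("email") or "").lower()
    return next((u for u in USERS if u.email.lower() == email), None)


def lookup_by_immutable_id(claims: dict) -> Optional[Account]:
    """Hardened: key on (tid, oid). oid is only unique within a tenant, so the pair is
    needed for a multi-tenant app; the email claim plays no part in identification."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    return next((u for u in USERS if u.tid == tid and u.oid == oid), None)


def email_domain_verified(claims: dict) -> bool:
    """Trust the email claim only when xms_edov is literally true; absent or false is untrusted."""
    return claims.get("xms_edov") is True


def bind_legacy_account(claims: dict) -> Optional[Account]:
    """One-time migration: attach (tid, oid) to an email-keyed legacy account, but only
    when the identity provider attests that the email domain is verified."""
    if not email_domain_verified(claims):
        return None
    acct = lookup_by_email(claims)
    if acct is None or acct.tid is not None:
        return None  # unknown address, or already bound: never rebind on an email match
    acct.tid, acct.oid = claims["tid"], claims["oid"]
    return acct


def authenticate(claims: dict) -> Optional[Account]:
    """Hardened sign-in: immutable lookup first, verified-email binding only as a fallback."""
    return lookup_by_immutable_id(claims) or bind_legacy_account(claims)


if __name__ == "__main__":
    print("vulnerable:", lookup_by_email(ATTACKER_CLAIMS))   # Alice's admin account
    print("hardened:  ", authenticate(ATTACKER_CLAIMS))      # None
    print("alice bind:", authenticate(ALICE_CLAIMS))         # Alice, now bound to (tid, oid)
```

Once Alice has signed in with a verified-domain token and been bound, the attacker’s token is refused twice over: its (tid, oid) pair matches nothing, and the binding fallback never runs because xms_edov is not asserted. In a single-tenant application the OID alone would do, but keying on the pair costs nothing and survives a later move to multi-tenant sign-in.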

Developer Security Awareness

Developers must abide by best practices and recommendations for securing modern identity protocols like OAuth. This is a reminder that security training provided by organizations must span beyond non-technical staff. Developers, infrastructure engineers, architects and support staff are all responsible for building and maintaining the next generation of business-critical applications. They need to be aware of the ramifications of how a weak implementation of an authentication journey in an application can undo much of the great work IAM teams may have done to secure the identity provider itself. 

Despite the Response, the Problem Remains

As of Thursday, July 13, it is still possible to create a free Azure AD account and map any email address to a user account, without any validation of domain ownership. Therefore, until developers update their code to use immutable values as the user’s primary identifier, all organizations can do is mitigate the risk. 

The mitigation step, which relies on a beta Microsoft Graph API setting, can be reverted by a rogue Azure AD administrator. 

Therefore, the solution to this problem is securely transitioning applications from an email-based identifier, which requires developers to update code within homegrown apps. The same applies for developers who work for third parties that provide the business-critical, modern applications you use. Making this change also isn’t as simple as it sounds — it could have a downstream impact on the application experience, which may extend the length of time it takes to implement the change.

The question now becomes, “What countermeasures can you put in place in the interim to mitigate the rogue administrator risk and proactively protect against future vulnerabilities in your hybrid identity ecosystem?”

Countermeasures for Identity-Based Attacks in AD and Azure AD

CrowdStrike Falcon Identity Threat Protection, fully integrated with the CrowdStrike Falcon platform, provides organizations with comprehensive protection against identity-based attacks. It detects attacks and prevents lateral movement, stopping breaches stemming from vulnerabilities in Active Directory and Azure AD. In the context of nOAuth, this allows you to detect rogue administrator activity that could be an indication of intent to exploit nOAuth.

Proactively Identify Azure AD Applications that Permit Unverified Email Claims

Microsoft’s mitigation to this issue is to set “removeUnverifiedEmailClaim” to true using the Graph API. Falcon Cloud Security has hundreds of Indicators of Misconfiguration (IOMs), including one that can proactively identify the applications with the value set to false, enabling customers to rapidly identify and mitigate the risk of exploitation.

Falcon Cloud Security IOM Policy Screen (click to enlarge)
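As an added example (not Falcon Cloud Security’s IOM logic or any Microsoft sample), the following script triages a Microsoft Graph application listing for the setting described above and builds the remediation call for each finding. The listing is constructed inline to resemble what the beta applications endpoint returns; no network call is made. The app object IDs are hypothetical, and treating a missing or null authenticationBehaviors value as unmitigated is this script’s own conservative assumption, not a statement about Microsoft’s default.

```python
"""Triage Azure AD application registrations for the nOAuth mitigation setting.

The records below are constructed to resemble what a Microsoft Graph
  GET https://graph.microsoft.com/beta/applications?$select=id,displayName,authenticationBehaviors
listing returns; no network call is made. The remediation PATCH shape follows Microsoft's
published guidance; confirm it against the current Graph documentation before sending it.
"""
import json

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Constructed listing (hypothetical application object IDs).
APPS_PAGE = {
    "value": [
        {"id": "0f1e2d3c-0000-4000-8000-000000000001", "displayName": "Payroll Portal",
         "authenticationBehaviors": {"removeUnverifiedEmailClaim": False}},
        {"id": "0f1e2d3c-0000-4000-8000-000000000002", "displayName": "Intranet",
         "authenticationBehaviors": {"removeUnverifiedEmailClaim": True}},
        {"id": "0f1e2d3c-0000-4000-8000-000000000003", "displayName": "Legacy CRM",
         "authenticationBehaviors": None},
        {"id": "0f1e2d3c-0000-4000-8000-000000000004", "displayName": "Ticketing"},
    ]
}


def permits_unverified_email(app: dict) -> bool:
    """True unless removeUnverifiedEmailClaim is explicitly true.
    A missing or null value means the setting was never applied; this triage treats that
    as unmitigated (a conservative assumption) so the app is reviewed rather than skipped."""
    behaviors = app.get("authenticationBehaviors") or {}
    return behaviors.get("removeUnverifiedEmailClaim") is not True


def find_exposed_apps(page: dict) -> list:
    """Return [(id, displayName, current_value)] for every app still permitting unverified email claims."""
    out = []
    for app in page.get("value", []):
        if permits_unverified_email(app):
            current = (app.get("authenticationBehaviors") or {}).get("removeUnverifiedEmailClaim")
            out.append((app["id"], app.get("displayName", ""), current))
    return out


def remediation_request(app_id: str) -> dict:
    """Build the Graph call that applies the mitigation (returned, not sent)."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BETA}/applications/{app_id}/authenticationBehaviors",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"removeUnverifiedEmailClaim": True}),
    }


def triage(page: dict) -> list:
    """Findings plus the ready-to-send request for each."""
    return [{"id": i, "displayName": n, "current": c, "fix": remediation_request(i)}
            for i, n, c in find_exposed_apps(page)]


if __name__ == "__main__":
    for f in triage(APPS_PAGE):
        print(f"{f['displayName']:15} removeUnverifiedEmailClaim={f['current']!r} "
              f"-> {f['fix']['method']} {f['fix']['url']}")
```

Reading the listing needs a token with Application.Read.All; applying the PATCH needs Application.ReadWrite.All. Because the setting lives on the app registration, a rogue administrator can flip it back, which is why the paragraph above pairs the IOM with detection of administrator activity rather than treating the PATCH as a one-off fix. Expect some fallout when enabling it: any user whose address is in a domain the tenant has not verified will stop receiving an email claim for that application.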

Correlate Audit and Access Events

An email address change is a perfectly legitimate activity. However, that activity correlated with other telemetry occurring around the same time, such as privilege escalations and anomalous access to resources, could indicate rogue administrator activity. CrowdStrike gives you this visibility, transforming the threat hunting experience for SOC and IAM teams by linking all of the events in the kill chain into a single incident view:

Detect and Prevent Hybrid Lateral Movement 

While many organizations use Azure AD for conditional access and single sign-on (SSO), Active Directory is often the “true” identity provider. User objects are created and modified in on-premises Active Directory then synchronized to the cloud via Azure AD Connect. Therefore, an adversary inside your network with sufficient permissions in Active Directory can create accounts and modify email addresses, which replicate to Azure AD, all without the adversary having administrative access to the Azure AD portal. They can also exploit known vulnerabilities in AD, such as Overpass-the-Hash attacks, to move laterally into Azure AD without being challenged for authentication. 

To understand how Falcon Identity Protection identifies risks, and detects and prevents lateral movement, please see this video. We demonstrate how CrowdStrike detects and prevents adversaries from moving laterally from Active Directory to Azure AD.

Monitor Unusual Activity

Building behavioral baselines across all of your accounts is critical, but reviewing these single events in isolation often leads to false positives. For example, if a user who has worked in the organization for a long time is granted access to an application due to a role change, how can you determine the difference between anomalous and malicious activity? 

Therefore, it is important to combine anomalous events with other telemetry you have about the user to determine whether an action is malicious, as opposed to just anomalous. In this example, we show geographical anomalies occurring alongside the anomalous application access:

Define and Monitor Privileged Accounts

Privileged accounts are often defined as those that have administrative privileges in the identity store — for example, a domain administrator in Active Directory or a Global Admin in Azure AD. However, a user who is the global administrator in your CRM solution is privileged as well, and the impact to your business if that account is compromised could be devastating. CrowdStrike allows you to map business privileges to the potential business impact of a specific account being compromised. This elevates the risk score associated with those accounts, meaning detections are raised with a higher priority, prompting the SOC and IAM teams to prioritize review and remediation.

Correlate Application and Identity Store Audit Logs

Correlating audit logs between the identity provider and the application can be a powerful way to detect malicious activity. For example, seeing an authentication event at the identity provider that does not correlate with an access event in the application logs, can be an indication a user’s account has been compromised. 

By combining the power of CrowdStrike Falcon Identity Threat Protection and Falcon LogScale, you could use a scheduled query like this that will correlate login events between the identity provider and the application audit log to highlight anomalies.
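The correlation the two paragraphs above describe, as an added example rather than a query from the original post or a Falcon LogScale artifact: two constructed logs stand in for the identity provider’s sign-in log and the application’s access log, and the code flags sign-ins with no corresponding application access inside a window, plus the symmetric case of application access with no preceding sign-in. The line format and field names are hypothetical, not a vendor schema.

```python
"""Correlate identity-provider sign-in events with an application's own access log.

The two logs below are constructed for this example. They stand in for the Azure AD
sign-in log and a web application's access log; field names are hypothetical, not a
specific vendor schema.
"""
from datetime import datetime, timedelta, timezone

IDP_LOG = """\
2023-07-13T09:01:05Z signin user=alice@example.com app=payroll result=success
2023-07-13T09:30:10Z signin user=bob@example.com app=payroll result=success
2023-07-13T09:45:00Z signin user=dave@example.com app=payroll result=failure
2023-07-13T11:02:00Z signin user=alice@example.com app=payroll result=success
"""

APP_LOG = """\
2023-07-13T09:01:20Z access user=alice@example.com path=/home
2023-07-13T09:02:02Z access user=alice@example.com path=/payslips
2023-07-13T10:15:44Z access user=carol@example.com path=/admin
2023-07-13T11:03:10Z access user=alice@example.com path=/home
"""


def parse(log: str) -> list:
    """Parse 'timestamp event key=value ...' lines into dicts with a tz-aware datetime."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, *kvs = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
              "kind": kind}
        ev.update(kv.split("=", 1) for kv in kvs)
        events.append(ev)
    return events


def orphan_signins(idp: list, app: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Successful IdP sign-ins with no application access by that user within `window`.
    A token was issued but never reached the application: worth a look."""
    out = []
    for s in idp:
        if s.get("result") != "success":
            continue
        seen = any(a["user"] == s["user"] and s["ts"] <= a["ts"] <= s["ts"] + window
                   for a in app)
        if not seen:
            out.append(s)
    return out


def unauthenticated_access(idp: list, app: list, window: timedelta = timedelta(hours=1)) -> list:
    """Application accesses with no successful IdP sign-in by that user in the preceding
    `window`: a stolen session cookie or replayed token looks exactly like this."""
    out = []
    for a in app:
        ok = any(s["user"] == a["user"] and s.get("result") == "success"
                 and a["ts"] - window <= s["ts"] <= a["ts"] for s in idp)
        if not ok:
            out.append(a)
    return out


def run(idp_log: str = IDP_LOG, app_log: str = APP_LOG) -> dict:
    idp, app = parse(idp_log), parse(app_log)
    return {"orphan_signins": orphan_signins(idp, app),
            "unauthenticated_access": unauthenticated_access(idp, app)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, [(h["ts"].isoformat(), h["user"]) for h in hits])
```

On the constructed data, Bob’s sign-in is orphaned and Carol’s /admin access has no sign-in behind it. The window sizes are the tuning knob: too tight and normal latency between the identity provider and the application produces noise, too loose and a replayed session hides inside an earlier legitimate sign-in. Clock skew between the two log sources needs the same care as the window itself.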

Proactively Identify Vulnerable Applications 

Identifying the weak points and the assets you need to protect is the critical step in protecting your organization. However, the process of identifying vulnerable applications can be difficult. External attack surface monitoring tools, like CrowdStrike Falcon® Surface, have the capability to identify applications, such as those using OAuth or OIDC, so you know which applications need to be reviewed. 

Additional Resources


Welcome to the Adversary Universe Podcast: Unmasking the Threat Actors Targeting Your Organization

13 July 2023 at 18:18

The modern adversary is relentless. Today’s threat actors target global organizations with increasingly sophisticated attacks. As we’ve said since the founding of CrowdStrike: “You don’t have a malware problem, you have an adversary problem.” Protection starts by unmasking the threat actors targeting your organization. Who are they? What are they after? And most importantly, how can you defend against them?

CrowdStrike answers these questions and more in the new Adversary Universe podcast. Hosted by CrowdStrike SVP of Intelligence Adam Meyers and Field CTO of the Americas Cristian Rodriguez, the podcast will deliver a deep understanding of adversaries and their motivations and evolving tactics so organizations can better protect themselves.   

“There’s a human behind this attack,” Adam says in the first episode of the Adversary Universe podcast. “And if you understand who those humans are, how they operate, and what they’re after, then you can defend your business.” 

New episodes will be released every other Thursday on Spotify, Google Podcasts, Apple Podcasts, Amazon Music and the Adversary Universe podcast webpage.

The first episode — “Who Is the Adversary?” — is available now. This episode introduces listeners to the podcast series and sheds light on the history of CrowdStrike and how we pioneered the concept of an adversary-focused approach to cybersecurity. It begins to tell the story of modern adversaries: who they are, how they’re tracked and why you should learn more about them. Tune in to learn about CrowdStrike’s early days, the origin of the name Fancy Bear, the importance of adversary intelligence and more. 

“There is a very big reason why overall awareness of these various tradecrafts and these campaigns — and understanding who is responsible for these attacks — is so important to your business,” Cristian explains. “You shouldn’t just ignore it because it doesn’t directly impact you, or there’s a perception of lack of impact.”

Here’s a sneak peek of what’s coming in future episodes:

  • Cloud Is the New Battleground: We’ll explore how threat actors use the cloud to their advantage: how they breach cloud environments, the actions they take once they’re in, and the ways they use the cloud as a tool in their attacks.
  • Invisible Threats: Discovering, Tracking and Mitigating Vulnerabilities: How do you know when your software is vulnerable? How should you prioritize patching? What do you do when a patch isn’t available? What is a zero-day? Tune in as we dive into the world of vulnerability intelligence. 
  • Have You Been Breached? Along with a guest from CrowdStrike’s incident response team, we’ll share the warning signs that could indicate a breach has occurred, the immediate next steps to take, and why having the right data is essential to recovery.

We’re excited to launch this podcast and share CrowdStrike’s unparalleled threat intelligence and compelling insights with the world. New episodes will drop every two weeks starting today — mark your calendars now! 

Additional Resources 

CrowdStrike Expands XDR Ecosystem to Give Customers a Data Advantage

13 July 2023 at 06:00

Cybersecurity is fundamentally a data problem. As adversary techniques continue to mature, organizations still struggle to collect the right data from all their security and IT point products to detect and respond to evolving threats. 

CrowdStrike offers a clear data advantage in the cybersecurity market. For the past 12 years, we’ve collected, correlated and analyzed trillions of events from thousands of customers around the globe to provide unparalleled threat intelligence and build technology powered by AI. 

As the modern threat landscape evolves, security requires a collaborative approach that combines Falcon and third-party telemetry for unified detection and response. The CrowdStrike extended detection and response (XDR) ecosystem brings together more than 20 best-of-breed partners to help security teams eliminate threats across multiple domains from the unified Falcon platform. 

Today, we’re expanding the CrowdXDR Alliance to help you consolidate threat visibility with the addition of a new alliance partner.

Skyhigh Security Joins the CrowdXDR Alliance

CrowdStrike is pleased to announce that Skyhigh Security has joined the CrowdXDR Alliance. As a leader in security service edge (SSE), Skyhigh Security brings more than a decade of cloud and data security expertise to the CrowdStrike XDR ecosystem.

Through this collaboration, Skyhigh Security’s SSE integrates with CrowdStrike Falcon® Insight XDR to provide comprehensive cross-domain visibility of threats across web, sanctioned cloud apps, email and private apps. Skyhigh Security shares traffic threats with Falcon Insight XDR, providing real-time threat protection against advanced cloud-focused threats. Skyhigh Security also applies CrowdStrike Zero Trust Assessment (ZTA) scores in its Zero Trust policy enforcement to further restrict unauthorized access to private applications.

This latest XDR integration, driven by customer demand, demonstrates our commitment to expanding the CrowdStrike security ecosystem. The addition of Skyhigh Security gives Falcon Insight XDR customers the best in XDR protection.

The Need for an XDR Ecosystem 

The speed and sophistication of today’s adversaries heighten the need for XDR. The CrowdStrike 2023 Global Threat Report found the average breakout time for an eCrime incident — the time between when an attacker gains initial access and when they begin to move laterally — dropped to 84 minutes in 2022. A staggering 71% of attacks detected by CrowdStrike Intelligence did not involve the use of malware.

While attacks continue to gain speed and sophistication, new threat actors are emerging. In 2022, CrowdStrike Intelligence started monitoring 33 new adversaries, bringing the total number of adversaries tracked to over 200. 

To stop breaches, it’s crucial for customers to match and exceed the speed of today’s adversaries. The traditional approach of relying on multiple point solutions from different vendors has led to silos, poor visibility and increased complexity, making it difficult to quickly identify and respond to threats. 

XDR collects threat data from previously siloed security tools across the technology stack for easier and faster threat hunting, investigation and response. Falcon Insight XDR delivers market-leading protection by bringing together security telemetry across endpoints, cloud workloads, network, email and more.

Exploring the Breadth of CrowdStrike XDR Integrations

CrowdStrike works with the broadest XDR ecosystem of vendors to offer data ingestion and response action capabilities. 

The value of data-ingestion vendors lies in their ability to enrich and enhance the CrowdStrike threat intelligence ecosystem. By integrating data from a diverse range of sources, organizations can gain a comprehensive view of their environment, enabling faster and more effective detection, response and mitigation of sophisticated cyber threats. 

CrowdStrike also provides automated response actions through vendor integrations, enabling customers to take swift and effective actions to contain and remediate threats, further strengthening incident response capabilities and minimizing the impact of cyberattacks.

CrowdStrike XDR integrations cover critical security domains, including:  

Security Service Edge (SSE)

  • Cloudflare One data ingestion helps increase visibility and reduce risks by verifying, filtering, inspecting and isolating user traffic from internet threats.
  • Menlo Security data ingestion prevents highly evasive adaptive threats (HEATs) that target web browsers.
  • Netskope data ingestion helps detect and stop web-based threats faster by unifying security data across endpoint and SSE domains.
  • Skyhigh Security data ingestion helps mitigate unauthorized access, data risk and threats, protecting organizations’ data across web, cloud, email, and private apps.
  • Zscaler Internet Access data ingestion funnels relevant security data at scale, providing network and cloud application visibility for accelerated investigations and responses.
  • Zscaler Internet Access response actions allow you to control access to critical information and automate manual tasks.

Network Detection and Response

  • Corelight Zeek-based network data ingestion visualizes seemingly unrelated events to unlock new analytics, investigate faster and disrupt future attacks.
  • ExtraHop Reveal(x) 360 data ingestion enables rapid and precise action for more effective threat detection, investigation and response across IT environments.
  • Vectra® AI-driven Attack Signal Intelligence™ data ingestion enables SOC teams to rapidly detect, prioritize and contain cyberattacks long before they progress and become breaches.

Firewall

  • Cisco Adaptive Security Appliance (ASA) data ingestion helps monitor network threats continuously in real time.
  • Fortinet FortiGate data ingestion leverages firewall logs to enable cross-domain XDR detections and data to perform investigations, write queries and create custom XDR detections.
  • Palo Alto Networks Next-Generation Firewall data ingestion helps proactively and intelligently monitor network security using machine learning.

Identity

  • ForgeRock data ingestion provides cross-domain threat detection for identity-based threats.
  • Okta data ingestion and response unifies security data to enable response actions across endpoint and identity domains.
  • Ping Identity PingOne data ingestion helps log and ingest data from the PingOne Cloud Platform to allow direct action against identity-based threats.

Email Security

  • Cisco Secure Email Gateway data ingestion helps monitor email threats continuously in real time with threat prioritization.
  • Microsoft Graph data ingestion enhances XDR detections with Microsoft Defender for Office 365 email and Azure Active Directory identity data.
  • Mimecast data ingestion brings together email and endpoint security data to enable faster cross-domain threat detection and alerting.
  • Mimecast response actions accelerate response time and enhance accuracy by enabling Mimecast email response actions.
  • Proofpoint data ingestion helps detect and stop targeted email threats faster by unifying security data across endpoint and email domains.

The CrowdStrike Data Advantage

The traditional approach of relying on multiple point solutions from different vendors creates gaps for adversaries to exploit, while driving up cost and complexity — all at a time when the stakes have never been higher for security teams.

Our industry-leading XDR ecosystem continues to expand rapidly, enabling you to consolidate your cybersecurity platform and workflows, and give you a data advantage to protect against modern threats.

Additional Resources

July 2023 Patch Tuesday: Six Actively Exploited Zero-Days and Nine Critical Vulnerabilities Identified

11 July 2023 at 22:43

Microsoft has released security updates for 131 vulnerabilities and a disclosure for one yet-unpatched vulnerability for its July 2023 Patch Tuesday rollout: 9 are rated as Critical while the remaining 122 are rated as Important. There is one vulnerability without a severity rating.

July 2023 Risk Analysis

This month’s leading risk type is remote code execution (28%), followed by elevation of privilege (25%) and denial of service (17%).

Figure 1. Breakdown of July 2023 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month with 104, followed by Extended Support Updates (56) and Microsoft Office products (16).

Figure 2. Breakdown of product families affected by July 2023 Patch Tuesday

Actively Exploited Zero-Day Vulnerability Affects Office and Windows HTML

Microsoft has disclosed an unpatched, Important-rated vulnerability in Office and Windows HTML, CVE-2023-36884, which has a CVSS of 8.3, and has released guidance for this remote code execution vulnerability impacting Windows and Office products. Microsoft states, “Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.” The Microsoft Threat Intelligence team has released a blog summarizing the findings and the tools, TTPs and recommendations needed to defend against these attacks.

Rank CVSS Score CVE Description
Important 8.3 CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability

Table 1. Zero day in Microsoft Office and Windows HTML

Actively Exploited Zero-Day Vulnerability Affects Windows MSHTML Platform

Microsoft Windows MSHTML has received a patch for CVE-2023-32046, which is rated Important and has a CVSS of 7.8. This vulnerability could allow an attacker to gain the rights of the user running the affected application by sending a specially crafted file via email or web. User interaction is required for successful exploitation. Microsoft recommends, “To stay fully protected, we recommend that customers who install Security Only updates install the IE Cumulative updates for this vulnerability.”

Rank CVSS Score CVE Description
Important 7.8 CVE-2023-32046 Windows MSHTML Platform Elevation of Privilege Vulnerability

Table 2. Zero day in Windows MSHTML platform

Actively Exploited Zero-Day Vulnerability Affects Windows SmartScreen

A patch has been released for CVE-2023-32049, a security feature bypass vulnerability in Microsoft Windows SmartScreen that is rated Important and has a CVSS of 8.8. This vulnerability allows for an adversary to bypass the Open File Security Warning prompt when a file is downloaded or opened via the internet. User interaction is required in order to successfully exploit this vulnerability.

Rank CVSS Score CVE Description
Important 8.8 CVE-2023-32049 Windows SmartScreen Security Feature Bypass Vulnerability

Table 3. Zero day in Windows SmartScreen

Actively Exploited Zero-Day Vulnerability Affects Windows Error Reporting Service

Microsoft Windows Error Reporting Service is receiving a patch for CVE-2023-36874, which is rated Important and has a CVSS of 7.8. Microsoft states that an attacker must have local access to the machine with default user privileges in order to successfully exploit the flaw and gain administrative privileges.

Rank CVSS Score CVE Description
Important 7.8 CVE-2023-36874 Windows Error Reporting Service Elevation of Privilege Vulnerability

Table 4. Zero day in Windows Error Reporting Service

Actively Exploited Zero-Day Vulnerability Affects Microsoft Outlook

Microsoft Outlook is receiving a patch for Important-rated vulnerability CVE-2023-35311, which has a CVSS of 8.8. This vulnerability resides in the Outlook Security Notice prompt and allows an attacker to bypass it. Microsoft states that the Preview Pane is an attack vector for this vulnerability and that user interaction is required.

Rank CVSS Score CVE Description
Important 8.8 CVE-2023-35311 Microsoft Outlook Security Feature Bypass Vulnerability

Table 5. Zero day in Microsoft Outlook Security

Critical Vulnerabilities Affect Windows

CVE-2023-35315 is a Critical vulnerability affecting Windows Layer-2 Bridge Network Driver with a CVSS of 8.8. Microsoft says, “An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to a Windows Server configured as a Layer-2 Bridge.” To successfully exploit this vulnerability, an attacker must first gain access to the restricted network prior to launching an attack.

CVE-2023-35352 is a Critical vulnerability affecting Windows Remote Desktop with a CVSS of 7.5. Microsoft rates this vulnerability as “Exploitation More Likely.” If the vulnerability is successfully exploited, an adversary would be able to bypass certificate or private key authentication when initiating a remote desktop session.

CVE-2023-35365, CVE-2023-35366 and CVE-2023-35367 are Critical vulnerabilities affecting Windows Routing and Remote Access Service (RRAS), and each has a CVSS score of 9.8. These vulnerabilities are only exploitable on Windows servers that have Routing and Remote Access Service (RRAS) roles, which are not installed and configured by default. Microsoft states, “… to exploit this vulnerability, an attacker would need to send specially crafted packets to a server configured with the Routing and Remote Access Service running.”

CVE-2023-32057 is a Critical vulnerability affecting Microsoft Message Queuing (MSMQ) with a CVSS of 9.8. In order to successfully exploit this vulnerability, an attacker would have to send a specifically crafted malicious MSMQ packet to a MSMQ server, leading to a remote code execution. This Windows component needs to be enabled for a system to be vulnerable. Microsoft recommends checking if “Message Queuing” service is running and TCP port 1801 is listening on the machine.

CVE-2023-35297 is a Critical vulnerability affecting Windows Pragmatic General Multicast (PGM) with a CVSS of 7.5. Microsoft states, “This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.” The attack complexity is high, meaning an attacker must perform additional actions beforehand.

Rank CVSS Score CVE Description
Critical 8.8 CVE-2023-35315 Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability
Critical 7.5 CVE-2023-35352 Windows Remote Desktop Security Feature Bypass Vulnerability
Critical 9.8 CVE-2023-35365 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
Critical 9.8 CVE-2023-35366 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
Critical 9.8 CVE-2023-35367 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
Critical 9.8 CVE-2023-32057 Microsoft Message Queuing Remote Code Execution Vulnerability
Critical 7.5 CVE-2023-35297 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

Table 6. Critical vulnerabilities in MS Windows

Guidance on Microsoft Signed Device Drivers Being Used Maliciously 

Microsoft was recently alerted to drivers certified through its Microsoft Windows Hardware Developer Program (MWHDP) being used maliciously in post-exploitation activity. In these attacks the adversary first obtained administrative privileges on compromised systems and then loaded the signed malicious drivers. Microsoft has suspended the developer accounts involved in this incident and, according to its investigation, Microsoft services are not affected. The company recommends that all customers install the latest Windows updates and ensure antivirus and endpoint detection products are up-to-date. Please see the Microsoft Security Advisory for more information.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of security events every day from across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight vulnerability management can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate the severity and characteristics of software vulnerabilities. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

  • For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
  • See how Falcon Spotlight can help you discover and manage vulnerabilities and prioritize patches in your environments. 
  • Learn how CrowdStrike’s external attack surface module, Falcon Surface, can discover unknown, exposed and vulnerable internet-facing assets enabling security teams to stop adversaries in their tracks.
  • Learn how Falcon identity protection products can stop workforce identity threats faster. 
  • Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
  • Test CrowdStrike next-gen AV for yourself with a free trial of Falcon Prevent.

How to Augment or Replace Your SIEM with the CrowdStrike Falcon Platform

11 July 2023 at 15:36

In Part 1 of our SIEM blog series, we discussed the state of SIEMs today and how CrowdStrike Falcon® LogScale solves five key SIEM use cases while improving security outcomes and cost savings compared to traditional SIEMs.

Our conversations with customers have made it clear: SIEM requirements don’t stop at the five use cases covered in that blog. Modern SIEM systems extend beyond log management to deliver full threat detection, investigation and response. To take advantage of this broader set of use cases, you need additional capabilities including analytics, intelligence and managed services. 

In this post, we’ll explore how you can use Falcon LogScale with other elements of the CrowdStrike Falcon® platform to augment or replace your existing SIEM, while also getting industry-leading threat detection, petabyte-scale logging and low total cost of ownership.

1. Modern log management

As the name indicates, the number one job of a security information and event management (SIEM) system is managing information and events. SIEMs should empower you to collect and retain data from a variety of sources, swiftly search through log data to find threats, and scale to support increasing log volumes. Unfortunately, many of today’s SIEMs are hindered by outdated, index-based architectures and can’t keep up with data growth.

Falcon LogScale delivers the massive scale, exceptional performance and sub-second latency you need to detect and quickly respond to threats. As a modern log management platform, it collects up to one petabyte of data per day, per deployment, and instantly notifies you of attacks with real-time alerting customized by your team. You can uncover threats quickly, and because of its affordable licensing options, Falcon LogScale allows you to retain data as long as you need for security and compliance, without hassling with separate data lakes or cumbersome cold storage.

One of the greatest hurdles of migrating to a new SIEM platform is simply getting data in. CrowdStrike simplifies this process by offering multiple ways to collect and process data, including automated collection of Falcon endpoint, cloud and identity data, a broad set of partner integrations through the Falcon LogScale Marketplace, the full-featured LogScale Collector agent and the CrowdStream observability pipeline capability.

When it comes to searching, correlation and visualization, Falcon LogScale has you covered. Its flexible, mature query language lets you construct advanced searches with regular expressions while its free-text search lets you easily query any field. Live dashboards provide a real-time view of security status and drill-down capabilities let you pivot from charts to detailed data with a single click. Its high-speed search, dynamic live dashboards and petabyte-scale log collection make Falcon LogScale a powerful tool for SIEM use cases. 

2. User behavior analytics

With a staggering 80% of attacks involving stolen or misused credentials, stopping modern threats requires extending visibility and protection to identity data. User behavior analytics can help you uncover credential-based attacks, even those that don’t rely on traditional malware or exploits, by profiling user activity and spotting anomalies indicative of attacks.

The CrowdStrike Falcon® Identity Threat Detection module delivers the ironclad security you need to detect credential-based attacks and unusual behavior, such as lateral movement and insider abuse, by comparing live traffic against behavioral baselines. It discovers all identities across your enterprise, including stale accounts, assesses password hygiene and finds weaknesses in identity stores such as Microsoft Active Directory. Its deep protocol analysis reveals stealthy threats like Pass-the-Hash and Golden Ticket attacks while risk scores with custom insights remove the guesswork from investigations.

But Falcon platform security doesn’t end with detection. It can proactively stop threats by revoking unauthorized access, triggering reauthentication, enforcing stepped-up authentication and more through CrowdStrike Falcon® Complete Identity Threat Protection. This solution combines CrowdStrike’s leading technology with the expertise of our industry-leading CrowdStrike Falcon® Complete managed detection and response (MDR) team to monitor your environment and surgically remediate malicious activity in minutes.

If you want to search, correlate or retain identity data, you can collect identity events and alerts in Falcon LogScale. Native integration between Falcon LogScale and Falcon Identity Threat Detection makes it easy to onboard and access identity data for threat hunting, investigations and compliance. Falcon LogScale and Falcon Identity Threat Detection work together to deliver end-to-end user behavior analytics and much more to shield your organization from credential-based attacks.

3. Threat intelligence

To build an effective cybersecurity program, you need up-to-date and actionable threat intelligence. Armed with this information, your team can effectively detect and investigate threats by correlating security events with known threats, identifying indicators of compromise (IOCs) in your environment, and gaining valuable context for investigations. 

However, the task of tracking adversaries and developing a reliable threat intelligence feed is a Herculean effort. Frankly, most logging and SIEM companies are not up to the task.

CrowdStrike Falcon® Threat Intelligence enables you to prepare for, prevent and rapidly investigate nation-state, eCrime and hacktivist attacks. It delivers real-time, accurate threat data on a global scale that’s regularly correlated with trillions of events every day, and it streamlines analysis by revealing pertinent details such as known attack tools or patterns, as well as the adversary responsible. You can rely on Falcon Threat Intelligence — named a leader by Forrester, Frost and Sullivan, and Quadrant Knowledge Solutions — for up-to-date, accurate and comprehensive threat feeds. 

Falcon Threat Intelligence seamlessly integrates with Falcon LogScale to provide analysts with comprehensive attack information to enhance their decision-making. This includes CrowdStrike’s in-depth research of 200+ threat groups and unparalleled analysis into malware, geopolitical trends and real-time campaigns. Falcon LogScale automatically integrates threat intelligence feeds from CrowdStrike, including malicious IP addresses, domains and URLs, to reveal IOCs in your environment and help analysts determine the source, objective, expected tactics and other key elements of an attack. 

4. Endpoint detection and response 

As SIEMs transform into full-featured threat detection, investigation and response platforms, security has moved to the forefront. SIEMs have expanded beyond user behavior analytics and increasingly offer out-of-the-box detections for other data sources such as network, cloud and endpoint data. 

While some SIEM vendors might offer free or low-cost endpoint detection and response (EDR), few of these offerings measure up in real-world tests, such as the MITRE ATT&CK® evaluations. In fact, traditional SIEMs, even if they offer limited EDR capabilities, still miss 76% of all MITRE ATT&CK techniques used by adversaries, on average. Rather than settling for an inferior EDR agent from your SIEM vendor, carefully evaluate prospective EDR products to ensure they meet your security, deployment and management requirements.

When it comes to endpoint security, no offering compares to CrowdStrike Falcon® Insight XDR. Falcon Insight XDR continuously monitors all endpoint activity, detects attacks with analytics and AI, accelerates investigations by unraveling entire attacks on one screen, and empowers you to respond in real time to stop attacks before they become breaches. You can streamline operations with Falcon Fusion, a cloud-scale security orchestration, automation and response (SOAR) framework with intuitive automation to simplify enterprise security workflows.

But don’t take our word for it: listen to analysts, testers and customers. CrowdStrike is ranked #1 in market share for modern endpoint security. With our relentless focus on innovation and fanatical commitment to customers, we aim to protect organizations around the world into the future.

Falcon LogScale seamlessly integrates with Falcon Insight XDR for extended retention of your endpoint data, enabling you to hunt for threats at blazing-fast speed and store all of your endpoint data for as long as you need it, cost effectively. Predefined queries and dashboards let you get up and running quickly so you can spend less time on setup and more time investigating endpoint threats and correlating endpoint telemetry with other data. 

5. Deployment, configuration and management services

If you’re replacing your SIEM with the Falcon platform, you might want to ease deployment with quickstart packages or augment your team with managed detection and response. CrowdStrike can enhance your security posture and cut incident response times with comprehensive 24/7 managed services. Our world-class team can also show you how to gain real-time visibility and insights from your log data to maximize efficiency and security efficacy.

Whether you’d like assistance migrating from your existing SIEM to Falcon LogScale or want a team of experts monitoring your environment around the clock, CrowdStrike offers a range of managed services to meet your needs. With Falcon Complete LogScale, you can rely on a team of Falcon LogScale specialists and detection engineers to operationalize your log data and build correlation rules, queries and dashboards to solve your SIEM use cases. Or you can let our experts work on your behalf with Falcon Complete for end-to-end monitoring, investigation and remediation for Falcon Insight XDR.

Our Falcon Complete offerings deliver:

  • Incident response
  • Forensic investigations
  • Threat hunting
  • Managed detection and response (MDR)
  • Dedicated log management and expert guidance for critical security use cases 

With Falcon Complete, you can gain peace of mind knowing our world-class experts are working continuously to keep you safe.

One Platform for Complete Protection

CrowdStrike offers a wealth of technologies and services to meet today’s toughest SIEM requirements. Every CrowdStrike Falcon module works in concert to combine the power of AI, a diverse and comprehensive security dataset, and world-class expertise to deliver a unified platform for stopping breaches.

Every day, we see customers augmenting or replacing their SIEM and consolidating their cybersecurity with the Falcon platform, while achieving the best security outcomes on the market today. 

The centerpiece of CrowdStrike’s approach to next-generation security operations is Falcon LogScale, a modern log management solution that lets you log everything to answer anything in real time. Falcon LogScale integrates with the entire Falcon platform to deliver unrivaled threat detection, investigation and response. And with its affordable price, you can broaden visibility and eliminate blind spots by logging more data and retaining it — as hot storage — for as long as you need.

To find out if Falcon LogScale, along with the entire Falcon portfolio, can help you fulfill your SIEM and logging requirements, contact a CrowdStrike expert today.

Why Customers Are Consolidating Cybersecurity with CrowdStrike

10 July 2023 at 17:08

As adversaries continue to evolve their tactics and techniques, organizations are scrambling to shore up their security posture. Security teams have historically turned to point products to fill gaps in their defenses, driving the issue of tool sprawl: The average enterprise deploys 45 cybersecurity-related tools, according to the Ponemon Institute.

When it comes to security, more tools often create more problems. Point products are rarely integrated, even when they come from the same vendor. This lack of integration creates blind spots that adversaries can exploit and makes it harder for organizations to detect attacks.

To uncover threats, analysts juggling myriad products are forced to bounce between disjointed tools to piece together event context during investigations — a tedious process that eats up valuable time. With eCrime breakout time down to 84 minutes in 2022, any time spent toggling between consoles and piecing information together is more time for the adversary to achieve their goals.

Read the ebook Five Business Drivers for Cybersecurity Consolidation to learn how cybersecurity consolidation can help you stay ahead of evolving threats.

Tool sprawl creates operational challenges as well, as separate tools burden operations with parallel contracting, deployment and update timelines. Moreover, the more tools you have, the more experts you need to run them, exacerbating hiring challenges. 

Complexity is also the enemy of budgets. Organizations want fewer point products, fewer agents and fewer technologies that consume fewer resources. They want to spend less on licensing costs and realize a lower total cost of ownership (TCO) for their security strategy, which includes infrastructure, implementation, training, maintenance, staffing and more.  

For all of these reasons, cybersecurity consolidation is in full swing, a trend fueled by the availability of security platforms that allow organizations to eliminate point products and achieve better security outcomes with lower cost and complexity. In 2022, a full 75% of organizations were pursuing security vendor consolidation.

The Falcon Platform: Complete Protection

Over the past few months, I’ve personally met with many customers, prospects and partners. Our conversations all centered on the same topic: how customers can consolidate their security stack to improve cost efficiencies while unlocking new capabilities — without sacrificing security and their ability to stop breaches.

The CrowdStrike Falcon® platform provides a unified agent-based and agentless approach: One intelligent, lightweight agent consolidates the capabilities of point products to stop advanced attacks. And when an agent can’t be installed, an agentless approach provides full visibility into cloud workloads. 

What’s most notable about the Falcon platform is how it delivers more value than the sum of its individual modules. Here’s why customers are consolidating with the Falcon platform. 

1. Better security: Stop breaches 

Often, when a point product detects suspicious activity, it rarely has the context needed to trigger an automated remediation. And with adversaries getting better at blending in with benign behavior, the best you can hope for with most solutions is an alert to manually triage. More commonly, however, adversaries slip between the cracks in point products, leading to breaches.

The Falcon platform correlates activities across endpoints, workloads, data and identities, then maps it back to known MITRE ATT&CK® tactics and techniques to assemble a holistic picture of adversary activity and stop attacks earlier in the kill chain. Customers, partners and analysts alike recognize the power of Falcon to provide the best-in-class detection coverage on the market.

Read how the Falcon platform achieved the highest detection coverage in the 2022 MITRE Engenuity ATT&CK® Evaluations for Security Services Providers. 

2. Operational efficiency 

Customers want to replace point products with security platforms that are easy to deploy and manage. When vendors stitch together capabilities through mergers and acquisitions, there’s often a lack of integration that results in multiple agents and consoles, which in turn leads to security gaps, employee burnout and slower response times.

With the Falcon platform, customers get a unified, cloud-native architecture built from the ground up to integrate capabilities and deliver powerful protection across all key attack surfaces. All platform capabilities are delivered via one lightweight agent that extends across on-premises and remote deployments, as well as cloud workloads, with minimal impact on performance. Customers get one command console for all capabilities, allowing analysts of all skill levels to make fast and intelligent decisions. 

3. Cost savings

One obvious benefit of cybersecurity consolidation is cost savings in the form of fewer licenses. But consider the less obvious benefits. For one, security platforms generally require fewer people to operate them compared to point products. You can also hire more entry-level staff and spend less time training them when your platform is easy to use. When viewed through the lens of a widening cybersecurity skills gap, a security platform that delivers better outcomes with fewer people is exactly what businesses need right now.

Further down the value chain, there’s enormous benefit in closing gaps in your security system, helping you stop breaches and avoid the costs and reputational damage related to them. This is another area where an integrated platform adds tremendous value. 

The business imperative of cybersecurity consolidation is crucial at a time when budgets are tightening. Businesses are accelerating their standardization on trusted platforms that deliver immediate ROI and lower TCO. In Q1 2023, 50% more customers adopted the Falcon platform with eight or more modules compared to the previous year, highlighting the increasing customer demand for consolidation using Falcon.

Customers that Consolidated with CrowdStrike

Here are a few recent examples of companies using CrowdStrike to consolidate while improving their cybersecurity outcomes. 

CoreWeave

CoreWeave is a specialized cloud provider that offers a high-performance, fully managed, Kubernetes-native cloud platform. When CISO Matt Bellingeri wanted to extend protections from endpoints to cloud workloads, he chose the Falcon platform.

“Having a single pane of glass for all our security tools is huge for us,” said Bellingeri. “The fact that we can go right to the CrowdStrike Store, enable a 30-day trial for any module and deploy it within minutes drastically reduces our time-to-value.” 

Anywhere Real Estate

In the wake of a security incident, Anywhere Real Estate wanted to sunset its legacy security tools. Not only were they insufficient against advanced attacks, they contained multiple agents competing for CPU and memory. By consolidating to the Falcon platform, Anywhere gets a single lightweight agent for modern endpoint security, plus CrowdStrike® Falcon OverWatch™ for managed threat hunting at a price they can afford.

“From a productivity and efficiency standpoint, there’s tremendous value in consolidating with the Falcon platform,” said Anywhere Deputy CISO Brett Fernicola. 

Mercury Financial

Mercury Financial wanted to consolidate its security stack with a single platform to protect endpoints, cloud and workloads. After testing several solutions, the company chose the Falcon platform. Now, Mercury has a single interface to protect its entire IT infrastructure, including AWS and Azure cloud environments.

Consolidate with CrowdStrike

When compared to point products, the Falcon platform is a force multiplier that delivers better security outcomes with considerably less effort. Consolidate with the Falcon platform to improve your security posture, increase operational efficiency and lower your security TCO.  

Falcon Insight for ChromeOS: The Industry’s First Native XDR Offering for ChromeOS

6 July 2023 at 11:14

In recent years, ChromeOS device usage among businesses has seen a significant uptick, particularly in its adoption across verticals, from schools to large enterprises. According to recent IDC research, 16% of North American organizations have ChromeOS devices1 and the percentage is only expected to increase. The success of ChromeOS devices like Chromebooks can be attributed to built-in security, simple management and premium performance.

Equally appealing to IT and security, ChromeOS devices are designed to be secure by default. But just like the rest of their fleet, security teams need visibility into these devices and the ability to implement uniform security policies. This is especially important when you consider the popularity of ChromeOS for remote or hybrid work use cases, due to its deployment features such as zero-touch enrollment. No matter where in the world the device might be, security teams still need unified visibility across all their devices in one place.

CrowdStrike recently introduced the industry’s first EDR/XDR offering to deliver visibility and threat detection for ChromeOS devices without the need for a mobile device management (MDM) solution. With CrowdStrike Falcon® Insight for ChromeOS, organizations will benefit from Falcon Insight XDR’s industry-leading detection and response capabilities to stop adversaries across ChromeOS, Linux, macOS and Windows devices, all from the unified Falcon console to deliver the broadest cross-platform coverage in the industry.

Developed in close collaboration with the ChromeOS team, CrowdStrike Falcon® is the first security platform to ingest XDR events natively collected by ChromeOS. This means no new agents need to be deployed to ChromeOS devices to enable monitoring. Get up and running in minutes and enable broad visibility across your different devices in the unified Falcon console.  With the Falcon platform, managing your diverse environment is as simple as possible.

Native ChromeOS XDR

Native event telemetry ingested directly from ChromeOS helps eliminate visibility gaps across operating systems. With native visibility for ChromeOS devices built right into the Falcon platform, analysts can quickly see the big picture and easily scope out suspicious activity from one unified command console. Eliminating additional consoles for monitoring streamlines workflows and minimizes the time it takes to triage and respond to a potential threat.

Accelerated Incident Triage and Response

Customers can harness the power of CrowdStrike Falcon® Insight XDR as Falcon Insight for ChromeOS leverages the extended detection and response technology at the core of the Falcon platform. Unlock critical orchestration and automation tools that are already built into the platform and available for all Falcon customers. Security teams can speed up triage and response with automated workflows and notifications based on contextual insights and detections with the CrowdStrike Falcon® Fusion integrated security orchestration automation and response (SOAR) capability.

Up and Running in Minutes

Falcon Insight for ChromeOS does not require device-level deployment across the organization’s fleet of endpoints, and it can easily scale with an organization’s growth, making it an excellent choice for large enterprises and rapidly growing organizations. With Falcon Insight for ChromeOS, CrowdStrike eliminates the need to deploy additional agents or third-party mobile device management (MDM) solutions to secure ChromeOS devices. Since there’s no need to deploy an agent on all of the devices, there is no adverse impact on the performance of the ChromeOS devices. This leaves the end-user experience unaffected while still providing the necessary security measures to keep the organization protected.

As modern workplace demands continue to evolve, so will the security needs associated with hybrid work and remote access. Lacking centralized visibility into a large portion of your endpoint fleet can be an open invitation to bad actors — CrowdStrike’s native, agentless integration with ChromeOS helps rescind this invitation.

See CrowdStrike Falcon Insight XDR in action in this short demo.

1 Endpoint Security Survey, IDC, December 2022

How CrowdStrike Uses Similarity-Based Mapping to Understand Cybersecurity Data and Prevent Breaches

28 June 2023 at 10:48
  • CrowdStrike data scientists describe a new similarity paradigm to organize information and make it accessible, searchable and mappable
  • The new similarity-based mapping of cybersecurity data associates disparate representations of various objects important for cybersecurity, providing scientists and analysts with the tools necessary to prevent and respond to breaches more effectively

The CrowdStrike Falcon® platform harnesses massive amounts of data, collected from trillions of events that are routinely captured on a daily basis. This data must be organized in a way that facilitates the confluence of disparate representations before the inherent value of that data can be realized.

Cybersecurity data consists not only of files, event data, behavioral sequence data, network traffic, etc., but also the representations thereof. The leveraging of this data is currently task-specific, i.e., collections of objects and their representations are siloed according to use case. For example, files are parsed in terms of both static features and event sequence data; the former representation is for use in training static classifiers and the latter in training time series-based classifiers. This separation of representation is necessary to quickly develop and train classifiers, but presents a major risk moving forward as attacks become more multifaceted and complex. 

The key to understanding cybersecurity data and leveraging its true value to prevent breaches is similarity, both within fixed representations and across disparate representations. 

This post describes a new paradigm for how we must think about similarity and the long-term goals that emanate from this new paradigm. At a high level, similarity should be thought of as a route to organizing information and making it accessible, searchable and mappable. The creation of a mapping that associates disparate representations of various objects important for cybersecurity will provide scientists and analysts the tools to prevent and respond to breaches more effectively. The realization of this map, or set thereof, could take the form of visualizations, searchable tabular databases, graph databases, vector databases or universal embeddings, and in all cases should be the result of solving a well-posed optimization problem.  

Consider for a moment a topographical map of the United States, which represents mountains, highways and state lines and is perhaps color-coded for vegetation, waterways and average rainfall. An economist may, strictly from intercity trade statistics, make an inference about geography or infrastructure, but it is the map that immediately reveals the truth of that inference. Our goal as cybersecurity researchers and scientists should be the construction of such a map for cybersecurity data. 

Defining Similarity

Similarity is the area of study that quantifies the extent to which objects of interest are related. In cybersecurity, these objects include executable files, behavioral sequence data, documents, scripts, logs, critical assets, networks and network traffic. To make certain abstract topics more concrete, we focus on executable files and their various representations in this post. 

Because the quantification of similarity is ultimately a mathematical endeavor, we adopt the convention that two objects are similar if they are close in some embedding space V. By “similarity measure” we mean a function

 D : V × V → ℝ≥0

that associates to each pair of objects (v, w) a real number D(v, w) such that


if v and w are more similar to each other than v'and w'are to each other. 

Why Similarity Is Important in Cybersecurity

Consider the following concrete use cases:          

  1. Given a false positive or false negative, remediation requires finding similar samples that contain features on which the model is overfitting.
  2. Parasitic file infector remediation requires querying for true negatives near a given false negative.
  3. Given a set of samples on which the model is misclassifying, a similarity-based querying tool facilitates discovery of similar samples that can be upweighted in training.
  4. Similarity allows for the curation of training and test sets in more sophisticated and useful ways than randomly splitting the corpus.
    • Given samples representative of several subfamilies, query for more samples from each subfamily to obtain a corpus consisting of subfamilies in specified proportions, which may be those observed in the wild across customers.
    • Given a similarity threshold, one can prevent information leak between training and test sets, which improves models by preventing a false sense of performance. By “information leak” we mean the presence of files in the disjoint training and test sets, the similarity of which is beyond a given threshold (i.e., the files are nearly identical).
  5. Facilitate online clustering for the sake of creating high-trust labels for use downstream in training a new machine learning model.
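The neighbour queries of use cases 1 and 3 and the leak-free train/test split of use case 4, worked through as an added example that is not CrowdStrike's code: the 2-D feature vectors, the Euclidean choice of D and the 0.5 threshold are constructed stand-ins for a real parser's feature space.

```python
"""Similarity-driven corpus curation and neighbour queries.

Added example, not CrowdStrike's code. The 2-D feature vectors, the
Euclidean similarity measure D and the threshold are constructed stand-ins
for a real parser's feature space.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

Vector = Sequence[float]

# Constructed corpus: sample name -> feature vector. Samples sharing a letter
# are near-identical variants (think repacks of one file); letters are far apart.
SAMPLES: Dict[str, Vector] = {
    "a1": (0.0, 0.0), "a2": (0.1, 0.0), "a3": (0.0, 0.1),
    "b1": (5.0, 5.0), "b2": (5.1, 5.0),
    "c1": (10.0, 0.0),
    "d1": (0.0, 10.0), "d2": (0.05, 10.0),
    "e1": (20.0, 20.0),
    "f1": (7.0, 7.0),
}
THRESHOLD = 0.5  # pairs at or below this distance count as "nearly identical"


def distance(v: Vector, w: Vector) -> float:
    """Similarity measure D(v, w) >= 0: smaller means more similar."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(v, w)))


def query_similar(samples: Dict[str, Vector], name: str, threshold: float) -> List[str]:
    """Use cases 1 and 3: every other sample within the threshold of `name`,
    nearest first. These are the candidates to inspect or upweight."""
    q = samples[name]
    hits = [(distance(q, v), n) for n, v in samples.items()
            if n != name and distance(q, v) <= threshold]
    return [n for _, n in sorted(hits)]


def cluster_by_threshold(samples: Dict[str, Vector], threshold: float) -> List[List[str]]:
    """Group samples transitively connected by pairs within the threshold
    (union-find). A near-duplicate group must stay on one side of any split."""
    names = list(samples)
    parent = {n: n for n in names}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if distance(samples[a], samples[b]) <= threshold:
                ra, rb = find(a), find(b)
                if ra != rb:
                    parent[rb] = ra
    groups: Dict[str, List[str]] = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return [sorted(g) for g in groups.values()]


def leak_free_split(samples: Dict[str, Vector], threshold: float,
                    test_fraction: float = 0.3, seed: int = 0) -> Tuple[List[str], List[str]]:
    """Use case 4: assign whole groups, not individual samples, to the test set
    until it reaches the target size, so no pair within the threshold straddles
    the train/test boundary."""
    groups = cluster_by_threshold(samples, threshold)
    random.Random(seed).shuffle(groups)
    target = test_fraction * len(samples)
    train: List[str] = []
    test: List[str] = []
    for g in groups:
        (test if len(test) < target else train).extend(g)
    return sorted(train), sorted(test)


def leaked_pairs(samples: Dict[str, Vector], train: Sequence[str],
                 test: Sequence[str], threshold: float) -> List[Tuple[str, str]]:
    """The leak the split is meant to prevent: (train, test) pairs within the
    threshold. A non-empty result means measured test performance is inflated."""
    return [(a, b) for a in train for b in test
            if distance(samples[a], samples[b]) <= threshold]


if __name__ == "__main__":
    print("near a1:", query_similar(SAMPLES, "a1", THRESHOLD))
    train, test = leak_free_split(SAMPLES, THRESHOLD)
    print("train:", train, "test:", test)
    print("leaks:", leaked_pairs(SAMPLES, train, test, THRESHOLD))
    # A per-sample split that puts a1 and a2 on opposite sides leaks.
    print("naive leaks:", leaked_pairs(SAMPLES, ["a1", "b1"], ["a2", "c1"], THRESHOLD))
```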

While each of the above examples leverages a homogeneous storage scheme along with a querying capability, the true value of similarity is in the construction of a map that coalesces disparate object representations. 

Before making this notion comprehensible and concrete, we must gain a deeper understanding of the objects of interest, their various representations, and how to measure similarity among and between these representations.

Similarity, Classification and Models

How an object is mapped to the representation of that object defines an implicit paradigm when comparing objects via the given representation.

One of our primary interests in cybersecurity is in classifying objects (files, behaviors, system states, etc.) as either benign or malicious. This task is accomplished at scale by leveraging a parser along with a machine learning classifier, the latter of which we typically term a “model.” Referring to the model as a model of malware is misleading in the following sense: A model is a representation of a system or object in a form that facilitates the study of that system or object. More appropriate would be to refer to the parser itself as the file model, and to what we term the model as a scoring function. When we study files, our primary concern is file execution, and it is the choice of parser that determines the modeling paradigm. A file can be parsed — that is, “modeled” — in many different ways. These include byte sequences, static feature vectorization, detonation (event time series data) and disassembly, which can comprise both sequence and graph data. 

Each of these methods models the file from a different point of view, but all serve as proxies for file behavior at runtime in the wild. 

Nature of the Model (Parser)

Understanding the above distinction between the file model and the scoring function is critical for several reasons. If, for example, the parser is too coarse, the parser may map very different files to the same point in feature space. This may not present a problem for the scoring function because the collided files may have the same label, but it presents a major obstruction to studying similarity. On the other hand, if the parser is too fine, semantically identical versions of a fixed file may be mapped to disparate regions of feature space, which also obstructs the study of similarity — but in a different way. As in the previous example, this may not present a problem for the scoring function, as long as the scoring function has a sufficient number of parameters to adapt to the higher-variance embedding.

An important thing to note is that the parser itself does not know which features are important for classification. The scoring function, through training, is how features that are useless for classification are filtered out in favor of valuable features. There is no such analog when computing similarity on a feature space designed for use in classification. While it is true that parsers are engineered in part to describe a given file’s characteristics in a label-agnostic way, the reality is that many of those features are indicators of maliciousness and are not suitable for measuring label-agnostic similarity. To truly statically model files for the sake of measuring similarity, the parser itself must be optimized for this task. This can be done in a variety of ways, but the point is that the engineering of the parser must be, as with classification via a scoring function, viewed as an optimization problem.

In the absence of expert advice, quantification of similarity for a column of a given dataset can only be performed by considering the distribution of the values contained in that column. We infer the meaning of closeness for that column from the nature of the density over the sample space as well as near the considered points. Specifically, we may want to define D(a,b) as a function of P(a≤x≤b) rather than |a-b| for a,b — two values in the considered column. We also must ensure that columns exist on the same scale, which is typically addressed through some sort of linear rescaling, quantile bucketing, or through the application of a monotonic function like natural log. Selecting and implementing these transformations in an algorithmic way is a necessary tradeoff we must accept when the dimensionality of the feature space exceeds the number of transformations that can be engineered by hand. However, these transformations do not represent a complete solution. For example, being within one percentile of normalized file size may mean something very different than being within one percentile of normalized entropy. 

Another challenge is that the similarity function itself may be local in nature, meaning the way we compute similarity depends on where in feature space the similarity function is being applied. Consider the following idealized situation: Let f,g denote two files, and let

u=(u1,u2,...,un), v=(v1,v2,...,vn)

denote their respective featurizations. Assume we have a metric D defined on feature space. Now perturb f to f' and g to g' in such a way that their new vectorizations u' and v' are obtained by replacing u1 with u'1 = u1 + r and v1 with v'1 = v1 + r, for some fixed real number r.

These perturbations have resulted in sliding the pair (u,v) along the first axis to arrive at the pair (u',v'). While it remains true that ||u-v|| =||u'-v'||, it may not be what we actually want. It may not adequately quantify our knowledge of the difference in similarity between the pair (f,g) as opposed to the pair (f',g'). For example, the perturbation may have been the addition of a specific malicious action that renders the perturbations far more similar than indicated by the vector similarity between u and v. The application of Riemannian geometry to measuring similarity on tabular data is beyond the scope of this piece but is an area of active research.  

One must also take care to embed categorical features in a way that respects the absence of the ordering of the values of the categorical variable. The embedding must be constructed in a way that uniformizes pairwise distances between the values. This is key because if a single pair of categorical values is closer in the embedding space than other pairs, the corresponding samples could be closer than is semantically optimal under the chosen metric.
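To make the two points above concrete (a column distance defined through the column's own distribution rather than the raw gap, and categorical values embedded at uniform pairwise distance), here is an added Python example that is not part of the original article; the file-size sample and the subsystem labels are constructed.

```python
import bisect
import math
from typing import Dict, Sequence, Tuple


class EcdfColumn:
    """Distance on one numeric column taken from that column's own
    distribution: D(a, b) = |F(b) - F(a)| with F the empirical CDF, i.e.
    the probability mass lying between a and b rather than the raw gap
    |a - b|.  For a continuous distribution this equals P(a <= x <= b);
    the absolute-difference form also keeps D(a, a) = 0 on repeated values."""

    def __init__(self, observed: Sequence[float]) -> None:
        if not observed:
            raise ValueError("need at least one observation to fit the ECDF")
        self._sorted = sorted(observed)
        self._n = len(self._sorted)

    def cdf(self, x: float) -> float:
        # Fraction of observed values <= x (right-continuous step function).
        return bisect.bisect_right(self._sorted, x) / self._n

    def distance(self, a: float, b: float) -> float:
        return abs(self.cdf(b) - self.cdf(a))


def one_hot_embedding(categories: Sequence[str]) -> Dict[str, Tuple[float, ...]]:
    """Embed an unordered categorical variable so that every pair of distinct
    values sits at the same Euclidean distance, sqrt(2)."""
    cats = sorted(set(categories))
    return {c: tuple(1.0 if i == j else 0.0 for j in range(len(cats)))
            for i, c in enumerate(cats)}


def label_encoding_distance(categories: Sequence[str], a: str, b: str) -> float:
    """The naive alternative: integer codes by sort order, which invents an
    ordering (code 0 ends up closer to code 1 than to code 2)."""
    index = {c: i for i, c in enumerate(sorted(set(categories)))}
    return float(abs(index[a] - index[b]))


def euclidean(u: Sequence[float], v: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(u, v)))


# Constructed sample: 400 "ordinary" PE sizes packed 1 KB apart between
# 60 KB and 459 KB, plus a sparse tail of ten multi-megabyte installers.
FILE_SIZES = [60_000 + 1_000 * i for i in range(400)] + \
             [5_000_000 * (i + 1) for i in range(10)]
# Constructed PE subsystem labels for the categorical column.
SUBSYSTEMS = ["gui", "console", "native", "efi"]


def compare_pairs(sizes: Sequence[int]) -> Dict[str, Dict[str, float]]:
    """Raw gap, log-ratio and ECDF distance for two pairs of file sizes:
    a 10 KB gap in the dense region and a 5 MB gap in the sparse tail.
    Raw gap and log transform both call the tail pair farther apart; the
    ECDF distance ranks them the other way, because many more files sit
    between 100 KB and 110 KB than between 10 MB and 15 MB."""
    col = EcdfColumn(sizes)
    pairs = {"dense_10KB": (100_000, 110_000),
             "tail_5MB": (10_000_000, 15_000_000)}
    return {
        name: {
            "raw_gap": float(abs(b - a)),
            "log_ratio": abs(math.log(b) - math.log(a)),
            "ecdf": col.distance(a, b),
        }
        for name, (a, b) in pairs.items()
    }


if __name__ == "__main__":
    for name, d in compare_pairs(FILE_SIZES).items():
        print(name, d)
    emb = one_hot_embedding(SUBSYSTEMS)
    print("one-hot gui/efi:", euclidean(emb["gui"], emb["efi"]))
    print("one-hot gui/native:", euclidean(emb["gui"], emb["native"]))
    print("label-enc console/gui:", label_encoding_distance(SUBSYSTEMS, "console", "gui"))
```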

For these reasons, the representation itself should be obtained via an optimization problem in which the loss function is solely informed by the utility of the embedding for similarity. One could accomplish this by training an embedding on the sequence of raw bytes, where the loss function would be constructed by measuring the distance between pairs in this space and comparing to something like a Jaccard distance on bytes.

Constructing a Map of Cybersecurity Data

The challenges when constructing a map of cybersecurity data fall into two distinct categories. The first category consists of the difficulties in measuring the similarity between objects when the nature of the parser is fixed, which were discussed in detail above. The parser defines the paradigm within which the analyst studies the given set of objects. One might also take a different point of view by parsing the same set of files via disassembly, detonation, byte sequences, etc. The second category consists of constructing mappings across paradigms, which we term “cross-paradigm inference.”   

Mapping across paradigms is difficult not because the associated optimization problems are infeasible, but because it is unclear what should be optimized. The mapping optimization problem can be split into three distinct subproblems: 

  1. The learning of a faithful representation of files for each of our defined points of view.
  2. A way of quantifying the similarity between the representations across files for a fixed point of view.
  3. A way of mapping between disparate representations. 

For example, imagine we have the ability to represent a given file via a static feature vectorization and as a representation in terms of behavioral sequence data. If we had a mapping between these two representations, then we would have the ability to query across paradigms. A simple use case is as follows: We observe a malicious sequence of events on a customer machine or network, map the behavioral sequence representation to a feature vector via the cross-paradigm map, and query for nearest neighbors so that these hashes can be blocklisted.

Consider the following two constructions that could serve as initial steps toward the realization of a map of cybersecurity data:

  1. Construct a table, the rows of which are indexed by file hashes and the columns indexed by cluster IDs resulting from clustering different representations of the same files. Cross-paradigm inference in this case would be as simple as choosing a SHA-256, performing a cluster ID lookup for a given column and then indexing into other columns to find hashes associated with the query hash for a variety of disparate representations.
  2. Analysts have the ability to marginalize — i.e., aggregate over unimportant details of a given file to arrive at a humanly understandable behavioral description. The development of a tool in the form of a neural network, which consumes static feature vectors and outputs descriptive tags, would allow scientists and analysts to study feature vectors from the same high-level point of view without needing access to the original binary. Unoccupied regions of feature space could also be similarly explored and described.
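An added Python sketch of the first construction (not code from the original article): a hash-indexed cluster table and the cross-paradigm lookup it enables. The hashes, paradigm names and cluster IDs are constructed placeholders.

```python
from collections import defaultdict
from typing import Dict, Optional, Set

Paradigm = str
ClusterTable = Dict[str, Dict[Paradigm, Optional[int]]]

PARADIGMS = ("static_features", "behavior_sequence", "disassembly_graph")

# Constructed sample table.  Rows are indexed by file hash (placeholder
# strings, not real samples); each column holds the cluster ID assigned by
# clustering one representation of the file.  Samples 01-03 mimic a
# polymorphic infector: every copy lands in a different static cluster but
# in the same behavioural cluster.  Sample 05 never detonated, so its
# behavioural column is empty.
CLUSTER_TABLE: ClusterTable = {
    "hash_sample_01": {"static_features": 7,  "behavior_sequence": 3,    "disassembly_graph": 12},
    "hash_sample_02": {"static_features": 9,  "behavior_sequence": 3,    "disassembly_graph": 12},
    "hash_sample_03": {"static_features": 15, "behavior_sequence": 3,    "disassembly_graph": 30},
    "hash_sample_04": {"static_features": 7,  "behavior_sequence": 8,    "disassembly_graph": 12},
    "hash_sample_05": {"static_features": 15, "behavior_sequence": None, "disassembly_graph": 30},
    "hash_sample_06": {"static_features": 2,  "behavior_sequence": 8,    "disassembly_graph": 41},
}


def build_inverted_index(table: ClusterTable) -> Dict[Paradigm, Dict[int, Set[str]]]:
    """paradigm -> cluster_id -> set of hashes, so a cluster lookup is O(1)."""
    index: Dict[Paradigm, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for file_hash, row in table.items():
        for paradigm, cluster_id in row.items():
            if cluster_id is not None:
                index[paradigm][cluster_id].add(file_hash)
    return index


def same_cluster(table: ClusterTable, index, query: str, paradigm: Paradigm) -> Set[str]:
    """Hashes that share the query's cluster in one representation (query excluded)."""
    cluster_id = table[query].get(paradigm)
    if cluster_id is None:
        return set()  # the query file has no representation of this kind
    return index[paradigm][cluster_id] - {query}


def cross_paradigm(table: ClusterTable, index, query: str,
                   via: Paradigm, target: Paradigm) -> Set[str]:
    """Cross-paradigm inference as a table walk:
    1. look up the query's cluster under the `via` representation;
    2. read the `target` cluster IDs of every file in that cluster;
    3. return every hash that occupies one of those `target` clusters.
    This reaches files the `target` column alone would never link to the
    query, e.g. polymorphic copies whose static vectors look unrelated."""
    seeds = same_cluster(table, index, query, via) | {query}
    target_clusters = {table[h][target] for h in seeds if table[h].get(target) is not None}
    related: Set[str] = set()
    for cluster_id in target_clusters:
        related |= index[target][cluster_id]
    return related - {query}


if __name__ == "__main__":
    idx = build_inverted_index(CLUSTER_TABLE)
    q = "hash_sample_01"
    print("static only:", sorted(same_cluster(CLUSTER_TABLE, idx, q, "static_features")))
    print("behaviour -> static:",
          sorted(cross_paradigm(CLUSTER_TABLE, idx, q, "behavior_sequence", "static_features")))
```

Run against the sample, the static column alone links sample 01 only to 04, while walking through the behavioural cluster also surfaces the polymorphic copies 02 and 03 and the never-detonated sample 05.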

Hypothetical Case Study: Sality (Parasitic File Infector) 

Malware Feature Summary

  1. Infects Microsoft systems.
  2. Communicates over peer-to-peer networks to form a botnet (i.e., a network of computers, each running a bot) for spam, proxying communications, exfiltrating sensitive data, compromising web servers and coordinating distributed computing tasks.
  3. Incorporates rootkit functions, which can give root access to an attacker or malicious program. 

Behavioral Description

  1. Is polymorphic, which means the code is different every time it runs, while persisting the same functionality.
  2. Targets .exe or .scr files.
  3. Obfuscates the entry point by:
    • Persisting the host file’s entry point.
    • Replacing the original host code to be executed at the entry point with a stub redirecting execution to the polymorphic viral code, which has been inserted in the final section of the host file.
      • The stub code decrypts and executes the loader, which runs in a separate thread within the infected process and eventually loads the Sality payload that executes the actual malware.
  4. Is run mostly in the context of other processes. 

This sort of file is likely to result in the static scoring function yielding a false negative because the vast majority of the binary’s code is perfectly benign. 

Assume we have constructed a cybersecurity map consisting of static feature vectors, embedded behavioral sequence data, descriptive tag data and similarity functions on each space, with mappings between the three spaces. Also assume a file infected with Sality has run on a given machine. Because of the polymorphic nature of the infector, any associated file discovered on the system could produce a hash that differs from that of the original infected file. Because the file was able to evade the machine learning scoring function, the file presumably ran on the system, producing behavioral event sequence data. This event sequence data would then be embedded into a pre-trained event sequence embedding space, hosted as part of a vector database with fast nearest neighbors querying. The returned vectors would be mapped back to static feature space and a fuzzy blocklist could then be pushed to the sensors. These same feature vectors would be passed through the descriptive autotag neural network so that researchers could provide a human-readable account of the false negative as well as the pushed fuzzy blocklists.


Future breaches can be prevented only if we possess a deep understanding of cybersecurity data in the form of a cybersecurity data map that both faithfully represents this data and facilitates the translation between disparate representations.   

This similarity-based mapping initiative is just the latest example of how CrowdStrike researchers and data scientists are constantly pushing the envelope to stay ahead of even the most sophisticated adversaries. While customers of the CrowdStrike Falcon platform obviously benefit from their innovative work, publishing their findings publicly also helps to advance the cybersecurity industry in general. The effort is part of CrowdStrike’s ongoing commitment to industry leadership that includes becoming a Research Partner in the MITRE Engenuity Center for Threat-Informed Defense research program.

Additional Resources

Top 5 SIEM Use Cases CrowdStrike Falcon LogScale Solves Today

23 June 2023 at 18:56

SIEMs play a crucial role in the modern SOC: They allow you to collect, correlate and analyze log data and alerts for security and compliance. Yet, despite their value, SIEMs have struggled to keep up with today’s logging performance and scalability requirements. 

Given that adversaries are operating faster than ever, organizations must prioritize the capabilities that help them identify and respond to threats quickly. 

In this blog post, we share the state of SIEMs today and how CrowdStrike Falcon® LogScale solves five key SIEM use cases, while improving security outcomes and saving you money compared to traditional SIEMs.

Legacy SIEMs Burden You with Exorbitant Cost and Complexity

SecOps teams rely on SIEMs every day for essential security functions such as threat detection and incident response. Unfortunately, though, many legacy SIEMs are saddled with decades-old architectures that have failed to keep pace with today’s requirements. 

SIEMs simply aren’t engineered for today’s data volumes. Legacy SIEMs provide index-based searching, but as log volumes and the number of log sources rise, the size of the indexes grows. This can bog down search speed and make it harder to hunt down threats and stop breaches.

They’re also expensive. Like, really expensive. It costs so much to log everything in legacy SIEMs that most organizations are forced to pick and choose which data to log. But this approach often leads to blind spots and missed attacks. The more data SecOps teams collect, the more likely they can uncover sophisticated attacks, identify the root cause of incidents and fend off fast-moving threats.

See how Falcon LogScale can save you up to 80% compared to legacy SIEMs and log management platforms in the Falcon LogScale savings calculator.

It’s time to break free from slow, costly legacy SIEMs that offer inferior analytics, threat intelligence feeds, and endpoint detection and response capabilities bolted on. Instead, consider a new generation of products that deliver exceptional performance and low latency to cut incident response times and bolster your security posture. To do this, start by identifying the top use cases you wish to solve with your SIEM. For many organizations, Falcon LogScale provides the ideal choice for today’s toughest SIEM use cases.

Top 5 SIEM Use Cases for Falcon LogScale 

Falcon LogScale is a modern log management platform that lets you store, analyze and quickly access all of your data at petabyte scale. Its blazing-fast search, real-time alerting and customizable dashboards make it an ideal solution for a range of security use cases.

Through a modern architecture and advanced compression technology, Falcon LogScale minimizes the computing and storage resources required to ingest and manage data, while delivering the power and speed your team needs to eliminate threats. 

Here are the top five SIEM use cases Falcon LogScale solves for today. 

1. Threat hunting

Falcon LogScale offers the speed, scale and querying flexibility your team needs to proactively search for and identify threats in your environment. To unearth threats, your team needs to sift through mounds of data swiftly while cutting through the noise of benign activity. This is an iterative process that requires constructing complex queries, reviewing results and then refining and rerunning queries. 

Because Falcon LogScale’s mature query language supports regular expressions and a variety of functions, your hunters can optimize their searches and quickly zero in on threats. Plus, analysts of all experience levels can easily query any field with free-text search. Integration with CrowdStrike’s industry-leading database of IOCs provides your threat hunters added context to quickly reveal threats. Overall, Falcon LogScale provides a powerful, high-speed platform for hunting threats.


2. Incident response and forensics

When responding to an incident, you’re in a race against time to investigate and resolve it before damage is done. Falcon LogScale can help you every step of the way. Because it offers cost-effective, long-term data retention, you can go back in time for months or years to identify the root cause of the attack. Its scalability lets you log everything, so you can search through a diverse dataset to get a complete picture of an attack, including the impact, scope and full sequence of events. And its blazing-fast search empowers you to gather forensics evidence, reconstruct events and determine next steps in record time. By correlating threat intelligence data, such as malicious IP addresses or domains, Falcon LogScale provides your analysts added insights for attack attribution.

3. Log management and data retention for compliance

SIEMs and compliance go hand in hand. But as regulations grow more stringent, logging requirements — and, consequently, SIEM costs — can quickly mount. Falcon LogScale helps you avoid compliance headaches and escalating costs by providing a scalable, affordable way to store data long term. Scaling to a benchmark of one petabyte of data ingestion per day, it can grow with you as your compliance requirements increase. 

Moreover, Falcon LogScale lets you easily collect and process regulated data from a variety of sources using the LogScale Collector agent, the native CrowdStream observability pipeline, out-of-the-box support for log shippers and data integrations, and a broad set of partner integrations through the Falcon LogScale Marketplace. Customizable dashboards and optional data masking make Falcon LogScale ideally suited for compliance. Flexible, cloud-native and self-hosted deployment options — as well as high compression rates and a small infrastructure footprint — make Falcon LogScale the easy, cost-effective choice for compliance and long-term log storage.

4. Threat detection

No security company understands adversaries and how they operate better than CrowdStrike. So, it’s not surprising that the CrowdStrike Falcon® platform brings multiple defenses to bear to detect threats and shield organizations against attacks. Falcon LogScale customers can develop their own detection engineering and alerts based on live queries that run continuously across correlated data, and can trigger one or more actions. Because of its index-free architecture, Falcon LogScale detects threats in less than a second, on average, which helps you reduce your detection and response time. With Falcon LogScale, you can configure hundreds or even thousands of alerts to detect threats in real time. In addition, you can take advantage of out-of-the-box detections through Falcon LogScale Marketplace integrations.

In addition, Falcon LogScale integrates with CrowdStrike Falcon® Insight XDR and CrowdStrike Falcon® Identity Threat Protection, CrowdStrike’s leading EDR and user behavior analytics products. CrowdStrike customers can search, visualize and correlate data — including threat detections — from the unified Falcon platform.


5. Real-time security monitoring and visualization

Falcon LogScale provides you a real-time and complete picture of your security status, letting you analyze trends, detect threats and troubleshoot issues. Its streaming engine updates charts immediately when data arrives, so you can instantly spot anomalies and attacks. With one click, you can drill down from charts to the underlying data to speed analysis. You can easily create custom dashboards or take advantage of pre-built dashboards from the Falcon LogScale Marketplace. Falcon LogScale lets you build dynamic dashboards based on live queries as well as share insights with your team by inviting them to access your dashboards.


How Customers Have Transitioned to Falcon LogScale

Here are three CrowdStrike customers that adopted Falcon LogScale when their legacy SIEM couldn’t keep up with their needs or they sought to solve tough SIEM use cases.

Remitly, a global payments and shopping service, previously had a 5TB per day legacy SIEM deployment that failed to meet its needs. The company often pushes the limits of technology, so when it was unable to adapt the solution to meet its requirements due to the complexity of the implementation and the rework required, it turned to Falcon LogScale. Now the company can capture any data it wishes, combine it in the way it deems necessary and build any insight or query it needs. 

Vijilan Security is a boutique cybersecurity company, specializing in state-of-the-art monitoring services. Facing a growing amount of data generated by its clients’ networks, Vijilan CEO Kevin Nejad recognized that its previous security logging solution was no longer up to the task, citing performance issues and an inability to detect and respond to emerging threats in real time. 

“We conducted a thorough evaluation of 6-7 log management, SIEM and other commercially available analytical tools, and Falcon LogScale was the only solution that was powerful, scalable, robust and flexible enough to meet our needs both today and tomorrow,” said Nejad. 

When Great American Insurance Group‘s previous security logging solution could no longer scale with the business, the insurer went looking for a modern alternative. Today, the company uses Falcon LogScale to augment its SIEM by sending a subset of data to the SIEM for more advanced searches.

“Having logs for a longer period gives us the ability to identify root causes of any issue and look at certain cases reactively,” said Sumit Bhargava, Divisional Assistant VP at Great American Insurance Group. “But Falcon LogScale allows us to be more proactive as well, as we now have security dashboards that enable us to do near real-time analysis. The SIEM augmentation strategy is working really well for us.”

In Summary

For many organizations, Falcon LogScale is a powerful and versatile tool that provides the optimal mix of speed, scale and total cost of ownership to solve your toughest SIEM use cases.

This is Part One of a three-part series on Falcon LogScale. In the next post, we’ll share how Falcon LogScale combines with other powerful CrowdStrike technologies to deliver even more advanced SIEM capabilities from the unified Falcon platform. 

Additional Resources

Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft

22 June 2023 at 18:12


On May 24, 2023, industry and government sources detailed China-nexus activity in which the threat actor dubbed Volt Typhoon targeted U.S.-based critical infrastructure entities. CrowdStrike Intelligence tracks this actor as VANGUARD PANDA. 

Since at least mid-2020, the CrowdStrike Falcon® Complete managed detection and response (MDR) team and the CrowdStrike® Falcon OverWatch™ threat hunting team have observed related historical activity in multiple sectors. The adversary consistently employed ManageEngine ADSelfService Plus exploits to gain initial access, followed by custom webshells for persistent access, and living-off-the-land (LOTL) techniques for lateral movement.

Collaboration between Falcon Complete, Falcon OverWatch and the CrowdStrike Intelligence team is a force multiplier protecting customers from the latest threats to ultimately stop breaches.

Incident Case Study

One specific VANGUARD PANDA incident stands out to review in detail. Falcon Complete responded to a detection that was triggered by suspicious reconnaissance commands executed under an Apache Tomcat web server running ManageEngine ADSelfService Plus. 

The malicious activity detailed in the detection included listing processes, network connectivity testing, gathering user and group information, mounting shares, enumeration of domain trust over WMI, and listing DNS zones over WMI. VANGUARD PANDA’s actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI.

cmd /C "tasklist /svc"
cmd /C "ping -n 1 [redacted]"
cmd /C "ping -n 1 -a [redacted]"
cmd /C "net group "domain controllers" /dom"
cmd /C "net use \\[redacted]\admin$ REDACTED /u:[redacted]"
cmd /C "dir \\[redacted]\c$\Users"
cmd /C "wmic /node:[redacted] /user:[redacted] /password:"<removed>" process call create "cmd /c nltest /DOMAIN_TRUSTS >>C:\Users\[redacted]\AppData\Local\[redacted].tmp""
cmd /C "dir \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
cmd /C "type \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
cmd /C "wmic /node:[redacted] /user:[redacted] /password:"<removed>" process call create "cmd /c Dnscmd . /EnumZones >>C:\Users\[redacted]\AppData\Local\Temp\[redacted].tmp""
cmd /C "dir \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
cmd /C "type \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
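As an added example from the detection side (not part of the original post), the following Python flags a web-server process that spawns children matching the discovery commands above in rapid succession; the process events, host name, PIDs, timestamps and parent command line are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Discovery and lateral-movement command shapes from the incident above.
RECON_PATTERNS = {
    "process_listing":   re.compile(r"\btasklist\b", re.I),
    "host_probe":        re.compile(r"\bping\s+-n\b", re.I),
    "domain_group_enum": re.compile(r"\bnet\s+group\b.*/dom\b", re.I),
    "admin_share_mount": re.compile(r"\bnet\s+use\s+\\\\\S+\\admin\$", re.I),
    "remote_wmi_exec":   re.compile(r"\bwmic\s+/node:", re.I),
    "domain_trust_enum": re.compile(r"\bnltest\s+/DOMAIN_TRUSTS\b", re.I),
    "dns_zone_enum":     re.compile(r"\bDnscmd\b.*/EnumZones\b", re.I),
}

# A parent whose command line points at the ADSelfService Plus Tomcat
# install.  A web server has no business spawning this kind of child.
WEB_SERVER_PARENT = re.compile(r"ADSelfService Plus|tomcat", re.I)


def classify(cmdline: str) -> List[str]:
    """Return the recon categories a command line matches (may be several)."""
    return [name for name, rx in RECON_PATTERNS.items() if rx.search(cmdline)]


def detect(events: List[Dict], window: timedelta = timedelta(minutes=5),
           min_categories: int = 3) -> List[Dict]:
    """Alert when one web-server parent spawns children covering at least
    `min_categories` distinct recon categories inside `window`.  A lone
    `tasklist` is not enough; the rapid succession seen in the incident is."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not WEB_SERVER_PARENT.search(ev["parent_cmdline"]):
            continue
        cats = classify(ev["cmdline"])
        if cats:
            key = (ev["host"], ev["parent_pid"])
            by_parent[key].append((datetime.fromisoformat(ev["ts"]), cats, ev["cmdline"]))

    alerts = []
    for (host, ppid), hits in by_parent.items():
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            cats = {c for _, cs, _ in in_window for c in cs}
            if len(cats) >= min_categories:
                alerts.append({"host": host, "parent_pid": ppid,
                               "start": in_window[0][0].isoformat(),
                               "end": in_window[-1][0].isoformat(),
                               "categories": sorted(cats),
                               "commands": [c for _, _, c in in_window]})
                break  # one alert per parent process
    return alerts


# Constructed parent command line (the real install path is from the post;
# the binary location and arguments are made up for the example).
TOMCAT_PARENT = r'"C:\ManageEngine\ADSelfService Plus\bin\java.exe" org.apache.catalina.startup.Bootstrap'


def _ev(ts, cmdline, host="srv-adssp-01", parent_pid=4242, parent_cmdline=TOMCAT_PARENT):
    return {"ts": ts, "host": host, "parent_pid": parent_pid,
            "parent_cmdline": parent_cmdline, "image": "cmd.exe", "cmdline": cmdline}


# Constructed telemetry: the post's command sequence replayed under one
# Tomcat java.exe parent, plus two benign events that must not alert.
SAMPLE_EVENTS = [
    _ev("2023-01-01T10:00:00", 'cmd /C "tasklist /svc"'),
    _ev("2023-01-01T10:00:04", 'cmd /C "ping -n 1 [redacted]"'),
    _ev("2023-01-01T10:00:09", 'cmd /C "net group "domain controllers" /dom"'),
    _ev("2023-01-01T10:00:21", r'cmd /C "net use \\[redacted]\admin$ REDACTED /u:[redacted]"'),
    _ev("2023-01-01T10:00:40", 'cmd /C "wmic /node:[redacted] /user:[redacted] /password:"<removed>" '
                               'process call create "cmd /c nltest /DOMAIN_TRUSTS >>C:\\Users\\[redacted]\\AppData\\Local\\[redacted].tmp""'),
    _ev("2023-01-01T10:01:30", 'cmd /C "wmic /node:[redacted] /user:[redacted] /password:"<removed>" '
                               'process call create "cmd /c Dnscmd . /EnumZones >>C:\\Users\\[redacted]\\AppData\\Local\\Temp\\[redacted].tmp""'),
    # Benign: an admin's interactive shell, and the web server spawning a
    # single unrelated helper hours later (different parent PID).
    _ev("2023-01-01T08:00:00", 'cmd /C "tasklist /svc"', parent_pid=777, parent_cmdline=r"C:\Windows\explorer.exe"),
    _ev("2023-01-01T15:00:00", 'cmd /C "tasklist /svc"', parent_pid=4243),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["start"], "->", alert["end"], alert["categories"])
```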

Upon notification from Falcon OverWatch of the reconnaissance activity taking place underneath the ManageEngine ADSelfService Plus process, Falcon Complete quickly contained the host using the CrowdStrike Falcon® sensor’s Network Containment capability. In doing so, Falcon Complete isolated the host and prevented the adversary from interacting with it.

Following successful containment, Falcon Complete quickly triaged the host, ultimately calling the impacted customer to notify them of this critical incident and the measures being taken to defend against the suspected adversary tradecraft.

Simultaneously, Falcon Complete began technical analysis of the Apache Tomcat access logs located in C:\ManageEngine\ADSelfService Plus\logs.

Upon review of the access logs, multiple HTTP POST requests to /html/promotion/selfsdp.jspx were found with timestamps matching the enumeration and reconnaissance commands seen spawning from the Apache Tomcat web server.

- /html/promotion/selfsdp.jspx "-" [redacted] [redacted] POST [redacted +0000] 203 2043 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0"

Based on the URI from the access logs, Falcon Complete identified the folder and file on disk located at C:\ManageEngine\ADSelfService Plus\webapps\adssp\html\promotion\selfsdp.jspx.

Upon analysis of the .jspx file, Falcon Complete identified it to be a webshell. This is based on Java code that converts the bytes 99, 109 and 100, respectively, into cmd; and the bytes 47 and 67 into /C. Execution of the command cmd /C is a common method by which webshells run commands under the Command Prompt process.

ProcessBuilder pb = new ProcessBuilder(new String(new byte[]{99, 109, 100}), new String(new byte[]{47, 67}), command);

Additionally, the webshell was attempting to masquerade as a legitimate file of ManageEngine ADSelfService Plus by setting its title to ManageEngine ADSelfService Plus and adding links to legitimate enterprise help desk software http[:]//www.manageengine[.]com/products/adself-service/help-desk-software.html and ADSelfService http[:]//www.manageengine[.]com/products/adself-service/index.html.

Now, a retrospective review of the selfsdp.jspx webshell will return successful matches of the EncryptJSP YARA rule released by CISA reporting on Volt Typhoon activity.

rule EncryptJSP {
    strings:
        $s1 = "AEScrypt"
        $s2 = "AES/CBC/PKCS5Padding"
        $s3 = "SecretKeySpec"
        $s4 = "FileOutputStream"
        $s5 = "getParameter"
        $s6 = "new ProcessBuilder"
        $s7 = "new BufferedReader"
        $s8 = "readLine()"
    condition:
        filesize < 50KB and 6 of them
}

CISA also now reports that the following User-Agent (spaces included) was used by VANGUARD PANDA. However, at the time of CrowdStrike’s initial investigation, this information had not yet been reported.

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0)               Gecko/20100101 Firefox/68.0

Retrospective review of the User-Agent that Falcon Complete observed making POST requests to the webshell is an exact match for this User-Agent without the mistake in spacing.

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0

Falcon Complete assessed the activity was malicious and rapidly remediated the webshell on behalf of the customer and provided the customer with further actionable recommendations for patching and user credential resets.

Investigation Follow-Through

This is where an investigation might typically end, but the expected access log artifacts that would indicate CVE-2021-40539 were not present, even though the TTPs of the malicious activity were a match for this CVE.

Additionally, given Falcon Complete’s experience with similar advanced intrusions, VANGUARD PANDA’s apparent familiarity with the target environment and potential indicators of log tampering, Falcon Complete determined that a deeper dive into the associated activity was an important next step to determine whether other artifacts remained that could confirm the use of CVE-2021-40539 or possibly indicate another form of exploitation altogether.

More Tradecraft Unearthed

The number of remaining loose ends at this point in the investigation relative to a typical event became a red flag in itself, warranting further investigation because:

  1. VANGUARD PANDA had clearly performed extensive prior recon and enumeration (based on its knowledge and use of remote hosts within the environment); 
  2. Administrator credentials had already been acquired/compromised;
  3. Expected access log artifacts for CVE-2021-40539 did not appear to exist; and
  4. The Falcon sensor was only recently installed on the targeted host.

A review of existing evidence showed the identified webshell selfsdp.jspx was written to disk almost 6 months prior to the installation of the Falcon sensor as well as the witnessed hands-on-keyboard adversary activity.

Using the Apache Tomcat access logs, CrowdStrike was able to correlate the timing of the selfsdp.jspx disk write to an HTTP POST request to the URI /html/error.jsp, after which the actor performed an HTTP GET request to /html/promotion/selfsdp.jspx to confirm its presence. 

Falcon Complete investigated the host for the suspected webshell at /html/error.jsp, but this file was not on disk — an important fact that will come up later in the investigation.

Even though the timing of this activity lined up with CVE-2021-40539 exploitation, no such exploitation artifacts were left in the access logs, ManageEngine serverOut logs, or the ManageEngine adslog. The lack of all of these log artifacts combined with the lack of error.jsp on disk suggested that the adversary might be attempting to cover their tracks.

Further review of the Apache Tomcat access logs showed the use of the selfsdp.jspx webshell across multiple months. On one particular day the access log was wiped clean for the first 12 hours of the day, and the first log message recorded that day was a request to the selfsdp.jspx webshell.

Now with a specific 12-hour time period in focus, Falcon Complete triaged the host for any further signs of malicious activity that might be connected to the intrusion. This is where CrowdStrike discovered the adversary’s misstep.

The Giveaway: JSP Compilation

A component of Apache Tomcat, the Jasper 2 JSP Engine, is responsible for the generation of Java source code from JSP files and the subsequent compilation of those files into classes.

The Jasper 2 JSP Engine has a configuration setting named “keepGenerated” with the following description:

“Should we keep the generated Java source code for each page instead of deleting it? true or false, default true.”

An important piece of information is that these Java and Class files get created in a separate directory structure.

While the HTML and JSP files live under C:\ManageEngine\ADSelfService Plus\webapps\adssp\html, the Java and Class files are written to a separate directory, C:\ManageEngine\ADSelfService Plus\work\Catalina\localhost\ROOT\org\apache\jsp\[foldername].

VANGUARD PANDA went through extensive lengths to clear out multiple log files and remove excess files from disk — but they didn’t clear out the generated Java source or compiled Class files. As a result, Falcon Complete discovered numerous webshells and backdoors all connected to this same attack. 
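An added Python example (not CrowdStrike’s tooling) of the check this observation suggests: walk the Jasper work directory and report generated sources whose originating JSP no longer exists under webapps. The paths are constructed from the ones named above; the folder used for ListName.jsp and the rule for reversing Jasper’s mangling of special characters are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Generated sources live under work/Catalina/<host>/<context>/org/apache/jsp/,
# mirroring the JSP's folder, as <name>_jsp.java / <name>_jspx.java plus the
# compiled .class files (inner classes carry a '$' suffix).
JASPER_PREFIX = "org/apache/jsp/"
_GENERATED = re.compile(r"^(?P<stem>.+)_(?P<ext>jspx?)(?:\$[^.]*)?\.(?:java|class)$")
# Assumed Jasper convention: a character that is illegal in a Java
# identifier is encoded as '_' followed by its 4-hex-digit code point.
_MANGLED = re.compile(r"_([0-9a-fA-F]{4})")


def demangle(segment: str) -> str:
    """Reverse the '_XXXX' encoding, e.g. 'my_002dreport' -> 'my-report'.
    Limitation: a genuine '_' followed by four hex-looking characters
    (such as 'list_2023') would be misread; verify hits against disk."""
    return _MANGLED.sub(lambda m: chr(int(m.group(1), 16)), segment)


def source_for(generated_rel_path: str) -> Optional[str]:
    """Map a generated file back to the JSP/JSPX it came from, e.g.
    org/apache/jsp/html/promotion/selfsdp_jspx.java -> html/promotion/selfsdp.jspx
    Returns None for paths that are not Jasper output."""
    path = generated_rel_path.replace("\\", "/")
    if not path.startswith(JASPER_PREFIX):
        return None
    dirname, _, filename = path[len(JASPER_PREFIX):].rpartition("/")
    m = _GENERATED.match(filename)
    if not m:
        return None
    folder = "/".join(demangle(s) for s in dirname.split("/") if s)
    source = f"{demangle(m.group('stem'))}.{m.group('ext')}"
    return f"{folder}/{source}" if folder else source


def find_orphans(work_files: Iterable[str], webapp_files: Iterable[str]) -> Dict[str, List[str]]:
    """Generated artifacts whose source JSP is gone, keyed by the missing
    source path.  A deleted JSP that still has compiled output is exactly
    the trace an attacker who cleaned webapps and the logs leaves behind."""
    present = {f.replace("\\", "/") for f in webapp_files}
    orphans: Dict[str, List[str]] = defaultdict(list)
    for generated in work_files:
        source = source_for(generated)
        if source is not None and source not in present:
            orphans[source].append(generated)
    return dict(orphans)


# Constructed directory listings.  selfsdp.jspx and error.jsp are the paths
# from the post; 'html/tools/' for ListName.jsp and the remaining files are
# made up to exercise the matcher.
WORK_FILES = [
    "org/apache/jsp/html/promotion/selfsdp_jspx.java",
    "org/apache/jsp/html/promotion/selfsdp_jspx.class",
    "org/apache/jsp/html/error_jsp.java",
    "org/apache/jsp/html/error_jsp.class",
    "org/apache/jsp/html/tools/ListName_jsp.java",
    "org/apache/jsp/html/tools/ListName_jsp.class",
    "org/apache/jsp/html/tools/ListName_jsp$1.class",
    "org/apache/jsp/html/my_002dreport_jsp.java",
    "org/apache/jsp/index_jsp.java",
    "org/apache/jsp/html/README.txt",  # not Jasper output, must be ignored
]
WEBAPP_FILES = [
    "html/promotion/selfsdp.jspx",
    "html/my-report.jsp",
    "index.jsp",
]


if __name__ == "__main__":
    for missing, artifacts in find_orphans(WORK_FILES, WEBAPP_FILES).items():
        print(f"{missing} is gone but left {len(artifacts)} generated file(s):")
        for a in artifacts:
            print("   ", a)
```

In a live triage the two listings come from os.walk over the work and webapps directories; a hit such as html/error.jsp here is the cue to pull the generated .java file and read what the deleted page did.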

One Java source code file was critically important. The Jasper Engine generated this source code file just prior to known log clearing via the selfsdp.jspx webshell. 


* Generated by the Jasper component of Apache Tomcat
* Version: Apache Tomcat/@VERSION@
* Generated at: [redacted] 11:[redacted]UTC
* Note: The last modified time of this file was set to
* the last modified time of the source file after
* generation to assist with modification tracking.

JSP Backdoor Preparation

This recovered source file is the generated Java source code for a deleted file that was named ListName.jsp. Analysis of ListName.jsp reveals its purpose is to deploy a backdoored version of the tomcat-websocket.jar Apache Tomcat library containing a webshell.

First, ListName.jsp tries to load the following three Classes:


Then ListName.jsp moves the following Class files from a JAR archive C:/users/public/tomcat-ant.jar to C:/users/public/tomcat-websocket.jar:


Armed with this knowledge, Falcon Complete confirmed that the version of tomcat-websocket.jar installed in the Apache Tomcat library on disk was backdoored. The tomcat-websocket.jar file timestamp was timestomped to appear unmodified, but unpacking the Java Archive showed the A, B, and C class files with timestamps matching the ListName.jsp timeframe.

The C:/users/public/tomcat-ant.jar was not available on disk, and not located anywhere within the installed Apache Tomcat directory structure.

While unconfirmed due to log clearing and because it occurred prior to the Falcon sensor installation, VANGUARD PANDA’s workflow likely followed these approximate steps to backdoor tomcat-websocket.jar:

  1. Use webshell to retrieve ListName.jsp from a remote source, and place in web server directory
  2. Use webshell to retrieve tomcat-ant.jar from a remote source and move to C:/users/public/
  3. Use webshell to copy tomcat-websocket.jar out of the Apache Tomcat library directory into C:/users/public
  4. Make an HTTP GET request to ListName.jsp, which would move A, B, and C classes from tomcat-ant.jar to tomcat-websocket.jar
  5. Use webshell to replace the tomcat-websocket.jar in the Apache Tomcat library with the backdoored version
  6. Cleanup
    1. Delete JARs out of C:/users/public
    2. Delete ListName.jsp out of the web server directory
    3. Clear Apache Tomcat access logs

JAR Backdoor

Falcon Intelligence reviewed the backdoored tomcat-websocket.jar to understand its purpose. The backdoored library provided VANGUARD PANDA with several possible commands triggered via HTTP URIs containing /addEndpoint/html/lookup.gif.

  • C.class adds a new endpoint for B.class, which is reachable under /addEndpoint/html/lookup.gif
  • B.class instantiates A.class, which will handle requests to the previously registered endpoint under /addEndpoint/html/lookup.gif.
  • A.class acts as the webshell. The webshell command data is Base64-encoded and AES-encrypted using the provided key. Command arguments are split using the ampersand (‘&’) character.
Command          | Description
-----------------+-------------------------------------------------------------------------------------------
first&<aes_key>  | Initializes the webshell class using the given data as the AES key for future requests and responses.
<command_data>&0 | Executes the decrypted shell command and returns encrypted command output via the webshell session.
exit&0           | If the decrypted command is exit, the webshell session is terminated.
<string_data>&1  | Writes the decrypted value of the string to the log file C:/users/public/tmp.log.

The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by VANGUARD PANDA. This backdoor was likely used by VANGUARD PANDA to enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities. CrowdStrike Intelligence’s assessment is made with moderate confidence based on:

  • The additional session management options provided by this backdoor compared to the webshell associated with VANGUARD PANDA initial access operations
  • Extensive use of log clearing and artifact deletion to hinder forensic analysis
  • Use of filenames masquerading as legitimate server files to avoid detection

The Falcon Complete MDR Way

Falcon Complete’s subject matter expertise in responding to sophisticated adversaries allowed for the quick containment, identification and remediation of this pre-sensor-installation VANGUARD PANDA intrusion. The first time VANGUARD PANDA became active after the Falcon sensor was installed, Falcon Complete was prepared to investigate, contain and remediate. 

Falcon Complete, Falcon OverWatch and CrowdStrike Intelligence continually partner to proactively hunt, identify, and remediate malicious activity from adversaries. By working together, these teams take full advantage of CrowdStrike’s expertise and keep CrowdStrike customers protected 24/7/365.

Recommendations to Detect and Defend against VANGUARD PANDA

Falcon Complete recommends the following indicators and rules to detect and defend against the malicious VANGUARD PANDA components outlined in this blog.

In ManageEngine ADSelfService Plus or Apache Tomcat access logs, any requests to the webshell URI described in the JAR Backdoor section above, /addEndpoint/html/lookup.gif:

Files on disk:

  • C:/users/public/*.jar
  • C:/users/public/tmp.log

Review for unexpected .java or .class files or unexpected timestamps in the following directory and its subdirectories:

C:\ManageEngine\ADSelfService Plus\work\Catalina\localhost\ROOT\org\apache\jsp\
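The two log and file indicators above can be checked mechanically. The following is an added example written for this page, not CrowdStrike's or Falcon Complete's own tooling: it scans Tomcat access-log lines for requests to the webshell URI or to the ListName.jsp staging page, and it compares the timestamps of a JAR's entries against the archive's on-disk modification time, which is how the timestomped tomcat-websocket.jar described above gave itself away (entries dated later than the archive). The log layout assumed is Tomcat's default "common" access-log pattern; the log lines and the in-memory JAR are constructed sample data, not real artifacts.

```python
import io
import re
import zipfile
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Indicators taken from the write-up above.
WEBSHELL_URI = "/addEndpoint/html/lookup.gif"
STAGING_JSP = "ListName.jsp"
BACKDOOR_CLASSES = {"A.class", "B.class", "C.class"}

# Tomcat "common" access-log layout: host ident user [time] "method uri protocol" status bytes
ACCESS_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def find_webshell_requests(lines: Iterable[str]) -> List[Tuple[str, str, str, str, int]]:
    """Return (host, time, method, uri, status) for requests that touch the webshell
    endpoint or the ListName.jsp staging page."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess at its layout
        uri = m.group("uri")
        path = uri.split("?", 1)[0]
        if WEBSHELL_URI in path or path.endswith("/" + STAGING_JSP):
            hits.append((m.group("host"), m.group("time"), m.group("method"), uri, int(m.group("status"))))
    return hits


def suspicious_jar_entries(jar_bytes: bytes, jar_mtime: datetime,
                           slack: timedelta = timedelta(hours=24)):
    """Inspect a JAR's entry timestamps. An entry dated later than the archive's own
    modification time means the archive mtime was reset after repacking (timestomping).
    Entries named like the backdoor classes are flagged as well."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            entry_time = datetime(*info.date_time)  # ZIP local time, 2-second resolution
            reasons = []
            if entry_time > jar_mtime + slack:
                reasons.append("entry timestamp newer than archive mtime")
            if info.filename.rsplit("/", 1)[-1] in BACKDOOR_CLASSES:
                reasons.append("single-letter class name used by the backdoor")
            if reasons:
                findings.append((info.filename, entry_time.isoformat(), reasons))
    return findings


# --- constructed sample data (not real artifacts) -------------------------------------

SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [20/May/2023:02:14:03 +0000] "GET /ListName.jsp HTTP/1.1" 200 512
10.0.0.5 - - [20/May/2023:02:16:41 +0000] "POST /addEndpoint/html/lookup.gif HTTP/1.1" 200 93
192.168.1.20 - - [20/May/2023:02:17:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048
""".splitlines()

SAMPLE_JAR_MTIME = datetime(2022, 3, 1, 10, 0, 0)  # what the timestomped file shows on disk


def build_sample_jar() -> bytes:
    """Build an in-memory JAR mimicking the pattern: original entries dated like the
    archive itself, three injected classes dated more than a year later."""
    buf = io.BytesIO()
    original = (2022, 3, 1, 10, 0, 0)
    injected = (2023, 5, 20, 2, 15, 0)
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("META-INF/MANIFEST.MF", "org/apache/tomcat/websocket/WsSession.class"):
            zf.writestr(zipfile.ZipInfo(name, date_time=original), b"placeholder")
        for name in ("A.class", "B.class", "C.class"):
            zf.writestr(zipfile.ZipInfo(name, date_time=injected), b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_webshell_requests(SAMPLE_ACCESS_LOG):
        print("suspicious request:", hit)
    for finding in suspicious_jar_entries(build_sample_jar(), SAMPLE_JAR_MTIME):
        print("suspicious JAR entry:", finding)
```

On a real host, feed `find_webshell_requests` the lines of the Tomcat access log and `suspicious_jar_entries` the bytes of each JAR under the Tomcat lib directory together with its `os.path.getmtime`. Bear in mind that the access-log check only works where the logs were not cleared, which is exactly why the JAR timestamp comparison is worth running independently.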

YARA rule from CISA AA23-144a

rule EncryptJSP {
    strings:
        $s1 = "AEScrypt"
        $s2 = "AES/CBC/PKCS5Padding"
        $s3 = "SecretKeySpec"
        $s4 = "FileOutputStream"
        $s5 = "getParameter"
        $s6 = "new ProcessBuilder"
        $s7 = "new BufferedReader"
        $s8 = "readLine()"
    condition:
        filesize < 50KB and 6 of them
}

CrowdStrike Intelligence YARA rules:

rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell : webshell vanguard_panda
{
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "Timewarp Java webshell in malicious Tomcat module"
        version = "202306131008"
        last_modified = "2023-06-13"
        actor = "VANGUARD PANDA"
    strings:
        $ = "setKey"
        $ = "ProcessBuilder"
        $ = "AES/ECB/PKCS5Padding"
        $ = "tmp.log"
        $ = "byteKey"
        $ = "method0"
        $ = "failed to read output from process"
    condition:
        filesize<50KB and 4 of them
}

rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell_jar : java vanguard_panda
{
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "JAR file containing Timewarp webshell"
        version = "202306131011"
        last_modified = "2023-06-13"
        actor = "VANGUARD PANDA"
    strings:
        $WsSci = "/WsSci.class"
        $abc1 = "/A.class"
        $abc2 = "/B.class"
        $abc3 = "/C.class"
        $timewarp1 = "/Timewarp.class"
        $timewarp2 = "/Timewarp2.class"
        $timewarp3 = "/Timewarp3.class"
    condition:
        uint16(0)==0x4b50 and filesize<1MB and $WsSci and (all of ($abc*) or all of ($timewarp*))
}

rule CrowdStrike_VANGUARD_PANDA_webshell_installer : java vanguard_panda
{
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "ClassLoader - Java webshell install and execute script"
        version = "202306131012"
        last_modified = "2023-06-13"
        actor = "VANGUARD PANDA"
    strings:
        $ = "<title>class loader</title>"
        $ = "customEndpoint1"
        $ = "move true <br>"
        $ = "inject true <br>"
        $ = "ListName_jsp"
        $ = "photohelp_jsp"
        $ = "photoparse_jsp"
        $ = "Timewarp.class"
        $ = "WsSci.class"
        $ = "/A.class"
        $ = "srcZipfs.getPath"
    condition:
        filesize<50KB and 4 of them
}

Additional Resources

Security Guidance from the Front Lines of Cloud Incident Response

15 June 2023 at 19:21

In our first-ever Cloud Threat Summit, CrowdStrike’s Senior Vice President of Intelligence and Senior Director of Consulting Services discussed the most common ways adversaries breach the cloud and the steps organizations can take to stay safe.

An insightful and engaging conversation during last week’s Cloud Threat Summit featured Adam Meyers, Senior Vice President of Intelligence, and James Perry, Senior Director of Consulting Services, sharing real-world stories of cloud breaches and how they inform best practices for stopping cloud-focused adversaries. Their experience in helping customers navigate cloud security incidents can help organizations fortify their cloud defenses. 

In his years of incident response engagements, James has had a front-row seat to the tactics, techniques and procedures (TTPs) cloud-conscious adversaries use in their attacks. Today’s threat actors have grown adept at breaching enterprise cloud environments and silently moving through them, escalating privileges and accessing sensitive data they can use to further their nefarious agendas — often without the victim’s knowledge. 

CrowdStrike’s Incident Response Services and Threat Intelligence teams work closely during and after incidents, sharing valuable information about the adversary and their traits, capabilities and tactics. In response to the increase in cloud-conscious cyberattacks, the IR Services team has developed cloud specialists. This group consists of experts who have built cloud environments for large corporations, and been trained in incident response; it also consists of incident response experts who have been trained in cloud technology and vernacular. 

“We bring those two skill sets together when a customer has a cloud breach, and that really helps us translate the problems they’re having to execs in an organization,” said James. 

Like the IR Services team, today’s organizations must prepare themselves for cloud-focused attacks. Here, we’ll dig into the key themes of this conversation about cloud threat activity and best security practices.  

Neglecting MFA Opens the Door to Attackers

Many businesses still use credentials with simple passwords and no multifactor authentication (MFA), or have misconfigured access policies that allow attackers to break in without an MFA prompt. The most common error James sees is organizations allowlisting their corporate subnets for no MFA. This allows an attacker who gains endpoint access to quickly pivot into the cloud, often gaining the “more destructive” access the cloud can provide, James said. Organizations often don’t realize adversaries will use their initial access to breach a victim’s identity system, which lets them into many other applications — including the cloud.

“They want to make things easy for their users, but it also makes things very easy for the attackers,” he said.

Allowing users to provision their own MFA is an issue as well. When you create cloud-only accounts and don’t provision MFA, a threat actor can brute-force the account and register their own device so they can log in with MFA. In some cases, the attacker gains access to an admin account and adds an allowlist for their own IP address to bypass MFA. In others, they abuse certificate-based authentication and enroll their own certificate, which is hard to detect.

“You can reset passwords all you want, but if they have a certificate-based authentication, they can come right back in,” he added.

Adversaries will take the path of least resistance — and the cloud is becoming that path. Consider eCrime adversary SLIPPY SPIDER, or Lapsus Group, which in Summer 2022 was able to breach a trillion-dollar company with just one compromised credential and get all the way into the source code. Credentials are keys, and adversaries have their eyes on them.

Some threat actors will use their initial access to find tools they can use to their advantage. James and Adam discussed the recent trend of adversaries using the capabilities of Azure to execute commands on systems hosted in Azure. Last summer, eCrime threat actor SCATTERED SPIDER used this method to push publicly available remote access tools to every host in the environment they could access. Their persistence in the cloud allowed them to lurk on systems across the environment. An attack like this is tough to detect. It takes expertise in cloud, adversaries and intelligence to understand an adversary may do something like this. 

Log Management: Critical to Cloud Security

As organizations interconnect different clouds, Adam predicts they’ll run into the problem of adversaries moving from one cloud to another to better conceal their activity, and reemerge in different ways to catch their victims off-guard. “That’s going to be an interesting dynamic, if they start to do that,” he said.

This use of multiple clouds also leads to the challenge of managing logs, James added. You’ll have different logs coming from different clouds, in addition to on-premises logs. If you’re operating in multiple environments giving different signals, you need the right way to correlate that information and respond to it.

“I think that’s going to be one of the big challenges you see in the future,” he said. “Customers had all the right data but they didn’t have it in the right place; they didn’t have the ability to search it all quickly and see there was an issue.” 

Adam advises organizations to diversify the applications and tools they use to protect their workloads running in multiple clouds. “One of the things I always tell organizations is, don’t put all your eggs in one basket,” he said. If all of your eggs are in one basket and an attacker gets into that basket, they could simply turn protections off. Make sure you have a third party for that essential cloud workload protection — for endpoint protection.

If you’re using one vendor for your productivity suite, you shouldn’t also use it for enterprise security — instead, rely on a third party with expertise in that area. “You get some diversity that way and you’re not beholden to one flaw that could ruin the whole thing,” Adam said.   

Secure the Cloud: Three Best Practices

Three pieces of advice James has for organizations eager to strengthen their cloud security are:

  • It all starts with hygiene: The cloud is secure — until you go in and start making configuration changes. Many admins don’t have the same in-depth knowledge of the cloud that they have for on-premises infrastructure. Ask yourself: Is your cloud clean? Are any common misconfigurations putting your organization at risk? Are resources exposed to the cloud that shouldn’t be? Basic hygiene is essential to stopping cloud-conscious adversaries.
  • Identity must be a priority: Make sure you understand your identities — your on-premises identities tied to Active Directory, your cloud identities, your cloud-only accounts. Understand how those are configured, who has access to what, and whether MFA is enabled. Review conditional access policies: Who can access your cloud? From where? What identity policies are enforced on that access?
  • Implement cloud-to-endpoint protection: Organizations need active protection on cloud and endpoint. Today’s adversaries will find that path of least resistance, whether that means logging into a cloud environment or pivoting from endpoint to cloud. Ensure they can be stopped before they cause a big problem. 

You don’t have a cloud problem — you have an adversary problem, and the key for defenders is to make attacks more difficult and expensive for them. The more barriers you have in place, the harder you can make it for adversaries to achieve their goals. When they slip up, you’ll be able to quickly take notice and respond.

Additional Resources

  • View this conversation as part of the full Cloud Threat Summit, now available on demand.
  • Learn more about how CrowdStrike’s Cloud Security Services can help you respond to a cloud attack, fortify your cloud defenses and prepare you to defend against cloud-conscious adversaries.
  • To find out more about how to incorporate threat intelligence into your security strategy, visit the CrowdStrike Falcon® Intelligence page.
  • We’re proud to be recognized as a Representative Vendor in the 2023 Gartner® Market Guide for CNAPP, which we believe demonstrates our ability to meet or exceed Gartner’s criteria for CNAPP capabilities.

June 2023 Patch Tuesday: 78 Vulnerabilities with 6 Rated Critical and 38 Remote Code Execution

13 June 2023 at 22:11

Microsoft has released 78 security patches for its June 2023 Patch Tuesday rollout. Of the vulnerabilities patched today, 6 are classified as Critical and 38 are remote code execution (RCE) flaws. 

June 2023 Risk Analysis

This month’s leading risk type is remote code execution (41%), followed by elevation of privilege at nearly 22% and a tie for denial of service and spoofing at 13% each.  

Figure 1. Breakdown of June 2023 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month with 37, followed by Developer Tools with 25 and Extended Security Update (ESU) with 18.

Figure 2. Breakdown of product families affected by June 2023 Patch Tuesday

Critical Vulnerability in Microsoft SharePoint Server

Microsoft Office is getting a patch for Critical vulnerability CVE-2023-29357, which has a CVSS of 9.8. SharePoint is a powerful collaboration platform that lets organizations share and manage content, knowledge and applications. The Microsoft Security Response Center (MSRC) says an attacker that gains access to spoofed JSON Web Tokens (JWT) can leverage them to execute a network-based attack that bypasses authentication and allows them to potentially access administrator privileges. 

Microsoft states, “Customers who have enabled the AMSI integration feature and use Microsoft Defender across their SharePoint Server farm(s) are protected from this vulnerability. For more information, see Configure AMSI integration with SharePoint Server.”

Rank     | CVSS Score | CVE            | Description
---------+------------+----------------+-----------------------------------------------------------------
Critical | 9.8        | CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability

Figure 3. Critical vulnerability in Microsoft SharePoint Server

Critical Vulnerabilities Affect Windows Pragmatic General Multicast 

CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 are three distinct Critical vulnerabilities, each with a CVSS of 9.8. Microsoft Windows Pragmatic General Multicast (PGM) has been updated in the last two monthly patch releases. In this particular case, the vulnerabilities allow a remote, unauthenticated attacker to execute code on an affected system when the Windows Message Queuing service is running in a PGM server environment. As Microsoft states in the description for each CVE: “The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel. You can check to see if there is a service running named Message Queuing and TCP port 1801 is listening on the machine.”

Rank     | CVSS Score | CVE            | Description
---------+------------+----------------+------------------------------------------------------------------------------
Critical | 9.8        | CVE-2023-29363 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Critical | 9.8        | CVE-2023-32014 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Critical | 9.8        | CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

Figure 4. Critical vulnerabilities in MS Windows Pragmatic General Multicast (PGM)

Critical Vulnerability Affects Windows Hyper-V

CVE-2023-32013 is a Critical vulnerability affecting Windows Hyper-V with a CVSS of 6.5. Hyper-V is Microsoft’s virtualization platform that enables administrators to simultaneously run multiple operating systems on the same physical server. According to Microsoft, “Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.” It is likely this vulnerability is rated “Critical” despite the otherwise lower CVSS score because of the importance of Hyper-V on virtualization infrastructures and the ease of access through the network as an attack vector.

Rank     | CVSS Score | CVE            | Description
---------+------------+----------------+-----------------------------------------------
Critical | 6.5        | CVE-2023-32013 | Windows Hyper-V Denial of Service Vulnerability

Figure 5. Critical vulnerability in MS Windows Hyper-V

Critical Vulnerability Affects .NET, .NET Framework and Visual Studio

CVE-2023-24897 is a Critical vulnerability affecting Windows .NET, .NET Framework and Visual Studio and has a CVSS of 7.8. .NET and Visual Studio are used to create a variety of business and scientific systems. This particular vulnerability has “remote” in the title but according to Microsoft, “The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.”

Rank     | CVSS Score | CVE            | Description
---------+------------+----------------+--------------------------------------------------------------------------
Critical | 7.8        | CVE-2023-24897 | .NET, .NET Framework and Visual Studio Remote Code Execution Vulnerability

Figure 6. Critical vulnerability in .NET, .NET Framework and Visual Studio

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight vulnerability management can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate the severity and characteristics of software vulnerabilities. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

  • For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
  • Download the CrowdStrike 2023 Global Threat Report to learn how the threat landscape has shifted in the past year and understand the adversary behavior driving these shifts.
  • See how Falcon Spotlight can help you discover and manage vulnerabilities and prioritize patches in your environments. 
  • Learn how CrowdStrike’s external attack surface module, Falcon Surface, can discover unknown, exposed and vulnerable internet-facing assets enabling security teams to stop adversaries in their tracks.
  • Learn how Falcon identity protection products can stop workforce identity threats faster. 
  • Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
  • Test CrowdStrike next-gen AV for yourself with a free trial of Falcon Prevent.

Cracking the Code of AI Decision Making: Harnessing the Power of SHAP Values

13 June 2023 at 11:56

  • Machine learning explainability ensures that AI models are transparent, trustworthy and accurate
  • Explainability enables data scientists to understand how and why an AI model arrived at a particular decision or prediction
  • SHAP values are a powerful tool for explainability as they provide a way to measure the contribution of each feature in a model to the final prediction, offering insights into how the model reached a prediction

Despite the race to integrate artificial intelligence (AI) and machine learning (ML) into business systems and processes, the crucial issue of comprehending and articulating the decision-making process of these models is often ignored. Although machine learning is a valuable tool for uncovering pertinent information from vast amounts of data, it is essential to ensure the relevance, accuracy and reliability of this information. Therefore, comprehending and being able to explain the reasoning behind AI models’ decisions can help data scientists construct unbiased, dependable models that produce precise and trustworthy predictions.

Explainability of AI models can help crack the code on AI decision-making. The use of SHAP (SHapley Additive exPlanations) values can be a powerful tool for data scientists to build accurate machine learning models by identifying areas where the model may be making errors or where the data used to train the model may be flawed.

Why Do We Need AI Explainability?

There are three major reasons why AI explainability is critical. First, by providing clear and transparent explanations of how the AI model arrived at its decisions, stakeholders can understand the rationale behind the decisions and build trust in the model. Second, explainable models can help detect and address unintentional biases, ensuring that the decisions made by the model are fair and unbiased. And third, data scientists can identify areas where the model may be making errors in decision-making or where the data used to train the model may be flawed, which can help refine the model and improve its accuracy.

Explainability methods usually aim to reveal what features are the most important for a given prediction (e.g., for classification, the class predicted for that particular example), as displayed in Figure 1. In cybersecurity, with high stakes on the line, being able to understand the reasoning behind the predictions of an AI detection system allows threat analysts to gain a deeper understanding of the threat landscape. Moreover, an automated way of understanding what fuels the decisions of an ML model can facilitate interactions with customers and even advise on the best remediation measures applicable in the case of malicious activity being detected by an AI system. Thus, model explainability is an important topic, but one that is rarely brought up.

Figure 1. Model explainability: the ability to explain, from the model’s perspective, why certain detections happen and how certain features influence the prediction


In Figure 1, the features are represented by Feature 1, Feature 2, Feature 3 and Feature 4. The values on the right-hand side are the features’ actual SHAP values, and they sum to the model’s prediction. The sign of the SHAP values is indicative of the contribution toward positive class.

Depending on the type of problem, architectural constraints or other use-case-specific limitations, there are a variety of explainability paths we can explore. Here we focus on explainability in two different types of ML methods that have become very popular in cybersecurity in recent years: tree-based models (e.g., XGBoost, Random Forest) and neural networks.

Model Explainability for Tree-based Models

SHAP is a game theoretic approach named in honor of Lloyd Shapley and is based on the idea that the outcome of each possible combination of features should be considered to determine the importance of a single feature, as shown in Figure 2. This comes down to training an exponential number of distinct predictive models that are equivalent to each other, but using a different set of features.

Figure 2. The impact of specific features over prediction. The red edges represent the contributions of the feature Feature 1 when different combinations of features are considered.


This approach is very time and resource intensive. Thus, existing feature selection methods take measures to avoid this kind of exhaustive search. One solution is to approximate the decision function by creating a series of perturbations to the sample (e.g., randomly set entries in the feature vector to zero) and then predicting a label for each of these perturbations. Using this sampling strategy, the local neighborhood is roughly approximated, therefore creating SHAP values when solving the regression.
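The two paragraphs above describe the exact (exhaustive) Shapley computation and its sampling approximation. The following is an added example written for this page, not CrowdStrike's code and not the SHAP package: it computes exact Shapley values for a small hand-written scoring function by enumerating every feature coalition, estimates the same values by averaging marginal contributions over random feature orderings, and checks the additivity property mentioned under Figure 1 (the values sum to the difference between the prediction and the baseline prediction). The scorer `toy_model`, its feature names and the sample input are constructed for illustration; "missing" features are set to an all-zero baseline, matching the perturbation scheme the text describes.

```python
import itertools
import math
import random
from typing import Callable, List, Sequence

Model = Callable[[Sequence[float]], float]


def toy_model(z: Sequence[float]) -> float:
    """Hypothetical script-maliciousness scorer standing in for a trained tree ensemble.

    Constructed for this example. Feature order:
      z[0] = contains a Base64 blob (0/1)
      z[1] = calls Invoke-Expression (0/1)
      z[2] = script length in KB
      z[3] = script is signed (0/1)
    """
    score = 0.05            # bias, i.e. the prediction for an all-zero input
    if z[0] and z[1]:
        score += 0.60       # interaction: a decoded blob handed to IEX
    elif z[1]:
        score += 0.25
    score += 0.02 * z[2]    # purely additive term
    if z[3]:
        score -= 0.15
    return score


def _coalition_value(model: Model, x, baseline, coalition) -> float:
    """Evaluate the model with the coalition's features at x and all others at the baseline."""
    z = [x[i] if i in coalition else baseline[i] for i in range(len(x))]
    return model(z)


def exact_shapley(model: Model, x, baseline) -> List[float]:
    """Exact Shapley values by enumerating every coalition of the other features (2^(n-1) per feature)."""
    n = len(x)
    phi = [0.0] * n
    for i in range(n):
        others = [j for j in range(n) if j != i]
        for size in range(n):
            for subset in itertools.combinations(others, size):
                s = set(subset)
                # classic Shapley weight |S|! (n-|S|-1)! / n!
                weight = math.factorial(size) * math.factorial(n - size - 1) / math.factorial(n)
                gain = _coalition_value(model, x, baseline, s | {i}) - _coalition_value(model, x, baseline, s)
                phi[i] += weight * gain
    return phi


def sampled_shapley(model: Model, x, baseline, n_permutations: int = 2000, seed: int = 0) -> List[float]:
    """Monte Carlo approximation: average each feature's marginal contribution over random orderings."""
    rng = random.Random(seed)
    n = len(x)
    phi = [0.0] * n
    for _ in range(n_permutations):
        order = list(range(n))
        rng.shuffle(order)
        coalition = set()
        prev = _coalition_value(model, x, baseline, coalition)
        for i in order:
            coalition.add(i)
            cur = _coalition_value(model, x, baseline, coalition)
            phi[i] += cur - prev
            prev = cur
    return [v / n_permutations for v in phi]


def additivity_gap(model: Model, x, baseline, phi) -> float:
    """|sum(phi) - (f(x) - f(baseline))|; zero (up to rounding) for exact Shapley values."""
    return abs(sum(phi) - (model(x) - model(baseline)))


SAMPLE_X = [1, 1, 5, 0]        # constructed sample: Base64 blob, IEX call, 5 KB, unsigned
ZERO_BASELINE = [0, 0, 0, 0]   # the "absence of signal" baseline

if __name__ == "__main__":
    exact = exact_shapley(toy_model, SAMPLE_X, ZERO_BASELINE)
    approx = sampled_shapley(toy_model, SAMPLE_X, ZERO_BASELINE)
    for name, e, a in zip(["base64", "iex", "length_kb", "signed"], exact, approx):
        print(f"{name:10s} exact={e:+.4f} sampled={a:+.4f}")
    print("prediction", toy_model(SAMPLE_X), "baseline", toy_model(ZERO_BASELINE), "sum(phi)", sum(exact))
```

Two things are visible in the output that the prose only states. The interaction between the Base64 and IEX features is split between them (the IEX feature gets the larger share because it also contributes on its own), while the purely additive length term is attributed exactly and the unchanged "signed" feature gets zero. The exact routine costs 2^(n-1) model calls per feature, which is why TreeExplainer's tree-specific algorithm, rather than this enumeration, is what is used in practice.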

When it comes to tree models and ensembles of trees, a very popular implementation of SHAP is the TreeExplainer, which can be found in the SHAP package, making it our go-to explainer for these types of models. TreeExplainer is a good choice because it includes fast runtime, it works under several different possible assumptions about feature dependence, and it gives exact and insightful information regarding the features’ influence on a prediction, as shown in Figure 3.

Figure 3. The impact different features have on a model’s output. We use blue to draw clean features and red to draw features pointing to this particular sample’s maliciousness.

Model Explainability for Neural Networks

Picking the best candidate for explainability in neural networks is not as straightforward. When first investigating this problem, our interest was in leveraging explainability methods applicable to all common architectures, such as MLPs (multi-layered perceptrons), CNNs (convolutional neural networks) and RNNs (recurrent neural networks). Therefore, approaches such as Grad-CAM (Gradient-weighted Class Activation Mapping) were purposely omitted.

We found a multitude of potential explainers, but before discussing the one we chose, let’s briefly review some of the other techniques that have various advantages and disadvantages:

  • KernelExplainer explains the output of any function using a special weighted linear regression that computes the importance of each feature. However, it suffers from non-determinism and exponential computing time, making it unsuitable for most neural network-based architectures.
  • Gradients and integrated gradients (IG): Gradients output a saliency map that measures prediction changes with respect to a given feature. Integrated gradients use a baseline to compute the importance of a feature by accumulating gradients with respect to that feature along the shortest path from the baseline to the sample. The advantage of this method is it uses the original network as is, and it is simple to implement.
  • GradientExplainer approximates SHAP values to infinite player games using expected gradients, which combines ideas from integrated gradients, SHAP and SmoothGrad. Its drawback is non-determinism.
  • Deep Learning Important FeaTures (DeepLIFT) determines the relevance of a prediction via the decomposition of the output of a neural network on a specific input by back-propagating the contributions of all neurons in the network to every feature of the input. It is efficient and connects with SHAP values.
  • DeepExplainer is based on DeepSHAP and estimates the conditional expectations of SHAP values for deep learning models. It supports a wider variety of architectures but does not support all rules for assigning contribution scores. It scales linearly with the number of background data samples, and 1,000 or even 100 samples can give a good estimate of the expected values.

While working with DeepExplainer, we observed that a version of the SHAP package greater than 0.41.0 is required for TensorFlow v2 models. Also, some of the operations (e.g., the SELU activation) may not be supported yet. Fortunately, this is easily solvable by adding them manually here.

Figure 4. Patterns detected in a PowerShell script using DeepExplainer. Highlights in light red and red indicate substrings contributing weakly and strongly to the classifier’s prediction of maliciousness, respectively.

Our experiments showed that selecting a good baseline is a key step in applying the explainability methods discussed above (Integrated Gradients and DeepLIFT). It should convey a complete absence of signal, so features that are apparent from attributions are properties only of the input and not of the baseline. From our experience (see Figure 4), while applying explainability on neural networks working at character level, we have found that the all-zero input embedding vector is a good baseline.
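The bullet on gradients and integrated gradients above, together with this paragraph on choosing a baseline, can be made concrete without a deep-learning framework. The following is an added example for this page, not CrowdStrike's code and not the SHAP or any other library's implementation: it computes integrated gradients for a small differentiable scoring function by accumulating numeric gradients along the straight path from an all-zero baseline to the input, and checks the completeness property (attributions sum to the difference between the prediction at the input and at the baseline), which only holds when the baseline is the one the gradients were integrated from. The scorer `toy_network`, its weights and the sample input are constructed for illustration.

```python
import math
from typing import Callable, List, Sequence

Scorer = Callable[[Sequence[float]], float]


def _sigmoid(t: float) -> float:
    return 1.0 / (1.0 + math.exp(-t))


def toy_network(z: Sequence[float]) -> float:
    """Hypothetical 3-feature scorer with one interaction term, standing in for a trained network.

    Constructed for this example; the weights are arbitrary. Output is a maliciousness probability.
    """
    w = [1.2, -0.8, 2.0]
    logit = sum(wi * zi for wi, zi in zip(w, z)) + 1.5 * z[0] * z[2] - 1.0
    return _sigmoid(logit)


def numeric_gradient(f: Scorer, z: Sequence[float], h: float = 1e-5) -> List[float]:
    """Central-difference gradient; a framework would use autodiff here."""
    grad = []
    for i in range(len(z)):
        up, down = list(z), list(z)
        up[i] += h
        down[i] -= h
        grad.append((f(up) - f(down)) / (2 * h))
    return grad


def integrated_gradients(f: Scorer, x: Sequence[float], baseline: Sequence[float],
                         steps: int = 300) -> List[float]:
    """IG_i = (x_i - b_i) * integral_0^1 df/dz_i(b + alpha (x - b)) d alpha, midpoint rule."""
    n = len(x)
    acc = [0.0] * n
    for k in range(steps):
        alpha = (k + 0.5) / steps
        point = [b + alpha * (xi - b) for xi, b in zip(x, baseline)]
        g = numeric_gradient(f, point)
        for i in range(n):
            acc[i] += g[i]
    return [(xi - b) * a / steps for xi, b, a in zip(x, baseline, acc)]


def completeness_gap(f: Scorer, x: Sequence[float], baseline: Sequence[float],
                     steps: int = 300) -> float:
    """Completeness axiom: the attributions should sum to f(x) - f(baseline)."""
    return abs(sum(integrated_gradients(f, x, baseline, steps)) - (f(x) - f(baseline)))


SAMPLE_X = [1.0, 0.5, 1.0]          # constructed input
ZERO_BASELINE = [0.0, 0.0, 0.0]     # "absence of signal" baseline, as recommended above

if __name__ == "__main__":
    ig = integrated_gradients(toy_network, SAMPLE_X, ZERO_BASELINE)
    plain = numeric_gradient(toy_network, SAMPLE_X)
    for i, (a, g) in enumerate(zip(ig, plain)):
        print(f"feature {i}: integrated gradient={a:+.4f}  plain gradient at x={g:+.4f}")
    print("f(x) - f(baseline) =", toy_network(SAMPLE_X) - toy_network(ZERO_BASELINE),
          " sum(IG) =", sum(ig), " gap =", completeness_gap(toy_network, SAMPLE_X, ZERO_BASELINE))
```

The printed comparison shows why the path integral is preferred over the plain gradient at the input: the sigmoid saturates, so the gradient at `x` alone understates features whose influence was spent earlier along the path, while the integrated values still account for the whole change. For a character-level model the same code applies with `x` and `baseline` being embedding vectors, which is where the all-zero embedding baseline from the paragraph above comes in.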

Table 1. A comparison of explainability methods for neural networks

Our experiments show that all of the methods considered for neural networks seem to mostly agree on the positive or negative impact of a feature. However, the value computed by each of these methods might be different because of the computation technique used. In the end, for consistency reasons we chose DeepExplainer because its determinism and its straightforward implementation in the SHAP package yield definite advantages.

Explainability Methods at CrowdStrike

When dealing with tree-based models as well as tree ensembles, a very promising explainability technique we have leveraged in the past with great success was the TreeExplainer, which is powered by SHAP. When it comes to understanding how certain features influence the prediction of a neural network, we have found that using DeepExplainer can help us gain more insights into a model’s predictions. Explainability methods are a complex topic and are part of an intricate system designed to offer the most accurate predictions to our customers, while ensuring that decisions are as transparent and well-informed as possible.

As part of our workflow, we always make sure to analyze the importance of a model’s features. This is regarded as an important sanity check among many others before deploying any AI model into production. Since classifiers are trained on large corpora, it’s crucial to ensure that features are indeed informative (no high correlation or redundancy) and also that their value distribution in the corpora is representative of real-world data.

Figure 5. Patterns detected in a PowerShell script using DeepExplainer. Highlights in red and green (light or strong) indicate substrings contributing (weakly and strongly) to the classifier’s prediction of maliciousness and non-maliciousness, respectively.

Explainability methods are also helpful for threat analysts and support teams. Using explainability, we can more easily and accurately explain to customers what triggered specific detections. In Figure 5, you can see some of the patterns that fueled the decision of our malware classifier for PowerShell scripts. This code snippet presents a weak obfuscation of the well-known Invoke-Expression (IEX) cmdlet, which evaluates or runs a specified string as a command. The actual command needs to be decoded from Base64 by a human in order to decide if the script is indeed malicious. Nevertheless, this assessment can serve as the basis for a more complex analysis.

Final Remarks

Auditing and protecting black-box learning systems against attacks is challenging, especially in cybersecurity. A lack of transparency is a significant security issue. Determining which features of an input are decisive for a given prediction is a straightforward problem to state. Yet problems like this often prove difficult to solve, and solving them is of the utmost necessity.

Achieving explainability in cybersecurity ML models is crucial for identifying and addressing weaknesses. We discussed various methods for explaining the decision-making process of commonly used ML models in cybersecurity, including tree-based models and neural networks. While TreeExplainer is widely used for the former, the latter pose a challenge due to their opaque decision-making process. To address this challenge, we use a solution based on DeepExplainer that meets multiple requirements such as theoretical justification, accuracy of explanations, determinism, computational complexity and robustness. While current explainability methods have limitations, they represent a positive step toward achieving explainable AI (XAI), which is essential for identifying and correcting model weaknesses to achieve optimal results.

Adversaries Go Hands-On in Japan: Know the Threat and Know the Solution

12 June 2023 at 00:52

Japan, known for its innovation and efficiency, is a globally recognized industry leader. This puts Japan-based organizations at risk of being recognized as potentially valuable targets by both criminally motivated and targeted cyber adversaries. This blog, directly from the front lines of CrowdStrike® Falcon OverWatch™ threat hunting, shares intrusion insights drawn from activity observed in Japan throughout 2022 and provides actionable recommendations for securing your environment in 2023 and beyond.

Cybersecurity: A National Security Issue

In late 2022, Japan’s government updated its National Security Strategy (NSS) to reflect the state of the current threat landscape. This comprehensive document outlines the government’s approach to national security, including its cybersecurity policy. In particular, the NSS highlights just how widespread the cybersecurity threat is and outlines a national response to address supply chain risks, protect critical infrastructure and prevent intellectual property theft.  

The revised NSS notes several key improvements, such as increased investment in cybersecurity by Japan’s Self-Defence Force, a large increase in the number of cyber personnel trained to actively defend Japan from cyberattacks, and enhanced cooperation with regional allies and international alliances. 

Equally, the NSS acknowledges that the ever-increasing cyber threat to Japanese government institutions and private organizations requires a joint response effort among government, business and security experts. To participate in this partnership, security practitioners across business must understand, in detail, the threats impacting Japan.

Insights from the Security Industry

CrowdStrike has been actively protecting Japanese organizations for several years. During this time, the Falcon OverWatch threat hunters have seen firsthand the evolution of the threat to Japanese organizations and have been tracking these trends to inform the continued strengthening of their proactive hunting efforts against interactive cyberattacks. 

Over the past three years, interactive intrusion activity against Japan-based organizations has seen sustained year-over-year increases. In particular, an increasing proportion of intrusions has been attributed to eCrime activity. During 2022, eCrime accounted for 60% of all interactive intrusion activity observed by Falcon OverWatch.

Targeted intrusion (aka state-nexus) activity made up 9% of all intrusions uncovered, while the remaining 31% of observed intrusions were unattributed. This is compared with 2021, when eCrime accounted for 46% of activity, and targeted intrusion operations accounted for 27% of activity.

Figure 1. Change in the distribution of observed intrusions of Japan-based organizations by threat type, 2021 vs. 2022

Which Adversaries Are Operating in Japan and Why?

Understanding the motivations and tradecraft of key adversaries operating in Japan is an invaluable insight for defenders looking to improve their capacity to both detect and respond to the latest cyber threats.

Throughout 2022, suspected eCrime adversaries, named SPIDERs in CrowdStrike’s threat actor terminology, were the most prolific adversary group operating in Japan. Japan’s economic strengths make it an obvious target for financially motivated eCrime adversaries. Japan is an internationally recognized innovation hub and home to global brands across key sectors including technology, manufacturing and automotive. With an estimated gross domestic product (GDP) of $4.4 trillion USD in 2023, Japan’s economy is the third largest globally, with a GDP value representing more than 2.2% of the world’s economy.1

Falcon OverWatch continues to observe eCrime adversaries targeting high economic growth industries in Japan as a means of generating revenue. In 2022, the technology, software and retail industries were the most commonly targeted. Technology and software companies in particular accounted for 36% of all intrusions observed by Falcon OverWatch, and of those intrusions, 62% were eCrime related.

Among the eCrime activity that Falcon OverWatch uncovered, hunters found activity carried out by two known eCrime groups: CARBON SPIDER and MUMMY SPIDER.

CARBON SPIDER, active in the eCrime space since approximately 2013, is a criminally motivated group that targets primarily the hospitality and retail sectors in pursuit of payment card data. Stolen payment data is sold on the dark web for use in further criminal enterprise, such as fraud or money laundering. 

MUMMY SPIDER is an eCrime group known for their development of Emotet malware. Emotet is often deployed through initial access vectors such as phishing. Once executed, Emotet will often deploy further malware such as banking trojans or information stealers, which then work to collect and exfiltrate information from victims. Emotet can also deploy implants, which may be used by targeted intrusion operators to gain persistent command-and-control over a victim. The growing threat of data loss and data extortion is something organizations need to be acutely aware of. Adversaries have learned that stealing data, rather than simply encrypting data, places them in a much stronger negotiating position when it comes to making ransom demands.

Ransomware campaigns also remained persistently popular in Japan in 2022. Falcon OverWatch observed multiple ransomware families being deployed by eCrime adversaries, the most prevalent being Phobos ransomware. Adversaries deploying this type of ransomware tend to target externally accessible Remote Desktop Protocol (RDP) services as a means of access. By comparison, in 2021, Makop was the most prevalent ransomware family in Japan, also commonly deployed after initial access via unsecured RDP services.

Japan’s targeted intrusion activity was predominantly attributed to suspected China-nexus adversaries — named PANDAs in CrowdStrike adversary terminology — as well as SILENT CHOLLIMA (North Korea-nexus) and NEMESIS KITTEN (Iran-nexus). Organizations need to be particularly alert to the threat of nation-state economic espionage. This moves beyond traditional information-collection campaigns motivated by national security interests into espionage that is commercially motivated.

Again, Japan’s global reputation as an economic powerhouse makes Japan-based organizations an attractive target for adversaries with economic espionage objectives. Japan is considered a leader in technological innovation, and its products and services are highly sought-after globally. With a high concentration of valuable intellectual property and sensitive information, Japan is a valuable target for economically motivated espionage by state-nexus adversaries, including China-affiliated adversaries. Moreover, Japan and China’s complicated geopolitical history may serve as a motivator for more traditional forms of nation-state espionage.

SILENT CHOLLIMA, a North Korea-nexus threat actor, appears to have begun shifting its objectives in 2015. This threat group has expanded beyond intelligence collection on government and military entities into economic espionage operations against privately owned companies with technology that could help the DPRK develop its economy. Given Japan’s proximity to North Korea and the geopolitical tensions in the region, Japanese organizations make for opportune targets for SILENT CHOLLIMA to carry out its objectives.

NEMESIS KITTEN, closely aligned with the Iranian government, is known to target misconfigurations and unpatched vulnerabilities in external-facing services, such as those in Microsoft Exchange and more recently Log4j. During follow-on activity, NEMESIS KITTEN often ransoms organizations using built-in encryption software, such as BitLocker full-disk encryption, and demands a ransom payment in exchange for the decryption keys. Given Japan’s strong economy and dependence on technology, Japanese organizations are a target for this kind of activity.

What Does This Threat Activity Look Like?

Both eCrime and targeted intrusion adversaries are increasingly using malware-free techniques to achieve their objectives against entities in Japan. Globally, 71% of all intrusion activity observed by Falcon OverWatch was malware-free. (For more information on global interactive intrusion trends, download a copy of the Falcon OverWatch 2022 Threat Hunting Report.)

eCrime adversaries, in particular, frequently use valid credentials to gain access to victim environments in an attempt to blend in with expected activity. The credentials are often obtained through access brokers — eCrime adversaries that specialize in gaining and then selling access to victim environments — or by brute-force attacks used to guess credentials on externally exposed services. Once access is achieved, eCrime adversaries are abusing legitimate remote access software to retain that access and conduct further command-and-control. Specific tooling observed in Japan includes TightVNC, AnyDesk and Atera Agent. Often these tools and the associated domains they contact are allowlisted by organizations to enable legitimate administrative use. However, Falcon OverWatch continues to observe adversaries bringing “packs” of these tools to compromised endpoints and attempting execution until one succeeds.

These trends are just two of the many examples of why human-driven threat hunting is such a critical part of the security equation. Seemingly valid users using legitimate and allowlisted tooling may not, on their own, trigger an alert from technology-based solutions. However, threat hunters can augment this information with behavioral indicators to rapidly piece together clues that the activity may be malicious. When coupled with technology-based identity threat detection and protection solutions, the door very quickly starts to close on adversaries.

Watch this short video to see how Falcon OverWatch proactively hunts for threats in your environment.

Leverage People, Process and Technology to Stop Active Intrusions

In a recent intrusion against a Japanese entity, a suspected criminal adversary was observed conducting malicious interactive activity across multiple Windows hosts. The activity was preceded by a large volume of failed login attempts, indicative of likely password spraying, a type of brute-force attack in which a small set of common passwords is tested against many different accounts in an attempt to discover valid account credentials.

Falcon OverWatch discovered the adversary operating with multiple sets of credentials in their possession. These credentials were used as the adversary deployed and attempted execution of a broad selection of adversary tooling, including GMER, PC Hunter, Defender Control and Process Hacker. These tools are commonly used by adversaries to attempt to disable security tooling. 

The adversary proceeded to perform network reconnaissance operations, including scanning for devices with open RDP ports, likely as a precursor to planned lateral movement attempts. Falcon OverWatch often observes adversaries using multiple sets of valid credentials, which may be used for persistence, privilege escalation and lateral movement.

In this instance, the victim organization was able to act quickly on Falcon OverWatch’s timely notifications and stop the adversary in their tracks before damage could be done. When it comes to responding to interactive intrusions, a timely response to Falcon OverWatch notifications is as important as the speed of the notification itself. In the CrowdStrike Falcon OverWatch 2022 Threat Hunting Report, Falcon OverWatch detailed a reduction in average breakout time for eCrime adversaries — the time taken for an adversary to move laterally from their initial beachhead — to 1 hour and 24 minutes.
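To show what the failed-login signal described in this case looks like as detection logic, here is an added example (not CrowdStrike's or Falcon OverWatch's code) that flags password spraying over constructed, simplified Windows logon events: many 4625 failures from one source against many distinct accounts inside a time window, followed by a 4624 success from the same source, which is the moment a guessed credential becomes usable. The field names, thresholds and sample lines are assumptions.

```python
"""Added example (not CrowdStrike code): password-spray detection over
constructed, simplified Windows logon events.

A spray is many failed logons (event 4625) from one source against many
distinct accounts in a short window; a later successful logon (4624) from the
same source is the high-value signal that a credential was guessed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

FAILED, SUCCESS = "4625", "4624"


@dataclass
class LogonEvent:
    when: datetime
    event_id: str
    user: str
    source_ip: str


@dataclass
class SprayAlert:
    source_ip: str
    window_start: datetime
    distinct_accounts: int
    failures: int
    first_success_user: Optional[str] = None


def parse_line(line: str) -> LogonEvent:
    """Parse one constructed 'timestamp key=value ...' line (simplified Security log fields)."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return LogonEvent(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
                      fields["EventID"], fields["TargetUserName"], fields["IpAddress"])


def detect_spray(lines: List[str], window: timedelta = timedelta(minutes=10),
                 min_accounts: int = 10) -> List[SprayAlert]:
    """One alert per source that fails against >= min_accounts distinct accounts
    within `window`; a subsequent success from that source is attached to it."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e.when)
    recent: Dict[str, Deque[LogonEvent]] = defaultdict(deque)  # failures inside window
    total_failed: Dict[str, int] = defaultdict(int)
    alerts: Dict[str, SprayAlert] = {}
    for ev in events:
        if ev.event_id == FAILED:
            total_failed[ev.source_ip] += 1
            q = recent[ev.source_ip]
            q.append(ev)
            while ev.when - q[0].when > window:  # drop failures older than the window
                q.popleft()
            accounts = len({e.user for e in q})
            if accounts >= min_accounts:
                alert = alerts.setdefault(ev.source_ip,
                                          SprayAlert(ev.source_ip, q[0].when, 0, 0))
                alert.distinct_accounts = max(alert.distinct_accounts, accounts)
                alert.failures = total_failed[ev.source_ip]
        elif ev.event_id == SUCCESS and ev.source_ip in alerts:
            alert = alerts[ev.source_ip]
            if alert.first_success_user is None:
                alert.first_success_user = ev.user
    return list(alerts.values())


# Constructed sample: one source sprays 12 accounts in under a minute, later
# fails and then succeeds as svc-backup; a second source is a user mistyping
# their own password twice before logging on, which must not be flagged.
SPRAY_SOURCE = "10.0.0.77"
SAMPLE_LOG = [
    f"2023-04-12T02:14:{i:02d}Z EventID=4625 TargetUserName=user{i:02d} "
    f"IpAddress={SPRAY_SOURCE} Status=0xC000006D"
    for i in range(12)
] + [
    "2023-04-12T02:16:05Z EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0xC000006D",
    "2023-04-12T02:16:20Z EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0xC000006D",
    "2023-04-12T02:16:41Z EventID=4624 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0x0",
    f"2023-04-12T02:17:30Z EventID=4625 TargetUserName=svc-backup IpAddress={SPRAY_SOURCE} Status=0xC000006D",
    f"2023-04-12T02:18:02Z EventID=4624 TargetUserName=svc-backup IpAddress={SPRAY_SOURCE} Status=0x0",
]

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(f"spray from {alert.source_ip}: {alert.distinct_accounts} accounts, "
              f"{alert.failures} failures since {alert.window_start:%H:%M:%S}; "
              f"first success as {alert.first_success_user}")
```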

CrowdStrike Falcon® Complete managed detection and response (MDR), which is seamlessly integrated with continuous Falcon OverWatch managed threat hunting, helps to identify, prevent and remediate active threats. Further, Falcon Complete’s Japanese-speaking analysts provide the opportunity for active partnership with organizations, ensuring that the details of any threats are clearly communicated and recommendations are offered to ensure risks are addressed comprehensively. 

Five Top Tips to Secure Your Environment in 2023

  1. Know Who’s Who

Identity threats are one of the most pervasive risks to organizations today. In 2022, 60% of intrusions Falcon OverWatch observed in Japan involved the abuse of valid accounts, and adversaries are commonly operating with multiple sets of valid credentials. Falcon OverWatch only expects this activity to grow, especially with the proliferation of access brokers such as PROPHET SPIDER, an eCrime actor known to obtain and then sell access to compromised organizations on the dark web and other forums. CrowdStrike Falcon® Identity Threat Detection and CrowdStrike Falcon® Identity Threat Protection provide additional visibility into unauthorized access and support additional layers of authentication, such as multifactor authentication (MFA), to ensure your organization’s identities remain secure.

  2. Secure the Endpoint

As adversaries become more sophisticated, your defenses need to adapt. Traditional on-premises and hosted IT assets remain necessary gateways for the ongoing management of and access to critical cloud workloads, storage repositories and further infrastructure. As a result, these traditional assets also represent increasingly critical points of exposure for organizations that rely on the active exchange of sensitive data, process flows and communications to operate and conduct business. With this growing volume of data flow, organizations need to look to cloud-native platforms such as CrowdStrike Falcon to collect, organize and process the large volumes of events, while allowing for swift prevention and response through the Falcon sensor.

  3. Secure the Cloud

Adversaries are continuing to adapt to the evolving world of cloud technology and are actively seeking to capitalize on the opportunity it presents to exploit gaps in an organization’s defenses. Falcon OverWatch has observed trends in adversaries gaining access to traditional endpoints and using tools to discover cloud infrastructure, such as enumerating cloud metadata.

  4. Know the Adversary

Every adversary — such as CARBON SPIDER, NEMESIS KITTEN and PROPHET SPIDER discussed above — is unique. Each has their own set of tactics, techniques and procedures they employ to achieve their individual objectives. Knowing who these adversaries target and how they operate can assist organizations in preparing defenses.

  5. Leverage People, Process and Technology

As we have seen in recent cases within Japan and beyond, adversaries are using advanced techniques to subvert technology systems and evade defenses, often blending in with legitimate administrative activities. To effectively detect and respond to this activity, a combination of people, refined processes and cloud-native technology is required. With Falcon OverWatch, organizations can feel more secure with our human experts hunting relentlessly, 24/7/365, for the last 1% of activity that would otherwise go undetected.

Additional Resources

1 International Monetary Fund, World Economic Outlook Database, April 2023

Making Sense of the Dark Web with Falcon Intelligence Recon+

The vastness of the deep and dark web can easily turn attempts to monitor for cyber threats into a firehose of useless information. Part of the problem is the nature of the data streams that need to be monitored. Every day, more credentials are stolen and exposed. Criminal forums are full of repeatedly spammed illicit advertisements. Thousands of new domain names are registered daily, including many that can be considered typosquatted. All of this data can generate significant numbers of matches on even well-structured and finely tuned monitoring programs.

As experts in managed digital risk protection, the CrowdStrike Falcon® Intelligence Recon+ team leverages CrowdStrike’s technology to sift through many notifications to find only relevant hits for our customers. In 2022, the Falcon Intelligence Recon+ team triaged hundreds of thousands of notifications and found a true positive rate of only 5.2%. In this blog, we cover several illustrative use cases reflecting the team’s work throughout the year.

Notifications by Industry

Figure 1 provides a breakdown of total Falcon Intelligence Recon+ notifications by customer verticals for 2022. The industries with the most notifications were retail, technology and manufacturing. These industries had true positive rates of 11%, 15% and 24%, respectively.

Figure 1. Percentage of total notifications by industry


Triaged Notifications

The Falcon Intelligence Recon+ team has created nearly 22,000 rules, which yielded more than 700,000 triaged notifications in 2022. Figure 2 shows the breakdown of these notifications.

Figure 2. Triaged notifications


Falcon Intelligence Recon+ Analysis

The analysis shown in Figure 3 is based solely on observations from the Falcon Intelligence Recon+ team and the sources’ effects on our current customer base.

Credential Leaks

Figure 3. Total credential leaks by month in 2022


The Falcon Intelligence Recon+ team triaged approximately 3,000 credential leak notifications over the course of 2022. We observed a significant increase in credential leaks in June. Upon closer examination of the June data, we noticed that the number of credential leaks in the manufacturing, healthcare and media industries was double its normal level for the month. This also coincides with observations of multiple adversaries testing the KoloVeeman credential harvester. The increase observed in December cannot be attributed to any particular industry, as the entire Falcon Intelligence Recon+ customer set was affected. It is possible that threat actors were trying to take advantage of the holidays, when workers were potentially out of office.

Top Five Actionable Sources

Figure 4. Top true positive sources


Figure 5. True positives compared to false positives in 2022


Russian Market Analysis

Russian Market is where Falcon Intelligence Recon+ analysts observed the most true positive alerts generated. This marketplace posts hundreds of access-broker-type notifications daily. The majority of these credentials were harvested using Redline, Vidar or Raccoon malware. Across the 20,000+ Russian Market notifications, we observed that 50% of the domains monitored by Falcon Intelligence Recon+ had stolen credentials posted.

An example of a poster on Russian Market is an author who uses the handle Mo####yf [Diamond]. The Falcon Intelligence Recon platform showed that this threat actor posted more than 800,000 times in 2022, with posts in English, German, Portuguese, Italian, Spanish, Malay, Turkish, Dutch, Czech and Romanian. This threat actor posted credentials related to more than 90% of the Falcon Intelligence Recon+ customer set. The threat actor’s stealer of choice is Raccoon, which was used in 63% of notifications, followed by Vidar at 34% and Redline at 3%.

Telegram Analysis

Refund Fraud

Falcon Intelligence Recon identified social engineering techniques used to undermine refund processes and scam online retail merchants. Threat actors worked out which fake tracking ID (FTID) methods work for specific merchants and traded that information. Commonly, threat actors requested mail-in refunds following expensive purchases and returned a package with the correct label but without the appropriate item in the box. With this technique, they attempted to undermine either the refund facility or the carrier; while refund staff can be trained in what to look for, the carrier would need to be given guidance as well. Another method identified was using a legitimate shipping label but obscuring the information on the label that would identify the person or the order.

Credential Leaks

Telegram is also used by adversaries to post new and old email/password combinations. Some of the most common Telegram channels we observed posting exposed data are: Unsafe Internet Chat (1524907442), Maill Access (1368931502), Retard Cloud (1587335634) and OPENBULLET(1706265433).

Market BlackPass Analysis

Market BlackPass is used predominantly for selling identity theft information. Given that intended use, the main victims of information posted on the market were retail customers and the executive staff of retail organizations. Authors posted personally identifiable information (PII) for sale, including name, date of birth, social security number and even debit/credit card information. Victim information was sold for between $1 and $7 USD per victim.

Typosquatting Analysis

Falcon Intelligence Recon+ analysts researched more than 100,000 typosquatting notifications and identified 1% of those as true positives.

Registrars Most Associated with True Positive Notifications

Name of Registrar    Percentage of All True Positives
GoDaddy              17%
NameCheap            11%
Sav[.]com             5%
Google                4%
Alibaba               3%

Pastebin Analysis

Pastebin is similar to Telegram in the variety of data types that get shared maliciously. Throughout 2022, we observed different types of exposures on Pastebin, from account credential leaks and discounted brand vouchers to illegal live streaming of televised programs. Pastebin differs from the majority of the other sources in that most of the notifications deemed to be true positive are posted with “guest” as the author’s identity. This can sometimes make it more difficult to determine connections between posts, but it does not hinder our ability to provide our customers with actionable intelligence.

How Falcon Intelligence Recon+ Can Help

Since Falcon Intelligence Recon+ works with deep and dark web data every day, we know which sites to focus on and which ones are less concerning. A customer’s assigned Falcon Intelligence Recon+ analyst provides a managed digital risk protection service. We handle the hunting for external threats to brands, employees and sensitive data, allowing customers’ cyber professionals to devote their time to handling actionable data rather than hunting through a complex and ever-changing data set.

Additional Resources

  • Watch this short demo to see how Falcon Intelligence Recon enables organizations to proactively uncover fraud, data breaches and phishing campaigns to protect their brand from online threats that target their organization.
  • To find out more about how to incorporate threat intelligence into your security strategy, visit the CrowdStrike Falcon® Intelligence page.
  • Read about the cybercriminals tracked by CrowdStrike Intelligence in the CrowdStrike 2023 Global Threat Report.
  • Request a free trial of the industry-leading CrowdStrike Falcon® platform.

Supporting Our Heroes: SkillBridge Program Connects Veterans with CrowdStrike Internships

6 June 2023 at 21:00

SkillBridge, a program sponsored by the U.S. Department of Defense, helps transitioning service members from all branches of the military secure internships with corporate partners. As a steadfast supporter of the military community, CrowdStrike is proud to participate in the SkillBridge program.

CrowdStrike has a long history of championing veterans. In addition to our collaboration with SkillBridge, we’re a Military Friendly® Employer that also supports Operation Motorsport and provides veteran mentorships through our partnership with American Corporate Partners.

SkillBridge is the epitome of win-win at CrowdStrike: Talented service members gain valuable work experience and the opportunity to see how their skills translate in the workforce outside of the military, and CrowdStrike gains direct access to high-caliber candidates who bring diverse backgrounds, skills and experience into the cybersecurity space.

We get lots of questions about the SkillBridge program at CrowdStrike. Below are answers to the most frequently asked questions. 

Frequently Asked Questions

Who’s eligible for SkillBridge?

Per the program’s rules, service members may be eligible to participate in SkillBridge if they meet the following requirements:

  • They have 180 days or fewer of remaining service prior to their date of discharge, and they have at least 180 continuous days of active service.
  • They obtain approval from their unit commander.
  • They complete any additional requirements presented by their branch or command.
  • They complete the application and interview process for a SkillBridge role at CrowdStrike.

How long are SkillBridge engagements at CrowdStrike?

Most participants are approved for up to 12 weeks of corporate work, the timing of which coincides with the date of separation from service.  

Are SkillBridge opportunities at CrowdStrike remote or in person? 

Many SkillBridge positions at CrowdStrike are remote, meaning participants can work remotely from anywhere in the U.S. However, some teams and roles require onsite attendance. The location requirement for open roles is clearly stated in job descriptions.

Do SkillBridge workers get paid? 

All SkillBridge engagements occur within the participant’s last six months of service and therefore they continue to receive their military salary. Per program rules, participants are not allowed to receive payment or remuneration of any kind from CrowdStrike.

What kind of SkillBridge roles are available at CrowdStrike?

SkillBridge interns participate in a broad range of projects at CrowdStrike, ranging from project kickoffs, trialing new programs and mitigating work overflow to threat hunting, incident response, complex system analyses and software development. Most of our opportunities are specific to cybersecurity and/or engineering. 

Do SkillBridge internships ever become paid roles?  

SkillBridge is designed as an internship program without a guarantee of future employment. Some SkillBridge internships last only weeks, with participants jumping right into a project and moving on soon after. In other situations, due to the caliber and experience of participants, several have received offers of employment from CrowdStrike following their internships. We’ve also had participants join CrowdStrike months later after applying directly for a new role.

How do I see SkillBridge openings at CrowdStrike? 

All SkillBridge opportunities are posted on our Careers page with “SkillBridge” in the title.

I still have questions. Who can I reach out to? 

Please email [email protected] for more information about SkillBridge and our other veteran programs. Please note that CrowdStrike does not work with outside vendors for SkillBridge.

More Opportunities in the Works

CrowdStrike is extremely proud to participate in the SkillBridge program. Since becoming an authorized SkillBridge organization, we’ve worked to expand both the number and variety of opportunities for transitioning service members.

More resources and updates are in the works. Meanwhile, we look forward to more SkillBridge success stories in the near future!

CrowdStrike Defines the Future of Cloud Security with One-Click XDR to Automatically Identify and Secure Unmanaged Cloud Assets

6 June 2023 at 11:11

CrowdStrike is defining the future of cloud security by empowering customers to rapidly understand their cloud risk and to detect, prevent and remediate cloud-focused threats. Today we are announcing a series of new cloud security innovations designed to deliver complete visibility into potential attack paths, from endpoint to cloud, and instantly secure vulnerable cloud workloads across build and runtime.

As part of this, CrowdStrike announced a new “One-Click XDR” capability that automatically identifies and secures unprotected cloud workloads by instantly deploying the CrowdStrike Falcon® agent. These agent-based and agentless innovations enable customers to consolidate multiple cloud security point products into a single, unified platform for complete protection across the cloud security lifecycle.

The cloud has quickly emerged as the new adversary battleground. As organizations expand their adoption of cloud infrastructure and services, adversaries follow, refining their tactics and techniques to exploit these environments. The growth of “cloud-conscious” adversaries — groups that abuse cloud-specific features to achieve their goals — represents significant risk to any organization operating in the cloud. 

Request a free CrowdStrike Cloud Security Risk Review to understand how to protect your cloud environment and get customized insights to operationalize best practices for cloud security.

CrowdStrike research shows cloud exploitation cases grew by 95% in the past year, and cases involving threat actors specifically targeting cloud environments nearly tripled. Adversaries are also growing more brazen, infiltrating endpoints and pivoting to cloud infrastructure. The increasingly sophisticated tactics, techniques and procedures (TTPs) of cloud-conscious adversaries are documented in the CrowdStrike 2023 Cloud Risk Report, released today in conjunction with CrowdStrike’s on-demand Cloud Threat Summit.  

Staying ahead of the adversary requires knowledge of their TTPs, but stopping breaches in the cloud also requires a unified platform approach to cloud security that delivers complete visibility and protection across cloud workloads. 

To help organizations stop breaches from endpoint to cloud, we’ve extended our industry-leading platform with CrowdStrike Falcon® Cloud Security and unveiled powerful new cloud-native application protection platform (CNAPP) capabilities to deliver complete visibility into potential cloud attack paths and instantly secure unprotected or vulnerable cloud workloads across build and runtime. 

Falcon Cloud Security provides complete coverage across all major cloud providers — AWS, GCP and Azure — and cloud infrastructure. We have created an offering that unifies cloud workload protection, cloud security posture management and cloud identity entitlement management into a holistic CNAPP with industry-leading threat hunting, services and adversary intelligence built in. Our customers can protect their environment from host to cloud using a single platform, operated from a single console.

New innovations that will soon be available in Falcon Cloud Security include:

One-Click XDR: One of the chief causes of cloud breaches is unprotected hosts — without visibility, they are open targets. This innovation enables organizations to easily view all unmanaged AWS EC2 instances for Windows and Linux, as well as unregistered accounts, to identify vulnerable workloads and automatically protect them with our industry-leading EDR/XDR capabilities for full breach prevention with one click. Support will start with AWS.

Agentless Snapshot Scanning for OS Vulnerabilities: There are several reasons customers may be unable to install agents across their cloud infrastructure — whether it’s an unsupported operating system or PaaS services like Lambda/Functions or AppEngine — leading them to potentially miss vulnerabilities. To address this visibility gap, CrowdStrike is introducing Snapshots for AWS. This agentless capability takes snapshots of running AWS EC2 instances and scans them for potential risks. Security teams can integrate the view of these risks into the attack path visualization and deploy runtime protection with one-click XDR if needed.

Complete Cloud Attack Path Visualization: As organizations adopt more cloud services, it becomes difficult to visualize and prioritize risk. CrowdStrike’s new attack path visualization gives IT and security teams the ability to view potential attack paths an adversary might take to compromise a cloud workload, and in doing so, help them understand areas of risk. CrowdStrike attack path visualization uses pre-runtime and runtime data to provide a complete picture of how an adversary accessed a system and moved laterally, as well as which weaknesses might be exploited to further an attack, all in one easy-to-understand view.  

Compliance Dashboard Enhancements: The proliferation of cloud services and providers has made it increasingly challenging to adhere to industry and organizational benchmarks. Violations often go unnoticed, leading to potential risks and costly consequences. Falcon Cloud Security compares cloud application configurations against these benchmarks to identify violations and provides the ability to remediate them in real time, helping ensure application availability across all major cloud providers. 

We have added to our CIS benchmarks across AWS, Azure and Google. Now, we have over 250 adversary-focused policies out-of-the-box, helping organizations save time and reduce operational costs. Our single dashboard provides compliance visualization across AWS, Azure, GCP and on-premises environments. This allows users to identify risks specific to their application or environment and consistently enforce compliance across all major cloud infrastructures.  

Infrastructure-as-Code (IaC) Security: It is critical that organizations ensure applications are secure before they are deployed. IaC security enables IT and security teams to perform IaC scans, which can identify more than 1,000 misconfigurations across cloud and container assets and 10 IaC platforms with a single command-line interface tool. This allows DevOps teams and developers to easily assess the security posture of their software early in the application lifecycle, and it lets security teams monitor the efficacy of preventive controls in the build phase of application development.

Kubernetes Admission Controller (KAC): CrowdStrike’s Kubernetes Admission Controller simplifies container management by providing predefined policies, removing the need for users to write raw Rego rules and preventing the deployment of misconfigured containers. Only our KAC is able to identify and eliminate vulnerable containers and prevent them from re-deploying.

Defending Against the Future of Cloud Threats

CrowdStrike expects cloud-focused threat activity to continue — an assessment made with high confidence based on the persistent increase in cloud targeting and organizations’ expansion into multi-cloud and hybrid cloud environments. While the multi-cloud approach offers greater scalability and flexibility, it also drives complexity and creates new challenges for security teams.

In response to these evolving threats, we will continue to provide industry-leading technologies, adversary tracking, threat intelligence collection and campaign analysis — all delivered in a single unified console to help organizations stay informed and protected against modern cloud threats without adding complexity to their security environment.

Movin’ Out: Identifying Data Exfiltration in MOVEit Transfer Investigations

5 June 2023 at 12:48

Summary Points

  • Organizations around the globe continue to experience the fallout of the MOVEit Transfer exploit CVE-2023-34362 
  • CrowdStrike incident responders have identified evidence of mass file exfiltration from the MOVEit application, as a result of the webshell activity on compromised MOVEit systems
  • Data exfiltration activity can be identified by analyzing the MOVEit application database and IIS logs
  • CrowdStrike also provides guidance on evidence preservation and service restoration in the event of exploitation


CrowdStrike incident responders have been at the forefront of investigating organizations impacted by CVE-2023-34362. Since the vulnerability was disclosed, there has been great collaboration across the cybersecurity industry, and this blog will cover novel details for teams investigating the potential impact to their organizations. Specifically, this blog will discuss what CrowdStrike has identified to help investigators determine whether data exfiltration has occurred in their MOVEit Transfer application and what its potential impact is. 

MOVEit Database Analysis

As widely discussed, the Webshell will utilize an existing user account with permission level “30” or a new randomly generated username to establish a persistent session within the MOVEit application.

Investigators can review the MOVEit application database for evidence of sessions created by the Webshell. The associated database name will be either moveittransfer or moveitdmz. To perform the manual review, an investigator will require both the .mdf and the associated .ldf file for MSSQL-based databases, or the associated data files for MySQL installs. Additionally, a backup of the database can be created to preserve evidence for review. MSSQL and MySQL backups are typically in .bak and .sql format respectively.

The database table activesessions contains details related to active sessions within the MOVEit application. Identifying the active session allows investigators to quickly determine the user account leveraged by the Webshell to interact with the application. The MOVEit database can be configured for MySQL or MSSQL. Note: the absence of an active session at the time of analysis does not mean one never existed.

Example queries to find malicious sessions within the activesessions table in MSSQL and MySQL:


SELECT [Username],[LoginName],[RealName],[IPAddress],[LastTouch],[SessionID],[Timeout]
     FROM [<Database Name>].[dbo].[activesessions]
     Where Timeout = '9999';


SELECT Username,LoginName,RealName,IPAddress,LastTouch,SessionID,Timeout
   FROM <Schema Name>.activesessions
   Where Timeout = '9999';

Username | LoginName | RealName | IPAddress | LastTouch | SessionID | Timeout
<16 Character String> | NULL | 2023-05-29-01:00:00.000 | <SessionID> | 9999

Example Table of a malicious session created by the Webshell

An additional method to identify potential accounts of interest is to review the users table for accounts with permission level “30”. This is a lower fidelity search, but can provide a smaller list of users to investigate.

Example queries to identify privileged users of interest within the users table in MSSQL and MySQL:


SELECT *
     FROM [<Database Name>].[dbo].[users]
     Where Permission = '30' AND Deleted = '0';


SELECT *
     FROM <Schema Name>.users
     Where Permission = '30' AND Deleted = '0';

The MOVEit database contains verbose activity logging that will capture the data exfiltration activity events. Investigators can review the log table for action=file_download events to identify potential signs of data exfiltration from the MOVEit application. The log table will include important fields such as Username, IP Address, Filename, Folder, Transfer Size, and User Agent. It is suggested to filter the log table for known IP addresses and users of interest. 

Example queries to review the log table for evidence of file download events:

MSSQL – View all successful file_download events since 2023-05-01

SELECT [ID],[LogTime],[Action],[Username],[FolderID],[FileID],[IPAddress],[Error],[Parm4],[AgentBrand],[AgentVersion],[XferSize],[Duration],[FileName],[FolderPath],[Hash],[VirtualFolderID],[VirtualFolderPath]
   FROM [<DatabaseName>].[dbo].[log]
   Where LogTime > '2023-05-01 00:00:00' AND Error = '0' AND Action = 'file_download';

MSSQL – View all successful file_download events from a set of IP Addresses

SELECT [ID],[LogTime],[Action],[Username],[FolderID],[FileID],[IPAddress],[Error],[Parm4],[AgentBrand],[AgentVersion],[XferSize],[Duration],[FileName],[FolderPath],[Hash],[VirtualFolderID],[VirtualFolderPath]
   FROM [<Database Name>].[dbo].[log]
   Where LogTime > '2023-05-01 00:00:00' AND Error = '0' AND Action = 'file_download'
   AND IPAddress IN ( 'IP Address A', 'IP Address B');

MySQL – View all successful file_download events since 2023-05-01

SELECT ID,LogTime,Action,Username,FolderID,FileID,IPAddress,Error,Parm4,AgentBrand,AgentVersion,XferSize,Duration,FileName,FolderPath,Hash,VirtualFolderID,VirtualFolderPath
   FROM <Schema Name>.log
   Where LogTime > '2023-05-01 00:00:00' AND Error = '0' AND Action = 'file_download';

MySQL – View all successful file_download events from a set of IP Addresses

SELECT ID,LogTime,Action,Username,FolderID,FileID,IPAddress,Error,Parm4,AgentBrand,AgentVersion,XferSize,Duration,FileName,FolderPath,Hash,VirtualFolderID,VirtualFolderPath
   FROM <Schema Name>.log
   Where LogTime > '2023-05-01 00:00:00' AND Error = '0' AND Action = 'file_download'
   AND IPAddress IN ( 'IP Address A', 'IP Address B');
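To show how the activesessions, users and log queries above fit together in a single triage pass, here is an added Python example that is not code from the CrowdStrike post. It loads constructed rows into an in-memory SQLite copy of the three tables (table and column names follow the post; every row value, username and address is invented) and, beyond the post's row-level queries, rolls successful file_download events up per user and source IP with a byte total, which is what an investigator needs in order to size the exposure. Against a real MOVEit database the same statements run with only the MSSQL bracket or MySQL schema naming shown above.

```python
"""
Added example, not code from the CrowdStrike post: the activesessions, users
and log queries above run against a constructed in-memory SQLite copy of the
MOVEit tables, plus a per-user, per-IP roll-up of successful file_download
events. Table and column names follow the post; all row values are invented.
"""
import sqlite3

# Constructed sample rows (not real MOVEit data). 9999 is the Timeout value
# the post associates with webshell-created sessions; the 16-character
# username stands in for the randomly generated account.
ACTIVESESSIONS = [
    # Username, LoginName, RealName, IPAddress, LastTouch, SessionID, Timeout
    ("alice", "alice", "Alice Example", "10.0.0.5",
     "2023-05-28 09:12:00.000", "sess-001", 20),
    ("kq2v8m3x7zpd1wrt", None, None, None,
     "2023-05-29 01:00:00.000", "sess-002", 9999),
]
USERS = [
    # Username, Permission, Deleted
    ("alice", 20, 0),
    ("svc_admin", 30, 0),
    ("kq2v8m3x7zpd1wrt", 30, 0),
    ("old_admin", 30, 1),   # deleted account: excluded by the post's query
]
LOG = [
    # LogTime, Action, Username, IPAddress, Error, XferSize, FileName, FolderPath
    ("2023-04-20 10:00:00", "file_download", "alice", "10.0.0.5", 0, 1024,
     "q1.pdf", "/Home/alice"),
    ("2023-05-29 01:05:10", "file_download", "kq2v8m3x7zpd1wrt", "198.51.100.23",
     0, 52428800, "payroll.csv", "/Home/hr"),
    ("2023-05-29 01:05:11", "file_download", "kq2v8m3x7zpd1wrt", "198.51.100.23",
     0, 73400320, "contracts.zip", "/Home/legal"),
    ("2023-05-29 01:05:12", "file_download", "kq2v8m3x7zpd1wrt", "198.51.100.23",
     1, 0, "missing.doc", "/Home/legal"),        # failed transfer: Error != 0
    ("2023-05-29 01:06:00", "file_upload", "kq2v8m3x7zpd1wrt", "198.51.100.23",
     0, 4096, "x.txt", "/Home/hr"),              # not a download
]


def build_db() -> sqlite3.Connection:
    """Create the three tables and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE activesessions (Username TEXT, LoginName TEXT, RealName TEXT,
            IPAddress TEXT, LastTouch TEXT, SessionID TEXT, Timeout INTEGER);
        CREATE TABLE users (Username TEXT, Permission INTEGER, Deleted INTEGER);
        CREATE TABLE log (LogTime TEXT, Action TEXT, Username TEXT, IPAddress TEXT,
            Error INTEGER, XferSize INTEGER, FileName TEXT, FolderPath TEXT);
    """)
    conn.executemany("INSERT INTO activesessions VALUES (?,?,?,?,?,?,?)", ACTIVESESSIONS)
    conn.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    conn.executemany("INSERT INTO log VALUES (?,?,?,?,?,?,?,?)", LOG)
    return conn


def webshell_sessions(conn):
    """Sessions with the persistent Timeout of 9999 (the activesessions query)."""
    return conn.execute(
        "SELECT Username, IPAddress, LastTouch, SessionID "
        "FROM activesessions WHERE Timeout = 9999"
    ).fetchall()


def privileged_users(conn):
    """Non-deleted accounts with permission level 30 (the users query)."""
    return [row[0] for row in conn.execute(
        "SELECT Username FROM users WHERE Permission = 30 AND Deleted = 0 "
        "ORDER BY Username")]


def download_summary(conn, since, ips=None):
    """Successful file_download events after `since`, optionally limited to a
    list of source IPs, rolled up as (Username, IPAddress, files, bytes)."""
    sql = ("SELECT Username, IPAddress, COUNT(*), SUM(XferSize) FROM log "
           "WHERE LogTime > ? AND Error = 0 AND Action = 'file_download'")
    params = [since]
    if ips:
        # one bound parameter per address, never string-formatted into the SQL
        sql += " AND IPAddress IN (%s)" % ",".join("?" * len(ips))
        params.extend(ips)
    sql += " GROUP BY Username, IPAddress ORDER BY SUM(XferSize) DESC"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("webshell sessions:", webshell_sessions(db))
    print("permission-30 users:", privileged_users(db))
    for user, ip, files, nbytes in download_summary(db, "2023-05-01 00:00:00"):
        print(f"{user} from {ip}: {files} files, {nbytes} bytes")
```

The roll-up deliberately keeps the post's three filters (LogTime window, Error = 0, Action = file_download) and only adds the grouping; cross-checking the per-IP byte totals against firewall or load-balancer egress counters for the same window is a quick way to confirm the database view is complete.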

Internet Information System (IIS) Log Analysis

An additional artifact that should be reviewed is the IIS logs for suspicious requests to download files. CrowdStrike investigators identified that in some instances the IIS logs will capture GET requests with cs_uri_stem=/download. Within these events, the cs_uri_query will contain multiple FileIDs and FolderIDs for objects within the MOVEit application. Investigators should review for suspicious entries, particularly requests that reference a large number of files and folders in a single request. The IIS log entries do not typically provide a comprehensive view of the files and folders downloaded; they are primarily useful for identifying additional IOCs and activity. Entries in the IIS logs with cs_uri_stem=/download that have a cs_Referer reference from human.aspx and contain an IP address rather than a domain name have, in multiple instances, been found to identify threat actor-owned IP addresses in the c_ip field. The MOVEit database log table provides a more verbose view of the files downloaded. Below is an example entry of a GET request related to file exfiltration.

Example IIS Log Entry Containing a Suspicious Download Request
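The two heuristics described above can be applied mechanically to an IIS W3C log. The following is an added Python example, not code from the CrowdStrike post: it reads the #Fields header so the column order is taken from the file rather than hard-coded, keeps GET /download entries, counts the FileID/FolderID values carried in cs-uri-query, and flags a cs(Referer) that points at human.aspx by IP literal instead of hostname. The log lines, the addresses and the query-string layout (FileID=...&FolderID=...) are constructed for illustration, and the five-ID threshold is an assumption to tune per environment.

```python
"""
Added example, not code from the CrowdStrike post: flag /download requests in
an IIS W3C log that reference many MOVEit objects or carry a human.aspx
referer addressed by IP literal. Log content and query layout are constructed.
"""
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log in IIS W3C extended format (not real MOVEit traffic).
# 10.0.0.10 is the server, 192.0.2.44 a normal user, 198.51.100.23 the
# suspicious client; 203.0.113.10 stands in for the server's public address.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-29 01:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-29 00:58:02 10.0.0.10 GET /human.aspx OrgID=1234&transaction=folder 443 - 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) https://moveit.example.com/human.aspx 200 0 0 31
2023-05-29 00:58:40 10.0.0.10 GET /download FileID=101&FolderID=5001 443 - 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) https://moveit.example.com/human.aspx?OrgID=1234 200 0 0 210
2023-05-29 01:05:10 10.0.0.10 GET /download FileID=201,202,203,204,205,206&FolderID=5001,5002,5003 443 - 198.51.100.23 Mozilla/5.0+(X11;+Linux+x86_64) https://203.0.113.10/human.aspx?OrgID=1234 200 0 0 4870
"""


def parse_iis_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry seen before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        entries.append(dict(zip(fields, values)))
    return entries


def count_object_ids(query):
    """Number of FileID/FolderID values in cs-uri-query ('-' means empty)."""
    if query == "-":
        return 0
    total = 0
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "fileid" in key.lower() or "folderid" in key.lower():
            total += len([part for part in value.split(",") if part])
    return total


def referer_is_ip_human_aspx(referer):
    """True when the referer is human.aspx reached by IP literal, not hostname."""
    if referer in ("-", ""):
        return False
    parts = urlsplit(referer)
    if not parts.path.lower().endswith("/human.aspx"):
        return False
    try:
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False
    return True


def suspicious_downloads(text, min_ids=5):
    """GET /download entries that reference >= min_ids objects or carry an
    IP-literal human.aspx referer; returns the c-ip to pivot on."""
    findings = []
    for entry in parse_iis_log(text):
        if entry["cs-method"] != "GET" or entry["cs-uri-stem"].lower() != "/download":
            continue
        ids = count_object_ids(entry["cs-uri-query"])
        ip_ref = referer_is_ip_human_aspx(entry["cs(Referer)"])
        if ids >= min_ids or ip_ref:
            findings.append({
                "time": f"{entry['date']} {entry['time']}",
                "c_ip": entry["c-ip"],
                "object_ids": ids,
                "ip_referer": ip_ref,
            })
    return findings


if __name__ == "__main__":
    for hit in suspicious_downloads(SAMPLE_IIS_LOG):
        print(hit)
```

The c-ip values this produces are candidates for the IPAddress filter in the log-table queries above, which is the pivot the post describes: the IIS entry identifies the source, the database log enumerates what that source actually retrieved.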

Evidence Preservation Guidance 

If indicators of compromise are identified on a system, it is recommended to preserve the available evidence for forensic analysis. The following steps are recommended guidance for preserving evidence for review of MOVEit Transfer investigations:

  1. Create a snapshot or image of the MOVEit Transfer Web Server system(s)
    1. Include the data drive containing wwwroot if it is not installed to C:
  2. Create a backup dump of the MOVEit Transfer database
  3. Export and retain available network logs (WAF, Firewall, Netflow, ELB, ALB, NSG Flow, VPC Flow, etc.)

Recommendations for Service Restoration 

CrowdStrike recommends following the guidance set out by the Progress team to patch affected systems before restoring services [1]. If you suspect that your systems were affected, immediately take steps to:

  1. Preserve associated systems and databases for investigation purposes as previously outlined
  2. Temporarily disable TCP 80/443 traffic to affected systems. During this time:
    1. Re-deploy new MOVEit Transfer application servers with the latest patch installed
    2. Review the database for any recently created users (these can be found in the users table of the database)
    3. Reset credentials of application accounts, prioritizing service and administrator accounts
    4. Restrict administrator account access to IP addresses from trusted sources only
    5. Ensure security tooling is redeployed on systems and functioning
  3. Re-enable TCP 80/443 traffic to patched systems
  4. Maintain continuous monitoring of associated systems and stay up to date on the latest developments from the Progress team

We thank the Progress team for their communications and updates in keeping the community informed. 


CrowdStrike Enhances Falcon Discover to Reduce the Attack Surface, Streamline Operations and Lower Costs

2 June 2023 at 20:09

CrowdStrike Falcon® Discover delivers deep asset visibility with no hardware to deploy or manage, providing valuable context for all of your assets. For IT and security teams alike, Falcon Discover is a powerful tool to stop breaches. 

The majority of CrowdStrike customers already use Falcon Discover to improve their IT and security posture. To continue providing them with strong protection, we’re continuously enhancing our product to help them tackle some of their most pressing challenges, including reducing the attack surface, investigating and responding to threats, and streamlining IT operations. 

We’re announcing two new features that make Falcon Discover even more powerful: application inventory with integrated vulnerability insights, and expanded system insights.

Quick note before we jump into the details: This post is meant to guide users through these new features. If you’re an existing Falcon Discover customer, simply open your Falcon command console and follow along. If you’re curious about how Falcon Discover can help your organization, start your free trial. Note: To enable vulnerability analysis, customers must also license CrowdStrike Falcon® Spotlight.

Application Inventory with Integrated Vulnerability Insights

Falcon Discover currently offers an applications dashboard to help you inventory your applications. Now, we’ve integrated vulnerability insights into this dashboard to give you even more context for controlling applications, enhancing investigations and remediating potential points of compromise.

Try it for yourself: In your Falcon command console, go to Menu > Discover > Applications > Applications dashboards 

Here, you’ll see a summary view of every application in your organization, including sanctioned and unsanctioned applications. You can see the total number of applications, the most used and unused applications, applications by vendor, suspicious applications, applications by category and more. 

This insight can help you proactively reduce the attack surface. For example, by seeing a list of the most used suspicious applications, you can take action to block certain applications, train users or layer in additional security measures. 

This updated applications dashboard can also help you control application license spend. Being able to see which applications your organization is overusing could help you restrict usage, while seeing underused applications can inform renewal decisions.

The applications overview dashboard provides a summary view of every application in your organization

Next, go to Menu > Assets > Managed Assets > select asset > See details page

Here, we’ve integrated application and vulnerability context into a single, easy-to-use view. In this view, you can see which applications are installed on the asset and whether any application vulnerabilities are present, a feature powered by Falcon Spotlight’s ExPRT.AI.

This vulnerability context can help you keep tabs on vulnerable applications. By seeing details such as the number of vulnerabilities, installed patches and failed login attempts for a certain application, you can use this insight to spark deeper investigations, if necessary. 

The new asset details page in Falcon Discover shows application vulnerabilities

System Insights

The other exciting update to Falcon Discover is expanded system insights, which provide extensive system information in a single view. Why this level of detail? Three main reasons: 

  1. Managing hardware vulnerabilities

Like software, hardware can have dangerous vulnerabilities. If, for example, there’s a severe vulnerability on an employee’s laptop, the new system insights in Falcon Discover can show you how many and which other assets are tied to the vulnerability to help you expedite remediation.

  2. Monitoring resource usage

Before installing an application or performing a vulnerability scan, you may want to ensure your assets have the capacity to handle it. The new system insights in Falcon Discover provide a near real-time view of system performance to enable this action. Additionally, ITOps and DevOps teams can use CPU and memory data to reallocate underused compute resources.

  3. Meeting compliance requirements

Many organizations strive to encrypt their data to help meet compliance requirements and/or adhere to internal best practices. With visibility into drive encryption data in Falcon Discover, you can quickly see how much of your endpoint data is encrypted or not. You can also identify enabled and disabled Windows OS security settings for all assets, helping improve your security posture.

Try it for yourself: In your Falcon command console, go to Assets > System Insights > Managed assets 

Here, you can see a dashboard of all system information for managed assets, including hardware. If an employee laptop is affected by a hardware vulnerability, for example, this view would allow you to filter on all assets with the same hardware to quickly see the scope of the vulnerability’s impact. From there, you can take the necessary steps to remediate any risks associated with the vulnerability, such as pushing an update. 

The system insights dashboard also allows you to filter on average processor usage. This allows you to verify that adequate performance resources are in place before executing a given task and spin up additional resources for assets near peak usage. Conversely, you can see which assets are being underutilized and could be spun down or retired.

The new System Insights view in Falcon Discover provides an overview of your assets

There’s a good reason why more than 70% of CrowdStrike customers use Falcon Discover. With these new features, one of the best IT asset visibility tools in cybersecurity just got better. Explore these new features — and the countless other insights available — to uplevel your IT and security posture today. 

CrowdStrike Invests in and Partners with Prelude Security to Drive Continuous Security Testing and Validation for Our Customers

1 June 2023 at 11:30

Managing security posture at scale is a significant challenge for global organizations of all sizes. With a rapidly expanding security estate and a global worker gap of 3.4 million, according to (ISC)², it is imperative that the efficacy of defensive controls is maximized to combat sophisticated adversaries. In order to do so effectively, organizations must test their security controls on a continuous basis to uncover configuration gaps and areas of missing visibility. Regulatory agencies as well as entities involved in the advancement of best practices, including the FBI, CISA and MS-ISAC, have formally recommended continuous testing in a production environment for optimal performance. However, we have observed a limited number of vendors that create a seamless experience for security analysts.

Traditional approaches to testing at scale have been limited based on two primary factors: 1) testing intervals and 2) interoperability with the security controls they test. Testing in weekly intervals is insufficient as adversaries move rapidly to exploit vulnerabilities in ever-changing infrastructure environments. Testing tools require lightweight deployments to proactively test on an intraday basis and produce high-fidelity results. When gaps are uncovered, traditional vendors have typically created an onerous process for the security operations team to investigate and modify configurations with limited context before initiating a subsequent test. To ensure the gaps identified aren’t lost to other priorities within the security organization, it is crucial that continuous testing tools identify the root cause and provide a remediation path that is enriched with the context of the security controls in the customer environment.

Prelude Security is reshaping the continuous security testing market with a deeply integrated, lightweight architecture that reduces the burden on security teams. The Prelude Detect platform deploys kilobyte-sized probes — an ephemeral process that runs in RAM — across endpoint infrastructure and runs tests on a daily interval by default, with the flexibility to run hourly. This approach enables teams to answer the fundamental question of whether their controls are appropriately configured to defend against the latest threats with high fidelity. Prelude’s path to remediation is seamless, as contextual indicators are passed to the defensive controls to ensure subsequent tests are passed.

CrowdStrike is excited to announce its strategic investment in Prelude Security through the CrowdStrike Falcon Fund, our strategic investment vehicle. A key piece of that will be a multi-faceted partnership between CrowdStrike and Prelude to enable continuous testing deeply integrated with our best-in-class XDR security platform and endpoint security solutions. Through our initial integration, CrowdStrike and Prelude create a self-optimizing loop, providing assurance that customer defenses are continuously validated. 

How the Integration Works

  • Prelude utilizes CrowdStrike’s best-in-class architecture to deploy its probes to joint customers via Falcon Real Time Response.
    • Falcon Real Time Response allows customers to ensure that their testing scales with their underlying infrastructure.
  • Prelude passes indicators of compromise through CrowdStrike’s open APIs, and our AI/ML capabilities enable the Falcon platform to learn from the findings of Prelude’s test to auto-harden defenses.

Please visit the Prelude integration page in the CrowdStrike Store to learn more and request the integration today.

Additional Resources

  • Learn more about Falcon Fund and CrowdStrike’s partnership with innovative companies.
  • See how CrowdStrike gives you comprehensive protection across your organization through our 15-day free trial.
  • Join us this fall at Fal.Con 2023 to see how CrowdStrike is delivering protection to customers around the world.

CrowdStrike 2023 Global Threat Report: Resilient Businesses Fight Relentless Adversaries

28 February 2023 at 06:21

The CrowdStrike 2023 Global Threat Report, among the most trusted and comprehensive research on the modern threat landscape, explores the most significant security events and trends of the previous year, as well as the adversaries driving this activity.

The latest edition of the CrowdStrike Global Threat Report comes at a critical time for organizations around the world. Adversaries have become more sophisticated, relentless and destructive in their attacks, as evidenced by the emergence of several trends in 2022 that threaten enterprise productivity and global stability. It is imperative that businesses pay attention to these changes in the threat landscape and respond with a stronger, more proactive defense.

Nation-state activity was front and center throughout 2022. The year started ominously as Russia’s deadly war of aggression in Ukraine brought about a terrible human toll, threatened international order and put countless global organizations at risk of spillover cyberattacks. China state-nexus adversaries accelerated their cyber espionage campaigns throughout the year, and Iranian actors launched destructive “lock-and-leak” operations using ransomware.  

Learn more: Download the CrowdStrike 2023 Global Threat Report 

Adversaries continued to adapt and refine their techniques, which included re-weaponizing vulnerabilities, a greater focus on cloud exploitation and a rise in malware-free attacks. We saw a dramatic increase in advertisements from access brokers, who acquire access to organizations and provide or sell it to other actors, including ransomware operators. CrowdStrike Intelligence identified a significant increase in access broker activity throughout 2022, with more than 2,500 advertisements identified — a 112% jump from 2021. An especially popular tactic was the abuse of compromised credentials acquired via information stealers or purchased on the criminal underground, reflecting a growing interest in targeting identities that we also saw last year: Our 2022 report found 80% of cyberattacks leveraged identity-based techniques.

CrowdStrike Intelligence began tracking 33 new adversaries in 2022, raising the total number tracked to more than 200. Stopping breaches requires an understanding of these adversaries, including their motivations and the techniques they use to target organizations. Below are some of the trends and findings we explore in greater detail throughout this year’s report:

  • Cloud exploitation skyrocketed: Last year’s Global Threat Report anticipated a rise in cloud exploitation, a trend that unfolded as expected in 2022. Cloud exploitation cases grew by 95% last year, and incidents involving cloud-conscious threat actors nearly tripled from 2021. The cloud continues to evolve as the new battleground as adversaries increasingly target cloud environments.
  • Malware-free attacks continued to rise: Sophisticated adversaries relentlessly searched for new ways to evade antivirus protection and outsmart machine-only defenses. Seventy-one percent of attacks detected were malware-free, while interactive intrusions (hands-on-keyboard activity) increased 50% in 2022.
  • Adversaries re-weaponized and re-exploited vulnerabilities: The constant disclosure of vulnerabilities affecting legacy infrastructure like Microsoft Active Directory continued to burden security teams and present an open door to attackers, while the ubiquitous Log4Shell vulnerability ushered in a new era of “vulnerability rediscovery,” during which adversaries modify or reapply the same exploit to target other similarly vulnerable products. 
  • China-nexus adversaries scaled operations: CrowdStrike Intelligence tracks China-nexus adversaries as the most active targeted intrusion groups. China-nexus adversaries, and actors using TTPs consistent with them, were observed targeting nearly all 39 global industry sectors and 20 geographic regions we track. These intrusions are likely intended to collect strategic intelligence, compromise intellectual property and further the surveillance of targeted groups. 

CrowdStrike: Stopping Breaches So Customers Can Move Forward

The 2023 Global Threat Report shows security must parallel the slope of technology innovation.  As enterprise technology matures, security must also evolve to match the sophistication of the technology organizations rely on. This slope of innovation applies to adversary activity as well: With every innovation we achieve, we can expect adversaries to seek new ways to exploit it. 

At CrowdStrike, our mission today is the same as when we started: to stop breaches so our customers can move forward. Our focus is on delivering the platform, technology and intelligence needed to keep you ahead of the adversary. This is why we’ve unified and delivered critical protections like endpoint and extended detection and response, identity threat protection, cloud security, vulnerability and risk management, threat intelligence and much more — all from a single platform.   

I hope you find this report instructive in how we can continue to work together to protect the world from those who mean to do harm. In the coming weeks, we will publish a series of blog posts taking a deeper dive into each of the key trends discussed in the 2023 Global Threat Report. These posts will examine the drivers of these trends and discuss how organizations can better defend themselves against modern adversaries. Security starts with knowledge — of the adversaries targeting us, their tactics and the vulnerabilities they’ll seek to exploit. With that knowledge comes resolve, that together we can prevail. 

Additional Resources

  • Download the CrowdStrike 2023 Global Threat Report to learn how the threat landscape has shifted in the past year and understand the adversary behavior driving these shifts.
  • Join CrowdStrike for a three-part CrowdCast series for in-depth discussions around the threats, events and trends in the CrowdStrike 2023 Global Threat Report.
  • Want to know the adversaries potentially targeting your organization? Get your own custom threat landscape in the CrowdStrike Adversary Universe.
  • Defending against today’s adversaries requires the best tools. Explore the CrowdStrike Falcon platform and learn how our technology protects against the threats discussed in the 2023 Global Threat Report, including cloud exploitation, advanced adversaries, malware-free attacks, vulnerability exploitation and more.