
Getting Value from Your Proxy Logs with Falcon LogScale

10 October 2023 at 19:59

All web traffic flowing out of your company network should be passing through a web proxy. These proxy logs are a great resource for threat hunting and security investigations, yet they often translate into extremely large volumes of data.

In a previous blog post, we shared the value of proxy logs in addressing a range of use cases, including hunting for threats, investigating access to unknown domains and phishing sites, searching for indicators of compromise (IOCs) and meeting compliance requirements. In this blog, we’ll show how you can achieve this with CrowdStrike® Falcon LogScale™, using Zscaler proxy data as an example.


Bringing Proxy Logs into Falcon LogScale

You can use the HTTP API to bring your proxy logs into Falcon LogScale. When working with Zscaler, you can use Zscaler Nanolog Streaming Service (NSS), which comes in two variants:

  1. Cloud NSS allows you to send logs directly to Falcon LogScale.
  2. VM-based NSS allows you to collect logs on a VM, where they can be sent to Falcon LogScale via syslog.

Once data is streaming into Falcon LogScale, you can extract the relevant fields during the parsing process. These fields include:

  • Destination Host Name: the domain or URL being accessed
  • Destination IP: the IP address being accessed
  • Destination Port: the network port being accessed
  • User Agent: the user agent used to initiate the traffic (Chrome, Mozilla, Curl)
  • Request Method: was it a GET or POST request?
  • Device Action: did the proxy allow or deny the requested traffic?
  • Referrer: who referred the traffic toward the destination host name?
  • Domain/URL Category: what is the domain/URL categorized as? (e.g., malicious or business)
  • Requested File Name: the requested file name when accessing a website

 

Package Marketplace

The Zscaler package can be installed from the Falcon LogScale marketplace. It includes parsers for extracting fields from DNS, firewall, web and tunnel logs. It also provides saved queries and out-of-the-box dashboards, which show details such as:

 

Web: Threat Activity

This dashboard provides high-level threat activity showing a range of widgets, including IOCs, data loss prevention (DLP), vendor-defined threats and enrichment with CrowdStrike threat intelligence.


 

Web: Web Activity

This dashboard provides details about user activity and actions as well as blocked and allowed domain activity, application activity and even information about user agents being used.


 

Web: User Investigation

This feature allows you to drill down into a specific user’s activity and is a combination of the Threat Activity and Web Activity dashboards.

Threat Hunting Queries with Zscaler Proxy Data

Here are useful searches and queries to hunt for threats across Zscaler proxy data:

 

Proxy Traffic Summary by User

| groupBy([Vendor.deviceowner, Vendor.devicehostname, Vendor.cip, Vendor.department, event.action, Vendor.hostname] , function=[ collect([http.response.status.code,http.request.method,Vendor.proto,Vendor.contenttype,Vendor.appclass,Vendor.appname,Vendor.ereferer,Vendor.eurl,Vendor.urlcat,Vendor.urlclass,Vendor.urlsupercat,Vendor.agent.original]),
sum(Vendor.reqsize, as=totalRequestSize),
sum(Vendor.respsize, as=totalResponseSize),
count(Vendor.url, as=totalHits),
min(@timestamp, as=earliest),
max(@timestamp, as=latest)
])
| asn(Vendor.cip, as=asn)
| formatTime("%Y/%m/%d %H:%M:%S", as=earliest, field=earliest, locale=en_US, timezone=Z)
| formatTime("%Y/%m/%d %H:%M:%S", as=latest, field=latest, locale=en_US, timezone=Z)

 

Proxy Traffic Timeline for a User

| select([@timestamp, #Vendor.action, host.name, http.request.referrer, Vendor.urlcat,Vendor.urlclass,Vendor.urlsupercat,user_agent.original, http.response.status_code,http.request.method,Vendor.proto, Vendor.contenttype, Vendor.eurl])

 

Abnormal User Agent Strings

user_agent.original=/(?i)(?:bits|WebDAV|PowerShell|Curl|Microsoft)/

 

Open Redirect

Vendor.eurl=/s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?/

 

Dynamic DNS

Vendor.urlcat = "Dynamic DNS Host"

 

Top User Agents

| event.action=Allowed | top(Vendor.eua, limit=100)

 

Top Threat Activity

| Vendor.threatname!="None" | timechart(Vendor.threatname, limit=10)

 

CloudFront Domain Connection

| event.action=Allowed Vendor.event.hostname=/cloudfront.net/i

 

Suspicious Web Categories

Vendor.urlcat=/(?i)(?:adware\/spyware\ssites|botnet\scallback|browser\sexploit|shost|malicious\scontent|phishing|remote\saccess\stools|spyware\scallback|spyware\/adware|suspicious\scontent)/ | table([Vendor.devicehostname ,Vendor.urlcat, Vendor.eurl, @timestamp])
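As an added example (not code from the post or from the Zscaler package), the Python below parses constructed key=value proxy events into the fields listed earlier and applies the hunting rules from the queries in this section: abnormal user agents, open redirects, dynamic DNS hosts, suspicious URL categories, allowed CloudFront connections and the per-user traffic summary. The log layout, field names and sample values are assumptions for illustration, not the NSS feed format.

```python
from __future__ import annotations

import re

# Constructed sample lines in a simple key=value layout. This is a stand-in for
# a parsed proxy feed, not the real Zscaler NSS format; the field names mirror
# the ones the post lists (action, hostname, URL, category, user agent, ...).
SAMPLE_LOGS = """\
time=2023-10-10T10:01:00Z user=alice@example.test cip=10.1.2.3 action=Allowed method=GET status=200 reqsize=512 respsize=20480 hostname=intranet.example.test eurl=https://intranet.example.test/home urlcat="Corporate Marketing" ua="Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
time=2023-10-10T10:02:00Z user=alice@example.test cip=10.1.2.3 action=Allowed method=POST status=200 reqsize=4096 respsize=128 hostname=d111111abcdef8.cloudfront.net eurl=https://d111111abcdef8.cloudfront.net/upload urlcat="Web Hosting" ua="Microsoft BITS/7.8"
time=2023-10-10T10:03:00Z user=bob@example.test cip=10.1.2.4 action=Blocked method=GET status=403 reqsize=300 respsize=0 hostname=update.example-ddns.test eurl=https://update.example-ddns.test/x urlcat="Dynamic DNS Host" ua="curl/8.1.0"
time=2023-10-10T10:04:00Z user=bob@example.test cip=10.1.2.4 action=Allowed method=GET status=302 reqsize=200 respsize=100 hostname=t.example.test eurl=https://t.example.test/redirect?url=https://login.example.test urlcat=Phishing ua="Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
"""

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The same patterns the post's LogScale queries use, written as Python regexes.
ABNORMAL_UA_RE = re.compile(r"(?i)(?:bits|WebDAV|PowerShell|Curl|Microsoft)")
OPEN_REDIRECT_RE = re.compile(r"s?://(?:www\.)?t\.(?:[\w\-.]+/+)+(?:r|redirect)/?\?")
SUSPICIOUS_CAT_RE = re.compile(
    r"(?i)(?:adware/spyware sites|botnet callback|browser exploit|shost|"
    r"malicious content|phishing|remote access tools|spyware callback|"
    r"spyware/adware|suspicious content)"
)
CLOUDFRONT_RE = re.compile(r"cloudfront\.net", re.I)


def parse_line(line: str) -> dict[str, str]:
    """Split one log line into a field dictionary."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def parse_logs(text: str) -> list[dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def hunt(event: dict[str, str]) -> list[str]:
    """Return the names of the hunting rules that fire for one event."""
    findings = []
    if ABNORMAL_UA_RE.search(event.get("ua", "")):
        findings.append("abnormal_user_agent")
    if OPEN_REDIRECT_RE.search(event.get("eurl", "")):
        findings.append("open_redirect")
    if event.get("urlcat") == "Dynamic DNS Host":
        findings.append("dynamic_dns")
    if SUSPICIOUS_CAT_RE.search(event.get("urlcat", "")):
        findings.append("suspicious_category")
    if event.get("action") == "Allowed" and CLOUDFRONT_RE.search(event.get("hostname", "")):
        findings.append("allowed_cloudfront")
    return findings


def summarize_by_user(events: list[dict[str, str]]) -> dict[str, dict]:
    """Per-user roll-up modelled on the 'Proxy Traffic Summary by User' query:
    hit count, request/response bytes, first/last seen, hosts and findings."""
    summary: dict[str, dict] = {}
    for ev in events:
        s = summary.setdefault(ev["user"], {
            "hits": 0, "request_bytes": 0, "response_bytes": 0,
            "earliest": ev["time"], "latest": ev["time"],
            "hostnames": set(), "findings": set(),
        })
        s["hits"] += 1
        s["request_bytes"] += int(ev.get("reqsize", 0))
        s["response_bytes"] += int(ev.get("respsize", 0))
        s["earliest"] = min(s["earliest"], ev["time"])  # ISO-8601 sorts lexically
        s["latest"] = max(s["latest"], ev["time"])
        s["hostnames"].add(ev.get("hostname", ""))
        s["findings"].update(hunt(ev))
    return summary


if __name__ == "__main__":
    for user, s in summarize_by_user(parse_logs(SAMPLE_LOGS)).items():
        print(user, s["hits"], "hits", sorted(s["findings"]))
```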

Unbeatable Scale and Performance

Join leading organizations by augmenting or replacing your security information and event management (SIEM) solution with Falcon LogScale for unbeatable scale and performance. With its unique index-free architecture and advanced compression technology, Falcon LogScale empowers you to stop breaches by delivering high-speed search and sub-second latency for live dashboards and real-time alerting.

 

With Falcon LogScale, you can cut costs by up to 80% compared to legacy SIEM solutions. Its vast scale and affordable price let you avoid making tough tradeoffs between cost, how much data you can collect and how long you can store it. With Falcon LogScale, you can retain petabytes of data for years.

 

To learn more about Falcon LogScale integrations, visit the Integrations page. To find out if Falcon LogScale can help you fulfill your SIEM and logging requirements, contact a CrowdStrike expert today.

 


October 2023 Patch Tuesday: 104 Vulnerabilities Including Three Actively Exploited Zero-Days

10 October 2023 at 23:54

This month marks the 20th anniversary of Patch Tuesday, and Microsoft has released security updates for 104 vulnerabilities, including three zero-days. One of the zero-days (CVE-2023-41763) is an elevation of privilege vulnerability in Microsoft Skype for Business. The second (CVE-2023-36563) is an information disclosure vulnerability in Microsoft WordPad, and the third (CVE-2023-44487) enables a distributed denial-of-service (DDoS) attack technique named “HTTP/2 Rapid Reset.” Twelve of the vulnerabilities addressed today are rated as Critical while the remaining 92 are rated as Important.

October 2023 Risk Analysis

This month’s leading risk type is remote code execution (43%), followed by elevation of privilege (25%) and denial of service (16%).

Figure 1. Breakdown of October 2023 Patch Tuesday attack types

 

The Microsoft Windows product family received the most patches this month (78), followed by Microsoft Office (7), and Azure (6).

Figure 2. Breakdown of product families affected by October 2023 Patch Tuesday

Actively Exploited Zero-Day Vulnerability Affecting Microsoft Skype for Business

Microsoft Skype for Business has received a patch for CVE-2023-41763, which is rated Important and has a CVSS score of 5.3. This local privilege escalation vulnerability allows an attacker to gain access to sensitive information on a target Skype for Business server. The vulnerability allows an attacker to send specially crafted network calls to the target server and potentially reveal IP addresses and/or ports to the attacker. The proof-of-concept has already been publicly disclosed.

Severity  | CVSS Score | CVE            | Description
Important | 5.3        | CVE-2023-41763 | Skype for Business Elevation of Privilege Vulnerability

Table 1. Zero-day in Microsoft Skype for Business

Actively Exploited Zero-Day Vulnerability Affecting Microsoft WordPad

Microsoft WordPad has received a patch for CVE-2023-36563, which is rated Important and has a CVSS score of 6.5. The vulnerability allows for information disclosure, specifically NTLM (Windows New Technology LAN Manager) hashes. This allows an attacker to steal NTLM hashes by utilizing the preview pane when opening a document. NTLM hashes are important for gaining account access due to the nature of the protocol allowing for secure authentication, and an attacker would be able to exploit the vulnerability to crack the hashes or use them in an NTLM relay attack. The proof-of-concept has already been publicly disclosed.

Severity  | CVSS Score | CVE            | Description
Important | 6.5        | CVE-2023-36563 | Microsoft WordPad Information Disclosure Vulnerability

Table 2. Zero-day in Microsoft WordPad

Actively Exploited Zero-Day Attack Technique Affecting HTTP/2

Microsoft has released an update and workarounds to help protect against denial-of-service attacks exploiting CVE-2023-44487, which is rated Important. This vulnerability in HTTP/2 allows malicious actors to launch DDoS attacks against HTTP/2 servers by sending HTTP requests using HEADERS and RST_STREAM frames in a single connection. By doing this, an attacker can eventually bring down the server through resource exhaustion. Microsoft and many other vendors have already applied mitigations and protections to their own infrastructure to address Layer 7 request floods.

Severity  | CVSS Score | CVE            | Description
Important | N/A        | CVE-2023-44487 | MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack

Table 3. Zero-day distributed denial-of-service (DDoS) attack against HTTP/2

Critical Vulnerabilities Affecting Microsoft Windows

CVE-2023-35349 and CVE-2023-36697 are Critical remote code execution (RCE) vulnerabilities affecting Microsoft Message Queuing (MSMQ), and both have a CVSS score of 9.8. MSMQ has been highlighted in past blogs and continues to be patched. To exploit these vulnerabilities, an attacker would have to send a specially crafted malicious MSMQ packet to an MSMQ server, leading to remote code execution. This Windows component must be enabled for a system to be vulnerable. Microsoft recommends checking whether the “Message Queuing” service is running and TCP port 1801 is listening on the machine; if the service is running but not being used, consider disabling it.

CVE-2023-41765, CVE-2023-41767, CVE-2023-41768, CVE-2023-41769, CVE-2023-41770, CVE-2023-41771, CVE-2023-41773, CVE-2023-41774 and CVE-2023-38166 are Critical RCE vulnerabilities affecting Layer 2 Tunneling Protocol, and all have a CVSS score of 8.1. To take advantage of these vulnerabilities, an attacker would need to win a race condition by sending specially crafted protocol messages to a Routing and Remote Access Service (RRAS) server, which can lead to remote code execution (RCE) on the targeted server.

CVE-2023-36718 is a Critical RCE vulnerability affecting Microsoft Virtual Trusted Platform Module with a CVSS score of 7.8. Successful exploitation of this vulnerability relies on complex memory shaping techniques, and the attacker must already have privileges in the target environment. Operating as a guest user within the virtual machine, an attacker could potentially escape the isolated machine and access resources outside of that protected device.

Severity | CVSS Score | CVE            | Description
Critical | 9.8        | CVE-2023-35349 | Microsoft Message Queuing Remote Code Execution Vulnerability
Critical | 9.8        | CVE-2023-36697 | Microsoft Message Queuing Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41765 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41767 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41768 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41769 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41770 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41771 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41773 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-41774 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 8.1        | CVE-2023-38166 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Critical | 7.8        | CVE-2023-36718 | Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability

Table 4. Critical vulnerabilities in Windows 

Out-of-Band Patches for Zero-Day Vulnerabilities Affecting Edge, Teams, Skype and Visual Studio

CVE-2023-4863 is a Critical heap buffer overflow vulnerability in libwebp (WebP image library) in Chromium Open Source Software (OSS) that is utilized by Microsoft Edge (Chromium-based) and has a CVSS score of 8.8. This allows for a remote attacker to perform an out-of-bounds memory write via a specially crafted HyperText Markup Language (HTML) page. Microsoft released security updates to VP9 Video Extension, Skype, WebP Image Extension, Teams and Edge (Chromium-based) on October 4, 2023. The proof-of-concept has already been publicly disclosed and is actively being exploited.

CVE-2023-5346 is a High severity type confusion vulnerability in V8, the JavaScript engine used by Microsoft Edge (Chromium-based). The vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HyperText Markup Language (HTML) page. Microsoft released security updates to Microsoft Edge (Chromium-based) on October 4, 2023.

Severity | CVSS Score | CVE           | Description
Critical | 8.8        | CVE-2023-4863 | Chromium: CVE-2023-4863 Heap buffer overflow in WebP
High     | 8.8        | CVE-2023-5346 | Chromium: CVE-2023-5346 Type Confusion in V8

Table 5. Vulnerabilities in Chromium, Edge, Teams, Skype and Visual Studio

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched — as is also the case for the ProxyNotShell vulnerabilities. It’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.


CrowdStrike Partners with Box to Add Automated Protections Against Security Breaches and Data Loss

11 October 2023 at 20:29

The risk of cyberattacks continues to grow for small to medium-sized businesses (SMBs). Today, a staggering 70% of cyberattacks target SMBs, a scourge that cost organizations with fewer than 500 employees an average of $3.31 million USD in 2022, up 13.4% over the previous year.  

Adversaries tend to take the path of least resistance. This often means targeting small businesses, which face many of the same security threats as large organizations but lack the resources to defend against them. Today’s businesses face a barrage of attacks, including malware, ransomware, insider threats, phishing and identity-related attacks. Despite this risk, more than 50% of small businesses have no cybersecurity measures in place. 

This is partly because some businesses wrongly believe they’re too small to be targeted, even though many possess valuable data attackers want, including personal and financial information. Cost is another major roadblock, as many SMBs lack the resources to hire and retain in-house security teams or acquire, manage and maintain multiple systems. 

Facing these headwinds, how can businesses mount a strong defense without overspending on a stack of point security solutions that can be costly, complex and ineffective? 

One answer lies in cybersecurity consolidation, a strategy that involves using fewer vendors to improve security outcomes. CrowdStrike sits at the center of the cybersecurity ecosystem, working with hundreds of partners to deliver simple and effective security outcomes — often through integrations with productivity tools that businesses already use. 

We’re pleased to announce a new integration with Box to give joint customers automated protection against security breaches and related data loss. 

Combining the Power of CrowdStrike and Box

Today’s complex threat landscape calls for a collaborative approach that brings together industry-leading technologies and world-class teams to build the strongest defense. CrowdStrike’s partnership with Box includes a new integration that combines Box’s secure content management and collaboration capabilities with CrowdStrike’s industry-leading, AI-powered protection capabilities for automated access control, threat detection and prevention.

Box is trusted by organizations of all sizes, including small and medium-sized businesses, to help them securely manage their content in the cloud. For small businesses in particular — many of which struggle with security — this partnership equates to more robust security protocols with little effort required. Likewise, even fully staffed and provisioned enterprises can benefit from the comprehensive visibility into, and control over, end-user behavior, device activity and data access offered by this integration. Now, organizations can more securely share, manage and collaborate with files and other types of content from any device, across any application, regardless of location, network and cloud.

How the Integration Works

Box leverages CrowdStrike Falcon® Zero Trust Assessment, a CrowdStrike Falcon® platform capability, to extend Box’s protection boundary across the entire cloud and device estate. When data moves to or from Box, a risk score based on end user or device behavior is assigned. If that score exceeds a threshold set by an organization’s security teams, Box customers will be alerted and a remediation action — such as a user logout, revoked access or terminating syncs from Box Drive — will automatically be triggered based on an organization’s granular controls and settings in Box.

This automated workflow bridges IT and security to both make life easier for analysts and secure the entire movement of data as it flows from endpoint to cloud to applications. The automation uses contextual insights from the Falcon platform to evaluate risks in real time and prevent complex malware, ransomware and other suspicious activities. 

The integration will be available for joint customers using Box Shield and any Falcon platform offering that includes endpoint protection. For small businesses, this includes CrowdStrike Falcon® Go, an affordable, next-gen antivirus solution designed to protect small business, and CrowdStrike Falcon® Pro, a similar offering that includes built-in threat intelligence from CrowdStrike. 

Visit CrowdStrike’s virtual booth at BoxWorks for a limited-time offer on Falcon Go and Falcon Pro!

Need of the Hour

During a time of heightened security risk, the need of the hour is to help businesses securely share, manage and collaborate on content from any device and across any application. And critically, for SMBs and other resource-strapped organizations, these security solutions can’t hinder productivity or require complex and costly deployments. 

Through our partnership with Box, CrowdStrike continues to meet businesses where they are, providing frictionless security solutions that protect information inside and outside of the company perimeter without getting in the way of work. 

The new integration is expected to be available for Box and CrowdStrike customers at the end of the year. Specific pricing and packaging will be announced upon general availability. 

Additional Resources

  • Read the press release for more details.
  • Start a free 15-day trial of Falcon Go, affordable cybersecurity designed to protect small businesses.
  • Watch an on-demand demo of CrowdStrike’s pioneering cloud-delivered endpoint protection platform in action.
  • Want to learn more about cybersecurity issues impacting small and medium-sized businesses? Check out our four-part CrowdCast series for Cybersecurity Month 2023 — attend any or all of these interactive sessions or watch them on demand.

How Well Do You Know Your Attack Surface? Five Tips to Reduce the Risk of Exposure

In an increasingly connected digital landscape, the security of your organization’s data and publicly facing assets is more critical than ever. According to the CrowdStrike 2023 Threat Hunting Report, more than 20% of all interactive intrusions are associated with the exploitation of public-facing applications. As an organization’s attack surface expands and cyberthreats proliferate, it is imperative that IT and security teams take a proactive approach to safeguarding their digital footprint. This starts with implementing a strong exposure management program across the entire enterprise that drastically reduces all attack surface risks.

Do You Really Know Your Organization’s Attack Surface?

To stop an attack before it begins, you must first understand where critical exposures exist. You can think of your organization’s external attack surface as all of the doorways through which an attacker might attempt to sneak in. This includes anything from domain names, SSL certificates and protocols to operating systems, IoT devices and network services. These assets are scattered across on-premises environments, cloud environments, subsidiaries and third-party vendors, and they represent many of the easiest entry points to internal networks and the sensitive data they contain. 

Building a Successful Exposure Management Strategy with EASM

In an age where unknown entryways can lead to invaluable troves of information, external attack surface management (EASM) can find doors that may be left open. CrowdStrike Falcon® Exposure Management finds those potential access points before adversaries do. 

Our EASM technology, as part of Falcon Exposure Management, uses a proprietary engine to continuously scan the entire internet, enabling organizations to see their attack surface from an adversary’s perspective. The digital footprint of an organization is simple to generate, using only a company’s root domain. Once generated, it gives security teams a complete view of all of their internet-facing assets, including those on-premises and in the cloud. All exposed assets are automatically classified, analyzed and rated with a contextualized risk score, allowing teams to fix first what matters most.  

Reducing the size of your attack surface can minimize the risk of a breach. By following the five tips below, organizations can reduce the number of opportunities an adversary has, strengthen their cybersecurity posture and proactively protect valuable assets from malicious actors.

Top Tips to Reduce External Attack Surface Exposures

  1. Do not allow Remote Desktop Protocol (RDP) connections from outside your organization’s networks

There are plenty of products and open source solutions offering remote access to company resources. When RDP is opened to the internet, it is often not monitored and is susceptible to attacks.

How: 

  • Stand up a server that sits outside of your network perimeter
  • Install nmap or any other network scanner you’re comfortable with
  • Grab a list of your IP ranges
  • Set up a cron job to scan continuously for port 3389
  • Grab the logs weekly 
  • Use this list to figure out the person inside your organization who owns or is responsible for each host that has responded on port 3389
    • Clues:
      • Domain name (if applicable)
      • IPAM IP range notes
      • Login banners
  • For any hosts that MUST have RDP exposed to the internet, enable multifactor authentication (MFA), remove them from your scan script above and continue the process of scanning
  • Use Network Level Authentication, a Remote Desktop Services feature that requires a user to authenticate before connecting to the server

  2. Avoid allowing directory listing on your web servers

Directory listings expose the server to traversal attacks and a large variety of vulnerabilities. Moreover, the web server may contain files that shouldn’t be exposed through links on the website. Ensure your server does not expose directory listings, and if it must, make sure the directories do not contain sensitive information. 

How: 

  • Stand up a server that sits outside of your network perimeter 
  • Install nmap or any other network scanner you are comfortable with
  • Grab a list of your IP ranges
  • Set up a cron job to scan continuously for open HTTP 
  • Grab the logs weekly 
  • For every host answering on an HTTP or HTTPS port, use this list as an input for your web app scanning tool of choice (such as nikto or dirsearch)
  • For any host allowing directory traversal, figure out the person inside your company who owns or is responsible for this website
    • Clues:
      • Domain name (if applicable)
      • IPAM IP range notes
      • Login banners
      • Other website info

  3. Place test environments behind a VPN

Ensure none of your development, staging or test environments is exposed to the internet. These environments are often not well-secured and in many cases have access to restricted resources.

How: 

  • Identify all of your production environments:
    • Have a clear list of domains and IP ranges from IT admin, content delivery network providers and web application firewall providers
    • Query whois reverse search under your organization name (there are multiple vendors and open source tools for this) 
  • All other environments (domains, subdomains and machines with external-facing IPs) should be protected with a VPN and MFA

  4. Avoid hostile subdomain takeovers

Confirm none of your subdomains is expired or points to third-party pages and accounts that no longer exist, as it might be vulnerable to hostile subdomain takeovers. If you find such subdomains, reconfigure the DNS settings or remove the DNS entry pointing to the external service.

How: 

  • Talk to your IT admin team and get access to your DNS (may be route53, may be self-hosted)
  • Do a zone transfer on all of the domains your organization owns
  • Get a list of all of your IP ranges
  • Parse the IP addresses against your known IP range list
  • For any IPs that aren’t part of your infrastructure, figure out who they belong to (whois lookup, published list of cloud provider IP ranges)
  • Determine if they are pointing at anything you know you own
  • Any unused subdomain should be retired properly:
    • Use “Null MX” record
    • Use DMARC configuration to prevent any email from being sent on behalf of the sub/domain

  5. Enforce input validation

Enforce input validation on all internal and external inputs to prevent injection attacks. Input validation best practices include: predefining input size limitation per field and type (str/int if applicable), applying maximum retries for password and user fields, and enforcing backend strict logic to prevent injections (prepared statements with parameterized queries, stored procedures, escaping all user inputs, etc.).

How: 

  • Form fields
  • Uniform resource identifiers (URIs)
  • APIs
  • Attachments
  • And more
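The cross-checks in tips 1 and 4 both come down to "is this address ours?", so here is one added example (not from the post) that scripts both: it flags hosts whose scan result shows port 3389 open, and flags zone records that point outside the ranges or domain you own so an owner can be found for them. The owned ranges, scan lines (modelled on nmap's grepable output) and zone records are all constructed for illustration.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed: the address ranges this hypothetical organisation owns.
OWNED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed scan results modelled on nmap's grepable (-oG) output; each port
# entry has the shape port/state/protocol//service///.
SCAN_LOG = """\
Host: 203.0.113.10 ()   Ports: 3389/open/tcp//ms-wbt-server///, 443/open/tcp//https///
Host: 203.0.113.11 ()   Ports: 443/open/tcp//https///
Host: 198.51.100.7 ()   Ports: 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.12 ()   Ports: 3389/filtered/tcp//ms-wbt-server///
"""

# Constructed zone records as (name, type, target), the way a zone transfer lists them.
ZONE = [
    ("www.example.test", "A", "203.0.113.10"),
    ("old-blog.example.test", "A", "192.0.2.55"),             # not in our ranges
    ("shop.example.test", "CNAME", "shops.saas-vendor.test"),  # third-party service
    ("mail.example.test", "CNAME", "mx1.example.test"),
    ("cdn.example.test", "A", "198.51.100.200"),              # outside the /25
]

HOST_RE = re.compile(r"Host:\s+(\S+).*?Ports:\s+(.*)")


def is_owned(ip: str) -> bool:
    """True when the address falls inside one of the owned ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWNED_RANGES)


def exposed_hosts(scan_text: str, port: int = 3389) -> list[str]:
    """Tip 1: hosts where the scanner reports the given port open (RDP by default)."""
    exposed = []
    for line in scan_text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 2 and fields[0] == str(port) and fields[1] == "open":
                exposed.append(host)
    return exposed


def records_to_review(zone, owned_suffix: str = "example.test") -> list[tuple[str, str, str]]:
    """Tip 4: records pointing outside the organisation's own infrastructure that
    need an owner to confirm they are still wanted: A records outside the owned
    ranges, and CNAMEs whose target is not under the organisation's domain."""
    findings = []
    for name, rtype, target in zone:
        if rtype == "A" and not is_owned(target):
            findings.append((name, "A record outside owned ranges", target))
        elif rtype == "CNAME" and not target.endswith("." + owned_suffix):
            findings.append((name, "CNAME to host outside own domain", target))
    return findings


if __name__ == "__main__":
    print("RDP exposed:", exposed_hosts(SCAN_LOG))
    for name, reason, target in records_to_review(ZONE):
        print(f"{name}: {reason} ({target})")
```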

Bonus Tip: Continuously monitor your attack surface

Securing an expanding attack surface is challenging. The dynamic nature of most modern IT ecosystems means secure assets can suddenly become exposed unknowingly due to an error, misconfiguration or simple oversight. This category of forgotten assets can grow for many reasons: employees with revoked access, engineers with lingering cloud token permissions, or unmaintained databases that should have never been exposed in the first place. Moreover, there are instances of abandoned assets that remain unused or unclassified for extended periods, leaving IT departments without records and, consequently, unable to secure them. Regardless of their origin, these assets present significant security risks.

Having an effective exposure management program enables teams to stay vigilant and proactively monitor and secure entire IT ecosystems, which is essential in safeguarding an entire attack surface. You need to add a scalable way to monitor your internet-facing assets and discover your unknown exposures and risks in real time.


CrowdStrike Recognized by Forrester as a Leader in Endpoint Security with the Highest Score in the Current Offering Category

19 October 2023 at 14:34

CrowdStrike has been named a Leader in The Forrester Wave™: Endpoint Security, Q4 2023, the latest recognition in a string of accolades for our market-leading cybersecurity solutions delivered from the unified, AI-native CrowdStrike Falcon® platform. 

In the report, Forrester identified the 13 most significant endpoint security providers and researched, analyzed and scored them based on 25 criteria. Our highlights include:

  • CrowdStrike achieved the highest score in the Current Offering category out of all 13 vendors evaluated and received the highest score possible in 15 of 25 criteria, more than any other vendor evaluated. 
  • CrowdStrike was recognized by Forrester as a “dominant endpoint” solution with “superior vision,” earning the highest score possible in this criterion. CrowdStrike focuses on stopping adversaries with the “lowest impact on endpoint performance,” the report states.
  • The company was also cited as “a good fit for customers who are interested in evolving to EDR or XDR….”
  • The Falcon platform was noted as an “attractive endpoint security solution even for small and medium-sized business (SMB) customers.”

Providing a Seamless Transition to XDR

Endpoint security needs to be the foundation of a strong cybersecurity strategy. Nearly 90% of successful attacks start at the endpoint, as adversaries look to gain a foothold to launch identity-based attacks, pivot to cloud infrastructure, exploit vulnerabilities and more. And once adversaries gain entry, they move quickly: the average breakout time is down to only 79 minutes, and the fastest observed time in the last year was a mere 7 minutes.

To match and exceed the speed and sophistication of today’s adversaries, organizations must prioritize endpoint security as a foundation — delivered from a unified platform that provides powerful capabilities beyond traditional endpoint protection and covers the extended attack surface across cloud, identity, data and more. In the report, Forrester suggests that endpoint security customers should look for providers that “provide a seamless transition to EDR or XDR.” This has long been a top priority for CrowdStrike.

Since starting as an endpoint security company in 2011, CrowdStrike has continued to innovate and was recognized in the Wave for adding more protection to its dominant endpoint solution and for having a “full set of prevention functions using a single endpoint agent.” Last year, CrowdStrike was named a Leader in The Forrester Wave™: Endpoint Detection And Response Providers, Q2 2022, which stated that CrowdStrike “dominates in EDR while building its future in XDR and Zero Trust.”

This year, Forrester gave CrowdStrike the highest score possible in the “vision” criterion in The Forrester Wave™: Endpoint Security, Q4 2023, stating: “CrowdStrike’s superior vision focuses on how adversaries will attack the enterprise and how to prevent it from happening, as opposed to cleaning up the mess later, while having the lowest impact on endpoint performance.” 

Empowering Businesses to Do More with Less

The Forrester report recommends that endpoint security customers look for providers that “extend the ability to do more with less,” referencing cybersecurity staffing challenges and the trend toward cybersecurity consolidation.

The Falcon platform’s ability to reduce complexity and make teams faster was recently on display at Fal.Con 2023, the company’s marquee annual event and cybersecurity’s must-attend conference. CrowdStrike showed impressive demonstrations of Charlotte AI, the engine powering the portfolio of generative AI capabilities across the platform utilizing CrowdStrike’s high-fidelity data advantage. Charlotte AI makes security analysts better and faster at their jobs by enabling them to rapidly surface the information they need to make smarter decisions. 

Watch demos of the Falcon platform in action

CrowdStrike also recently announced the Raptor release of the industry-leading Falcon platform, further enabling the petabyte-scale, lightning-fast data collection, search and storage that customers need to stay ahead of rapidly evolving adversary tradecraft and stop breaches. With this update, all CrowdStrike EDR customers now get native XDR to accelerate investigations with comprehensive endpoint, identity, cloud and data protection telemetry from across the Falcon platform.

Engineered for Every Business

The unified, AI-native Falcon platform enables customers to consolidate cybersecurity via one lightweight sensor and command console to secure the entire IT infrastructure. This is particularly useful for businesses looking to reduce cost and complexity while improving security outcomes, including small and medium-sized businesses (SMBs).

Said the Forrester report: “CrowdStrike’s improvements to its protection engines have allowed it to bring its EDR solution to customers who are looking for a solid prevention foundation without needing deep detection investigations. While often thought of as an enterprise-only solution, CrowdStrike’s inclusion of functions like secure configuration management and reporting and extensive attack remediation capabilities has made this an attractive endpoint security solution even for SMB customers.”

Recent Recognition

CrowdStrike is consistently recognized for its leadership and the strength of our foundational endpoint security technology. Below is a roundup of other recent awards and recognition for CrowdStrike’s endpoint solutions: 

Additional Resources

Patch Tuesday Turns 20: The Growth and Impact of Microsoft’s Vulnerability Problem

19 October 2023 at 20:53

Twenty years ago, Microsoft introduced the concept of Patch Tuesday to “reduce the burden on IT administrators by adding a level of increased predictability and manageability.” The goal of  Patch Tuesday was to provide needed structure around what was largely an ad hoc process. 

By consolidating the majority of security updates and required patches into a planned release cycle, IT departments and system administrators could better plan and allocate resources to eliminate some of the chaos that followed a patch release. To this day, Patch Tuesday persists. Microsoft still releases security updates on the second Tuesday of every month. 

But while the schedule has remained constant — with exceptions for occasional emergency fixes — the world has changed since October 2003. To support remote work, organizations raced into the digital age by rapidly moving to the cloud and eliminating traditional security perimeters. The number of endpoints, connected devices, applications and cloud estates that need to be managed has skyrocketed, creating a broader surface for vulnerabilities to manifest. 

The Microsoft product ecosystem has also grown dramatically, covering a range of technology, software, applications, cloud offerings and more. This has resulted in a larger number of vulnerabilities spanning the technology stack and an expansion of enterprise risk. The burden of dealing with this massive growth in vulnerabilities — and cyberattacks targeting them — is too often shifted from the vendor to the customer. 

This is why for many security and IT teams, Patch Tuesday is no longer a beacon of hope in the chaos of patching. It has become emblematic of the nightmare they face each month as they race to prioritize patches, understand the downstream impact and act before an adversary can exploit the vulnerabilities putting them at risk. 

20 Years Later: Microsoft’s Vulnerability Problem Has Grown

The ubiquity of Microsoft products and volume of Microsoft vulnerabilities have created a massive attack surface. This shouldn’t be a surprise given the popularity of Microsoft’s operating system and office software. One survey found “Microsoft Windows is the most widely used computer (desktop, tablet and console) operating system (OS) in the world.”

Adversaries constantly seek weak points in potential victims’ environments. And as we’ve seen with the growth of Patch Tuesday over the years, Microsoft vulnerabilities provide a broad landscape for adversaries to target. 

Since Patch Tuesday began, Microsoft has issued more than 10,900 patches, most of them in just the last few years. Since 2016, Microsoft has patched 124 unique zero-day vulnerabilities, 1,200+ unique vulnerabilities classified as Critical and 5,300+ rated as Important in severity. More than 630 exploits exist for Critical and Important vulnerabilities. In 2023 alone, Microsoft has already issued patches for more than 800 vulnerabilities.

This data can be found at CVE Details.

These numbers may seem high, but they actually conceal the scale of the problem. If the 1,200+ unique Critical vulnerabilities Microsoft has patched since 2016 are counted once per affected Microsoft product, the total rises to roughly 21,000. While most Microsoft patches address multiple affected products with a single install, there are exceptions, and specific patching processes may vary.

The massive growth of Microsoft’s vulnerability problem has more than offset efficiencies gained through tinkering with the patching process. For many security and IT teams, Patch Tuesday has become more of a burden. They need to scramble to figure out which vulnerabilities to prioritize, which put them most at risk, which could have downstream impact on IT and which could make or break the business. It often seems that just as the team has figured out what to prioritize, another batch of vulnerabilities drops.
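As an added example (not part of the original post), the following Python helper computes the Patch Tuesday date for any month, flags fixes that shipped outside that cycle (the out-of-band emergency releases mentioned above), and ranks a constructed set of fixes in the order a patching team should work through them. The ranking rule (in-the-wild exploitation first, then public zero-day status, then vendor severity) and the placeholder CVE identifiers are this example’s assumptions, not a published Microsoft or CrowdStrike scoring model.

```python
"""Added example (not from the original post): compute Microsoft's Patch Tuesday
date, flag out-of-band releases, and rank a month's fixes for triage.

Assumptions: Patch Tuesday is the second Tuesday of the month; the triage order
(in-the-wild exploitation, then public zero-day status, then vendor severity)
is this example's choice, not a published scoring model. The Fix records are
constructed sample data with placeholder CVE IDs, not real advisories."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month: Microsoft's scheduled security release day."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0 ... Sunday == 6; calendar.TUESDAY == 1
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first.replace(day=1 + days_to_first_tuesday + 7)


def is_out_of_band(released: date) -> bool:
    """True when a fix shipped outside the monthly cycle (an emergency release)."""
    return released != patch_tuesday(released.year, released.month)


@dataclass(frozen=True)
class Fix:
    cve: str          # placeholder identifier in the samples below
    severity: str     # vendor rating: "Critical", "Important", "Moderate", "Low"
    exploited: bool   # exploitation observed in the wild at release time
    zero_day: bool    # publicly disclosed before a fix was available
    released: date


SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


def triage_key(fix: Fix) -> tuple:
    """Higher tuples patch first. In-the-wild exploitation outranks severity,
    because a Critical bug nobody is exploiting is less urgent than an
    Important one already being used against victims (assumed policy)."""
    return (fix.exploited, fix.zero_day, SEVERITY_RANK.get(fix.severity, 0))


def prioritize(fixes: list[Fix]) -> list[Fix]:
    """Return the fixes in the order a patching team should work through them."""
    return sorted(fixes, key=triage_key, reverse=True)


# Constructed sample month (October 2023 cycle); IDs are placeholders.
SAMPLE_FIXES = [
    Fix("CVE-XXXX-0001", "Important", exploited=True, zero_day=True, released=date(2023, 10, 10)),
    Fix("CVE-XXXX-0002", "Critical", exploited=False, zero_day=False, released=date(2023, 10, 10)),
    Fix("CVE-XXXX-0003", "Critical", exploited=True, zero_day=False, released=date(2023, 10, 10)),
    Fix("CVE-XXXX-0004", "Important", exploited=False, zero_day=False, released=date(2023, 10, 17)),
]


def triage_report(fixes: list[Fix]) -> list[tuple[str, bool]]:
    """(cve, out_of_band) pairs in patching order, for a change-window plan."""
    return [(f.cve, is_out_of_band(f.released)) for f in prioritize(fixes)]


if __name__ == "__main__":
    print("Patch Tuesday, October 2023:", patch_tuesday(2023, 10))
    for cve, oob in triage_report(SAMPLE_FIXES):
        print(f"{cve}  out-of-band={oob}")
```

The out-of-band flag is kept separate from the ranking on purpose: an emergency release is a scheduling signal (it needs a change window outside the normal cycle), while the ranking answers which fix to apply first once a window exists.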

This has a huge impact in terms of time, cost, resources and risk. According to the Infosec Institute, the average time it takes to patch a vulnerability can be anywhere from 60 to 150 days. Some security and IT teams take “at least 38 days to issue a patch.” The pace of patching is no match for the speed of the modern adversary and its ability to exploit vulnerabilities.

If a vulnerability isn’t patched fast enough and a breach occurs, the victim is often blamed for falling short of security practices and failing to patch. This ignores the fact that the sheer scale of Microsoft vulnerabilities has once again shifted the burden back to the customer — a burden that grows as adversaries continue to weaponize vulnerabilities.  

Microsoft Vulnerabilities: The Attack Surface of the Modern Adversary

Microsoft product vulnerabilities have become the de facto attack surface of the modern adversary. It shouldn’t be surprising that adversaries are weaponizing this growing problem.  

According to research published by the Cybersecurity and Infrastructure Security Agency (CISA), four of the 12 Top Routinely Exploited Vulnerabilities are in Microsoft products. CISA also noted Microsoft topped the list of exploited CVEs used in ransomware attacks. More than 40% of the vulnerabilities exploited to deploy ransomware are associated with Microsoft products.

Not only are adversaries exploiting existing flaws, they’re also ushering in a new era of “vulnerability rediscovery.” The CrowdStrike 2023 Global Threat Report found adversaries are modifying or reapplying the same exploit to target other, similarly vulnerable products. They’re also circumventing earlier patches. 

As an example of this activity, the report highlights “… the proxy mechanisms exploited to compromise Microsoft Exchange during ProxyLogon and ProxyShell campaigns in 2021 were targeted again in Q4 2022, this time using an authenticated variation called ProxyNotShell (CVE-2022-41040 and CVE-2022-41082). ProxyNotShell mitigations were subsequently bypassed when ransomware-affiliated actors used an alternative exploitation vector that abused CVE-2022-41080 to accomplish the same objectives.”

Modern adversaries are faster, smarter and more ruthless than ever, while the volume of vulnerabilities and the process of testing and patching can slow down teams trying to protect their organizations from attacks.  

Patch Tuesday was supposed to give security and IT teams an advantage against the adversary, but the sheer volume of Microsoft vulnerabilities over the last several years has had the reverse effect. Patching systems, changing configurations and similar actions impact the tools and workflows of business. These changes can have a material impact on productivity. This is compounded by the risk of not patching. The speed at which adversaries are exploiting vulnerabilities continues to increase. 

While Patch Tuesday itself is not the problem, it has become emblematic of the broader vulnerability issue that plagues the industry. Until companies like Microsoft start making more secure products by design and alleviate the burden of patching, organizations must understand the risks they face and take proactive steps to discover and prioritize the vulnerabilities that can cause the most damage. 

When it comes to protection, it’s worth asking: Who do you trust? Can you trust the vendor selling security when it’s also responsible for such a high volume of critical vulnerabilities?  

Additional Resources

Small Screens, Big Risks: Falcon for Mobile Releases New Innovations to Accelerate Detection and Response for Mobile Threats

20 October 2023 at 16:58

Mobile devices have become critical endpoints for accessing enterprise applications, systems and data. Adversaries know this all too well, as evidenced by the growing number of attacks that target mobile devices. Verizon’s 2022 Mobile Security Index found that almost half (45%) of enterprises had suffered a mobile-related compromise in the previous 12 months, nearly double the share reported the year prior.

High-profile attacks leveraging mobile malware continue to occur, such as campaigns using the Pegasus spyware, widely reported in 2021 and again in September 2023. While this trend affects every organization, protecting mobile devices from attack has rapidly become a top priority for small and medium-sized businesses (SMBs): a recent survey shows SMBs spend as much as 70% of their security budget on mobile security.

Mobile threat defense (MTD) refers to the growing technology category aimed at countering security threats on iOS and Android devices. With CrowdStrike Falcon® for Mobile, CrowdStrike’s MTD offering, customers can extend our industry-leading endpoint detection and response (EDR) and extended detection and response (XDR) to Android and iOS devices, enabling them to manage diverse endpoint fleets through a single integrated console. We’re excited to share the following innovations released for Falcon for Mobile aimed at streamlining mobile device enrollment, advancing detection capabilities for mobile-specific adversary tradecraft and accelerating incident response.

Expanded Detection for Advanced Mobile Threats

Custom Indicator of Compromise (IOC) Management 

Falcon for Mobile customers can now author and manage custom indicators of compromise (IOCs). This capability enables our customers to block any domain, IP or subdomain they consider a risk. Many organizations are also using custom IOCs to block traffic to specific apps or browsers, a scenario that has gained prominence with the recent ban of TikTok across government devices. Falcon for Mobile’s custom IOCs can be created and managed via the same CrowdStrike API for traditional endpoints, enabling customers to retrieve, upload and search for IOCs using indicators provided by threat feeds they have access to. 

Figure 1. Falcon for Mobile allows organizations to create and manage custom IOCs (click to enlarge)

Accelerating Investigations with Automated App Analysis on Android and the Falcon Platform’s Built-in Sandbox 

To reduce response and investigation times, Falcon for Mobile now automatically sends suspicious Android applications to the CrowdStrike Falcon® platform’s built-in sandbox for analysis, enabling organizations to rapidly identify anti-virtualization techniques or attempts by mobile-first adversaries to activate spyware. IT and device managers can then leverage mobile device management (MDM) solutions to globally remove suspicious or malicious apps from devices in their fleets. 

Figure 2. Analysis and report of an Android application in the Falcon platform’s built-in sandbox (click to enlarge)

New Automated Response Integrations   

Automated Response Actions for Mobile Threats

Earlier this year, we launched automated response actions for mobile detections. Through integration with CrowdStrike Falcon® Fusion, CrowdStrike’s integrated security orchestration, automation and response (SOAR) framework, Falcon for Mobile customers can now build and customize automated workflows triggered by mobile detections. This enables organizations of all sizes, and especially those with smaller security and IT teams, to scale their output by accelerating detection, investigation and response, notably for repetitive manual tasks.

With Falcon Fusion, incident responders can configure distinct analyst assignments based on unique threat indicators and can further customize how notifications or tickets are sent (e.g., Slack, PagerDuty, Microsoft Teams, email, ServiceNow, Jira). As shown in Figure 3, we can use the example of a new mobile detection triggering multiple workflows, with one alerting select users based on the severity of the threat, and another alerting other groups of users if the impacted endpoint is an iOS device. 

Figure 3. Falcon Fusion workflow based on a mobile detection alert (click to enlarge)

Automated Mitigation via Mobile Network Containment

Customers can mitigate mobile threats by activating a new Network Containment action in the Falcon console for supervised (iOS) or fully managed (Android) devices. This feature expands Falcon for Mobile’s network preventions, enabling customers to respond to mobile threats using the same containment functionality they use for traditional endpoints within the console. 

For other deployment modes, such as unsupervised or Work Profile devices, this mechanism can be used to enforce conditional access for corporate resources, such as blocking access to enterprise apps to protect a customer’s intellectual property. Network Containment can be enabled manually via the host management console as part of active investigations or can be configured to be triggered automatically as part of a Falcon Fusion workflow (Figure 4).  

Figure 4. Falcon for Mobile customers can configure Falcon Fusion workflows for mobile detections to automate network containment of impacted hosts (click to enlarge)

Falcon for Mobile has also released a new mobile policy to protect devices against man-in-the-middle attacks (MiTM), automating network containment in instances where a user has connected to a rogue WiFi network, as shown in Figure 5. 

Figure 5. Falcon for Mobile customers can now enable automated network containment during MiTM attacks (click to enlarge)

Conditional Access for Corporate Assets 

Falcon for Mobile now enables administrators to enforce conditional access to corporate assets. Users can trigger Falcon Fusion workflows using Falcon for Mobile’s custom IOCs to automatically move compromised devices to different host groups. This allows an administrator to configure the specific network resources a device can access, denying access to sensitive resources or systems whenever a device is under an elevated threat level. 

Figure 6. Falcon Fusion workflow that automatically adds hosts to a new host group if a critical-severity mobile threat is detected (click to enlarge)

Enabling Greater Ease-of-Use

Zero-Touch Deployment 

Our customers have ever-expanding endpoint fleets, elevating the importance of a fast, simplified deployment and enrollment process. To enable accelerated onboarding, Falcon for Mobile customers can automatically deploy and activate the Falcon agent through many commonly used MDMs, eliminating the need for end users to open the CrowdStrike mobile app. This specific functionality is available for supervised iOS devices and for most supervised/unsupervised Android devices.

Customers can now use our new MDM enrollment wizard to retrieve and configure the exact settings required by their organization’s MDM. The wizard presents the values that need to be entered in the MDM and, for supervised iOS devices, offers a downloadable configuration file.

Figure 7. The Falcon for Mobile MDM enrollments wizard allows users to easily configure profiles for their mobile devices (click to enlarge)

Integrated and Unified Dashboards

To further support accelerated threat hunting and streamlined security operations, CrowdStrike customers can now access Falcon for Mobile dashboards in the UI of the Falcon console. By leveraging a single unified platform to monitor all endpoint classes, customers obtain a holistic understanding of activity that spans devices and identities across their estate. This will enable customers to more easily monitor activity across mobile hosts, including real-time information around OS distribution, platform versions and detections by severity, enabling them to seamlessly drill into activity across their mobile devices as they already do with traditional endpoints. Our intuitively designed dashboards focus analyst attention on critical alerts and surface real-time intelligence to enable accelerated mobile threat hunting.

Figure 8. Users can monitor and manage diverse mobile devices in their fleet in the Falcon console (click to enlarge)

Moreover, each user will be able to customize their dashboards to surface the information that is most pertinent to their organization, with easy-to-use drag-and-drop tiles that list real-time detections, analyze trends over time and provide visual breakdowns of endpoint classes.

Figure 9. Users can customize their mobile dashboards to surface critical indicators for the health of their mobile fleets — this can include recent detections, their CrowdScore over time and tables of jailbroken hosts (click to enlarge)

Additional Resources 

CrowdStrike Services Offers Incident Response Executive Preparation Checklist

23 October 2023 at 17:01
  • The CrowdStrike Incident Response Executive Preparation Checklist is a template to help organizations consider the roles of their executives before, during and after an incident.
  • CrowdStrike tabletop exercise delivery teams have leveraged this checklist in engagements with Fortune 500 leadership and Boards of Directors.
  • The checklist addresses our most common findings from tabletop exercises: undefined responsibilities for executives, lack of out-of-band communications, missing guidance on conducting investigations under privilege, uncertainty around engaging the Board of Directors and failure to call on third-party support at the appropriate times.
  • Download the CrowdStrike Incident Response Executive Preparation Checklist.

Within your incident response plan, there typically is (or should be) a trigger to notify your executive team of an impending crisis. Many organizations believe they have worked out the logistics of gathering leadership on the phone, getting decisions made and garnering support for the proposed response plan, only to find in the heat of an incident that the leadership team’s understanding of what happens next is miles apart from their own. Does the CFO know to respond to the text notification to join the bridge? Is the CEO willing to accept advice from a breach coach and external counsel? Is the leadership team well-versed in the new U.S. Securities and Exchange Commission (SEC) rules on cybersecurity incidents?

Of course, this is why you write plans in the first place: to make sure everyone is on the same page about how to respond. But the reality is incident response plans are long, cumbersome documents. If your executives did read the plan, they’re not likely to remember the details by the time an incident rolls around. That’s why many organizations have begun to develop executive checklists or “tear sheets” that briefly summarize major actions and who is responsible. 

Creating a quick reference for executive leaders is one of the most common recommendations CrowdStrike’s Professional Services team makes when conducting tabletop exercises with our customers. So much so that we built a template to share.  

This incident response executive checklist directly speaks to how the security organization can prepare the company’s most influential responders: their C-suite. The ability to engage executives — with their human biases and predispositions — directly affects the success of the security organization during an incident. The checklist draws from our experience both responding to incidents and conducting tabletop exercises with leadership teams. It addresses our most common findings from tabletop exercises: undefined responsibilities for executives, lack of out-of-band communications, missing guidance on conducting investigations under privilege, uncertainty around engaging the Board of Directors and failure to engage third-party support at the appropriate times. The result is a distilled list of key steps we recommend organizations take before, during and after an incident. 

How to Use the Checklist

This checklist provides a starting point. It identifies many of the common crisis management activities business leaders or executives should consider when responding to a cybersecurity incident. It should be updated to focus on the activities that are most important to your organization and should identify the parties responsible for doing them. You may also consider developing checklists specific to each key leadership role to focus on their responsibilities and clarify who does what.

The checklist contains the following sections:

  • Before an Incident: The checklist starts with the actions you should be taking now before you’re in an active incident. This section emphasizes the importance of testing and training with regular tabletop exercises and identifying the third parties you plan to call for help, such as a digital forensics and incident response (DFIR) provider.
  • During an Incident: Next, the checklist walks you through the actions different leaders must take once an incident has been declared — from the legal team invoking privilege to the compliance team evaluating contractual and regulatory requirements. This section makes sure your teams don’t forget key obligations in the heat of an ongoing investigation. 
  • After an Incident: Incidents don’t end once a threat actor is eradicated from the environment. Executives deal with the reputational and financial fallout that often accompanies major breaches. This section describes after-action processes and considerations. 

Your best defense is preparation. How you educate and engage your executive leaders directly impacts the success of your response to an incident. Adapting the CrowdStrike Incident Response Executive Preparation Checklist to your organization — and practicing with regular tabletop exercises — is key to enhancing your readiness. 

Additional Resources

Five Reasons Why Legacy Data Loss Prevention Tools Fail to Deliver

24 October 2023 at 14:12

Like so many legacy technologies, legacy data loss prevention (DLP) tools fail to deliver the protection today’s organizations need. Implementation challenges, visibility gaps and inconsistent policies negatively impact customers and make data breaches far too easy for adversaries.

With the average cost of a data breach reaching a staggering $4.45 million last year, organizations need a way to better secure their data as cloud adoption accelerates and IT environments evolve. But with the continued security talent shortage and a market of ineffective data protection solutions — which struggle even when it comes to compliance — organizations are desperate for a modern alternative.

This blog post explores where gaps exist in legacy DLP and how CrowdStrike Falcon® Data Protection is redefining the data protection market to stop data breaches.

Where Legacy DLP Solutions Fail to Deliver

If you rely on a legacy DLP product, some of these challenges may sound familiar. 

  1. Unstructured data on endpoints is at great risk of misuse or breach.

The vast majority of sensitive data no longer resides in databases. USB devices are increasingly used to move large files and file batches. Likewise, organizations are hosting more of their data in a variety of public cloud services, web apps and online storage repositories. Unstructured data on these and other egress channels have become the nexus for sensitive data loss, yet many legacy DLP solutions fail to detect it.

  2. More than a third of DLP deployments fail.

Legacy DLP tools often require large-scale, on-premises software and server installations. These deployments don’t scale without great effort, rarely integrate with other security tools and rely on heavy agents that slow down and crash machines. Due to these inept tools, complex deployments and poor strategies, more than 35% of DLP implementations fail.

  3. Most active DLP tools are in monitor-only mode.

Due to complexity, most organizations turn off prevention features and are simply notified after data walks out the door. Even this monitoring capability is problematic, since visibility gaps grow as your business becomes more distributed. Monitor mode doesn’t prevent a breach, and visibility gaps leave security teams without critical insights needed to swiftly respond to threats.

  4. Your data is too complex for legacy DLP tools.

Legacy DLP products overly depend on well-formed data patterns and keywords to detect sensitive data. But organizations now have data with no recognizable content pattern, such as clinical research data, data about business processes and proprietary designs. While security teams can add sensitivity labels to data, that entails a lot of manual work, and any user can change or remove a sensitivity label. It can take security teams a lot of effort to analyze content, which becomes even more frustrating when accuracy is suspect.

  5. DLP tools lack context to stop breaches.

Security teams relying on legacy DLP tools lack visibility into real-world data flows, and they don’t have time to play whack-a-mole with protection rules. As a result, many businesses are overwhelmed by alerts, while being exposed to risks they’re not even aware of. Teams need the ability to find, follow and protect sensitive data. They should know where it originated, where it’s been on its journey, how it’s being copied and used, and who interacted with it. Most legacy DLP solutions simply can’t provide this context.

Introducing the Future of Data Protection

Falcon Data Protection offers a modern approach to securing enterprise data. Powered by the unified CrowdStrike Falcon® platform, Falcon Data Protection provides deep, real-time visibility into what’s happening with your sensitive data, including data artifacts, as they move across web sources, endpoints, USBs, web browsers, cloud and SaaS applications.

With data protection, context is everything. Falcon Data Protection inspects file data as it arrives on the endpoint to identify not only the originating source but unique features within data, allowing it to be tracked as it moves between files. When data egresses from an endpoint, it can be identified as sensitive based on its originating source and content, even if it’s a derivative of the content that was first identified. 

Notably, this similarity detection capability includes preventing data leakage through generative AI tools like ChatGPT. With Falcon Data Protection, security teams can enforce policies for all web-based generative AI tools and trace back derivative content as it’s shared across files and SaaS applications, allowing you to stop malicious and accidental exposures in real time.

Say, for example, an account manager copies a piece of information from Salesforce into Google Docs. This may happen across multiple hosts and flow downstream, creating derivative content across multiple users. With Falcon Data Protection, you can track the source of that content through all derivatives and downstream sharing and enforce the original policy on each of them. Where legacy DLP tracks the file, Falcon Data Protection tracks the content together with its context, yielding higher-fidelity detections and stopping data loss.
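To make the idea of derivative-content tracking concrete, here is a generic content-fingerprinting check of the kind a context-aware data protection engine can use. It is an added illustration, not CrowdStrike’s implementation or code: it hashes overlapping word n-grams (“shingles”) of a sensitive source record and measures how much of that fingerprint survives in a candidate file, so a partial copy-paste into a larger document is still attributed to its origin. The shingle size, the 50% threshold and the CRM-style sample texts are this example’s assumptions.

```python
"""Added example (not CrowdStrike's implementation): generic content
fingerprinting to recognise derivative copies of a sensitive record.

Assumptions: 5-word shingles, a containment threshold of 0.5, and sample
texts constructed for this example (not real customer data)."""
from __future__ import annotations

import hashlib
import re

SHINGLE_WORDS = 5   # n-gram size: small enough to catch partial copies,
                    # large enough that common phrases rarely collide


def shingles(text: str, k: int = SHINGLE_WORDS) -> set[str]:
    """Overlapping k-word windows of the normalised (lower-cased, tokenised) text."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def fingerprint(text: str, k: int = SHINGLE_WORDS) -> set[str]:
    """Hashed shingles: only digests need to be stored or propagated with the
    content, never the sensitive text itself."""
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in shingles(text, k)}


def containment(source_fp: set[str], candidate_fp: set[str]) -> float:
    """Fraction of the source fingerprint present in the candidate.
    Containment (not Jaccard similarity) is used because a short sensitive
    record pasted into a long document must still score high."""
    if not source_fp:
        return 0.0
    return len(source_fp & candidate_fp) / len(source_fp)


def is_derivative(source: str, candidate: str, threshold: float = 0.5) -> bool:
    """True when enough of the source survives in the candidate to inherit its policy."""
    return containment(fingerprint(source), fingerprint(candidate)) >= threshold


# Constructed sample data: a CRM record and two files it might end up in.
CRM_RECORD = ("Acme Corp renewal opportunity: contract value 1.2M USD, "
              "decision maker Jane Doe, close date 2023-11-30, competitor Globex")
PARTIAL_COPY = ("Pricing notes: contract value 1.2M USD, decision maker Jane Doe, "
                "close date 2023-11-30 per account team")
UNRELATED = "Quarterly all-hands agenda: product roadmap, hiring plan, office move."


def score(candidate: str, source: str = CRM_RECORD) -> float:
    """Containment of the source record's fingerprint in a candidate file."""
    return containment(fingerprint(source), fingerprint(candidate))


if __name__ == "__main__":
    for name, text in [("partial copy", PARTIAL_COPY), ("unrelated", UNRELATED)]:
        print(f"{name}: containment={score(text):.3f} "
              f"derivative={is_derivative(CRM_RECORD, text)}")
```

The partial copy keeps most of the record’s shingles even though the surrounding text is new, so it inherits the source’s policy; the unrelated document shares none and is left alone. A production engine would also key the fingerprint to the originating application and user, which is the context the paragraph above describes.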

Delivered from the Unified Falcon Platform

Falcon Data Protection offers ease of administration and immediate time-to-value because it’s deployed on the industry’s only unified, AI-native security platform, providing exceptional data protection from a single agent and command console. 

If you’re a Falcon platform customer, there’s no extra sensor or installation required to use Falcon Data Protection. One CrowdStrike sensor delivers all of your data protection needs, in addition to industry-leading endpoint, cloud and identity threat protection — providing the visibility and context across all attack surfaces to stop modern attacks.

An organization’s data is among its most valuable assets, and safeguarding it should be a high priority. With Falcon Data Protection, CrowdStrike is reinventing yet another broken legacy market to deliver context-driven data protection from the unified Falcon platform. 

To learn more about CrowdStrike’s modern approach to data protection, register for our upcoming virtual event, “Stop Big Game Hunting Adversaries with Modern Data Protection.”

Additional Resources

Protecting Users from Malicious Sites with Falcon for Mobile

By: Ted Pan
26 October 2023 at 16:08

Introduction

Today, mobile devices are ubiquitous within enterprise environments, and their proliferation gives adversaries yet another attack surface through which they can target users and cause a breach.

From phishing attacks to malicious apps, mobile users tend to let their guard down and click on obfuscated links to malicious sites. Falcon for Mobile protects users by preventing connections to malicious sites on both iOS and Android devices, whether the link arrived in a text, an email, an app or a QR code.

Falcon for Mobile blocks navigation to the malicious site and notifies the user why it was blocked, educating the user and reducing risk in the future.

Security administrators can also view reports within the Falcon Console to identify individuals within the organization that may require additional phishing training.

Video

Protecting Mobile Users

When the device attempts to connect to a phishing site, we see that it cannot be reached. The user is protected from the malicious site that could be attempting to harvest their credentials or install malicious software.

Falcon for Mobile also provides a notification as to why the site was blocked. The user can expand the notification to see additional details.

Mobile Prevent

The mobile detection screen in the CrowdStrike Falcon Console is structured in a way that provides an easy way to view mobile threats identified within the environment.

Each line shows a high level overview of a detection, presenting information such as the threat name, mobile user, and device impacted.

An info pane on the right provides additional details about the threat, such as a description of the threat or additional host information.

Mobile Detection Dashboard

The full details show related threat data such as the domain that was blocked as well as a timeline of activities related to this detection.

Mobile Detection Details

An analyst can adjust the case with options such as setting its status, assigning it to another analyst, adding a tag, or adding a comment.

After they’re done, the status will be updated and tracked to ensure resolution of the case.

Mobile Detection Status

Conclusion

So as we can see, Falcon for Mobile provides powerful protection that prevents users from unknowingly navigating to malicious sites and accidentally sharing data or credentials.

With phishing attacks being such a common vector for mobile attacks, blocking malicious network connections with Falcon for Mobile helps protect organizations from a breach.

More resources

Compromising Identity Provider Federation

  • CrowdStrike’s Incident Response team has seen a recent increase in cases involving adversaries that abuse identity provider federation to gain access to protected services by adding and authorizing rogue domains to federation. From these cases, patterns have emerged that indicate a common attack structure.
  • Monitoring for identity provider abuse can be difficult, given that adversaries do so by leveraging legitimate cloud services, often using compromised accounts for initial access — a reminder that securing identity and authentication services is critical in preventing these attacks.
  • In a recent expansion of CrowdStrike Falcon® Cloud Security detections, CrowdStrike is noting these attacks are prevalent and significant enough to warrant establishing visibility over identity provider management. The indicators of attack discussed in this blog should be considered early indicators that require analysis in context to determine a final verdict on their nature.
  • Since observed attack scenarios predominantly target Microsoft Azure as an identity provider, this blog and the referenced detections focus on that domain.

What Is a Federated Identity Provider? 

A federated identity provider is an outside service provider that has been entrusted by an organization as an authority regarding user authentication and identity management. In the context of a service that leverages single sign-on (SSO), when an individual user requests access to the service, the service contacts the identity provider (IdP) to validate the user’s identity.

This capability enables different identity domains (organized groups of users) to partner with one another in validating users and granting their access to a downstream service, domain or cloud environment without having to replicate or maintain multiple instances of user identities. In this way, if an organization provides a service that has a user population outside of its authentication domain, it can extend access to those outside users by defining a trust relationship with the IdP for that outside user group.

The service provider is trusting that the IdP has performed all relevant authentication actions and verifications, and any subsequent access requests by the user to the service should be considered as authorized.

Okta provides details on federated identity and the role of identity providers in SSO.

The Attack

Adversaries are taking advantage of this architecture by compromising IdPs and modifying them to extend the umbrella of trust to include domains and users controlled directly by the attacker and to expand cross-tenant authentication partnerships. An example attack sequence is depicted in Figure 1.

Figure 1. Illustration of observed IdP compromise (click to enlarge)

Initial Access

The first step in the attack involves establishing access to the IdP’s cloud service provider (CSP) environment at the Control Plane layer with a user account that has permissions to administer resources.

While there are numerous methods that can be used to compromise a user account, CrowdStrike has noted the use of social engineering to obtain credentials as well as using a self-service password reset to take control of an existing account. Some CSPs also add risk analysis indicators to sign-in activity that can also be leveraged to spot signs of initial access.

Once credentials are obtained and authentication is verified, the adversary has been noted to use the CSP command line interface for initial login.

Reconnaissance

Reconnaissance in observed attacks has been focused on obtaining information that can be specifically leveraged to facilitate adding a new domain to federation settings. Observed behaviors during reconnaissance have included:

  • Download users (bulk operation)
  • Download role assignments (bulk operation)
  • Download groups (bulk operation)
  • Get API connectors
  • Get authentication flows policy
  • Get available output claims
  • Get customAuthenticationExtensions
  • Get identity providers
  • Get tenant details
  • Get user flows

It should be noted that CrowdStrike has observed the “get authentication flows policy” action to be extremely common, and by itself, it is not a strong indicator of an attack. It is listed here for reference and is included as part of CrowdStrike Falcon® Cloud Security detection logic as a contributing behavior.

Persistence and Backdoors

Once an attacker has completed their reconnaissance, they move to perform the necessary changes to federation settings to add the domains and user accounts under their control. Actions specifically related to creating a backdoor are listed below:

  • Add unverified domain
  • Add verified domain
  • Verify domain
  • Set domain authentication
  • Update user
  • Set directory feature on tenant

Some attacks may include establishing backdoor access via cross-tenant synchronization, which would be observable via the following:

  • Add a partner to cross-tenant access setting
  • Update a partner cross-tenant access setting
  • Create a partner cross-tenant identity sync setting

Additional actions that have been observed in conjunction with those listed above include the following: 

  • Update named location
  • Add policy
  • Add application
  • Add service principal
  • Add service principal credentials
  • Update application
  • Update service principal
  • Update provisioning setting or credentials
  • Update authorization policy
  • Update authentication flows policy
  • Set company information

As with the behaviors listed as signs of reconnaissance, some of the behaviors CrowdStrike has categorized as persistence and backdoor may also occur in large volume in the normal course of cloud operations. CrowdStrike detections attempt to account for this and only elevate scenarios that resemble a sequence of behaviors that indicate abuse. It is important to evaluate all detections in context before reaching a final verdict.

Actions on Objectives

The primary goal of abusing federated identity providers is to gain access to resources or services that trust the IdP. Abuse of one IdP is likely used to access resources in an external domain, so this scenario should be viewed largely as a method to establish access and maintain persistence via the IdP. 

Some observed actions on objectives related to these attacks include:

  • Creating cloud compute resources or VMs
  • Accessing cloud compute resources and exfiltrating data by exporting virtual disks
  • Obtaining user information from the IdP
  • Accessing data in applications that rely on the IdP access controls
  • Leveraging the Azure run command to deploy other tooling

Why Is It Important to Monitor Changes to Identity Provider Configurations?

Organizations delegate user access controls to outside IdPs, which means the outside IdP is entrusted with maintaining the confidentiality, integrity, and availability of downstream services and data. Identity management and user access control are paramount to information security.

Monitoring for the scenarios outlined above provides customers with early indications of sensitive behaviors — or sequences of behaviors — that CrowdStrike believes warrant awareness and validation. This will give Falcon Cloud Security customers the opportunity to detect these attacks quickly and also obtain evidence that could be useful in incident response activities.  

Falcon Cloud Security Detections

In response to the observed patterns in these attacks, the Falcon Cloud Security team analyzed the prevalence of the noted behaviors and has worked to build detections that attempt to elevate awareness when a matching pattern of activity has occurred. These detections represent a combination of perspectives that warrant awareness and response by security teams.

  1. Configuration changes that rarely occur and have potential for significant abuse
  2. Behaviors that rarely occur in combination with others and may resemble a known attack sequence
  3. Specific behaviors leveraged in these attacks

Detection Name | Type | Description
User accounts exported from Active Directory | Behavior | A bulk export was performed of all user accounts in Active Directory. While this could be legitimate Admin behavior, it could also indicate a threat actor is performing reconnaissance of user accounts in an attempt to elevate privileges and move laterally in your tenant. It is recommended this behavior be reviewed to validate the user’s need to export all user accounts and ensure this data is not improperly shared.
User groups exported from Active Directory | Behavior | A bulk export was performed of all user groups in Active Directory. While this could be legitimate Admin behavior, it could also indicate a threat actor is performing reconnaissance of user groups in an attempt to elevate privileges and move laterally in your tenant. It is recommended this behavior be reviewed to validate the user’s need to export all user groups and ensure this data is not improperly shared.
Role assignments exported from Active Directory | Behavior | A bulk export was performed of all role assignments in Active Directory. While this could be legitimate Admin behavior, it could also indicate a threat actor is performing reconnaissance of role assignments in an attempt to move laterally and escalate privileges in your tenant. It is recommended this behavior be reviewed to validate the user’s need to export all role assignments and ensure this data is not improperly shared.
New unverified domain added to tenant | Behavior | A custom domain was added to the Azure Active Directory (Azure AD) tenant. This is often the first step in configuring federated domain authentication. Federated domain authentication is a legitimately used configuration to support using on-premises passwords. Adversaries also leverage this Azure AD feature to create Azure AD persisted backdoors by configuring new federated domains with resources/infrastructure that they control.
Guest users given same permissions to Azure AD resources as member users | Behavior | Azure Active Directory was updated to give guest users the same access to Azure AD resources as member users. This setting gives guest users the ability to view and interact with Active Directory resources that they may not need access to and should be reviewed to ensure the access is appropriate.
Cross-tenant partner given inbound access | Behavior | A cross-tenant partner was configured in Azure Active Directory to support automatic user consent for inbound access. Cross-tenant synchronization is a legitimately used configuration to automate creating, updating and deleting Azure AD B2B users across different tenants. Adversaries also leverage this Azure AD feature to create persisted backdoors by adding new cross-tenant partners (controlled by the adversaries) to environments they have compromised.
Cross-tenant partner user syncing enabled | Behavior | A cross-tenant partner was configured in Azure Active Directory to support inbound user syncing/creation. Cross-tenant synchronization is a legitimately used configuration to automate creating, updating and deleting Azure AD B2B users across different tenants. Adversaries also leverage this Azure AD feature to create persisted backdoors by adding new cross-tenant partners (controlled by the adversaries) to environments they have compromised.
New federated domain added to Azure Active Directory | Behavior | A domain was configured in Azure Active Directory to support federated authentication. Integrating Azure AD with on-premises Active Directory using Active Directory Federation Services (AD FS) is a legitimately used configuration to support using on-premises passwords. Adversaries also leverage this Azure AD feature to create Azure AD persisted backdoors by configuring new federated domains with resources/infrastructure that they control.
Virtual machine disk exported by user | Behavior | A virtual machine disk was made available for download/export by a user account. Review the activity and validate the user’s need to export the disk, as this may be a way for an attacker to collect and exfiltrate data stored on the disk.
Default cross-tenant synchronization policy allows outbound automatic user consent | Configuration | In a breach scenario, an attacker can utilize automatic outbound user consent within a cross-tenant synchronization policy to sync the compromised user account into a partner tenant and grant attacker access using the same initially compromised credentials. It is not recommended to allow automatic outbound user consent.
Partner cross-tenant synchronization policy allows inbound user sync | Configuration | In a breach scenario, an attacker can utilize inbound identity synchronization within a cross-tenant synchronization policy to sync the compromised user account into a partner tenant and grant attacker access using the same initially compromised credentials. It is not recommended to automatically sync identities into tenants you are not in control of.
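As an added illustration of the sequence logic described in the Reconnaissance and Persistence sections and in the detections above (example code, not Falcon Cloud Security's own logic), the following Python correlates Azure AD audit operations per actor and raises a finding when bulk reconnaissance is followed by a federation or cross-tenant change within a window. The tab-separated audit line format, the actor names, the 24-hour window and the severity tiers are assumptions; the operation names are the ones listed in this post.

```python
"""Sequence detector for the IdP federation abuse pattern described in this post.
Added example, not Falcon Cloud Security's logic. Input is a constructed,
simplified audit-log line format (ISO time, actor, operation, tab-separated);
the operation names are the Azure AD audit activity names listed above."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Reconnaissance operations from the post. "Get authentication flows policy" is
# deliberately omitted: the post notes it is extremely common and not a strong
# indicator on its own, so it is noise as a trigger.
RECON_OPS = {
    "Download users (bulk operation)",
    "Download role assignments (bulk operation)",
    "Download groups (bulk operation)",
    "Get identity providers",
    "Get tenant details",
}
# Persistence/backdoor operations from the post (federated domains and
# cross-tenant access). "Update user" is omitted as a trigger for the same reason.
BACKDOOR_OPS = {
    "Add unverified domain",
    "Add verified domain",
    "Verify domain",
    "Set domain authentication",
    "Add a partner to cross-tenant access setting",
    "Update a partner cross-tenant access setting",
    "Create a partner cross-tenant identity sync setting",
}
# Changes that actually extend trust to outside infrastructure.
CRITICAL_OPS = {"Set domain authentication",
                "Create a partner cross-tenant identity sync setting"}

@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str
    operation: str

@dataclass
class Finding:
    actor: str
    severity: str        # "low", "medium" or "high"
    recon: list[str]     # recon operations seen before the first backdoor op
    backdoor: list[str]  # backdoor operations by this actor
    first_seen: datetime

def parse_line(line: str) -> AuditEvent:
    """Parse one constructed audit line: '<ISO time>\\t<actor>\\t<operation>'."""
    ts, actor, op = line.rstrip("\n").split("\t")
    return AuditEvent(datetime.fromisoformat(ts), actor, op)

def detect_federation_abuse(events, window: timedelta = timedelta(hours=24)) -> list[Finding]:
    """Flag every actor that performs a backdoor operation: alone it is 'low'
    (surface for review); preceded by recon within `window` it is 'medium';
    a recon sequence ending in a trust-granting change is 'high'."""
    by_actor: dict[str, list[AuditEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_actor[ev.actor].append(ev)
    findings: list[Finding] = []
    for actor, evs in by_actor.items():
        backdoor = [e for e in evs if e.operation in BACKDOOR_OPS]
        if not backdoor:
            continue
        first_bd = backdoor[0].ts
        recon = [e for e in evs
                 if e.operation in RECON_OPS and first_bd - window <= e.ts < first_bd]
        if recon and any(e.operation in CRITICAL_OPS for e in backdoor):
            severity = "high"
        elif recon:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(actor, severity, [e.operation for e in recon],
                                [e.operation for e in backdoor], (recon or backdoor)[0].ts))
    return findings

def analyze(log_text: str) -> list[Finding]:
    """Parse a whole log and run the detector."""
    return detect_federation_abuse(parse_line(l) for l in log_text.splitlines() if l.strip())

# Constructed sample: a routine admin change, one actor following the
# recon -> add domain -> verify -> federate sequence, and an unrelated user.
SAMPLE_LOG = """\
2023-10-02T08:00:00\tadmin@corp.example\tGet authentication flows policy
2023-10-02T08:05:00\tadmin@corp.example\tAdd unverified domain
2023-10-03T14:10:00\tcompromised@corp.example\tDownload users (bulk operation)
2023-10-03T14:12:00\tcompromised@corp.example\tDownload role assignments (bulk operation)
2023-10-03T14:30:00\tcompromised@corp.example\tGet identity providers
2023-10-03T15:02:00\tcompromised@corp.example\tAdd unverified domain
2023-10-03T15:04:00\tcompromised@corp.example\tVerify domain
2023-10-03T15:05:00\tcompromised@corp.example\tSet domain authentication
2023-10-04T09:00:00\tsvc-sync@corp.example\tUpdate user
"""
```

Running `analyze(SAMPLE_LOG)` yields a low-severity finding for the lone "Add unverified domain" by the admin account and a high-severity one for the account that exported users and roles and then federated a new domain; as the post stresses, both still need review in context.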

Response Recommendations

Because the behaviors outlined in this attack sequence take advantage of normal features of identity provider federation, it is possible that initial setup or routine administrative maintenance may trigger detections. CrowdStrike has considered the potential for producing false positive detections and has concluded that it is worthwhile to maintain vigilant monitoring of these sensitive functions. CrowdStrike recommends that organizations review all changes to IdP settings to verify that:

  1. The user account used to perform the changes is authorized by role and policy to do so.
  2. The user account performing the changes has not been compromised, and endpoints associated with the user are not exhibiting signs of malware.
    1. This should include a review of recent actions performed by the user account to determine if it is being used in an unusual manner.
    2. Consider signs of phishing, social engineering or recent password resets related to the user account.
    3. Consider authentication details for the user account, including source IP address, region and user-agent strings to look for signs it is being accessed from an unusual source.
    4. Review endpoint detections for suspicious activity involving the user account in question.
  3. The observed changes to IdP configurations were authorized through existing governance, risk and compliance (GRC) review and performed in compliance with change management policies and procedures. 
    1. Consider the domains added and their validity in relationship to the business and service context in which they are being used.
    2. Consider the reputation and threat history of new domains.
    3. For suspect domains, review any future login and service access activity originating from the new IdP.

Conclusion

Abuse of federated identity providers appears to be on the rise and represents a significant threat to downstream services, applications and data. 

CrowdStrike has released detections in Falcon Cloud Security that are designed to shed light on administrative behaviors that could represent attempts to compromise this trust architecture so that customers have early warnings an attack may be occurring.

While the attack outlined in this blog shows that adversaries are leveraging legitimate cloud services and configurations to perform their attacks, CrowdStrike’s detections are designed to differentiate normal administrative functions from those with suspect attributes that could indicate an attack in progress.

Due to the nature of this compromise, a timely response is prudent. CrowdStrike recommends taking immediate steps to validate the observed behaviors are authorized and to remediate them if they are not authorized by reversing any changes made. By quickly cutting off access established by an adversary, CrowdStrike customers can disrupt the attack and stop the breach.

Additional Resources

IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations

9 November 2023 at 11:47

CrowdStrike Counter Adversary Operations has been investigating a series of cyberattacks and strategic web compromise (SWC) operations targeting organizations in the transportation, logistics and technology sectors that occurred in October 2023. Based on a detailed examination of the malicious tooling used in these attacks, along with additional reporting and industry reports, CrowdStrike Intelligence attributes this activity to the IMPERIAL KITTEN adversary.

Tune in to today’s episode of the Adversary Universe podcast, “Iran’s Rise from Nascent Threat Actor to Global Adversary” and learn about the history of cyber threat activity linked to Iran.

CrowdStrike Intelligence collection has identified that contemporary IMPERIAL KITTEN intrusion chains leverage the following tactics, techniques and procedures:

  • Use of public scanning tools, one-day exploits, SQL injection and stolen VPN credentials for initial access
  • Use of scanning tools, PAExec and credential theft for lateral movement
  • Data exfiltration by leveraging custom and open source malware to target Middle Eastern entities

CrowdStrike Intelligence analyzed several malware samples associated with IMPERIAL KITTEN activity, including:

  • IMAPLoader, which uses email for command and control (C2)
  • A similar sample named StandardKeyboard
  • A malware sample that uses Discord for C2 
  • A Python generic reverse shell delivered via a macro-enabled Excel sheet

This next-stage tooling indicates IMPERIAL KITTEN continues to use email-based C2 mechanisms, similar to those used in their Liderc malware family.

Inside IMPERIAL KITTEN’s Activity

IMPERIAL KITTEN is an Iran-nexus adversary with a suspected connection to the Islamic Revolutionary Guard Corps (IRGC). The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements associated with IRGC operations. Its activity is characterized by its use of social engineering, particularly job recruitment-themed content, to deliver custom .NET-based implants. Historically, IMPERIAL KITTEN has targeted industries including defense, technology, telecommunications, maritime, energy, and consulting and professional services.

Between early 2022 and 2023, CrowdStrike Intelligence observed IMPERIAL KITTEN conduct SWC operations with a focus on targeting organizations in the transportation, logistics and technology sectors. In a SWC, the adversary attempts to compromise victims based on their shared interest by luring them to an adversary-controlled website.

To date, adversary-controlled domains have served as redirect locations from compromised (primarily Israeli) websites, as well as locations where information collected to profile visitor systems is sent.

Early 2022 SWC domains used the Matomo analytics service[1] to profile users who visited the compromised Israeli websites. Later iterations of SWC domains use a custom script to profile the visitor by collecting their browser information and IP address, which is then sent to a hardcoded domain. Previously reported activity targeted organizations in the Israeli maritime, transportation and technology sectors.

Industry and CrowdStrike Intelligence collection reporting have described a malware family tracked as IMAPLoader, which is the final payload of the SWC operations. An analysis of IMPERIAL KITTEN’s campaigns, including the use of IMAPLoader and additional malware families, is below.

Initial Access

Industry reporting indicates that, in some instances, the adversary directly serves malware to victims from the SWC.[2] Consistent with prior CrowdStrike reporting on credential stealers from 2021, there is some evidence that IMPERIAL KITTEN targets organizations, such as upstream IT service providers, in order to identify and gain access to targets that are of primary interest for data exfiltration.

There is also evidence indicating their initial access vectors consist of:

  • Use of public one-day exploits
  • Use of stolen credentials to access VPN appliances
  • SQL injection
  • Use of publicly available scanning tools, such as nmap
  • Use of phishing to deliver malicious documents

All assessments around initial access methods not previously documented in connection with IMPERIAL KITTEN activity carry low confidence based on uncorroborated single-source reporting.

Phishing

IMPERIAL KITTEN’s phishing operations reportedly include the use of malicious Microsoft Excel documents. While the sample mentioned in October 2023 industry reporting is not publicly available, CrowdStrike Intelligence acquired a similar version of the delivery document. 

The lure is a macro-enabled Excel sheet, likely created in late 2023 (SHA256 hash: b588058e831d3a8a6c5983b30fc8d8aa5a711b5dfe9a7e816fe0307567073aed).

Once the victim opens the file and enables macros, the document extracts the files runable.bat, tool.bat and cln.tmp, along with a copy of the Python 3.11 interpreter, to the system’s %temp% directory. The batch files create persistence via a registry Run key named StandardPS2Key and run the main Python payload (SHA256 hash: cc7120942edde86e480a961fceff66783e71958684ad1307ffbe0e97070fd4fd) at 20-second intervals.

The Python payload is a simple reverse shell that connects to a hardcoded IP address on TCP port 6443. The shell sends a predefined challenge GUID (3d7105f6-7ca1-4557-b48e-6b4c70ee55a6) and expects the C2 to respond with a separate GUID (fdee81e1-b00f-4a73-ae48-4a0ee5dee49a) for authentication. The malware then reads commands in a loop, executes them and returns the result. The analyzed version supports the following commands:

  • cd (change working directory)
  • run (start subprocess with command)
  • set timer to (change beacon interval)

The analyzed sample was configured with x.x.x.x as the C2 server. This is not valid and will result in an error — it is likely the result of a test build or third-party modification.

Lateral Movement

There is information to suggest IMPERIAL KITTEN achieves lateral movement through the use of PAExec (the open-source PsExec alternative) and NetScan, and uses ProcDump to dump the LSASS process memory for credential harvesting. Lastly, IMPERIAL KITTEN likely deploys custom malware or open source tooling, such as MeshAgent,[3] for data exfiltration. These assessments are made with low confidence as they rely on single, uncorroborated source reporting.

Adversary Tooling

IMPERIAL KITTEN operations reportedly leverage multiple tools, including custom implants; IMAPLoader and StandardKeyboard, which both use email for C2; and a remote access tool (RAT), which uses Discord for C2.  

IMAPLoader is a malware family distributed as a dynamic link library (DLL) to be loaded via AppDomainManager injection.[4] It uses email for C2 and is configured via static email addresses embedded in the malware. Typographical errors in embedded folder names and log messages indicate the author is likely not a native English speaker. While timestamps are not available in most samples, the oldest version was first observed in the wild on September 1, 2022.

Table 1 gives an overview of the available samples and configured C2 email addresses. All of them share the same functionality, although the last sample (SHA256 hash: 32c40964f75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827) differs in naming of the IMAP folders and has only one configured C2 address, indicating it is possibly a development version.

The malware disguises itself as StreamingUX Updater and persists through a scheduled task of that name. It connects to imap.yandex[.]com over TLS and uses the built-in .NET IMAP library to create two folders for C2, prefixed with a randomly generated UUID (including a typographical error):

  • <UUID>-Recive
  • <UUID>-Send

IMAPLoader uses attachments in email messages to receive tasking and send replies. It hardcodes creation and modification dates of the attachment to 2018-12-05 and 2019-04-05, respectively.

SHA256 Hash | C2 Email Addresses
989373f2d295ba1b8750fee7cdc54820aa0cb42321cec269271f0020fa5ea006 | leviblum@yandex[.]com, brodyheywood@yandex[.]com
fa54988c11aa1109ff64a2ab7a7e0eeec8e4635e96f6c30950f4fbdcd2bba336 | justin.w0od@yandex[.]com, n0ah.harrison@yandex[.]com
5c945a2be61f1f86da618a6225bc9d84f05f2c836b8432415ff5cc13534cfe2e | giorgosgreen@yandex[.]com, oliv.morris@yandex[.]com
87ccd1c15adc9ba952a07cd89295e0411b72cd4653b168f9b3f26c7a88d19b91 | harri5on.patricia@yandex[.]com, d3nisharris@yandex[.]com
32c40964f75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827 | hardi.lorel@yandex[.]com

Table 1. IMAPLoader samples and C2 email addresses

Industry reporting also noted IMPERIAL KITTEN deploys a malware family named StandardKeyboard,[5] which shares similarities with the IMAPLoader malware family. StandardKeyboard also uses email for C2 communication, and the malicious code uses the same open source .NET library for communicating with IMAP servers.[6] Unlike IMAPLoader, this malware persists on the infected machine as a Windows Service named Keyboard Service, created by the malicious .NET executable WindowsServiceLive.exe (SHA256 hash: d3677394cb45b0eb7a7f563d2032088a8a10e12048ad74bae5fd9482f0aead01). StandardKeyboard’s main purpose is to execute Base64-encoded commands received in the email body. The results will be sent to the following email addresses:

  • itdep[@]update-platform-check[.]online
  • office[@]update-platform-check[.]online

The email subject contains the MAC address of the infected machine prepended by “From: ”. The body of the email contains Base64-encoded information listed in Figure 1, followed by the string Sender: <MAC Address>.

***Order: <command>
***Time: <unused integer value>
***Response: <command output>
***Exit: <command exit code>
***At: <attachment>

Figure 1. Data sent to the C2 after command execution

Before initiating email communication with the C2, StandardKeyboard verifies internet connectivity by contacting Google DNS over ICMP and sending the string hi there.
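For an analyst triaging mailbox evidence, the following added Python (not CrowdStrike tooling) parses a StandardKeyboard result message back into the Figure 1 fields and checks that the MAC in the subject matches the Sender trailer. It assumes, beyond what the post states, that the body is a single Base64 blob of the Figure 1 lines (possibly line-wrapped by the mail client) followed by "Sender: <MAC>"; the sample message is constructed.

```python
"""Triage parser for StandardKeyboard result e-mails in the Figure 1 format.
Added example, not CrowdStrike tooling. Assumed layout: subject 'From: <MAC>',
body = Base64(Figure 1 lines) followed by 'Sender: <MAC>'. The sample message
built below is constructed, not a real capture."""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass

FIELD_RE = re.compile(r"^\*\*\*(Order|Time|Response|Exit|At): ?(.*)$")
SUBJECT_RE = re.compile(r"^From: (.+)$")

@dataclass
class Beacon:
    mac: str               # MAC address taken from the subject
    order: str             # command the operator sent
    response: str          # command output (may span several lines)
    exit_code: int | None  # None if the Exit field is missing or not numeric
    attachment: str
    sender_matches: bool   # subject MAC equals the 'Sender:' trailer

def parse_fields(text: str) -> dict[str, str]:
    """Split decoded Figure 1 text into a field map. Lines that do not start a
    new ***Field are treated as continuation of the previous one (multi-line output)."""
    fields: dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2)
        elif current is not None:
            fields[current] += "\n" + line
    return fields

def parse_beacon(subject: str, body: str) -> Beacon:
    """Parse one captured message; raises ValueError on anything malformed."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        raise ValueError("subject is not 'From: <MAC>'")
    mac = m.group(1).strip()
    blob, sep, trailer = body.rpartition("Sender: ")
    if not sep:
        raise ValueError("body lacks the 'Sender: <MAC>' trailer")
    try:
        # Undo any mail-client line wrapping, then decode strictly.
        raw = base64.b64decode("".join(blob.split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"body is not valid Base64: {exc}") from exc
    fields = parse_fields(raw.decode("utf-8", "replace"))
    if "Order" not in fields:
        raise ValueError("decoded body has no ***Order field")
    try:
        exit_code = int(fields.get("Exit", "").strip())
    except ValueError:
        exit_code = None
    return Beacon(mac=mac, order=fields["Order"], response=fields.get("Response", ""),
                  exit_code=exit_code, attachment=fields.get("At", ""),
                  sender_matches=(trailer.strip() == mac))

def is_beacon(subject: str, body: str) -> bool:
    """Triage filter: True if the message parses as a StandardKeyboard result."""
    try:
        parse_beacon(subject, body)
        return True
    except ValueError:
        return False

def build_sample() -> tuple[str, str]:
    """Construct a (subject, body) pair in the assumed layout for testing."""
    mac = "00-11-22-33-44-55"  # constructed value
    payload = ("***Order: whoami\n***Time: 7\n***Response: corp\\jdoe\n"
               "***Exit: 0\n***At: \n")
    b64 = base64.b64encode(payload.encode()).decode()
    wrapped = "\n".join(b64[i:i + 40] for i in range(0, len(b64), 40))  # mail wrapping
    return f"From: {mac}", f"{wrapped}\nSender: {mac}"
```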

Finally, CrowdStrike Intelligence collection identified another related malware family, posing as a CV creator that uses a company in the logistics sector as a lure (SHA256 hash: 1605b2aa6a911debf26b58fd3fa467766e215751377d4f746189566067dd5929). The malware is heavily obfuscated and drops an embedded payload after multiple stages of decryption and deobfuscation. It establishes persistence through a scheduled task named Windows\System\System.   

The final stage (SHA256 hash: 3bba5e32f142ed1c2f9d763765e9395db5e42afe8d0a4a372f1f429118b71446) uses Discord for C2 and is most likely related to a phishing campaign observed in March 2022. It contains a rare prefix in its PDB path field of the PE header, which, aside from this sample, is only present in samples of IMAPLoader in CrowdStrike holdings. 

Assessment

CrowdStrike Intelligence attributes the above activity, including the use of SWC and IMAPLoader and related malware families, to the IMPERIAL KITTEN adversary. This assessment, made with moderate confidence, is based on:

  • The continued use of previously reported SWC infrastructure 
  • The continued use of email-based C2 and Yandex email addresses for C2
  • Overlaps between IMAPLoader and the industry-reported SUGARDUMP malware family that targeted Israel-based transportation sector organizations in 2022[7]
  • Continued focus on targeting Israeli organizations in the transportation, maritime and technology sectors, which is consistent with the adversary’s target scope
  • Use of job-themed decoy and lure content in their malware operations

CrowdStrike Intelligence attributes the described initial access and post-exploitation methods to IMPERIAL KITTEN with low confidence, as this assessment is based on single-source reporting that has not been corroborated.

MITRE ATT&CK

Tactic | Technique | Observable
Reconnaissance | T1590.005 – Gather Victim Network Information: IP Addresses | IMAPLoader beacons the victim’s public IP address obtained via a web service
Resource Development | T1584.006 – Compromise Infrastructure: Web Services | IMPERIAL KITTEN SWC is mostly based on compromised websites
Initial Access | T1189 – Drive-by Compromise | IMPERIAL KITTEN distributes malware through SWC
Execution | T1059.003 – Command and Scripting Interpreter: Windows Command Shell | IMAPLoader collects system information via cmd.exe scripts
Execution | T1059.005 – Command and Scripting Interpreter: Visual Basic | IMPERIAL KITTEN installs a Python backconnect shell via malicious Visual Basic scripts in Excel documents
Execution | T1059.006 – Command and Scripting Interpreter: Python | Malicious Excel documents drop a Python-based backconnect shell
Persistence | T1037.005 – Boot or Logon Initialization Scripts: Startup Items | IMAPLoader persists through the registry Run key
Defense Evasion | T1055 – Process Injection | IMAPLoader executes via AppDomainManager injection
Defense Evasion | T1140 – Deobfuscate/Decode Files or Information | IMAPLoader and SUGARRUSH obfuscate C2 addresses via integer arrays
Discovery | T1518.001 – Software Discovery: Security Software Discovery | IMAPLoader enumerates installed antivirus software
Collection | T1005 – Data from Local System | IMAPLoader beacons local system configuration and username to C2
Command and Control | T1071.003 – Application Layer Protocol: Mail Protocols | IMAPLoader, StandardKeyboard and SUGARRUSH utilize email for C2
Command and Control | T1095 – Non-Application Layer Protocol | The Python-based backconnect shell relies on raw sockets for communication
Exfiltration | T1041 – Exfiltration Over C2 Channel | All malware in this report exfiltrate data directly over the C2 protocol

Table 2. Mapping to the MITRE ATT&CK® framework

Appendix: IMPERIAL KITTEN Infrastructure

Virtual private server (VPS) infrastructure recently associated with IMPERIAL KITTEN tooling is included in Table 3. CrowdStrike Intelligence currently attributes this infrastructure to IMPERIAL KITTEN with low confidence based on the aforementioned reporting.

Domain                   IP Address             Internet Service Provider
NA                       146[.]185.219.220      G-Core Labs S.A.
NA                       193[.]182.144.12       Interhost Communication Solutions Ltd.
NA                       194[.]62.42.98         Stark Industries Solutions Ltd.
NA                       64[.]176.165.70        AS-CHOOPA
NA                       95[.]164.61.253        Stark Industries Solutions Ltd.
NA                       95[.]164.61.254        Stark Industries Solutions Ltd.
NA                       45[.]32.181.118        AS-CHOOPA
NA                       193[.]182.144.120      Interhost Communication Solutions Ltd.
NA                       64[.]176.164.117       AS-CHOOPA
NA                       45[.]155.37.140        SHOCK-1
NA                       192[.]71.27.150        Interhost Communication Solutions Ltd.
NA                       185[.]212.149.35       Oy Crea Nova Hosting Solution Ltd.
NA                       51[.]81.165.110        OVH SAS
NA                       82[.]166.160.20        Cellcom Fixed Line Communication L.P.
NA                       192[.]52.166.71        ASN-QUADRANET-GLOBAL
NA                       162[.]252.175.48       M247 Europe SRL
NA                       45[.]93.82.109         LLC Baxet
NA                       77[.]91.74.230         Stark Industries Solutions Ltd.
NA                       77[.]91.74.21          Stark Industries Solutions Ltd.
NA                       195[.]20.17.14         CLOUD LEASE Ltd.
NA                       185[.]253.72.206       O.M.C. Computers & Communications Ltd.
NA                       185[.]220.206.251      O.M.C. Computers & Communications Ltd.
NA                       185[.]241.4.7          O.M.C. Computers & Communications Ltd.
NA                       195[.]20.17.198        CLOUD LEASE Ltd.
NA                       45[.]93.93.198         O.M.C. Computers & Communications Ltd.
NA                       83[.]229.81.175        O.M.C. Computers & Communications Ltd.
NA                       146[.]185.219.97       G-Core Labs S.A.
NA                       193[.]182.144.175      Interhost Communication Solutions Ltd.
NA                       103[.]105.49.108       VMHaus Limited
NA                       185[.]105.0.84         G-Core Labs S.A.
NA                       45[.]81.226.38         Zomro B.V.
NA                       149[.]248.54.40        AS-CHOOPA
NA                       194[.]62.42.243        Stark Industries Solutions Ltd.
NA                       94[.]131.114.32        Stark Industries Solutions Ltd.
NA                       45[.]8.146.37          Stark Industries Solutions Ltd.
NA                       45[.]155.37.105        SHOCK-1
NA                       163[.]182.144.239      NATURALWIRELESS
NA                       64[.]176.172.26        AS-CHOOPA
NA                       77[.]91.94.151         Clouvider Limited
NA                       95[.]164.18.234        Stark Industries Solutions Ltd.
NA                       74[.]119.192.252       Stark Industries Solutions Ltd.
NA                       82[.]166.160.26        Cellcom Fixed Line Communication L.P.
NA                       64[.]176.165.229       AS-CHOOPA
NA                       193[.]182.144.52       Interhost Communication Solutions Ltd.
NA                       64[.]176.171.141       AS-CHOOPA
blackcrocodile[.]online  217[.]195.153.114      Shock Hosting
updatenewnet[.]com       Prev: 45[.]155.37.105  Edis Gmbh
link.mymana[.]ir         193[.]182.144.52       Edis Gmbh
NA                       193[.]182.144.239      Edis Gmbh
NA                       64[.]176.165.229       Choopa
NA                       64[.]176.171.141       Choopa
NA                       64[.]176.165.70        Choopa
NA                       95[.]164.61.253        Stark Industries Solutions Ltd.
NA                       95[.]164.61.254        Stark Industries Solutions Ltd.

Table 3. IMPERIAL KITTEN infrastructure


Securing the Generative AI Boom: How CoreWeave Uses CrowdStrike to Secure Its High-Performance Cloud

13 November 2023 at 16:35

CoreWeave is a specialized GPU cloud provider powering the AI revolution. It delivers the fastest and most consistent solutions for use cases that depend on GPU-accelerated workloads, including VFX, pixel streaming and generative AI. 

CrowdStrike supports CoreWeave with a unified, AI-native cybersecurity platform, protecting CoreWeave’s architecture by stopping breaches. What follows is a summary of how CoreWeave uses CrowdStrike Falcon Cloud Security to secure both its cloud infrastructure and the cloud workloads of its customers, as shared in a presentation at Fal.Con 2023.

Watch the Fal.Con 2023 recording: How CoreWeave Secured Cloud Infrastructure and AI Applications with Falcon Cloud Security

Complete Visibility and Protection

To meet the growing demand for its cloud services, CoreWeave needed a modern security platform that met two main requirements: It had to be capable of scaling with CoreWeave, and it couldn’t cause any performance slowdowns, as organizations rely on CoreWeave for its highly efficient processing power. 

After a successful proof of concept with CrowdStrike — in which CoreWeave engineers observed no performance impact after deploying the Falcon sensor on a test cluster — CoreWeave licensed the Falcon platform along with several platform modules, including CrowdStrike Falcon® Insight XDR endpoint detection and response, CrowdStrike Falcon® Prevent next-generation AV and Falcon Cloud Security. 

Within two weeks, the Falcon sensor had been deployed across all worker nodes at CoreWeave, providing the visibility and protection needed. 

On stage at Fal.Con 2023, CoreWeave’s CISO talked about the importance of visibility to see every asset, including endpoints, cloud nodes, apps working on the endpoints and services running on cloud nodes. He also discussed the value of a unified cloud-native application protection platform (CNAPP) to provide one console and one platform for managing all of the different areas of a cloud workflow — down to containers, pods and nodes.

For CoreWeave, the foundation of strong cloud security starts by deploying the Falcon sensor at the bottom of its tech stack. 

Figure 1. CoreWeave deployed the Falcon sensor at the bottom of its tech stack (click to enlarge)

Once CoreWeave deploys its systems into the Kubernetes cluster, the Falcon DaemonSet runs across every node. This does two things: Every time CoreWeave powers up a new node and brings it into its fleet, the company automatically gets detection and response capabilities from CrowdStrike. And by having the Falcon sensor at the bottom layer, the company doesn’t have to worry about higher-level networking issues impacting its security.

How CoreWeave Responds to Detections

CoreWeave responds to a Falcon alert in three steps: detect, investigate and triage.

For detections, CoreWeave relies on alerts generated both by CrowdStrike® Falcon OverWatch™ (a CrowdStrike service that provides 24/7 managed threat hunting) and by CoreWeave security staff who monitor Falcon dashboards.

When an alert comes in, CoreWeave security staff can see the hostname that may have been compromised and the container ID — both of which help determine what triggered that alert. From there, the team can drop that container ID into the search of Falcon Cloud Security to see details such as host ID and container name, allowing it to zero in on where the container is running in the infrastructure. 

This capability allows security teams to quickly identify and remediate the potential threat. Because CoreWeave effectively sells its cloud infrastructure to customers, CoreWeave uses this information to communicate with any customer whose workload was potentially compromised so they can triage it together and stop the threat before any damage is done.

One Platform for Endpoint-to-Cloud Protection

Every Falcon product module CoreWeave uses is deployed on the unified, AI-native Falcon platform. By consolidating its cybersecurity with CrowdStrike, CoreWeave has been able to respond to threats faster, reduce complexity and streamline provisioning. Critically, having one sensor deployed across its entire IT infrastructure — from endpoint to cloud — gives CoreWeave the context needed to respond to potential threats appropriately. 

Figure 2. The Falcon platform centers around a streamlined, single-agent architecture (click to enlarge)

In many cases, the Falcon platform kills the threat automatically. As CoreWeave’s CISO explained, this saves the company hundreds of hours a year in unnecessary triage. 

For instances that require CoreWeave to triage, the team can act decisively based on context provided by the Falcon platform, which collects and analyzes trillions of endpoint events per week from millions of sensors deployed across 176 countries. CoreWeave supplements this information with CrowdStrike threat intelligence to better understand the nature of the situation. 

All told, CrowdStrike’s industry-leading threat intelligence helps CoreWeave understand any adversaries targeting the company and its customers, enabling CoreWeave to stop them.

This encapsulates the value of the Falcon platform for CoreWeave. The company has its host and servers, which are covered with detections. It’s then able to increase the value of those detections with CrowdStrike threat intelligence to figure out what’s happening and how to fix it.

With CrowdStrike, CoreWeave is able to provide a highly performant, scalable and secure cloud infrastructure to power the generative AI boom and beyond. 

CrowdStrike Brings AI-Powered Cybersecurity to Small and Medium-Sized Businesses

15 November 2023 at 13:36

Cyber risks for small and medium-sized businesses (SMBs) have never been higher. SMBs face a barrage of attacks, including ransomware, malware and variations of phishing/vishing. This is one reason why the Cybersecurity and Infrastructure Security Agency (CISA) states “thousands of SMBs have been harmed by ransomware attacks, with small businesses three times more likely to be targeted by cybercriminals than larger companies.” 

In a desperate attempt to defend themselves, SMBs often turn to traditional antivirus (AV) software and even off-the-shelf consumer AV solutions. But these offerings simply can’t keep up with modern attacks. Referred to as “legacy AV,” these solutions are reactive and only able to defend against known malware or ransomware previously cataloged by the AV provider. This is too slow and reactive to stop modern adversaries. It only takes one attack to slip through legacy defenses to bring a business to a halt, or worse, result in a company-ending event.  

Legacy AV is also difficult to manage, especially with limited IT and security staff. The average deployment of these products is three months. In addition, they require quite a bit of tuning and manual configuration to be fully functional, adding to the operational burden of managing and updating legacy security tools.

Uncertain of which cybersecurity offering to buy and then deploy, many businesses throw up their hands in defeat. One poll shows 60% of SMBs use no cybersecurity measures at all. 

SMBs deserve cybersecurity that’s simple, affordable and effective. Today, we’re announcing a new release of CrowdStrike Falcon® Go to bring our industry-leading, AI-powered cybersecurity protection to SMBs in a package that’s never been easier to purchase, install or operate. 

SMBs Need Cybersecurity That Works

CrowdStrike knows how cybercriminals work and why they target SMBs. We also understand SMBs are often understaffed, resource-constrained and lack in-house security expertise. 

Falcon Go delivers award-winning cybersecurity to protect SMBs against ransomware, malware and unknown threats. This simple yet powerful solution leverages modern technology, including machine learning, behavioral detection and AI, to deliver best-in-class protection against the cyber threats of today and tomorrow. With Falcon Go, small businesses can get the same enterprise-grade protection trusted by the world’s largest organizations and governments in a simple user experience designed for their needs.

SMBs no longer need to worry about staying ahead of evolving cyber threats. Powering Falcon Go is the world’s leading AI-native CrowdStrike Falcon® platform, which collects and analyzes trillions of endpoint events per week, giving SMBs the power of the crowd in a solution that even non-technical staff can use to keep their business safe. 

While other SMB cybersecurity solutions may offer simplicity, businesses need security that actually stops breaches. The Falcon platform scored 100% ransomware prevention in SE Labs testing, demonstrating that SMB cybersecurity can be both simple and effective.

Frictionless Purchasing and Installation in Seconds

CrowdStrike is making it easy for SMBs to purchase elite protection and quickly protect their company. Starting today, Falcon Go is available on Amazon Business, allowing SMBs to purchase industry-leading cybersecurity from the same website that millions of businesses use to purchase everyday business items.

Once purchased, users can instantly download and install Falcon Go to begin preventing threats with a guided setup wizard that recommends pre-configured protection levels. With Falcon Go, small businesses can immediately see which devices are protected and any threat activity, with guided and automated next steps to resolve security concerns. Falcon Go also makes it easy to expand protection to new devices, allowing the solution to support business growth. 

SMBs need simple, fast, modern cybersecurity to stop breaches at a price they can afford. With the release of Falcon Go, small businesses can get AI-powered, award-winning cybersecurity with easy purchasing, installation and operations to stop modern cyberattacks. 

To get started with a free trial of Falcon Go, visit the CrowdStrike website.

November 2023 Patch Tuesday: 58 Vulnerabilities Including Three Actively Exploited Zero-Days

15 November 2023 at 17:27

Microsoft has released security updates for 58 vulnerabilities, including five zero-days, three of which are being actively exploited. One of the zero-days (CVE-2023-36025) is a Windows SmartScreen Security Feature Bypass Vulnerability, the second (CVE-2023-36033) is a privilege escalation vulnerability in the Windows DWM Core Library, and the third (CVE-2023-36036) is another privilege escalation vulnerability affecting the Windows Cloud Files Mini Filter Driver. Three of the 58 vulnerabilities addressed today are rated as Critical, and the remaining 55 are rated as Important. 

November 2023 Risk Analysis

This month’s leading risk type is elevation of privilege (28%), followed by remote code execution (26%) and spoofing (17%).

Figure 1. Breakdown of November 2023 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month (32), followed by Extended Support Updates (17).

Figure 2. Breakdown of product families affected by November 2023 Patch Tuesday

Actively Exploited Zero-Day Vulnerability Enables Windows SmartScreen Security Feature Bypass

Windows SmartScreen has received a patch for CVE-2023-36025. According to Microsoft, by exploiting this vulnerability, “The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts.” This vulnerability requires user interaction — the user would have to click on a specially crafted internet shortcut (.URL) or a hyperlink pointing to an internet shortcut file in order to be compromised by the attacker.

Severity    CVSS Score   CVE              Description
Important   8.8          CVE-2023-36025   Windows SmartScreen Security Feature Bypass Vulnerability

Table 1. Zero-day in Windows SmartScreen Security Feature

Actively Exploited Zero-Day Vulnerability Affects Windows DWM (Desktop Window Manager) Core Library

CVE-2023-36033 is a publicly disclosed vulnerability affecting the Windows DWM Core Library. This vulnerability could allow an attacker to gain SYSTEM privileges.

Severity    CVSS Score   CVE              Description
Important   7.8          CVE-2023-36033   Windows DWM Core Library Elevation of Privilege Vulnerability

Table 2. Zero-day in Windows DWM Core Library

Actively Exploited Zero-Day Affects Windows Cloud Files Mini Filter Driver

CVE-2023-36036 is another vulnerability affecting the Windows Cloud Files Mini Filter Driver being exploited in the wild. Successful exploitation of this flaw could allow an attacker to gain SYSTEM privileges.

Severity    CVSS Score   CVE              Description
Important   7.8          CVE-2023-36036   Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Table 3. Zero-day affecting Windows Cloud Files Mini Filter Driver

Critical Vulnerabilities 

CVE-2023-36397, a remote code execution vulnerability rated as Critical, affects Windows Pragmatic General Multicast (PGM). To successfully exploit this vulnerability, an attacker would have to send a specially crafted malicious MSMQ packet to an MSMQ server, leading to remote code execution. This Windows component needs to be enabled for a system to be vulnerable. Microsoft recommends checking whether the Message Queuing service is running and TCP port 1801 is listening on the machine; if the service is running but not in use, consider disabling it.

CVE-2023-36400, a privilege escalation vulnerability rated as Critical, affects Windows HMAC Key Derivation. If exploited, this could allow an attacker to gain SYSTEM privileges. According to Microsoft, “A successful attack could be performed from a low privilege Hyper-V guest. The attacker could then traverse the guest’s security boundary to execute code on the Hyper-V host execution environment.”

CVE-2023-36052 is a Critical vulnerability affecting Azure CLI commands. An attacker could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions in public repositories. Customers using the affected CLI commands must update their Azure CLI version to 2.53.1 or above to be protected against the risks of this vulnerability, Microsoft says. This also applies to customers with log files created using these commands through Azure DevOps and/or GitHub Actions.
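The two checks Microsoft recommends for CVE-2023-36397 (Message Queuing and TCP 1801) and CVE-2023-36052 (Azure CLI 2.53.1 or later), written out as one report-and-mitigate script. This is an added example, not code from the CrowdStrike post or from Microsoft; it assumes the Message Queuing service is registered under the service name MSMQ and that the Azure CLI is on PATH as az, neither of which the post states.

```powershell
# Added example (not code from the CrowdStrike post): the two checks Microsoft
# recommends in the Critical section above, CVE-2023-36397 (PGM over MSMQ) and
# CVE-2023-36052 (Azure CLI), as one report-and-mitigate script.
# Run in an elevated PowerShell session on the host being assessed.
# Assumptions: the Message Queuing service is registered as "MSMQ" and the
# Azure CLI is on PATH as "az"; neither is stated in the post.

function Test-MsmqExposure {
    # CVE-2023-36397 only matters when Message Queuing is enabled, so report
    # the service state and whether anything is listening on TCP 1801.
    $svc      = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $status   = 'NotInstalled'
    if ($svc) { $status = $svc.Status.ToString() }
    [pscustomobject]@{
        ServiceInstalled = [bool]$svc
        ServiceStatus    = $status
        Port1801Listen   = [bool]$listener
        # Exposed = service running AND port open. Patching is still required
        # where the service is needed; this only shrinks the attack surface.
        Exposed          = ([bool]$svc) -and ($status -eq 'Running') -and ([bool]$listener)
    }
}

function Disable-MsmqIfUnused {
    # Mitigation when MSMQ is running but nobody uses it: stop it and keep it
    # from starting again. Removing the feature is the stronger option
    # (Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server).
    $before = Test-MsmqExposure
    if (-not $before.Exposed) { return $before }
    Stop-Service -Name 'MSMQ' -Force
    Set-Service  -Name 'MSMQ' -StartupType Disabled
    Test-MsmqExposure
}

function Test-AzureCliVersion {
    # CVE-2023-36052 is fixed in Azure CLI 2.53.1. 'az version' emits JSON
    # with an "azure-cli" key holding the CLI version string.
    $required = [version]'2.53.1'
    if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $null }
    }
    $json      = az version --output json | Out-String | ConvertFrom-Json
    $installed = [version]$json.'azure-cli'
    [pscustomobject]@{
        Installed = $true
        Version   = $installed.ToString()
        Patched   = $installed -ge $required
    }
}

Test-MsmqExposure    | Format-List
Test-AzureCliVersion | Format-List
```

Exposed reports true only when the service is running and the port is open, which is the condition Microsoft describes; a host with MSMQ installed but stopped is not reachable over PGM, but it should still take the patch before the service is ever started. The Azure CLI check says nothing about logs that were already published: as the paragraph above notes, output written by the affected commands into Azure DevOps or GitHub Actions logs has to be reviewed for credentials regardless of which version is installed now.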

Severity    CVSS Score   CVE              Description
Critical    9.8          CVE-2023-36397   Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Critical    8.8          CVE-2023-36400   Windows HMAC Key Derivation Elevation of Privilege Vulnerability
Critical    8.6          CVE-2023-36052   Azure CLI REST Command Information Disclosure Vulnerability

Table 4. Critical vulnerabilities in Windows and Azure

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j and ProxyNotShell, not every highly exploitable vulnerability can be easily patched. It’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

5 Tips to Defend Against Access Brokers This Holiday Season

16 November 2023 at 14:58

The holiday season brings a shift in how people and businesses operate: Some companies may partially shut down, leaving only a skeleton crew to manage their IT environments, while others head into their busiest time of year. This seasonal change in staffing and business operations, combined with the general holiday distraction, often creates risk and makes organizations more vulnerable to cybercrime.

Access brokers — the threat actors who gain and sell access to organizations and simplify eCrime for other cybercriminals — are especially active during this time of year. CrowdStrike data reveals spikes in access broker activity toward year’s end. They capitalize on these seasonal shifts to craft holiday social engineering campaigns, steal more information and make more money by selling their findings to threat actors on underground forums.

Here, we discuss how the threat landscape typically changes during the holidays, how access brokers fit into the cybercrime ecosystem and adapt their activity for this busy time of year, and how organizations can prepare for a safe and secure season.

Meet the Access Brokers

Access brokers have become a pivotal part of the eCrime ecosystem by selling victim access to other threat actors and facilitating myriad criminal activities. Their operations continue to grow: CrowdStrike observed a 147% increase in access broker advertisements across criminal underground communities from July 2022 to June 2023.

Many access brokers have relationships with big game hunting (BGH) ransomware operators and affiliates of prolific ransomware-as-a-service (RaaS) programs. The holiday season is a prime opportunity for ransomware operators to launch ransomware campaigns, extort victims and find potential targets. Access brokers support ransomware operators with this last task by capitalizing on holiday changes to breach organizations and sell access to other adversaries.

In order to defend against access brokers, you must first understand how they operate.

Many access brokers carefully study their victims. They analyze organizations’ attack surfaces to find vulnerabilities they can exploit or use sophisticated social engineering techniques to trick employees and steal credentials. Access brokers seek the path of least resistance into an organization and have quickly adapted as endpoint detection and response (EDR) capabilities have evolved to better detect them. The use of custom malware to gain initial access has dropped substantially — 71% of intrusions in 2022 were malware-free — as threat actors favor more subtle attack methods.

Access brokers are highly organized. They advertise access to victims on underground forums, often categorizing their offerings with contextual details such as business vertical, revenue and asset exploitation. This information is especially valuable to big game hunters selecting their next victim. In some cases, access brokers may eliminate upfront costs for downstream ransomware operators using a profit sharing model. These announcements strengthen the collaboration between access brokers and big game hunters, making the eCrime ecosystem a formidable opponent for all organizations.

Why Access Brokers Welcome the Holidays

Over the past year, access broker advertisements peaked right before and after the holiday season. Spikes were also observed the week before Easter as well as the beginning of the new academic year. While this pattern is not set in stone, access brokers seem to be more active during these moments for several reasons:

  • Leaner staff: IT and security teams may have a skeleton staff during the holidays, leaving fewer people to handle detection tuning, threat hunting or patching. As a result, access brokers have more opportunities to break in unnoticed. Dwell time (the time before getting detected) is likely longer during these low-staff moments, giving access brokers a bigger window of opportunity to get in, steal more data and sell it.
  • It’s vacation time: Employees often take time off during this time of year. Some may have forgotten their passwords by the time they come back from a week’s holiday. When requesting new credentials, users are more vulnerable to phishing attacks. Access brokers know when users come back and have greater success when many users request new credentials.
  • More distractions: IT support or help desk teams may cover only the bare essentials, skipping regular security best practices. Access brokers have recently impersonated regular users and opened support calls to obtain access. If the IT team doesn’t properly validate their information, for example, the attacker will have an easier path in.
  • Business is booming: Industries such as the retail, hospitality and travel sectors enter one of their busiest times of the year. They are in a weaker position during the extortion process because they need to keep business running during the busy season and avoid regulatory violations. With this knowledge in mind, access brokers will advertise access to these organizations at the right moment, with adjusted pricing, knowing other adversaries will want to strike.

Let’s take a closer look at the most popular tactics access brokers use to gain entry into victim organizations.

Well-crafted Social Engineering Campaigns

One of the most notorious actors discovered in 2023, known for both access brokerage and big game hunting, used advanced social engineering to harvest credentials. The actor targeted multiple verticals such as consumer goods, telecommunications and real estate. In many cases, ransomware was deployed.

Throughout these incidents, the adversary was consistent in using social engineering tactics to bypass multifactor authentication (MFA). They relied on a combination of credential-harvesting websites, SMS phishing, SIM swapping, MFA push-notification fatigue and social engineering via vishing to obtain initial access. Once inside, the adversary avoided using unique malware, instead favoring a wide range of legitimate remote management tools to maintain persistent access.

This actor succeeded because they very carefully studied their victims and knew how to impersonate them later. During the holidays, when users are more relaxed and staff is short, access brokers using similar tactics can increase their chance of success.

Web Exploitation and Living-off-the-Land

Another common access broker method involves exploitation of public-facing applications and remote code execution vulnerabilities to gain access. Once inside, the threat actor becomes persistent by deploying standard web shell mechanisms to harvest information related to machine identities (SSH keys, RSA keys). Using standard command-line tools, the actor can even clear system logs to evade detection.

How to Defend Against Access Brokers During the Holidays and Beyond

  1. Understand your environment: The age-old adage “You can’t protect what you can’t see” has never been so true. Over the past few years, organizations have accelerated their use of cloud infrastructure, resulting in a larger digital footprint. Security teams must gain an outside-in view of their full enterprise attack surface in order to identify areas of exposure and close security gaps. Don’t wait for the adversary to strike. Map your assets, visualize attack paths and address them.

  2. Prioritize identity protection: The rise in malware-free attacks, social engineering and similar attempts to steal and use credentials drives the need for strong identity protection. CISA’s Shields Up initiative urges organizations to enforce MFA and identify and quickly assess unusual network behavior. Conditional risk-based access policies are advised to reduce the burden of MFA for legitimate users.

     Social media training is crucial: Don’t announce department shutdowns or IT service changes on social media, and instruct employees to refrain from sharing personal data on social channels. Train staff to avoid sharing credentials in support calls, emails or tickets. And finally, don’t publish executive or IT contact details on the company website; it may aid adversaries in impersonation efforts.

  3. Strengthen cloud protection: The number of observed cloud exploitation cases grew by 95% year-over-year in 2022. Adversaries are aggressively targeting cloud infrastructure and using a broad array of tactics, techniques and procedures to compromise critical business data and applications in the cloud. Stopping cloud breaches requires agentless capabilities to protect against misconfigurations, control-plane and identity-based attacks, and also runtime security to protect cloud workloads.

  4. Know your adversary: Organizations spend vast amounts of time and money fighting ghosts and noisy alerts, never knowing the “who, why and how” behind cyberattacks. If you don’t understand your adversary, you are poorly prepared to face them.

     Invest in threat intelligence that exposes the humans behind the attack, as well as their motivation, capabilities and tools. Use threat intelligence that continuously scans underground forums for exposed identities and leaked data, and notifies the security team when company credentials are detected. Monitor for websites or newly created domains that mimic your organization. If you don’t have time or resources, work with a third party to mitigate the risk of these look-alike websites.

  5. Practice makes perfect: Encourage an environment that routinely performs tabletop exercises and red/blue teaming to identify gaps and eliminate weaknesses in your cybersecurity practices and response.

     Prepare how to outpace the adversary with comprehensive visibility into what’s happening on your endpoints. Hunt for hidden intruders by looking for web shells and remote monitoring tools that may be active in your environment. Seek support from expert teams that know access brokers and their tools to help mitigate hidden threats.

Access brokers continue to conduct advanced exploitation, social engineering and spear-phishing attacks to gain and sell credentials throughout the year. The end of the year is an ideal time for them to act: IT support organizations are distracted, security teams have a skeleton staff and users request new credentials when they return. Implement strong defenses and don’t let access brokers stuff their stockings with your credentials during the holidays.
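The hunting step in tip 5 above, looking for web shells and remote management tools, as a first-pass script for a Windows host. This is an added example and not code from the CrowdStrike post; everything it assumes is outside the post: that IIS content lives under C:\inetpub\wwwroot, a 14-day lookback window, and the list of remote management product names, which is only a starting point to be replaced with whatever your organization actually sanctions.

```powershell
# Added example (not code from the CrowdStrike post): a first-pass hunt for the
# two artifacts the post tells you to look for, web shells on public-facing web
# servers and remote management (RMM) tools the adversary may have installed.
# Assumptions not stated in the post: IIS content under C:\inetpub\wwwroot,
# a 14-day lookback, and the RMM name list below, which you should tailor to
# the tools your organization sanctions.

$WebRoot      = 'C:\inetpub\wwwroot'
$LookbackDays = 14
$ScriptExts   = @('.aspx', '.ashx', '.asmx', '.asp', '.php', '.jsp')
$RmmNames     = @('AnyDesk', 'TeamViewer', 'ScreenConnect', 'ConnectWise', 'Atera',
                  'Splashtop', 'NinjaRMM', 'Syncro', 'RustDesk', 'MeshAgent', 'LogMeIn')

function Find-RecentWebScripts {
    param([string]$Path = $WebRoot, [int]$Days = $LookbackDays)
    # Web shells show up as new or recently rewritten script files in the
    # content root; a legitimate deployment rarely changes one file on its own.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $ScriptExts -and $_.LastWriteTime -gt $cutoff } |
        Select-Object FullName, LastWriteTime, Length
}

function Find-ShellLikeContent {
    param([string]$Path = $WebRoot)
    # Content triage: a script that reads request input and, within a short
    # span, hands it to a process or eval-style API deserves a manual look.
    $pattern = '(Request\.(Form|QueryString|Headers|Item)|\$_(GET|POST|REQUEST))[\s\S]{0,500}' +
               '(Process\.Start|ProcessStartInfo|\beval\s*\(|\bsystem\s*\(|shell_exec|cmd\.exe|powershell)'
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $ScriptExts } |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if ($text -and [regex]::IsMatch($text, $pattern, 'IgnoreCase')) {
                [pscustomobject]@{ FullName = $_.FullName; LastWriteTime = $_.LastWriteTime }
            }
        }
}

function Find-RmmTools {
    param([string[]]$Names = $RmmNames)
    # Match installed services (name, display name, binary path) and running
    # processes against the RMM list; anything IT did not deploy is a lead.
    $regex = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $regex } |
        Select-Object @{ n = 'Kind'; e = { 'Service' } }, Name, @{ n = 'Detail'; e = { $_.PathName } }
    $procs = Get-Process |
        Where-Object { $_.ProcessName -match $regex } |
        Select-Object @{ n = 'Kind'; e = { 'Process' } }, @{ n = 'Name'; e = { $_.ProcessName } }, @{ n = 'Detail'; e = { $_.Path } }
    @($services) + @($procs)
}

Find-RecentWebScripts | Format-Table -AutoSize
Find-ShellLikeContent | Format-Table -AutoSize
Find-RmmTools         | Format-Table -AutoSize
```

Treat every hit as a lead rather than a verdict: a recently modified .aspx file may be a legitimate hotfix, and a TeamViewer service may be the help desk's own tool. The useful signal is the difference between what the script finds and what change management and the software inventory say should be there, which is also why the RMM list needs to mirror your sanctioned tooling rather than this example's guesses.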

Endpoint and Identity Security: A Critical Combination to Stop Modern Attacks

17 November 2023 at 17:43

Today’s adversaries increasingly use compromised credentials to breach target environments, move laterally and cause damage. When attackers are logging in — not breaking in — legacy endpoint security offers little help in detecting and stopping breaches.

Exacerbating the problem is an expanding attack surface, largely due to the growth of remote work and evolving supply chains. Today, nearly 25% of modern attacks start at unmanaged hosts such as contractor laptops — parts of the supply chain where organizations often lack direct control over endpoints. 

Download the CrowdStrike ebook, “Stay One Step Ahead of Identity Thieves”

Legacy endpoint solutions primarily look for malicious code execution to detect attacks and are unable to detect or stop identity-based threats when the adversary uses valid credentials. Many organizations either don’t have the means to stop identity-based attacks or struggle with multiple point solutions for endpoint and identity security that drive cost and complexity while slowing down response times. 

Read on to learn how unifying endpoint and identity security under the CrowdStrike Falcon® platform can help you stop modern attacks.

Case Study: Land O’Lakes 

Land O’Lakes is an American agricultural cooperative with 9,000 employees and manufacturing operations spanning 60 countries. In the words of Dan Oase, Land O’Lakes Director of Cybersecurity, “That’s a lot of identities to secure.” 

Oase spoke on stage at Fal.Con 2023 about how the company uses CrowdStrike for identity protection: “We think of identities in terms of creating identities, managing identities and securing identities … We use Falcon Identity Protection to safeguard our Active Directory and complement our IAM.”

Watch the Fal.Con 2023 session, “Stop Modern Attacks: Extending Endpoint Security with Identity Protection,” featuring Land O’Lakes

Oase emphasized the importance of speed, citing how cracking an eight-character password used to take years; now it takes only minutes, thanks in part to advancements in AI. With adversaries getting faster, Land O’Lakes relies on a full suite of Falcon platform modules — including CrowdStrike Falcon® Insight XDR for endpoint detection and response and Falcon Identity Protection — to outpace modern attacks and stop breaches.

“CrowdStrike provides the ‘easy button’ to add identity protection via a single agent and unified platform covering endpoint and identity. This translates into immense value to us as a customer in terms of faster responses, lower costs and better security outcomes,” said Oase.

Oase shared how Falcon Identity Protection delivers real value for Land O’Lakes, compared to before CrowdStrike:

  • 92% faster at investigating and responding to identity-related attacks and anomalies
  • 90% less time spent manually auditing identity hygiene
  • 85% less time prioritizing vulnerabilities
  • 80% reduction in accounts with excessive permissions
  • Consistent removal of stale accounts
  • Immediate and automated response to compromised passwords

As a cybersecurity veteran who’s built world-class security operations at several companies, Oase went deep into the technical aspects of the Falcon identity deployment, covering continuous monitoring, privileged accounts, conditional access policies and other topics. If you’re a security practitioner looking for identity best practices, watch the Fal.Con 2023 session.

Making the Case for Unified Endpoint and Identity Security

Identity-related attacks are a serious and growing problem. Consider the numbers:  

  • Over 80% of cyber incidents in 2021 involved the misuse of valid credentials to access an organization’s network, as revealed in the CrowdStrike 2022 Global Threat Report.
  • Kerberoasting attacks, a form of identity-based threat, increased an alarming 583% year-over-year, according to the CrowdStrike 2023 Threat Hunting Report.
  • The same report reveals a 147% increase in access broker advertisements, which often sell compromised credentials, on the dark web.
  • 90% of Fortune 1000 companies rely on Microsoft Active Directory (AD) despite its constant flow of vulnerabilities. 
  • Microsoft AD is a top target due to the access and information it holds. One survey found 50% of organizations have experienced an AD attack in the last couple of years, and 40% of those attacks were successful.

If you’re one of the nearly 75,000 organizations that use AD, combining endpoint and identity security under a single platform can help you stop breaches by providing comprehensive defense against adversaries seeking privileged company data. 

How the Falcon Platform Strengthens Defense

CrowdStrike delivers its market-leading endpoint and identity protection from the AI-native Falcon platform, which uses one lightweight agent to provide:

Comprehensive visibility

CrowdStrike Falcon® Identity Protection offers complete visibility into AD and cloud-based identity solutions, such as Microsoft Entra ID (formerly Azure Active Directory). The Falcon platform uses data collected from on-premises and cloud user directories to create a baseline for normal user behavior and detect anomalous activity across endpoints and identities, eliminating the security gaps created by siloed security tools.

Real-time protection

By deploying CrowdStrike endpoint and identity security solutions together, you can block malicious authentication at the AD level and stop adversaries from gaining access, regardless of whether the endpoint is managed. 

Risk-based response

Falcon Identity Protection continuously monitors user behavior and context based on both identity and endpoint telemetry to compute risk scores, which allows it to dynamically enforce multifactor authentication when the risk level has increased, providing an extra layer of security.

Single Agent, Unified Platform 

These capabilities are difficult to achieve with standalone tools. Organizations are looking to replace point solutions with a unified cybersecurity platform to eliminate gaps between endpoints, identity and cloud workloads, while reducing the number of agents they manage.

CrowdStrike endpoint customers can easily deploy Falcon Identity Protection with no deployment overhead. Simply enable the platform module, and the Falcon sensor immediately starts defending against identity-based attacks.

The Falcon platform is the only adversary-focused AI-powered security platform that brings together endpoint and identity telemetry and correlates it with threat intelligence and the latest adversary tradecraft. This unified platform approach not only provides better and faster detections with full attack-path visibility, it allows you to automate policy-based responses and eliminate manual correlation of threats, thereby improving SOC efficiency.

CrowdStrike endpoint and identity security solutions offer complete coverage of MITRE TTPs


The graphic above shows how CrowdStrike’s unified approach to endpoint and identity security fares against MITRE ATT&CK® tactics, techniques and procedures (TTPs). As a market leader in endpoint detection and response (EDR), CrowdStrike has long protected customers from execution, command and control, exfiltration and more. By adding Falcon Identity Protection to their endpoint deployment, customers can benefit from full protection against adversary tactics that leverage valid accounts, such as initial access, lateral movement and privilege escalation.

Put simply: CrowdStrike customers of endpoint and identity security can receive the strongest coverage against adversary TTPs from a single, unified platform.

Get Started with Falcon Identity Protection

Today’s attackers use legitimate credentials to bypass endpoint security solutions. By unifying endpoint and identity security on the Falcon platform, organizations can get robust protections against identity-related attacks, while realizing the other benefits of cybersecurity consolidation.

Get started with Falcon Identity Protection using our complimentary Active Directory Risk Review. This one-on-one session with a CrowdStrike identity expert will delve into your AD hygiene, expose compromised passwords and over-privileged accounts, and share other best practices to help you stop identity-related attacks.

Additional Resources

The Difference Between Securing Custom-Developed vs. Commercial Off-the-Shelf Software

17 November 2023 at 23:33

Modern applications are designed to process, use and store vast amounts of sensitive data. As adversaries seek to infiltrate these applications, IT and security teams must ensure the software they use has the strongest possible security. The first step to implementing strong application security is understanding the type of application you need to protect.

The two types of applications security teams must be familiar with are custom-developed software and commercial off-the-shelf (COTS) software. In this blog, we explain the differences between custom-developed applications and COTS applications and how each type of application is secured.

What Is Custom-Developed Software?

The crucial difference between these two types of applications is who owns the source code — the set of computer instructions that accomplishes some task. Every application is built from source code, and that source code is created by software developers. Modern programming languages you’re likely to encounter in source code include Java, Python, .NET, Node.js and Go.

Custom software consists of proprietary source code, which is typically owned by the developer or company that created it. If you’re interfacing with proprietary source code, then you’re managing custom-developed software — software that is “built in-house” to fulfill a specific business requirement. Companies either sell their custom-developed applications or use them for internal business needs.

Here’s an example. Suppose you work in security at a company called Math Tutors. The company’s developers created the Python code shown below.

Customers have purchased version 1.0.0 of your software, and you’re responsible for ensuring the custom-developed Python code is secure.

One day, you realize your “sum” function leaks proprietary data when the user enters a non-integer. Your developers add error handling to the sum function to secure it. The updated source code is shown below.

After securing your custom-developed software, you release version 1.1.0 of your product. When customers purchase your software, it’s their responsibility to upgrade to the latest version, meaning they must now use version 1.1.0 to ensure they’re using the most secure version of your software.
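The Math Tutors code in the post was shown as an image and is not reproduced here, so the following is an added illustration rather than the company’s code: a hypothetical `sum` feature in version 1.0.0 that lets a non-integer input surface a raw traceback (file paths and source lines) to the user, beside the version 1.1.0 fix that validates input and returns only a sanitized message. All function names and the sample input are assumptions.

```python
"""Added illustration for the Math Tutors scenario: a leaky 1.0.0 `sum`
handler and its hardened 1.1.0 replacement. Not the code from the post;
names and sample inputs are constructed for this example."""
import logging
import traceback

log = logging.getLogger("math_tutors")


class InvalidInputError(ValueError):
    """Raised by the hardened sum when a user-supplied value is not an integer."""


def sum_v1_0_0(values):
    """Version 1.0.0: no input handling. int("abc") raises ValueError and the
    caller sees whatever the framework renders for an unhandled exception."""
    total = 0
    for value in values:
        total += int(value)
    return total


def handle_request_v1_0_0(raw_input):
    """Models a debug-mode request handler (the 'before' state): on failure it
    returns the full traceback to the client, exposing paths and source lines."""
    try:
        return {"ok": True, "result": sum_v1_0_0(raw_input.split(","))}
    except Exception:  # deliberately broad: this is the leaky behaviour being shown
        return {"ok": False, "error": traceback.format_exc()}


def sum_v1_1_0(values):
    """Version 1.1.0: each value is checked; a bad one raises InvalidInputError
    whose message names only the offending position, nothing internal."""
    total = 0
    for position, value in enumerate(values, start=1):
        text = value.strip()
        try:
            total += int(text)
        except ValueError:
            # `from None` drops the chained ValueError so no detail of the
            # failed conversion travels with the error.
            raise InvalidInputError(
                f"value at position {position} is not an integer"
            ) from None
    return total


def handle_request_v1_1_0(raw_input):
    """Hardened handler: user mistakes get a clean message; anything else is
    logged server-side and reported to the client only as a generic failure."""
    try:
        return {"ok": True, "result": sum_v1_1_0(raw_input.split(","))}
    except InvalidInputError as exc:
        return {"ok": False, "error": str(exc)}
    except Exception:
        log.exception("unexpected failure in sum handler")
        return {"ok": False, "error": "internal error"}


def leaks_internals(response):
    """Does an error response carry traceback material (file paths, source
    lines) that a customer should never see?"""
    error = response.get("error", "")
    return "Traceback" in error or ".py" in error


if __name__ == "__main__":
    bad = "1,abc,3"  # constructed user input containing a non-integer
    print("1.0.0 leaks internals:", leaks_internals(handle_request_v1_0_0(bad)))
    print("1.1.0 leaks internals:", leaks_internals(handle_request_v1_1_0(bad)))
    print("1.1.0 error message:", handle_request_v1_1_0(bad)["error"])
```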

How Are Custom-Developed Applications Secured?

Securing custom software begins before writing the first line of code. Once functional requirements are defined, architects lay out the initial design. The architecture should then go through a threat model where the likely attack vectors are analyzed. After the initial threat model is complete and design changes implemented, software development begins.

Most modern software teams use some form of Agile software development. With Agile development, the software is iterated over time and updates occur on a regular basis. The scope of work is decomposed into stories, which typically include small feature implementations (building a new capability) or bug fixes (fixing problems in existing code). Stories that are not actively being worked on are placed in the backlog. When the security team needs developers to fix a security issue, they create a story that lives in the backlog until the development team is able to resolve the problem.

With the “shift left” approach to security, vulnerable code detection begins during development through software composition analysis (SCA), static application security testing (SAST) and dynamic application security testing (DAST). These tools are effective at isolating unique instances of vulnerable code.

The most challenging aspect of securing custom software is finding the weaknesses that lurk in production. Common issues that plague application security include:

  • Unauthenticated APIs
  • Unknown sensitive data stores or data flows
  • Internet-facing microservices
  • Third-party communication

What makes this set of issues particularly challenging is they frequently deviate from the original design. This is why having visibility into what’s deployed in production is essential. When the true architecture is unknown, inferred or outdated, it’s difficult to detect and prioritize security weaknesses. This can lead teams to rely solely on security scanning tools, which tend to provide an overwhelming list of vulnerabilities.

The most effective solution to this problem is application security posture management (ASPM). ASPM provides specific remediation advice based on the real-time status of your software architecture. You not only receive a concise list of the highest priority security weaknesses, but you can also speak clearly to engineering teams about the business impact of vulnerabilities.

Figure 1. With its powerful ASPM capabilities, CrowdStrike Falcon® Cloud Security shows a list of all internet-facing microservices that access personally identifiable information (PII) data and contain critical vulnerabilities


To learn more about preventing breaches in custom-developed software, check out how CrowdStrike Falcon Cloud Security delivers powerful ASPM capabilities as part of a unified cloud-native application protection platform (CNAPP) to offer full-stack protection for your applications.

What Is Commercial Off-the-Shelf Software?

COTS software is built for commercial use and is readily available for purchase. If you pay for application access but can’t see the source code, you’re working with commercial-off-the-shelf software.

When the application is paid for on a recurring basis, you’re purchasing software as a service (SaaS). SaaS is a revenue model, but the terms COTS and SaaS are often used synonymously.

Now, think back to the Math Tutors example, but this time, imagine you work in security at a different company called Math Learners and you’re using the software that Math Tutors developed. From your perspective, the application is a COTS application. Rather than seeing source code, your view of the application will look like the screen shown below.

When version 1.1.0 of the application is released, your team at Math Learners is responsible for upgrading your systems to ensure the vulnerability is patched and they use the secure version. Even though you don’t notice a visible change, upgrading the version adds security fixes to the software.

Common examples of COTS applications that organizations purchase include Google Workspace, Microsoft Outlook and many others. Each of these applications is considered “custom-developed” by the organizations selling them.

How Are COTS Applications Secured?

Purchasing COTS software introduces several security responsibilities. The steps for initial setup and continuous monitoring are as follows:

  1. Perform a security review of the COTS vendor and application.
  2. Provision access to the necessary members of your organization.
  3. Continuously monitor:
  • Application programming interface (API) connections between internal custom-developed applications and the COTS application
  • Individual access permissions and configuration
  • Data transmitted to (and from) the COTS application

From a security perspective, the first step to introducing new COTS software to an organization is to understand the risks. Vendors will not typically share source code, so customers must rely on a limited scope of information. You may consider asking for:

  • A recent penetration test
  • A software bill of materials (SBOM)
  • Documentation on a vendor’s software development lifecycle (SDLC)
  • Certifications such as SOC 2 or ISO
  • Customer references
  • Data access rights in the terms and conditions

Each of these items can give a deeper understanding of the COTS software security posture, but there will always be inherent risk when using another company’s software.

Once the software is approved, the next step is to grant access to the appropriate users. This may be done through role-based access control if entire departments will use the software, or discretionary access control if only certain users need the application.

With access granted, it’s vital to monitor COTS applications continuously. The first area to manage is software-to-software access. This type of access occurs via the APIs that software developers create.

A successful implementation of API management includes an inventory of all API calls to COTS applications. The API inventory should update as software developers create and remove APIs, and note all APIs transmitting sensitive data. ASPM tools automatically generate a comprehensive list of API calls to third-party applications.

Figure 2. A graphical representation of COTS APIs shown in Falcon Cloud Security


The second area to manage is user provisioning. Security teams must audit and update user access to COTS applications regularly. Additionally, security teams are responsible for managing the configuration of COTS applications. Both identity access management (IAM) and SaaS security posture management (SSPM) help ensure COTS configurations are correct.

The third area to manage is sensitive data transfer. Detecting and preventing unauthorized data egress requires a data protection solution. The data protection solution should combine content with context to provide deep real-time visibility into what is happening with your sensitive data, including data artifacts, as they move from the source to the destination, which could be COTS applications.

Consider the following scenario, for example:

  1. A sensitive file is downloaded.
  2. The contents are copied to a spreadsheet.
  3. Smaller chunks of the data are copied to another sheet and moved to a personal Google Drive.

Data protection solutions provide the complete flow, along with who performed the actions and where this data landed.

How CrowdStrike Helps Secure Custom and COTS Software

Both custom and COTS software present unique challenges, but visibility is crucial in both cases. With Falcon Cloud Security and CrowdStrike Falcon® Data Protection, you can keep track of your organization’s use of COTS software and prevent data loss.

The CrowdStrike Falcon platform provides insights on both your custom-developed applications and third-party software use. To learn more, request a demo.

Additional Resources

Eliminate Repetitive Tasks and Accelerate Response with Falcon Fusion

20 November 2023 at 18:38

Adversaries are becoming more sophisticated and faster with their attacks. According to the CrowdStrike 2023 Threat Hunting Report, the average eCrime breakout time is just 79 minutes. This is partly due to adversaries taking advantage of tools that leverage automation like password-cracking tools, exploit kits for web browser vulnerabilities, and marketplaces that sell stolen data. Automation is making their jobs easier and more efficient and is yielding more profitable results, putting security teams at a disadvantage. Attackers use automation — and your team should too.

Inefficient and Manual Processes Are Slowing Down Your Team

Unfortunately, security analysts face more than just threats. Their day-to-day operations are plagued with numerous challenges. It’s not uncommon for security analysts to investigate and respond to a threat with inconsistent processes that include overly manual investigations that force them to correlate data across multiple, disjointed security tools. This leads to lost time, expensive mistakes and overall analyst burnout.

To level the playing field against attackers, your security team must adopt security tools that harness the power of automation and seamlessly integrate with your ecosystem to enable them to work smarter and faster. By standardizing processes and automating repetitive tasks, your team will increase its productivity, efficiency and accuracy. Not only will they gain back valuable time to focus on higher-value operations, they will be able to respond to threats faster.

The Power of Automation Relies on Well-defined Security Processes

Getting started with security automation can be a daunting task because sometimes processes are not designed for automation. If the business logic is not defined correctly, automated processes can yield erroneous results that only become obvious when they are operational. To start your automation journey, you need to assess how it can streamline your current security operations — based on your organizational goals — by establishing priorities and identifying the repetitive and mundane tasks that hold back your team.

Once these are identified, you are ready to gradually implement automation. Start defining the process by documenting the steps the team must take, determining the information needed and where it resides, and identifying who in your organization has access to it. There are numerous security use cases that are prime candidates for automation given their recurrence and number of repetitive tasks involved, such as phishing, alert enrichments, endpoint incident response, threat hunting and more.

Selecting the right tool for the job will also give your team an advantage. Attacks are evolving fast, making use cases and security tools obsolete more quickly, and you want to invest in security and IT tools that can integrate with a flexible security architecture. It can be a challenge for security teams to ensure that configurations of automation tools work with the many different point tools in use — and therefore, native automation capabilities are preferred. To successfully deploy automated workflows and orchestrate investigations and incident response, you need to evaluate tools for their ability to integrate with your current tools and also for their API ecosystem to ensure deep and standardized integrations as you expand into new use cases.

Accelerate Investigation and Response with Native SOAR Capabilities

If you search for the “average number of security tools used by a SOC,” you’ll find data showing that companies can use 40, 50 and even as many as 60-70 security tools. Consolidating and integrating tools is a business imperative, reducing the complexity and simplifying the management of tasks and workflows. Consolidating tools not only helps reduce your budget, it allows your security analysts to conduct their day-to-day operations from a single console to reduce swivel-chair syndrome.

The CrowdStrike Falcon® platform offers native security orchestration automation and response (SOAR) capabilities through CrowdStrike Falcon® Fusion, which empowers your security team to build automated workflows to speed up threat investigation and response. Fully integrated with the CrowdStrike Falcon platform and its product modules, Falcon Fusion orchestrates workflows across the platform and with third-party tools such as ticketing systems that enhance collaboration and bridge the gap between security and IT. Your team will have access to high-quality security data, automated workflows, integrations and response actions, all from the unified Falcon platform.

Increase SOC Productivity and Reduce Analyst Burnout with Falcon Fusion

The ability to systematize your incident response plan into automated workflows gives your security analysts the power to increase consistency and accuracy as they resolve threats. The Falcon Fusion no-code interface results in workflow builds in just minutes – teams simply select the trigger, define conditions and configure the actions. It also enables you to orchestrate complex use cases with conditional branching and logic, and to schedule them to run continuously. For common security use cases, Falcon Fusion provides pre-built playbooks to give your security team a head start in automating your security operations processes, all from the same console that your team already uses.

With over 61,000 unique workflow definitions, Falcon Fusion gives you limitless opportunities to automate your processes to make them more efficient. By integrating with Falcon Real Time Response, your analysts will be able to import customized scripts, created by them or from the library, to expand the actions that they can perform with their workflows for immediate remediation. And, due to its native integration across Falcon platform modules, Falcon Fusion extends the automation power of each module like CrowdStrike Falcon® Intelligence Recon for digital threat monitoring, CrowdStrike Falcon® Spotlight for automated vulnerability remediation and more.

Security automation is essential to defend your attack surface and give your security team a fighting chance against adversaries. By automating workflows such as investigating incidents faster, scaling vulnerability patching and containing hosts to stop lateral movement, Falcon Fusion will up-level your team to punch above their weight and reduce your mean time to respond (MTTR) to better protect your organization and keep adversaries at bay. 

Additional Resources

CrowdStrike’s View on the New U.S. Policy for Artificial Intelligence

21 November 2023 at 20:37

The major news in technology policy circles is this month’s release of the long-anticipated Executive Order (E.O.) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. While E.O.s govern policy areas within the direct control of the U.S. government’s Executive Branch, they are important broadly because they inform industry best practices and can even potentially inform subsequent laws and regulations in the U.S. and abroad.

Accelerating developments in AI — particularly generative AI — over the past year or so have captured policymakers’ attention. And calls from high-profile industry figures to establish safeguards for artificial general intelligence (AGI) in particular have further heightened attention in Washington, D.C. In that context, the E.O. should be viewed as an early and significant step addressing AI policy rather than a final word.

Given CrowdStrike’s extensive experience with AI since the company’s founding in 2011, we want to highlight a few key topics that relate to innovation, public policy and cybersecurity.

The E.O. in Context

Like the technology it seeks to influence, the E.O. itself has many parameters. Its 13 sections cover a broad cross section of administrative and policy imperatives. These range from policing and biosecurity to consumer protection and the AI workforce. Appropriately, there’s significant attention to the nexus between AI and cybersecurity, which is covered at some length in Section 4.

Before diving into specific cybersecurity provisions, it is important to highlight a few observations on the document’s overall scope and approach. Fundamentally, the document strikes a reasonable balance between exercising caution regarding potential risks and enabling innovation, experimentation and adoption of potentially transformational technologies. In complex policy areas, some stakeholders will always disagree about how to achieve balance, but we’re encouraged by several attributes of the document.

First, in numerous areas of the E.O., agencies are designated as “owners” of specific next steps. This clarifies for stakeholders how to provide feedback and reduces the odds for gaps or duplicative efforts.

Second, the E.O. outlines several opportunities for stakeholder consultation and feedback. These will likely materialize through Request for Comment (RFC) opportunities issued by individual agencies. Further, there are several areas where the E.O. tasks existing — or establishes new — advisory panels to integrate structured stakeholder feedback on AI policy issues.

Third, the E.O. mandates a brisk progression for next steps. Many E.O.s require tasks to be finished in 30- or 60-day windows, which are difficult for agencies to meet at all, let alone in deliberate fashion. This document in many instances provides for 240-day deadlines, which should enable 30- and 60-day engagement periods through RFCs, as outlined above.

Finally, the E.O. states plainly that “as generative AI products become widely available and common in online platforms, agencies are discouraged from imposing broad general bans or blocks on agency use of generative AI.” This should help ensure that government agencies explore positive use cases for leveraging AI for their own mission areas. If history is any guide, it’s easy to imagine a scenario where a talented junior staffer at a given agency identifies a key way to leverage AI at some time next year, that no one could easily forecast this year. It would be unwise to foreclose that possibility, as innovation should be encouraged inside and outside of government.

AI and Cybersecurity Provisions

On cybersecurity specifically, the E.O. touches on a number of key areas. It’s good to see specific callouts to agencies like the National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA) and Office of the National Cyber Director (ONCD) that have significant applied cyber expertise.

One section of the E.O. attempts to reduce risks of synthetic content — that is, generative audio, imagery and text. It’s clear the measures cited here are exploratory in nature rather than rigidly prescriptive. As a community, we’ll need to innovate solutions to this problem set. And with U.S. elections around the corner, we hope to see rapid advancements in this space.

In many instances, the E.O.’s authors paid close attention to enumerating AI policy through established mechanisms, some of which are closely related to ongoing cybersecurity efforts. This includes the direction to align with the AI Risk Management Framework (NIST AI 100-1) and the Secure Software Development Framework. This will reduce risks associated with establishing new processes, while enabling more coherent frameworks for areas where there are only subtle distinctions or boundaries between, for example, software, security and AI.

The document also attempts to leverage sector risk management agencies (SRMAs) to drive better preparedness within critical infrastructure sectors. Specifically, it mandates:

Within 90 days of the date of this order, and at least annually thereafter … relevant SRMAs, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security for consideration of cross-sector risks, shall evaluate and provide to the Secretary of Homeland Security an assessment of potential risks related to the use of AI in critical infrastructure sectors involved, including ways in which deploying AI may make critical infrastructure systems more vulnerable to critical failures, physical attacks, and cyber attacks, and shall consider ways to mitigate these vulnerabilities.

This is important, but we also encourage these working groups to consider benefits along with risks. There are many areas where AI can drive better protection of critical assets. When done correctly, AI can rapidly surface hidden threats, accelerate the decision making of less experienced security analysts and simplify a multitude of complex tasks.

At CrowdStrike, AI has been fundamental to our approach from the beginning and has been built natively into the CrowdStrike Falcon® platform. Beyond replacing legacy AV, our platform uses analytics to help prioritize critical vulnerabilities that introduce risk and employs the power of AI to generate and validate new indicators of attack (IOAs). With Charlotte AI, CrowdStrike is harnessing the power of generative AI to make customers faster at detecting and responding to incidents, more productive by automating manual tasks, and more valuable by learning new skills with ease. This type of AI-fueled innovation is fundamental to keep pace with ever-evolving adversaries incorporating AI into their own tactics, techniques and procedures.

In Summary

This E.O. represents a key step in the evolution of U.S. AI policy. It’s also particularly timely. As we described in our recent testimony to the House Judiciary Committee, AI is key to driving better cybersecurity outcomes and is also of increasing interest to cyber threat actors. As a community, we’ll need to continue to work together to ensure defenders realize the leverage AI can provide, while mitigating whatever harms might come from threat actors’ abuse of AI systems.

This article was first published in SC Magazine: The Biden EO on AI: A stepping stone to the cybersecurity benefits of AI

Additional Resources

CrowdStrike Demonstrates Cloud Security Leadership at AWS re:Invent 2023

30 November 2023 at 17:13

CrowdStrike is honored to be named Partner of the Year for several 2023 Geo and Global AWS Partner Awards at Amazon Web Services re:Invent 2023, where we are participating this year as a Diamond Sponsor.

We are also proud to be a launch partner for AWS Built-in and achieve two AWS competencies. These accomplishments demonstrate our forward-thinking approach to cloud security and commitment to ensuring CrowdStrike customers have the strongest possible protection as the cloud threat landscape continues to evolve.

Let’s get into this week’s announcements.

CrowdStrike Wins Multiple AWS Partner Awards

CrowdStrike was recognized during AWS re:Invent as a global leader with a key role in helping customers drive innovation and build solutions on AWS. This year, CrowdStrike was selected as the winner of the following AWS Partner Awards:

  • Public Sector Partner of the Year: Recognizes CrowdStrike as the top AWS Public Sector Partner with cloud-based solutions and experience supporting government, space, education and nonprofit organizations around the world.
  • State or Local Government Partner of the Year: Recognizes CrowdStrike as the top AWS Partner with the Government Competency, delivering innovative mission-based wins for state and/or local governments.
  • Non-Profit Organization Partner of the Year: Recognizes CrowdStrike as the top AWS Partner that has delivered innovative mission-based wins for non-profits.

CrowdStrike: An AWS Built-in Launch Partner with Built-In Competency

Businesses are constantly seeking ways to fortify their cloud environments to defend against adversaries increasingly targeting the cloud. They must select the right technologies to protect their cloud-based systems and workloads and deploy these solutions in a seamless, efficient and scalable manner. 

During AWS re:Invent 2023, AWS officially launched its AWS Built-in Competency partner program. The goal of this initiative is to accelerate customer success by promoting AWS Independent Software Vendor (ISV) partners delivering cloud security and operational services that integrate closely with AWS native services.

CrowdStrike achieved the AWS Built-in Competency in the security category by automating cloud security deployment and leveraging the event-driven architecture of cloud services. For example, when new workloads are provisioned — such as the launch of new Amazon EC2 instances or creation of new AWS accounts — that event can be used to trigger specific security actions. These may include automatically deploying the CrowdStrike Falcon® sensor on Amazon EC2 for CrowdStrike Falcon® Cloud Security runtime protection, or registering new accounts for Falcon Cloud Security agentless posture scanning and behavioral analysis.

Falcon Cloud Security provides complete visibility into cloud assets and uncovers risks related to misconfigurations, software package vulnerabilities, hard-coded secrets, malware, insecure identities and more. Combining agent-based and agentless detection in a unified platform empowers Falcon Cloud Security to proactively identify, prioritize and remove critical issues in cloud environments.

The integration between Falcon Cloud Security and AWS Built-In will: 

  • Automate security deployment: Falcon Cloud Security combines several key capabilities that work together to deliver unified cloud security. These include:
    • Cloud security posture management (CSPM): Falcon Cloud Security scans AWS services to uncover misconfigurations that adversaries could use to start or extend an attack, while ingesting AWS service API telemetry to hunt for anomalous activity that may indicate an attack.
    • Cloud workload protection (CWP): Agent-based CWP provides deep insight and AI-driven adaptive protection for workloads including Amazon EC2 instances and containerized applications.
    • Pre-runtime protection: Pre-runtime container image scanning and infrastructure-as-code (IaC) scanning identify vulnerable packages and high-risk configurations before they are implemented in production.

Individually, each of these components could require a different deployment mechanism that may delay time-to-value, especially when protecting multiple accounts across multiple regions. CrowdStrike’s built-in solution combines these capabilities in a simple and configurable CloudFormation template. It works with AWS Control Tower to establish a secure multi-account landing zone and can independently and automatically deploy individual components in response to events in the environment, such as the creation of new Amazon EC2 instances or deployment of new accounts in an AWS Control Tower or AWS Organizations landing zone. 

  • Accelerate the customer’s time-to-value: The need for effective, reliable and quick integration of security tools is paramount. By streamlining the integration process, CrowdStrike empowers customers to fully harness the benefits of foundational AWS-native services while achieving complete cloud security. Our objective is to deliver a unified customer experience by eliminating the complexities of combining disparate software and data sources.

  • Enhance reliability and efficiency: As businesses look to migrate and expand their operations on AWS, they need a security solution that can deploy at the speed of cloud. With AWS Built-in, customers can seamlessly deploy Falcon Cloud Security and consolidate disjointed point products with the most unified cloud-native application protection platform (CNAPP), built on a combined agent-based and agentless approach for complete visibility and protection.

CrowdStrike Achieves AWS Container Competency

The AWS Container Competency recognizes ISV partners offering software designed to operate seamlessly and cost-effectively in container environments. Container clusters such as Amazon Elastic Kubernetes Service (EKS) may host hundreds, thousands or even tens of thousands of ephemeral containers in a single cluster. They rely on IaC to define automated actions that occur throughout the container and cluster lifecycle. 

Our achievement of the AWS Container Competency marks a significant milestone in our partnership with AWS. This underscores our deep and proven expertise in managing container-based applications, a critical aspect of modern cloud environments. By attaining this competency, CrowdStrike not only demonstrates its commitment to providing robust security solutions for containerized applications but also aligns closely with AWS’ high standards for performance and security.

Falcon Cloud Security’s container environment protection uses Kubernetes-native packaging and deployment features such as Operators and Helm charts to provision cluster resources such as access roles, configuration files and self-healing pod replicas. The Kubernetes Admission Controller feature discovers new cluster objects as they’re created, inspects them for risks and vulnerabilities, and enables the creation of granular policies to block, alert or log specific cluster operations. Falcon Cloud Security is designed to protect a wide range of container environments including CSP-managed and self-managed Kubernetes, Amazon Elastic Container Service (Amazon ECS), Red Hat OpenShift on AWS (ROSA) and individual Docker hosts.

CrowdStrike’s dual achievement of the AWS Built-in Competency and Container Competency is a clear testament to our forward-thinking approach in cloud security. By aligning with AWS’s high standards, we’re both reinforcing our commitment to providing advanced security solutions and ensuring these solutions are seamlessly integrated with AWS’ leading cloud services. This synergy is pivotal in today’s landscape, where the sophistication of cyber threats targeting cloud environments continues to evolve. 

Curious about Falcon Cloud Security? Explore our free, no-obligation Cloud Security Risk Review for instant and complete visibility into your entire cloud estate, provided through agentless scanning. It deploys in minutes with zero impact to your business.

4 Major Falcon LogScale Next-Gen SIEM Updates That Accelerate Time-to-Insights

18 January 2024 at 18:17

To unlock the speed and scalability of CrowdStrike Falcon® LogScale next-gen SIEM, you must first bring your data into the powerful, cloud-native solution. And with log sources multiplying and data volumes skyrocketing, you need an easy way to collect, parse and enrich your data.

Data onboarding can be complex and time-consuming in traditional SIEM tools. Data engineering teams must contend with countless evolving log sources, formats and ingestion methods. Painful setup processes can overwhelm even the most experienced teams and lead to deployment delays, cost overruns and employee burnout.

We’ve recently introduced an array of advancements for Falcon LogScale to help you ease setup, avoid headaches and power faster security insights. Here are the most notable new features.

1. Get Started Faster with New Marketplace Packages

The Falcon LogScale Marketplace lets you fast-track the setup of next-gen SIEM with turnkey packages that include prebuilt parsers, dashboards, alerts, actions and saved queries. Installed in just a few clicks from the Falcon LogScale user interface, packages in the Falcon LogScale Marketplace make it easier than ever to unlock the potential of your entire security ecosystem.

In the last three months, we have launched over 30 new Falcon LogScale packages to help you use new data sources faster. These packages include parsers that normalize data to a common schema based on an OpenTelemetry standard. The schema allows analysts to search data without knowing the specifics of the data format, and hunt across data sources with ease. 

With this rapid release of new Falcon LogScale packages, our vision of delivering a comprehensive marketplace for next-gen SIEM is becoming reality. We plan to publish even more ready-to-use content this year to help ease adoption, scale your SIEM deployments and relieve overburdened staff.

2. Simplify Data Onboarding with CrowdStream

CrowdStream, a native capability of the CrowdStrike Falcon® XDR platform, transforms how you onboard and manage your log data by directly connecting any data source to Falcon LogScale. Sitting between data sources and their destination, CrowdStream provides an elegant and cost-effective way to route data to Falcon LogScale to accelerate the adoption of next-gen SIEM while minimizing the complexity and cost of connecting data sources.

CrowdStream not only accelerates the adoption of Falcon LogScale, it gives you visibility and control over your data. You can granularly mask or truncate sensitive data for compliance purposes. In addition, CrowdStream can enrich data with threat intelligence or geolocation information, and optionally remove extraneous fields, null values and duplicate events.

Leveraging Cribl’s observability pipeline technology, CrowdStream offers out-of-the-box integrations to collect data from a broad set of applications and devices. It can also normalize data into a consistent format before it’s routed to Falcon LogScale, making data immediately actionable for threat hunting and investigations. With CrowdStream, Falcon LogScale provides end-to-end data pipelining and event management to address a broad set of security and compliance use cases with ease.

CrowdStream is available now. Falcon LogScale customers with cloud-native deployments receive 10GB/day of data streaming at no additional cost. Unlimited data streaming is available with the purchase of an additional CrowdStream subscription beginning in February 2024.

3. Easily Extend Detection and Response to Cloud Assets with Amazon S3 Integration

More than 80% of breaches involve data stored in the cloud. As adversaries shift their focus to the cloud, you must expand your realm of visibility and control to your cloud environment.

A perfect place to start is with Amazon Web Services (AWS) data. If your organization is like countless others, you use Amazon S3 object storage to retain your cloud data. You probably store cloud logs, such as AWS CloudTrail, Amazon CloudWatch and VPC Flow Logs, in Amazon S3 buckets. Because many cloud-delivered applications and services can write logs to S3 buckets, you can forward security-relevant logs from a variety of sources to S3 storage and then pull this data into your security and observability tools.

A new Amazon S3 log ingestion feature in Falcon LogScale lets you automatically retrieve logs from S3 buckets for analysis and visualization. Flexible configuration options let you select compression, preprocessing and parser of your choice depending on the format of your data. These step-by-step instructions explain how to set up this powerful new feature in Falcon LogScale and start hunting for cloud threats at blazing-fast speed.

4. Remotely Manage and Monitor a Massive Fleet of Falcon LogScale Collectors

The Falcon LogScale Collector provides a robust, reliable way to forward logs from Linux, Windows and macOS hosts to Falcon LogScale. Gathering data from a variety of sources, including files, command sources, syslog and Windows events, the Falcon LogScale Collector swiftly sends events with sub-second latency between when a line is written on the host and when it is forwarded to Falcon LogScale.

We’ve introduced a number of enhancements that raise the bar for Falcon LogScale Collector management. For example, a new fleet management feature lets you manage Falcon LogScale Collector instances from the Falcon LogScale management interface. The Falcon LogScale Collector also now gathers CPU, memory and disk usage metrics, allowing administrators to identify and troubleshoot issues. Recent optimizations increase agent performance and resilience, and de-duplicate redundant log data.

Experience Next-Gen SIEM 

As the future of log management and next-gen SIEM, Falcon LogScale lets you collect up to 1 petabyte of data per day and query data up to 150x faster than legacy SIEMs. Between the new Marketplace packages, flexible CrowdStream observability pipeline, Amazon S3 ingestion and Falcon LogScale Collector advancements, we’ve taken Falcon LogScale to the next level, enabling you to spend more time stopping threats and less time onboarding data.

We’ve also added in-product tutorials and filter alerts, and elevated the user experience with dashboard widgets, PDF reporting and table drill-down options. For a complete list of features, see the Falcon LogScale release notes.

Our ultimate goal is to offer the world’s most effortless, automated data onboarding across all data sources, and we’re investing inordinate resources to achieve it. The innovations announced in this post are just the beginning.

Beyond Compliance: Secure Your Business in the Cloud with Falcon Cloud Security

25 January 2024 at 21:58

Cloud infrastructure is subject to a wide variety of international, federal, state and local security regulations. Organizations must comply with these regulations or face the consequences. 

Due to the dynamic nature of cloud environments, maintaining consistent compliance for regulatory standards such as CIS, NIST, PCI DSS and SOC 2 benchmarks can be difficult, especially for highly regulated industries running hybrid or multi-cloud infrastructures. Challenges vary by industry but often include cloud complexity, data residency, time-consuming audits and keeping up with new regulations. 

Read: “What is Cloud Compliance? A Starter Guide for Security Professionals”

Many organizations are uncertain about their cloud compliance obligations — and who is responsible for them. Cloud security tools such as cloud security posture management (CSPM) and cloud workload protection (CWP) can help organizations meet compliance benchmarks while providing advanced protection against cyberattacks. 

Monitoring your cloud deployments against compliance frameworks provides a base level of controls and best practices. However, these deployments must also be layered with advanced protection. With cloud breaches rampant, this advanced protection is critical, as adversaries continue to evolve their techniques faster than compliance regulations can be updated. 

CrowdStrike Falcon® Cloud Security covers the four major security compliance frameworks, including MITRE ATT&CK®, CIS, NIS and ISO, as well as industry-specific requirements, including GDPR and PCI-DSS for financial services and payments, FedRAMP and FISMA for government, and HIPAA and HITECH for healthcare. 

With Falcon Cloud Security, you can identify risks and security gaps, address misconfigurations and vulnerabilities, and enforce gold-standard policies to meet industry regulations while securing your business in the cloud. 

Here’s the story of how one organization did just that. 

Going Beyond Compliance: Commercial Bank of California

As a bank built for the speed and scale of modern business, Commercial Bank of California (CBC) runs a number of web applications and APIs hosted in AWS and Microsoft Azure. In addition to adhering to federal and state regulations, PCI security standards and NACHA, CBC implements CIS benchmarks to harden its cloud environments. 

Before adopting Falcon Cloud Security, CBC had to manually identify gaps and track remediation. With CrowdStrike, the bank can automatically detect misconfigurations in near real-time and filter them by MITRE ATT&CK and compliance guidelines. Falcon Cloud Security also sorts by severity rating, allowing CBC to prioritize remediation based on risks. 

“We care about our clients’ data and the funds they entrust us to hold. We needed a solution that could both monitor and harden our multi-cloud environment so we can avoid any data loss or potential compromise,” said Kevin Tsuei, SVP Information Security Officer at CBC. “Falcon Cloud Security has been a time-saving resource for us and a valuable tool to enhance our security posture.”

CBC learned it could easily deploy Falcon Cloud Security to protect its cloud environments using the same lightweight CrowdStrike Falcon® sensor it uses to protect its endpoints and other attack surfaces. With Falcon Cloud Security, CBC can go beyond compliance to secure its business in the cloud.

“Falcon Cloud Security helped us harden our cloud environments. We can now quickly identify and fix cloud misconfigurations, secure our containers and protect our Linux servers in both AWS and Azure,” said Tsuei. “With CrowdStrike, we can remediate any cloud intrusion in less than 16 minutes, which puts our minds at ease.”


Making Cloud Compliance Easier

Cloud compliance starts with a robust, well-defined security posture that provides visibility and control with a granular view of infrastructure and workflow traffic. While all cloud security solutions help with compliance to some degree, CrowdStrike delivers comprehensive cloud detection and response, enabling a robust security posture and compliance specific to different industries and regulations. 

CrowdStrike can help you attain compliance for your cloud environment so you can focus on innovating your business. Falcon Cloud Security offers:

  • Unified compliance visibility. Use the compliance dashboard, framework details and drill-down capabilities for simple and consistent compliance auditing and reporting.
  • Compliance management. Enforce compliance of industry regulations and security benchmarks with automated compliance features and customized policies.
  • Simplified reporting. View and export results of assessments mapped to a benchmark or framework requirement. You can also export scheduled or on-demand reports of your compliance posture and non-compliant assets.
  • Remediation. Get remediation steps, alert logic and MITRE ATT&CK information for each policy. Links to related compliance information are available for quick reference throughout the user interface.

Figure: The Falcon Cloud Security compliance dashboard makes cloud compliance easier.

CrowdStrike achieved 100% protection, 100% visibility and 100% analytic detection coverage in the MITRE Engenuity ATT&CK® Evaluations: Enterprise Round 5. Our cloud-native application protection platform (CNAPP) capabilities offer both pre-runtime container image scanning and runtime protection — providing complete protection against cloud breaches.

Watch this short video to see how Falcon Cloud Security makes it easier for organizations to enforce cloud compliance:

Delivered from the AI-native CrowdStrike Falcon Platform

A strong cloud security solution helps you enforce compliance throughout your security operations, while also providing a unified approach to threat prevention, visibility and security posture management to stop breaches.

While some cloud security vendors offer pieces of security, compliance and governance of policies, CrowdStrike goes above and beyond to offer unified security and compliance across the entire infrastructure, from on-premises to the cloud, in a single console and single interface as part of the AI-native CrowdStrike Falcon platform.

The result is an industry-leading cloud security solution that allows organizations to enforce cloud compliance while delivering the strongest protection against breaches.

CrowdStrike Named a Leader in Forrester Wave for Cloud Workload Security

30 January 2024 at 14:38

Today, we’re proud to announce that Forrester has named CrowdStrike a Leader in The Forrester Wave™: Cloud Workload Security, Q1 2024, stating “CrowdStrike shines in agentless CWP [cloud workload protection] and container runtime protection.”

Forrester identified the 13 most significant vendors in cloud workload security and researched, analyzed and scored them based on the strengths of their current offering, strategy and market presence. Highlights include: 

  • CrowdStrike was positioned as a Leader, with the highest placement of all 13 vendors in the Strategy category, as well as the highest score possible in 10 criteria, including vision, innovation, partner ecosystem, adoption, and pricing flexibility and transparency.
  • In the Current Offering category, CrowdStrike received the highest score possible in the criteria of agentless cloud workload protection, container runtime protection, IaC scanning, and detection and response — showcasing, in our opinion, our industry-leading protection from cloud breaches.
  • CrowdStrike received the highest score possible in the Number of Customers criterion, highlighting for us how customers around the world are racing to standardize on the CrowdStrike Falcon® platform for cloud security.

Last year, we added one-click XDR, agentless snapshot scanning for OS vulnerabilities and complete cloud attack path visualization, among countless other industry-leading capabilities to our cloud security technology to help customers simplify security operations and harden their cloud environments. 

And with our acquisition of Bionic, the pioneer of application security posture management (ASPM), CrowdStrike is the first cloud security vendor to natively secure customers in the cloud by providing complete visibility across cloud and app-level risks, delivering the industry’s most complete platform for cloud security, from code to cloud.

Forrester Ranks CrowdStrike a Leader and Highest in Strategy

Forrester gave CrowdStrike the highest score in the Strategy category, which we believe demonstrates how CrowdStrike is building on its strengths to deliver both the present and future of cloud security from the AI-native CrowdStrike Falcon XDR platform. 

Forrester recognizes the range of CrowdStrike’s cloud security capabilities in its report:

“CrowdStrike offers strong agent-based CWP for Linux and Windows and robust container runtime protection. IaC scanning is versatile and effective. Cloud detection and response capabilities are also ahead of the competition.”

To protect against the cloud threats of tomorrow, cloud security must evolve faster than the adversary. We pioneered cloud-native cybersecurity and continue to deliver the innovation needed to extend industry-leading protection across every area of the attack surface. 

“From its agent-based behavioral malware detection roots, CrowdStrike has been expanding on its AI/ML rails into CSPM and IaC scanning. CrowdStrike shows a convincing CWS vision, and its innovation potential as indicated by technical employee staffing is ahead of the competition,” according to Forrester’s report.

ASPM is one area we’re particularly excited about. With Bionic, we will extend the Falcon platform’s unique agent-based and agentless protection of cloud infrastructure with unprecedented visibility into application behavior and vulnerability prioritization for both server-based and serverless infrastructure, without disrupting the development process.

CrowdStrike doesn’t stop at industry-leading technology. We’re the only cloud security vendor with a full range of cloud threat detection and response services including incident response, threat hunting, assessment and 24/7 MDR services for your entire cloud estate.

Cloud Security for Every Organization

CrowdStrike scored a perfect 5/5 in the Number of Customers criterion in this Forrester Wave. Organizations are flocking to CrowdStrike Falcon® Cloud Security for several reasons. 

CrowdStrike’s mission is to stop breaches. To support that mission, we’re delivering a unified cybersecurity platform from endpoint to cloud with both agent-based and agentless support for cloud security. With pre-runtime and runtime protection, and agentless technology, we’re meeting customers wherever they are on their cloud security journey.

In addition, we’ve engineered CrowdStrike Falcon Cloud Security to make security operations easier. We help reduce alert fatigue by correlating cloud risks to apps and services, allowing teams to focus on the vulnerabilities with the most business risk. We also integrate the industry’s best threat intelligence into Falcon Cloud Security to continuously reduce the attack surface and speed up mean time-to-response with auto-remediation and other automations.

Finally, CrowdStrike is a platform cybersecurity company. Our platform provides comprehensive visibility across on-prem and cloud assets, including apps, data and user identity. Every module on the AI-native Falcon platform, including Falcon Cloud Security, is deployed using the same lightweight agent, a strategy that helps customers consolidate point products, eliminate security gaps and reduce operational overhead, while easily adding new protections as threats evolve.

Forrester interviewed a number of CrowdStrike customers for its report, which states: “Reference customers said that the CWP agent is easy to install.” 

This Forrester Wave for Cloud Workload Security is a trustworthy report to help tech buyers choose the right cloud security vendors. With this recognition, we’re poised to help more organizations replace immature cloud security point products and continue building one of the largest and fastest growing cloud security businesses in the industry.

Falcon Fund in Focus: Aembit Strengthens Security for Workload-to-Workload Access

30 January 2024 at 20:11

The rise of distributed cloud services and the omnipresence of APIs have caused cloud-native application architecture to become highly fragmented. Enforcing secure access is a critical step in strengthening security as IT environments become more complex — but for many organizations, ensuring secure access across this evolving architecture is a constant challenge.

Existing secure access solutions often fail to scale within customer environments because they largely focus on managing secrets, which becomes more time-consuming and error-prone in modern environments. Employing these legacy solutions can hinder an organization’s ability to scale and secure its cloud-native applications.

Securing access to company assets is a modern security requirement and must span human and non-human identities. Like users, workloads have distinct identities and evolving security postures. Machine identities are growing exponentially, with workload identities outnumbering human identities 10:1 — a staggering ratio that doubled from 2021 to 2023. The challenges of securing these resources, and the significant losses organizations face, have created a need for a revolutionary approach to securing workload access. 

Falcon Fund partner Aembit, a workload identity and access management (IAM) platform provider, has announced a new integration with the AI-native CrowdStrike Falcon platform to empower businesses to manage and enforce conditional access policies based on the real-time security posture of their applications and services.

Aembit’s dynamic platform seamlessly identifies and authenticates workloads, authorizes access based on policies including security posture, and logs all accesses and access attempts for auditing and analytics. Aembit Workload IAM is designed to work across clouds, on-premises environments, SaaS services and third-party APIs. 

The platform drives productivity by allowing developers to take a no-code approach to authentication. It provides centralized control and visibility, and replaces outdated secrets manager solutions, shifting the paradigm to managing access — not secrets. The partnership between CrowdStrike and Aembit demonstrates a significant step forward in Aembit’s mission to help organizations make workload-to-workload access more secure and manageable. 

CrowdStrike is excited to build on its strategic investment in Aembit through CrowdStrike Falcon Fund. A key piece of this investment is a multi-faceted partnership between CrowdStrike and Aembit to ensure conditional access policies for secure workload access. Through the initial integration, customers can enforce Zero Trust for workloads with thorough and accurate assessments of workload security posture, policies that grant access based on workload identities, and conditional access dependent on workload health.

How the Integration Works

The Aembit Workload IAM solution checks to see if a CrowdStrike Falcon agent is running on the workload. It leverages CrowdStrike’s workload posture assessment, along with workload identity attestation, to evaluate the workload’s real-time security posture and determine whether workloads should be granted access to applications and data. This process ensures that access originates from a trusted workload. 

With this approach, enterprises can protect their workloads from unauthorized access, even against the backdrop of changing conditions and dynamic access requirements. Additional benefits from this partnership include:

  • Managed workload-to-workload access: Enforce and manage workload access to other applications, SaaS services and third-party APIs based on policies set by the security team, lowering risk.
  • Ease of deployment: Seamlessly integrate the Aembit Workload IAM platform with the Falcon platform in just a few clicks, creating a unified experience for managing workload identities while understanding workload security posture.
  • Zero Trust security model: Adopt a Zero Trust approach, which ensures every access request is verified before access rights are granted. Aembit’s solution enforces the principle of least privilege based on identity, policy and workload security posture. 
  • Visibility and monitoring: Gain in-depth visibility into workload identities and access permissions to drive faster threat detection and response. Monitor and audit access logs based on identity for comprehensive security oversight. 

Please visit the Aembit integration page in the CrowdStrike Marketplace to learn more and request the integration today.

Additional Resources

  • Learn more about Falcon Fund and CrowdStrike’s partnership with innovative companies.
  • See how CrowdStrike gives you comprehensive protection across your organization through our 15-day free trial.
  • Visit the CrowdStrike Marketplace to explore additional partner integrations.

Data Protection Day 2024: As Technology and Threats Evolve, Data Protection Is Paramount

31 January 2024 at 20:13

Today’s cybersecurity landscape poses one of the most significant risks to data. This holds true for organizations of all sizes, across all industries, tasked with protecting their most essential data amid an increasingly regulated environment and faster, more innovative adversaries.

Recent years have introduced a steady drumbeat of new data privacy regulations. There are now 14 U.S. states that have passed privacy laws. In July 2023, the Securities and Exchange Commission (SEC) adopted new rules requiring organizations to disclose material cybersecurity incidents, as well as information regarding their risk management, strategy and governance. On a global level, dozens of countries have updated their guidance on data privacy.  

Organizations must now comply with an “alphabet soup” of data protection requirements including GDPR, CCPA, APPI, PDPA and LGPD. Some of these are evolving to incentivize the adoption of stronger security practices. Newly updated regulations in Brazil, for example, give breached organizations a fine reduction of up to 75% if they have state-of-the-art protection in place at the time of a cyberattack. 

The list is growing: In 2024, many organizations will face new requirements stemming from the SEC’s new rules and state privacy laws, including amendments to the CCPA, industry-specific mandates, and those imposed on critical infrastructure by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). These developments include new incident reporting obligations and requirements to implement certain security technologies, as well as demonstrate compliance through cybersecurity audits, risk assessments, public disclosures and other measures. 

These myriad legal requirements broadly raise the bar for “reasonable” security. However, adversaries typically move faster than data protection mandates can keep up. Organizations must pay close attention to how adversaries are evolving their techniques and determine whether they’re prepared to defend their data against modern threats.

Data Extortion and the Defender’s Dilemma 

The emergence of new regulations has been a game-changer for adversaries and defenders alike. Protecting against data breaches has only grown more challenging as threat actors evolve their tradecraft and quickly learn the pressure these regulations put on breached organizations.

Today’s adversaries are working smarter, not harder. This is clear in the growth of data extortion, which has emerged in recent years as an easier, less risky means for adversaries to profit. Threat actors are shifting away from noisy ransomware campaigns, which typically trigger alarm bells in security tools — instead, they are quietly stealing victims’ data and then threatening to leak it if their financial demands aren’t met. 

The rise in data extortion has corresponded with adversaries increasingly targeting identities, a critical threat vector organizations must consider as they build their data protection plans. Rather than relying on malware-laced phishing emails to breach target organizations, they can use a set of compromised credentials to simply log in. A growing number of access broker advertisements enables the sale of credentials, vulnerability exploits and other forms of illicit access: Last year, CrowdStrike reported a 147% increase in access broker ads on the dark web. Adversaries can now more stealthily infiltrate organizations, take valuable data and demand their price, putting victims in a tough position.

Data protection regulations change the calculus for organizations hit with data extortion — and adversaries know it. When threat actors steal information and tell their victims they’re in violation of HIPAA, GDPR, CCPA or other regulations, the stakes are higher. They know exactly how much an extortion attack will cost a business once it’s disclosed to regulators, and they can use this to coerce organizations into paying them instead. This may be a false choice, as many disclosure requirements apply regardless, but the coercion is real.

There are other ways adversaries use regulation consciousness to their advantage. In one 2023 case, a ransomware gang filed an SEC whistleblower complaint directed at one of its victims. The complaint, filed before the new SEC rules actually went into effect, attempted to claim that the victim was in violation of its duty to disclose a material cyber incident. 

Organizations must be incentivized to protect their data from modern threats. They should not feel stuck between the fear of reporting a breach and the pressure to meet adversaries’ ransom demands. With the right safeguards in place, businesses can protect their data from adversaries’ evolving attempts to access it. This is where CrowdStrike comes in. 

How CrowdStrike Can Help 

As we recognize Data Protection Day 2024, it is essential we consider what data protection involves and how critical cybersecurity is — not only for compliance, but for protecting privacy. Organizations must adopt best practices to protect their data in addition to achieving compliance requirements. 

Visibility is essential to maintain regulatory compliance and protect sensitive data from today’s adversaries. If you don’t have visibility into your data flows, your credentials or the sensitive data your organization holds, how can you know whether that data is at risk? 

An organization’s data is among its most valuable assets — and adversaries are after it. Protecting that data should be a top priority. CrowdStrike Falcon® Data Protection provides deep, real-time visibility into what’s happening with your sensitive data as it flows across endpoints, cloud, web browsers and SaaS applications. As the modern approach to data protection, our technology ensures compliance with minimal configuration and provides comprehensive protection against modern threats. 

It is more important than ever for organizations to understand data protection and data security are interdependent and cannot be considered in isolation. Both are critical in protecting privacy. Moreover, if personal data is stolen in a cyberattack, those affected can claim damages — but certain jurisdictions provide fine and liability mitigations where the breached organization can prove its cybersecurity protections were reasonable and state-of-the-art.

In this threat landscape and regulatory environment, Data Protection Day provides an opportunity for privacy and security teams to align on modern threats to privacy, risks of non-compliance and the best technical and organizational means to protect data.

Additional Resources

Architecture Drift: What It Is and How It Leads to Breaches

2 February 2024 at 17:21

Cybercriminals work around the clock to discover new tactics to breach systems. Each time a digital ecosystem changes, it can introduce a weakness for a threat actor to quickly discover and exploit. As technological innovation progresses rapidly, and organizations expand their infrastructure, this weakness may take shape in the form of architecture drift. 

Today, we explore the concept of architecture drift: what it is, why it matters and how application security posture management (ASPM) can help.

Why Architecture Drift Is a Problem for DevSecOps

The rise of continuous integration and continuous delivery (CI/CD) and infrastructure-as-code (IaC) means apps, clusters and environments are constantly changing across organizations. Architecture drift occurs when an app, microservice or infrastructure “drifts” out of its intended configuration or approved operating boundaries.

Drift is difficult to detect and it introduces risk, which often isn’t seen or managed until something serious happens, such as an outage, incident or breach. It can happen in a variety of places, including:

  • Infrastructure
  • Network
  • Container orchestration
  • Application runtime
  • Business logic
  • Data flow

Architecture drift may affect infrastructure, for example, when IaC scripts such as Terraform or CloudFormation get out of sync with what’s running in the environments. For example, a development team might use a CloudFormation script to provision a new environment that declares all EC2 instances should be “t2.small.” Meanwhile, an engineer decides to manually add a “c4.large” instance to the same environment. Because C4 compute instances cost significantly more than T2 instances, this change will increase the company’s cloud bill and possibly create problems with reliability and performance.

Business Logic and Data Flows Can Drift Too

Continuous development means code, business logic, data flows and application architecture can change hourly in your environments. Depending on the level of automation and guardrails in your CI/CD pipelines, engineers might deploy code changes on demand or be required to follow a review process should a change be significant. These code changes can cause assets to drift, potentially interacting with one another and creating new risks.

A single code change can introduce new:

  • Services
  • APIs
  • Dependencies
  • Libraries
  • Third-party service calls
  • Datastore or database connections
  • Data flows
  • Risks you might not have considered or thought about

Even tiny changes can have a big impact. For example, several years ago, a small code change resulted in a personally identifiable information (PII) exposure at an enterprise. The risk made its way into production because the engineer who committed the code change didn’t know their code touched PII and stated as much in their change request questionnaire. As a result, they caused code to drift and interfere with data it shouldn’t have been near, unintentionally exposing the sensitive data.

We detect and observe drift frequently among customers of Bionic, a CrowdStrike company. More often than not, that drift is related to business logic, architecture and data flows. You can’t eliminate all risks in applications or the business, but you can start to go beyond what you know and think differently about what could impact your business.

Applications are complex beasts to tame, encompassing hundreds or thousands of components and dependencies. Every code change introduces potential risk. The question is: Do you see these risks and know their potential impact?

How to Detect Architecture Drift

With application security posture management, you can detect and manage application drift in real time. ASPM allows teams to quickly baseline and lock in their application architectures, so they have drift policies that can notify them in real time, should an architecture change. For example, ASPM can detect things like new services, APIs, new libraries, ports, connections, dependencies or even data flows that an application might start to exhibit following CI/CD deployments or code changes.

ASPM flags these drifts and provides full business and application context so your teams can prioritize the cruciality of critical services or data flows that are impacted. They can also visualize where each drift is occurring so teams see the full picture and catch drift before it causes a problem.

ASPM at CrowdStrike

CrowdStrike acquired Bionic in September 2023 to bring market-leading application security to CrowdStrike’s leading cloud-native application protection platform (CNAPP). With ASPM, CrowdStrike delivers comprehensive risk visibility and protection across the entire cloud estate, from cloud infrastructure to the applications and services running inside of them.

Stay tuned for more educational blogs on this important topic! 

Additional Resources

CrowdStrike Defends Against Azure Cross-Tenant Synchronization Attacks

5 February 2024 at 21:52
  • Azure cross-tenant synchronization (CTS) was made generally available on May 30, 2023, and introduced a new attack surface on Microsoft Entra ID (formerly Azure Active Directory) where attackers can move laterally to a partner tenant or create a backdoor on an existing tenant.
  • CrowdStrike showcases two observed attack paths to outline how adversaries can abuse CTS.
  • CrowdStrike Falcon® Cloud Security protects against cloud-aware hacktivists, eCrime adversaries and nation-state actors that might use these techniques to compromise your organization.

As Microsoft Azure continues to gain market share in the cloud infrastructure space, it has garnered attention from adversaries ranging from hacktivist and eCrime threat actors to nation-state adversaries. Recent attacks on Microsoft by cloud-focused threat actors like COZY BEAR are becoming more frequent and garnering huge attention. 

Adversaries are using novel cloud-focused techniques and tactics to achieve their goals. CrowdStrike has previously disclosed campaigns — for example, StellarParticle — that show the abuse of assets including Microsoft identities, Office 365 and more. Today, we will dive into one such adversary technique that abuses Microsoft Azure Active Directory (now called Entra ID) cross-tenant synchronization. We will show two observed attack paths to outline the impact. Let’s begin.

Ready to get instant visibility into your Active Directory? Set up a complimentary CrowdStrike AD Risk Review and stop identity-based threats today.

What Is Azure Cross-Tenant Synchronization?

Introduced by Microsoft in May 2023, cross-tenant synchronization (CTS) stands as a pivotal feature designed to streamline the automation of creating, updating and deleting B2B users/groups across tenants. This functionality empowers users and groups created through CTS to seamlessly access a spectrum of applications, ranging from Microsoft applications like Teams and SharePoint to non-Microsoft counterparts.

CTS uses a simple push operation on the “source” tenant to facilitate the synchronization of users/groups to the “target” tenant. Administrators in the target tenant retain control, with the ability to halt synchronization at their discretion or remove a source tenant by adjusting the configuration of their cross-tenant access (CTA) policy. This flexibility ensures efficient management and oversight over the cross-tenant synchronization process.

Abusing Cross-Tenant Synchronization

To abuse CTS within a Microsoft environment, attackers need specific roles that grant them the necessary privileges to create or modify CTS policy settings. Once attackers compromise a tenant, they can use existing CTS policies to move laterally to a partner tenant or add a backdoor into the tenant using CTS. 

The following licensing and role requirements apply to abusing CTS:

  1. Each user being synchronized needs a Microsoft Entra ID P1 license in the source tenant
  2. The attacker needs the following roles in the compromised tenant to establish persistent access:
    1. Global Administrator role to make all changes required for the attack
    2. Security Administrator role to configure CTA settings
    3. Hybrid Identity Administrator role to configure CTS
    4. Cloud Application Administrator or Application Administrator role to assign users to a configuration and delete a configuration

With the required access, attackers can take two attack paths to abuse the CTS feature:

  1. A lateral movement using CTS
  2. An identity backdoor on a compromised tenant using CTS

Figure 1 below delves into the details of both attack paths. Initially, an attacker compromises a (source) tenant and gains the necessary privileges. From there, the attacker can enumerate partner tenants with configured CTA and ensure CTS is enabled with the required inbound or outbound CTA policy. After enumeration, the attacker can leverage an already synchronized user identity to move laterally to the target tenant, thereby gaining access to the applications and services associated with that tenant. 

If the attacker wants to establish persistence on a compromised tenant, they can add an attacker-controlled tenant as a partner in a compromised tenant by creating a CTA policy with automatic user invitation redemption and enabling inbound synchronization. Subsequently, an attacker-controlled tenant can initiate the push of user accounts to compromised tenants and establish persistence by abusing CTS. The following section will dive into each attack path in detail.

Figure 1. Attack path details

Attack Path 1: Lateral Movement Using Cross-Tenant Synchronization

Adversaries can achieve an initial foothold by compromising Azure tenants in multiple ways, including but not limited to vulnerabilities in public-facing applications or APIs, leaked credentials, stolen identities and zero-day exploits. Once attackers acquire the necessary access and privileges described in the earlier section, they are positioned to abuse CTS.

Figure 2. Moving laterally using CTS


Figure 2 shows the general flow of the attack. The attacker takes the following steps to achieve lateral movement to the target tenant:

  1. Initially, an attacker compromises a source tenant, acquiring the necessary privileges. This enables the attacker to gather crucial information for lateral movement. It could be executed through various means, such as a command-line interface or console. For our purposes, this blog uses Microsoft Graph API endpoints to illustrate the attack.
  2. Subsequently, the attacker uses Microsoft Graph API to enumerate the CrossTenantAccessPolicy to find the target tenants (partner tenants) already available on the compromised tenant. The attacker tries to locate target tenant IDs where AutomaticUserConsentSettings has outboundAllowed set to true. As shown in Figure 3, the found tenant ID can potentially be abused by the attacker.

Figure 3. Attacker enumerates the CTA policy to find target tenants (partner tenants)


  3. Following the discovery of tenant IDs, the attacker proceeds to identify a synchronization application servicePrincipal that pushes users/groups to the target tenant. Fortunately, there is no readily available API to do this easily. This step can be broken into the following:
    1. List all servicePrincipals on compromised tenant
      GET https://graph.microsoft.com/v1.0/servicePrincipals
    2. Use each servicePrincipal to find a synchronization application used for a target tenant. The following query can be used to automate this process. If the query is successful (200 OK), then that servicePrincipal is used to create a synchronization application for a given target tenant. Figure 4 shows a successful query.
POST https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/validateCredentials
Content-Type: application/json
 
{
  "useSavedCredentials": false,
  "templateId": "Azure2Azure",
  "credentials": [
    {
      "key": "CompanyId",
      "value": "{TargetTenantId}"
    },
    {
      "key": "AuthenticationType",
      "value": "SyncPolicy"
    }
  ]
}

Figure 4. Successfully locating the servicePrincipal used in a synchronization application


  4. Now, the attacker employs the query depicted in Figure 5 to identify users/groups being synced to the target tenant using the servicePrincipal found in the earlier step. Figure 5 also shows the username “abc” being synced to the target tenant.

Figure 5. User “abc” being synced to the target tenant


  5. At this juncture, the attacker has a few options to move laterally to the target tenant:
    1. The attacker can opt for an existing user that is already synced to the target tenant. This is a very stealthy method, as the attacker doesn’t need to modify a compromised tenant to move laterally to the target tenant.
    2. The attacker can add a new user to sync into the target tenant and use the credentials associated with it to attack the target tenant if CTS is properly configured and operational.
    3. The attacker can also add a new user to a group that is already synced into the target tenant if CTS is properly configured and operational.
  6. Upon successful login with the chosen user, the attacker gets access to the target tenant. Furthermore, this access extends to Microsoft or third-party applications associated with the target tenants, enhancing the attacker’s potential for exploitation.

Attack Path 2: Identity Backdoor on Compromised Tenant Using Cross-Tenant Synchronization

Once an attacker successfully compromises a tenant and acquires the necessary privileges, the establishment of persistence becomes a paramount objective. Let’s delve into the details on how an attacker might establish and maintain persistence within a compromised tenant.

Figure 6. Identity backdoor in compromised tenant using CTS


Figure 6 provides a visual representation of the attack flow for establishing persistent access to compromised tenants. We now break down the attack into two distinct steps:

  1. On Compromised Tenant
  2. On Attacker-Controlled Tenant

A. On Compromised Tenant

  1. The attacker needs to obtain the required access as described in the earlier section.
  2. Having obtained the necessary access, the attacker proceeds to create a new CTA incorporating the attacker-controlled tenant ID. Essentially, this action establishes the attacker-controlled tenant as a partner within the compromised tenant. Figure 7 shows Microsoft Entra ID audit logs for this maneuver.

Figure 7. Partner tenant ID addition in CTA


  3. Subsequently, the attacker makes further modifications by adjusting the inbound CTA settings to enable AutomaticUserConsent, specifically by setting “inboundAllowed”:true. This enables automatic user invitation redemption, as shown in Figure 8.

Figure 8. CTA modification to allow inbound automatic user invitation redemption


  4. Continuing with the attack sequence, the attacker proceeds to another modification of inbound CTA, but this time, setting “IsSyncAllowed”:true. This particular configuration allows the attacker to push user accounts into the compromised tenant, a critical step highlighted in Figure 9. With the successful completion of this step, the attacker effectively establishes a backdoor within the compromised tenant.

Figure 9. CTA modification to allow inbound synchronization

B. On Attacker-Controlled Tenant

In the realm of the attacker-controlled tenant, the actions orchestrated by the attacker remain beyond monitoring, as this tenant operates external to the organization. Consequently, we won’t add logs or API requests to show this activity. The general steps for an attacker to configure CTS are as follows:

  1. The attacker needs a tenant that has the required Microsoft Entra ID premium license.
  2. Continuing the course, the attacker proceeds to create a new CTA policy within the attacker-controlled tenant. This involves the addition of a compromised Tenant ID, effectively integrating the compromised tenant as a partner within the attacker-controlled environment.
  3. The attacker then modifies outbound CTA settings to enable AutomaticUserConsent by setting “outboundAllowed”:true. This enables an automatic user invitation redemption policy matching the compromised tenant.
  4. Subsequently, the attacker creates a CTS synchronization application and proceeds to add chosen users or groups to the CTS synchronization application.
  5. At this point, the attacker creates an automatic provisioning job to push these users and groups to the compromised tenant.
  6. The synchronization job uses the push operation to achieve the objective. This job can be forced to run on demand to push chosen users/groups to compromised tenants.
  7. With the successful push of malicious users and groups, the attacker gains an entry point into the compromised tenant. This access can extend beyond the compromised tenant, enabling the attacker to seamlessly log into Microsoft or third-party applications associated with the compromised environment.

CrowdStrike Falcon Cloud Security Detections

CrowdStrike Falcon Cloud Security unifies cloud security in a single platform to deliver comprehensive protection to customers against attacks on public cloud infrastructure. Falcon Cloud Security monitors attacker behavior in Azure tenants and uncovers indicators of attack (IOAs) showing abuse of Azure services and features. In this attack, Falcon Cloud Security monitors the addition of vulnerable CTS policies where an attacker either tries to move laterally or uses them as a backdoor in a tenant. Figure 10 shows a triggered IOA where a CTS policy was added with inbound user sync.

Figure 10. Falcon Cloud Security detects the addition of a vulnerable CTS policy


Additionally, Falcon Cloud Security provides the following IOAs and identifies misconfigurations affecting CTA policies, which helps users identify and remediate any security risks.

Name | Type | Description
Cross-tenant partner given inbound access | Behavior | A cross-tenant partner was configured in Microsoft Entra ID to support automatic user consent for inbound access.
Cross-tenant partner user syncing enabled | Behavior | A cross-tenant policy was configured in Microsoft Entra ID that enabled automatic user sync.
Default cross-tenant synchronization policy allows outbound automatic user consent | Configuration | A cross-tenant access policy was configured with automatic outbound user consent.
Partner cross-tenant synchronization policy allows inbound user sync | Configuration | A cross-tenant access policy was configured with automatic inbound user consent.

CrowdStrike Best Practice Recommendation

To safeguard your Azure tenant from potential abuse of CTA and maintain a robust security posture, it’s imperative to adhere to best practices. Consider the following recommendations:

  1. Monitor external identities invited or synced into your tenant. Limit the privileges on such identities to control the blast radius.
  2. Monitor CTA policies being created on the tenant and validate any inbound or outbound settings that are modified to create exposure in the tenant.
  3. Monitor partner accounts added into tenants using CTA policies, and use a naming convention to differentiate each user from different partners synchronized into the tenant.
  4. Use secure default inbound and outbound access policies. Insecure default policies can create exposure to the tenant.
  5. Don’t trust multifactor authentication (MFA) from the source tenant for identities.
  6. Closely monitor administrator roles for any suspicious activities with respect to CTS.
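The monitoring in recommendations 2 and 4, the IOA table above and the enumeration step of Attack Path 1 all reduce to a handful of checks over the CTA settings. As an added example (not CrowdStrike’s or Microsoft’s code), the following Python audit applies those checks offline to policy records in the shape Microsoft Graph returns; the tenant IDs and records are constructed, and it assumes the caller has already fetched the default policy, the partner list and each partner’s identitySynchronization and merged the latter under that key.

```python
# Added example, not CrowdStrike's or Microsoft's code: an offline audit of the
# cross-tenant access (CTA) settings that both attack paths above depend on.
# Input shapes follow the Graph resources crossTenantAccessPolicyConfigurationDefault,
# crossTenantAccessPolicyConfigurationPartner and crossTenantIdentitySyncPolicyPartner
# (GET /policies/crossTenantAccessPolicy/default, .../partners and
# .../partners/{tenantId}/identitySynchronization). It is assumed the caller has already
# fetched those and merged each partner's identitySynchronization under that key.
# Every tenant ID below is a constructed placeholder.
from dataclasses import dataclass
from typing import Any, Iterable


@dataclass(frozen=True)
class Finding:
    tenant_id: str  # partner tenant ID, or "default" for the tenant-wide policy
    rule: str       # short name of the exposure that matched
    detail: str


def _consent(cfg: dict[str, Any], direction: str) -> bool:
    """True if automaticUserConsentSettings.<direction> is enabled; absent or null means off."""
    settings = cfg.get("automaticUserConsentSettings") or {}
    return settings.get(direction) is True


def _inbound_sync_allowed(partner: dict[str, Any]) -> bool:
    """True if the partner's CTS policy lets that tenant push users into this one."""
    sync = partner.get("identitySynchronization") or {}
    return (sync.get("userSyncInbound") or {}).get("isSyncAllowed") is True


def audit_cross_tenant_policy(default_policy: dict[str, Any],
                              partners: Iterable[dict[str, Any]],
                              approved_partners: Iterable[str]) -> list[Finding]:
    """Apply the exposure rules from the IOA table and best-practice list above."""
    approved = set(approved_partners)
    findings: list[Finding] = []

    # Default policy: outbound automatic consent applies to every partner without an
    # explicit override, which is the default-policy misconfiguration listed above.
    if _consent(default_policy, "outboundAllowed"):
        findings.append(Finding("default", "default-outbound-consent",
                                "default policy redeems outbound invitations automatically"))

    for partner in partners:
        tid = partner.get("tenantId", "<missing tenantId>")
        inbound = _consent(partner, "inboundAllowed")
        outbound = _consent(partner, "outboundAllowed")
        sync_in = _inbound_sync_allowed(partner)

        if tid not in approved:
            findings.append(Finding(tid, "unapproved-partner",
                                    "partner tenant is not on the approved list"))
        if outbound:
            # Attack Path 1 enumerates exactly this: a partner with outboundAllowed: true
            # that already-synced identities can be used to reach.
            findings.append(Finding(tid, "partner-outbound-consent",
                                    "outbound automatic user consent enabled"))
        if inbound:
            findings.append(Finding(tid, "partner-inbound-consent",
                                    "inbound automatic invitation redemption enabled"))
        if sync_in:
            findings.append(Finding(tid, "partner-inbound-sync",
                                    "partner may push users into this tenant"))
        if inbound and sync_in and tid not in approved:
            # Attack Path 2 in one line: new partner + inboundAllowed + IsSyncAllowed.
            findings.append(Finding(tid, "cts-backdoor-pattern",
                                    "unapproved partner can auto-redeem and sync users in"))
    return findings


# Constructed sample: one approved partner with a benign outbound-only setup and one
# unknown partner configured the way Attack Path 2 leaves a compromised tenant.
APPROVED_PARTNER = "11111111-1111-1111-1111-111111111111"
UNKNOWN_PARTNER = "22222222-2222-2222-2222-222222222222"
SAMPLE_DEFAULT = {"automaticUserConsentSettings": {"inboundAllowed": None,
                                                   "outboundAllowed": True}}
SAMPLE_PARTNERS = [
    {"tenantId": APPROVED_PARTNER,
     "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": True},
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": False}}},
    {"tenantId": UNKNOWN_PARTNER,
     "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": None},
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}}},
]


def rules_for(findings: list[Finding], tenant_id: str) -> set[str]:
    """Convenience view: the set of rule names raised for one tenant ID."""
    return {f.rule for f in findings if f.tenant_id == tenant_id}


if __name__ == "__main__":
    for f in audit_cross_tenant_policy(SAMPLE_DEFAULT, SAMPLE_PARTNERS, {APPROVED_PARTNER}):
        print(f"[{f.rule}] tenant={f.tenant_id}: {f.detail}")
```

Feeding the real Graph responses into audit_cross_tenant_policy and diffing the findings between runs turns recommendation 2 into a scheduled check rather than a manual review.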

Conclusion

The abuse of cloud provider services is a common technique utilized by many cloud-aware adversaries. New cloud provider features — like CTS — typically become unexplored attack surfaces for attackers as well as researchers. More often than not, new features need to gather feedback from users. This feedback often necessitates a change in design, visibility and security. This opens up a window of opportunity for adversaries to abuse the feature and find vulnerabilities.

Entra ID CTS is a feature that focuses on the ease of doing business and collaboration but is being abused by cloud-aware threat actors. Hence, cloud security practitioners need to be aware of the tactics, techniques and procedures used in this attack, where an attacker attempts to move laterally into different organization tenants or to create and maintain a backdoor in compromised tenants. CrowdStrike Falcon Cloud Security provides the necessary visibility to protect users from adversaries who might utilize these techniques to abuse CTS.

Is your cloud secure? A FREE CrowdStrike Cloud Security Risk Review quickly enables you to determine how to protect your cloud environment with a lightweight assessment that shows full threat visibility, misconfigurations and vulnerability risks, and how to detect and stop breaches from endpoint to cloud.

Additional Resources

HijackLoader Expands Techniques to Improve Defense Evasion

7 February 2024 at 13:48
  • HijackLoader continues to become increasingly popular among adversaries for deploying additional payloads and tooling
  • A recent HijackLoader variant employs sophisticated techniques to enhance its complexity and defense evasion
  • CrowdStrike detects this new HijackLoader variant using machine learning and behavior-based detection capabilities 

CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities. 

In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach has the potential to make defense evasion stealthier. 

The second technique variation involved an uncommon combination of process doppelgänging and process hollowing techniques. This variation increases the complexity of analysis and the defense evasion capabilities of HijackLoader. Researchers also observed additional unhooking techniques used to hide malicious activity.

This blog focuses on the various evasion techniques employed by HijackLoader at multiple stages of the malware.

HijackLoader Analysis

Infection Chain Overview

The HijackLoader sample CrowdStrike analyzed implements complex multi-stage behavior in which the first-stage executable (streaming_client.exe) deobfuscates an embedded configuration partially used for dynamic API resolution (using PEB_LDR_DATA structure without other API usage) to harden against static analysis.

Afterward, the malware uses WinHTTP APIs to check if the system has an active internet connection by connecting to https[:]//nginx[.]org. If the initial connectivity check succeeds, then execution continues, and it connects to a remote address to download the second-stage configuration blob. If the first URL indicated below fails, the malware iterates through the following list:

  • https[:]//gcdnb[.]pbrd[.]co/images/62DGoPumeB5P.png?o=1
  • https[:]//i[.]imgur[.]com/gyMFSuy.png
  • https[:]//bitbucket[.]org/bugga-oma1/sispa/downloads/574327927.png

Upon successfully retrieving the second-stage configuration, the malware iterates over the downloaded buffer, checking for the initial bytes of a PNG header. It then proceeds to search for the magic value C6 A5 79 EA, which precedes the XOR key (32 B3 21 A5 in this sample) used to decrypt the rest of the configuration blob.

Figure 1. HijackLoader key retrieving and decrypting (click to enlarge)


Following XOR decryption, the configuration undergoes decompression using the RtlDecompressBuffer API with COMPRESSION_FORMAT_LZNT1. After decompressing the configuration, the malware loads a legitimate Windows DLL specified in the configuration blob (in this sample, C:\Windows\SysWOW64\mshtml.dll).
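The retrieval steps described above (PNG header check, magic marker search, 4-byte XOR key, then decryption) can be expressed as a small decoder that an analyst can run over a captured blob. This is an added example, not CrowdStrike’s code and not taken from the sample: it assumes the key is applied as a repeating XOR to every byte after it, leaves out the LZNT1 decompression step, and decodes a constructed blob rather than a real download.

```python
# Added example, not CrowdStrike's code and not taken from the sample: a decoder for
# the second-stage configuration format described above. Assumptions: the 4-byte key
# that follows the magic is applied as a repeating XOR to every byte after it, and the
# LZNT1 decompression step is left out (RtlDecompressBuffer is a Windows-only API).
# The blob built below is constructed; it is not a real second-stage download.
from itertools import cycle
from typing import Optional

PNG_HEADER = b"\x89PNG\r\n\x1a\n"        # the "initial bytes of a PNG header"
MAGIC = bytes.fromhex("C6A579EA")         # marker that precedes the XOR key
KEY_LEN = 4
SAMPLE_KEY = bytes.fromhex("32B321A5")    # the key reported for this sample


def find_config(blob: bytes) -> Optional[tuple[bytes, bytes]]:
    """Return (xor_key, encrypted_payload), or None if the blob is not a match.

    Mirrors the loader's own checks: PNG header first, then the magic marker; the
    key is the KEY_LEN bytes right after the marker and the payload is everything after.
    """
    if not blob.startswith(PNG_HEADER):
        return None
    marker = blob.find(MAGIC, len(PNG_HEADER))
    if marker < 0:
        return None
    key_start = marker + len(MAGIC)
    if key_start + KEY_LEN > len(blob):
        return None  # truncated: marker present but no complete key after it
    key = blob[key_start:key_start + KEY_LEN]
    return key, blob[key_start + KEY_LEN:]


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_stage2_config(blob: bytes) -> Optional[bytes]:
    """Key lookup plus XOR; the result would still need LZNT1 decompression."""
    located = find_config(blob)
    if located is None:
        return None
    key, payload = located
    return xor_cycle(payload, key)


def build_sample_blob(config: bytes, key: bytes = SAMPLE_KEY) -> bytes:
    """Constructed blob: PNG header, filler image bytes, marker, key, XOR'd config."""
    filler = bytes(range(64))  # stands in for image data; contains no marker bytes
    return PNG_HEADER + filler + MAGIC + key + xor_cycle(config, key)


if __name__ == "__main__":
    fake_config = b"C:\\Windows\\SysWOW64\\mshtml.dll\x00" + b"\x90" * 16
    blob = build_sample_blob(fake_config)
    print(decode_stage2_config(blob) == fake_config)
```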

The second-stage, position-independent shellcode retrieved from the configuration blob is written to the .text section of the newly loaded DLL before being executed. The HijackLoader second-stage, position-independent shellcode then performs some evasion activities (further detailed below) to bypass user mode hooks using Heaven’s Gate and injects subsequent shellcode into cmd.exe. The injection of the third-stage shellcode is accomplished via a variation of process hollowing that results in an injected hollowed mshtml.dll into the newly spawned cmd.exe child process.

The third-stage shellcode implements a user mode hook bypass before injecting the final payload (a Cobalt Strike beacon for this sample) into the child process logagent.exe. The injection mechanism used by the third-stage shellcode leverages the following techniques:

  • Process Doppelgänging Primitives: This technique is used to hollow a Transacted Section (mshtml.dll) in the remote process to contain the final payload.
  • Process/DLL Hollowing: This technique is used to inject the fourth-stage shellcode that is responsible for performing evasion prior to passing execution to the final payload within the transacted section from the previous step.

Figure 2 details the attack path exhibited by this HijackLoader variant.

Figure 2. HijackLoader — infection chain (click to enlarge)

Main Evasion Techniques Used by HijackLoader and Shellcode

The primary evasion techniques employed by HijackLoader include hook bypass methods such as Heaven’s Gate and unhooking by remapping system DLLs monitored by security products. Additionally, the malware implements variations of process hollowing and an injection technique that leverages transacted hollowing, which combines the transacted section and process doppelgänging techniques with DLL hollowing.

Hook Bypass: Heaven’s Gate and Unhooking

Like other variants of HijackLoader, this sample implements a user mode hook bypass using Heaven’s Gate (when run in SysWOW64) — this is similar to existing (x64_Syscall function) implementations.

This implementation of Heaven’s Gate is a powerful technique that leads to evading user mode hooks placed in SysWOW64 ntdll.dll by directly calling the syscall instruction in the x64 version of ntdll.

Each call to Heaven’s Gate uses the following as arguments: 

  • The syscall number
  • The number of parameters of the syscall
  • The parameters (according to the syscall)

This variation of the shellcode incorporates an additional hook bypass mechanism to elude any user mode hooks that security products may have placed in the x64 ntdll. Such hooks are typically used to monitor both the 32-bit (SysWOW64) and the x64 ntdll, which is why bypassing the SysWOW64 hooks alone is not sufficient.

During this stage, the malware remaps the .text section of x64 ntdll by using Heaven’s Gate to call NtWriteVirtualMemory and NtProtectVirtualMemory to replace the in-memory mapped ntdll with the .text from a fresh ntdll read from the file C:\windows\system32\ntdll.dll. This unhooking technique is also used on the process hosting the final Cobalt Strike payload (logagent.exe) in a final attempt to evade detection.

Process Hollowing Variation

To inject the subsequent shellcode into the child process cmd.exe, the malware utilizes common process hollowing techniques. This involves mapping the legitimate Windows DLL mshtml.dll into the target process and then replacing its .text section with shellcode. An additional step necessary to trigger the execution of the remote shellcode is detailed in a later section.   

To set up the hollowing, the sample creates two pipes that are used to redirect the Standard Input and the Standard Output of the child process (specified in the aforementioned configuration blob, C:\windows\syswow64\cmd.exe) by placing the pipes’ handles in the STARTUPINFOW structure passed to the CreateProcessW API.

One key distinction between this implementation and the typical “standard” process hollowing can be observed here: In standard process hollowing, the child process is usually created in a suspended state. In this case, the child is not explicitly created in a suspended state, making it appear less suspicious. Because the child process is waiting for input from the pipe created previously, its execution blocks until data arrives on that pipe. Essentially, we can call this an interactive process hollowing variation.

As a result, the newly spawned cmd.exe will read input from the STDIN pipe, effectively waiting for new commands. At this point, its EIP (Extended Instruction Pointer) is directed toward the return from the NtReadFile syscall. 

The following section details the steps taken by the second-stage shellcode to set up the child process cmd.exe ultimately used to perform the subsequent injections used to execute the final payload.

The parent process streaming_client.exe initiates an NtDelayExecution to sleep, waiting for cmd.exe to finish loading. Afterward, it reads the legitimate Windows DLL mshtml.dll from the file system and proceeds to load this library into cmd.exe as a shared section. This is accomplished using the Heaven’s Gate technique for: 

  • Creating a shared section object using NtCreateSection  
  • Mapping that section in the remote cmd.exe using NtMapViewOfSection  

It then replaces the .text section of the mshtml DLL with malicious shellcode by using:

  • Heaven’s Gate to call NtProtectVirtualMemory on cmd.exe to set RWX permissions on the .text section of the previously mapped section mshtml.dll
  • Heaven’s Gate to call NtWriteVirtualMemory on the DLL’s .text section to stomp the module and write the third-stage shellcode 

Finally, to trigger the execution of the remote injected shellcode, the malware uses:

  • Heaven’s Gate to suspend (NtSuspendThread) the remote main thread 
  • A new CONTEXT (by using NtGetContextThread and NtSetContextThread) to modify the EIP to point to the previously written shellcode
  • Heaven’s Gate to resume (NtResumeThread) the remote main thread of cmd.exe

However, because cmd.exe is waiting for user input from the STDINPUT pipe, the injected shellcode in the new process isn’t actually executed upon the resumption of the thread. The loader must take an additional step: 

  • The parent process streaming_client.exe needs to write (via WriteFile) the string \r\n to the STDINPUT pipe created previously, sending an input to cmd.exe after calling NtResumeThread. This effectively resumes execution of the primary thread at the shellcode’s entry point in the child process cmd.exe.

Interactive Process Hollowing Variation: Tradecraft Analysis

We have successfully replicated the threadless process hollowing technique to understand how the pipes trigger it. Once the shellcode has been written as described, it needs to be activated. This activation is based on the concept that when a program makes a syscall, the thread waits for the kernel to return a value. 

In essence, the interactive process hollowing technique involves the following steps:

  • CreateProcess: This step involves spawning the cmd.exe process to inject the malicious code by redirecting STDIN and STDOUT to pipes. Notably, this process isn’t suspended, making it appear less suspicious. Waiting to read input from the pipe, the NtReadFile syscall sets its main thread’s state to Waiting and _KWAIT_REASON to Executive, signifying that it’s awaiting the execution of kernel code operations and their return.   
  • WriteProcessMemory: This is where the shellcode is written into the cmd.exe child process.
  • SetThreadContext: In this phase, the parent sets the conditions to redirect the execution flow of the cmd.exe child process to the previously written shellcode’s address by modifying the EIP/RIP in the remote thread CONTEXT.
  • WriteFile: Here, data is written to the STDIN pipe, sending an input to the cmd.exe process. This action resumes the execution of the child process from the NtReadFile operation, thus triggering the execution of the shellcode. Before returning to user space, the kernel is reading and restoring the values saved in the _KTRAP_FRAME structure (containing the EIP/RIP register value) to resume from where the syscall was called. By modifying the CONTEXT in the previous step, the loader hijacks the resuming of the execution toward the shellcode address without the need to suspend and resume the thread, which this technique usually requires.

Transacted Hollowing² (Transacted Section/Doppelgänger + Hollowing)

The malware writes the final payload in the child process logagent.exe spawned by the third-stage shellcode in cmd.exe by creating a transacted section to be mapped in the remote process. Subsequently, the malware injects fourth-stage shellcode into logagent.exe by loading and hollowing another instance of mshtml.dll into the target process. The injected fourth-stage shellcode performs the aforementioned hook bypass technique before executing the final payload previously allocated by the transacted section.

Transacted Section Hollowing

Similarly to process doppelgänging, the goal of a transacted section is to create a stealthy malicious section inside a remote process by overwriting the memory of the legitimate process with a transaction.

In this sample, the third-stage shellcode executed inside cmd.exe places a malicious transacted section used to host the final payload in the target child process logagent.exe. The shellcode uses the following:

  • NtCreateTransaction to create a transaction
  • RtlSetCurrentTransaction and CreateFileW with a dummy file name, in place of the documented CreateFileTransactedW
  • Heaven’s Gate to call NtWriteFile in a loop, writing the final shellcode to the file in 1,024-byte chunks
  • Creation of a section backed by that file (Heaven’s Gate call NtCreateSection)
  • A rollback of the transaction behind the previously created section by using Heaven’s Gate to call NtRollbackTransaction

Similar implementations have been publicly observed in this project, which implements transaction hollowing.

Once the transacted section has been created, the shellcode generates a function stub at runtime to hide from static analysis. This stub contains a call to the CreateProcessW API to spawn a suspended child process logagent.exe (c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8) that was previously dropped by cmd.exe under the %TEMP% folder.

After the target process has been created, the sample uses Heaven’s Gate to:

  • Read its PEB by calling NtReadVirtualMemory to retrieve its base address (0x400000)
  • Unmap the logagent.exe image in the logagent.exe process by using NtUnmapViewOfSection
  • Hollow the previously created transacted section inside the remote process by remapping the section at the same base address (0x400000) with NtMapViewOfSection

Process Hollowing

After the third-stage shellcode within cmd.exe injects the final Cobalt Strike payload inside the transacted section of the logagent.exe process, it continues by process hollowing the target process to write the fourth shellcode stage ultimately used to execute the final payload (loaded in the transacted section) in the remote process. The third-stage shellcode maps the legitimate Windows DLL C:\Windows\SysWOW64\mshtml.dll in the target process prior to replacing its .text with the fourth-stage shellcode and executing it via NtResumeThread. 

This additional fourth-stage shellcode written to logagent.exe performs similar evasion activities to the third-stage shellcode executed in cmd.exe (as indicated in the hook bypass section) before passing execution to the final payload.
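The two injection chains described above (the interactive process hollowing into cmd.exe and the transacted section hollowing into logagent.exe) are, from a detection standpoint, ordered sequences of cross-process API calls. As an added example that is not part of the CrowdStrike write-up, the Python below matches those two sequences over constructed telemetry; the pids, event tuple layout and detail strings are assumptions made for the sample and do not correspond to any real sensor's schema.

```python
# Added example (not from the CrowdStrike write-up): ordered-behaviour detection for the two
# injection chains described above, run over constructed telemetry (no real logs involved).
# Event = (actor_pid, api_name, target_pid, detail); every pid and detail value is made up.
EVENTS = [
    (100, "CreateProcess", 200, "cmd.exe stdin=pipe suspended=False"),
    (100, "NtMapViewOfSection", 200, "mshtml.dll"),
    (100, "NtProtectVirtualMemory", 200, "mshtml.dll .text RWX"),
    (100, "NtWriteVirtualMemory", 200, "mshtml.dll .text"),
    (100, "NtSetContextThread", 200, "EIP -> mshtml.dll .text"),
    (100, "WriteFile", 200, "pipe:stdin \\r\\n"),
    (200, "NtCreateTransaction", 200, ""),
    (200, "NtCreateSection", 200, "transacted file"),
    (200, "NtRollbackTransaction", 200, ""),
    (200, "CreateProcess", 300, "logagent.exe suspended=True"),
    (200, "NtUnmapViewOfSection", 300, "0x400000"),
    (200, "NtMapViewOfSection", 300, "0x400000"),
    (400, "CreateProcess", 500, "python.exe stdin=pipe suspended=False"),  # benign automation
    (400, "WriteFile", 500, "pipe:stdin dir\\r\\n"),                        # partial chain only
]
# Rule = ordered (api_name, substring required in detail) steps; "" matches any detail.
RULES = {
    "interactive_process_hollowing": [
        ("CreateProcess", "stdin=pipe"), ("NtMapViewOfSection", ""),
        ("NtProtectVirtualMemory", "RWX"), ("NtWriteVirtualMemory", ""),
        ("NtSetContextThread", ""), ("WriteFile", "pipe:stdin"),
    ],
    "transacted_section_hollowing": [
        ("NtCreateTransaction", ""), ("NtCreateSection", "transacted"),
        ("NtRollbackTransaction", ""), ("CreateProcess", "suspended=True"),
        ("NtUnmapViewOfSection", ""), ("NtMapViewOfSection", ""),
    ],
}

def match_chain(events, steps):
    """Return (actor, target) pairs whose stream contains the steps in order. The stream is
    everything the actor did to itself or to that target, so the self-targeted transaction
    setup and the later remote mapping into logagent.exe are matched as one chain."""
    hits = []
    for actor in sorted({e[0] for e in events}):
        for target in sorted({e[2] for e in events if e[0] == actor and e[2] != actor}):
            stream = [e for e in events if e[0] == actor and e[2] in (actor, target)]
            i = 0  # index of the next step still to be seen
            for _, api, _, detail in stream:
                if i < len(steps) and api == steps[i][0] and steps[i][1] in detail:
                    i += 1
            if i == len(steps):
                hits.append((actor, target))
    return hits

def detect(events):  # map each rule name to the (actor, target) pairs it fired on
    return {name: match_chain(events, steps) for name, steps in RULES.items()}
```

Matching on order rather than on individual calls is what keeps the benign pid 400 case quiet: redirecting a child's stdin and writing to it is common automation, and only the remote mapping, RWX change and thread-context rewrite in between make it the chain described above.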

CrowdStrike Falcon Coverage

CrowdStrike employs a layered approach for malware detection using machine learning and indicators of attack (IOAs). As shown in Figure 3, the CrowdStrike Falcon® sensor’s machine learning capabilities can automatically detect and prevent HijackLoader in the initial stages of the attack chain; i.e., as soon as the malware is downloaded onto the victim’s machine. Behavior-based detection capabilities (IOAs) can recognize malicious behavior at various stages of the attack chain, including when employing tactics like process injection attempts. 

Figure 3. CrowdStrike Falcon platform machine learning and IOA coverage for the HijackLoader sample

Indicators of Compromise (IOCs)

File | SHA256
streaming_client.exe | 6f345b9fda1ceb9fe4cf58b33337bb9f820550ba08ae07c782c2e142f7323748

MITRE ATT&CK Framework

The following table maps reported HijackLoader tactics, techniques and procedures (TTPs) to the MITRE ATT&CK® framework.

ID | Technique | Description
T1204.002 | User Execution: Malicious File | The sample is a backdoored version of streaming_client.exe, with the Entry Point redirected to a malicious stub.
T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | HijackLoader and its stages hide some of the important imports from the IAT by dynamically retrieving kernel32 and ntdll API addresses. It does this by parsing PEB->PEB_LDR_DATA and retrieving the function addresses.
T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | This variant of HijackLoader connects to a remote server to check if the machine is connected to the internet by using the WinHttp API (WinHttpOpenRequest and WinHttpSendRequest).
T1140 | Deobfuscate/Decode Files or Information | HijackLoader utilizes XOR mechanisms to decrypt the downloaded stage.
T1140 | Deobfuscate/Decode Files or Information | HijackLoader utilizes RtlDecompressBuffer to LZ decompress the downloaded stage.
T1027 | Obfuscated Files or Information | HijackLoader drops XOR encrypted files to the %APPDATA% subfolders to store the downloaded stages.
T1620 | Reflective Code Loading | HijackLoader reflectively loads the downloaded shellcode in the running process by loading and stomping the mshtml.dll module using the LoadLibraryW and VirtualProtect APIs.
T1106 | Native API | HijackLoader uses direct syscalls and the following APIs to perform bypasses and injections: WriteFileW, ReadFile, CreateFileW, LoadLibraryW, GetProcAddress, NtDelayExecution, RtlDecompressBuffer, CreateProcessW, GetModuleHandleW, CopyFileW, VirtualProtect, NtProtectVirtualMemory, NtWriteVirtualMemory, NtResumeThread, NtSuspendThread, NtGetContextThread, NtSetContextThread, NtCreateTransaction, RtlSetCurrentTransaction, NtRollbackTransaction, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtWriteFile, NtReadFile, NtCreateFile and CreatePipe.
T1562.001 | Impair Defenses: Disable or Modify Tools | HijackLoader and its stages use Heaven’s Gate and remap x64 ntdll to bypass user space hooks.
T1055.012 | Process Injection: Process Hollowing | HijackLoader and its stages implement a process hollowing technique variation to inject in cmd.exe and logagent.exe.
T1055.013 | Process Injection: Process Doppelgänging | The HijackLoader shellcode implements a process doppelgänging technique variation (transacted section hollowing) to load the final stage in logagent.exe.
