Normal view

There are new articles available, click to refresh the page.
Before yesterdayCrowdStrike

Compromising Identity Provider Federation

✇CrowdStrike
By: Matt Johnston - Manoj Ahuje - Stephen VanVaerenbergh - Chad Yoder
8 November 2023 at 20:12
  • CrowdStrike’s Incident Response team has seen a recent increase in cases involving adversaries that abuse identity provider federation to gain access to protected services by adding and authorizing rogue domains to federation. From these cases, patterns have emerged that indicate a common attack structure.
  • Monitoring for identity provider abuse can be difficult, given that adversaries do so by leveraging legitimate cloud services, often using compromised accounts for initial access — a reminder that securing identity and authentication services is critical in preventing these attacks.
  • In a recent expansion of CrowdStrike Falcon® Cloud Security detections, CrowdStrike is noting these attacks are prevalent and significant enough to warrant establishing visibility over identity provider management. The indicators of attack discussed in this blog should be considered early indicators that require analysis in context to determine a final verdict on their nature.
  • Since observed attack scenarios predominantly target Microsoft Azure as an identity provider, this blog and the referenced detections focus on that domain.

What Is a Federated Identity Provider? 

A federated identity provider is an outside service provider that has been entrusted by an organization as an authority regarding user authentication and identity management. In the context of a service that leverages single sign-on (SSO), when an individual user requests access to the service, the service contacts the identity provider (IdP) to validate the user’s identity.

This capability enables different identity domains (organized groups of users) to partner with one another in validating users and granting their access to a downstream service, domain or cloud environment without having to replicate or maintain multiple instances of user identities. In this way, if an organization provides a service that has a user population outside of its authentication domain, it can extend access to those outside users by defining a trust relationship with the IdP for that outside user group.

The service provider is trusting that the IdP has performed all relevant authentication actions and verifications, and any subsequent access requests by the user to the service should be considered as authorized.

Okta provides details on federated identity and the role of identity providers in SSO.

The Attack

Adversaries are taking advantage of this architecture by compromising IdPs and modifying them to extend the umbrella of trust to include domains and users controlled directly by the attacker and to expand cross-tenant authentication partnerships. An example attack sequence is depicted in Figure 1.

Figure 1. Illustration of observed IdP compromise (click to enlarge)

Initial Access

The first step in the attack involves establishing access to the IdP’s cloud service provider (CSP) environment at the Control Plane layer with a user account that has permissions to administer resources.

While there are numerous methods that can be used to compromise a user account, CrowdStrike has noted the use of social engineering to obtain credentials as well as using a self-service password reset to take control of an existing account. Some CSPs also add risk analysis indicators to sign-in activity that can also be leveraged to spot signs of initial access.

Once credentials are obtained and authentication is verified, the adversary has been noted to use the CSP command line interface for initial login.

Reconnaissance

Reconnaissance in observed attacks has been focused on obtaining information that can be specifically leveraged to facilitate adding a new domain to federation settings. Observed behaviors during reconnaissance have included:

  • Download users (bulk operation)
  • Download role assignments (bulk operation)
  • Download groups (bulk operation)
  • Get API connectors
  • Get authentication flows policy
  • Get available output claims
  • Get customAuthenticationExtensions
  • Get identity providers
  • Get tenant details
  • Get user flows

It should be noted that CrowdStrike has observed the “get authentication flows policy” action to be extremely common, and by itself, it is not a strong indicator of an attack. It is listed here for reference and is included as part of CrowdStrike Falcon® Cloud Security detection logic as a contributing behavior.

Persistence and Backdoors

Once an attacker has completed their reconnaissance, they move to perform the necessary changes to federation settings to add the domains and user accounts under their control. Actions specifically related to creating a backdoor are listed below:

  • Add unverified domain
  • Add verified domain
  • Verify domain
  • Set domain authentication
  • Update user
  • Set directory feature on tenant

Some attacks may include establishing backdoor access via cross-tenant synchronization, which would be observable via the following:

  • Add a partner to cross-tenant access setting
  • Update a partner cross-tenant access setting
  • Create a partner cross-tenant identity sync setting

Additional actions that have been observed in conjunction with those listed above include the following: 

  • Update named location
  • Add policy
  • Add application
  • Add service principal
  • Add service principal credentials
  • Update application
  • Update service principal
  • Update provisioning setting or credentials
  • Update authorization policy
  • Update authentication flows policy
  • Set company information

As with the behaviors listed as signs of reconnaissance, some of the behaviors CrowdStrike has categorized as persistence and backdoor may also occur in large volume in the normal course of cloud operations. CrowdStrike detections attempt to account for this and only elevate scenarios that resemble a sequence of behaviors that indicate abuse. It is important to evaluate all detections in context before reaching a final verdict.

Actions on Objectives

The primary goal of abusing federated identity providers is to gain access to resources or services that trust the IdP. Abuse of one IdP is likely used to access resources in an external domain, so this scenario should be viewed largely as a method to establish access and maintain persistence via the IdP. 

Some observed actions on objectives related to these attacks include:

  • Creating cloud compute resources or VMs
  • Accessing cloud compute resources and exfiltrating data by exporting virtual disks
  • Obtaining user information from the IdP
  • Accessing data in applications that rely on the IdP access controls
  • Leveraging the Azure run command to deploy other tooling

Why Is It Important to Monitor Changes to Identity Provider Configurations?

Organizations delegate user access controls to outside IdPs, which means the outside IdP is entrusted with maintaining the confidentiality, integrity, and availability of downstream services and data. Identity management and user access control are paramount to information security.

Monitoring for the scenarios outlined above provides customers with early indications of sensitive behaviors — or sequences of behaviors — that CrowdStrike believes warrant awareness and validation. This will give Falcon Cloud Security customers the opportunity to detect these attacks quickly and also obtain evidence that could be useful in incident response activities.  

Falcon Cloud Security Detections

In response to the observed patterns in these attacks, the Falcon Cloud Security team analyzed the prevalence of the noted behaviors and has worked to build detections that attempt to elevate awareness when a matching pattern of activity has occurred. These detections represent a combination of perspectives that warrant awareness and response by security teams.

  1. Configuration changes that rarely occur and have potential for significant abuse
  2. Behaviors that rarely occur in combination with others and may resemble a known attack sequence
  3. Specific behaviors leveraged in these attacks
Detection Name Type Description
User accounts exported from Active Directory Behavior A bulk export was performed of all user accounts in Active Directory. While this could be legitimate Admin behavior, it could also indicate a threat actor is performing reconnaissance of user accounts in an attempt to elevate privileges and move laterally in your tenant. It is recommended this behavior be reviewed to validate the user’s need to export all user accounts and ensure this data is not improperly shared.
User groups exported from Active Directory Behavior A bulk export was performed of all user groups in Active Directory. While this could be legitimate Admin behavior, it could also indicate a threat actor is performing reconnaissance of user groups in an attempt to elevate privileges and move laterally in your tenant. It is recommended this behavior be reviewed to validate the user’s need to export all user groups and ensure this data is not improperly shared.
Role assignments exported from Active Directory Behavior A bulk export was performed of all role assignments in Active Directory. While this could be legitimate Admin behavior, it could also indicate a threat actor is performing reconnaissance of role assignments in an attempt to move laterally and escalate privileges in your tenant. It is recommended this behavior be reviewed to validate the user’s need to export all role assignments and ensure this data is not improperly shared.
New unverified domain added to tenant Behavior A custom domain was added to the Azure Active Directory (Azure AD) tenant. This is often the first step in configuring federated domain authentication. Federated domain authentication is a legitimately used configuration to support using on-premises passwords. Adversaries also leverage this Azure AD feature to create Azure AD persisted backdoors by configuring new federated domains with resources/infrastructure that they control.
Guest users given same permissions to Azure AD resources as member users Behavior Azure Active Directory was updated to give guest users the same access to Azure AD resources as member users. This setting gives guest users the ability to view and interact with Active Directory resources that they may not need access to and should be reviewed to ensure the access is appropriate.
Cross-tenant partner given inbound access Behavior A cross-tenant partner was configured in Azure Active Directory to support automatic user consent for inbound access. Cross-tenant synchronization is a legitimately used configuration to automate creating, updating and deleting Azure AD B2B users across different tenants. Adversaries also leverage this Azure AD feature to create persisted backdoors by adding new cross-tenant partners (controlled by the adversaries) to environments they have compromised.
Cross-tenant partner user syncing enabled Behavior A cross-tenant partner was configured in Azure Active Directory to support inbound user syncing/creation. Cross-tenant synchronization is a legitimately used configuration to automate creating, updating and deleting Azure AD B2B users across different tenants. Adversaries also leverage this Azure AD feature to create persisted backdoors by adding new cross-tenant partners (controlled by the adversaries) to environments they have compromised.
New federated domain added to Azure Active Directory Behavior A domain was configured in Azure Active Directory to support federated authentication. Integrating Azure AD with on-premises Active Directory using Active Directory Federation Services (AD FS) is a legitimately used configuration to support using on-premises passwords. Adversaries also leverage this Azure AD feature to create Azure AD persisted backdoors by configuring new federated domains with resources/infrastructure that they control.
Virtual machine disk exported by user Behavior A virtual machine disk was made available for download/export by a user account. Review the activity and validate the user’s need to export the disk, as this may be a way for an attacker to collect and exfiltrate data stored on the disk.
Default cross-tenant synchronization policy allows outbound automatic user consent Configuration In a breach scenario, an attacker can utilize automatic outbound user consent within a cross-tenant synchronization policy to sync the compromised user account into a partner tenant and grant attacker access using the same initially compromised credentials. It is not recommended to allow automatic outbound user consent.
Partner cross-tenant synchronization policy allows inbound user sync Configuration In a breach scenario, an attacker can utilize inbound identity synchronization within a cross-tenant synchronization policy to sync the compromised user account into a partner tenant and grant attacker access using the same initially compromised credentials. It is not recommended to automatically sync identities into tenants you are not in control of.

Response Recommendations

Because the behaviors outlined in this attack sequence take advantage of normal features of identity provider federation, it is possible that initial setup or routine administrative maintenance may trigger detections. CrowdStrike has considered the potential for producing false positive detections and has concluded that it is worthwhile to maintain vigilant monitoring of these sensitive functions. CrowdStrike recommends that organizations review all changes to IdP settings to verify that:

  1. The user account used to perform the changes is authorized by role and policy to do so.
  2. The user account performing the changes has not been compromised, and endpoints associated with the user are not exhibiting signs of malware.
    1. This should include a review of recent actions performed by the user account to determine if it is being used in an unusual manner.
    2. Consider signs of phishing, social engineering or recent password resets related to the user account.
    3. Consider authentication details for the user account, including source IP address, region and user-agent strings to look for signs it is being accessed from an unusual source.
    4. Review endpoint detections for suspicious activity involving the user account in question.
  3. The observed changes to IdP configurations were authorized through existing governance, risk and compliance (GRC) review and performed in compliance with change management policies and procedures. 
    1. Consider the domains added and their validity in relationship to the business and service context in which they are being used.
    2. Consider the reputation and threat history of new domains.
    3. For suspect domains, review any future login and service access activity originating from the new IdP.

Conclusion

Abuse of federated identity providers appears to be on the rise and represents a significant threat to downstream services, applications and data. 

CrowdStrike has released detections in Falcon Cloud Security that are designed to shed light on administrative behaviors that could represent attempts to compromise this trust architecture so that customers have early warnings an attack may be occurring.

While the attack outlined in this blog shows that adversaries are leveraging legitimate cloud services and configurations to perform their attacks, CrowdStrike’s detections are designed to differentiate normal administrative functions from those with suspect attributes that could indicate an attack in progress.

Due to the nature of this compromise, a timely response is prudent. CrowdStrike recommends taking immediate steps to validate the observed behaviors are authorized and to remediate them if they are not authorized by reversing any changes made. By quickly cutting off access established by an adversary, CrowdStrike customers can disrupt the attack and stop the breach.

Additional Resources

IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations

✇CrowdStrike
By: Counter Adversary Operations
9 November 2023 at 11:47

CrowdStrike Counter Adversary Operations has been investigating a series of cyberattacks and strategic web compromise (SWC) operations targeting organizations in the transportation, logistics and technology sectors that occurred in October 2023. Based on a detailed examination of the malicious tooling used in these attacks, along with additional reporting and industry reports, CrowdStrike Intelligence attributes this activity to the IMPERIAL KITTEN adversary.

Tune in to today’s episode of the Adversary Universe podcast, “Iran’s Rise from Nascent Threat Actor to Global Adversary” and learn about the history of cyber threat activity linked to Iran.

CrowdStrike Intelligence collection has identified that contemporary IMPERIAL KITTEN intrusion chains leverage the following tactics, techniques and procedures:

  • Use of public scanning tools, one-day exploits, SQL injection and stolen VPN credentials for initial access
  • Use of scanning tools, PAExec and credential theft for lateral movement
  • Data exfiltration by leveraging custom and open source malware to target Middle Eastern entities

CrowdStrike Intelligence analyzed several malware samples associated with IMPERIAL KITTEN activity, including:

  • IMAPLoader, which uses email for command and control (C2)
  • A similar sample named StandardKeyboard
  • A malware sample that uses Discord for C2 
  • A Python generic reverse shell delivered via a macro-enabled Excel sheet

This next-stage tooling indicates IMPERIAL KITTEN continues to use email-based C2 mechanisms, similar to those used in their Liderc malware family.

Inside IMPERIAL KITTEN’s Activity

IMPERIAL KITTEN is an Iran-nexus adversary with a suspected connection to the Islamic Revolutionary Guard Corps (IRGC). The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements associated with IRGC operations. Its activity is characterized by its use of social  engineering, particularly job recruitment-themed content, to deliver custom .NET-based implants. Historically, IMPERIAL KITTEN has targeted industries including defense, technology, telecommunications, maritime, energy, and consulting and professional services.

Between early 2022 and 2023, CrowdStrike Intelligence observed IMPERIAL KITTEN conduct SWC operations with a focus on targeting organizations in the transportation, logistics and technology  sectors. In a SWC, the adversary attempts to compromise victims based on their shared interest by luring them to an adversary-controlled website. 

To date, the following adversary-controlled domains have served as redirect locations from compromised (primarily Israeli) websites, as well as locations where information collected to profile visitor systems is sent:

  • cdn.jguery[.]org
  • cdn-analytics[.]co
  • jquery-cdn.online
  • jquery-stack.online
  • cdnpakage[.]com
  • fastanalizer[.]live
  • fastanalytics[.]live
  • hotjar[.]info
  • jquery-code-download[.]online
  • analytics-service[.]cloud
  • analytics-service[.]online
  • prostatistics[.]live

Early 2022 SWC domains used the Matomo analytics service1 to profile users who visited the compromised Israeli websites. Later iterations of SWC domains use a custom script to profile the visitor by collecting their browser information and IP address, which is then sent to a hardcoded domain. Previously reported activity targeted organizations in the Israeli maritime, transportation and technology sectors.

Industry and CrowdStrike Intelligence collection reporting have described a malware family tracked as IMAPLoader, which is the final payload of the SWC operations. An analysis of IMPERIAL KITTEN’s campaigns, including the use of IMAPLoader and additional malware families, is below.

Initial Access

Industry reporting indicates in some instances, the adversary directly serves malware to victims from the SWC.2 Consistent with prior CrowdStrike reporting on credential stealers from 2021, there is some evidence that IMPERIAL KITTEN targets organizations, such as upstream IT service providers, in order to identify and gain access to targets that are of primary interest for data exfiltration. 

There is also evidence indicating their initial access vectors consist of:

  • Use of public one-day exploits
  • Use of stolen credentials to access VPN appliances
  • SQL injection
  • Use of publicly available scanning tools, such as nmap
  • Use of phishing to deliver malicious documents

All assessments around initial access methods not previously documented in connection with IMPERIAL KITTEN activity carry low confidence based on uncorroborated single-source reporting.

Phishing

IMPERIAL KITTEN’s phishing operations reportedly include the use of malicious Microsoft Excel documents. While the sample mentioned in October 2023 industry reporting is not publicly available, CrowdStrike Intelligence acquired a similar version of the delivery document. 

The lure is a macro-enabled Excel sheet, likely created in late  2023 (SHA256 hash: b588058e831d3a8a6c5983b30fc8d8aa5a711b5dfe9a7e816fe0307567073aed).  

Once the victim opens the file and enables macros, the document extracts the files runable.bat, tool.bat, and cln.tmp, and a copy of the Python 3.11 interpreter to the system’s %temp% directory. The batch files create persistence via the registry Run key named StandardPS2Key, and run the main Python payload SHA256 hash: cc7120942edde86e480a961fceff66783e71958684ad1307ffbe0e97070fd4fd in 20-second intervals.

The Python payload is a simple reverse shell that connects to a hardcoded IP address on TCP port 6443. The shell sends a predefined challenge GUID (3d7105f6-7ca1-4557-b48e-6b4c70ee55a6) and expects the C2 to respond with a separate GUID (fdee81e1-b00f-4a73-ae48-4a0ee5dee49a) for authentication. The malware then reads commands in a loop, executes them and returns the result. The analyzed version supports the following commands:

  • cd (change working directory)
  • run (start subprocess with command)
  • set timer to (change beacon interval)

The analyzed sample was configured with x.x.x.x as the C2 server. This is not valid and will result in an error — it is likely the result of a test build or third-party modification.

Lateral Movement

There is information to suggest IMPERIAL KITTEN achieves lateral movement through the use of PAExec (the open-source PsExec alternative) and NetScan, and uses ProcDump to dump the LSASS process memory for credential harvesting. Lastly, IMPERIAL KITTEN likely deploys custom malware or open source tooling, such as MeshAgent,3 for data exfiltration. These assessments are made with low confidence as they rely on single, uncorroborated source reporting. 

Adversary Tooling

IMPERIAL KITTEN operations reportedly leverage multiple tools, including custom implants; IMAPLoader and StandardKeyboard, which both use email for C2; and a remote access tool (RAT), which uses Discord for C2.  

IMAPLoader is a malware family distributed as a dynamic link library (DLL) to be loaded via AppDomainManager injection.4 It uses email for C2 and is configured via static email addresses embedded in the malware. Typographical errors in embedded folder names and log messages indicate the author is likely not a native English speaker. While timestamps are not available in most samples, the oldest version was first observed in the wild on September 1, 2022. 

Table 1 gives an overview of the available samples and configured C2 email addresses. All of them share the same functionality, although the last sample (SHA256 hash: 32c40964f75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827) differs in naming of the IMAP folders and has only one configured C2 address, indicating it is possibly a development version.

The malware disguises itself as StreamingUX Updater and persists through a scheduled task of that name. It connects to imap.yandex[.]com over TLS and uses the built-in .NET IMAP library to create two folders for C2, prefixed with a randomly generated UUID (including a typographical error):

  • <UUID>-Recive
  • <UUID>-Send

IMAPLoader uses attachments in email messages to receive tasking and send replies. It hardcodes creation and modification dates of the attachment to 2018-12-05 and 2019-04-05, respectively.

Hash SHA256 C2 Email
989373f2d295ba1b8750fee7cdc54820aa0cb42321cec269271f0020fa5ea006 leviblum@yandex[.]com

brodyheywood@yandex[.]com
fa54988c11aa1109ff64a2ab7a7e0eeec8e4635e96f6c30950f4fbdcd2bba336 justin.w0od@yandex[.]com

n0ah.harrison@yandex[.]com
5c945a2be61f1f86da618a6225bc9d84f05f2c836b8432415ff5cc13534cfe2e giorgosgreen@yandex[.]com

oliv.morris@yandex[.]com
87ccd1c15adc9ba952a07cd89295e0411b72cd4653b168f9b3f26c7a88d19b91 harri5on.patricia@yandex[.]com

d3nisharris@yandex[.]com
32c40964f75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827 hardi.lorel@yandex[.]com

Table 1. IMAPLoader samples and C2 email addresses

Industry reporting also noted IMPERIAL KITTEN deploys a malware family named StandardKeyboard,5 which shares similarities with the IMAPLoader malware family. StandardKeyboard also uses email for C2 communication, and the malicious code uses the same open source .NET library for communicating with IMAP servers.6 Unlike IMAPLoader, this malware persists on the infected machine as a Windows Service named  Keyboard Service, created by the malicious .NET executable WindowsServiceLive.exe (SHA256 hash: d3677394cb45b0eb7a7f563d2032088a8a10e12048ad74bae5fd9482f0aead01). StandardKeyboard’s main purpose is to execute Base64-encoded commands received in the email body. The results will be sent to the following email addresses:

  • itdep[@]update-platform-check[.]online
  • office[@]update-platform-check[.]online

The email subject contains the MAC address of the infected machine prepended by “From: ”. The body of the email contains Base64-encoded information listed in Figure 1, followed by the string Sender: <MAC Address>.

***Order: <command>
***Time: <unused integer value>
***Response: <command output>
***Exit: <command exit code>
***At: <attachment>

Figure 1. Data sent to the C2 after command execution

Before initiating the email communication with the C2, StandardKeyboard verifies the availability of internet connection by contacting Google DNS using ICMP and sending the string hi there.

Finally, CrowdStrike Intelligence collection identified another related malware family, posing as a CV creator that uses a company in the logistics sector as a lure (SHA256 hash: 1605b2aa6a911debf26b58fd3fa467766e215751377d4f746189566067dd5929). The malware is heavily obfuscated and drops an embedded payload after multiple stages of decryption and deobfuscation. It establishes persistence through a scheduled task named Windows\System\System.   

The final stage (SHA256 hash: 3bba5e32f142ed1c2f9d763765e9395db5e42afe8d0a4a372f1f429118b71446) uses Discord for C2 and is most likely related to a phishing campaign observed in March 2022. It contains a rare prefix in its PDB path field of the PE header, which, aside from this sample, is only present in samples of IMAPLoader in CrowdStrike holdings. 

Assessment

CrowdStrike Intelligence attributes the above activity, including the use of SWC and IMAPLoader and related malware families, to the IMPERIAL KITTEN adversary. This assessment, made with moderate confidence, is based on:

  • The continued use of previously reported SWC infrastructure 
  • The continued use of email-based C2 and Yandex email addresses for C2
  • Overlaps between IMAPLoader and the industry-reported SUGARDUMP malware family that targeted Israel-based transportation sector organizations in 20227
  • Continued focus on targeting Israeli organizations in the transportation, maritime and technology sectors, which is consistent with the adversary’s target scope
  •  Use of job-themed decoy and lure content used in their malware operations 

CrowdStrike Intelligence attributes the described initial access and post-exploitation methods to IMPERIAL KITTEN with low confidence. This assessment carries low confidence as it is based on single-source reporting that has not been corroborated.

MITRE ATT&CK

Tactic Technique Observable
Reconnaissance T1590.005 – Gather Victim Network Information: IP Addresses IMAPLoader beacons the victims public IP address obtained via a web service
Resource Development T1584.006 – Compromise Infrastructure: Web Services IMPERIAL KITTEN SWC is mostly based on compromised websites
Initial Access T1189 – Drive-by Compromise IMPERIAL KITTEN distributes malware through SWC
Execution T1059.003 – Command and Scripting Interpreter: Windows Command Shell IMAPLoader collects system information via cmd.exe scripts
T1059.005 – Command and Scripting Interpreter: Visual Basic IMPERIAL KITTEN installs Python backconnect shell via malicious visual basic scripts in Excel documents
T1059.006 – Command and Scripting Interpreter: Python Malicious Excel documents drop Python-based backconnect shell
Persistence T1037.005 – Boot or Logon Initialization Scripts: Startup Items IMAPLoader persists through the registry Run key
Defense Evasion T1055 – Process Injection IMAPLoader executes via AppDomainManager injection
T1140 – Deobfuscate/Decode Files or Information IMAPLoader and SUGARRUSH obfuscate C2 addresses via integer arrays
Discovery T1518.001 – Software Discovery: Security Software Discovery IMAPLoader enumerates installed antivirus software
Collection T1005 – Data from Local System IMAPLoader beacons local system configuration and username to C2
Command and Control T1071.003 – Application Layer Protocol: Mail Protocols IMAPLoader, StandardKeyboard and SUGARRUSH utilize email for C2
T1095 – Non-Application Layer Protocol The Python-based backconnect shell relies on raw sockets for communication
Exfiltration T1041 – Exfiltration Over C2 Channel All malware in this report exfiltrate data directly over the C2 protocol

Table 2. Mapping to the MITRE ATT&CK® framework

Appendix: IMPERIAL KITTEN Infrastructure

Virtual private server VPS infrastructure recently associated with IMPERIAL KITTEN tooling is included in Table 3. CrowdStrike Intelligence currently attributes this infrastructure to IMPERIAL KITTEN with low confidence based on the aforementioned reporting.

Domain IP Address Internet Service Provider
NA 146[.]185.219.220 G-Core Labs S.A.
NA 193[.]182.144.12 Interhost Communication Solutions Ltd.
NA 194[.]62.42.98 Stark Industries Solutions Ltd.
NA 64[.]176.165.70 AS-CHOOPA
NA 95[.]164.61.253 Stark Industries Solutions Ltd.
NA 95[.]164.61.254 Stark Industries Solutions Ltd.
NA 45[.]32.181.118 AS-CHOOPA
NA 193[.]182.144.120 Interhost Communication Solutions Ltd.
NA 64[.]176.164.117 AS-CHOOPA
NA 45[.]155.37.140 SHOCK-1
NA 192[.]71.27.150 Interhost Communication Solutions Ltd.
NA 185[.]212.149.35 Oy Crea Nova Hosting Solution Ltd.
NA 51[.]81.165.110 OVH SAS
NA 82[.]166.160.20 Cellcom Fixed Line Communication L.P.
NA 192[.]52.166.71 ASN-QUADRANET-GLOBAL
NA 162[.]252.175.48 M247 Europe SRL
NA 45[.]93.82.109 LLC Baxet
NA 77[.]91.74.230 Stark Industries Solutions Ltd.
NA 77[.]91.74.21 Stark Industries Solutions Ltd.
NA 195[.]20.17.14 CLOUD LEASE Ltd.
NA 185[.]253.72.206 O.M.C. Computers & Communications Ltd.
NA 185[.]220.206.251 O.M.C. Computers & Communications Ltd.
NA 185[.]241.4.7 O.M.C. Computers & Communications Ltd.
NA 195[.]20.17.198 CLOUD LEASE Ltd.
NA 45[.]93.93.198 O.M.C. Computers & Communications Ltd.
NA 83[.]229.81.175 O.M.C. Computers & Communications Ltd.
NA 146[.]185.219.97 G-Core Labs S.A.
NA 193[.]182.144.175 Interhost Communication Solutions Ltd.
NA 103[.]105.49.108 VMHaus Limited
NA 185[.]105.0.84 G-Core Labs S.A.
NA 45[.]81.226.38 Zomro B.V.
NA 149[.]248.54.40 AS-CHOOPA
NA 194[.]62.42.243 Stark Industries Solutions Ltd.
NA 94[.]131.114.32 Stark Industries Solutions Ltd.
NA 45[.]8.146.37 Stark Industries Solutions Ltd.
NA 45[.]155.37.105 SHOCK-1
NA 163[.]182.144.239 NATURALWIRELESS
NA 64[.]176.172.26 AS-CHOOPA
NA 77[.]91.94.151 Clouvider Limited
NA 95[.]164.18.234 Stark Industries Solutions Ltd.
NA 74[.]119.192.252 Stark Industries Solutions Ltd.
NA 82[.]166.160.26 Cellcom Fixed Line Communication L.P.
NA 64[.]176.165.229 AS-CHOOPA
NA 193[.]182.144.52 Interhost Communication Solutions Ltd.
NA 64[.]176.171.141 AS-CHOOPA
blackcrocodile[.]online 217.195.153[.]114 Shock Hosting
updatenewnet[.]com Prev: 45.155.37.105 Edis Gmbh
link.mymana[.]ir 193.182.144[.]52 Edis Gmbh
NA 193.182.144[.]239 Edis Gmbh
NA 64.176.165[.]229 Choopa
NA 64.176.171[.]141 Choopa
NA 64.176.165[.]70 Choopa
NA 95.164.61[.]253 Stark Industries Solutions Ltd.
NA 95.164.61[.]254 Stark Industries Solutions Ltd.

Table 3. IMPERIAL KITTEN infrastructure

Footnotes

  1. https://github.com/matomo-org/matomo
  2. https[:]//www.pwc[.]com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
  3. https[:]//github[.]com/Ylianst/MeshAgent
  4. https[:]//pentestlaboratories[.]com/2020/05/26/appdomainmanager-injection-and-detection/
  5. https[:]//www.pwc[.]com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
  6. https[:]//github[.]com/smiley22/S22.Imap
  7. https://www.mandiant[.]com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping

Additional Resources

Securing the Generative AI Boom: How CoreWeave Uses CrowdStrike to Secure Its High-Performance Cloud

✇CrowdStrike
By: Gui Alvarenga
13 November 2023 at 16:35

CoreWeave is a specialized GPU cloud provider powering the AI revolution. It delivers the fastest and most consistent solutions for use cases that depend on GPU-accelerated workloads, including VFX, pixel streaming and generative AI. 

CrowdStrike supports CoreWeave with a unified, AI-native cybersecurity platform, protecting  CoreWeave’s architecture by stopping breaches. What follows is a summary of how CoreWeave uses CrowdStrike Falcon Cloud Security to secure both its cloud infrastructure and the cloud workloads of its customers, as shared in a presentation at Fal.Con 2023.

Watch the Fal.Con 2023 recording: How CoreWeave Secured Cloud Infrastructure and AI Applications with Falcon Cloud Security

Complete Visibility and Protection

To meet the growing demand for its cloud services, CoreWeave needed a modern security platform that met two main requirements: It had to be capable of scaling with CoreWeave, and it couldn’t cause any performance slowdowns, as organizations rely on CoreWeave for its highly efficient processing power. 

After a successful proof of concept with CrowdStrike — in which CoreWeave engineers observed no performance impact after deploying the Falcon sensor on a test cluster — CoreWeave licensed the Falcon platform along with several platform modules, including CrowdStrike Falcon® Insight XDR endpoint detection and response, CrowdStrike Falcon® Prevent next-generation AV and Falcon Cloud Security. 

Within two weeks, the Falcon sensor had been deployed across all worker nodes at CoreWeave, providing the visibility and protection needed. 

On stage at Fal.Con 2023, CoreWeave’s CISO talked about the importance of visibility to see every asset, including endpoints, cloud nodes, apps working on the endpoints and services running on cloud nodes. He also discussed the value of a unified cloud-native application protection platform (CNAPP) to provide one console and one platform for managing all of the different areas of a cloud workflow — down to containers, pods and nodes.

For CoreWeave, the foundation of strong cloud security starts by deploying the Falcon sensor at the bottom of its tech stack. 

Figure 1. CoreWeave deployed the Falcon sensor at the bottom of its tech stack (click to enlarge)

Once CoreWeave deploys its systems into the Kubernetes cluster, the Falcon DaemonSet runs across every node. This does two things: Every time CoreWeave powers up a new node and brings it into its fleet, the company automatically gets detection and response capabilities from CrowdStrike. And by having the Falcon sensor at the bottom layer, the company doesn’t have to worry about higher-level networking issues impacting its security.

How CoreWeave Responds to Detections

CoreWeave responds to a Falcon alert in three steps: detect, investigate and triage.

For detections, CoreWeave relies in part on alerts generated by both CrowdStrike® Falcon OverWatch™ — a CrowdStrike service that provides 24/7 managed threat hunting — as well as CoreWeave security staff who monitor Falcon dashboards. 

When an alert comes in, CoreWeave security staff can see the hostname that may have been compromised and the container ID — both of which help determine what triggered that alert. From there, the team can drop that container ID into the search of Falcon Cloud Security to see details such as host ID and container name, allowing it to zero in on where the container is running in the infrastructure. 

This capability allows security teams to quickly identify and remediate the potential threat. Because CoreWeave effectively sells its cloud infrastructure to customers, CoreWeave uses this information to communicate with any customer whose workload was potentially compromised so they can triage it together and stop the threat before any damage is done.

One Platform for Endpoint-to-Cloud Protection

Every Falcon product module CoreWeave uses is deployed on the unified, AI-native Falcon platform. By consolidating its cybersecurity with CrowdStrike, CoreWeave has been able to respond to threats faster, reduce complexity and streamline provisioning. Critically, having one sensor deployed across its entire IT infrastructure — from endpoint to cloud — gives CoreWeave the context needed to respond to potential threats appropriately. 

Figure 2. The Falcon platform centers around a streamlined, single-agent architecture (click to enlarge)

In many cases, the Falcon platform kills the threat automatically. As CoreWeave’s CISO explained, this saves the company hundreds of hours a year in unnecessary triage. 

For instances that require CoreWeave to triage, the team can act decisively based on context provided by the Falcon platform, which collects and analyzes trillions of endpoint events per week from millions of sensors deployed across 176 countries. CoreWeave supplements this information with CrowdStrike threat intelligence to better understand the nature of the situation. 

All told, CrowdStrike’s industry-leading threat intelligence helps CoreWeave understand any adversaries targeting the company and its customers, enabling CoreWeave to stop them.

This encapsulates the value of the Falcon platform for CoreWeave. The company has its host and servers, which are covered with detections. It’s then able to increase the value of those detections with CrowdStrike threat intelligence to figure out what’s happening and how to fix it.

With CrowdStrike, CoreWeave is able to provide a highly performant, scalable and secure cloud infrastructure to power the generative AI boom and beyond. 

Additional Resources

CrowdStrike Brings AI-Powered Cybersecurity to Small and Medium-Sized Businesses

✇CrowdStrike
By: Daniel Bernard
15 November 2023 at 13:36

Cyber risks for small and medium-sized businesses (SMBs) have never been higher. SMBs face a barrage of attacks, including ransomware, malware and variations of phishing/vishing. This is one reason why the Cybersecurity and Infrastructure Security Agency (CISA) states “thousands of SMBs have been harmed by ransomware attacks, with small businesses three times more likely to be targeted by cybercriminals than larger companies.” 

In a desperate attempt to defend themselves, SMBs often turn to traditional antivirus (AV) software and even off-the-shelf consumer AV solutions. But these offerings simply can’t keep up with modern attacks. Referred to as “legacy AV,” these solutions are reactive and only able to defend against known malware or ransomware previously cataloged by the AV provider. This is too slow and reactive to stop modern adversaries. It only takes one attack to slip through legacy defenses to bring a business to a halt, or worse, result in a company-ending event.  

Legacy AV is also difficult to manage, especially with limited IT and security staff. The average deployment of these products is three months. In addition, they require quite a bit of tuning and manual configuration to be fully functional, adding to the operational burden of managing and updating legacy security tools.

Uncertain of which cybersecurity offering to buy and then deploy, many businesses throw up their hands in defeat. One poll shows 60% of SMBs use no cybersecurity measures at all. 

SMBs deserve cybersecurity that’s simple, affordable and effective. Today, we’re announcing a new release of CrowdStrike Falcon® Go to bring our industry-leading, AI-powered cybersecurity protection to SMBs in a package that’s never been easier to purchase, install or operate. 

SMBs Need Cybersecurity That Works

CrowdStrike knows how cybercriminals work and why they target SMBs. We also understand SMBs are often understaffed, resource-constrained and lack in-house security expertise. 

Falcon Go delivers award-winning cybersecurity to protect SMBs against ransomware, malware  and unknown threats. This simple yet powerful solution leverages modern technology, including machine learning, behavioral detection and AI, to deliver best-in-class protection against the cyber threats of today and tomorrow. With Falcon Go, small businesses can get the same enterprise-grade protection trusted by the world’s largest organizations and governments in a simple user experience designed for their needs.

SMBs no longer need to worry about staying ahead of evolving cyber threats. Powering Falcon Go is the world’s leading AI-native CrowdStrike Falcon® platform, which collects and analyzes trillions of endpoint events per week, giving SMBs the power of the crowd in a solution that even non-technical staff can use to keep their business safe. 

While other SMB cybersecurity solutions may offer simplicity, businesses need security that actually stops breaches. The Falcon platform scored 100% ransomware prevention in SE Labs testing, demonstrating that SMB cybersecurity can be both simple and effective.

Frictionless Purchasing and Installation in Seconds

CrowdStrike is making it easy for SMBs to purchase elite protection and quickly protect their company. Starting today, Falcon Go is available on Amazon Business, allowing SMBs to purchase industry-leading cybersecurity from the same website that millions of businesses use to purchase everyday business items.

Once purchased, users can instantly download and install Falcon Go to begin preventing threats with a guided setup wizard that recommends pre-configured protection levels. With Falcon Go, small businesses can immediately see which devices are protected and any threat activity, with guided and automated next steps to resolve security concerns. Falcon Go also makes it easy to expand protection to new devices, allowing the solution to support business growth. 

SMBs need simple, fast, modern cybersecurity to stop breaches at a price they can afford. With the release of Falcon Go, small businesses can get AI-powered, award-winning cybersecurity with easy purchasing, installation and operations to stop modern cyberattacks. 

To get started with a free trial of Falcon Go, visit the CrowdStrike website.

Additional Resources

November 2023 Patch Tuesday: 58 Vulnerabilities Including Three Actively Exploited Zero-Days

✇CrowdStrike
By: Falcon Spotlight Team
15 November 2023 at 17:27

Microsoft has released security updates for 58 vulnerabilities, including five zero-days, three of which are being actively exploited. One of the zero-days (CVE-2023-36025) is a Windows SmartScreen Security Feature Bypass Vulnerability, the second (CVE-2023-36033) is a privilege escalation vulnerability in the Windows DWM Core Library, and the third (CVE-2023-36036) is another privilege escalation vulnerability affecting the Windows Cloud Files Mini Filter Driver. Three of the 58 vulnerabilities addressed today are rated as Critical, and the remaining 55 are rated as Important. 

November 2023 Risk Analysis

This month’s leading risk type is elevation of privilege (28%), followed by remote code execution (26%) and spoofing (17%).

Figure 1. Breakdown of November 2023 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month (32), followed by Extended Support Updates (17).

Figure 2. Breakdown of product families affected by November 2023 Patch Tuesday

Actively Exploited Zero-Day Vulnerability Enables Windows SmartScreen Security Feature Bypass

Windows SmartScreen has received a patch for CVE-2023-36025. According to Microsoft, by exploiting this vulnerability, “The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts.” This vulnerability requires user interaction — the user would have to click on a specially crafted internet shortcut (.URL) or a hyperlink pointing to an internet shortcut file in order to be compromised by the attacker.

Severity CVSS Score CVE Description
Important 8.8 CVE-2023-36025 Windows SmartScreen Security Feature Bypass

Table 1. Zero-day in Windows SmartScreen Security Feature

Actively Exploited Zero-Day Vulnerability Affects Windows DWM (Desktop Window Manager) Core Library

CVE-2023-36033 is a publicly disclosed vulnerability affecting the Windows DWM Core Library. This vulnerability could allow an attacker to gain SYSTEM privileges.

Rank CVSS Score CVE Description
Important 7.8 CVE-2023-36033 Windows DWM Core Library Elevation of Privilege Vulnerability

Table 2. Zero-day in Windows DWM Core Library

Actively Exploited Zero-Day Affects Windows Cloud Files Mini Filter Driver

CVE-2023-36036 is another vulnerability affecting the Windows Cloud Files Mini Filter Driver being exploited in the wild. Successful exploitation of this flaw could allow an attacker to gain SYSTEM privileges.

Severity CVSS Score CVE Description
Important 7.8 CVE-2023-36036 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Table 3. Zero-day affecting Windows Cloud Files Mini Filter Driver

Critical Vulnerabilities 

CVE-2023-36397, a remote code execution vulnerability rated as Critical, affects Windows Pragmatic General Multicast. To successfully exploit this vulnerability, an attacker would have to send a specifically crafted malicious MSMQ packet to a MSMQ server, leading to remote code execution. This Windows component needs to be enabled for a system to be vulnerable. Microsoft recommends checking if the Message Queuing service is running and TCP port 1801 is listening on the machine; if the service is running and not in use, consider disabling.

CVE-2023-36400, a privilege escalation vulnerability rated as Critical, affects Windows HMAC Key Derivation. If exploited, this could allow an attacker to gain SYSTEM privileges. According to Microsoft, “A successful attack could be performed from a low privilege Hyper-V guest. The attacker could then traverse the guest’s security boundary to execute code on the Hyper-V host execution environment.”

CVE-2023-36052 is a Critical vulnerability affecting Azure CLI commands. An attacker could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions in public repositories. Customers using the affected CLI commands must update their Azure CLI version to 2.53.1 or above to be protected against the risks of this vulnerability, Microsoft says. This also applies to customers with log files created using these commands through Azure DevOps and/or GitHub Actions.

Rank CVSS Score CVE Description
Critical 9.8 CVE-2023-36397 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
Critical 8.8 CVE-2023-36400 Microsoft Office Remote Code Execution Vulnerability
Critical 8.6 CVE-2023-36052 Azure CLI REST Command Information Disclosure Vulnerability

Table 4. Critical vulnerabilities in Windows and Azure

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j and ProxyNotShell, not every highly exploitable vulnerability can be easily patched. It’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources

5 Tips to Defend Against Access Brokers This Holiday Season

✇CrowdStrike
By: Bart Lenaerts-Bergmans
16 November 2023 at 14:58

The holiday season brings a shift in how people and businesses operate: Some companies may partially shut down, leaving only a skeleton crew to manage their IT environments, while others head into their busiest time of year. This seasonal change in staffing and business operations, combined with the general holiday distraction, often creates risk and makes organizations more vulnerable to cybercrime.

Access brokers — the threat actors who gain and sell access to organizations and simplify eCrime for other cybercriminals — are especially active during this time of year. CrowdStrike data reveals spikes in access broker activity toward year’s end. They capitalize on these seasonal shifts to craft holiday social engineering campaigns, steal more information and make more money by selling their findings to threat actors on underground forums.

Here, we discuss how the threat landscape typically changes during the holidays, how access brokers fit into the cybercrime ecosystem and adapt their activity for this busy time of year, and how organizations can prepare for a safe and secure season.

Meet the Access Brokers

Access brokers have become a pivotal part of the eCrime ecosystem by selling victim access to other threat actors and facilitating myriad criminal activities. Their operations continue to grow: CrowdStrike observed a 147% increase in access broker advertisements across criminal underground communities from July 2022 to June 2023.

Many access brokers have relationships with big game hunting (BGH) ransomware operators and affiliates of prolific ransomware-as-a-service (RaaS) programs. The holiday season is a prime opportunity for ransomware operators to launch ransomware campaigns, extort victims and find potential targets. Access brokers support ransomware operators with this last task by capitalizing on holiday changes to breach organizations and sell access to other adversaries.

In order to defend against access brokers, you must first understand how they operate.

Many access brokers carefully study their victims. They analyze organizations’ attack surfaces to find vulnerabilities they can exploit or use sophisticated social engineering techniques to trick employees and steal credentials. Access brokers seek the path of least resistance into an organization and have quickly adapted as endpoint detection and response (EDR) capabilities have evolved to better detect them. The use of custom malware to gain initial access has dropped substantially — 71% of intrusions in 2022 were malware-free — as threat actors favor more subtle attack methods.

Access brokers are highly organized. They advertise access to victims on underground forums, often categorizing their offerings with contextual details such as business vertical, revenue and asset exploitation. This information is especially valuable to big game hunters selecting their next victim. In some cases, access brokers may eliminate upfront costs for downstream ransomware operators using a profit sharing model. These announcements strengthen the collaboration between access brokers and big game hunters, making the eCrime ecosystem a formidable opponent for all organizations.

Why Access Brokers Welcome the Holidays

Over the past year, access broker advertisements peaked right before and after the holiday season. Spikes were also observed the week before Easter as well as the beginning of the new academic year. While this pattern is not set in stone, access brokers seem to be more active during these moments for several reasons:

  • Leaner staff: IT and security teams may have a skeleton staff during the holidays, leaving fewer people to handle detection tuning, threat hunting or patching. As a result, access brokers have more opportunities to break in unnoticed. Dwell time (the time before getting detected) is likely longer during these low-staff moments, giving access brokers a bigger window of opportunity to get in, steal more data and sell it.
  • It’s vacation time: Employees often take time off during this time of year. Some may have forgotten their passwords by the time they come back from a week’s holiday. When requesting new credentials, users are more vulnerable to phishing attacks. Access brokers know when users come back and have greater success when many users request new credentials.
  • More distractions: IT support or help desk teams may cover only the bare essentials, skipping regular security best practices. Access brokers have recently impersonated regular users and opened support calls to obtain access. If the IT team doesn’t properly validate their information, for example, the attacker will have an easier path in.
  • Business is booming: Industries such as the retail, hospitality and travel sectors enter one of their busiest times of the year. They are in a weaker position during the extortion process because they need to keep business running during the busy season and avoid regulatory violations. With this knowledge in mind, access brokers will advertise access to these organizations at the right moment, with adjusted pricing, knowing other adversaries will want to strike.

Let’s take a closer look at the most popular tactics access brokers use to gain entry into victim organizations.

Well-crafted Social Engineering Campaigns

One of the most notorious actors discovered in 2023, known for both access brokerage and big game hunting, used advanced social engineering to harvest credentials. The actor targeted multiple verticals such as consumer goods, telecommunications and real estate. In many cases, ransomware was deployed.

Throughout these incidents, the adversary was consistent in using social engineering tactics to bypass multifactor authentication (MFA). They relied on a combination of credential-harvesting websites, SMS phishing, SIM swapping, MFA push-notification fatigue and social engineering via vishing to obtain initial access. Once inside, the adversary avoided using unique malware, instead favoring a wide range of legitimate remote management tools to maintain persistent access.

This actor succeeded because they very carefully studied their victims and knew how to impersonate them later. During the holidays, when users are more relaxed and staff is short, access brokers using similar tactics can increase their chance of success.

Web Exploitation and Living-off-the-Land

Another common access broker method involves exploitation of public-facing applications and remote code execution vulnerabilities to gain access. Once inside, the threat actor becomes persistent by deploying standard web shell mechanisms to harvest information related to machine identities (SSH keys, RSA keys). Using standard command-line tools, the actor can even clear system logs to evade detection.

How to Defend Against Access Brokers During the Holidays and Beyond

  1. Understand your environment: The age-old adage You can’t protect what you can’t see” has never been so true. Over the past few years, organizations have accelerated  their use of cloud infrastructure, resulting in a larger digital footprint. Security teams must gain an outside-in view of their full enterprise attack surface in order to identify areas of exposure and close security gaps. Don’t wait for the adversary to strike. Map your assets, visualize attack paths and address them.

 

  1. Prioritize identity protection: The rise in malware-free attacks, social engineering and similar attempts to steal and use credentials drives the need for strong identity protection. CISA’s Shields Up initiative urges organizations to enforce MFA and identify and quickly assess unusual network behavior. Conditional risk-based access policies are advised to reduce the burden of MFA for legitimate users.

Social media training is crucial: Don’t announce department shutdowns or IT service changes on social media, and instruct employees to refrain from sharing personal data on social channels. Train staff to avoid sharing credentials in support calls, emails or tickets. And finally, don’t publish executive or IT contact details on the company website — it may aid adversaries in impersonation efforts.

 

  1. Strengthen cloud protection: The number of observed cloud exploitation cases grew by 95% year-over-year in 2022. Adversaries are aggressively targeting cloud infrastructure and using a broad array of tactics, techniques and procedures to compromise critical business data and applications in the cloud. Stopping cloud breaches requires agentless capabilities to protect against misconfigurations, control-plane and identity-based attacks, and also runtime security to protect cloud workloads.

 

  1. Know your adversary: Organizations spend vast amounts of time and money fighting ghosts and noisy alerts, never knowing the “who, why and how” behind cyberattacks. If you don’t understand your adversary, you are poorly prepared to face them.

Invest in threat intelligence that exposes the humans behind the attack, as well as their motivation, capabilities and tools. Use threat intelligence that continuously scans underground forums for exposed identities and leaked data, and notifies the security team when company credentials are detected. Monitor for websites or newly created domains that mimic your organization. If you don’t have time or resources, work with a third party to mitigate the risk of these look-alike websites.

 

  1. Practice makes perfect: Encourage an environment that routinely performs tabletop exercises and red/blue teaming to identify gaps and eliminate weaknesses in your cybersecurity practices and response.

Prepare how to outpace the adversary with comprehensive visibility into what’s happening on your endpoints. Hunt for hidden intruders by looking for web shells and remote monitoring tools that may be active in your environment. Seek support from expert teams that know access brokers and their tools to help mitigate hidden threats.

 

Access brokers continue to conduct advanced exploitation, social engineering and spear-phishing attacks to gain and sell credentials throughout the year. The end of the year is an ideal time for them to act: IT support organizations are distracted, security teams have a skeleton staff and users request new credentials when they return. Implement strong defenses and don’t let access brokers stuff their stockings with your credentials during the holidays.

Additional Resources

Endpoint and Identity Security: A Critical Combination to Stop Modern Attacks

✇CrowdStrike
By: Venu Shastri
17 November 2023 at 17:43

Today’s adversaries increasingly use compromised credentials to breach target environments, move laterally and cause damage. When attackers are logging in — not breaking in — legacy  endpoint security offers little help in detecting and stopping breaches.

Exacerbating the problem is an expanding attack surface, largely due to the growth of remote work and evolving supply chains. Today, nearly 25% of modern attacks start at unmanaged hosts such as contractor laptops — parts of the supply chain where organizations often lack direct control over endpoints. 

Download the CrowdStrike ebook, “Stay One Step Ahead of Identity Thieves

Legacy endpoint solutions primarily look for malicious code execution to detect attacks and are unable to detect or stop identity-based threats when the adversary uses valid credentials. Many organizations either don’t have the means to stop identity-based attacks or struggle with multiple point solutions for endpoint and identity security that drive cost and complexity while slowing down response times. 

Read on to learn how unifying endpoint and identity security under the CrowdStrike Falcon® platform can help you stop modern attacks.

Case Study: Land O’Lakes 

Land O’Lakes is an American agricultural cooperative with 9,000 employees and manufacturing operations spanning 60 countries. In the words of Dan Oase, Land O’Lakes Director of Cybersecurity, “That’s a lot of identities to secure.” 

Oase spoke on stage at Fal.Con 2023 about how the company uses CrowdStrike for identity protection: “We think of identities in terms of creating identities, managing identities and securing identities … We use Falcon Identity Protection to safeguard our Active Directory and complement our IAM.”

Watch the Fal.Con 2023 session, “Stop Modern Attacks: Extending Endpoint Security with Identity Protection,” featuring Land O’Lakes

Oase emphasized the importance of speed, citing how cracking an 8-figure password used to take years; now it takes only minutes, thanks in part to advancements in AI. With adversaries getting faster, Land O’Lakes relies on a full suite of Falcon platform modules — including CrowdStrike Falcon® Insight XDR for endpoint detection and response and Falcon Identity Protection — to outpace modern attacks and stop breaches.

“CrowdStrike provides the ‘easy button’ to add identity protection via a single agent and unified platform covering endpoint and identity. This translates into immense value to us as a customer in terms of faster responses, lower costs and better security outcomes,” said Oase.

Oase shared how Falcon Identity Protection delivers real value for Land O’Lakes, compared to before CrowdStrike:

  • 92% faster at investigating and responding to identity-related attacks and anomalies
  • 90% less time spent manually auditing identity hygiene
  • 85% less time prioritizing vulnerabilities
  • 80% reduction in accounts with excessive permissions
  • Consistent removal of stale accounts
  • Immediate and automated response to compromised passwords

As a cybersecurity veteran who’s built world-class security operations at several companies, Oase went deep into the technical aspects of the Falcon identity deployment, covering continuous monitoring, privileged accounts, conditional access policies and other topics. If you’re a security practitioner looking for identity best practices, watch the Fal.Con 2023 session

Making the Case for Unified Endpoint and Identity Security

Identity-related attacks are a serious and growing problem. Consider the numbers:  

  • Over 80% of cyber incidents in 2021 involved the misuse of valid credentials to access an organization’s network, as revealed in the CrowdStrike 2022 Global Threat Report.
  • Kerberoasting attacks, a form of identity-based threat, increased an alarming 583% year-over-year, according to the CrowdStrike 2023 Threat Hunting Report.
  • The same report reveals a 147% increase in access broker advertisements, which often sell compromised credentials, on the dark web.
  • 90% of Fortune 1000 companies rely on Microsoft Active Directory (AD) despite its constant flow of vulnerabilities. 
  • Microsoft AD is a top target due to the access and information it holds. One survey found 50% of organizations have experienced an AD attack in the last couple of years, and 40% of those attacks were successful.

If you’re one of the nearly 75,000 organizations that use AD, combining endpoint and identity security under a single platform can help you stop breaches by providing comprehensive defense against adversaries seeking privileged company data. 

How the Falcon Platform Strengthens Defense

CrowdStrike delivers its market-leading endpoint and identity protection from the AI-native Falcon platform, which uses one lightweight agent to provide:

Comprehensive visibility

CrowdStrike Falcon® Identity Protection offers complete visibility into AD and cloud-based identity solutions, such as Microsoft Entra ID (formerly Azure Active Directory). The Falcon platform uses data collected from on-premises and cloud user directories to create a baseline for normal user behavior and detect anomalous activity across endpoints and identities, eliminating the security gaps created by siloed security tools.

Real-time protection

By deploying CrowdStrike endpoint and identity security solutions together, you can block malicious authentication at the AD level and stop adversaries from gaining access, regardless of whether the endpoint is managed. 

Risk-based response

Falcon Identity Protection continuously monitors user behavior and context based on both identity and endpoint telemetry to compute risk scores, which allows it to dynamically enforce multifactor authentication when the risk level has increased, providing an extra layer of security.

Single Agent, Unified Platform 

These capabilities are difficult to achieve with standalone tools. Organizations are looking to replace point solutions with a unified cybersecurity platform to eliminate gaps between endpoints, identity and cloud workloads, while reducing the number of agents they manage.

CrowdStrike endpoint customers can easily deploy Falcon Identity Protection with no deployment overhead. Simply enable the platform module, and the Falcon sensor immediately starts defending against identity-based attacks.

The Falcon platform is the only adversary-focused AI-powered security platform that brings together endpoint and identity telemetry and correlates it with threat intelligence and the latest adversary tradecraft. This unified platform approach not only provides better and faster detections with full attack-path visibility, it allows you to automate policy-based responses and eliminate manual correlation of threats, thereby improving SOC efficiency.

CrowdStrike endpoint and identity security solutions offer complete coverage of MITRE TTPs

 

The graphic above shows how CrowdStrike’s unified approach to endpoint and identity security fares against MITRE ATT&CK® tactics, techniques and procedures (TTPs). As a market leader in endpoint detection and response (EDR), CrowdStrike has long protected customers from execution, command and control, exfiltration and more. By adding Falcon Identity Protection to their endpoint deployment, customers can benefit from full protection against adversary tactics that leverage valid accounts, such as initial access, lateral movement and privilege escalation.

Put simply: CrowdStrike customers of endpoint and identity security can receive the strongest coverage against adversary TTPs from a single, unified platform.

Get Started with Falcon Identity Protection

Today’s attackers use legitimate credentials to bypass endpoint security solutions. By unifying endpoint and identity security on the Falcon platform, organizations can get robust protections against identity-related attacks, while realizing the other benefits of cybersecurity consolidation.

Get started with Falcon Identity Protection using our complimentary Active Directory Risk Review. This one-on-one session with a CrowdStrike identity expert will delve into your AD hygiene and expose compromised passwords, over-privileged accounts and other best practices to help you stop identity-related attacks

Additional Resources

The Difference Between Securing Custom-Developed vs. Commercial Off-the-Shelf Software

✇CrowdStrike
By: Jacob Garrison
17 November 2023 at 23:33

Modern applications are designed to process, use and store vast amounts of sensitive data. As adversaries seek to infiltrate these applications, IT and security teams must ensure the software they use has the strongest possible security. The first step to implementing strong application security is understanding the type of application you need to protect.

The two types of applications security teams must be familiar with are custom-developed software and commercial off-the-shelf (COTS) software. In this blog, we explain the differences between custom-developed applications and COTS applications and how each type of application is secured.

What Is Custom-Developed Software?

The crucial difference between these two types of applications is who owns the source code — the set of computer instructions that accomplishes some task. Every application is built from source code, and that source code is created by software developers. Modern programming languages you’re likely to encounter in source code include Java, Python, .NET, Node.js and Go.

Custom software consists of proprietary source code, which is typically owned by the developer or company that created it. If you’re interfacing with proprietary source code, then you’re managing custom-developed software — software that is “built in-house” to fulfill a specific business requirement. Companies either sell their custom-developed applications or use them for internal business needs.

Here’s an example. Suppose you work in security at a company called Math Tutors. The company’s developers created the Python code shown below.

Customers have purchased version 1.0.0 of your software, and you’re responsible for ensuring the custom-developed Python code is secure.

One day, you realize your “sum” function leaks proprietary data when the user enters a non-integer. Your developers add error handling to the sum function to secure it. The updated source code is shown below.

After securing your custom-developed software, you release version 1.1.0 of your product. When customers purchase your software, it’s their responsibility to upgrade to the latest version, meaning they must now use version 1.1.0 to ensure they’re using the most secure version of your software.

How Are Custom-Developed Applications Secured?

Securing custom software begins before writing the first line of code. Once functional requirements are defined, architects lay out the initial design. The architecture should then go through a threat model where the likely attack vectors are analyzed. After the initial threat model is complete and design changes implemented, software development begins.

Most modern software teams use some form of Agile software development. With Agile development, the software is iterated over time and updates occur on a regular basis. The scope of work is decomposed into stories, which typically include small feature implementations (building a new capability) or bug fixes (fixing problems in existing code). Stories that are not actively being worked on are placed in the backlog. When the security team needs developers to fix a security issue, they create a story that lives in the backlog until the development team is able to resolve the problem.

With the “shift left” approach to security, vulnerable code detection begins during development through software composition analysis (SCA), static application security testing (SAST) and dynamic application security testing (DAST). These tools are effective at isolating unique instances of vulnerable code.

The most challenging aspect of securing custom software is finding the weaknesses that lurk in production. Common issues that plague application security include:

  • Unauthenticated APIs
  • Unknown sensitive data stores or data flows
  • Internet-facing microservices
  • Third-party communication

What makes this set of issues particularly challenging is they frequently deviate from the original design. This is why having visibility into what’s deployed in production is essential. When the true architecture is unknown, inferred or outdated, it’s difficult to detect and prioritize security weaknesses. This can lead teams to rely solely on security scanning tools, which tend to provide an overwhelming list of vulnerabilities.

The most effective solution to this problem is application security posture management (ASPM). ASPM provides specific remediation advice based on the real-time status of your software architecture. You not only receive a concise list of the highest priority security weaknesses, but you can also speak clearly to engineering teams about the business impact of vulnerabilities.

Figure 1. With its powerful ASPM capabilities, CrowdStrike Falcon® Cloud Security shows a list of all internet-facing microservices that access personally identifiable information (PII) data and contain critical vulnerabilities

 

To learn more about preventing breaches in custom-developed software, check out how CrowdStrike Falcon Cloud Security delivers powerful ASPM capabilities as part of a unified cloud-native application protection platform (CNAPP) to offer full-stack protection for your applications.

What Is Commercial Off-the-Shelf Software?

COTS software is built for commercial use and is readily available for purchase. If you pay for application access but can’t see the source code, you’re working with commercial-off-the-shelf software.

When the application is paid for on a recurring basis, you’re purchasing software as a service (SaaS). SaaS is a revenue model, but the terms COTS and SaaS are often used synonymously.

Now, think back to the Math Tutors example, but this time, imagine you work in security at a different company called Math Learners and you’re using the software that Math Tutors developed. From your perspective, the application is a COTS application. Rather than seeing source code, your view of the application will look like the screen shown below.

When version 1.1.0 of the application is released, your team at Math Learners is responsible for upgrading your systems to ensure the vulnerability is patched and they use the secure version. Even though you don’t notice a visible change, upgrading the version adds security fixes to the software.

Common examples of COTS applications that organizations purchase include Google Workspace, Microsoft Outlook and many others. Each of these applications is considered “custom-developed” by the organizations selling them.

How Are COTS Applications Secured?

Purchasing COTS software introduces several security responsibilities. The steps for initial setup and continuous monitoring are as follows:

  1. Perform a security review of the COTS vendor and application.
  2. Provision access to the necessary members of your organization.
  3. Continuously monitor:
  • Application programming interface (API) connections between internal custom developed applications and the COTS application
  • Individual access permissions and configuration
  • Data transmitted to (and from) the COTS application

From a security perspective, the first step to introducing new COTS software to an organization is to understand the risks. Vendors will not typically share source code, so customers must rely on a limited scope of information. You may consider asking for:

  • A recent penetration test
  • A software bill of materials (SBOM)
  • Documentation on a vendor’s software development lifecycle (SDLC)
  • Certifications such as SOC 2 or ISO
  • Customer references
  • Data access rights in the terms and conditions

Each of these items can give a deeper understanding of the COTS software security posture, but there will always be inherent risk when using another company’s software.

Once the software is approved, the next step is to grant access to the appropriate users. This may be done through role-based access control if entire departments will use the software, or discretionary access control if only certain users need the application.

With access granted, it’s vital to monitor COTS applications continuously. The first area to manage is software-to-software access. This type of access occurs via the APIs that software developers create.

A successful implementation of API management includes an inventory of all API calls to COTS applications. The API inventory should update as software developers create and remove APIs, and note all APIs transmitting sensitive data. ASPM tools automatically generate a comprehensive list of API calls to third-party applications.

Figure 2. A graphical representation of COTS APIs shown in Falcon Cloud Security

 

The second area to manage is user provisioning. Security teams must audit and update user access to COTS applications regularly. Additionally, security teams are responsible for managing the configuration of COTS applications. Both identity access management (IAM) and SaaS security posture management (SSPM) help ensure COTS configurations are correct.

The third area to manage is sensitive data transfer. Detecting and preventing unauthorized data egress requires a data protection solution. The data protection solution should combine content with context to provide deep real-time visibility into what is happening with your sensitive data, including data artifacts, as they move from the source to the destination, which could be COTS applications.

Consider the following scenario, for example:

  1. A sensitive file is downloaded.
  2. The contents are copied to a spreadsheet.
  3. Smaller chunks of the data are copied to another sheet and moved to a personal google drive.

Data protection solutions provide the complete flow, along with who performed the actions and where this data landed.

How CrowdStrike Helps Secure Custom and COTS Software

Both custom and COTS software present unique challenges, but visibility is crucial in both cases. Both custom and COTS software present unique challenges, but visibility is crucial in both cases. With Falcon Cloud Security and CrowdStrike Falcon® Data Protection, you can keep track of your organization’s use of COTS software and prevent data loss.

The CrowdStrike Falcon platform provides insights on both your custom developed applications and third-party software use. To learn more, request a demo.

Additional Resources

Eliminate Repetitive Tasks and Accelerate Response with Falcon Fusion

✇CrowdStrike
By: Paola Miranda
20 November 2023 at 18:38

Adversaries are becoming more sophisticated and faster with their attacks. According to the CrowdStrike 2023 Threat Hunting Report, the average eCrime breakout time is just 79 minutes. This is partly due to adversaries taking advantage of tools that leverage automation like password-cracking tools, exploit kits for web browser vulnerabilities, and marketplaces that sell stolen data. Automation is making their jobs easier and more efficient and is yielding more profitable results, putting security teams at a disadvantage. Attackers use automation — and your team should too.

Inefficient and Manual Processes Are Slowing Down Your Team

Unfortunately, security analysts face more than just threats. Their day-to-day operations are plagued with numerous challenges. It’s not uncommon for security analysts to investigate and respond to a threat with inconsistent processes that include overly manual investigations that force them to correlate data across multiple, disjointed security tools. This leads to lost time, expensive mistakes and overall analyst burnout.

To level up the playing field against attackers, your security team must adopt security tools that harness the power of automation and seamlessly integrate with your ecosystem to enable them to work smarter and faster. By standardizing processes and automating repetitive tasks, your team will increase its productivity, efficiency and accuracy. Not only will they gain back valuable time to focus on higher-value operations, they will be able to respond to threats faster.

The Power of Automation Relies on Well-defined Security Processes

Getting started with security automation can be a daunting task because sometimes processes are not designed for automation. If the business logic is not defined correctly, automated processes can yield erroneous results that only become obvious when they are operational. To start your automation journey, you need to assess how it can streamline your current security operations — based on your organizational goals — by establishing priorities and identifying the repetitive and mundane tasks that hold back your team.

Once these are identified, you are ready to gradually implement automation. Start defining the process by documenting the steps the team must take, determining the information needed and where it resides, and identifying who in your organization has access to it. There are numerous security use cases that are prime candidates for automation given their recurrence and number of repetitive tasks involved, such as phishing, alert enrichments, endpoint incident response, threat hunting and more.

Selecting the right tool for the job will also give your team an advantage. Attacks are evolving fast, making use cases and security tools obsolete quicker, and you want to invest in security and IT tools that can integrate with a flexible security architecture. It can be a challenge for security teams to ensure that configurations of automation tools work with the many different point tools in use — and therefore, native automation capabilities are preferred. To successfully deploy automated workflows and orchestrate investigations and incident response, you need to evaluate tools for their ability to integrate with your current tools and also for their API ecosystem to ensure deep and standardized integrations as you expand into new use cases. 

Accelerate Investigation and Response with Native SOAR Capabilities

If you do a search for the ‘average number of security tools used by a SOC,” you’ll find data that shows companies can use 40, 50 and even as many as 60-70 security tools. Consolidating and integrating tools is a business imperative, reducing the complexity and simplifying the management of tasks and workflows. Consolidating tools not only helps reduce your budget, it allows your security analysts to conduct their day-to-day operations from a single console to reduce swivel-chair syndrome.

The CrowdStrike Falcon® platform offers native security orchestration automation and response (SOAR) capabilities through CrowdStrike Falcon® Fusion, which empowers your security team to build automated workflows to speed up threat investigation and response. Fully integrated with the CrowdStrike Falcon platform and its product modules, Falcon Fusion orchestrates workflows across the platform and with third-party tools such as ticketing systems that enhance collaboration and bridge the gap between security and IT. Your team will have access to high-quality security data, automated workflows, integrations and response actions, all from the unified Falcon platform.

Increase SOC Productivity and Reduce Analyst Burnout with Falcon Fusion

The ability to systematize your incident response plan into automated workflows gives your security analysts the power to increase consistency and accuracy as they resolve threats. The Falcon Fusion no-code interface results in workflow builds in just minutes – teams simply select the trigger, define conditions and configure the actions. It also enables you to orchestrate complex use cases with conditional branching and logic, and to schedule them to run continuously. For common security use cases, Falcon Fusion provides pre-built playbooks to give your security a head start automating your security operations processes, all from the same console that your team already uses. 

With over 61,000 unique workflow definitions, Falcon Fusion gives you limitless opportunities to automate your processes to make them more efficient. By integrating with Falcon Real Time Response, your analysts will be able to import customized scripts, created by them or from the library, to expand the actions that they can perform with their workflows for immediate remediation. And, due to its native integration across Falcon platform modules, Falcon Fusion extends the automation power of each module like CrowdStrike Falcon® Intelligence Recon for digital threat monitoring, CrowdStrike Falcon® Spotlight for automated vulnerability remediation and more.

Security automation is essential to defend your attack surface and give your security team a fighting chance against adversaries. By automating workflows such as investigating incidents faster, scaling vulnerability patching and containing hosts to stop lateral movement, Falcon Fusion will up-level your team to punch above their weight and reduce your mean time to respond (MTTR) to better protect your organization and keep adversaries at bay. 

Additional Resources

CrowdStrike’s View on the New U.S. Policy for Artificial Intelligence

✇CrowdStrike
By: Drew Bagley - Rob Sheldon
21 November 2023 at 20:37

The major news in technology policy circles is this month’s release of the long-anticipated Executive Order (E.O.) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. While E.O.s govern policy areas within the direct control of the U.S. government’s Executive Branch, they are important broadly because they inform industry best practices and can even potentially inform subsequent laws and regulations in the U.S. and abroad.

Accelerating developments in AI — particularly generative AI — over the past year or so has captured policymakers’ attention. And calls from high-profile industry figures to establish safeguards for artificial general intelligence (AGI) in particular has further heightened attention in Washington, D.C. In that context, the E.O. should be viewed as an early and significant step addressing AI policy rather than a final word.

Given CrowdStrike’s extensive experience with AI since the company’s founding in 2011, we want to highlight a few key topics that relate to innovation, public policy and cybersecurity.

The E.O. in Context

Like the technology it seeks to influence, the E.O. itself has many parameters. Its 13 sections cover a broad cross section of administrative and policy imperatives. These range from policing and biosecurity to consumer protection and the AI workforce. Appropriately, there’s significant attention to the nexus between AI and cybersecurity, which is covered at some length in Section 4.

Before diving into specific cybersecurity provisions, it is important to highlight a few observations on the document’s overall scope and approach. Fundamentally, the document strikes a reasonable balance between exercising caution regarding potential risks and enabling innovation, experimentation and adoption of potentially transformational technologies. In complex policy areas, some stakeholders will always disagree with how to achieve balance, but we’re encouraged by several attributes of the document.

First, in numerous areas of the E.O., agencies are designated as “owners” of specific next steps. This clarifies for stakeholders how to provide feedback and reduces the odds for gaps or duplicative efforts.

Second, the E.O. outlines several opportunities for stakeholder consultation and feedback. These will likely materialize through Request for Comment (RFC) opportunities issued by individual agencies. Further, there are several areas where the E.O. tasks existing — or establishes new — advisory panels to integrate structured stakeholder feedback on AI policy issues.

Third, the E.O. mandates a brisk progression for next steps. Many E.O.s require tasks to be finished in 30- or 60-day windows, which are difficult for agencies to meet at all, let alone in deliberate fashion. This document in many instances provides for 240-day deadlines, which should enable 30- and 60-day engagement periods through RFCs, as outlined above.

Finally, the E.O. states plainly that “as generative AI products become widely available and common in online platforms, agencies are discouraged from imposing broad general bans or blocks on agency use of generative AI.” This should help ensure that government agencies explore positive use cases for leveraging AI for their own mission areas. If history is any guide, it’s easy to imagine a scenario where a talented junior staffer at a given agency identifies a key way to leverage AI at some time next year, that no one could easily forecast this year. It would be unwise to foreclose that possibility, as innovation should be encouraged inside and outside of government.

AI and Cybersecurity Provisions

On cybersecurity specifically, the E.O. touches on a number of key areas. It’s good to see specific callouts to agencies like the National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA) and Office of the National Cyber Director (ONCD) that have significant applied cyber expertise.

One section of the E.O. attempts to reduce risks of synthetic content — that is, generative audio, imagery and text. It’s clear the measures cited here are exploratory in nature rather than rigidly prescriptive. As a community, we’ll need to innovate solutions to this problem set. And with U.S. elections around the corner, we hope to see rapid advancements in this space.

In many instances, the E.O.’s authors paid close attention to enumerating AI policy through established mechanisms, some of which are closely related to ongoing cybersecurity efforts. This includes the direction to align with the AI Risk Management Framework (NIST AI 100-1) and the Secure Software Development Framework. This will reduce risks associated with establishing new processes, while enabling more coherent frameworks for areas where there are only subtle distinctions or boundaries between, for example, software, security and AI.

The document also attempts to leverage sector risk management agencies (SRMAs) to drive better preparedness within critical infrastructure sectors. Specifically, it mandates:

Within 90 days of the date of this order, and at least annually thereafter … relevant SRMAs, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security for consideration of cross-sector risks, shall evaluate and provide to the Secretary of Homeland Security an assessment of potential risks related to the use of AI in critical infrastructure sectors involved, including ways in which deploying AI may make critical infrastructure systems more vulnerable to critical failures, physical attacks, and cyber attacks, and shall consider ways to mitigate these vulnerabilities.

This is important, but we also encourage these working groups to consider benefits along with risks. There are many areas where AI can drive better protection of critical assets. When done correctly, AI can rapidly surface hidden threats, accelerate the decision making of less experienced security analysts and simplify a multitude of complex tasks.

At CrowdStrike, AI has been fundamental to our approach from the beginning and has been built natively into the CrowdStrike Falcon® platform. Beyond replacing legacy AV, our platform uses analytics to help prioritize critical vulnerabilities that introduce risk and employs the power of AI to generate and validate new indicators of attack (IOAs). With Charlotte AI, CrowdStrike is harnessing the power of generative AI to make customers faster at detecting and responding to incidents, more productive by automating manual tasks, and more valuable by learning new skills with ease. This type of AI-fueled innovation is fundamental to keep pace with ever-evolving adversaries incorporating AI into their own tactics, techniques and procedures.

In Summary

This E.O. represents a key step in the evolution of U.S. AI policy. It’s also particularly timely. As we described in our recent testimony to the House Judiciary Committee, AI is key to driving better cybersecurity outcomes and is also of increasing interest to cyber threat actors. As a community, we’ll need to continue to work together to ensure defenders realize the leverage AI can provide, while mitigating whatever harms might come from threat actors’ abuse of AI systems.

This article was first published in SC Magazine: The Biden EO on AI: A stepping stone to the cybersecurity benefits of AI

Additional Resources

CrowdStrike Demonstrates Cloud Security Leadership at AWS re:Invent 2023

✇CrowdStrike
By: Brett Shaw
30 November 2023 at 17:13

CrowdStrike is honored to be named Partner of the Year for several 2023 Geo and Global AWS Partner Awards at Amazon Web Services re:Invent 2023, where we are participating this year as a Diamond Sponsor.

We are also proud to be a launch partner for AWS Built-in and achieve two AWS competencies. These accomplishments demonstrate our forward-thinking approach to cloud security and commitment to ensuring CrowdStrike customers have the strongest possible protection as the cloud threat landscape continues to evolve.

Let’s get into this week’s announcements.

CrowdStrike Wins Multiple AWS Partner Awards

CrowdStrike was recognized during AWS re:Invent as a global leader with a key role in helping customers drive innovation and build solutions on AWS. This year, CrowdStrike was selected as the winner of the following AWS Partner Awards:

  • Public Sector Partner of the Year: Recognizes CrowdStrike as the top AWS Public Sector Partner with cloud-based solutions and experience supporting government, space, education and nonprofit organizations around the world.
  • State or Local Government Partner of the Year: Recognizes CrowdStrike as the top AWS Partner with the Government Competency, delivering innovative mission-based wins for state and/or local governments.
  • Non-Profit Organization Partner of the Year: Recognizes CrowdStrike as the top AWS Partner that has delivered innovative mission-based wins for non-profits.

CrowdStrike: An AWS Built-in Launch Partner with Built-In Competency

Businesses are constantly seeking ways to fortify their cloud environments to defend against adversaries increasingly targeting the cloud. They must select the right technologies to protect their cloud-based systems and workloads and deploy these solutions in a seamless, efficient and scalable manner. 

During AWS re:invent 2023, AWS officially launched its AWS Built-in Competency partner program. The goal of this initiative is to accelerate customer success by promoting AWS Independent Software Vendor (ISV) partners delivering cloud security and operational services that integrate closely with AWS native services. 

CrowdStrike achieved the AWS Built-in Competency in the security category by automating cloud security deployment and leveraging the event-driven architecture of cloud services. For example, when new workloads are provisioned — such as the launch of new Amazon EC2 instances or creation of new AWS accounts — that event can be used to trigger specific security actions. These may include automatically deploying the CrowdStrike Falcon® sensor on Amazon EC2 for CrowdStrike Falcon® Cloud Security runtime protection, or registering new accounts for Falcon Cloud Security agentless posture scanning and behavioral analysis.

Falcon Cloud Security provides complete visibility into cloud assets and uncovers risks related to misconfigurations, software package vulnerabilities, hard-coded secrets, malware, insecure identities and more. Combining agent-based and agentless detection in a unified platform empowers Falcon Cloud Security to proactively identify, prioritize and remove critical issues in cloud environments.

The integration between Falcon Cloud Security and AWS Built-In will: 

  • Automate security deployment: Falcon Cloud Security combines several key capabilities that work together to deliver unified cloud security. These include:
  • Cloud security posture management (CSPM): Falcon Cloud Security scans AWS services to uncover misconfigurations that adversaries could use to start or extend an attack, while ingesting AWS service API telemetry to hunt for anomalous activity that may indicate an attack. 
  • Cloud workload protection (CWP): Agent-based CWP provides deep insight and AI-driven adaptive protection for workloads including Amazon EC2 instances and containerized applications.
  • Pre-runtime protection: Pre-runtime container image scanning and infrastructure-as-code (IaC) scanning identify vulnerable packages and high-risk configurations before they are implemented in production. 

Individually, each of these components could require a different deployment mechanism that may delay time-to-value, especially when protecting multiple accounts across multiple regions. CrowdStrike’s built-in solution combines these capabilities in a simple and configurable CloudFormation template. It works with AWS Control Tower to establish a secure multi-account landing zone and can independently and automatically deploy individual components in response to events in the environment, such as the creation of new Amazon EC2 instances or deployment of new accounts in an AWS Control Tower or AWS Organizations landing zone. 

Accelerate the customer’s time-to-value: The need for effective, reliable and quick integration of security tools is paramount. By streamlining the integration process, CrowdStrike empowers customers to fully harness the benefits of foundational AWS-native services while achieving complete cloud security. Our objective is to deliver a unified customer experience by eliminating the complexities of combining disparate software and data sources.

Enhance reliability and efficiency: As businesses look to migrate and expand their operations on AWS, they need a security solution that can deploy at the speed of cloud. With AWS Built-in, customers can seamlessly deploy Falcon Cloud Security and consolidate disjointed point products with the most unified cloud-native application protection platform (CNAPP), built on a combined agent-based and agentless approach for complete visibility and protection.

CrowdStrike Achieves AWS Container Competency

The AWS Container Competency recognizes ISV partners offering software designed to operate seamlessly and cost-effectively in container environments. Container clusters such as Amazon Elastic Kubernetes Service (EKS) may host hundreds, thousands or even tens of thousands of ephemeral containers in a single cluster. They rely on IaC to define automated actions that occur throughout the container and cluster lifecycle. 

Our achievement of the AWS Container Competency marks a significant milestone in our partnership with AWS. This underscores our deep and proven expertise in managing container-based applications, a critical aspect of modern cloud environments. By attaining this competency, CrowdStrike not only demonstrates its commitment to providing robust security solutions for containerized applications but also aligns closely with AWS’ high standards for performance and security.

Falcon Cloud Security’s container environment protection uses Kubernetes-native packaging and deployment features such as Operators and Helm charts to provision cluster resources such as access roles, configuration files and self-healing pod replicas. The Kubernetes Admission Controller feature discovers new cluster objects as they’re created, inspects them for risks and vulnerabilities, and enables the creation of granular policies to block, alert or log specific cluster operations. Falcon Cloud Security is designed to protect a wide range of container environments including CSP-managed and self-managed Kubernetes, Amazon Elastic Container Service (Amazon ECS), Red Hat OpenShift on AWS (ROSA) and individual Docker hosts.

CrowdStrike’s dual achievement of the AWS Built-in Competency and Container Competency is a clear testament to our forward-thinking approach in cloud security. By aligning with AWS’s high standards, we’re both reinforcing our commitment to providing advanced security solutions and ensuring these solutions are seamlessly integrated with AWS’ leading cloud services. This synergy is pivotal in today’s landscape, where the sophistication of cyber threats targeting cloud environments continues to evolve. 

Curious about Falcon Cloud Security? Explore our free, no-obligation Cloud Security Risk Review for instant and complete visibility into your entire cloud estate, provided through agentless scanning. It deploys in minutes with zero impact to your business.

Additional Resources

4 Major Falcon LogScale Next-Gen SIEM Updates That Accelerate Time-to-Insights

✇CrowdStrike
By: Kasey Cross
18 January 2024 at 18:17

To unlock the speed and scalability of CrowdStrike Falcon® LogScale next-gen SIEM, you must first bring your data into the powerful, cloud-native solution. And with log sources multiplying and data volumes skyrocketing, you need an easy way to collect, parse and enrich your data.

Data onboarding can be complex and time-consuming in traditional SIEM tools. Data engineering teams must contend with countless evolving log sources, formats and ingestion methods. Painful setup processes can overwhelm even the most experienced teams and lead to deployment delays, cost overruns and employee burnout.

We’ve recently introduced an array of advancements for Falcon LogScale to help you ease setup, avoid headaches and power faster security insights. Here are the most notable new features.

1. Get Started Faster with New Marketplace Packages

The Falcon LogScale Marketplace lets you fast-track the setup of next-gen SIEM with turnkey packages that include prebuilt parsers, dashboards, alerts, actions and saved queries. Installed in just a few clicks from the Falcon LogScale user interface, packages in the Falcon LogScale Marketplace make it easier than ever to unlock the potential of your entire security ecosystem.

In the last three months, we have launched over 30 new Falcon LogScale packages to help you use new data sources faster. These packages include parsers that normalize data to a common schema based on an OpenTelemetry standard. The schema allows analysts to search data without knowing the specifics of the data format, and hunt across data sources with ease. 

With this rapid release of new Falcon LogScale packages, our vision of delivering a comprehensive marketplace for next-gen SIEM is becoming reality. We plan to publish even more ready-to-use content this year to help ease adoption, scale your SIEM deployments and relieve overburdened staff.

2. Simplify Data Onboarding with CrowdStream

CrowdStream, a native capability of the CrowdStrike Falcon® XDR platform, transforms how you onboard and manage your log data by directly connecting any data source to Falcon LogScale. Sitting between data sources and their destination, CrowdStream provides an elegant and cost-effective way to route data to Falcon LogScale to accelerate the adoption of next-gen SIEM while minimizing the complexity and cost of connecting data sources.

CrowdStream not only accelerates the adoption of Falcon LogScale, it gives you visibility and control over your data. You can granularly mask or truncate sensitive data for compliance purposes. In addition, CrowdStream can enrich data with threat intelligence or geolocation information, and optionally remove extraneous fields, null values and duplicate events.

Leveraging Cribl’s observability pipeline technology, CrowdStream offers out-of-the-box integrations to collect data from a broad set of applications and devices. It can also normalize data into a consistent format before it’s routed to Falcon LogScale, making data immediately actionable for threat hunting and investigations. With CrowdStream, Falcon LogScale provides end-to-end data pipelining and event management to address a broad set of security and compliance use cases with ease.

CrowdStream is available now. Falcon LogScale customers with cloud-native deployments receive 10GB/day of data streaming at no additional cost. Unlimited data streaming is available with the purchase of an additional CrowdStream subscription beginning in February 2024.

3. Easily Extend Detection and Response to Cloud Assets with Amazon S3 Integration

More than 80% of breaches involve data stored in the cloud. As adversaries shift their focus to the cloud, you must expand your realm of visibility and control to your cloud environment.

A perfect place to start is with Amazon Web Services (AWS) data. If your organization is like countless others, you use Amazon S3 object storage to retain your cloud data. You probably store cloud logs, such as AWS CloudTrail, Amazon CloudWatch and VPC Flow Logs, in Amazon S3 buckets. Because many cloud-delivered applications and services can write logs to S3 buckets, you can forward security-relevant logs from a variety of sources to S3 storage and then pull this data into your security and observability tools.

A new Amazon S3 log ingestion feature in Falcon LogScale lets you automatically retrieve logs from S3 buckets for analysis and visualization. Flexible configuration options let you select compression, preprocessing and parser of your choice depending on the format of your data. These step-by-step instructions explain how to set up this powerful new feature in Falcon LogScale and start hunting for cloud threats at blazing-fast speed.

4. Remotely Manage and Monitor a Massive Fleet of Falcon LogScale Collectors

The Falcon LogScale Collector provides a robust, reliable way to forward logs from Linux, Windows and macOS hosts to Falcon LogScale. Gathering data from a variety of sources, including files, command sources, syslog and Windows events, the Falcon LogScale Collector swiftly sends events with sub-second latency between when a line is written on the host and when it is forwarded to Falcon LogScale.

We’ve introduced a number of enhancements that raise the bar for Falcon LogScale Collector management. For example, a new fleet management feature lets you manage Falcon LogScale Collector instances from the Falcon LogScale management interface. The Falcon LogScale Collector also now gathers CPU, memory and disk usage metrics, allowing administrators to identify and troubleshoot issues. Recent optimizations increase agent performance and resilience, and de-duplicate redundant log data.

Experience Next-Gen SIEM 

As the future of log management and next-gen SIEM, Falcon LogScale lets you collect up to 1 petabyte of data per day and query data up to 150x faster than legacy SIEMs. Between the new Marketplace packages, flexible CrowdStream observability pipeline, Amazon S3 ingestion and Falcon LogScale Collector advancements, we’ve taken Falcon LogScale to the next level, enabling you to spend more time stopping threats and less time onboarding data.

We’ve also added in-product tutorials and filter alerts, and elevated the user experience with dashboard widgets, PDF reporting and table drill-down options. For a complete list of features, see the Falcon LogScale release notes.

Our ultimate goal is to offer the world’s most effortless, automated data onboarding across all data sources, and we’re investing inordinate resources to achieve it. The innovations announced in this post are just the beginning.

Additional Resources

Beyond Compliance: Secure Your Business in the Cloud with Falcon Cloud Security

✇CrowdStrike
By: Yang Liang
25 January 2024 at 21:58

Cloud infrastructure is subject to a wide variety of international, federal, state and local security regulations. Organizations must comply with these regulations or face the consequences. 

Due to the dynamic nature of cloud environments, maintaining consistent compliance for regulatory standards such as CIS, NIST, PCI DSS and SOC 2 benchmarks can be difficult, especially for highly regulated industries running hybrid or multi-cloud infrastructures. Challenges vary by industry but often include cloud complexity, data residency, time-consuming audits and keeping up with new regulations. 

Read: “What is Cloud Compliance? A Starter Guide for Security Professionals”

Many organizations are uncertain about their cloud compliance obligations — and who is responsible for them. Cloud security tools such as cloud security posture management (CSPM) and cloud workload protection (CWP) can help organizations meet compliance benchmarks while providing advanced protection against cyberattacks. 

Monitoring your cloud deployments against compliance frameworks provides a base level of controls and best practices. However, these deployments must also be layered with advanced protection. With cloud breaches rampant, this advanced protection is critical, as adversaries continue to evolve their techniques faster than compliance regulations can be updated. 

CrowdStrike Falcon® Cloud Security covers the four major security compliance frameworks, including MITRE ATT&CK®, CIS, NIS and ISO, as well as industry-specific requirements, including GDPR and PCI-DSS for financial services and payments, FedRAMP and FISMA for government, and HIPAA and HITECH for healthcare. 

With Falcon Cloud Security, you can identify risks and security gaps, address misconfigurations and vulnerabilities, and enforce gold-standard policies to meet industry regulations while securing your business in the cloud. 

Here’s the story of how one organization did just that. 

Going Beyond Compliance: Commercial Bank of California

As a bank built for the speed and scale of modern business, Commercial Bank of California (CBC) runs a number of web applications and APIs hosted in AWS and Microsoft Azure. In addition to adhering to federal and state regulations, PCI security standards and NACHA, CBC implements CIS benchmarks to harden its cloud environments. 

Before adopting Falcon Cloud Security, CBC had to manually identify gaps and track remediation. With CrowdStrike, the bank can automatically detect misconfigurations in near real-time and filter them by MITRE ATT&CK and compliance guidelines. Falcon Cloud Security also sorts by severity rating, allowing CBC to prioritize remediation based on risks. 

“We care about our clients’ data and the funds they entrust us to hold. We needed a solution that could both monitor and harden our multi-cloud environment so we can avoid any data loss or potential compromise,” said Kevin Tsuei, SVP Information Security Officer at CBC. “Falcon Cloud Security has been a time-saving resource for us and a valuable tool to enhance our security posture.”

CBC learned it could easily deploy Falcon Cloud Security to protect its cloud environments using the same lightweight CrowdStrike Falcon® sensor it uses to protect its endpoints and other attack surfaces. With Falcon Cloud Security, CBC can go beyond compliance to secure its business in the cloud.

“Falcon Cloud Security helped us harden our cloud environments. We can now quickly identify and fix cloud misconfigurations, secure our containers and protect our Linux servers in both AWS and Azure,” said Tsuei. “With CrowdStrike, we can remediate any cloud intrusion in less than 16 minutes, which puts our minds at ease.”


Making Cloud Compliance Easier

Cloud compliance starts with a robust, well-defined security posture that provides visibility and control with a granular view of infrastructure and workflow traffic. While all cloud security solutions help with compliance to some degree, CrowdStrike delivers comprehensive cloud detection and response, enabling a robust security posture and compliance specific to different industries and regulations. 

CrowdStrike can help you attain compliance for your cloud environment so you can focus on innovating your business. Falcon Cloud Security offers:

  • Unified compliance visibility. Use the compliance dashboard, framework details and drill-down capabilities for simple and consistent compliance auditing and reporting.
  • Compliance management. Enforce compliance of industry regulations and security benchmarks with automated compliance features and customized policies.
  • Simplified reporting. View and export results of assessments mapped to a benchmark or framework requirement. You can also export scheduled or on-demand reports of your compliance posture and non-compliant assets.
  • Remediation. Get remediation steps, alert logic and MITRE ATT&CK information for each policy. Links to related compliance information are available for quick reference throughout the user interface.

The Falcon Cloud Security compliance dashboard makes cloud compliance easier (click to enlarge)

CrowdStrike achieved 100% protection, 100% visibility and 100% analytic detection coverage in the MITRE Engenuity ATT&CK® Evaluations: Enterprise Round 5. Our cloud-native application protection platform (CNAPP) capabilities offer both pre-runtime container image scanning and runtime protection — providing complete protection against cloud breaches.

Watch this short video to see how Falcon Cloud Security makes it easier for organizations to enforce cloud compliance:

Delivered from the AI-native CrowdStrike Falcon Platform

A strong cloud security solution helps you enforce compliance throughout your security operations, while also providing a unified approach to threat prevention, visibility and security posture management to stop breaches.

While some cloud security vendors offer pieces of security, compliance and governance of policies, CrowdStrike goes above and beyond to offer unified security and compliance across the entire infrastructure, from on-premises to the cloud, in a single console and single interface as part of the AI-native CrowdStrike Falcon platform.

The result is an industry-leading cloud security solution that allows organizations to enforce cloud compliance while delivering the strongest protection against breaches.

Additional Resources

CrowdStrike Named a Leader in Forrester Wave for Cloud Workload Security

✇CrowdStrike
By: Raj Rajamani
30 January 2024 at 14:38

Today, we’re proud to announce that Forrester has named CrowdStrike a Leader in The Forrester Wave™: Cloud Workload Security, Q1 2024, stating “CrowdStrike shines in agentless CWP [cloud workload protection] and container runtime protection.”

Forrester identified the 13 most significant vendors in cloud workload security and researched, analyzed and scored them based on the strengths of their current offering, strategy and market presence. Highlights include: 

  • CrowdStrike was positioned as a Leader, with the highest placement of all 13 vendors in the Strategy category, as well as the highest score possible in 10 criteria, including  vision, innovation, partner ecosystem, adoption, and pricing flexibility and transparency. 
  • In the Current Offering category, CrowdStrike received the highest score possible in the criteria of agentless cloud workload protection, container runtime protection, IaC scanning, and detection and response — showcasing, in our opinion, our industry-leading protection from cloud breaches.
  • CrowdStrike received the highest score possible in the Number of Customers criterion, highlighting for us how customers around the world are racing to standardize on the CrowdStrike Falcon® platform for cloud security.

Last year, we added one-click XDR, agentless snapshot scanning for OS vulnerabilities and complete cloud attack path visualization, among countless other industry-leading capabilities to our cloud security technology to help customers simplify security operations and harden their cloud environments. 

And with our acquisition of Bionic, the pioneer of application security posture management (ASPM), CrowdStrike is the first cloud security vendor to natively secure customers in the cloud by providing complete visibility across cloud and app-level risks, delivering the industry’s most complete platform for cloud security, from code to cloud.

Forrester Ranks CrowdStrike a Leader and Highest in Strategy

Forrester gave CrowdStrike the highest score in the Strategy category, which we believe demonstrates how CrowdStrike is building on its strengths to deliver both the present and future of cloud security from the AI-native CrowdStrike Falcon XDR platform. 

Forrester recognizes the range of CrowdStrike’s cloud security capabilities in its report:

“CrowdStrike offers strong agent-based CWP for Linux and Windows and robust container runtime protection. IaC scanning is versatile and effective. Cloud detection and response capabilities are also ahead of the competition.”

To protect against the cloud threats of tomorrow, cloud security must evolve faster than the adversary. We pioneered cloud-native cybersecurity and continue to deliver the innovation needed to extend industry-leading protection across every area of the attack surface. 

“From its agent-based behavioral malware detection roots, CrowdStrike has been expanding on its AI/ML rails into CSPM and IaC scanning. CrowdStrike shows a convincing CWS vision, and its innovation potential as indicated by technical employee staffing is ahead of the competition,” according to Forrester’s report.

ASPM is one area we’re particularly excited about. With Bionic, we will extend the Falcon platform’s unique agent-based and agentless protection of cloud infrastructure with unprecedented visibility into application behavior and vulnerability prioritization for both server-based and serverless infrastructure, without disrupting the development process.

CrowdStrike doesn’t stop at industry-leading technology. We’re the only cloud security vendor with a full range of cloud threat detection and response services including incident response, threat hunting, assessment and 24/7 MDR services for your entire cloud estate.

Cloud Security for Every Organization

CrowdStrike scored a perfect 5/5 in the Number of Customers criterion in this Forrester Wave. Organizations are flocking to CrowdStrike Falcon® Cloud Security for several reasons. 

CrowdStrike’s mission is to stop breaches. To support that mission, we’re delivering a unified cybersecurity platform from endpoint to cloud with both agent-based and agentless support for cloud security. With pre-runtime and runtime protection, and agentless technology, we’re meeting customers wherever they are on their cloud security journey.

In addition, we’ve engineered CrowdStrike Falcon Cloud Security to make security operations easier. We help reduce alert fatigue by correlating cloud risks to apps and services, allowing teams to focus on the vulnerabilities with the most business risk. We also integrate the industry’s best threat intelligence into Falcon Cloud Security to continuously reduce the attack surface and speed up mean time-to-response with auto-remediation and other automations.

Finally, CrowdStrike is a platform cybersecurity company. Our platform provides comprehensive visibility across on-prem and cloud assets, including apps, data and user identity. Every module on the AI-native Falcon platform, including Falcon Cloud Security, is deployed using the same lightweight agent, a strategy that helps customers consolidate point products, eliminate security gaps and reduce operational overhead, while easily adding new protections as threats evolve.

Forrester interviewed a number of CrowdStrike customers for its report, which states: “Reference customers said that the CWP agent is easy to install.” 

This Forrester Wave for Cloud Workload Security is a trustworthy report to help tech buyers choose the right cloud security vendors. With this recognition, we’re poised to help more organizations replace immature cloud security point products and continue building one of the largest and fastest growing cloud security businesses in the industry.

Additional Resources

Falcon Fund in Focus: Aembit Strengthens Security for Workload-to-Workload Access

✇CrowdStrike
By: Gur Talpaz - Aparna Sharma
30 January 2024 at 20:11

The rise of distributed cloud services and the omnipresence of APIs has caused cloud-native application architecture to become highly fragmented. Enforcing secure access is a critical step in strengthening security as IT environments become more complex — but for many organizations, ensuring secure access across this evolving architecture is a constant challenge. 

Existing secure access solutions often fail to scale within customer environments as they largely focus on managing secrets, which becomes more time-consuming and error-prone in modern environments. Employing these legacy solutions can hinder an organization’s ability to scale and secure their cloud-native applications. 

Securing access to company assets is a modern security requirement and must span human and non-human identities. Like users, workloads have distinct identities and evolving security postures. Machine identities are growing exponentially, with workload identities outnumbering human identities 10:1 — a staggering ratio that doubled from 2021 to 2023. The challenges of securing these resources, and the significant losses organizations face, have created a need for a revolutionary approach to securing workload access. 

Falcon Fund partner Aembit, a workload identity and access management (IAM) platform provider, has announced a new integration with the AI-native CrowdStrike Falcon platform to empower businesses to manage and enforce conditional access policies based on the real-time security posture of their applications and services.

Aembit’s dynamic platform seamlessly identifies and authenticates workloads, authorizes access based on policies including security posture, and logs all accesses and access attempts for auditing and analytics. Aembit Workload IAM is designed to work across clouds, on-premises environments, SaaS services and third-party APIs. 

The platform drives productivity by allowing developers to take a no-code approach to authentication. It provides centralized control and visibility, and replaces outdated secrets manager solutions, shifting the paradigm to managing access — not secrets. The partnership between CrowdStrike and Aembit demonstrates a significant step forward in Aembit’s mission to help organizations make workload-to-workload access more secure and manageable. 

CrowdStrike is excited to build on its strategic investment in Aembit through CrowdStrike Falcon Fund. A key piece of this investment is a multi-faceted partnership between CrowdStrike and Aembit to ensure conditional access policies for secure workload access. Through the initial integration, customers can enforce Zero Trust for workloads with thorough and accurate assessments of workload security posture, policies that grant access based on workload identities, and conditional access dependent on workload health.

How the Integration Works

The Aembit Workload IAM solution checks to see if a CrowdStrike Falcon agent is running on the workload. It leverages CrowdStrike’s workload posture assessment, along with workload identity attestation, to evaluate the workload’s real-time security posture and determine whether workloads should be granted access to applications and data. This process ensures that access originates from a trusted workload. 

With this approach, enterprises can protect their workloads from unauthorized access, even against the backdrop of changing conditions and dynamic access requirements. Additional benefits from this partnership include:

  • Managed workload-to-workload access: Enforce and manage workload access to other applications, SaaS services and third-party APIs based on policies set by the security team, lowering risk.
  • Ease of deployment: Seamlessly integrate the Aembit Workload IAM platform with the Falcon platform in just a few clicks, creating a unified experience for managing workload identities while understanding workload security posture.
  • Zero Trust security model: Adopt a Zero Trust approach, which ensures every access request is verified before access rights are granted. Aembit’s solution enforces the principle of least privilege based on identity, policy and workload security posture. 
  • Visibility and monitoring: Gain in-depth visibility into workload identities and access permissions to drive faster threat detection and response. Monitor and audit access logs based on identity for comprehensive security oversight. 

Please visit the Aembit integration page in the CrowdStrike Marketplace to learn more and request the integration today.

Additional Resources

  • Learn more about Falcon Fund and CrowdStrike’s partnership with innovative companies.
  • See how CrowdStrike gives you comprehensive protection across your organization through our 15-day free trial.
  • Visit the CrowdStrike Marketplace to explore additional partner integrations.

Data Protection Day 2024: As Technology and Threats Evolve, Data Protection Is Paramount

✇CrowdStrike
By: Drew Bagley
31 January 2024 at 20:13

Today’s cybersecurity landscape poses one of the most significant risks to data. This holds true for organizations of all sizes, across all industries, tasked with protecting their most essential data amid an increasingly regulated environment and faster, more innovative adversaries.

Recent years have introduced a steady drumbeat of new data privacy regulations. There are now 14 U.S. states that have passed privacy laws. In July 2023, the Securities and Exchange Commission (SEC) adopted new rules requiring organizations to disclose material cybersecurity incidents, as well as information regarding their risk management, strategy and governance. On a global level, dozens of countries have updated their guidance on data privacy.  

Organizations must now comply with an “alphabet soup” of data protection requirements including GDPR, CCPA, APPI, PDPA and LGPD. Some of these are evolving to incentivize the adoption of stronger security practices. Newly updated regulations in Brazil, for example, give breached organizations a fine reduction of up to 75% if they have state-of-the-art protection in place at the time of a cyberattack. 

The list is growing: In 2024, many organizations will face new requirements stemming from the SEC’s new rules and state privacy laws, including amendments to the CCPA, industry-specific mandates, and those imposed on critical infrastructure by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). These developments include new incident reporting obligations and requirements to implement certain security technologies, as well as demonstrate compliance through cybersecurity audits, risk assessments, public disclosures and other measures. 

These myriad legal requirements broadly raise the bar for “reasonable” security. However, adversaries typically move faster than data protection mandates can keep up. Organizations must pay close attention to how adversaries are evolving their techniques and determine whether they’re prepared to defend their data against modern threats.

Data Extortion and the Defender’s Dilemma 

The emergence of new regulations has been a game-changer for adversaries and defenders alike. Protecting against data breaches has only grown more challenging as threat actors evolve their tradecraft and quickly learn the pressure these regulations put on breached organizations.

Today’s adversaries are working smarter, not harder. This is clear in the growth of data extortion, which has emerged in recent years as an easier, less risky means for adversaries to profit. Threat actors are shifting away from noisy ransomware campaigns, which typically trigger alarm bells in security tools — instead, they are quietly stealing victims’ data and then threatening to leak it if their financial demands aren’t met. 

The rise in data extortion has corresponded with adversaries increasingly targeting identities, a critical threat vector organizations must consider as they build their data protection plans.  Rather than relying on malware-laced phishing emails to breach target organizations, they can use a set of compromised credentials to simply log in. A growing number of access broker advertisements enables the sale of credentials, vulnerability exploits and other forms of illicit access: Last year, CrowdStrike reported a 147% increase in access broker ads on the dark web. Adversaries can now more stealthily infiltrate organizations, take valuable data and demand their price, putting victims in a tough position.

Data protection regulations change the calculus for organizations hit with data extortion — and adversaries know it. When threat actors steal information and tell their victims they’re in violation of HIPAA, GDPR, CCPA or other regulations, the stakes are higher. They know exactly how much an extortion attack will cost a business once it’s disclosed to regulators, and they can use this to coerce organizations into paying them instead. This may be a false choice, as many disclosure requirements apply regardless, but the coercion is real.

There are other ways adversaries use regulation consciousness to their advantage. In one 2023 case, a ransomware gang filed an SEC whistleblower complaint directed at one of its victims. The complaint, filed before the new SEC rules actually went into effect, attempted to claim that the victim was in violation of its duty to disclose a material cyber incident. 

Organizations must be incentivized to protect their data from modern threats. They should not feel stuck between the fear of reporting a breach and the pressure to meet adversaries’ ransom demands. With the right safeguards in place, businesses can protect their data from adversaries’ evolving attempts to access it. This is where CrowdStrike comes in. 

How CrowdStrike Can Help 

As we recognize Data Protection Day 2024, it is essential we consider what data protection involves and how critical cybersecurity is — not only for compliance, but for protecting privacy. Organizations must adopt best practices to protect their data in addition to achieving compliance requirements. 

Visibility is essential to maintain regulatory compliance and protect sensitive data from today’s adversaries. If you don’t have visibility into your data flows, your credentials or the sensitive data your organization holds, how can you know whether that data is at risk? 

An organization’s data is among its most valuable assets — and adversaries are after it. Protecting that data should be a top priority. CrowdStrike Falcon® Data Protection provides deep, real-time visibility into what’s happening with your sensitive data as it flows across endpoints, cloud, web browsers and SaaS applications. As the modern approach to data protection, our technology ensures compliance with minimal configuration and provides comprehensive protection against modern threats. 

It is more important than ever for organizations to understand data protection and data security are interdependent and cannot be considered in isolation. Both are critical in protecting privacy. Moreover, if personal data is stolen in a cyberattack, those affected can claim damages — but certain jurisdictions provide fine and liability mitigations where the breached organization can prove its cybersecurity protections were reasonable and state-of-the-art.

In this threat landscape and regulatory environment, Data Protection Day provides an opportunity for privacy and security teams to align on modern threats to privacy, risks of non-compliance and the best technical and organizational means to protect data.

Additional Resources

Architecture Drift: What It Is and How It Leads to Breaches

✇CrowdStrike
By: Jacob Garrison
2 February 2024 at 17:21

Cybercriminals work around the clock to discover new tactics to breach systems. Each time a digital ecosystem changes, it can introduce a weakness for a threat actor to quickly discover and exploit. As technological innovation progresses rapidly, and organizations expand their infrastructure, this weakness may take shape in the form of architecture drift. 

Today, we explore the concept of architecture drift: what it is, why it matters and how application security posture management (ASPM) can help.

Why Architecture Drift Is a Problem for DevSecOps

The rise of continuous integration and continuous delivery (CI/CD) and infrastructure-as-code (IaC) means apps, clusters and environments are constantly changing across organizations. Architecture drift occurs when an app, microservice or infrastructure “drifts” out of its intended configuration or approved operating boundaries.

Drift is difficult to detect and it introduces risk, which often isn’t seen or managed until something serious happens, such as an outage, incident or breach. It can happen in a variety of places, including:

  • Infrastructure
  • Network
  • Container orchestration
  • Application runtime
  • Business logic
  • Data flow

Architecture drift may affect infrastructure, for example, when IaC scripts such as Terraform or CloudFormation get out of sync with what’s running in the environments. For example, a development team might use a CloudFormation script to provision a new environment that declares all EC2 instances should be “t2.small.” Meanwhile, an engineer decides to manually add a “c4.large” instance to the same environment. Because C4 compute instances cost significantly more than T2 instances, this change will increase the company’s cloud bill and possibly create problems with reliability and performance.

Business Logic and Data Flows Can Drift Too

Continuous development means code, business logic, data flows and application architecture can change hourly in your environments. Depending on the level of automation and guardrails in your CI/CD pipelines, engineers might deploy code changes on demand or be required to follow a review process should a change be significant. These code changes can cause assets to drift, potentially interacting with one another and creating new risks.

A single code change can introduce new:

  • Services
  • APIs
  • Dependencies
  • Libraries
  • Third-party service calls
  • Datastore or database connections
  • Data flows
  • Risks you might not have considered or thought about

Even tiny changes can have a big impact. For example, several years ago, a small code change resulted in a personally identifiable information (PII) exposure at an enterprise. The risk made its way into production because the engineer who committed the code change didn’t know their code touched PII and stated this in their change request questionnaire. As a result, they caused code to drift and interfere with data it shouldn’t have been near, unintentionally exposing the sensitive data.

We detect and observe drift frequently among customers of Bionic, a CrowdStrike company. More often than not, that drift is related to business logic, architecture and data flows. You can’t eliminate all risks in applications or the business, but you can start to go beyond what you know and think differently about what could impact your business.

Applications are complex beasts to tame, encompassing hundreds or thousands of components and dependencies. Every code change introduces potential risk. The question is: Do you see these risks and know their potential impact?

How to Detect Architecture Drift

With application security posture management, you can detect and manage application drift in real time. ASPM allows teams to quickly baseline and lock in their application architectures, so they have drift policies that can notify them in real time, should an architecture change. For example, ASPM can detect things like new services, APIs, new libraries, ports, connections, dependencies or even data flows that an application might start to exhibit following CI/CD deployments or code changes.

ASPM flags these drifts and provides full business and application context so your teams can prioritize the cruciality of critical services or data flows that are impacted. They can also visualize where each drift is occurring so teams see the full picture and catch drift before it causes a problem.

ASPM at CrowdStrike

CrowdStrike acquired Bionic in September 2023 to bring market-leading application security to CrowdStrike’s leading cloud-native application protection platform (CNAPP). With ASPM, CrowdStrike delivers comprehensive risk visibility and protection across the entire cloud estate, from cloud infrastructure to the applications and services running inside of them.

Stay tuned for more educational blogs on this important topic! 

Additional Resources

CrowdStrike Defends Against Azure Cross-Tenant Synchronization Attacks

✇CrowdStrike
By: Manoj Ahuje - Matt Johnston
5 February 2024 at 21:52
  • Azure cross-tenant synchronization (CTS) was made generally available on May 30, 2023, and introduced a new attack surface on Microsoft Entra ID (formerly Azure Active Directory) where attackers can move laterally to a partner tenant or create a backdoor on an existing tenant.
  • CrowdStrike showcases two observed attack paths to outline how adversaries can abuse CTS
  • CrowdStrike Falcon® Cloud Security protects against cloud-aware hacktivists, eCrime adversaries and nation-state actors that might use these techniques to compromise your organization.

As Microsoft Azure continues to gain market share in the cloud infrastructure space, it has garnered attention from adversaries ranging from hacktivist and eCrime threat actors to nation-state adversaries. Recent attacks on Microsoft by cloud-focused threat actors like COZY BEAR are becoming more frequent and garnering huge attention. 

Adversaries are using novel cloud-focused techniques and tactics to achieve their goals. CrowdStrike has previously disclosed campaigns — for example, StellarParticle — that show the abuse of assets including Microsoft identities, Office 365 and more. Today, we will dive into one such adversary technique that abuses Microsoft Azure Active Directory (now called Entra ID) cross-tenant synchronization. We will show two observed attack paths to outline the impact. Let’s begin.

Ready to get instant visibility into your Active Directory? Set up a complimentary CrowdStrike AD Risk Review and stop identity-based threats today.

What Is Azure Cross-Tenant Synchronization?

Introduced by Microsoft in May 2023, cross-tenant synchronization (CTS) stands as a pivotal feature designed to streamline the automation of creating, updating and deleting B2B users/groups across tenants. This functionality empowers users and groups created through CTS to seamlessly access a spectrum of applications, ranging from Microsoft applications like Teams and SharePoint to non-Microsoft counterparts.

CTS uses a simple push operation on the “source” tenant to facilitate the synchronization of users/groups to the “target” tenant. Administrators in the target tenant retain control, with the ability to halt synchronization at their discretion or remove a source tenant by adjusting the configuration of their cross-tenant access (CTA) policy. This flexibility ensures efficient management and oversight over the cross-tenant synchronization process.

Abusing Cross-Tenant Synchronization

To abuse CTS within a Microsoft environment, attackers need specific roles that grant them the necessary privileges to create or modify CTS policy settings. Once attackers compromise a tenant, they can use existing CTS policies to move laterally to a partner tenant or add a backdoor into the tenant using CTS. 

Access to the following roles is required to abuse CTS: 

  1. Each user being synchronized needs a Microsoft Entra ID P1 license in the source tenant
  2. The attacker needs the following roles in the compromised tenant to establish persistent access:
    1. Global Administrator role to make all changes required for the attack
    2. Security Administrator role to configure CTA settings
    3. Hybrid Identity Administrator role to configure CTS
    4. Cloud Application Administrator or Application Administrator role to assign users to a configuration and delete a configuration

With the required access, attackers can take two attack paths to abuse the CTS feature:

  1. A lateral movement using CTS
  2. An identity backdoor on a compromised tenant using CTS

Figure 1 below delves into the details of both attack paths. Initially, an attacker compromises a (source) tenant and gains the necessary privileges. From there, the attacker can enumerate partner tenants with configured CTA and ensure CTS is enabled with the required inbound or outbound CTA policy. After enumeration, the attacker can leverage an already synchronized user identity to move laterally to the target tenant, thereby gaining access to the applications and services associated with that tenant. 

If the attacker wants to establish persistence on a compromised tenant, they can add an attacker-controlled tenant as a partner in a compromised tenant by creating a CTA policy with automatic user invitation redemption and enabling inbound synchronization. Subsequently, an attacker-controlled tenant can initiate the push of user accounts to compromised tenants and establish persistence by abusing CTS. The following section will dive into each attack path in detail.

Figure 1. Attack path details

Attack Path 1: Lateral Movement Using Cross-Tenant Synchronization

Adversaries can achieve initial foothold by compromising Azure tenants in multiple ways, including but not limited to vulnerabilities in public-facing applications or APIs, leaked credentials, stolen identities and zero-day exploits. Once attackers acquire the necessary access and privileges defined in the earlier section, then attackers are positioned to abuse CTS.

Figure 2. Moving laterally using CTS

 

Figure 2 shows the general flow of the attack. The attacker takes the following steps to achieve lateral movement to the target tenant:

  1. Initially, an attacker compromises a source tenant acquiring the necessary privileges. It enables an attacker to gather crucial information for lateral movement. This could be executed through various means, such as leveraging a command-line interface or console. For our purposes, this blog uses Microsoft Graph API endpoints to illustrate the attack.
  2. Subsequently, the attacker uses Microsoft Graph API to enumerate the CrossTenantAccessPolicy to find the target tenants (partner tenants) already available on the compromised tenant. The attacker tries to locate target tenant IDs where AutomaticUserConsentSettings set to outboundAllowed: true. As shown in Figure 3, the found tenant ID can potentially be abused by the attacker.

Figure 3. Attacker enumerates the CTA policy to find target tenants (partner tenants)

 

  1. Following the discovery of tenant IDs, the attacker proceeds to identify a synchronization application servicePrincipal that pushes users/groups to the target tenant. Fortunately, there is no readily available API to do this easily. This step can be broken into the following:
    1. List all servicePrincipals on compromised tenant 
      GET https://graph.microsoft.com/v1.0/servicePrincipals
    2. Use each servicePrincipal to find a synchronization application used for a target tenant. The following query can be used to automate this process. If the query is successful (200 OK), then that servicePrincipal is used to create a synchronization application for a given target tenant. Figure 4 shows a successful query.
POST https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/validateCredentials
Content-Type: application/json
 
{
  "useSavedCredentials": false,
  "templateId": "Azure2Azure",
  "credentials": [
    {
      "key": "CompanyId",
      "value": "{TargetTenantId}"
    },
    {
      "key": "AuthenticationType",
      "value": "SyncPolicy"
    }
  ]
}

Figure 4. Successfully locating the servicePrincipal used in a synchronization application

 

  1. Now, the attacker employs the query depicted in Figure 5 to identify users/groups being synced to the target tenant using servicePrincipal found in an earlier step. Figure 5 also shows the username “abc” being synced to the target tenant.

Figure 5. User “abc” being synced to the target tenant

 

  1. At this juncture, the attacker has a few options to move laterally to the target tenant:
    1. The attacker can opt for an existing user that is already synced to the target tenant. This is a very stealthy method, as the attacker doesn’t need to modify a compromised tenant to move laterally to the target tenant.
    2. The attacker can add a new user to sync into the target tenant and use the credentials associated with it to attack the target tenant if CTS is properly configured and operational.
    3. The attacker can also add a new user to a group that is already synced into the target tenant if CTS is properly configured and operational.
  2. Upon successful login with the chosen user, the attacker gets access to the target tenant. Furthermore, this access extends to Microsoft or third-party applications associated with the target tenants, enhancing the attacker’s potential for exploitation.

Attack Path 2: Identity Backdoor on Compromised Tenant Using Cross-Tenant Synchronization

Once an attacker successfully compromises a tenant and acquires the necessary privileges, the establishment of persistence becomes a paramount objective. Let’s delve into the details on how an attacker might establish and maintain persistence within a compromised tenant.

Figure 6. Identity backdoor in compromised tenant using CTS

 

Figure 6 provides a visual representation of the attack flow for establishing persistent access to compromised tenants. We now break down the attack into two distinct steps:

  1. On Compromised Tenant
  2. On Attacker-Controlled Tenant

A. On Compromised Tenant

  1. The attacker needs to obtain the required access as described in the earlier section.
  2. Having obtained the necessary access, the attacker proceeds to create a new CTA incorporating the attacker-controlled tenant ID. Essentially, this action establishes the attacker-controlled tenant as a partner within the compromised tenant. Figure 7 shows Microsoft Entra ID audit logs for this maneuver.

Figure 7. Partner tenant ID addition in CTA

 

  1. Subsequently, the attacker makes further modifications by adjusting the inbound CTA settings to enable AutomaticUserConsent. Specifically, by setting “inboundAllowed”:true. This enables automatic user invitation redemption, as shown in Figure 8.

Figure 8. CTA modification to allow inbound automatic user invitation redemption

 

  1. Continuing with the attack sequence, the attacker proceeds to another modification of inbound CTA, but this time, setting “IsSyncAllowed”:true. This particular configuration allows the attacker to push user accounts into the compromised tenant, a critical step highlighted in Figure 9. With the successful completion of this step, the attacker effectively establishes a backdoor within the compromised tenant.

Figure 9. CTA modification to allow inbound synchronization

B. On Attacker-Controlled Tenant

In the realm of the attacker-controlled tenant, the actions orchestrated by the attacker remain beyond monitoring, as this tenant operates external to the organization. Consequently, we won’t add logs or API requests to show this activity. The general steps for an attacker to configure CTS are as following: 

  1. The attacker needs a tenant that has the required Microsoft Entra ID premium license.
  2. Continuing the course, the attacker proceeds to create a new CTA policy within the attacker-controlled tenant. This involves the addition of a compromised Tenant ID, effectively integrating the compromised tenant as a partner within the attacker-controlled environment.
  3. The attacker then modifies outbound CTA settings to enable AutomaticUserConsent by setting “outboundAllowed”:true. This enables an automatic user invitation redemption policy matching the compromised tenant.
  4. Subsequently, the attacker creates a CTS synchronization application and proceeds to add chosen users or groups to the CTS synchronization application.
  5. At this point, the attacker creates an automatic provisioning job to push these users and groups to the compromised tenant.
  6. The synchronization job uses the push operation to achieve the objective. This job can be forced to run on demand to push chosen users/groups to compromised tenants.
  7. With the successful push of malicious users and groups, the attacker gains an entry point into the compromised tenant. This access can extend beyond the compromised tenant, enabling the attacker to seamlessly log into Microsoft or third-party applications associated with the compromised environment.

CrowdStrike Falcon Cloud Security Detections

CrowdStrike Falcon Cloud Security unifies cloud security in a single unified platform to deliver comprehensive protection to customers against attacks on public cloud infrastructure. Falcon Cloud Security monitors attacker behavior in Azure tenants and uncovers indicators of attack (IOAs) showing abuse of Azure services and features. In this attack, Falcon Cloud Security monitors the addition of vulnerable CTS policies where an attacker either tries to move laterally or uses them as a backdoor in a tenant. Figure 10 shows a triggered IOA where a CTS policy was added with inbound user sync.

Figure 10. Falcon Cloud Security detects the addition of a vulnerable CTS policy

 

Additionally, Falcon Cloud Security provides the following IOAs and identifies misconfigurations affecting CTA policies, which helps users identify and remediate any security risks.

Cross-tenant partner given inbound access Behavior A cross-tenant partner was configured in Microsoft Entra ID to support automatic user consent for inbound access.
Cross-tenant partner user syncing enabled Behavior A cross-tenant policy was configured in Microsoft Entra ID that enabled automatic user sync.
Default cross-tenant synchronization policy allows outbound automatic user consent Configuration A cross-tenant access policy was configured with automatic outbound user consent.
Partner cross-tenant synchronization policy allows inbound user sync Configuration A cross-tenant access policy was configured with automatic inbound user consent.

CrowdStrike Best Practice Recommendation

To safeguard your Azure tenant from potential abuse of CTA and maintain a robust security posture, it’s imperative to adhere to best practices. Consider the following recommendations:

  1. Monitor external identities invited or synced into your tenant. Limit the privileges on such identities to control the blast radius.
  2. Monitor CTA policies being created on the tenant and validate any inbound or outbound settings that are modified to create exposure in the tenant.
  3. Monitor partner accounts added into tenants using CTA policies, and use a naming convention to differentiate each user from different partners synchronized into the tenant.
  4. Use secure default inbound and outbound access policies. Insecure default policies can create exposure to the tenant.
  5. Don’t trust multifactor authentication (MFA) from the source tenant for identities.
  6. Closely monitor administrator roles for any suspicious activities with respect to CTS.

Conclusion

The abuse of cloud provider services is a common technique utilized by many cloud-aware adversaries. New cloud provider features — like CTS — typically become unexplored attack surfaces for attackers as well as researchers. More often than not, new features need to gather feedback from users. This feedback often necessitates a change in design, visibility and security. This opens up a window of opportunity for adversaries to abuse the feature and find vulnerabilities.

Entra ID CTS is a feature that focuses on the ease of doing business and collaboration but is being abused by cloud-aware threat actors. Hence, cloud security practitioners need to be aware of the tactics, techniques and procedures used in this attack, where an attacker attempts to move laterally into different organization tenants or to create and maintain a backdoor in compromised tenants. CrowdStrike Falcon Cloud Security provides the necessary visibility to protect users from adversaries who might utilize these techniques to abuse CTS.

Is your cloud secure? A FREE CrowdStrike Cloud Security Risk Review quickly enables you to determine how to protect your cloud environment with a lightweight assessment that shows full threat visibility, misconfigurations and vulnerability risks, and how to detect and stop breaches from endpoint to cloud.

Additional Resources

HijackLoader Expands Techniques to Improve Defense Evasion

✇CrowdStrike
By: Donato Onofri - Emanuele Calvelli
7 February 2024 at 13:48
  • HijackLoader continues to become increasingly popular among adversaries for deploying additional payloads and tooling
  • A recent HijackLoader variant employs sophisticated techniques to enhance its complexity and defense evasion
  • CrowdStrike detects this new HijackLoader variant using machine learning and behavior-based detection capabilities 

CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities. 

In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach has the potential to make defense evasion stealthier. 

The second technique variation involved an uncommon combination of process doppelgänging and process hollowing techniques. This variation increases the complexity of analysis and the defense evasion capabilities of HijackLoader. Researchers also observed additional unhooking techniques used to hide malicious activity.

This blog focuses on the various evasion techniques employed by HijackLoader at multiple stages of the malware.

HijackLoader Analysis

Infection Chain Overview

The HijackLoader sample CrowdStrike analyzed implements complex multi-stage behavior in which the first-stage executable (streaming_client.exe) deobfuscates an embedded configuration partially used for dynamic API resolution (using PEB_LDR_DATA structure without other API usage) to harden against static analysis.

Afterward, the malware uses WinHTTP APIs to check if the system has an active internet connection by connecting to https[:]//nginx[.]org. If the initial connectivity check succeeds, then execution continues, and it connects to a remote address to download the second-stage configuration blob. If the first URL indicated below fails, the malware iterates through the following list:

  • https[:]//gcdnb[.]pbrd[.]co/images/62DGoPumeB5P.png?o=1
  • https[:]//i[.]imgur[.]com/gyMFSuy.png;
  • https[:]//bitbucket[.]org/bugga-oma1/sispa/downloads/574327927.png

Upon successfully retrieving the second-stage configuration, the malware iterates over the downloaded buffer, checking for the initial bytes of a PNG header. It then proceeds to search for the magic value  C6 A5 79 EA, which precedes the XOR key (32 B3 21 A5 in this sample) used to decrypt the rest of the configuration blob.

Figure 1. HijackLoader key retrieving and decrypting (click to enlarge)

 

Following XOR decryption, the configuration undergoes decompression using the RtlDecompressBuffer API with COMPRESSION_FORMAT_LZNT1. After decompressing the configuration, the malware loads a legitimate Windows DLL specified in the configuration blob (in this sample, C:\Windows\SysWOW64\mshtml.dll).

The second-stage, position-independent shellcode retrieved from the configuration blob is written to the .text section of the newly loaded DLL before being executed. The HijackLoader second-stage, position-independent shellcode then performs some evasion activities (further detailed below) to bypass user mode hooks using Heaven’s Gate and injects subsequent shellcode into cmd.exe.The injection of the third-stage shellcode is accomplished via a variation of process hollowing that results in an injected hollowed mshtml.dll into the newly spawned cmd.exe child process.

The third-stage shellcode implements a user mode hook bypass before injecting the final payload (a Cobalt Strike beacon for this sample) into the child process logagent.exe. The injection mechanism used by the third-stage shellcode leverages the following techniques:

  • Process Doppelgänging Primitives: This technique is used to hollow a Transacted Section (mshtml.dll) in the remote process to contain the final payload.
  • Process/DLL Hollowing: This technique is used to inject the fourth-stage shellcode that is responsible for performing evasion prior to passing execution to the final payload within the transacted section from the previous step.

Figure 2 details the attack path exhibited by this HijackLoader variant.

Figure 2. HijackLoader — infection chain (click to enlarge)

Main Evasion Techniques Used by HijackLoader and Shellcode

The primary evasion techniques employed by HijackLoader include hook bypass methods such as Heaven’s Gate and unhooking by remapping system DLLs monitored by security products. Additionally, the malware implements variations of process hollowing and an injection technique that leverages transacted hollowing, which combines the transacted section and process doppelgänging techniques with DLL hollowing.

Hook Bypass: Heaven’s Gate and Unhooking

Like other variants of HijackLoader, this sample implements a user mode hook bypass using Heaven’s Gate (when run in SysWOW64) — this is similar to existing (x64_Syscall function) implementations.

This implementation of Heaven’s Gate is a powerful technique that leads to evading user mode hooks placed in SysWOW64 ntdll.dll by directly calling the syscall instruction in the x64 version of ntdll.

Each call to Heaven’s Gate uses the following as arguments: 

  • The syscall number
  • The number of parameters of the syscall
  • The parameters (according to the syscall)

This variation of the shellcode incorporates an additional hook bypass mechanism to elude any user mode hooks that security products may have placed in the x64 ntdll. These hooks are typically used for monitoring both the x32 and x64 ntdll.

During this stage, the malware remaps the .text section of x64 ntdll by using Heaven’s Gate to call NtWriteVirtualMemory and NtProtectVirtualMemory to replace the in-memory mapped ntdll with the .text from a fresh ntdll read from the file C:\windows\system32\ntdll.dll. This unhooking technique is also used on the process hosting the final Cobalt Strike payload (logagent.exe) in a final attempt to evade detection.

Process Hollowing Variation

To inject the subsequent shellcode into the child process cmd.exe, the malware utilizes common process hollowing techniques. This involves mapping the legitimate Windows DLL mshtml.dll into the target process and then replacing its .text section with shellcode. An additional step necessary to trigger the execution of the remote shellcode is detailed in a later section.   

To set up the hollowing, the sample creates two pipes that are used to redirect the Standard Input and the Standard Output of the child process (specified in the aforementioned configuration blob, C:\windows\syswow64\cmd.exe) by placing the pipes’ handles in a STARTUPINFOW structure spawned with CreateProcessW API. 

One key distinction between this implementation and the typical “standard” process hollowing can be observed here: In standard process hollowing, the child process is usually created in a suspended state. In this case, the child is not explicitly created in a suspended state, making it appear less suspicious. Since the child process is waiting for an input from the pipe created previously, its execution is hanging on receiving data from it. Essentially, we can call this an interactive process hollowing variation. 

As a result, the newly spawned cmd.exe will read input from the STDIN pipe, effectively waiting for new commands. At this point, its EIP (Extended Instruction Pointer) is directed toward the return from the NtReadFile syscall. 

The following section details the steps taken by the second-stage shellcode to set up the child process cmd.exe ultimately used to perform the subsequent injections used to execute the final payload.

The parent process streaming_client.exe initiates an NtDelayExecution to sleep, waiting for cmd.exe to finish loading. Afterward, it reads the legitimate Windows DLL mshtml.dll from the file system and proceeds to load this library into cmd.exe as a shared section. This is accomplished using the Heaven’s Gate technique for: 

  • Creating a shared section object using NtCreateSection  
  • Mapping that section in the remote cmd.exe using NtMapViewOfSection  

It then replaces the .text section of the mshtml DLL with malicious shellcode by using:

  • Heaven’s Gate to call NtProtectVirtualMemory on cmd.exe to set RWX permissions on the .text section of the previously mapped section mshtml.dll
  • Heaven’s Gate to call NtWriteVirtualMemory on the DLL’s .text section to stomp the module and write the third-stage shellcode 

Finally, to trigger the execution of the remote injected shellcode, the malware uses:

  • Heaven’s Gate to suspend (NtSuspendThread) the remote main thread 
  • A new CONTEXT (by using NtGetContextThread and NtSetContextThread) to modify the EIP to point to the previously written shellcode
  • Heaven’s Gate to resume (NtResumeThread) the remote main thread of cmd.exe

However, because cmd.exe is waiting for user input from the STDINPUT pipe, the injected shellcode in the new process isn’t actually executed upon the resumption of the thread. The loader must take an additional step: 

  • The parent process streaming_client.exe needs to write (WriteFile) \r\n string to the STDINPUT pipe created previously to send an input to cmd.exe after calling NtResumeThread. This effectively resumes execution of the primary thread at the shellcode’s entry point in the child process cmd.exe.

Interactive Process Hollowing Variation: Tradecraft Analysis

We have successfully replicated the threadless process hollowing technique to understand how the pipes trigger it. Once the shellcode has been written as described, it needs to be activated. This activation is based on the concept that when a program makes a syscall, the thread waits for the kernel to return a value. 

In essence, the interactive process hollowing technique involves the following steps:

  • CreateProcess: This step involves spawning the cmd.exe process to inject the malicious code by redirecting STDIN and STDOUT to pipes. Notably, this process isn’t suspended, making it appear less suspicious. Waiting to read input from the pipe, the NtReadFile syscall sets its main thread’s state to Waiting and _KWAIT_REASON to Executive, signifying that it’s awaiting the execution of kernel code operations and their return.   
  • WriteProcessMemory: This is where the shellcode is written into the cmd.exe child process.
  • SetThreadContext: In this phase, the parent sets the conditions to redirect the execution flow of the cmd.exe child process to the previously written shellcode’s address by modifying the EIP/RIP in the remote thread CONTEXT.
  • WriteFile: Here, data is written to the STDIN pipe, sending an input to the cmd.exe process. This action resumes the execution of the child process from the NtReadFile operation, thus triggering the execution of the shellcode. Before returning to user space, the kernel is reading and restoring the values saved in the _KTRAP_FRAME structure (containing the EIP/RIP register value) to resume from where the syscall was called. By modifying the CONTEXT in the previous step, the loader hijacks the resuming of the execution toward the shellcode address without the need to suspend and resume the thread, which this technique usually requires.

Transacted Hollowing² (Transacted Section/Doppelgänger + Hollowing)

The malware writes the final payload in the child process logagent.exe spawned by the third-stage shellcode in cmd.exe by creating a transacted section to be mapped in the remote process. Subsequently, the malware injects fourth-stage shellcode into logagent.exe by loading and hollowing another instance of mshtml.dll into the target process. The injected fourth-stage shellcode performs the aforementioned hook bypass technique before executing the final payload previously allocated by the transacted section.

Transacted Section Hollowing

Similarly to process doppelgänging, the goal of a transacted section is to create a stealthy malicious section inside a remote process by overwriting the memory of the legitimate process with a transaction.

In this sample, the third-stage shellcode executed inside cmd.exe places a malicious transacted section used to host the final payload in the target child process logagent.exe. The shellcode uses the following:

  • NtCreateTransaction to create a transaction
  • RtlSetCurrentTransaction and CreateFileW with a dummy file name to replace the documented  CreateFileTransactedW
  • Heaven’s Gate to call NtWriteFile in a loop, writing the final shellcode to the file in 1,024-byte chunks
  • Creation of a section backed by that file (Heaven’s Gate call NtCreateSection)
  • A rollback of the previously created section by using Heaven’s Gate to call  NtRollbackTransaction

Existing similar implementations have publicly been observed in this project that implements transaction hollowing.

Once the transacted section has been created, the shellcode generates a function stub at runtime to hide from static analysis. This stub contains a call to the CreateProcessW API to spawn a suspended child process logagent.exe (c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8) that was previously dropped by cmd.exe  under the %TEMP% folder.

After the target process has been created, the sample uses Heaven’s Gate to:

  • Read its PEB by calling NtReadVirtualMemory to retrieve its base address (0x400000
  • Unmap the logagent.exe image in the logagent.exe process by using NtUnMapViewofSection 
  • Hollow the previously created transacted section inside the remote process by remapping the section at the same base address (0x400000) with NtMapViewofSection 

Process Hollowing

After the third-stage shellcode within cmd.exe injects the final Cobalt Strike payload inside the transacted section of the logagent.exe process, it continues by process hollowing the target process to write the fourth shellcode stage ultimately used to execute the final payload (loaded in the transacted section) in the remote process. The third-stage shellcode maps the legitimate Windows DLL C:\Windows\SysWOW64\mshtml.dll in the target process prior to replacing its .text with the fourth-stage shellcode and executing it via NtResumeThread. 

This additional fourth-stage shellcode written to logagent.exe performs similar evasion activities to the third-stage shellcode executed in cmd.exe (as indicated in the hook bypass section) before passing execution to the final payload.

CrowdStrike Falcon Coverage

CrowdStrike employs a layered approach for malware detection using machine learning and indicators of attack (IOAs). As shown in Figure 3, the CrowdStrike Falcon® sensor’s machine learning capabilities can automatically detect and prevent HijackLoader in the initial stages of the attack chain; i.e., as soon as the malware is downloaded onto the victim’s machine. Behavior-based detection capabilities (IOAs) can recognize malicious behavior at various stages of the attack chain, including when employing tactics like process injection attempts. 

Figure 3. CrowdStrike Falcon platform machine learning and IOA coverage for the HijackLoader sample (click to enlarge)

Indicators of Compromise (IOCs)

File SHA256
streaming_client.exe 6f345b9fda1ceb9fe4cf58b33337bb9f820550ba08ae07c782c2e142f7323748

MITRE ATT&CK Framework

The following table maps reported HijackLoader tactics, techniques and procedures (TTPs) to the MITRE ATT&CK® framework.

ID Technique Description
T1204.002 User Execution: Malicious File The sample is a backdoored version of streaming_client.exe, with the Entry Point redirected to a malicious stub.
T1027.007 Obfuscated Files or Information: Dynamic API Resolution HijackLoader and its stages hide some of the important imports from the IAT by dynamically retrieving kernel32 and ntdll API addresses. It does this by parsing PEB->PEB_LDR_DATA  and retrieving the function addresses.
T1016.001 System Network Configuration Discovery: Internet Connection Discovery This variant of HijackLoader connects to a remote server to check if the machine is connected to the internet by using the WinHttp API (WinHttpOpenRequest and WinHttpSendRequest).
T1140 Deobfuscate/Decode Files or Information HijackLoader utilizes XOR mechanisms to decrypt the downloaded stage.
T1140 Deobfuscate/Decode Files or Information HijackLoader utilizes RtlDecompressBuffer to LZ decompress the downloaded stage.
T1027 Obfuscated Files or Information HijackLoader drops XOR encrypted files to the %APPDATA% subfolders to store the downloaded stages.
T1620 Reflective Code Loading HijackLoader reflectively loads the downloaded shellcode in the running process by loading and stomping the mshtml.dll module using the LoadLibraryW and VirtualProtect APIs.
T1106 Native API HijackLoader uses direct syscalls and the following APIs to perform bypasses and injections: WriteFileW, ReadFile, CreateFileW, LoadLibraryW, GetProcAddress, NtDelayExecution, RtlDecompressBuffer, CreateProcessW, GetModuleHandleW, CopyFileW, VirtualProtect, NtProtectVirtualMemory, NtWriteVirtualMemory, NtResumeThread, NtSuspendThread, NtGetContextThread, NtSetContextThread, NtCreateTransaction, RtlSetCurrentTransaction, NtRollbackTransaction, NtCreateSection, NtMapViewOfSection, NtUnMapViewOfSection, NtWriteFile, NtReadFile, NtCreateFile and CreatePipe.
T1562.001 Impair Defenses: Disable or Modify Tools HijackLoader and its stages use Heaven’s Gate and remap x64 ntdll to bypass user space hooks.
T1055.012 Process Injection: Process Hollowing HijackLoader and its stages implement a process hollowing technique variation to inject in cmd.exe and logagent.exe.
T1055.013 Process Injection: Process Doppelgänging The HijackLoader shellcode implements a process doppelgänging technique variation (transacted section hollowing) to load the final stage in logagent.exe.

Additional Resources

How to Secure Business-Critical Applications

✇CrowdStrike
By: Jacob Garrison
9 February 2024 at 21:23

As organizations move more of their business-critical applications to the cloud, adversaries are shifting their tactics accordingly. And within the cloud, it’s clear that cybercriminals are setting their sights on software applications: In fact, industry data shows 8 out of the top 10 breaches in 2023 were related to applications.

The most valuable of these, known as business-critical applications, typically process large amounts of sensitive data including customer information, intellectual property and other critical data. These often have vulnerabilities or are poorly configured, leaving important information exposed to threat actors. Adversaries know this; as a result, many cybercrime groups focus their attacks on this type of software.

In this blog, we detail the steps to protecting your custom-developed business-critical applications to prevent your sensitive data from getting into the wrong hands.

Identify Your Business-Critical Applications

Business-critical applications are fundamental to a company’s operations. They typically process large amounts of sensitive information while creating revenue for the business.  

If a business-critical application is breached, the parent company will be forced to deal with fines, data loss, reputational damage, loss of customers and other concerns. Additionally, the company may see revenue fall if the software goes offline unexpectedly and customers cannot transact on the platform.

Common examples of critical applications include stock trading applications, e-commerce sites, healthcare software, and any other custom software that processes private information or business-critical data. Once custom-developed applications are deemed “business-critical,” they should be considered a top priority for security monitoring and reviews. 

Configure a Secure Digital Infrastructure

Protecting the machines that run business-critical applications is a complex task with many moving pieces. Consider each of the following infrastructure needs:

  • Network segmentation
  • Firewalls
  • Operating system and virtual machine (VM) patching
  • Cryptography
  • Secrets management

Restricting an attacker’s ability to move laterally through the network goes a long way in stopping breaches. By isolating digital assets and requiring authorization to access critical applications, the likelihood of a successful attack is reduced. Furthermore, network packets can be rejected by access control lists and firewalls, including web application firewalls.

Operating systems and VMs must be patched regularly. These underlying systems provide the backbone on which all other software runs; as a result, they are appealing adversary targets and new vulnerabilities must be patched as they are found and disclosed. 

In some cloud configurations, known as “platform as a service” (PaaS), the cloud provider will automatically update the OS and VM to patch vulnerabilities. With on-premise deployments and other cloud configurations, known as “infrastructure as a service” (IaaS), the end user is responsible for patching their own systems.

Data can be stored securely to further protect it in the event of a breach. Ensuring sensitive data is encrypted, both at rest and in transit, and passwords are hashed both reduce the likelihood an attacker extracts valuable information. Additionally, secrets such as SSH keys and certificates must be protected. A secure digital infrastructure creates a safe environment to run business-critical applications. 

Restrict Access Permissions to Required Individuals

Most successful cyberattacks begin with stolen credentials. By limiting both general and administrative access to individuals with a business need for it, you can greatly reduce the risk of compromise. 

The nature of an application determines this access strategy. Internal business applications often use role-based access control (RBAC) to allow or disallow branches of an organization to access an application. For a business-to-consumer application, the access strategy is different. Applications serving a wide audience often grant access to any user who chooses to sign up. 

Regardless of who can access the application as a whole, in all cases it’s crucial to ensure users can only access portions of the application relevant to them. Often, common features are available to all users while specialized features are available to a limited audience. For example, administrative functions may be restricted to a small subset of people who work in the IT department and the parent organization. Business-critical applications should regularly revoke access from users who no longer require access to the system, such as terminated employees.

Once users are authenticated, they are typically provided an application access token. These tokens uniquely identify an individual and allow the software to authorize user requests, rather than repeatedly requiring a username and password. Attackers attempt to steal access tokens so they can impersonate valid users and steal sensitive data from software. Special care must be taken to protect access tokens from attackers. Requiring HTTPS connections for token issue and enforcing token expiration are common defense mechanisms.

Additionally, user permissions should be tested at every server request. Every application programming interface (API) should require that the user’s identity is authenticated and they’re authorized to access the requested information. Establishing effective access permissions for business-critical applications is essential to prevent unwanted users in software and stop breaches.

Proactively Monitor for Suspicious Activity

Business-critical applications have great appeal to adversaries. Implementing a robust monitoring solution to detect attacks and stop suspicious data access is essential.

Every software application is hosted somewhere. By adding a runtime protection agent to servers that run business-critical applications, security teams can halt dangerous activity. Common indicators of attack such as persistence, lateral movement and enumeration should trigger alerts to the organization. Real-time insights allow detection and response teams to intercept suspicious activity before data exfiltration occurs. On-premises software benefits from endpoint detection and response solutions, while cloud-native applications use cloud workload protection to stop attacks in real time.

Improve Security Testing in the Software Development Pipeline

Implementing security controls early in the development process helps reduce risk in production. By “shifting security left” and integrating vulnerability scanners in the software development pipeline, development teams can find and fix security bugs early. Security teams that already measure security posture in production can quantify how efforts to shift left reduce risk to the business over time. Integrating vulnerability scanning tools is particularly useful in net-new development, since vulnerabilities are easier to mitigate during initial development.

Custom software applications contain native code and third-party code, often known as “open source.” The owner of the custom software is always responsible for ensuring imported packages do not contain common vulnerabilities and exposures (CVEs). Additionally, the development team can introduce vulnerabilities in their code built in-house. It is the organization’s responsibility to ensure their developers are shipping secure code regardless of deployment location.

Resolve Immediate Risks in Production

Application risk posture is a combination of infrastructure misconfigurations, security vulnerabilities, trust boundaries, business logic and data sensitivity. Analyzing the current risk posture of business-critical applications should be a priority. 

Misconfigurations and vulnerabilities are distinct from one another but introduce similar security concerns. Misconfigurations are insecure infrastructure settings that increase the likelihood of unwanted access. Common misconfigurations include default credentials, unrestricted inbound traffic, public storage buckets and plaintext SSH keys. Software vulnerabilities, on the other hand, are security flaws in code that an attacker can exploit. 

Weakness must be paired with accessibility to be exploitable. For example, a CVE enabling remote code execution is substantially more dangerous when it exists in a public-facing microservice. Trust boundaries, which are theoretical “boundaries,” define where incoming data from an unreliable source appears. Business-critical applications are more likely to be exploited when their vulnerabilities exist on the edge of a trust boundary. Production risk increases where applications communicate with the public internet or a third-party-owned software.

Understanding data flows and APIs is crucial when quantifying business risk. Security teams can make more informed decisions when they understand the data processed at various stages of a business-critical application. APIs transmitting sensitive payloads are a bigger concern than those without sensitive data. Similarly, databases with personally identifiable information present a greater risk than those without. Correlating business logic with sensitive data allows security teams to make more informed decisions.

Monitor Changes to Production

As code changes alter custom applications, it’s imperative to track changes to their risk posture. 

Newly introduced dataflows and APIs can have a massive influence on the likelihood of sensitive data exposure. Even more challenging to manage are changes to existing data flows and APIs — small updates can present massive risk, such as accidentally removing authentication from an API or returning sensitive data in an API’s payload for the first time.

Most code is not created in-house. In fact, open source software accounts for more than 80% of the lines of code in modern software applications. As library versions change, and new libraries are imported for the first time, the CVEs present in an application will change. Understanding both the business impact and likelihood of exploitation for each CVE in production allows security teams to prioritize their efforts.

Maintaining a constant measurement of the production risk posture empowers security teams to stay in sync with their software development counterparts and respond to dangerous changes quickly.

How CrowdStrike Helps Secure Business-Critical Applications

Business-critical applications are valuable assets that require a comprehensive protection plan. The AI-native CrowdStrike Falcon® platform helps you at every step of the journey, from cloud misconfiguration detection to application security posture management and runtime protection.

To learn more, request a demo.

Additional Resources

Key Findings from CrowdStrike’s 2024 State of Application Security Report

✇CrowdStrike
By: Jamie Gale
13 February 2024 at 13:49

As organizations shift their applications and operations to the cloud and increasingly drive revenues through software, cloud-native applications and APIs have emerged among the greatest areas of modern security risk. 

According to publicly available data, eight of the top 10 data breaches of 2023 were related to application attack surfaces.1 These eight breaches alone exposed almost 1.7 billion records, illustrating the potential for tremendous data loss if applications are poorly configured and lack effective protection. 

Application security has quickly become one of the most essential forms of security for the modern enterprise. That’s why we set out to understand how organizations are securing their applications today and the challenges they face in doing so. Our research team surveyed 400 application security professionals in the United States to learn how they are securing applications, the tools and processes they are using and how effective their work is. 

Here are some of our key findings. 

AppSec Tools Aren’t Helping Enough

You can’t protect what you can’t see. Organizations require visibility into their growing number of cloud applications and the data these applications hold in order to determine their areas of risk. They also must have the ability to prioritize and remediate application vulnerabilities and security alerts as they learn about them.

Both of these are top challenges among survey respondents: 60% said prioritization is among their top three obstacles in securing applications, while 57% said they struggle to gain full visibility into their applications and APIs to see what’s at risk. 

These challenges could be caused by an onslaught of security tools. Nearly 90% of respondents reported using at least three tools to detect and prioritize application vulnerabilities and threats. Despite using multiple tools, organizations struggle most with prioritizing application vulnerabilities and threats and gaining visibility into their applications — the same challenges for which they are seeking solutions.

Traditional Security Reviews Don’t Scale

As organizations develop and deploy more applications, they increase the chance of producing vulnerable code that could be exploited in an attack. Mitigating the risk of application vulnerabilities requires oversight not only when code is first deployed but as it’s updated over time. It is standard best practice to conduct a comprehensive security review before code is pushed to production. 

However, many application security teams aren’t taking this critical step. Our survey respondents estimated that, on average, only 54% of major code changes undergo a full security review before they’re deployed to production. This means almost half of major application code changes don’t undergo full security reviews. If major code changes aren’t vetted thoroughly, organizations run the risk of exposing their software to vulnerabilities that adversaries can exploit. 

It’s difficult to scale the traditional review process to meet modern application security needs. Our data shows that traditional security reviews are time-consuming and expensive. Most (81%) of respondents said a security review takes more than one business day, and 35% said it takes more than three.

Below is an overview of the additional information you can find in the CrowdStrike 2024 State of Application Security Report.  

Rethinking Your Approach to Application Security

Custom applications are complex and changing. Security must keep up. In this report, you’ll learn about eight critical areas of application security and gain insight into the issues challenging application security teams today. With this knowledge, you will be able to develop a more effective and comprehensive approach to securing your applications. 

Download the full report for more valuable insight including: 

  • The average number of programming languages organizations use 
  • How organizations inventory and catalog application microservices and APIs
  • The estimated mean time to remediation for critical application security issues 
  • The individual(s) and/or team(s) considered responsible for application security — and how this varies across organizations of different sizes

Our findings confirm: The current state of application security isn’t effective enough to stop today’s threats. Today’s application security lacks the automation and efficiency needed to support modern applications and the teams that protect them. 

CrowdStrike is committed to helping our customers stop breaches by securing cloud-native applications. Our acquisition of application security posture management (ASPM) pioneer Bionic is one critical step toward revolutionizing a cloud-native application protection platform (CNAPP). With the addition of ASPM, CrowdStrike Falcon® Cloud Security is now the only CNAPP to protect everything from code to cloud.

Additional Resources

 

  1. IT Governance, “List of Data Breaches and Cyber Attacks in 2023,” https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-2023

February 2024 Patch Tuesday: Two Zero-Days Amid 73 Vulnerabilities

✇CrowdStrike
By: Falcon Exposure Management Team
13 February 2024 at 23:27

Microsoft has released security updates for 73 vulnerabilities for its February 2024 Patch Tuesday rollout. These include two actively exploited zero-days (CVE-2024-21412 and CVE-2024-21351), both of which are security feature bypass flaws. Five of the vulnerabilities addressed today are rated Critical while the remaining 68 are rated Important or Moderate.

February 2024 Risk Analysis

This month’s leading risk type is remote code execution (41%) followed by elevation of privilege (22%) and spoofing (14%).

Figure 1. Breakdown of February 2024 Patch Tuesday attack types

 

Windows products received the most patches this month with 44, followed by Extended Security Update (ESU) with 32 and Azure with 9.

Figure 2. Breakdown of product families affected by February 2024 Patch Tuesday

Actively Exploited Zero-Day Vulnerability Affecting Internet Shortcut Files

Internet Shortcut Files has received a patch for CVE-2024-21412, which has a severity of Important and a CVSS score of 8.1. This vulnerability allows an unauthenticated attacker to bypass a security feature called “Mark of the Web” (MotW) warnings on Windows machines. The targeted user would need to be convinced to click on a specially crafted file that is designed to bypass the displayed security checks. According to Microsoft, the proof-of-concept kit for exploiting the vulnerability has not been publicly disclosed.

Severity CVSS Score CVE Description
Important 8.1 CVE-2024-21412 Internet Shortcut Files Security Feature Bypass Vulnerability

Table 1. Zero-day in Internet Shortcut Files

Actively Exploited Zero-Day Vulnerability Affecting Windows SmartScreen

Windows SmartScreen has received a patch for CVE-2024-21351, which has a severity of Moderate and a CVSS score of 7.6. This security feature bypass vulnerability on Windows Defender SmartScreen can potentially lead to partial data exposure and/or issues with system availability. The attacker would need to convince the user to open a malicious file that could bypass SmartScreen and potentially gain code execution. According to Microsoft, the proof-of-concept kit for exploiting the vulnerability has not been publicly disclosed.

Severity CVSS Score CVE Description
Moderate 7.6 CVE-2024-21351 Windows SmartScreen Security Feature Bypass Vulnerability

Table 2. Zero-day in Windows SmartScreen

Critical Vulnerabilities Affecting Microsoft Windows, Extended Security Update, Dynamics, Exchange Server and Microsoft Office

CVE-2024-21410 is a Critical elevation of privilege (EoP) vulnerability affecting Microsoft Exchange Server and has a CVSS score of 9.8. An attacker that successfully exploits this vulnerability can relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange server and be authenticated as that user. NTLM hashes are important for gaining account access due to the use of challenge-response protocols in secure authentication. This vulnerability potentially allows attackers to crack NTLM hashes or deploy an NTLM relay attack.

Prior to the Exchange Server 2019 Cumulative Update 14 (CU14), Exchange Server did not enable relay protections for NTLM credentials (called Extended Protection for Authentication or EPA) by default, which would have protected against one of the attack types mentioned earlier. Microsoft has provided a “Exchange Server Health Checker script” that provides an overview of the Extended Protection status of the customer’s Exchange server.

CVE-2024-21413 is a Critical remote code execution (RCE) vulnerability affecting Microsoft Outlook and has a CVSS score of 9.8. Successful exploitation of this vulnerability allows the attacker to send a maliciously crafted link that bypasses the security feature. This can lead to credential exposure and RCE, enabling attackers to gain privileged functionality.

CVE-2024-21380 is a Critical information disclosure vulnerability affecting Microsoft Dynamics Business Central (formerly known as Dynamics NAV) and has a CVSS score of 8.0. This vulnerability could allow the attacker to gain the ability to interact with other SaaS tenants’ applications and content. The user would have to be convinced by the attacker to click on a specially crafted URL, and the execution would need to win a race condition for a successful exploitation. This can lead to unauthorized access to the victim’s account.

CVE-2024-21357 is a Critical RCE vulnerability affecting Windows Pragmatic General Multicast (PGM) network transport protocol and has a CVSS score of 7.6. The attack complexity is high due to the additional actions a threat actor would need to take for successful exploitation. Exploitation is limited to within the same network or virtual network systems that are connected.

CVE-2024-20684 is a Critical denial of service (DoS) vulnerability affecting Microsoft Windows Hyper-V and has a CVSS score of 6.5. Successful exploitation of this vulnerability allows an attacker to target a Hyper-V guest virtual machine, which can affect the functionality of the Hyper-V host. Because this is a local DoS attack, Microsoft deems exploitation less likely.

Severity CVSS Score CVE Description
Critical 9.8 CVE-2024-21410 Microsoft Exchange Server Elevation of Privilege Vulnerability
Critical 9.8 CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability
Critical 8.0 CVE-2024-21380 Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
Critical 7.5 CVE-2024-21357 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Critical 6.5 CVE-2024-20684 Windows Hyper-V Denial of Service Vulnerability

Table 3. Critical vulnerabilities in Windows, ESU, Dynamics, Exchange Server and Microsoft Office

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

  • For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
  • Stay tuned for the CrowdStrike 2024 Global Threat Report — to be released on Feb. 21, 2024 — to learn how the threat landscape has shifted in the past year and understand the adversary behavior driving these shifts.
  • See how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments. 
  • Learn how CrowdStrike’s external attack surface module, CrowdStrike® Falcon Surface™, can discover unknown, exposed and vulnerable internet-facing assets, enabling security teams to stop adversaries in their tracks.
  • Learn how CrowdStrike Falcon® Identity Protection products can stop workforce identity threats faster. 
  • Make prioritization painless and efficient. Watch how CrowdStrike Falcon® Spotlight enables IT staff to improve visibility with custom filters and team dashboards
  • Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.

CrowdStrike Named the Only Customers’ Choice: 2024 Gartner® “Voice of the Customer” for Vulnerability Assessment

✇CrowdStrike
By: Bei Wang - David Bruce
14 February 2024 at 15:29

It is a common refrain in security circles that “nobody loves their vulnerability management tool.”  CrowdStrike may have just proved to be the exception. 

We are proud to announce that CrowdStrike is the only vendor named a Customers’ Choice in the 2024 Gartner “Voice of the Customer” Report for Vulnerability Assessment. In this report, CrowdStrike is the only vendor placed in the upper right quadrant, meaning we received a Customers’ Choice Distinction. This placement indicates we meet or exceed both the average Overall Experience and the average User Interest and Adoption for the segment. 

In addition to the recent IDC MarketScape Report recognizing CrowdStrike as a Leader for Risk-Based Vulnerability Management, we believe this recognition is a validation not only from the analyst community but from those it matters the most: our customers.

At the center of this is Falcon® Exposure Management. We believe the overwhelming customer response to Falcon Exposure Management is one of the reasons for our recognition as a Customers’ Choice in this report. 

Falcon Exposure Management is a comprehensive risk and vulnerability management solution that incorporates all the capabilities of CrowdStrike Falcon® Spotlight vulnerability management, CrowdStrike Falcon® Discover asset management, CrowdStrike Falcon® Surface external attack surface management and much more. 

Legacy VM Tools: A Test in Patience

The enthusiasm around Falcon Exposure Management stems from its ability to address many of the challenges associated with legacy vulnerability management tools, which are often costly and slow to deploy, operationalize and generate results.

Setting up legacy vulnerability management (VM) tools is often an exercise in patience. The network scanners are on-premises appliances that require painstaking sizing and tuning. In order to get a high-fidelity network scan, the VM team needs to obtain and manage credentials to each target system being scanned, with the right privilege, and deal with ongoing password rotation. 

Further, due to the disruptive nature of these scans, scanning windows must be negotiated with various departments and system owners so business doesn’t slow to a crawl. It could be weeks before a complete scan of the entire infrastructure can be finished. This doesn’t take into consideration the process before the scan, which involves updates for new vulnerability signatures or ongoing firewall administration to ensure the scanner can reach every system.  

The complex nature of these tools makes legacy VM extremely difficult to operationalize, which reduces its effectiveness and adds to the total cost of ownership. Rather than managing vulnerabilities, security teams are instead focusing on managing the headache of their VM tool. The worst part is these long scanning cycles unnecessarily expose organizations to critical vulnerabilities and zero-days at a time when adversaries are quickly weaponizing them. 

Why We Believe CrowdStrike Is the Only Customers’ Choice

Falcon Exposure Management, which runs on the same unified, lightweight agent utilized by the CrowdStrike Falcon® platform, is a breeze to deploy. You simply switch it on. There is virtually no maintenance involved. It offers instant vulnerability assessment compared to legacy VM tools, which can take days or weeks.  

The Falcon® platform empowers security teams to bridge data gaps, pivot across rich threat contexts, leverage AI to effectively prioritize vulnerabilities, and quickly zoom in on adversaries to stop breaches. CrowdStrike research has shown Falcon Exposure Management can reduce external attack surface by up to 75%1 while keeping out 95%2 of the vulnerability noise.

Gartner® Peer Insights™ customer reviews share inputs such as:

“The best use of it comes when there is a zero-day release and we have it ready on the console with the impacted machines without spending any effort to scan. The up-to-date vulnerability information has also helped us triage detections and incidents in the best way.”

“You don’t need to deploy an extra agent to have this functionality, the data is already there, and if you are currently using CrowdStrike Falcon as your Endpoint Detection and Response product you only need to enable this and voila! It will work, so having everything in a single pane of glass is always more than welcomed, this will reduce alert fatigue, will help our analysts to take less time on remediation and use that time for investigations.”

Customers overwhelmingly prefer CrowdStrike’s approach to building security tools with its lightweight agent, cloud-native unified platform and powerful AI. Falcon Exposure Management complements CrowdStrike’s leading security solutions with a proactive, easy-to-deploy vulnerability and risk management solution that allows customers to reduce complexity, quickly operationalize and cut down on redundant spending so security teams can do what they do best: get ahead of adversaries and stop breaches.

GARTNER is a registered trademark and service mark, and PEER INSIGHTS is a registered trademark, of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

Additional Resources

  1. Based on Falcon Surface product data.
  2. This number is a project estimate of average benefit based on recorded metrics provided by customers during pre-sale motions that compare the value of CrowdStrike with the customer’s incumbent solution. Actual realized value will depend on individual customer’s module deployment and environment.

Seeing into the Shadows: Tackling ChromeOS Blind Spots with Dell and CrowdStrike

✇CrowdStrike
By: Janani Nagarajan
14 February 2024 at 18:23

According to a 2023 Forbes article, 12.7% of U.S. workers work remotely and 28.2% have adopted a hybrid work schedule. As device and usage trends continue to shift, organizations must find ways to secure remote endpoints that could grant adversaries access if left vulnerable. 

Adversaries are moving faster than ever  and enterprise security must detect and respond to attacks at lightning speed. To stay ahead of today’s attackers, it’s critical to gain complete visibility across all of your devices, regardless of their operating system or location. As a growing number of organizations rely on ChromeOS devices to run their businesses, we are working to help them ensure full security coverage and strengthen their security posture against modern threats .

With Dell and CrowdStrike, your team is empowered to work securely using AI-native cybersecurity to bridge security gaps and gain comprehensive visibility into ChromeOS devices on a network. To deliver this, Dell now offers CrowdStrike Falcon® Insight for ChromeOS within the Dell SafeGuard and Response portfolio, helping to reduce the attack surface of your devices and boost cyber resiliency. Organizations can now benefit from CrowdStrike Falcon® Insight XDR’s industry-leading detection and response capabilities to stop adversaries across ChromeOS, Linux, macOS and Windows devices from a single unified console for broad cross-platform coverage.

By activating Falcon Insight for ChromeOS with Dell, you can:

  • Eliminate visibility gaps and accelerate threat detection with one unified view of native ChromeOS event telemetry, ingested directly from Google, alongside your additional endpoint data across Windows, Linux and macOS.
  • Accelerate incident triage and response with automated workflows and notifications based on contextual insights and detections with the built-in CrowdStrike Falcon® Fusion integrated security orchestration automation and response (SOAR).
  • Be up and running in minutes, with no new agents and no device impact, using the flexible and scalable Falcon platform — seamlessly provided by Dell SafeGuard and Response.

CrowdStrike and Dell partner to help you simplify and consolidate your security stack while addressing new threat vectors across your fleet. As modern workplace demands continue to evolve, so will your security needs associated with hybrid work and remote access. By seamlessly delivering the industry-leading, AI-native CrowdStrike Falcon XDR platform with simplified procurement, we provide superior protection and speed, and immediate time-to-value. To learn more about how you can get comprehensive visibility of your fleet across all operating systems, reach out to Dell and CrowdStrike specialists.

Want to learn more? Join our webinar on Feb 29, 2024, for a deep dive on Dell Technologies: CrowdStrike Falcon Insight for ChromeOS.

See CrowdStrike Falcon Insight XDR in action in this short demo.

Additional Resources

CrowdStrike Is Proud to Sponsor the Mac Admins Foundation

✇CrowdStrike
By: Daniel Bernard
15 February 2024 at 16:50

CrowdStrike is proud to announce its official sponsorship of the Mac Admins Community through its not-for-profit arm, the Mac Admins Foundation. CrowdStrike joins a distinguished list of sponsors at the highest level.

The Mac Admins Foundation serves as a vibrant hub of collaboration, information sharing and professional growth for the Mac Admins Community. Founded in 2015 and with more than 40,000 members, the Mac Admins Foundation provides a “global online community of IT professionals who specialize in Apple hardware and software.” The community is an amazing network of peers committed to helping each other learn and grow when it comes to all things related to macOS devices.

This focus on community aligns perfectly with the CrowdStrike ethos. CrowdStrike is built on the power of the crowd. Our community consists of tens of thousands of customers, partners and  security practitioners around the world dedicated to defeating adversaries, defending our estates and stopping breaches. 

Also aligned with the CrowdStrike ethos is the focus on innovation. Members of the Mac Admins Community are constantly creating — new ideas, businesses and applications — on their machines. CrowdStrike is also relentlessly working to strengthen organizations’ defenses against evolving cyberattacks without getting in the way of great work. We are proud to know today’s innovators are turning to CrowdStrike to secure their best, most critical work. 

We’re excited to join these two powerful communities to learn from and support each other on our shared missions. 

CrowdStrike: Dedicated to Protecting macOS Devices and Stopping Breaches

MacOS has become a frequent target of cyberattacks as it has increased in popularity for business and enterprise applications. While the macOS provides strong security features, adversaries continue to develop malware specifically targeting macOS, including ransomware, backdoors and trojans.

CrowdStrike is dedicated to protecting the macOS community and devices through research and technology. CrowdStrike researchers continue to track a growing number of attacks targeting macOS devices. The CrowdStrike Falcon® platform delivers industry-leading protection against a broad spectrum of attacks targeting macOS — from commodity and zero-day malware, ransomware and exploits to advanced malware-free and fileless attacks. 

CrowdStrike continually participates in third-party testing to demonstrate the efficacy of the Falcon platform in protecting against macOS threats. In 2023, CrowdStrike Falcon® Pro for Mac won the AV-Comparatives Approved Mac Security Product award for the sixth consecutive year.  During testing, Falcon Pro for Mac achieved 100% protection against Mac malware, with zero false positives and with no observable performance reduction on the Macs used for testing.

During the testing, AV-Comparatives collected 309 Mac malware samples that were representative of what the organization detected being used in the wild during the first half of 2023. Testers inserted USB flash drives containing these malware samples into the Macs, providing the first opportunity for security products to detect and protect against the malware. Any samples that were not detected were then copied to the Mac’s system disk and executed. If a security solution did not detect and neutralize by this stage, it was considered a miss.

Of the 309 Mac malware samples employed during testing, Falcon Pro for Mac had zero misses, providing 100% detection and 100% protection. There were zero false positives recorded. The Mac computers used in testing showed no observable performance reduction thanks to the lightweight Falcon sensor. 

Deepening Our Connection to the Mac Community 

As a global leader in cybersecurity, our commitment to the Mac community starts by delivering the device protection required to keep businesses running on macOS devices. And through the sponsorship of the Mac Admins Community, we’re extending our support to the amazing Mac Admins and the people behind the devices.

We believe that open and technical communities like Mac Admins drive the collaboration needed to build and scale the core technologies that power the software and devices that millions of people love and that countless businesses run on. We’re thankful for the hard work of the Mac Admins Community and proud to be a sponsor. 

Additional Resources

CrowdStrike and Intel Research Collaborate to Advance Endpoint Security Through AI and NPU Acceleration

✇CrowdStrike
By: Greg Dalcher
27 February 2024 at 18:20

At CrowdStrike, we are relentlessly researching and developing new technologies to outpace new and sophisticated threats, track adversaries’ behavior and stop breaches. As today’s adversaries continue to become faster and more advanced, the speed of enterprise detection and response is paramount.

It is also a challenge for today’s organizations, which face mounting attack volumes amid a global shortage of cybersecurity practitioners. In today’s evolving threat landscape, the intersection of AI and hardware innovation plays a pivotal role in shaping the future of threat detection and response. For CrowdStrike, a global cybersecurity leader, AI has been fundamental to our approach from the beginning.

Technology collaboration and research are essential to deploy new methods of analysis and defense. When Intel contacted us about the neural processing unit (NPU) in the new Intel® Core™ Ultra processors, we were excited to collaborate and explore new possibilities for enabling AI-based security applications on endpoint PCs, such as Dell’s latest generation of Latitude, the industry’s most secure commercial PC.1

The Challenges of Endpoint AI

The CrowdStrike Falcon® platform is engineered to operate in a transparent and near-zero impact manner, allowing seamless deployment to the endpoint.

Across the cybersecurity industry, the deployment of AI and machine learning (ML) models to the endpoint to perform advanced analytics has been limited — despite the advantages that such a configuration would offer. The reality is that most AI models, particularly neural network models for deep machine learning, simply won’t fit inside the performance envelope of an endpoint product. As a result of this technological challenge, many potential endpoint use cases of deep learning have been considered unworkable.

With the addition of the NPU in the Intel Core Ultra processor, we collaborated with Intel to test the feasibility and system impacts of moving large models from the cloud to the endpoint.

Case Study: Detecting Scripts and Fileless Malware Using an NPU-Enabled Convolutional Neural Network Model

Intel Core Ultra processors include an NPU, a purpose-built AI accelerator ideal for offloading inference of AI workloads, including convolutional neural network (CNN) models. CNN models are instrumental in detecting malicious scripts, which are frequently used in fileless malware — an increasingly common technique used in 75% of cyberattacks that gained initial access in 2023. 

Today, effective CNN models are not practical to deploy on the endpoint due to CPU overhead. Realistically, when used for script analysis, a large CNN model is currently only able to operate in the cloud to avoid disrupting the user experience. This means that applying this model to an endpoint requires the scripts to be uploaded to the cloud for analysis — a severe limitation in its application to endpoint detection.

To assess Intel’s NPU capabilities, we collaborated on a stress test using a large, non-optimized experimental CNN model developed to detect malicious scripts. The aim was to evaluate whether the NPU could effectively minimize CPU overhead in an extreme scenario, providing insights into the viability of deploying smaller production-ready endpoint models. 

The Intel team helped test this experimental model using both CPU only and CPU+NPU directly on an Intel Core Ultra processor. We found that, when running in continuous mode, approximately 20% of systemwide CPU capacity was used running the model in CPU-only mode.2 However, CPU usage drops to less than 1% when using the NPU. This breakthrough highlights the potential for more practical and efficient endpoint AI deployment.

Inference Device CPU Utilization — Maximum Memory Utilization Compiled Model Size Average Inference Time after First
CPU only 20% 1.07 GB 0.9 GB ~86ms
CPU+NPU <1% 1.4 GB 0.5 GB ~23ms

The Benefits of Endpoint AI

The substantial reduction in system impact observed with the utilization of an Intel Core Ultra processor featuring NPU acceleration makes the deployment of a comparable, and likely more compact, model to the endpoint viable. This advancement allows for detections to occur directly on the endpoint. Script analysis can be performed for an initial pass to detect many of the potentially malicious scripts prior to their execution, with cloud-based analysis subsequently doing the heavy lifting for deeper analysis.

With NPU acceleration, there is also a considerable advantage in being able to use AI to filter large quantities of endpoint data before uploading it to the cloud. This significantly reduces the volume of data that is sent.

Finally, the economic reality of running a large-scale, cloud-hosted AI service underscores the importance of optimizing resource allocation by enabling the cloud models to focus exclusively on wider-view and deeper analysis, enhancing efficiency and efficacy.

Figure 1. Illustration of data available on endpoint vs. what is sent to the cloud, where it can be more deeply analyzed (click to enlarge)

The diagram above illustrates the need for a substantial input data set with various parameters to be uploaded to the cloud for successful detection by deep learning models. Hosting the CNN model on the endpoint, with access to the complete set of data, allows for the efficacy of the cloud-hosted model to be augmented using dynamic clouding decisions.

Once input data has been identified as suspicious on the endpoint, it can be more deeply analyzed in the cloud where more resources are available. With advanced AI model deployment to the endpoint now possible using the NPU on Intel Core Ultra processors, the decision of what to send to the cloud can be governed dynamically using the deployed model. This is an extremely powerful capability that offers advantages over the usual approach of using fixed rules to determine what data is uploaded. 

Conclusion: The Road Ahead

The limitations of running AI workloads on the endpoint are undergoing a transformative shift with the integration of the NPU in Intel Core Ultra processors. Previously unattainable endpoint deep learning neural network AI becomes not only feasible but highly practical. The NPU shoulders the majority of the inference work, alleviating the processing burden on the CPU and resulting in minimal impact — essentially running the right workloads on the right execution engines.

This breakthrough unlocks a realm of new possibilities, moving endpoint detection closer to the source while sending relevant data to the cloud for better in-depth analysis. Furthermore, the decision to dispatch additional data to the cloud is now AI-driven, replacing fixed rules. This empowers expanded, selective cloud data collection, ensuring scalability and minimizing network traffic.

Leveraging the NPU on Intel Core Ultra processors to deploy CNN models for script and fileless attack detection is an excellent continuation of CrowdStrike and Intel’s joint efforts, in collaboration with Dell, to bring integrated defenses to the deepest levels of the endpoint. However, this is merely one example of an endpoint AI model. Numerous other use cases are conceivable, including endpoint analysis of network traffic, application to data leakage protection and more. We are just beginning to explore the power of pushing AI to the edge for advanced cybersecurity applications using the NPU, aiming to secure the future and stop breaches everywhere.

Co-authors:

This blog was co-authored by Paul Carlson, Lead Data Scientist, Intel; Pramod Pesara, Security Software Architect, Intel

Additional Resources

1. Based on Dell internal analysis, September 2023. Applicable to PCs on Intel processors. Not all features available with all PCs. Additional purchase required for some features.   

2. Technical disclaimers: These results should not be taken with the understanding that the ratio of CPU usage, memory usage, or inference time between CPU only and CPU+NPU will remain the same with a different/smaller model – even one using the same neural architecture as the model under test. This is also not a general claim about the performance of other models on the NPU, even other CNNs. The result should only be taken as an understanding that, for this specific CNN model developed by CrowdStrike, a smaller distilled model of the same design would likely have an average inference time after the first of <= ~25ms and a CPU overhead <= ~1%. Note that featurization/tokenization were not measured as part of this test. The model was tested using the OpenVINO framework. Results that are based on pre-production systems and components as well as results that have been estimated or simulated using an Intel Reference Platform (an internal example new system), internal Intel analysis or architecture simulation or modeling are provided to you for informational purposes only. Results may vary based on future changes to any systems, components, specifications or configurations.

After Years of Success, State of Wyoming Looks to Expand CrowdStrike Protections Statewide

✇CrowdStrike
By: Chris Prall
28 February 2024 at 22:16

With its wild beauty, favorable tax laws and growing tech scene, the State of Wyoming is experiencing a surge in business growth. But with this prosperity comes a rise in cyber risk due to the expanding commerce platforms and digital infrastructure needed to support it.

“We’ve had several large tech companies relocate to Wyoming recently,” explained Jason Strohbehn, Deputy CISO for the State of Wyoming. “With this growth comes a bigger attack surface and more adversary activity to protect against.”

Strohbehn works in the Wyoming Department of Enterprise Technology Services (ETS), where his five-person team is responsible for providing cybersecurity and IT services to 127 state agencies. Back in 2016, ETS began looking for a modern cybersecurity platform to replace its legacy antivirus (AV) solution, which was failing in critical areas. 

“Old tools and techniques don’t work against modern attacks,” said Strohbehn. “Our AV software was missing a lot of detections, plus it was very labor-intensive and process-heavy.”

Today, the State of Wyoming relies on a suite of CrowdStrike products and services to deliver superior cybersecurity across the Wyoming state government. 

24/7 Detection and Remediation

To strengthen its cybersecurity posture, the State of Wyoming went looking for a futureproof cybersecurity platform that’s effective, innovative and able to adapt to ever-evolving attacks. Further, state leadership wanted a strategic partner in the battle against global cybercrime. 

After evaluating several options, the State of Wyoming chose the AI-native CrowdStrike Falcon® XDR platform. Not only was the Falcon platform easily deployed without impacting users, its lightweight agent and AI-powered detection engine delivered the seamless and virtually invisible protection that ETS was looking for.

“We did a proof of concept with CrowdStrike, and by the end, we had department leaders willing to give up line-item budgets in order to procure it,” said Strohbehn. “So many people championed CrowdStrike, it was a no-brainer to go with them.”

With CrowdStrike Falcon® Prevent next-gen antivirus and CrowdStrike Falcon® Insight XDR, the State of Wyoming transformed its endpoint security, replacing its legacy AV with AI-powered protection, and extending industry-leading detection and response across the organization. A few years after the initial implementation, ETS doubled down on CrowdStrike in 2020 with the addition of CrowdStrike Falcon® Complete for 24/7 managed detection and response. 

With Falcon Complete, the State of Wyoming gained a force multiplier for its internal team with around-the-clock expert management, monitoring, proactive threat hunting and end-to-end remediation, delivered by CrowdStrike’s team of dedicated security experts. 

“The constant presence of the Falcon Complete team is like having a 24/7 security operations center. For us to replicate that would require hiring 6-10 employees, plus dealing with all the challenges of fielding such a high-performance team,” said Strohbehn.


Consolidating on the CrowdStrike Falcon Platform

In today’s complex threat landscape, state governments require an array of cybersecurity solutions to detect and stop threats. However, adding new tools and agents is tough on budgets and resource-strapped teams. To add the new protections it needs, the State of Wyoming has embraced cybersecurity consolidation on the Falcon platform.

With the Falcon platform, Strohbehn and his team can easily deploy new protections using the same lightweight agent and command console. Recently, ETS deployed CrowdStrike Falcon® Identity Protection to thwart the growing problem of identity-related attacks. 

“Our team does regular cybersecurity reviews to determine what tools we need to meet the challenge of new attacks. Attackers are now misusing credentials and moving through networks differently,” said Strohbehn. “We were able to deploy CrowdStrike’s identity protection module quickly and without another agent, which is huge for us.” 

Strohbehn acknowledged the synergies of deploying both solutions on the Falcon platform. “CrowdStrike’s endpoint and identity protection solutions are like peanut butter and jelly … they’re good by themselves, but when you put them together, you’ve got something special.” 

The State of Wyoming has realized several benefits from cybersecurity consolidation. “Without the Falcon platform, I’d need a bunch of different tools, which is both hard on my analysts and slows things down. With Falcon, we get the context and enrichment we need to stop attacks without having to draw on multiple solutions.”

Cost savings is another benefit. “If I’m paying for a tool to do something CrowdStrike can do, I can get rid of that tool, which saves us money,” said Strohbehn. “Any time we can replace a product with CrowdStrike, we do. And when we can’t outright replace a tool, we require that any new tools integrate well with CrowdStrike.”

Up Next: Whole-of-State Cybersecurity

To effectively safeguard operations and citizen information, state governments are increasingly looking at a whole-of-state approach to cybersecurity. This involves collaborating across state government, local government and education to protect citizens, data and digital infrastructure.

With full confidence in CrowdStrike based on seven years without a security breach, ETS is working with CrowdStrike to deliver whole-of-state cybersecurity in Wyoming. 

“We’re getting ready to go whole-of-state and provide protections to our cities and counties. We’ve been consulting with CrowdStrike on how to provide cybersecurity down to the local level, while still giving agencies the autonomy to operate independently,” said Strohbehn. 

Strohbehn is bullish on CrowdStrike because, according to him, it just works. 

“We’ve not had a breach since starting with CrowdStrike, so we’ve been very successful,” concluded Strohbehn. “Using CrowdStrike to go whole-of-state is going to be absolutely awesome.”

Additional Resources

The Anatomy of an ALPHA SPIDER Ransomware Attack

✇CrowdStrike
By: Jean-Philippe Teissier
29 February 2024 at 01:15
  • ALPHA SPIDER is the adversary behind the development and operation of the Alphv ransomware as a service (RaaS).
  • Over the last year, ALPHA SPIDER affiliates have been leveraging a variety of novel techniques as part of their ransomware operations.
  • CrowdStrike Services has observed techniques such as the usage of NTFS Alternate Data Streams for hiding a reverse SSH tool, exploitation of multiple vulnerabilities associated with a GNU/Linux-based appliance for initial access and privilege escalation, and bypassing DNS-based filtering and multifactor authentication (MFA) by tampering with network configuration files.
  • Affiliates of ALPHA SPIDER are still conducting successful ransomware operations against victims, and this adversary remains a clear and present threat to any organization.

Over the last two years, CrowdStrike Services has run several incident response (IR) engagements — in both pre- and post-ransomware situations — in which different ALPHA SPIDER affiliates demonstrated novel offensive techniques coupled with more commonly observed techniques. The events described in this blog have been attributed to ALPHA SPIDER affiliates by CrowdStrike Counter Adversary Operations.

Alphv ransomware-as-a-service, which first emerged in December 2021, is notable for being the first written in the Rust programming language. The Alphv RaaS offers a number of features designed to attract sophisticated affiliates, including ransomware variants targeting multiple operating systems; a highly customizable variant that rebuilds itself every hour to evade antivirus tooling; a searchable database on a clear web domain and the adversary’s dedicated leak site (DLS), which enables visitors to search for leaked data; and a Bitcoin mixer integrated to affiliate panels.

Many of the Alphv affiliates CrowdStrike Counter Adversary Operations has observed have proven adept at encrypting victim virtualization infrastructure. Affiliates have used Linux variants of Cobalt Strike and SystemBC to perform reconnaissance of VMware ESXi servers prior to deploying ransomware.

More information can be found in the CrowdStrike Counter Adversary Operations profile in our Adversary Universe: https://www.crowdstrike.com/adversaries/alpha-spider/.

Add the Adversary Universe podcast to your playlist to join our hosts as they unmask the threat actors targeting your organization.

Chaining Vulnerabilities to Obtain Initial Access and Achieve Persistence

In an IR engagement perpetrated by an ALPHA SPIDER affiliate (subsequently referred to in this blog as Threat Actor 1), the adversary used a combination of two software vulnerabilities to gain an initial foothold within the target’s network. First, Threat Actor 1 leveraged an exploit for the vulnerability identified as CVE-2021-44529,1 a code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) that affects the CSA Web Server component and allows an unauthenticated user to execute arbitrary code with limited permission (user nobody). A patch was made available for CVE-2021-44529 before the exploit happened on December 2, 2021. Once they were able to run code on the server, Threat Actor 1 used an exploit for the vulnerability identified as CVE-2021-40347,2 also known as PwnKit, to temporarily obtain root privileges and add a new UID 0 (“root”) account to the system. At this point, Threat Actor 1 installed a reverse-ssh3 executable to connect back to their server. The reverse-ssh was periodically executed by the local Cron daemon to achieve persistence on the compromised system.

See this blog for more information about hunting for PwnKit: Hunting pwnkit Local Privilege Escalation in Linux (CVE-2021-4034).

Noisy Network Discovery and Credential Access

After getting an initial locally privileged foothold into the target network, Threat Actor 1 in the same engagement performed extensive network discovery activities. Threat Actor 1 downloaded Nmap, the infamous network scanning tool, plus additional Nmap scripts. Using Nmap,4 the threat actor conducted system and services discovery and made use of specific Nmap scripts to perform a targeted vulnerability scan of the target’s network.

Following this scan, Threat Actor 1 attempted to use mitm6 5 and responder,6 two offensive security network tools, to gather additional credentials. According to their respective authors, mitm6 is a “pentesting tool that exploits the default configuration of Windows to take over the default DNS server” and responder is an “LLMNR, NBT-NS and MDNS poisoner.”

Threat Actor 1 also attempted to exploit the vulnerability identified as CVE-2021-21972.7 CVE-2021-21972 is a remote code execution vulnerability in a vCenter Server plugin, which a threat actor may exploit to execute commands with unrestricted privileges. Later during this attack, Threat Actor 1 also installed masscan8 on the compromised CSA server to perform additional network reconnaissance activities.

Hunting for Veeam Credentials

In the same IR engagement, Threat Actor 1 targeted the Veeam backup utility9 after performing their initial lateral movements. Veeam user account credentials are a target of choice for ransomware-oriented threat actors that often delete system backups prior to executing their ransomware payload. In this particular engagement, Threat Actor 1 attempted to use KoloVeeam (also known as veeamp) over Windows Remote Management (WinRM) protocol to extract and decrypt stored credentials.

Figure 1. Example of KoloVeeam execution detected by the CrowdStrike Falcon® platform (click to enlarge)

 

KoloVeeam is a simple tool that extracts and decrypts user credentials stored in the VeeamBackup database.

Code 1. KoloVeeam decompiled code (click to enlarge)

 

In this particular engagement, as Koloveeam was detected and blocked by the CrowdStrike Falcon® platform, Threat Actor 1 attempted to manually download Microsoft SQL Server Management Studio using the legitimate certutil LOLBIN10 and to decrypt stored passwords using Veeam’s own library, Veeam.Backup.Common.dll.

Figure 2. Example of Falcon platform detection of Microsoft SQL Server Management Studio downloaded using the certutil LOLBIN (click to enlarge)

 

After the initial Veeam credential access techniques were blocked, Threat Actor 1 attempted to execute the following code to manually decrypt previously obtained encrypted credentials. This script was originally shared on Veeam R&D forums.11

Code 2. Veeam credential decryption PowerShell script (click to enlarge)

 

In a different engagement, another ALPHA SPIDER affiliate (subsequently referred to in this blog as Threat Actor 2) leveraged the widely available Veeam Credential Recovery12 PowerShell script (Veeam-Get-Creds.ps1) to extract user credentials from the Veeam database.

Hunting for Leaked Credentials

In addition to targeting Veeam, Threat Actor 1 exported the Terminal Services LocalSessionManager/Operational logs. Threat actors may export logs like these for various reasons, such as:

  • To identify (privileged) user accounts usually logging in to endpoints of interest
  • To identify systems within the network to which the adversary may be able to move laterally
  • To harvest passwords that may have been mistakenly entered into the username field

Code 3. Threat actor exporting Terminal Services LocalSessionManager/Operational logs (click to enlarge)

Multiple Defense Evasion Techniques

Hiding Persistence in NTFS Alternate Data Stream (ADS)

The NTFS file system stores data using “streams.” Files have a default unnamed stream where the contents of the file are normally stored. Folders don’t have any default stream. Alternate data streams are additional streams that can be added to an MFT entry. The Windows operating system uses ADSs for different purposes, with one of the most common use cases being the Zone.Identifier ADS, also known as the Mark-of-the-Web that Windows uses to identify the network source of a file.

In two IR engagements, Threat Actor 1 deployed a reverse-ssh executable on several Windows systems in C:\System and then hid it in a C volume root directory “.” (MFT entry 5) ADS named “Host Process for Windows Service.” Threat Actor 1 then created a malicious service to ensure persistence for their reverse-ssh tool before deleting the executable from the initial location.

Code 4. Malicious ADS and service creation command (click to enlarge)

 

Threat Actor 1 chose a particularly interesting ADS to hide their malicious executable in, as many tools — including the system dir command and common PowerShell cmdlets — would not show an ADS on the root volume, even though these commands would display ADSs on other files and directories.

Figure 3. dir /r displays ADSs on files and directories but not on the root of the volume (click to enlarge)

 

Figure 4. PowerShell 5.1 Get-Item cmdlet displays ADSs on files but not on directories or on the root of the volume (click to enlarge)

 

Figure 5. PowerShell 7.4 Get-Item cmdlet displays ADSs on files and directories but not on the root of the volume (click to enlarge)

 

However, like with other ADSs, this specific ADS creation can be hunted for in Falcon platform data by searching for FileCreate or DirectoryCreate events containing a “:” character in the FileName field.

Figure 6. Falcon platform directory ADS creation event (click to enlarge)

Bypassing DNS Filtering and MFA with Network Configuration Tampering

In two separate incidents, ALPHA SPIDER affiliates (Threat Actor 1 and Threat Actor 2) modified the operating system local name resolution configuration file to bypass security measures such as DNS-based filtering or multifactor authentication (MFA).

On Microsoft Windows operating systems, a local name resolution configuration file is located in C:\Windows\System32\Drivers\etc\hosts. This local configuration file is used by the system to determine the IP address of a domain name. If an entry is present in the hosts file, the system does not perform a DNS request to resolve the domain name. In one IR engagement, Threat Actor 1 modified the hosts file on specific systems to bypass the DNS-based network filtering in place to block access to a well-known file storage website.

Figure 7. Modified Windows hosts file to bypass DNS-based filtering (click to enlarge)

 

In another IR engagement, Threat Actor 2 modified the hosts file to deactivate the MFA and single sign-on (SSO) product in place. According to Duo product documentation,13 “By default, Duo Authentication for Windows Logon will ‘fail open’ and permit the Windows logon to continue if it is unable to contact the Duo service.” This offensive security technique has been documented since at least 2018.14

Code 5. MFA bypass commands (click to enlarge)

Being Persistent at Exfiltration

In one of the IR engagements, Threat Actor 1 persistently attempted to exfiltrate data using three different methods and tools until they succeeded.

First, Threat Actor 1 attempted many times to use Rclone15 to exfiltrate data. Threat Actor 1 tried to masquerade the Rclone executable under different system and legitimate software executable names. Examples of such masquerading were to rename Rclone as svchost.exe and to copy it to an unusual place or to rename it as Ivaniti Cloud Software.exe (Threat Actor 1’s spelling mistake).

Figure 8. Example of Rclone detection by the Falcon platform (click to enlarge)

 

Threat Actor 1 then downloaded FileZilla from the legitimate website.16 FileZilla is freely available FTP software commonly used by threat actors to exfiltrate data over FTP or SFTP; however, this was blocked at the network level.

Finally, Threat Actor 1 downloaded the MEGA17 client software to exfiltrate data to a MEGA cloud account. Threat Actor 1 used the defense evasion previously mentioned to effectively bypass the DNS-based network filtering that was in place in the victim’s network.

Recommendations

ALPHA SPIDER affiliates have demonstrated the ability to perform their operations and act on their objectives in relatively short time frames. Defenders need to acknowledge this fact, invest in a state-of-the-art endpoint protection platform and ensure a proper detection handling process or playbook is in place in their organization. All detections should be thoroughly investigated and responded to in a timely manner to stop breaches.

It is also important to note that threat actors — like ALPHA SPIDER affiliates — have the ability to move to malware-less attacks by leveraging dual-purpose administration tools and legitimate user accounts to perform their malicious activities inside victims’ environments. Human threat hunters like those provided by CrowdStrike Falcon® Adversary OverWatch™ help identify this activity to ensure your organization can respond in a time-critical manner.

Conclusion

ALPHA SPIDER affiliates constantly demonstrate the use of numerous offensive techniques, leverage a large tool set — including various vulnerability exploits — and are extremely persistent at successfully exfiltrating data.

However, it does appear that the different ALPHA SPIDER affiliates who performed the actions described in this blog post have no specific operational security (OPSEC) measures in place to avoid being detected. This lack of OPSEC measures gives defenders numerous opportunities to detect and respond to ALPHA SPIDER affiliates’ operations, as long as they are able to respond in a fast and effective way in the scenario of an ongoing breach.

Additional Resources

Footnotes

  1. https://nvd.nist.gov/vuln/detail/CVE-2021-44529
  2. https://nvd.nist.gov/vuln/detail/CVE-2021-40347
  3. https://github.com/Fahrj/reverse-ssh
  4. https://nmap.org/
  5. https://github.com/dirkjanm/mitm6
  6. https://github.com/lgandx/Responder
  7. https://nvd.nist.gov/vuln/detail/CVE-2021-21972
  8. https://github.com/robertdavidgraham/masscan
  9. https://www.veeam.com/
  10. https://lolbas-project.github.io/lolbas/Binaries/Certutil/
  11. https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
  12. https://github.com/sadshade/veeam-creds
  13. https://help.duo.com/s/article/1081?language=en_US
  14. https://www.pentestpartners.com/security-blog/abusing-duo-2fa/
  15. https://rclone.org/
  16. https://filezilla-project.org/
  17. https://mega.nz/

Montage Health Consolidates Its Cybersecurity Strategy with CrowdStrike

✇CrowdStrike
By: Kasey Cross
4 March 2024 at 21:23

When Tahir Ali became CTO and CISO at Montage Health in 2021, he inherited a unique set of cybersecurity challenges. For one, the healthcare sector was getting bombarded with attacks, including distributed denial of service (DDoS), phishing and social engineering attacks

At the same time, the California-based nonprofit healthcare system was integrating more networked medical devices, employee-owned devices, AI applications and cloud services into its infrastructure. While these innovations brought operational efficiencies and a better patient experience, they also expanded the attack surface. 

Against this backdrop, Ali performed a security assessment of his available tools and resources. What he found was a set of non-integrated, legacy security tools that struggled to detect and stop modern attacks. Furthermore, he didn’t have the 24/7 coverage needed to defend against increasingly aggressive threat actors.

Ali began searching for a strategic partner to provide both a modern cybersecurity platform and 24/7 managed detection and response. That’s when he found CrowdStrike. 

Consolidating with CrowdStrike

The search for a strategic cybersecurity partner didn’t take long. Ali compared four vendors and landed on CrowdStrike after a successful proof of concept (POC). 

“One big consideration during the POC was agent performance. We run a lot of virtual desktop infrastructure (VDI), so we didn’t want our endpoint agent slowing down login or boot-up times,” explained Ali. “CrowdStrike was the superstar of the POC, so we bought it.”

Montage Health quickly deployed the lightweight CrowdStrike Falcon® agent to its 5,000+ endpoints, replacing its legacy security software with the AI-native Falcon platform. The modular architecture of the Falcon platform enabled the healthcare system to start with CrowdStrike Falcon® Insight XDR for extended detection and response, then easily add new protections using the same agent and command console.

“Our push was to get to a full security platform from a single vendor, but I wasn’t willing to sell my soul for it,” explained Ali. “Because our CrowdStrike XDR deployment was so successful, we had confidence to move forward with additional Falcon platform modules.” 

Montage Health soon deployed CrowdStrike Falcon® Identity Protection, CrowdStrike Falcon® Discover for IT hygiene, CrowdStrike Falcon® Prevent next-gen antivirus and CrowdStrike Falcon® Intelligence. This suite of innovative solutions gave Montage Health industry-leading protection across critical attack surfaces, plus many other benefits of cybersecurity consolidation, including increased speed, and lower cost and complexity. 



Next-Gen SIEM for Unmatched Speed and Scale

In 2021, Montage Health became an early adopter of CrowdStrike Falcon® LogScale for next-gen SIEM and log management. Built for the speed and scalability requirements of the modern SOC, Falcon LogScale offers real-time alerting, fast search and world-class threat intelligence for up to 80% less cost than legacy log management solutions. 

“It used to take us weeks to investigate an incident. Now it takes us 25 minutes and we know exactly what happened. Queries are faster too … it’s maybe a gazillion times faster,” joked Ali. 

Falcon LogScale is built on a unique, index-free architecture that delivers security logging at petabyte scale. Montage Health started with a small instance of Falcon LogScale and was able to easily scale up once it saw what the solution could do. 

“Before LogScale, it would take us 3 to 4 months to scale our log management capabilities, including all the servers, storage, monitoring and backup needed to grow a few hundred terabytes. With LogScale, we can add 300 to 400 terabytes of additional scalability in days,” said Ali. “From my perspective, LogScale is faster than any other product out there.”

With 20 years of experience in IT and security, Ali has used a number of SIEM and log management solutions throughout his career. For him, Falcon LogScale delivers the optimal mix of performance and interoperability. 

“Falcon LogScale gives us total visibility of our environment. Compared to other SIEMs I’ve used, Falcon LogScale performs better, is more customizable and requires less overhead,” said Ali. “When we switched to Falcon LogScale, the difference was obvious. Plus, it integrates seamlessly with the Falcon platform, which made it that much more attractive to us.” 

Better Security by the Numbers

For Montage Health, having innovative cybersecurity technology is only half the battle. The company also relies on CrowdStrike Falcon® Complete for 24/7 managed detection and response. With Falcon Complete, Montage Health gets both around-the-clock protection and the expertise needed to stop even the most sophisticated cyberattacks. 

All told, the combination of the Falcon platform and Falcon Complete has revolutionized the culture of security at Montage Health, allowing the nonprofit to deliver the same high level of excellence in security as it does in the clinical setting. 

The data bears this out: Monthly investigations have dropped from 102 to 56. Monthly events requiring Montage Health to investigate have dropped from 11 to 2. And the time required to investigate and triage each event dropped from several hours to only 53 seconds.

“I know it sounds crazy but it’s all true,” concluded Ali. “We’re very happy with CrowdStrike.”

Additional Resources

❌
❌