Normal view

There are new articles available, click to refresh the page.
Before yesterdayCrowdStrike

CrowdStrike Enhances Cloud Detection and Response (CDR) Capabilities to Protect CI/CD Pipeline

21 March 2024 at 16:54

The increase in cloud adoption has been met with a corresponding rise in cybersecurity threats. Cloud intrusions escalated by a staggering 75% in 2023, with cloud-conscious cases increasing by 110%. Amid this surge, eCrime adversaries have become the top threat actors targeting the cloud, accounting for 84% of adversary-attributed cloud-conscious intrusions. 

For large enterprises that want to maintain the agility of the cloud, it’s often difficult to ensure DevOps teams consistently scan images for vulnerabilities before deployment. Unscanned images could potentially leave critical applications exposed to a breach. This gap in security oversight requires a solution capable of assessing containers already deployed, particularly those with unscanned images or without access to the registry information. 

Recognizing this need, cloud security leader CrowdStrike has enhanced its CrowdStrike Falcon® Cloud Security capabilities to ensure organizations can protect their cloud workloads throughout the entire software development lifecycle and effectively combat adversaries targeting the cloud. Today we’re releasing two new features to help security and DevOps teams secure everything they build in the cloud.

Assess Images for Risks Before Deployment

We have released Falcon Cloud Security Image Assessment at Runtime (IAR) along with additional policy and registry customization tools. 

While pre-deployment image scanning is essential, organizations that only focus on this aspect of application development may create a security gap for containers that are deployed without prior scanning or lack registry information. These security gaps are not uncommon and could be exploited if left unaddressed.

IAR will address this issue by offering: 

  • Continuous security posture: By assessing images at runtime, organizations can maintain a continuous security posture throughout the software development lifecycle, identifying and mitigating threats in real time even after containers are deployed.
  • Runtime vulnerability and malware detection: IAR identifies vulnerabilities, malware and secrets, providing a holistic view of the security health of containers. This will help organizations take preventative actions on potential threats to their containers. 
  • Comprehensive coverage: If containers are launched with unscanned images, or if the registry information is unavailable, IAR provides the flexibility to fully secure containers by ensuring that none go unchecked. This enhancement widens the coverage for DevOps teams utilizing image registries, extending CrowdStrike’s robust pre-runtime security capabilities beyond the already supported 16 public registries — the most of any vendor in the market. 

Figure 1. Kubernetes and Containers Inventory Dashboard in the Falcon Cloud Security console (click to enlarge)

 

IAR is developed for organizations with specific data privacy constraints — for example, those with strict regulations around sharing customer data. Recognizing these challenges, IAR provides a local assessment that enables customers to conduct comprehensive image scans within their own environments. This addresses the critical need for privacy and efficiency by allowing organizations to bypass the limitations of cloud-based scanning solutions, which are unable to conduct scans at the local level.

Further, IAR helps boost operational efficiency at times when customers don’t want to modify or update their CI/CD pipelines to accommodate image assessment capabilities. Its runtime vulnerability scanning enhances container security and eliminates the need for direct integration with an organization’s CI/CD pipeline. This ensures organizations can perform immediate vulnerability assessments as containers start up, examining not only operating system flaws but also package and application-level vulnerabilities. This real-time scanning also enables the creation of an up-to-date software bill of materials (SBOM), a comprehensive inventory of all components along with their security posture. 

A Better Approach to Preventing Non-Compliant Containers and Images

Teams rely on the configuration of access controls within registries to effectively manage permissions for cloud resources. Without proper registry filtering, organizations cannot control who has access to specific data or services within their cloud infrastructure. 

Additionally, developer and security teams often lack the flexibility and visibility to understand where and how to find container images that fall out of security compliance when they have specific requirements like temporary exclusions. These problems can stem from using disparate tools and/or lacking customized rule-making and filtering within their cloud security tools. Security teams then must also be able to relay the relevant remediation steps to developer owners to quickly update the image. These security gaps, if left unchecked, can lead to increased risk and slow down DevSecOps productivity.

Figure 2. Image Assessment policy exclusions in the Falcon Cloud Security console (click to enlarge)

 

To that end, we are also announcing new image assessment policies and registry filters to improve the user experience, accelerate team efficiency and stop breaches. 

These enhancements will address issues by offering:

  • Greater control: Enhanced policy exclusion writing tools offer greater control over security policies, allowing organizations to more easily manage access, data and services within their cloud infrastructure while giving the owners of containers and assets the visibility to address areas most critical to them so they can focus on what matters.
  • Faster remediation for developers: Using enhanced image assessment policies, developers will be able to more quickly understand why a policy has failed a container image and be able to rapidly address issues before they can pose a greater security risk. 
  • Maintain Image Integrity: By creating new policies and rules, security administrators will be able to ensure only secure images are built or deployed.    
  • Scalability: As businesses grow and evolve, so do their security needs. CrowdStrike’s customizable cloud policies are designed to scale seamlessly, ensuring security measures remain effective and relevant regardless of organizational size or complexity.

These enhancements are designed to improve container image security, reduce the risks associated with non-compliance, and improve the collaboration and responsiveness of security and developer teams. These changes continue to build on the rapid innovations across Falcon Cloud Security to stop breaches in the cloud.  

Delivered from the AI-native CrowdStrike Falcon Platform

The release of IAR and new policy enhancements are more than just incremental updates — they represent a shift in container security. By integrating security measures throughout the entire lifecycle of a container, from its initial deployment to its active phase in cloud environments, CrowdStrike is not just responding to the needs of the modern DevSecOps landscape but anticipating them, offering a robust, efficient and seamless solution for today’s security challenges. 

Unlike other vendors that may offer disjointed security components, CrowdStrike’s approach integrates elements across the entire cloud infrastructure. From hybrid to multi-cloud environments, everything is managed through a single, intuitive console within the AI-native CrowdStrike Falcon® platform. This unified cloud-native application protection platform (CNAPP) ensures organizations achieve the highest standards of security, effectively shielding against breaches with an industry-leading cloud security solution. The IAR feature, while pivotal, is just one component of this comprehensive CNAPP approach, underscoring CrowdStrike’s commitment to delivering unparalleled security solutions that meet and anticipate the adversaries’ attacks on cloud environments.

Get a free Cloud Security Risk Review and see Falcon Cloud Security in action for yourself.  

During the review, you will engage in a one-on-one session with a cloud security expert, evaluate your current cloud environment, and identify misconfigurations, vulnerabilities and potential cloud threats. 

Additional Resources

5 Best Practices to Secure Azure Resources

18 March 2024 at 14:15

Cloud computing has become the backbone for modern businesses due to its scalability, flexibility and cost-efficiency. As organizations choose cloud service providers to power their technological transformations, they must also properly secure their cloud environments to protect sensitive data, maintain privacy and comply with stringent regulatory requirements. 

Today’s organizations face the complex challenge of outpacing cloud-based threats. Adversaries continue to set their sights on the expansive surface of cloud environments, as evidenced by the 75% increase in cloud intrusions in 2023 recorded in the CrowdStrike 2024 Global Threat Report. This growth in adversary activity highlights the need for organizations to understand how to protect their cloud environment and workloads. 

In light of the frequent breaches of Microsoft’s infrastructure, organizations using Microsoft Azure should take proactive steps to mitigate potential risk. Microsoft’s solutions can be complex, difficult to maintain and configure, and prone to vulnerabilities. It’s the responsibility of organizations using Azure to ensure their cloud environments are properly configured and protected. 

This blog outlines best practices for securing Azure resources to ensure that your cloud infrastructure is fortified against emerging and increasingly sophisticated cyber threats.

Best Practice #1: Require Multifactor Authentication (MFA) and Restrict Access to Source IP Addresses for Both Console and CLI Access

In traditional IT architecture, the security perimeter was clearly defined by the presence of physical network firewalls and endpoint protections, which served as the first line of defense against unauthorized access. In cloud-based environments, this traditional architecture has evolved to include identity, which encompasses user credentials and access management.

This shift amplifies the risk of brute-force attacks or the compromise of user credentials. Particularly in Microsoft environments, the complexity of the identity security framework and inability to consistently apply conditional access policies across the customer estate introduce additional risk. Navigating Microsoft’s security solutions can be daunting, with multiple agents to manage and an array of licenses offering varying levels of protection. The lack of real-time protection and inability to trigger MFA directly through a domain controller further amplify risk. 

Adversaries who manage to procure valid credentials, especially by taking advantage of weak identity security practices, can masquerade as legitimate users. This unauthorized access becomes even more dangerous if the compromised account has elevated privileges. Adversaries can use these accounts to establish persistence and perform data exfiltration, intellectual property theft or other malicious activity that can have devastating impacts on an organization’s operations, reputation and bottom line.

To avoid this, organizations should:

  • Use conditional access: Implement conditional access policies and designate trusted locations.
  • Require MFA: Enforce rules for session times, establish strong password policies and mandate periodic password changes.
  • Monitor MFA connections: Verify that MFA connections originate from a trusted source or IP range. For services that cannot utilize managed identities for Azure resources and must rely on static API keys, a critical best practice is to restrict usage to safe IP addresses when MFA is not an option. However, it’s crucial to understand that broadly trusting IPs from your data centers and offices does not constitute a safe practice. Despite the network location, MFA should always be mandated for all human users to ensure maximum security.

Best Practice #2: Use Caution When Provisioning Elevated Privileges

Privileged accounts have elevated permissions, allowing them to perform tasks or operations that a standard user would not be able to perform. These may include accessing sensitive resources or making critical changes to a system or network. Accounts provisioned with more privileges than needed are appealing to adversaries, driving both the likelihood of compromise and the risk of damage. 

Adversaries often target privileged Azure identities to establish persistence, move laterally and steal data. While high privileges are necessary for IT and systems administrators to accomplish routine tasks, weak security policies on account provisioning can dramatically overexpose an organization to risk. These privileges should be tightly controlled and monitored, and only provisioned when strictly necessary after a security process has been defined and implemented. 

Service accounts add to these challenges. Their limitations represent a troublesome area for Microsoft — for example, the difficulty in discovering and tracking Active Directory-based service accounts and poor visibility into these accounts’ behavior. CrowdStrike automatically differentiates between service accounts and human users to deliver the most appropriate configurations and responses. Further, Microsoft Defender for Identity lacks pre-built detections designed for service accounts — such as identifying stale service accounts or detecting interactive logins by stale accounts — something CrowdStrike customers can easily address. 

To help prevent adversaries’ abuse of privileged accounts, organizations should:

  • Reduce the quantity of privileged users: Only grant privileged role assignments to a limited number of users. Overprovisioning is common and is often done by default by the application.
  • Follow the principle of least privilege: Individuals should only be granted the minimum permissions necessary to perform their required tasks. Regular reviews should be scheduled with a view to downgrading privileges where the need no longer exists.
  • Control access: Restrict cloud access to only trusted IP addresses and services that are genuinely required.
  • Ensure that privileged accounts are cloud-only: Azure privileged accounts should be cloud-only (not synced to a domain), they should require MFA and they should not be used for daily tasks such as email or web browsing.

Best Practice #3: Utilize Key Vaults or a Secrets Management Solution to Store Sensitive Credentials

A surprising amount of digital information is unintentionally stored in public-facing locations that can be accessed by adversaries and then weaponized against an organization. Public code repositories, version control systems or other repositories used by developers can have a high risk of exposing live access keys, which authenticate a trusted user into a cloud service. Exposed access keys allow adversaries to pose as legitimate users and bypass authentication mechanisms into cloud services. 

Adversaries can use access keys, along with metadata and formatting clues, to identify specifics about an environment. Exposed access keys can also be acquired from code snippets, copied from a repository where they are exposed or pulled from compromised systems or logs. Private source code repositories can be compromised, leading to theft of these API keys.

Stolen credentials, whether they’re console usernames and passwords or API key IDs and secret IDs, play an essential role in many incidents. This is evident in the latest Microsoft breach by Russian state actors, which stole cryptographic secrets such as passwords, certificates and authentication keys during the attack. This incident raises a significant concern: If Microsoft, using its own technology and expertise in the environment it owns, struggles to remain secure, how can Microsoft customers confidently protect their own assets? 

To protect against this, security teams should ask themselves:

  • Where do we store access keys?
  • Where are our access keys embedded?
  • How often do we rotate our access keys? 

Having a dedicated secrets management solution to protect and enforce granular access to specific secrets makes it difficult for an adversary or insider threat to steal credentials.

Important note: Proceed with extreme caution when tying administrative or highly privileged access to the key vaults to SSO. If your SSO is subverted through weak MFA management, all of your credentials could be instantly stolen by a threat actor impersonating an existing or new/newly privileged user. Hardware tokens and strong credential reset management is a must for these applications.

Best Practice #4: Don’t Allow Unrestricted Outbound Access to the Internet

One of the most common cloud misconfigurations we see is unrestricted outbound access. This allows for unrestricted communications from internal assets, opening the door for outbound adversary communications and data exfiltration.

Also described as free network egress, unrestricted outbound access is a misconfiguration in which Azure cloud resources like containers, hosts and functions are allowed to communicate externally to any server on the internet with limited controls or oversight. This can be a default misconfiguration, and security teams often have to collaborate with IT or DevOps teams to address it. Because developers or system owners don’t always have full knowledge of the various external services that a workload might depend on — and because they might be accustomed to having unrestricted outbound access in their other work environments — some organizations battle with trying to close this loophole.

Adversaries can exploit this wherever untrusted data is processed by a workload. For example, an adversary may attempt to compromise the underlying software processing web requests, queued messages or uploaded files using remote code execution. This is then followed by payload retrieval or establishing a reverse shell. If outbound access is not permitted, they cannot retrieve the payload and attacks cannot be completed. However, once an initial code execution attack is successful, the adversary has full execution control in the environment.

To address this, organizations can:

  • Configure rules and settings: Define cloud rules to securely control and filter outbound traffic, with provisioned security groups serving as an additional layer of protection.
  • Apply the principle of least privilege: Grant outbound access only to resources or services where it is explicitly required.
  • Control access: Limit cloud access exclusively to trusted IP addresses and services that are genuinely necessary.
  • Add security through a proxy layer: Utilize proxy server tiers to introduce an additional layer of security and depth.

Best Practice #5: Scan Continuously for Shadow IT Resources

It is common for organizations to have IT assets and processes running in Azure tenants that the security teams do not know about. There have been incidents in which threat actors have compromised Azure resources that were unauthorized or were supposed to have been decommissioned. Both nation-state and eCrime adversaries thrive in these environments, where logging and visibility are typically poor and audit/change control is often nonexistent.

Some recommendations to address shadow IT resources include:

  • Implement continuous scanning: Deploy tools and processes to continuously scan for unauthorized or unknown IT resources within Azure environments, ensuring all assets are accounted for and monitored.
  • Establish robust asset management: Adopt a comprehensive cloud asset management solution that can identify, track and manage all IT assets to prevent unauthorized access and use, enhancing overall security posture. This includes Azure enterprise applications and service principals along with their associated privileges and credentials. 
  • Enhance incident response: Strengthen incident response strategies by integrating asset management insights, enabling quick identification and remediation of compromised or rogue assets. These may include unauthorized virtual machines used for activities like crypto mining and enterprise apps and service principals used or repurposed to exfiltrate databases, file shares and internal documentation and email.

CrowdStrike Falcon Cloud Security 

CrowdStrike Falcon® Cloud Security empowers customers to meticulously assess their security posture and compliance across Azure and other cloud platforms, applications and workloads. It delivers effective protection against cloud-based threats, addresses potential misconfigurations and ensures adherence to compliance. These capabilities allow organizations to maintain an integrated, comprehensive overview of all cloud services and their compliance status, pinpointing instances of excessive permissions while proactively detecting and automating the remediation of indicators of attack (IOAs) and cloud misconfigurations. 

This strategic approach not only enhances the security framework but enables developers and security teams to deploy applications in the cloud with increased confidence, speed and efficiency, underscoring CrowdStrike’s commitment to bolstering cloud security and facilitating a safer, more secure digital transformation for businesses leveraging cloud infrastructure.

Evaluate your cloud security posture with a free Cloud Security Risk Review. During the review, you will engage in a one-on-one session with a cloud security expert, evaluate your current cloud environment and identify misconfigurations, vulnerabilities and potential cloud threats. 

Additional Resources

CrowdStrike Launches SEC Readiness Services to Prepare Boardrooms for New Regulations

14 March 2024 at 12:46

CrowdStrike is today debuting CrowdStrike SEC Readiness Services to guide organizations along the path to compliance as they navigate the new SEC cybersecurity disclosure rules. These services, powered by the AI-native CrowdStrike Falcon® XDR platform and industry-leading CrowdStrike Services team, give customers the insight they need to harden defenses, make materiality decisions and navigate the annual disclosure process with confidence.

The new SEC regulations, which went into effect late last year, affect how public companies inform investors of cybersecurity concerns. Under the new requirements, organizations must disclose a material security incident within four days of determining materiality through an 8-K filing with the SEC. They must also annually share their processes for assessing, identifying and managing material risks from cybersecurity threats in their 10-K filing with the SEC.

These requirements are intended to protect investors by requiring greater clarity, consistency and timeliness in how organizations handle cyber risk mitigation. They also elevate security to a top boardroom responsibility and increase the pressure on public companies. Boards of directors and C-suite executives must adapt and prepare accordingly, expand their oversight to include cyber risks and play a direct role in managing their risk and cybersecurity practices.  

This is where we come in. CrowdStrike’s SEC Readiness Services align to both the 8-K and 10-K requirements. We help organizations test their processes for determining materiality alongside other critical incident response processes. Further, we highlight risks that not only help companies gain confidence in their annual risk disclosures but also can help prevent breaches from occurring. 

CrowdStrike’s new SEC Readiness Service helps organizations navigate these new regulations with:

Detailed Risk Management Reviews: CrowdStrike boosts companies’ confidence in their risk disclosures with a two-pronged approach. One component is a technical risk assessment. This leverages the power of the Falcon platform to provide a bottom-up perspective on risks across the environment that can lead to breaches or serve as indicators of potential misalignment between security policies and practices. This assessment provides executives and board members with deep visibility and oversight into an organization’s risk posture and greater confidence the company is doing what it says it does. 

The other component is a programmatic review. This provides a top-down perspective by delving into a company’s risk management, strategy and governance practices, exploring how the security program aligns with the business. Through this assessment, organizations can gain confidence that they have the programs and processes necessary to support their annual disclosures — and identify improvements for better long-term alignment. 

Materiality Tabletop Exercise: The decisions made during incident response have a far-reaching impact on its success or failure. Testing and practicing the decision-making process in a controlled setting helps increase familiarity with the response process and become more prepared to face a breach. CrowdStrike experts design exercises that enable public companies to test their processes for determining if a security incident is material and requires filing an 8-K with the SEC. CrowdStrike tailors real-world scenarios to each organization, allowing them to ensure they have the right people at the table, considering the right information, with the appropriate guidance necessary to know if a public disclosure should take place.

Prepare Your People, Harden Your Environment

Cybersecurity has been a board issue for many years, but the new SEC regulations make it an imperative. Policymakers and regulators want more transparency from companies regarding security incidents and risk management practices. Additionally, the SEC has shown growing willingness to pursue enforcement actions related to cybersecurity.  

Organizations must be prepared to not only comply with new disclosure rules but to do so in a way that limits future liability. CrowdStrike’s SEC Readiness Services strengthen organizations’ confidence in their disclosures and reduce the likelihood of material incidents occurring in the first place. 

CrowdStrike is relentlessly working to ensure our customers are best prepared to navigate their cybersecurity challenges, whether it’s detecting a threat or evolving their strategies to improve their overall security posture. By consolidating their security tools on the industry-leading Falcon platform, layered with world-class experts and unparalleled adversary intelligence, organizations can achieve better security hygiene and risk management to stop adversaries before a breach can happen.

Additional Resources

March 2024 Patch Tuesday: Two Critical Bugs Among 60 Vulnerabilities Patched

12 March 2024 at 22:56

Microsoft has released security updates for 60 vulnerabilities in its March 2024 Patch Tuesday rollout. There are two Critical vulnerabilities patched (CVE-2024-21407 and CVE-2024-21408), both of which affect the Hyper-V hypervisor.

March 2024 Risk Analysis

This month’s leading risk type is elevation of privilege (40%) followed by remote code execution (30%) and a tie between denial of service (10%) and information disclosure (10%).

Figure 1. Breakdown of March 2024 Patch Tuesday attack types

 

Windows products received the most patches this month with 41, followed by Extended Security Update (ESU) with 28 and Azure with 6.

Figure 2. Breakdown of product families affected by March 2024 Patch Tuesday

Critical Vulnerabilities Affect Windows Hyper-V

CVE-2024-21407 is a Critical remote code execution (RCE) vulnerability affecting Microsoft Windows Hyper-V and has a CVSS score of 8.1. Successful exploitation of this vulnerability would allow the attacker to launch code execution on the host server from a Hyper-V guest. This vulnerability would require the attacker to be authenticated on a guest virtual machine and then send specially crafted operation requests aimed at the host. Successful exploitation requires a high level of attack complexity, but can result in code execution on the server and should be patched without delay.

CVE-2024-21408 is a Critical denial of service (DoS) vulnerability affecting Microsoft Windows Hyper-V and has a CVSS score of 5.5. Successful exploitation of this vulnerability allows an attacker to target a Hyper-V guest virtual machine, which can affect the functionality of the Hyper-V host. Because this is a local DoS attack, Microsoft deems exploitation less likely.

Severity CVSS Score CVE Description
Critical 8.1 CVE-2024-21407 Windows Hyper-V Remote Code Execution Vulnerability
Critical 5.5 CVE-2024-21408 Windows Hyper-V Denial of Service Vulnerability

Table 1. Critical vulnerabilities in Windows Hyper-V

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources

CrowdStrike a Research Participant in Two Latest Center for Threat-Informed Defense Projects

  • As a global cybersecurity industry leader and a Research Partner for the MITRE Engenuity Center for Threat-Informed Defense, CrowdStrike provided expertise and thought leadership to two of the Center for Threat-Informed Defense’s latest research projects.
  • The Sensor Mappings to ATT&CK project aimed to map sensors and other data sources to the MITRE ATT&CK® framework techniques so SOCs know which tools and capabilities to check for the use of TTPs that would indicate their environment is under attack.
  • The Insider Threat TTP Knowledge Base Version 2 project sought to enhance a repository of tactics, techniques and procedures (TTPs) used by insider attackers by including nontechnical indicators, plus their respective mitigations, helping organizations prevent and defend against insider cybersecurity threats.

Organizations worldwide rely on the MITRE ATT&CK framework as a critical resource for defending against cyberattacks. The MITRE ATT&CK framework is also a key tool for advancing threat research in the cybersecurity industry. However, one of the challenges in using the MITRE ATT&CK framework is mapping the output from logs, sensors and other tools as ATT&CK data sources in the framework. As a result, it’s not always clear to SOCs how to use the tools and services at their disposal to provide visibility into specific adversary behaviors or threats that put their environment at risk.

The MITRE Engenuity Center for Threat-Informed Defense launched the Sensor Mappings to ATT&CK project to address gaps in this area by mapping sensor events to ATT&CK data sources. When complete, this effort will help SOCs understand which of their tools and/or system capabilities they should monitor to spot specific ATT&CK techniques that adversaries use, as well as identify which tools and/or system capabilities the SOC should acquire to address any gaps in coverage. Ultimately, the Sensor Mappings to ATT&CK project will make the MITRE ATT&CK framework even more valuable.

Sometimes, the threat of a cyberattack comes from within an organization rather than from outside adversaries. Insider threats pose a unique challenge to SOCs. They are often difficult to detect — the attacker is already within the network and possesses valid, active credentials to critical resources — and they can do considerable damage. The Center for Threat-Informed Defense’s initial Insider Threat TTP Knowledge Base project identified the most commonly used TTPs for insider attacks across a wide range of industries for inclusion in a repository. The project also included mitigations for these TTPs, providing a method for organizations to take the actions needed to defend their systems against insider threats.

In the recently completed Version 2 of this project, the TTPs were expanded beyond the technical mechanisms used by insiders on IT systems that were identified in Version 1 to include nontechnical indicators. These observable human indicators (OHIs) include facts about a person or their role that might elevate their risk of being an insider threat.

CrowdStrike was a participant in both of these projects — the latest example of our commitment to cybersecurity industry research.

Sensor Mappings to ATT&CK

There are several key deliverables for the Sensor Mappings to ATT&CK project, which has the ultimate goal of extending ATT&CK data sources to link techniques to tools, capabilities and data sources such as sensors that can provide visibility. Achieving this goal will allow SOCs to better understand their current defensive capabilities so they can fill any gaps (through analytics, tools or other means) and more effectively search for threats.

  1. Methodology: Create a document and specification that describes how to map system logs, sensors and capabilities to ATT&CK data sources.
  2. Data Model: Create a new data model or extend existing models to include data source, data components, data elements, relationships and event/telemetry data.
  3. Mappings: Conform to the specification defined in Methodology, including a resource that will host the mappings for the purposes of review, download and analysis of coverage.
  4. Usability: Identify tools, documentation and other resources.
  5. Logs, Sensors and Capabilities: Include coverage of Sysmon (all events), Windows Event Log (any security-related events), Osquery, auditd, Zeek and AWS CloudTrail.

Mapping: Using Data Sources, Data Components, Data Elements, Relationships and Event/Telemetry Data to Detect Specific ATT&CK TTPs

The model below shows how the domains are mapped together through data sources, data components, data elements, relationships and event/telemetry data.

Figure 1. The goal of this project is to better connect the defensive data in ATT&CK with the way operational defenders analyze potential adversaries/behaviors (Source: Center for Threat-Informed Defense)

 

The Sensor Mappings to ATT&CK project includes the creation of a STIX 2 representation of the mappings (providing ease of use for teams that currently use STIX) as well as a command line interface tool.

Insider Threat TTP Knowledge Base Version 2

Insider threats can be employees, former employees, contractors, partners, service providers or anyone who has knowledge about and/or access to an organization’s computer systems and network. Insider threats are particularly challenging for SOCs to detect and defend against. Security solutions are primarily focused on detecting and defending against cyberattacks launched by external adversaries, so what might otherwise be suspicious behavior from within is often assumed to be legitimate use — if it’s detected at all. In addition, insiders often have the advantage of knowing details about the system and network settings and security measures. They may even have knowledge about exploitable security shortcomings or vulnerabilities.

CrowdStrike was a big part of the initial Insider Threat TTP Knowledge Base project, contributing data and expertise (you can read about that effort here). In Version 2 of the project, the primary deliverable is to expand the scope of the original project to include nontechnical OHIs, including:

  • Subject with elevated privileges
  • Monitoring status of subject
  • Telework status of subject
  • Performance improvement plan required
  • Turnover rate of subject’s role
  • Time at company
  • Management level
  • Seniority of subject
  • Government security clearance

CrowdStrike researchers provided insider threat expertise and anonymized instances of insider threats for aggregation by the Center for Threat-Informed Defense team. This data allowed the team to determine the most common tactics and techniques that are employed by inside actors. In addition, our researchers helped define the mitigations for the identified insider threats and provided thought leadership on topics covered by this research, including the concept of OHIs.

Contributing to Center for Threat-Informed Defense Projects: CrowdStrike’s Ongoing Commitment to Cybersecurity Research and Innovation

CrowdStrike’s commitment to cybersecurity research and innovation is reflected in the best-in-class protection of the CrowdStrike Falcon® XDR platform.

Adversaries never stop their relentless march toward more sophisticated tradecraft, but CrowdStrike researchers and threat analysts are always watching and hunting for novel attack techniques — including insider threats. CrowdStrike researchers publish many of their findings, sharing information in the name of improving defenses globally against dangerous new adversary tactics and previously unknown malware. The findings of CrowdStrike researchers also benefit independent cybersecurity testing organizations, which are able to update their tools and evaluation processes to reflect the latest threats and tactics.

Our commitment to research extends to being a Research Partner at the MITRE Engenuity Center for Threat-Informed Defense. The Center for Threat-Informed Defense’s mission — “to advance the state of the art and the state of the practice in threat-informed defense globally” — is an important one that CrowdStike is proud to support. CrowdStrike’s participation in the Center for Threat-Informed Defense’s Sensor Mappings to ATT&CK and Insider Threat TTP Knowledge Base projects capped a 12-month period in which CrowdStrike participated in four major research initiatives with the Center for Threat-Informed Defense. CrowdStrike looks forward to continuing to provide expertise and thought leadership to the Center for Threat-Informed Defense.

You can learn more about the Center for Threat-Informed Defense’s Sensor Mappings to ATT&CK project here and the Insider Threat TTP Knowledge Base Version 2 project here.

Additional Resources

Falcon Cloud Security Supports GKE Autopilot to Secure More GCP Workloads

7 March 2024 at 16:47

In the ever-evolving landscape of cloud security, staying ahead of the curve is paramount. Today, we are announcing an exciting enhancement: CrowdStrike Falcon® Cloud Security now supports Google Kubernetes Engine (GKE) Autopilot. This integration marks an important milestone in our commitment to providing cutting-edge DevSecOps-focused security and solutions for modern cloud environments.

This new capability will greatly expand support — customers who depend on Falcon Cloud Security to protect their Kuberbetes workloads can now deploy them in their clusters using GKE Autopilot, greatly simplifying their Kubernetes deployment process and saving time through automation.

A Paradigm Shift in Kubernetes Management

GKE Autopilot, a fully managed Kubernetes service by Google Cloud Platform (GCP), has revolutionized the way organizations deploy, manage and scale containerized applications. It simplifies the complexities of Kubernetes with unparalleled levels of automation, enabling teams to focus on application development and innovation rather than infrastructure management. As organizations increasingly adopt GKE Autopilot due to its efficiency and ease of use, ensuring the security of these dynamic environments is critical.

Figure 1. K8 asset details in the Falcon Cloud Security dashboard

 

This enhancement to Falcon Cloud Security — known for its industry-leading cloud protection, threat intelligence and security operations capabilities — enables organizations to seamlessly secure their containerized workloads, providing a unified security solution across their cloud infrastructure.

Figure 2. GKE Autopilot cluster details in the Falcon Cloud Security dashboard

 

What are the key benefits for GCP users? Falcon Cloud Security offers real-time detection and response, container security, broad visibility, time-saving automation tools and powerful threat intelligence built into cloud-specific indicators of misconfiguration (IOMs) and indicators of attack (IOAs) — all delivered from a scalable and adaptable platform. Below is a deeper look at some of the ways Falcon Cloud Security is securely powering GCP customers in their Kubernetes deployments.

Key Features and Benefits

  • Real-time Threat Detection and Response:
    • Leverage CrowdStrike’s advanced threat detection capabilities to identify and respond to potential security threats in real time.
    • Gain visibility into containerized workloads running on GKE Autopilot, ensuring comprehensive security coverage.
  • Containerized Workload Protection:
    • Extend Falcon’s protection to containerized environments, ensuring GKE Autopilot workloads are shielded from evolving cyber threats.
    • Implement container-aware security policies to maintain a secure and compliant Kubernetes environment.
  • Automated Security:
    • Take advantage of CrowdStrike’s automation capabilities to streamline security operations in dynamic containerized environments.
    • Automate response actions based on predefined security policies, reducing manual intervention and enhancing overall efficiency.
  • Threat Intelligence Integration:
    • Integrate CrowdStrike Falcon’s threat intelligence feeds to enhance the detection and prevention of known and emerging threats.
    • Stay ahead of attackers with up-to-date intelligence on the latest cyber threats and vulnerabilities.
  • Scalable Security:
    • Adapt security measures dynamically as GKE Autopilot workloads scale, ensuring security grows seamlessly with your containerized applications.
    • Benefit from Falcon Cloud Security’s scalability, supporting the evolving needs of organizations with varying workloads.

Figure 3. GKE Autopilot Container Details in the Falcon Cloud Security dashboard

 

Falcon Cloud Security becoming a trusted allowlist partner for GKE Autopilot builds on CrowdStrike’s growing and exciting partnership with Google. Organizations can confidently embrace the benefits of a fully managed Kubernetes service without compromising on security.

This synergy between leading-edge technologies empowers teams to innovate securely, safeguarding their containerized workloads from the ever-evolving threat landscape. As we continue to advance in the realm of cloud security, this collaboration sets a new standard for protecting modern cloud environments. Another recent collaboration, in addition to GKE Autopilot support, is OSConfig Support Enhancements. CrowdStrike has updated its OSConfig integration to ensure the broadest possible support for OS sensors with Falcon Cloud Security.

To learn more about how CrowdStrike Falcon Cloud Security can enhance the security of your GKE Autopilot workloads, visit our website or contact our sales team.

Additional Resources

CrowdStrike to Acquire Flow Security, Sets the Standard for Modern Cloud Data Security

5 March 2024 at 21:07

I’m thrilled to announce CrowdStrike’s agreement to acquire Flow Security, a pioneer in data security posture management (DSPM) and the industry’s first and only cloud data runtime security solution. With this acquisition, CrowdStrike is setting the standard for modern cloud security with complete real-time data protection spanning endpoint and cloud environments, delivering the only cloud data protection platform that secures data both at rest and in motion.

Businesses now use and create more data than ever before, and much of it increasingly occurs in the cloud. This growing reliance on cloud has led to the dispersion of data across multiple cloud-based services and third-party APIs. Adversaries are more aggressively targeting sensitive data, accelerating their attacks, and growing more adept at exploiting gaps between cloud platforms and point products.

The modern workplace demands a modern approach to protecting data across the entire environment — a unified cloud security platform that natively protects data at rest and in motion as it flows through the cloud, on-premises and within applications. 

Bringing DSPM to the Falcon platform enables us to accelerate and expand our data security innovation with new capabilities to discover, classify and protect data from the risk of exposure wherever it moves or resides. Flow Security’s technology will empower organizations with full visibility into their critical cloud data flows, insight into how their data interacts with applications, and the ability to detect when data is at risk or unintentionally leaving the environment.

In our extensive evaluations of the cloud data security market, Flow Security stood out as the most differentiated technology. While many cloud data security providers offer data discovery and classification, Flow Security goes a step further by providing real-time visibility into risk for data both at rest and in motion. Flow Security provides a perfect complement to CrowdStrike’s industry-leading cloud security offerings by extending runtime level threat analysis to the data layer. 

An organization’s data is among its most valuable assets, and securing it should be a top priority. This acquisition will fuel our innovation in developing the technologies businesses need to protect their most critical data in a cloud-first world.

Adversaries Exploit Cloud Security Gaps

As more organizations move operations to the cloud, adversaries are developing skills to exploit gaps in protection that stitched-together platforms and cloud point products create. The CrowdStrike 2024 Global Threat Report found a 75% increase in cloud intrusions in 2023. Cloud-conscious cases — in which an adversary is aware they have breached a cloud environment and use cloud-specific features to achieve their goals — were up 110%.

Organizations’ most critical information remains adversaries’ primary target. Data theft extortion continues to be an attractive monetization route, as evidenced by the 76% increase in data theft victims named on the dark web. If a ransomware victim won’t pay, or asks for a reduced ransom, the adversary will extort them by threatening to publicly post their stolen data online.

The message is clear: Adversaries are operating in the cloud — and they’re targeting sensitive data. But defending against modern attacks is increasingly difficult for today’s businesses. The accelerating speed of application development contributes to fragmented cloud environments and makes it challenging for security teams to keep up with the number of places their data might reside. Traditional data security tools are simply not built to protect growing data stores. 

Following the closing of this acquisition, CrowdStrike plans to fully deliver native Flow Security DSPM capabilities in CrowdStrike Falcon® Cloud Security as part of the Falcon platform, enabling customers to consolidate cloud point solutions and gain complete visibility and protection of their entire cloud estate, spanning cloud workload protection, cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), application security posture management (ASPM) and now DSPM. 

A Modern Platform for Modern Businesses

CrowdStrike, the pioneer of cloud-native cybersecurity, was born in the cloud to protect the cloud. We have been consistently recognized for our industry-leading cloud security strategy. This acquisition will further advance our position to give customers the best outcomes with the Falcon platform.

Flow Security is a crucial long-term piece in our holistic data security vision. It offers robust DSPM capabilities for cloud environments, with a differentiated approach to scanning and runtime, to create a full view of risk across cloud infrastructure and application environments.

This acquisition comes shortly after CrowdStrike’s acquisition of Bionic, which enables us to offer our customers the most comprehensive cloud-native application protection platform (CNAPP) in the industry today. It also closely follows our announcement of CrowdStrike Falcon® Data Protection, which provides organizations with full visibility into their data as it moves across endpoints and egress points. We are pioneering the most complete data protection offering, from code to application to device to cloud.

CrowdStrike is committed to protecting our customers’ valuable assets as they continue to grow. We know today’s businesses require data protection on-premises and in the cloud. They need a unified solution to determine where their data resides, how it’s being used and moved, whether they have the necessary policies in place to protect it, and the steps they need to take to ensure those policies are in place. With the acquisition of Flow Security, we are proud to provide that solution. 

Forward-Looking Statements

This blog contains forward-looking statements, including statements regarding the closing and benefits of the proposed acquisition. These statements involve risks and uncertainties, and actual results may differ materially. There are a number of risks which could cause actual results to differ materially, including the satisfaction of the acquisition’s closing conditions, our ability to integrate Flow Security, and other risks described in the filings we make with the Securities and Exchange Commission from time to time.

Does Your MDR Deliver Outcomes — or Homework?

5 March 2024 at 03:10

At CrowdStrike, we’re on a very simple mission: We stop breaches. It’s easy for us to make this claim but challenging to put into practice and maintain day in and day out. Still, we know with absolute confidence that nobody provides managed detection and response (MDR) better than our CrowdStrike Falcon® Complete MDR team. Why? Because we prioritize outcomes above all else, and we never leave customers stranded with extra work.

The Need for Speed

The main challenge in cybersecurity is speed. Today’s adversaries move fast, and we know from years on the front lines that attackers always find ways to keep moving faster. As the newly published CrowdStrike 2024 Global Threat Report reveals, the average eCrime breakout time is down to 62 minutes with the fastest recorded time now clocked at a mere 2 minutes and 7 seconds — compared to an average of 84 minutes the year prior. 

As cybersecurity defenders, we too must move faster. We must run our operations at unprecedented speed and scale to surgically eradicate threats whenever they strike — every minute of every day, 7 days a week and 52 weeks a year.

Cybersecurity Has a People Problem

The problem is we face a serious shortage of cybersecurity talent across the security industry. And despite the elevated attention on cybersecurity in recent years, the talent shortage keeps widening. According to the ISC2 Cyber Workforce Study 2023, the security skills gap ballooned to 4 million additional positions needed (up from approximately 3.3 million in the 2022 study). Today, ISC2 estimates there are about 5.5 million cybersecurity professionals — meaning the number of people in the profession would need to nearly double to be close to capacity. 

Your MDR Must Deliver Outcomes

To overcome today’s talent shortage and successfully combat advanced adversaries, organizations need a trusted team of security experts that protects you around-the-clock — a team that’s outcomes-driven, takes decisive, surgical action and removes entire workcycles from your plate. Falcon Complete MDR first launched six years ago with these very priorities in mind. And we continue to keep them at the forefront of our operations and embed them into every new capability we offer. 

So how do we do this? And how is our MDR service actually different? 

The primary characteristic that sets Falcon Complete apart is simple. We made the decision from the outset that we would own the results. Since practically all customers turn to MDR for the same simple reason — to avoid damaging breaches — our mission is and has always been to provide a security service that tackles this challenge head on. 

This is why from Day One, we included our best-in-class CrowdStrike Breach Prevention Warranty at no additional cost to provide confidence to our customers that we stand strongly behind our claims and the consistent results our Falcon Complete MDR team delivers every day. Proudly, in just over six years of continuous MDR operations, we now protect thousands of organizations worldwide, resolve more than 10,000,000 threats every year, deliver proven 403% ROI, and continue to add new capabilities and services (e.g., managed cloud security, managed identity threat protection and more) to always keep adversaries at bay. 

Since MDR competitors can’t (or won’t) commit to an outcomes-driven MDR service, they break down their pledges into more granular, half-hearted commitments (e.g., how soon their analysts will review and investigate critical alerts). Exacting service-level agreements (SLAs) like this are often laden with fine print — while they can be useful in tracking some aspects of MDR performance, they’re a long way from committing to stopping breaches.

Start from a Position of Strength

Selecting the right security products is never an easy task, and when you need skilled expertise, it can be even more challenging to find a truly differentiated service. Fortunately, Falcon Complete is not your typical MDR service. We strive to always deliver on our mission of stopping breaches with confidence and believe that every MDR service should be based on a strong foundation that will: 

  • Protect you with an army of cybersecurity experts that never sleeps. CrowdStrike Falcon Complete MDR provides layers of always-on expertise and protection with dedicated teams of elite threat hunters, security experts, incident responders and more. This is an army that works around-the-clock on your behalf to identify, investigate and surgically eliminate advanced threats wherever and whenever they strike.
  • Drive security configuration and agent maintenance from the outset. One of the most common ways for an attacker to gain a foothold into an environment is through unprotected or improperly configured systems. But without active management of the customer’s security posture, no MDR service can earnestly commit to stopping breaches because they can’t control this critical component of a proactive defense. This is why we actively manage the security configuration of customers’ managed systems to ensure every endpoint is optimally protected at all times.
  • Proactively hunt for stealthy and novel threats at the earliest possible stage. Most MDR services are structured around SLAs for responding to high-severity alerts but pay little attention to low-severity alerts. This structure helps other MDR services create sustainable, scalable businesses, but it ignores vital, early signs of emerging threats. This is why our Falcon Complete MDR team is much more aggressive with low-signal activity to diligently identify malicious activity as early in the kill chain as possible. And it’s why our CrowdStrike Counter Adversary Operations team is an integral part of our core MDR offering. 
  • Own the entire response while executing surgical remediation end-to-end. Stopping an intrusion before it becomes a breach is a time-sensitive business. Many MDR services know what needs to happen but won’t pull the levers or carry out the remediation steps. Instead, they stop short, offering recommendations and strategic guidance when rapid and decisive action is critically needed. This introduces costly delays and forces the customer security team to waste time receiving, understanding and performing the response themselves. Falcon Complete, on the other hand, conducts the entire response for you: We isolate affected systems from the network, kill actively abused processes, reset accounts and compromised identities, remove persistence mechanisms from file systems and registries, and carry out any number of further mitigating actions.
  • Continuously innovate and optimize to stay ahead of adversaries. At CrowdStrike, we never settle for the status quo. Back when every other managed service relied on inefficient, tiered SOC operating models, we introduced the novel concept of an MDR service run on a flat operating model, where every analyst is on the front lines and can resolve incidents from beginning to end. We aspire to lead the MDR industry forward through continued innovation and meticulous operational hygiene — and demonstrating technical proficiency through frequent independent testing and analyst evaluations.

Work with a Trusted Partner and #1 MDR Leader

With Falcon Complete MDR, we deliver results and never leave customers with homework. Don’t just take our word for it. We know results matter, and industry recognition and technical testing  underscores our leadership. In the past 18 months alone, we’ve been recognized by several independent analyst firms (listed chronologically):

Six years after Falcon Complete launched, the notion that an MDR provider should openly commit to outcomes — not just SLAs — still remains a radical concept in the industry. Nevertheless, our commitment to the mission of stopping breaches remains unchanged, and we are honored by the continued trust that our customers place in us every day.

Additional Resources

Montage Health Consolidates Its Cybersecurity Strategy with CrowdStrike

4 March 2024 at 21:23

When Tahir Ali became CTO and CISO at Montage Health in 2021, he inherited a unique set of cybersecurity challenges. For one, the healthcare sector was getting bombarded with attacks, including distributed denial of service (DDoS), phishing and social engineering attacks

At the same time, the California-based nonprofit healthcare system was integrating more networked medical devices, employee-owned devices, AI applications and cloud services into its infrastructure. While these innovations brought operational efficiencies and a better patient experience, they also expanded the attack surface. 

Against this backdrop, Ali performed a security assessment of his available tools and resources. What he found was a set of non-integrated, legacy security tools that struggled to detect and stop modern attacks. Furthermore, he didn’t have the 24/7 coverage needed to defend against increasingly aggressive threat actors.

Ali began searching for a strategic partner to provide both a modern cybersecurity platform and 24/7 managed detection and response. That’s when he found CrowdStrike. 

Consolidating with CrowdStrike

The search for a strategic cybersecurity partner didn’t take long. Ali compared four vendors and landed on CrowdStrike after a successful proof of concept (POC). 

“One big consideration during the POC was agent performance. We run a lot of virtual desktop infrastructure (VDI), so we didn’t want our endpoint agent slowing down login or boot-up times,” explained Ali. “CrowdStrike was the superstar of the POC, so we bought it.”

Montage Health quickly deployed the lightweight CrowdStrike Falcon® agent to its 5,000+ endpoints, replacing its legacy security software with the AI-native Falcon platform. The modular architecture of the Falcon platform enabled the healthcare system to start with CrowdStrike Falcon® Insight XDR for extended detection and response, then easily add new protections using the same agent and command console.

“Our push was to get to a full security platform from a single vendor, but I wasn’t willing to sell my soul for it,” explained Ali. “Because our CrowdStrike XDR deployment was so successful, we had confidence to move forward with additional Falcon platform modules.” 

Montage Health soon deployed CrowdStrike Falcon® Identity Protection, CrowdStrike Falcon® Discover for IT hygiene, CrowdStrike Falcon® Prevent next-gen antivirus and CrowdStrike Falcon® Intelligence. This suite of innovative solutions gave Montage Health industry-leading protection across critical attack surfaces, plus many other benefits of cybersecurity consolidation, including increased speed, and lower cost and complexity. 



Next-Gen SIEM for Unmatched Speed and Scale

In 2021, Montage Health became an early adopter of CrowdStrike Falcon® LogScale for next-gen SIEM and log management. Built for the speed and scalability requirements of the modern SOC, Falcon LogScale offers real-time alerting, fast search and world-class threat intelligence for up to 80% less cost than legacy log management solutions. 

“It used to take us weeks to investigate an incident. Now it takes us 25 minutes and we know exactly what happened. Queries are faster too … it’s maybe a gazillion times faster,” joked Ali. 

Falcon LogScale is built on a unique, index-free architecture that delivers security logging at petabyte scale. Montage Health started with a small instance of Falcon LogScale and was able to easily scale up once it saw what the solution could do. 

“Before LogScale, it would take us 3 to 4 months to scale our log management capabilities, including all the servers, storage, monitoring and backup needed to grow a few hundred terabytes. With LogScale, we can add 300 to 400 terabytes of additional scalability in days,” said Ali. “From my perspective, LogScale is faster than any other product out there.”

With 20 years of experience in IT and security, Ali has used a number of SIEM and log management solutions throughout his career. For him, Falcon LogScale delivers the optimal mix of performance and interoperability. 

“Falcon LogScale gives us total visibility of our environment. Compared to other SIEMs I’ve used, Falcon LogScale performs better, is more customizable and requires less overhead,” said Ali. “When we switched to Falcon LogScale, the difference was obvious. Plus, it integrates seamlessly with the Falcon platform, which made it that much more attractive to us.” 

Better Security by the Numbers

For Montage Health, having innovative cybersecurity technology is only half the battle. The company also relies on CrowdStrike Falcon® Complete for 24/7 managed detection and response. With Falcon Complete, Montage Health gets both around-the-clock protection and the expertise needed to stop even the most sophisticated cyberattacks. 

All told, the combination of the Falcon platform and Falcon Complete has revolutionized the culture of security at Montage Health, allowing the nonprofit to deliver the same high level of excellence in security as it does in the clinical setting. 

The data bears this out: Monthly investigations have dropped from 102 to 56. Monthly events requiring Montage Health to investigate have dropped from 11 to 2. And the time required to investigate and triage each event dropped from several hours to only 53 seconds.

“I know it sounds crazy but it’s all true,” concluded Ali. “We’re very happy with CrowdStrike.”

Additional Resources

The Anatomy of an ALPHA SPIDER Ransomware Attack

29 February 2024 at 01:15
  • ALPHA SPIDER is the adversary behind the development and operation of the Alphv ransomware as a service (RaaS).
  • Over the last year, ALPHA SPIDER affiliates have been leveraging a variety of novel techniques as part of their ransomware operations.
  • CrowdStrike Services has observed techniques such as the usage of NTFS Alternate Data Streams for hiding a reverse SSH tool, exploitation of multiple vulnerabilities associated with a GNU/Linux-based appliance for initial access and privilege escalation, and bypassing DNS-based filtering and multifactor authentication (MFA) by tampering with network configuration files.
  • Affiliates of ALPHA SPIDER are still conducting successful ransomware operations against victims, and this adversary remains a clear and present threat to any organization.

Over the last two years, CrowdStrike Services has run several incident response (IR) engagements — in both pre- and post-ransomware situations — in which different ALPHA SPIDER affiliates demonstrated novel offensive techniques coupled with more commonly observed techniques. The events described in this blog have been attributed to ALPHA SPIDER affiliates by CrowdStrike Counter Adversary Operations.

Alphv ransomware-as-a-service, which first emerged in December 2021, is notable for being the first written in the Rust programming language. The Alphv RaaS offers a number of features designed to attract sophisticated affiliates, including ransomware variants targeting multiple operating systems; a highly customizable variant that rebuilds itself every hour to evade antivirus tooling; a searchable database on a clear web domain and the adversary’s dedicated leak site (DLS), which enables visitors to search for leaked data; and a Bitcoin mixer integrated to affiliate panels.

Many of the Alphv affiliates CrowdStrike Counter Adversary Operations has observed have proven adept at encrypting victim virtualization infrastructure. Affiliates have used Linux variants of Cobalt Strike and SystemBC to perform reconnaissance of VMware ESXi servers prior to deploying ransomware.

More information can be found in the CrowdStrike Counter Adversary Operations profile in our Adversary Universe: https://www.crowdstrike.com/adversaries/alpha-spider/.

Add the Adversary Universe podcast to your playlist to join our hosts as they unmask the threat actors targeting your organization.

Chaining Vulnerabilities to Obtain Initial Access and Achieve Persistence

In an IR engagement perpetrated by an ALPHA SPIDER affiliate (subsequently referred to in this blog as Threat Actor 1), the adversary used a combination of two software vulnerabilities to gain an initial foothold within the target’s network. First, Threat Actor 1 leveraged an exploit for the vulnerability identified as CVE-2021-44529,1 a code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) that affects the CSA Web Server component and allows an unauthenticated user to execute arbitrary code with limited permission (user nobody). A patch was made available for CVE-2021-44529 before the exploit happened on December 2, 2021. Once they were able to run code on the server, Threat Actor 1 used an exploit for the vulnerability identified as CVE-2021-40347,2 also known as PwnKit, to temporarily obtain root privileges and add a new UID 0 (“root”) account to the system. At this point, Threat Actor 1 installed a reverse-ssh3 executable to connect back to their server. The reverse-ssh was periodically executed by the local Cron daemon to achieve persistence on the compromised system.

See this blog for more information about hunting for PwnKit: Hunting pwnkit Local Privilege Escalation in Linux (CVE-2021-4034).

Noisy Network Discovery and Credential Access

After getting an initial locally privileged foothold into the target network, Threat Actor 1 in the same engagement performed extensive network discovery activities. Threat Actor 1 downloaded Nmap, the infamous network scanning tool, plus additional Nmap scripts. Using Nmap,4 the threat actor conducted system and services discovery and made use of specific Nmap scripts to perform a targeted vulnerability scan of the target’s network.

Following this scan, Threat Actor 1 attempted to use mitm6 5 and responder,6 two offensive security network tools, to gather additional credentials. According to their respective authors, mitm6 is a “pentesting tool that exploits the default configuration of Windows to take over the default DNS server” and responder is an “LLMNR, NBT-NS and MDNS poisoner.”

Threat Actor 1 also attempted to exploit the vulnerability identified as CVE-2021-21972.7 CVE-2021-21972 is a remote code execution vulnerability in a vCenter Server plugin, which a threat actor may exploit to execute commands with unrestricted privileges. Later during this attack, Threat Actor 1 also installed masscan8 on the compromised CSA server to perform additional network reconnaissance activities.

Hunting for Veeam Credentials

In the same IR engagement, Threat Actor 1 targeted the Veeam backup utility9 after performing their initial lateral movements. Veeam user account credentials are a target of choice for ransomware-oriented threat actors that often delete system backups prior to executing their ransomware payload. In this particular engagement, Threat Actor 1 attempted to use KoloVeeam (also known as veeamp) over Windows Remote Management (WinRM) protocol to extract and decrypt stored credentials.

Figure 1. Example of KoloVeeam execution detected by the CrowdStrike Falcon® platform (click to enlarge)

 

KoloVeeam is a simple tool that extracts and decrypts user credentials stored in the VeeamBackup database.

Code 1. KoloVeeam decompiled code (click to enlarge)

 

In this particular engagement, as Koloveeam was detected and blocked by the CrowdStrike Falcon® platform, Threat Actor 1 attempted to manually download Microsoft SQL Server Management Studio using the legitimate certutil LOLBIN10 and to decrypt stored passwords using Veeam’s own library, Veeam.Backup.Common.dll.

Figure 2. Example of Falcon platform detection of Microsoft SQL Server Management Studio downloaded using the certutil LOLBIN (click to enlarge)

 

After the initial Veeam credential access techniques were blocked, Threat Actor 1 attempted to execute the following code to manually decrypt previously obtained encrypted credentials. This script was originally shared on Veeam R&D forums.11

Code 2. Veeam credential decryption PowerShell script (click to enlarge)

 

In a different engagement, another ALPHA SPIDER affiliate (subsequently referred to in this blog as Threat Actor 2) leveraged the widely available Veeam Credential Recovery12 PowerShell script (Veeam-Get-Creds.ps1) to extract user credentials from the Veeam database.

Hunting for Leaked Credentials

In addition to targeting Veeam, Threat Actor 1 exported the Terminal Services LocalSessionManager/Operational logs. Threat actors may export logs like these for various reasons, such as:

  • To identify (privileged) user accounts usually logging in to endpoints of interest
  • To identify systems within the network to which the adversary may be able to move laterally
  • To harvest passwords that may have been mistakenly entered into the username field

Code 3. Threat actor exporting Terminal Services LocalSessionManager/Operational logs (click to enlarge)

Multiple Defense Evasion Techniques

Hiding Persistence in NTFS Alternate Data Stream (ADS)

The NTFS file system stores data using “streams.” Files have a default unnamed stream where the contents of the file are normally stored. Folders don’t have any default stream. Alternate data streams are additional streams that can be added to an MFT entry. The Windows operating system uses ADSs for different purposes, with one of the most common use cases being the Zone.Identifier ADS, also known as the Mark-of-the-Web that Windows uses to identify the network source of a file.

In two IR engagements, Threat Actor 1 deployed a reverse-ssh executable on several Windows systems in C:\System and then hid it in a C volume root directory “.” (MFT entry 5) ADS named “Host Process for Windows Service.” Threat Actor 1 then created a malicious service to ensure persistence for their reverse-ssh tool before deleting the executable from the initial location.

Code 4. Malicious ADS and service creation command (click to enlarge)

 

Threat Actor 1 chose a particularly interesting ADS to hide their malicious executable in, as many tools — including the system dir command and common PowerShell cmdlets — would not show an ADS on the root volume, even though these commands would display ADSs on other files and directories.

Figure 3. dir /r displays ADSs on files and directories but not on the root of the volume (click to enlarge)

 

Figure 4. PowerShell 5.1 Get-Item cmdlet displays ADSs on files but not on directories or on the root of the volume (click to enlarge)

 

Figure 5. PowerShell 7.4 Get-Item cmdlet displays ADSs on files and directories but not on the root of the volume (click to enlarge)

 

However, like with other ADSs, this specific ADS creation can be hunted for in Falcon platform data by searching for FileCreate or DirectoryCreate events containing a “:” character in the FileName field.

Figure 6. Falcon platform directory ADS creation event (click to enlarge)

Bypassing DNS Filtering and MFA with Network Configuration Tampering

In two separate incidents, ALPHA SPIDER affiliates (Threat Actor 1 and Threat Actor 2) modified the operating system local name resolution configuration file to bypass security measures such as DNS-based filtering or multifactor authentication (MFA).

On Microsoft Windows operating systems, a local name resolution configuration file is located in C:\Windows\System32\Drivers\etc\hosts. This local configuration file is used by the system to determine the IP address of a domain name. If an entry is present in the hosts file, the system does not perform a DNS request to resolve the domain name. In one IR engagement, Threat Actor 1 modified the hosts file on specific systems to bypass the DNS-based network filtering in place to block access to a well-known file storage website.

Figure 7. Modified Windows hosts file to bypass DNS-based filtering (click to enlarge)

 

In another IR engagement, Threat Actor 2 modified the hosts file to deactivate the MFA and single sign-on (SSO) product in place. According to Duo product documentation,13 “By default, Duo Authentication for Windows Logon will ‘fail open’ and permit the Windows logon to continue if it is unable to contact the Duo service.” This offensive security technique has been documented since at least 2018.14

Code 5. MFA bypass commands (click to enlarge)

Being Persistent at Exfiltration

In one of the IR engagements, Threat Actor 1 persistently attempted to exfiltrate data using three different methods and tools until they succeeded.

First, Threat Actor 1 attempted many times to use Rclone15 to exfiltrate data. Threat Actor 1 tried to masquerade the Rclone executable under different system and legitimate software executable names. Examples of such masquerading were to rename Rclone as svchost.exe and to copy it to an unusual place or to rename it as Ivaniti Cloud Software.exe (Threat Actor 1’s spelling mistake).

Figure 8. Example of Rclone detection by the Falcon platform (click to enlarge)

 

Threat Actor 1 then downloaded FileZilla from the legitimate website.16 FileZilla is freely available FTP software commonly used by threat actors to exfiltrate data over FTP or SFTP; however, this was blocked at the network level.

Finally, Threat Actor 1 downloaded the MEGA17 client software to exfiltrate data to a MEGA cloud account. Threat Actor 1 used the defense evasion previously mentioned to effectively bypass the DNS-based network filtering that was in place in the victim’s network.

Recommendations

ALPHA SPIDER affiliates have demonstrated the ability to perform their operations and act on their objectives in relatively short time frames. Defenders need to acknowledge this fact, invest in a state-of-the-art endpoint protection platform and ensure a proper detection handling process or playbook is in place in their organization. All detections should be thoroughly investigated and responded to in a timely manner to stop breaches.

It is also important to note that threat actors — like ALPHA SPIDER affiliates — have the ability to move to malware-less attacks by leveraging dual-purpose administration tools and legitimate user accounts to perform their malicious activities inside victims’ environments. Human threat hunters like those provided by CrowdStrike Falcon® Adversary OverWatch™ help identify this activity to ensure your organization can respond in a time-critical manner.

Conclusion

ALPHA SPIDER affiliates constantly demonstrate the use of numerous offensive techniques, leverage a large tool set — including various vulnerability exploits — and are extremely persistent at successfully exfiltrating data.

However, it does appear that the different ALPHA SPIDER affiliates who performed the actions described in this blog post have no specific operational security (OPSEC) measures in place to avoid being detected. This lack of OPSEC measures gives defenders numerous opportunities to detect and respond to ALPHA SPIDER affiliates’ operations, as long as they are able to respond in a fast and effective way in the scenario of an ongoing breach.

Additional Resources

Footnotes

  1. https://nvd.nist.gov/vuln/detail/CVE-2021-44529
  2. https://nvd.nist.gov/vuln/detail/CVE-2021-40347
  3. https://github.com/Fahrj/reverse-ssh
  4. https://nmap.org/
  5. https://github.com/dirkjanm/mitm6
  6. https://github.com/lgandx/Responder
  7. https://nvd.nist.gov/vuln/detail/CVE-2021-21972
  8. https://github.com/robertdavidgraham/masscan
  9. https://www.veeam.com/
  10. https://lolbas-project.github.io/lolbas/Binaries/Certutil/
  11. https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
  12. https://github.com/sadshade/veeam-creds
  13. https://help.duo.com/s/article/1081?language=en_US
  14. https://www.pentestpartners.com/security-blog/abusing-duo-2fa/
  15. https://rclone.org/
  16. https://filezilla-project.org/
  17. https://mega.nz/

After Years of Success, State of Wyoming Looks to Expand CrowdStrike Protections Statewide

28 February 2024 at 22:16

With its wild beauty, favorable tax laws and growing tech scene, the State of Wyoming is experiencing a surge in business growth. But with this prosperity comes a rise in cyber risk due to the expanding commerce platforms and digital infrastructure needed to support it.

“We’ve had several large tech companies relocate to Wyoming recently,” explained Jason Strohbehn, Deputy CISO for the State of Wyoming. “With this growth comes a bigger attack surface and more adversary activity to protect against.”

Strohbehn works in the Wyoming Department of Enterprise Technology Services (ETS), where his five-person team is responsible for providing cybersecurity and IT services to 127 state agencies. Back in 2016, ETS began looking for a modern cybersecurity platform to replace its legacy antivirus (AV) solution, which was failing in critical areas. 

“Old tools and techniques don’t work against modern attacks,” said Strohbehn. “Our AV software was missing a lot of detections, plus it was very labor-intensive and process-heavy.”

Today, the State of Wyoming relies on a suite of CrowdStrike products and services to deliver superior cybersecurity across the Wyoming state government. 

24/7 Detection and Remediation

To strengthen its cybersecurity posture, the State of Wyoming went looking for a futureproof cybersecurity platform that’s effective, innovative and able to adapt to ever-evolving attacks. Further, state leadership wanted a strategic partner in the battle against global cybercrime. 

After evaluating several options, the State of Wyoming chose the AI-native CrowdStrike Falcon® XDR platform. Not only was the Falcon platform easily deployed without impacting users, its lightweight agent and AI-powered detection engine delivered the seamless and virtually invisible protection that ETS was looking for.

“We did a proof of concept with CrowdStrike, and by the end, we had department leaders willing to give up line-item budgets in order to procure it,” said Strohbehn. “So many people championed CrowdStrike, it was a no-brainer to go with them.”

With CrowdStrike Falcon® Prevent next-gen antivirus and CrowdStrike Falcon® Insight XDR, the State of Wyoming transformed its endpoint security, replacing its legacy AV with AI-powered protection, and extending industry-leading detection and response across the organization. A few years after the initial implementation, ETS doubled down on CrowdStrike in 2020 with the addition of CrowdStrike Falcon® Complete for 24/7 managed detection and response. 

With Falcon Complete, the State of Wyoming gained a force multiplier for its internal team with around-the-clock expert management, monitoring, proactive threat hunting and end-to-end remediation, delivered by CrowdStrike’s team of dedicated security experts. 

“The constant presence of the Falcon Complete team is like having a 24/7 security operations center. For us to replicate that would require hiring 6-10 employees, plus dealing with all the challenges of fielding such a high-performance team,” said Strohbehn.


Consolidating on the CrowdStrike Falcon Platform

In today’s complex threat landscape, state governments require an array of cybersecurity solutions to detect and stop threats. However, adding new tools and agents is tough on budgets and resource-strapped teams. To add the new protections it needs, the State of Wyoming has embraced cybersecurity consolidation on the Falcon platform.

With the Falcon platform, Strohbehn and his team can easily deploy new protections using the same lightweight agent and command console. Recently, ETS deployed CrowdStrike Falcon® Identity Protection to thwart the growing problem of identity-related attacks. 

“Our team does regular cybersecurity reviews to determine what tools we need to meet the challenge of new attacks. Attackers are now misusing credentials and moving through networks differently,” said Strohbehn. “We were able to deploy CrowdStrike’s identity protection module quickly and without another agent, which is huge for us.” 

Strohbehn acknowledged the synergies of deploying both solutions on the Falcon platform. “CrowdStrike’s endpoint and identity protection solutions are like peanut butter and jelly … they’re good by themselves, but when you put them together, you’ve got something special.” 

The State of Wyoming has realized several benefits from cybersecurity consolidation. “Without the Falcon platform, I’d need a bunch of different tools, which is both hard on my analysts and slows things down. With Falcon, we get the context and enrichment we need to stop attacks without having to draw on multiple solutions.”

Cost savings is another benefit. “If I’m paying for a tool to do something CrowdStrike can do, I can get rid of that tool, which saves us money,” said Strohbehn. “Any time we can replace a product with CrowdStrike, we do. And when we can’t outright replace a tool, we require that any new tools integrate well with CrowdStrike.”

Up Next: Whole-of-State Cybersecurity

To effectively safeguard operations and citizen information, state governments are increasingly looking at a whole-of-state approach to cybersecurity. This involves collaborating across state government, local government and education to protect citizens, data and digital infrastructure.

With full confidence in CrowdStrike based on seven years without a security breach, ETS is working with CrowdStrike to deliver whole-of-state cybersecurity in Wyoming. 

“We’re getting ready to go whole-of-state and provide protections to our cities and counties. We’ve been consulting with CrowdStrike on how to provide cybersecurity down to the local level, while still giving agencies the autonomy to operate independently,” said Strohbehn. 

Strohbehn is bullish on CrowdStrike because, according to him, it just works. 

“We’ve not had a breach since starting with CrowdStrike, so we’ve been very successful,” concluded Strohbehn. “Using CrowdStrike to go whole-of-state is going to be absolutely awesome.”

Additional Resources

CrowdStrike and Intel Research Collaborate to Advance Endpoint Security Through AI and NPU Acceleration

27 February 2024 at 18:20

At CrowdStrike, we are relentlessly researching and developing new technologies to outpace new and sophisticated threats, track adversaries’ behavior and stop breaches. As today’s adversaries continue to become faster and more advanced, the speed of enterprise detection and response is paramount.

It is also a challenge for today’s organizations, which face mounting attack volumes amid a global shortage of cybersecurity practitioners. In today’s evolving threat landscape, the intersection of AI and hardware innovation plays a pivotal role in shaping the future of threat detection and response. For CrowdStrike, a global cybersecurity leader, AI has been fundamental to our approach from the beginning.

Technology collaboration and research are essential to deploy new methods of analysis and defense. When Intel contacted us about the neural processing unit (NPU) in the new Intel® Core™ Ultra processors, we were excited to collaborate and explore new possibilities for enabling AI-based security applications on endpoint PCs, such as Dell’s latest generation of Latitude, the industry’s most secure commercial PC.1

The Challenges of Endpoint AI

The CrowdStrike Falcon® platform is engineered to operate in a transparent and near-zero impact manner, allowing seamless deployment to the endpoint.

Across the cybersecurity industry, the deployment of AI and machine learning (ML) models to the endpoint to perform advanced analytics has been limited — despite the advantages that such a configuration would offer. The reality is that most AI models, particularly neural network models for deep machine learning, simply won’t fit inside the performance envelope of an endpoint product. As a result of this technological challenge, many potential endpoint use cases of deep learning have been considered unworkable.

With the addition of the NPU in the Intel Core Ultra processor, we collaborated with Intel to test the feasibility and system impacts of moving large models from the cloud to the endpoint.

Case Study: Detecting Scripts and Fileless Malware Using an NPU-Enabled Convolutional Neural Network Model

Intel Core Ultra processors include an NPU, a purpose-built AI accelerator ideal for offloading inference of AI workloads, including convolutional neural network (CNN) models. CNN models are instrumental in detecting malicious scripts, which are frequently used in fileless malware — an increasingly common technique used in 75% of cyberattacks that gained initial access in 2023. 

Today, effective CNN models are not practical to deploy on the endpoint due to CPU overhead. Realistically, when used for script analysis, a large CNN model is currently only able to operate in the cloud to avoid disrupting the user experience. This means that applying this model to an endpoint requires the scripts to be uploaded to the cloud for analysis — a severe limitation in its application to endpoint detection.

To assess Intel’s NPU capabilities, we collaborated on a stress test using a large, non-optimized experimental CNN model developed to detect malicious scripts. The aim was to evaluate whether the NPU could effectively minimize CPU overhead in an extreme scenario, providing insights into the viability of deploying smaller production-ready endpoint models. 

The Intel team helped test this experimental model using both CPU only and CPU+NPU directly on an Intel Core Ultra processor. We found that, when running in continuous mode, approximately 20% of systemwide CPU capacity was used running the model in CPU-only mode.2 However, CPU usage drops to less than 1% when using the NPU. This breakthrough highlights the potential for more practical and efficient endpoint AI deployment.

Inference Device CPU Utilization — Maximum Memory Utilization Compiled Model Size Average Inference Time after First
CPU only 20% 1.07 GB 0.9 GB ~86ms
CPU+NPU <1% 1.4 GB 0.5 GB ~23ms

The Benefits of Endpoint AI

The substantial reduction in system impact observed with the utilization of an Intel Core Ultra processor featuring NPU acceleration makes the deployment of a comparable, and likely more compact, model to the endpoint viable. This advancement allows for detections to occur directly on the endpoint. Script analysis can be performed for an initial pass to detect many of the potentially malicious scripts prior to their execution, with cloud-based analysis subsequently doing the heavy lifting for deeper analysis.

With NPU acceleration, there is also a considerable advantage in being able to use AI to filter large quantities of endpoint data before uploading it to the cloud. This significantly reduces the volume of data that is sent.

Finally, the economic reality of running a large-scale, cloud-hosted AI service underscores the importance of optimizing resource allocation by enabling the cloud models to focus exclusively on wider-view and deeper analysis, enhancing efficiency and efficacy.

Figure 1. Illustration of data available on endpoint vs. what is sent to the cloud, where it can be more deeply analyzed (click to enlarge)

The diagram above illustrates the need for a substantial input data set with various parameters to be uploaded to the cloud for successful detection by deep learning models. Hosting the CNN model on the endpoint, with access to the complete set of data, allows for the efficacy of the cloud-hosted model to be augmented using dynamic clouding decisions.

Once input data has been identified as suspicious on the endpoint, it can be more deeply analyzed in the cloud where more resources are available. With advanced AI model deployment to the endpoint now possible using the NPU on Intel Core Ultra processors, the decision of what to send to the cloud can be governed dynamically using the deployed model. This is an extremely powerful capability that offers advantages over the usual approach of using fixed rules to determine what data is uploaded. 

Conclusion: The Road Ahead

The limitations of running AI workloads on the endpoint are undergoing a transformative shift with the integration of the NPU in Intel Core Ultra processors. Previously unattainable endpoint deep learning neural network AI becomes not only feasible but highly practical. The NPU shoulders the majority of the inference work, alleviating the processing burden on the CPU and resulting in minimal impact — essentially running the right workloads on the right execution engines.

This breakthrough unlocks a realm of new possibilities, moving endpoint detection closer to the source while sending relevant data to the cloud for better in-depth analysis. Furthermore, the decision to dispatch additional data to the cloud is now AI-driven, replacing fixed rules. This empowers expanded, selective cloud data collection, ensuring scalability and minimizing network traffic.

Leveraging the NPU on Intel Core Ultra processors to deploy CNN models for script and fileless attack detection is an excellent continuation of CrowdStrike and Intel’s joint efforts, in collaboration with Dell, to bring integrated defenses to the deepest levels of the endpoint. However, this is merely one example of an endpoint AI model. Numerous other use cases are conceivable, including endpoint analysis of network traffic, application to data leakage protection and more. We are just beginning to explore the power of pushing AI to the edge for advanced cybersecurity applications using the NPU, aiming to secure the future and stop breaches everywhere.

Co-authors:

This blog was co-authored by Paul Carlson, Lead Data Scientist, Intel; Pramod Pesara, Security Software Architect, Intel

Additional Resources

1. Based on Dell internal analysis, September 2023. Applicable to PCs on Intel processors. Not all features available with all PCs. Additional purchase required for some features.   

2. Technical disclaimers: These results should not be taken with the understanding that the ratio of CPU usage, memory usage, or inference time between CPU only and CPU+NPU will remain the same with a different/smaller model – even one using the same neural architecture as the model under test. This is also not a general claim about the performance of other models on the NPU, even other CNNs. The result should only be taken as an understanding that, for this specific CNN model developed by CrowdStrike, a smaller distilled model of the same design would likely have an average inference time after the first of <= ~25ms and a CPU overhead <= ~1%. Note that featurization/tokenization were not measured as part of this test. The model was tested using the OpenVINO framework. Results that are based on pre-production systems and components as well as results that have been estimated or simulated using an Intel Reference Platform (an internal example new system), internal Intel analysis or architecture simulation or modeling are provided to you for informational purposes only. Results may vary based on future changes to any systems, components, specifications or configurations.

CrowdStrike Is Proud to Sponsor the Mac Admins Foundation

15 February 2024 at 16:50

CrowdStrike is proud to announce its official sponsorship of the Mac Admins Community through its not-for-profit arm, the Mac Admins Foundation. CrowdStrike joins a distinguished list of sponsors at the highest level.

The Mac Admins Foundation serves as a vibrant hub of collaboration, information sharing and professional growth for the Mac Admins Community. Founded in 2015 and with more than 40,000 members, the Mac Admins Foundation provides a “global online community of IT professionals who specialize in Apple hardware and software.” The community is an amazing network of peers committed to helping each other learn and grow when it comes to all things related to macOS devices.

This focus on community aligns perfectly with the CrowdStrike ethos. CrowdStrike is built on the power of the crowd. Our community consists of tens of thousands of customers, partners and  security practitioners around the world dedicated to defeating adversaries, defending our estates and stopping breaches. 

Also aligned with the CrowdStrike ethos is the focus on innovation. Members of the Mac Admins Community are constantly creating — new ideas, businesses and applications — on their machines. CrowdStrike is also relentlessly working to strengthen organizations’ defenses against evolving cyberattacks without getting in the way of great work. We are proud to know today’s innovators are turning to CrowdStrike to secure their best, most critical work. 

We’re excited to join these two powerful communities to learn from and support each other on our shared missions. 

CrowdStrike: Dedicated to Protecting macOS Devices and Stopping Breaches

MacOS has become a frequent target of cyberattacks as it has increased in popularity for business and enterprise applications. While the macOS provides strong security features, adversaries continue to develop malware specifically targeting macOS, including ransomware, backdoors and trojans.

CrowdStrike is dedicated to protecting the macOS community and devices through research and technology. CrowdStrike researchers continue to track a growing number of attacks targeting macOS devices. The CrowdStrike Falcon® platform delivers industry-leading protection against a broad spectrum of attacks targeting macOS — from commodity and zero-day malware, ransomware and exploits to advanced malware-free and fileless attacks. 

CrowdStrike continually participates in third-party testing to demonstrate the efficacy of the Falcon platform in protecting against macOS threats. In 2023, CrowdStrike Falcon® Pro for Mac won the AV-Comparatives Approved Mac Security Product award for the sixth consecutive year.  During testing, Falcon Pro for Mac achieved 100% protection against Mac malware, with zero false positives and with no observable performance reduction on the Macs used for testing.

During the testing, AV-Comparatives collected 309 Mac malware samples that were representative of what the organization detected being used in the wild during the first half of 2023. Testers inserted USB flash drives containing these malware samples into the Macs, providing the first opportunity for security products to detect and protect against the malware. Any samples that were not detected were then copied to the Mac’s system disk and executed. If a security solution did not detect and neutralize by this stage, it was considered a miss.

Of the 309 Mac malware samples employed during testing, Falcon Pro for Mac had zero misses, providing 100% detection and 100% protection. There were zero false positives recorded. The Mac computers used in testing showed no observable performance reduction thanks to the lightweight Falcon sensor. 

Deepening Our Connection to the Mac Community 

As a global leader in cybersecurity, our commitment to the Mac community starts by delivering the device protection required to keep businesses running on macOS devices. And through the sponsorship of the Mac Admins Community, we’re extending our support to the amazing Mac Admins and the people behind the devices.

We believe that open and technical communities like Mac Admins drive the collaboration needed to build and scale the core technologies that power the software and devices that millions of people love and that countless businesses run on. We’re thankful for the hard work of the Mac Admins Community and proud to be a sponsor. 

Additional Resources

Seeing into the Shadows: Tackling ChromeOS Blind Spots with Dell and CrowdStrike

14 February 2024 at 18:23

According to a 2023 Forbes article, 12.7% of U.S. workers work remotely and 28.2% have adopted a hybrid work schedule. As device and usage trends continue to shift, organizations must find ways to secure remote endpoints that could grant adversaries access if left vulnerable. 

Adversaries are moving faster than ever  and enterprise security must detect and respond to attacks at lightning speed. To stay ahead of today’s attackers, it’s critical to gain complete visibility across all of your devices, regardless of their operating system or location. As a growing number of organizations rely on ChromeOS devices to run their businesses, we are working to help them ensure full security coverage and strengthen their security posture against modern threats .

With Dell and CrowdStrike, your team is empowered to work securely using AI-native cybersecurity to bridge security gaps and gain comprehensive visibility into ChromeOS devices on a network. To deliver this, Dell now offers CrowdStrike Falcon® Insight for ChromeOS within the Dell SafeGuard and Response portfolio, helping to reduce the attack surface of your devices and boost cyber resiliency. Organizations can now benefit from CrowdStrike Falcon® Insight XDR’s industry-leading detection and response capabilities to stop adversaries across ChromeOS, Linux, macOS and Windows devices from a single unified console for broad cross-platform coverage.

By activating Falcon Insight for ChromeOS with Dell, you can:

  • Eliminate visibility gaps and accelerate threat detection with one unified view of native ChromeOS event telemetry, ingested directly from Google, alongside your additional endpoint data across Windows, Linux and macOS.
  • Accelerate incident triage and response with automated workflows and notifications based on contextual insights and detections with the built-in CrowdStrike Falcon® Fusion integrated security orchestration automation and response (SOAR).
  • Be up and running in minutes, with no new agents and no device impact, using the flexible and scalable Falcon platform — seamlessly provided by Dell SafeGuard and Response.

CrowdStrike and Dell partner to help you simplify and consolidate your security stack while addressing new threat vectors across your fleet. As modern workplace demands continue to evolve, so will your security needs associated with hybrid work and remote access. By seamlessly delivering the industry-leading, AI-native CrowdStrike Falcon XDR platform with simplified procurement, we provide superior protection and speed, and immediate time-to-value. To learn more about how you can get comprehensive visibility of your fleet across all operating systems, reach out to Dell and CrowdStrike specialists.

Want to learn more? Join our webinar on Feb 29, 2024, for a deep dive on Dell Technologies: CrowdStrike Falcon Insight for ChromeOS.

See CrowdStrike Falcon Insight XDR in action in this short demo.

Additional Resources

CrowdStrike Named the Only Customers’ Choice: 2024 Gartner® “Voice of the Customer” for Vulnerability Assessment

14 February 2024 at 15:29

It is a common refrain in security circles that “nobody loves their vulnerability management tool.”  CrowdStrike may have just proved to be the exception. 

We are proud to announce that CrowdStrike is the only vendor named a Customers’ Choice in the 2024 Gartner “Voice of the Customer” Report for Vulnerability Assessment. In this report, CrowdStrike is the only vendor placed in the upper right quadrant, meaning we received a Customers’ Choice Distinction. This placement indicates we meet or exceed both the average Overall Experience and the average User Interest and Adoption for the segment. 

In addition to the recent IDC MarketScape Report recognizing CrowdStrike as a Leader for Risk-Based Vulnerability Management, we believe this recognition is a validation not only from the analyst community but from those it matters the most: our customers.

At the center of this is Falcon® Exposure Management. We believe the overwhelming customer response to Falcon Exposure Management is one of the reasons for our recognition as a Customers’ Choice in this report. 

Falcon Exposure Management is a comprehensive risk and vulnerability management solution that incorporates all the capabilities of CrowdStrike Falcon® Spotlight vulnerability management, CrowdStrike Falcon® Discover asset management, CrowdStrike Falcon® Surface external attack surface management and much more. 

Legacy VM Tools: A Test in Patience

The enthusiasm around Falcon Exposure Management stems from its ability to address many of the challenges associated with legacy vulnerability management tools, which are often costly and slow to deploy, operationalize and generate results.

Setting up legacy vulnerability management (VM) tools is often an exercise in patience. The network scanners are on-premises appliances that require painstaking sizing and tuning. In order to get a high-fidelity network scan, the VM team needs to obtain and manage credentials to each target system being scanned, with the right privilege, and deal with ongoing password rotation. 

Further, due to the disruptive nature of these scans, scanning windows must be negotiated with various departments and system owners so business doesn’t slow to a crawl. It could be weeks before a complete scan of the entire infrastructure can be finished. This doesn’t take into consideration the process before the scan, which involves updates for new vulnerability signatures or ongoing firewall administration to ensure the scanner can reach every system.  

The complex nature of these tools makes legacy VM extremely difficult to operationalize, which reduces its effectiveness and adds to the total cost of ownership. Rather than managing vulnerabilities, security teams are instead focusing on managing the headache of their VM tool. The worst part is these long scanning cycles unnecessarily expose organizations to critical vulnerabilities and zero-days at a time when adversaries are quickly weaponizing them. 

Why We Believe CrowdStrike Is the Only Customers’ Choice

Falcon Exposure Management, which runs on the same unified, lightweight agent utilized by the CrowdStrike Falcon® platform, is a breeze to deploy. You simply switch it on. There is virtually no maintenance involved. It offers instant vulnerability assessment compared to legacy VM tools, which can take days or weeks.  

The Falcon® platform empowers security teams to bridge data gaps, pivot across rich threat contexts, leverage AI to effectively prioritize vulnerabilities, and quickly zoom in on adversaries to stop breaches. CrowdStrike research has shown Falcon Exposure Management can reduce external attack surface by up to 75%1 while keeping out 95%2 of the vulnerability noise.

Gartner® Peer Insights™ customer reviews share inputs such as:

“The best use of it comes when there is a zero-day release and we have it ready on the console with the impacted machines without spending any effort to scan. The up-to-date vulnerability information has also helped us triage detections and incidents in the best way.”

“You don’t need to deploy an extra agent to have this functionality, the data is already there, and if you are currently using CrowdStrike Falcon as your Endpoint Detection and Response product you only need to enable this and voila! It will work, so having everything in a single pane of glass is always more than welcomed, this will reduce alert fatigue, will help our analysts to take less time on remediation and use that time for investigations.”

Customers overwhelmingly prefer CrowdStrike’s approach to building security tools with its lightweight agent, cloud-native unified platform and powerful AI. Falcon Exposure Management complements CrowdStrike’s leading security solutions with a proactive, easy-to-deploy vulnerability and risk management solution that allows customers to reduce complexity, quickly operationalize and cut down on redundant spending so security teams can do what they do best: get ahead of adversaries and stop breaches.

GARTNER is a registered trademark and service mark, and PEER INSIGHTS is a registered trademark, of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

Additional Resources

  1. Based on Falcon Surface product data.
  2. This number is a project estimate of average benefit based on recorded metrics provided by customers during pre-sale motions that compare the value of CrowdStrike with the customer’s incumbent solution. Actual realized value will depend on individual customer’s module deployment and environment.

February 2024 Patch Tuesday: Two Zero-Days Amid 73 Vulnerabilities

13 February 2024 at 23:27

Microsoft has released security updates for 73 vulnerabilities for its February 2024 Patch Tuesday rollout. These include two actively exploited zero-days (CVE-2024-21412 and CVE-2024-21351), both of which are security feature bypass flaws. Five of the vulnerabilities addressed today are rated Critical while the remaining 68 are rated Important or Moderate.

February 2024 Risk Analysis

This month’s leading risk type is remote code execution (41%) followed by elevation of privilege (22%) and spoofing (14%).

Figure 1. Breakdown of February 2024 Patch Tuesday attack types

 

Windows products received the most patches this month with 44, followed by Extended Security Update (ESU) with 32 and Azure with 9.

Figure 2. Breakdown of product families affected by February 2024 Patch Tuesday

Actively Exploited Zero-Day Vulnerability Affecting Internet Shortcut Files

Internet Shortcut Files has received a patch for CVE-2024-21412, which has a severity of Important and a CVSS score of 8.1. This vulnerability allows an unauthenticated attacker to bypass a security feature called “Mark of the Web” (MotW) warnings on Windows machines. The targeted user would need to be convinced to click on a specially crafted file that is designed to bypass the displayed security checks. According to Microsoft, the proof-of-concept kit for exploiting the vulnerability has not been publicly disclosed.

Severity CVSS Score CVE Description
Important 8.1 CVE-2024-21412 Internet Shortcut Files Security Feature Bypass Vulnerability

Table 1. Zero-day in Internet Shortcut Files

Actively Exploited Zero-Day Vulnerability Affecting Windows SmartScreen

Windows SmartScreen has received a patch for CVE-2024-21351, which has a severity of Moderate and a CVSS score of 7.6. This security feature bypass vulnerability on Windows Defender SmartScreen can potentially lead to partial data exposure and/or issues with system availability. The attacker would need to convince the user to open a malicious file that could bypass SmartScreen and potentially gain code execution. According to Microsoft, the proof-of-concept kit for exploiting the vulnerability has not been publicly disclosed.

Severity CVSS Score CVE Description
Moderate 7.6 CVE-2024-21351 Windows SmartScreen Security Feature Bypass Vulnerability

Table 2. Zero-day in Windows SmartScreen

Critical Vulnerabilities Affecting Microsoft Windows, Extended Security Update, Dynamics, Exchange Server and Microsoft Office

CVE-2024-21410 is a Critical elevation of privilege (EoP) vulnerability affecting Microsoft Exchange Server and has a CVSS score of 9.8. An attacker that successfully exploits this vulnerability can relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange server and be authenticated as that user. NTLM hashes are important for gaining account access due to the use of challenge-response protocols in secure authentication. This vulnerability potentially allows attackers to crack NTLM hashes or deploy an NTLM relay attack.

Prior to the Exchange Server 2019 Cumulative Update 14 (CU14), Exchange Server did not enable relay protections for NTLM credentials (called Extended Protection for Authentication or EPA) by default, which would have protected against one of the attack types mentioned earlier. Microsoft has provided a “Exchange Server Health Checker script” that provides an overview of the Extended Protection status of the customer’s Exchange server.

CVE-2024-21413 is a Critical remote code execution (RCE) vulnerability affecting Microsoft Outlook and has a CVSS score of 9.8. Successful exploitation of this vulnerability allows the attacker to send a maliciously crafted link that bypasses the security feature. This can lead to credential exposure and RCE, enabling attackers to gain privileged functionality.

CVE-2024-21380 is a Critical information disclosure vulnerability affecting Microsoft Dynamics Business Central (formerly known as Dynamics NAV) and has a CVSS score of 8.0. This vulnerability could allow the attacker to gain the ability to interact with other SaaS tenants’ applications and content. The user would have to be convinced by the attacker to click on a specially crafted URL, and the execution would need to win a race condition for a successful exploitation. This can lead to unauthorized access to the victim’s account.

CVE-2024-21357 is a Critical RCE vulnerability affecting Windows Pragmatic General Multicast (PGM) network transport protocol and has a CVSS score of 7.6. The attack complexity is high due to the additional actions a threat actor would need to take for successful exploitation. Exploitation is limited to within the same network or virtual network systems that are connected.

CVE-2024-20684 is a Critical denial of service (DoS) vulnerability affecting Microsoft Windows Hyper-V and has a CVSS score of 6.5. Successful exploitation of this vulnerability allows an attacker to target a Hyper-V guest virtual machine, which can affect the functionality of the Hyper-V host. Because this is a local DoS attack, Microsoft deems exploitation less likely.

Severity CVSS Score CVE Description
Critical 9.8 CVE-2024-21410 Microsoft Exchange Server Elevation of Privilege Vulnerability
Critical 9.8 CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability
Critical 8.0 CVE-2024-21380 Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
Critical 7.5 CVE-2024-21357 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Critical 6.5 CVE-2024-20684 Windows Hyper-V Denial of Service Vulnerability

Table 3. Critical vulnerabilities in Windows, ESU, Dynamics, Exchange Server and Microsoft Office

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

  • For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
  • Stay tuned for the CrowdStrike 2024 Global Threat Report — to be released on Feb. 21, 2024 — to learn how the threat landscape has shifted in the past year and understand the adversary behavior driving these shifts.
  • See how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments. 
  • Learn how CrowdStrike’s external attack surface module, CrowdStrike® Falcon Surface™, can discover unknown, exposed and vulnerable internet-facing assets, enabling security teams to stop adversaries in their tracks.
  • Learn how CrowdStrike Falcon® Identity Protection products can stop workforce identity threats faster. 
  • Make prioritization painless and efficient. Watch how CrowdStrike Falcon® Spotlight enables IT staff to improve visibility with custom filters and team dashboards
  • Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.

Key Findings from CrowdStrike’s 2024 State of Application Security Report

13 February 2024 at 13:49

As organizations shift their applications and operations to the cloud and increasingly drive revenues through software, cloud-native applications and APIs have emerged among the greatest areas of modern security risk. 

According to publicly available data, eight of the top 10 data breaches of 2023 were related to application attack surfaces.1 These eight breaches alone exposed almost 1.7 billion records, illustrating the potential for tremendous data loss if applications are poorly configured and lack effective protection. 

Application security has quickly become one of the most essential forms of security for the modern enterprise. That’s why we set out to understand how organizations are securing their applications today and the challenges they face in doing so. Our research team surveyed 400 application security professionals in the United States to learn how they are securing applications, the tools and processes they are using and how effective their work is. 

Here are some of our key findings. 

AppSec Tools Aren’t Helping Enough

You can’t protect what you can’t see. Organizations require visibility into their growing number of cloud applications and the data these applications hold in order to determine their areas of risk. They also must have the ability to prioritize and remediate application vulnerabilities and security alerts as they learn about them.

Both of these are top challenges among survey respondents: 60% said prioritization is among their top three obstacles in securing applications, while 57% said they struggle to gain full visibility into their applications and APIs to see what’s at risk. 

These challenges could be caused by an onslaught of security tools. Nearly 90% of respondents reported using at least three tools to detect and prioritize application vulnerabilities and threats. Despite using multiple tools, organizations struggle most with prioritizing application vulnerabilities and threats and gaining visibility into their applications — the same challenges for which they are seeking solutions.

Traditional Security Reviews Don’t Scale

As organizations develop and deploy more applications, they increase the chance of producing vulnerable code that could be exploited in an attack. Mitigating the risk of application vulnerabilities requires oversight not only when code is first deployed but as it’s updated over time. It is standard best practice to conduct a comprehensive security review before code is pushed to production. 

However, many application security teams aren’t taking this critical step. Our survey respondents estimated that, on average, only 54% of major code changes undergo a full security review before they’re deployed to production. This means almost half of major application code changes don’t undergo full security reviews. If major code changes aren’t vetted thoroughly, organizations run the risk of exposing their software to vulnerabilities that adversaries can exploit. 

It’s difficult to scale the traditional review process to meet modern application security needs. Our data shows that traditional security reviews are time-consuming and expensive. Most (81%) of respondents said a security review takes more than one business day, and 35% said it takes more than three.

Below is an overview of the additional information you can find in the CrowdStrike 2024 State of Application Security Report.  

Rethinking Your Approach to Application Security

Custom applications are complex and changing. Security must keep up. In this report, you’ll learn about eight critical areas of application security and gain insight into the issues challenging application security teams today. With this knowledge, you will be able to develop a more effective and comprehensive approach to securing your applications. 

Download the full report for more valuable insight including: 

  • The average number of programming languages organizations use 
  • How organizations inventory and catalog application microservices and APIs
  • The estimated mean time to remediation for critical application security issues 
  • The individual(s) and/or team(s) considered responsible for application security — and how this varies across organizations of different sizes

Our findings confirm: The current state of application security isn’t effective enough to stop today’s threats. Today’s application security lacks the automation and efficiency needed to support modern applications and the teams that protect them. 

CrowdStrike is committed to helping our customers stop breaches by securing cloud-native applications. Our acquisition of application security posture management (ASPM) pioneer Bionic is one critical step toward revolutionizing a cloud-native application protection platform (CNAPP). With the addition of ASPM, CrowdStrike Falcon® Cloud Security is now the only CNAPP to protect everything from code to cloud.

Additional Resources

 

  1. IT Governance, “List of Data Breaches and Cyber Attacks in 2023,” https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-2023

How to Secure Business-Critical Applications

9 February 2024 at 21:23

As organizations move more of their business-critical applications to the cloud, adversaries are shifting their tactics accordingly. And within the cloud, it’s clear that cybercriminals are setting their sights on software applications: In fact, industry data shows 8 out of the top 10 breaches in 2023 were related to applications.

The most valuable of these, known as business-critical applications, typically process large amounts of sensitive data including customer information, intellectual property and other critical data. These often have vulnerabilities or are poorly configured, leaving important information exposed to threat actors. Adversaries know this; as a result, many cybercrime groups focus their attacks on this type of software.

In this blog, we detail the steps to protecting your custom-developed business-critical applications to prevent your sensitive data from getting into the wrong hands.

Identify Your Business-Critical Applications

Business-critical applications are fundamental to a company’s operations. They typically process large amounts of sensitive information while creating revenue for the business.  

If a business-critical application is breached, the parent company will be forced to deal with fines, data loss, reputational damage, loss of customers and other concerns. Additionally, the company may see revenue fall if the software goes offline unexpectedly and customers cannot transact on the platform.

Common examples of critical applications include stock trading applications, e-commerce sites, healthcare software, and any other custom software that processes private information or business-critical data. Once custom-developed applications are deemed “business-critical,” they should be considered a top priority for security monitoring and reviews. 

Configure a Secure Digital Infrastructure

Protecting the machines that run business-critical applications is a complex task with many moving pieces. Consider each of the following infrastructure needs:

  • Network segmentation
  • Firewalls
  • Operating system and virtual machine (VM) patching
  • Cryptography
  • Secrets management

Restricting an attacker’s ability to move laterally through the network goes a long way in stopping breaches. By isolating digital assets and requiring authorization to access critical applications, the likelihood of a successful attack is reduced. Furthermore, network packets can be rejected by access control lists and firewalls, including web application firewalls.

Operating systems and VMs must be patched regularly. These underlying systems provide the backbone on which all other software runs; as a result, they are appealing adversary targets and new vulnerabilities must be patched as they are found and disclosed. 

In some cloud configurations, known as “platform as a service” (PaaS), the cloud provider will automatically update the OS and VM to patch vulnerabilities. With on-premise deployments and other cloud configurations, known as “infrastructure as a service” (IaaS), the end user is responsible for patching their own systems.

Data can be stored securely to further protect it in the event of a breach. Ensuring sensitive data is encrypted, both at rest and in transit, and passwords are hashed both reduce the likelihood an attacker extracts valuable information. Additionally, secrets such as SSH keys and certificates must be protected. A secure digital infrastructure creates a safe environment to run business-critical applications. 

Restrict Access Permissions to Required Individuals

Most successful cyberattacks begin with stolen credentials. By limiting both general and administrative access to individuals with a business need for it, you can greatly reduce the risk of compromise. 

The nature of an application determines this access strategy. Internal business applications often use role-based access control (RBAC) to allow or disallow branches of an organization to access an application. For a business-to-consumer application, the access strategy is different. Applications serving a wide audience often grant access to any user who chooses to sign up. 

Regardless of who can access the application as a whole, in all cases it’s crucial to ensure users can only access portions of the application relevant to them. Often, common features are available to all users while specialized features are available to a limited audience. For example, administrative functions may be restricted to a small subset of people who work in the IT department and the parent organization. Business-critical applications should regularly revoke access from users who no longer require access to the system, such as terminated employees.

Once users are authenticated, they are typically provided an application access token. These tokens uniquely identify an individual and allow the software to authorize user requests, rather than repeatedly requiring a username and password. Attackers attempt to steal access tokens so they can impersonate valid users and steal sensitive data from software. Special care must be taken to protect access tokens from attackers. Requiring HTTPS connections for token issue and enforcing token expiration are common defense mechanisms.

Additionally, user permissions should be tested at every server request. Every application programming interface (API) should require that the user’s identity is authenticated and they’re authorized to access the requested information. Establishing effective access permissions for business-critical applications is essential to prevent unwanted users in software and stop breaches.

Proactively Monitor for Suspicious Activity

Business-critical applications have great appeal to adversaries. Implementing a robust monitoring solution to detect attacks and stop suspicious data access is essential.

Every software application is hosted somewhere. By adding a runtime protection agent to servers that run business-critical applications, security teams can halt dangerous activity. Common indicators of attack such as persistence, lateral movement and enumeration should trigger alerts to the organization. Real-time insights allow detection and response teams to intercept suspicious activity before data exfiltration occurs. On-premises software benefits from endpoint detection and response solutions, while cloud-native applications use cloud workload protection to stop attacks in real time.

Improve Security Testing in the Software Development Pipeline

Implementing security controls early in the development process helps reduce risk in production. By “shifting security left” and integrating vulnerability scanners in the software development pipeline, development teams can find and fix security bugs early. Security teams that already measure security posture in production can quantify how efforts to shift left reduce risk to the business over time. Integrating vulnerability scanning tools is particularly useful in net-new development, since vulnerabilities are easier to mitigate during initial development.

Custom software applications contain native code and third-party code, often known as “open source.” The owner of the custom software is always responsible for ensuring imported packages do not contain common vulnerabilities and exposures (CVEs). Additionally, the development team can introduce vulnerabilities in their code built in-house. It is the organization’s responsibility to ensure their developers are shipping secure code regardless of deployment location.

Resolve Immediate Risks in Production

Application risk posture is a combination of infrastructure misconfigurations, security vulnerabilities, trust boundaries, business logic and data sensitivity. Analyzing the current risk posture of business-critical applications should be a priority. 

Misconfigurations and vulnerabilities are distinct from one another but introduce similar security concerns. Misconfigurations are insecure infrastructure settings that increase the likelihood of unwanted access. Common misconfigurations include default credentials, unrestricted inbound traffic, public storage buckets and plaintext SSH keys. Software vulnerabilities, on the other hand, are security flaws in code that an attacker can exploit. 

Weakness must be paired with accessibility to be exploitable. For example, a CVE enabling remote code execution is substantially more dangerous when it exists in a public-facing microservice. Trust boundaries, which are theoretical “boundaries,” define where incoming data from an unreliable source appears. Business-critical applications are more likely to be exploited when their vulnerabilities exist on the edge of a trust boundary. Production risk increases where applications communicate with the public internet or a third-party-owned software.

Understanding data flows and APIs is crucial when quantifying business risk. Security teams can make more informed decisions when they understand the data processed at various stages of a business-critical application. APIs transmitting sensitive payloads are a bigger concern than those without sensitive data. Similarly, databases with personally identifiable information present a greater risk than those without. Correlating business logic with sensitive data allows security teams to make more informed decisions.

Monitor Changes to Production

As code changes alter custom applications, it’s imperative to track changes to their risk posture. 

Newly introduced dataflows and APIs can have a massive influence on the likelihood of sensitive data exposure. Even more challenging to manage are changes to existing data flows and APIs — small updates can present massive risk, such as accidentally removing authentication from an API or returning sensitive data in an API’s payload for the first time.

Most code is not created in-house. In fact, open source software accounts for more than 80% of the lines of code in modern software applications. As library versions change, and new libraries are imported for the first time, the CVEs present in an application will change. Understanding both the business impact and likelihood of exploitation for each CVE in production allows security teams to prioritize their efforts.

Maintaining a constant measurement of the production risk posture empowers security teams to stay in sync with their software development counterparts and respond to dangerous changes quickly.

How CrowdStrike Helps Secure Business-Critical Applications

Business-critical applications are valuable assets that require a comprehensive protection plan. The AI-native CrowdStrike Falcon® platform helps you at every step of the journey, from cloud misconfiguration detection to application security posture management and runtime protection.

To learn more, request a demo.

Additional Resources

HijackLoader Expands Techniques to Improve Defense Evasion

7 February 2024 at 13:48
  • HijackLoader continues to become increasingly popular among adversaries for deploying additional payloads and tooling
  • A recent HijackLoader variant employs sophisticated techniques to enhance its complexity and defense evasion
  • CrowdStrike detects this new HijackLoader variant using machine learning and behavior-based detection capabilities 

CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities. 

In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach has the potential to make defense evasion stealthier. 

The second technique variation involved an uncommon combination of process doppelgänging and process hollowing techniques. This variation increases the complexity of analysis and the defense evasion capabilities of HijackLoader. Researchers also observed additional unhooking techniques used to hide malicious activity.

This blog focuses on the various evasion techniques employed by HijackLoader at multiple stages of the malware.

HijackLoader Analysis

Infection Chain Overview

The HijackLoader sample CrowdStrike analyzed implements complex multi-stage behavior in which the first-stage executable (streaming_client.exe) deobfuscates an embedded configuration partially used for dynamic API resolution (using PEB_LDR_DATA structure without other API usage) to harden against static analysis.

Afterward, the malware uses WinHTTP APIs to check if the system has an active internet connection by connecting to https[:]//nginx[.]org. If the initial connectivity check succeeds, then execution continues, and it connects to a remote address to download the second-stage configuration blob. If the first URL indicated below fails, the malware iterates through the following list:

  • https[:]//gcdnb[.]pbrd[.]co/images/62DGoPumeB5P.png?o=1
  • https[:]//i[.]imgur[.]com/gyMFSuy.png;
  • https[:]//bitbucket[.]org/bugga-oma1/sispa/downloads/574327927.png

Upon successfully retrieving the second-stage configuration, the malware iterates over the downloaded buffer, checking for the initial bytes of a PNG header. It then proceeds to search for the magic value  C6 A5 79 EA, which precedes the XOR key (32 B3 21 A5 in this sample) used to decrypt the rest of the configuration blob.

Figure 1. HijackLoader key retrieving and decrypting (click to enlarge)

 

Following XOR decryption, the configuration undergoes decompression using the RtlDecompressBuffer API with COMPRESSION_FORMAT_LZNT1. After decompressing the configuration, the malware loads a legitimate Windows DLL specified in the configuration blob (in this sample, C:\Windows\SysWOW64\mshtml.dll).

The second-stage, position-independent shellcode retrieved from the configuration blob is written to the .text section of the newly loaded DLL before being executed. The HijackLoader second-stage, position-independent shellcode then performs some evasion activities (further detailed below) to bypass user mode hooks using Heaven’s Gate and injects subsequent shellcode into cmd.exe.The injection of the third-stage shellcode is accomplished via a variation of process hollowing that results in an injected hollowed mshtml.dll into the newly spawned cmd.exe child process.

The third-stage shellcode implements a user mode hook bypass before injecting the final payload (a Cobalt Strike beacon for this sample) into the child process logagent.exe. The injection mechanism used by the third-stage shellcode leverages the following techniques:

  • Process Doppelgänging Primitives: This technique is used to hollow a Transacted Section (mshtml.dll) in the remote process to contain the final payload.
  • Process/DLL Hollowing: This technique is used to inject the fourth-stage shellcode that is responsible for performing evasion prior to passing execution to the final payload within the transacted section from the previous step.

Figure 2 details the attack path exhibited by this HijackLoader variant.

Figure 2. HijackLoader — infection chain (click to enlarge)

Main Evasion Techniques Used by HijackLoader and Shellcode

The primary evasion techniques employed by HijackLoader include hook bypass methods such as Heaven’s Gate and unhooking by remapping system DLLs monitored by security products. Additionally, the malware implements variations of process hollowing and an injection technique that leverages transacted hollowing, which combines the transacted section and process doppelgänging techniques with DLL hollowing.

Hook Bypass: Heaven’s Gate and Unhooking

Like other variants of HijackLoader, this sample implements a user mode hook bypass using Heaven’s Gate (when run in SysWOW64) — this is similar to existing (x64_Syscall function) implementations.

This implementation of Heaven’s Gate is a powerful technique that leads to evading user mode hooks placed in SysWOW64 ntdll.dll by directly calling the syscall instruction in the x64 version of ntdll.

Each call to Heaven’s Gate uses the following as arguments: 

  • The syscall number
  • The number of parameters of the syscall
  • The parameters (according to the syscall)

This variation of the shellcode incorporates an additional hook bypass mechanism to elude any user mode hooks that security products may have placed in the x64 ntdll. These hooks are typically used for monitoring both the x32 and x64 ntdll.

During this stage, the malware remaps the .text section of x64 ntdll by using Heaven’s Gate to call NtWriteVirtualMemory and NtProtectVirtualMemory to replace the in-memory mapped ntdll with the .text from a fresh ntdll read from the file C:\windows\system32\ntdll.dll. This unhooking technique is also used on the process hosting the final Cobalt Strike payload (logagent.exe) in a final attempt to evade detection.

Process Hollowing Variation

To inject the subsequent shellcode into the child process cmd.exe, the malware utilizes common process hollowing techniques. This involves mapping the legitimate Windows DLL mshtml.dll into the target process and then replacing its .text section with shellcode. An additional step necessary to trigger the execution of the remote shellcode is detailed in a later section.   

To set up the hollowing, the sample creates two pipes that are used to redirect the Standard Input and the Standard Output of the child process (specified in the aforementioned configuration blob, C:\windows\syswow64\cmd.exe) by placing the pipes’ handles in a STARTUPINFOW structure spawned with CreateProcessW API. 

One key distinction between this implementation and the typical “standard” process hollowing can be observed here: In standard process hollowing, the child process is usually created in a suspended state. In this case, the child is not explicitly created in a suspended state, making it appear less suspicious. Since the child process is waiting for an input from the pipe created previously, its execution is hanging on receiving data from it. Essentially, we can call this an interactive process hollowing variation. 

As a result, the newly spawned cmd.exe will read input from the STDIN pipe, effectively waiting for new commands. At this point, its EIP (Extended Instruction Pointer) is directed toward the return from the NtReadFile syscall. 

The following section details the steps taken by the second-stage shellcode to set up the child process cmd.exe ultimately used to perform the subsequent injections used to execute the final payload.

The parent process streaming_client.exe initiates an NtDelayExecution to sleep, waiting for cmd.exe to finish loading. Afterward, it reads the legitimate Windows DLL mshtml.dll from the file system and proceeds to load this library into cmd.exe as a shared section. This is accomplished using the Heaven’s Gate technique for: 

  • Creating a shared section object using NtCreateSection  
  • Mapping that section in the remote cmd.exe using NtMapViewOfSection  

It then replaces the .text section of the mshtml DLL with malicious shellcode by using:

  • Heaven’s Gate to call NtProtectVirtualMemory on cmd.exe to set RWX permissions on the .text section of the previously mapped section mshtml.dll
  • Heaven’s Gate to call NtWriteVirtualMemory on the DLL’s .text section to stomp the module and write the third-stage shellcode 

Finally, to trigger the execution of the remote injected shellcode, the malware uses:

  • Heaven’s Gate to suspend (NtSuspendThread) the remote main thread 
  • A new CONTEXT (by using NtGetContextThread and NtSetContextThread) to modify the EIP to point to the previously written shellcode
  • Heaven’s Gate to resume (NtResumeThread) the remote main thread of cmd.exe

However, because cmd.exe is waiting for user input from the STDINPUT pipe, the injected shellcode in the new process isn’t actually executed upon the resumption of the thread. The loader must take an additional step: 

  • The parent process streaming_client.exe needs to write (WriteFile) \r\n string to the STDINPUT pipe created previously to send an input to cmd.exe after calling NtResumeThread. This effectively resumes execution of the primary thread at the shellcode’s entry point in the child process cmd.exe.

Interactive Process Hollowing Variation: Tradecraft Analysis

We have successfully replicated the threadless process hollowing technique to understand how the pipes trigger it. Once the shellcode has been written as described, it needs to be activated. This activation is based on the concept that when a program makes a syscall, the thread waits for the kernel to return a value. 

In essence, the interactive process hollowing technique involves the following steps:

  • CreateProcess: This step involves spawning the cmd.exe process to inject the malicious code by redirecting STDIN and STDOUT to pipes. Notably, this process isn’t suspended, making it appear less suspicious. Waiting to read input from the pipe, the NtReadFile syscall sets its main thread’s state to Waiting and _KWAIT_REASON to Executive, signifying that it’s awaiting the execution of kernel code operations and their return.   
  • WriteProcessMemory: This is where the shellcode is written into the cmd.exe child process.
  • SetThreadContext: In this phase, the parent sets the conditions to redirect the execution flow of the cmd.exe child process to the previously written shellcode’s address by modifying the EIP/RIP in the remote thread CONTEXT.
  • WriteFile: Here, data is written to the STDIN pipe, sending an input to the cmd.exe process. This action resumes the execution of the child process from the NtReadFile operation, thus triggering the execution of the shellcode. Before returning to user space, the kernel is reading and restoring the values saved in the _KTRAP_FRAME structure (containing the EIP/RIP register value) to resume from where the syscall was called. By modifying the CONTEXT in the previous step, the loader hijacks the resuming of the execution toward the shellcode address without the need to suspend and resume the thread, which this technique usually requires.

Transacted Hollowing² (Transacted Section/Doppelgänger + Hollowing)

The malware writes the final payload in the child process logagent.exe spawned by the third-stage shellcode in cmd.exe by creating a transacted section to be mapped in the remote process. Subsequently, the malware injects fourth-stage shellcode into logagent.exe by loading and hollowing another instance of mshtml.dll into the target process. The injected fourth-stage shellcode performs the aforementioned hook bypass technique before executing the final payload previously allocated by the transacted section.

Transacted Section Hollowing

Similarly to process doppelgänging, the goal of a transacted section is to create a stealthy malicious section inside a remote process by overwriting the memory of the legitimate process with a transaction.

In this sample, the third-stage shellcode executed inside cmd.exe places a malicious transacted section used to host the final payload in the target child process logagent.exe. The shellcode uses the following:

  • NtCreateTransaction to create a transaction
  • RtlSetCurrentTransaction and CreateFileW with a dummy file name to replace the documented  CreateFileTransactedW
  • Heaven’s Gate to call NtWriteFile in a loop, writing the final shellcode to the file in 1,024-byte chunks
  • Creation of a section backed by that file (Heaven’s Gate call NtCreateSection)
  • A rollback of the previously created section by using Heaven’s Gate to call  NtRollbackTransaction

Existing similar implementations have publicly been observed in this project that implements transaction hollowing.

Once the transacted section has been created, the shellcode generates a function stub at runtime to hide from static analysis. This stub contains a call to the CreateProcessW API to spawn a suspended child process logagent.exe (c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8) that was previously dropped by cmd.exe  under the %TEMP% folder.

After the target process has been created, the sample uses Heaven’s Gate to:

  • Read its PEB by calling NtReadVirtualMemory to retrieve its base address (0x400000
  • Unmap the logagent.exe image in the logagent.exe process by using NtUnMapViewofSection 
  • Hollow the previously created transacted section inside the remote process by remapping the section at the same base address (0x400000) with NtMapViewofSection 

Process Hollowing

After the third-stage shellcode within cmd.exe injects the final Cobalt Strike payload inside the transacted section of the logagent.exe process, it continues by process hollowing the target process to write the fourth shellcode stage ultimately used to execute the final payload (loaded in the transacted section) in the remote process. The third-stage shellcode maps the legitimate Windows DLL C:\Windows\SysWOW64\mshtml.dll in the target process prior to replacing its .text with the fourth-stage shellcode and executing it via NtResumeThread. 

This additional fourth-stage shellcode written to logagent.exe performs similar evasion activities to the third-stage shellcode executed in cmd.exe (as indicated in the hook bypass section) before passing execution to the final payload.

CrowdStrike Falcon Coverage

CrowdStrike employs a layered approach for malware detection using machine learning and indicators of attack (IOAs). As shown in Figure 3, the CrowdStrike Falcon® sensor’s machine learning capabilities can automatically detect and prevent HijackLoader in the initial stages of the attack chain; i.e., as soon as the malware is downloaded onto the victim’s machine. Behavior-based detection capabilities (IOAs) can recognize malicious behavior at various stages of the attack chain, including when employing tactics like process injection attempts. 

Figure 3. CrowdStrike Falcon platform machine learning and IOA coverage for the HijackLoader sample (click to enlarge)

Indicators of Compromise (IOCs)

File SHA256
streaming_client.exe 6f345b9fda1ceb9fe4cf58b33337bb9f820550ba08ae07c782c2e142f7323748

MITRE ATT&CK Framework

The following table maps reported HijackLoader tactics, techniques and procedures (TTPs) to the MITRE ATT&CK® framework.

ID Technique Description
T1204.002 User Execution: Malicious File The sample is a backdoored version of streaming_client.exe, with the Entry Point redirected to a malicious stub.
T1027.007 Obfuscated Files or Information: Dynamic API Resolution HijackLoader and its stages hide some of the important imports from the IAT by dynamically retrieving kernel32 and ntdll API addresses. It does this by parsing PEB->PEB_LDR_DATA  and retrieving the function addresses.
T1016.001 System Network Configuration Discovery: Internet Connection Discovery This variant of HijackLoader connects to a remote server to check if the machine is connected to the internet by using the WinHttp API (WinHttpOpenRequest and WinHttpSendRequest).
T1140 Deobfuscate/Decode Files or Information HijackLoader utilizes XOR mechanisms to decrypt the downloaded stage.
T1140 Deobfuscate/Decode Files or Information HijackLoader utilizes RtlDecompressBuffer to LZ decompress the downloaded stage.
T1027 Obfuscated Files or Information HijackLoader drops XOR encrypted files to the %APPDATA% subfolders to store the downloaded stages.
T1620 Reflective Code Loading HijackLoader reflectively loads the downloaded shellcode in the running process by loading and stomping the mshtml.dll module using the LoadLibraryW and VirtualProtect APIs.
T1106 Native API HijackLoader uses direct syscalls and the following APIs to perform bypasses and injections: WriteFileW, ReadFile, CreateFileW, LoadLibraryW, GetProcAddress, NtDelayExecution, RtlDecompressBuffer, CreateProcessW, GetModuleHandleW, CopyFileW, VirtualProtect, NtProtectVirtualMemory, NtWriteVirtualMemory, NtResumeThread, NtSuspendThread, NtGetContextThread, NtSetContextThread, NtCreateTransaction, RtlSetCurrentTransaction, NtRollbackTransaction, NtCreateSection, NtMapViewOfSection, NtUnMapViewOfSection, NtWriteFile, NtReadFile, NtCreateFile and CreatePipe.
T1562.001 Impair Defenses: Disable or Modify Tools HijackLoader and its stages use Heaven’s Gate and remap x64 ntdll to bypass user space hooks.
T1055.012 Process Injection: Process Hollowing HijackLoader and its stages implement a process hollowing technique variation to inject in cmd.exe and logagent.exe.
T1055.013 Process Injection: Process Doppelgänging The HijackLoader shellcode implements a process doppelgänging technique variation (transacted section hollowing) to load the final stage in logagent.exe.

Additional Resources

CrowdStrike Defends Against Azure Cross-Tenant Synchronization Attacks

5 February 2024 at 21:52
  • Azure cross-tenant synchronization (CTS) was made generally available on May 30, 2023, and introduced a new attack surface on Microsoft Entra ID (formerly Azure Active Directory) where attackers can move laterally to a partner tenant or create a backdoor on an existing tenant.
  • CrowdStrike showcases two observed attack paths to outline how adversaries can abuse CTS
  • CrowdStrike Falcon® Cloud Security protects against cloud-aware hacktivists, eCrime adversaries and nation-state actors that might use these techniques to compromise your organization.

As Microsoft Azure continues to gain market share in the cloud infrastructure space, it has garnered attention from adversaries ranging from hacktivist and eCrime threat actors to nation-state adversaries. Recent attacks on Microsoft by cloud-focused threat actors like COZY BEAR are becoming more frequent and garnering huge attention. 

Adversaries are using novel cloud-focused techniques and tactics to achieve their goals. CrowdStrike has previously disclosed campaigns — for example, StellarParticle — that show the abuse of assets including Microsoft identities, Office 365 and more. Today, we will dive into one such adversary technique that abuses Microsoft Azure Active Directory (now called Entra ID) cross-tenant synchronization. We will show two observed attack paths to outline the impact. Let’s begin.

Ready to get instant visibility into your Active Directory? Set up a complimentary CrowdStrike AD Risk Review and stop identity-based threats today.

What Is Azure Cross-Tenant Synchronization?

Introduced by Microsoft in May 2023, cross-tenant synchronization (CTS) stands as a pivotal feature designed to streamline the automation of creating, updating and deleting B2B users/groups across tenants. This functionality empowers users and groups created through CTS to seamlessly access a spectrum of applications, ranging from Microsoft applications like Teams and SharePoint to non-Microsoft counterparts.

CTS uses a simple push operation on the “source” tenant to facilitate the synchronization of users/groups to the “target” tenant. Administrators in the target tenant retain control, with the ability to halt synchronization at their discretion or remove a source tenant by adjusting the configuration of their cross-tenant access (CTA) policy. This flexibility ensures efficient management and oversight over the cross-tenant synchronization process.

Abusing Cross-Tenant Synchronization

To abuse CTS within a Microsoft environment, attackers need specific roles that grant them the necessary privileges to create or modify CTS policy settings. Once attackers compromise a tenant, they can use existing CTS policies to move laterally to a partner tenant or add a backdoor into the tenant using CTS. 

Access to the following roles is required to abuse CTS: 

  1. Each user being synchronized needs a Microsoft Entra ID P1 license in the source tenant
  2. The attacker needs the following roles in the compromised tenant to establish persistent access:
    1. Global Administrator role to make all changes required for the attack
    2. Security Administrator role to configure CTA settings
    3. Hybrid Identity Administrator role to configure CTS
    4. Cloud Application Administrator or Application Administrator role to assign users to a configuration and delete a configuration

With the required access, attackers can take two attack paths to abuse the CTS feature:

  1. A lateral movement using CTS
  2. An identity backdoor on a compromised tenant using CTS

Figure 1 below delves into the details of both attack paths. Initially, an attacker compromises a (source) tenant and gains the necessary privileges. From there, the attacker can enumerate partner tenants with configured CTA and ensure CTS is enabled with the required inbound or outbound CTA policy. After enumeration, the attacker can leverage an already synchronized user identity to move laterally to the target tenant, thereby gaining access to the applications and services associated with that tenant. 

If the attacker wants to establish persistence on a compromised tenant, they can add an attacker-controlled tenant as a partner in a compromised tenant by creating a CTA policy with automatic user invitation redemption and enabling inbound synchronization. Subsequently, an attacker-controlled tenant can initiate the push of user accounts to compromised tenants and establish persistence by abusing CTS. The following section will dive into each attack path in detail.

Figure 1. Attack path details

Attack Path 1: Lateral Movement Using Cross-Tenant Synchronization

Adversaries can achieve initial foothold by compromising Azure tenants in multiple ways, including but not limited to vulnerabilities in public-facing applications or APIs, leaked credentials, stolen identities and zero-day exploits. Once attackers acquire the necessary access and privileges defined in the earlier section, then attackers are positioned to abuse CTS.

Figure 2. Moving laterally using CTS

 

Figure 2 shows the general flow of the attack. The attacker takes the following steps to achieve lateral movement to the target tenant:

  1. Initially, an attacker compromises a source tenant acquiring the necessary privileges. It enables an attacker to gather crucial information for lateral movement. This could be executed through various means, such as leveraging a command-line interface or console. For our purposes, this blog uses Microsoft Graph API endpoints to illustrate the attack.
  2. Subsequently, the attacker uses Microsoft Graph API to enumerate the CrossTenantAccessPolicy to find the target tenants (partner tenants) already available on the compromised tenant. The attacker tries to locate target tenant IDs where AutomaticUserConsentSettings set to outboundAllowed: true. As shown in Figure 3, the found tenant ID can potentially be abused by the attacker.

Figure 3. Attacker enumerates the CTA policy to find target tenants (partner tenants)

 

  1. Following the discovery of tenant IDs, the attacker proceeds to identify a synchronization application servicePrincipal that pushes users/groups to the target tenant. Fortunately, there is no readily available API to do this easily. This step can be broken into the following:
    1. List all servicePrincipals on compromised tenant
      GET https://graph.microsoft.com/v1.0/servicePrincipals
    2. Use each servicePrincipal to find a synchronization application used for a target tenant. The following query can be used to automate this process. If the query is successful (200 OK), then that servicePrincipal is used to create a synchronization application for a given target tenant. Figure 4 shows a successful query.
POST https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/validateCredentials
Content-Type: application/json
 
{
  "useSavedCredentials": false,
  "templateId": "Azure2Azure",
  "credentials": [
    {
      "key": "CompanyId",
      "value": "{TargetTenantId}"
    },
    {
      "key": "AuthenticationType",
      "value": "SyncPolicy"
    }
  ]
}

Figure 4. Successfully locating the servicePrincipal used in a synchronization application

 

  1. Now, the attacker employs the query depicted in Figure 5 to identify users/groups being synced to the target tenant using servicePrincipal found in an earlier step. Figure 5 also shows the username “abc” being synced to the target tenant.

Figure 5. User “abc” being synced to the target tenant

 

  1. At this juncture, the attacker has a few options to move laterally to the target tenant:
    1. The attacker can opt for an existing user that is already synced to the target tenant. This is a very stealthy method, as the attacker doesn’t need to modify a compromised tenant to move laterally to the target tenant.
    2. The attacker can add a new user to sync into the target tenant and use the credentials associated with it to attack the target tenant if CTS is properly configured and operational.
    3. The attacker can also add a new user to a group that is already synced into the target tenant if CTS is properly configured and operational.
  2. Upon successful login with the chosen user, the attacker gets access to the target tenant. Furthermore, this access extends to Microsoft or third-party applications associated with the target tenants, enhancing the attacker’s potential for exploitation.

Attack Path 2: Identity Backdoor on Compromised Tenant Using Cross-Tenant Synchronization

Once an attacker successfully compromises a tenant and acquires the necessary privileges, the establishment of persistence becomes a paramount objective. Let’s delve into the details on how an attacker might establish and maintain persistence within a compromised tenant.

Figure 6. Identity backdoor in compromised tenant using CTS

 

Figure 6 provides a visual representation of the attack flow for establishing persistent access to compromised tenants. We now break down the attack into two distinct steps:

  1. On Compromised Tenant
  2. On Attacker-Controlled Tenant

A. On Compromised Tenant

  1. The attacker needs to obtain the required access as described in the earlier section.
  2. Having obtained the necessary access, the attacker proceeds to create a new CTA incorporating the attacker-controlled tenant ID. Essentially, this action establishes the attacker-controlled tenant as a partner within the compromised tenant. Figure 7 shows Microsoft Entra ID audit logs for this maneuver.

Figure 7. Partner tenant ID addition in CTA

 

  1. Subsequently, the attacker makes further modifications by adjusting the inbound CTA settings to enable AutomaticUserConsent. Specifically, by setting “inboundAllowed”:true. This enables automatic user invitation redemption, as shown in Figure 8.

Figure 8. CTA modification to allow inbound automatic user invitation redemption

 

  1. Continuing with the attack sequence, the attacker proceeds to another modification of inbound CTA, but this time, setting “IsSyncAllowed”:true. This particular configuration allows the attacker to push user accounts into the compromised tenant, a critical step highlighted in Figure 9. With the successful completion of this step, the attacker effectively establishes a backdoor within the compromised tenant.

Figure 9. CTA modification to allow inbound synchronization

B. On Attacker-Controlled Tenant

In the realm of the attacker-controlled tenant, the actions orchestrated by the attacker remain beyond monitoring, as this tenant operates external to the organization. Consequently, we won’t add logs or API requests to show this activity. The general steps for an attacker to configure CTS are as following: 

  1. The attacker needs a tenant that has the required Microsoft Entra ID premium license.
  2. Continuing the course, the attacker proceeds to create a new CTA policy within the attacker-controlled tenant. This involves the addition of a compromised Tenant ID, effectively integrating the compromised tenant as a partner within the attacker-controlled environment.
  3. The attacker then modifies outbound CTA settings to enable AutomaticUserConsent by setting “outboundAllowed”:true. This enables an automatic user invitation redemption policy matching the compromised tenant.
  4. Subsequently, the attacker creates a CTS synchronization application and proceeds to add chosen users or groups to the CTS synchronization application.
  5. At this point, the attacker creates an automatic provisioning job to push these users and groups to the compromised tenant.
  6. The synchronization job uses the push operation to achieve the objective. This job can be forced to run on demand to push chosen users/groups to compromised tenants.
  7. With the successful push of malicious users and groups, the attacker gains an entry point into the compromised tenant. This access can extend beyond the compromised tenant, enabling the attacker to seamlessly log into Microsoft or third-party applications associated with the compromised environment.

CrowdStrike Falcon Cloud Security Detections

CrowdStrike Falcon Cloud Security unifies cloud security in a single unified platform to deliver comprehensive protection to customers against attacks on public cloud infrastructure. Falcon Cloud Security monitors attacker behavior in Azure tenants and uncovers indicators of attack (IOAs) showing abuse of Azure services and features. In this attack, Falcon Cloud Security monitors the addition of vulnerable CTS policies where an attacker either tries to move laterally or uses them as a backdoor in a tenant. Figure 10 shows a triggered IOA where a CTS policy was added with inbound user sync.

Figure 10. Falcon Cloud Security detects the addition of a vulnerable CTS policy

 

Additionally, Falcon Cloud Security provides the following IOAs and identifies misconfigurations affecting CTA policies, which helps users identify and remediate any security risks.

Cross-tenant partner given inbound access Behavior A cross-tenant partner was configured in Microsoft Entra ID to support automatic user consent for inbound access.
Cross-tenant partner user syncing enabled Behavior A cross-tenant policy was configured in Microsoft Entra ID that enabled automatic user sync.
Default cross-tenant synchronization policy allows outbound automatic user consent Configuration A cross-tenant access policy was configured with automatic outbound user consent.
Partner cross-tenant synchronization policy allows inbound user sync Configuration A cross-tenant access policy was configured with automatic inbound user consent.

CrowdStrike Best Practice Recommendation

To safeguard your Azure tenant from potential abuse of CTA and maintain a robust security posture, it’s imperative to adhere to best practices. Consider the following recommendations:

  1. Monitor external identities invited or synced into your tenant. Limit the privileges on such identities to control the blast radius.
  2. Monitor CTA policies being created on the tenant and validate any inbound or outbound settings that are modified to create exposure in the tenant.
  3. Monitor partner accounts added into tenants using CTA policies, and use a naming convention to differentiate each user from different partners synchronized into the tenant.
  4. Use secure default inbound and outbound access policies. Insecure default policies can create exposure to the tenant.
  5. Don’t trust multifactor authentication (MFA) from the source tenant for identities.
  6. Closely monitor administrator roles for any suspicious activities with respect to CTS.

Conclusion

The abuse of cloud provider services is a common technique utilized by many cloud-aware adversaries. New cloud provider features — like CTS — typically become unexplored attack surfaces for attackers as well as researchers. More often than not, new features need to gather feedback from users. This feedback often necessitates a change in design, visibility and security. This opens up a window of opportunity for adversaries to abuse the feature and find vulnerabilities.

Entra ID CTS is a feature that focuses on the ease of doing business and collaboration but is being abused by cloud-aware threat actors. Hence, cloud security practitioners need to be aware of the tactics, techniques and procedures used in this attack, where an attacker attempts to move laterally into different organization tenants or to create and maintain a backdoor in compromised tenants. CrowdStrike Falcon Cloud Security provides the necessary visibility to protect users from adversaries who might utilize these techniques to abuse CTS.

Is your cloud secure? A FREE CrowdStrike Cloud Security Risk Review quickly enables you to determine how to protect your cloud environment with a lightweight assessment that shows full threat visibility, misconfigurations and vulnerability risks, and how to detect and stop breaches from endpoint to cloud.

Additional Resources

Architecture Drift: What It Is and How It Leads to Breaches

2 February 2024 at 17:21

Cybercriminals work around the clock to discover new tactics to breach systems. Each time a digital ecosystem changes, it can introduce a weakness for a threat actor to quickly discover and exploit. As technological innovation progresses rapidly, and organizations expand their infrastructure, this weakness may take shape in the form of architecture drift. 

Today, we explore the concept of architecture drift: what it is, why it matters and how application security posture management (ASPM) can help.

Why Architecture Drift Is a Problem for DevSecOps

The rise of continuous integration and continuous delivery (CI/CD) and infrastructure-as-code (IaC) means apps, clusters and environments are constantly changing across organizations. Architecture drift occurs when an app, microservice or infrastructure “drifts” out of its intended configuration or approved operating boundaries.

Drift is difficult to detect and it introduces risk, which often isn’t seen or managed until something serious happens, such as an outage, incident or breach. It can happen in a variety of places, including:

  • Infrastructure
  • Network
  • Container orchestration
  • Application runtime
  • Business logic
  • Data flow

Architecture drift may affect infrastructure, for example, when IaC scripts such as Terraform or CloudFormation get out of sync with what’s running in the environments. For example, a development team might use a CloudFormation script to provision a new environment that declares all EC2 instances should be “t2.small.” Meanwhile, an engineer decides to manually add a “c4.large” instance to the same environment. Because C4 compute instances cost significantly more than T2 instances, this change will increase the company’s cloud bill and possibly create problems with reliability and performance.

Business Logic and Data Flows Can Drift Too

Continuous development means code, business logic, data flows and application architecture can change hourly in your environments. Depending on the level of automation and guardrails in your CI/CD pipelines, engineers might deploy code changes on demand or be required to follow a review process should a change be significant. These code changes can cause assets to drift, potentially interacting with one another and creating new risks.

A single code change can introduce new:

  • Services
  • APIs
  • Dependencies
  • Libraries
  • Third-party service calls
  • Datastore or database connections
  • Data flows
  • Risks you might not have considered or thought about

Even tiny changes can have a big impact. For example, several years ago, a small code change resulted in a personally identifiable information (PII) exposure at an enterprise. The risk made its way into production because the engineer who committed the code change didn’t know their code touched PII and stated this in their change request questionnaire. As a result, they caused code to drift and interfere with data it shouldn’t have been near, unintentionally exposing the sensitive data.

We detect and observe drift frequently among customers of Bionic, a CrowdStrike company. More often than not, that drift is related to business logic, architecture and data flows. You can’t eliminate all risks in applications or the business, but you can start to go beyond what you know and think differently about what could impact your business.

Applications are complex beasts to tame, encompassing hundreds or thousands of components and dependencies. Every code change introduces potential risk. The question is: Do you see these risks and know their potential impact?

How to Detect Architecture Drift

With application security posture management, you can detect and manage application drift in real time. ASPM allows teams to quickly baseline and lock in their application architectures, so they have drift policies that can notify them in real time, should an architecture change. For example, ASPM can detect things like new services, APIs, new libraries, ports, connections, dependencies or even data flows that an application might start to exhibit following CI/CD deployments or code changes.

ASPM flags these drifts and provides full business and application context so your teams can prioritize the cruciality of critical services or data flows that are impacted. They can also visualize where each drift is occurring so teams see the full picture and catch drift before it causes a problem.

ASPM at CrowdStrike

CrowdStrike acquired Bionic in September 2023 to bring market-leading application security to CrowdStrike’s leading cloud-native application protection platform (CNAPP). With ASPM, CrowdStrike delivers comprehensive risk visibility and protection across the entire cloud estate, from cloud infrastructure to the applications and services running inside of them.

Stay tuned for more educational blogs on this important topic! 

Additional Resources

Data Protection Day 2024: As Technology and Threats Evolve, Data Protection Is Paramount

31 January 2024 at 20:13

Today’s cybersecurity landscape poses one of the most significant risks to data. This holds true for organizations of all sizes, across all industries, tasked with protecting their most essential data amid an increasingly regulated environment and faster, more innovative adversaries.

Recent years have introduced a steady drumbeat of new data privacy regulations. There are now 14 U.S. states that have passed privacy laws. In July 2023, the Securities and Exchange Commission (SEC) adopted new rules requiring organizations to disclose material cybersecurity incidents, as well as information regarding their risk management, strategy and governance. On a global level, dozens of countries have updated their guidance on data privacy.  

Organizations must now comply with an “alphabet soup” of data protection requirements including GDPR, CCPA, APPI, PDPA and LGPD. Some of these are evolving to incentivize the adoption of stronger security practices. Newly updated regulations in Brazil, for example, give breached organizations a fine reduction of up to 75% if they have state-of-the-art protection in place at the time of a cyberattack. 

The list is growing: In 2024, many organizations will face new requirements stemming from the SEC’s new rules and state privacy laws, including amendments to the CCPA, industry-specific mandates, and those imposed on critical infrastructure by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). These developments include new incident reporting obligations and requirements to implement certain security technologies, as well as demonstrate compliance through cybersecurity audits, risk assessments, public disclosures and other measures. 

These myriad legal requirements broadly raise the bar for “reasonable” security. However, adversaries typically move faster than data protection mandates can keep up. Organizations must pay close attention to how adversaries are evolving their techniques and determine whether they’re prepared to defend their data against modern threats.

Data Extortion and the Defender’s Dilemma 

The emergence of new regulations has been a game-changer for adversaries and defenders alike. Protecting against data breaches has only grown more challenging as threat actors evolve their tradecraft and quickly learn the pressure these regulations put on breached organizations.

Today’s adversaries are working smarter, not harder. This is clear in the growth of data extortion, which has emerged in recent years as an easier, less risky means for adversaries to profit. Threat actors are shifting away from noisy ransomware campaigns, which typically trigger alarm bells in security tools — instead, they are quietly stealing victims’ data and then threatening to leak it if their financial demands aren’t met. 

The rise in data extortion has corresponded with adversaries increasingly targeting identities, a critical threat vector organizations must consider as they build their data protection plans.  Rather than relying on malware-laced phishing emails to breach target organizations, they can use a set of compromised credentials to simply log in. A growing number of access broker advertisements enables the sale of credentials, vulnerability exploits and other forms of illicit access: Last year, CrowdStrike reported a 147% increase in access broker ads on the dark web. Adversaries can now more stealthily infiltrate organizations, take valuable data and demand their price, putting victims in a tough position.

Data protection regulations change the calculus for organizations hit with data extortion — and adversaries know it. When threat actors steal information and tell their victims they’re in violation of HIPAA, GDPR, CCPA or other regulations, the stakes are higher. They know exactly how much an extortion attack will cost a business once it’s disclosed to regulators, and they can use this to coerce organizations into paying them instead. This may be a false choice, as many disclosure requirements apply regardless, but the coercion is real.

There are other ways adversaries use regulation consciousness to their advantage. In one 2023 case, a ransomware gang filed an SEC whistleblower complaint directed at one of its victims. The complaint, filed before the new SEC rules actually went into effect, attempted to claim that the victim was in violation of its duty to disclose a material cyber incident. 

Organizations must be incentivized to protect their data from modern threats. They should not feel stuck between the fear of reporting a breach and the pressure to meet adversaries’ ransom demands. With the right safeguards in place, businesses can protect their data from adversaries’ evolving attempts to access it. This is where CrowdStrike comes in. 

How CrowdStrike Can Help 

As we recognize Data Protection Day 2024, it is essential we consider what data protection involves and how critical cybersecurity is — not only for compliance, but for protecting privacy. Organizations must adopt best practices to protect their data in addition to achieving compliance requirements. 

Visibility is essential to maintain regulatory compliance and protect sensitive data from today’s adversaries. If you don’t have visibility into your data flows, your credentials or the sensitive data your organization holds, how can you know whether that data is at risk? 

An organization’s data is among its most valuable assets — and adversaries are after it. Protecting that data should be a top priority. CrowdStrike Falcon® Data Protection provides deep, real-time visibility into what’s happening with your sensitive data as it flows across endpoints, cloud, web browsers and SaaS applications. As the modern approach to data protection, our technology ensures compliance with minimal configuration and provides comprehensive protection against modern threats. 

It is more important than ever for organizations to understand data protection and data security are interdependent and cannot be considered in isolation. Both are critical in protecting privacy. Moreover, if personal data is stolen in a cyberattack, those affected can claim damages — but certain jurisdictions provide fine and liability mitigations where the breached organization can prove its cybersecurity protections were reasonable and state-of-the-art.

In this threat landscape and regulatory environment, Data Protection Day provides an opportunity for privacy and security teams to align on modern threats to privacy, risks of non-compliance and the best technical and organizational means to protect data.

Additional Resources

Falcon Fund in Focus: Aembit Strengthens Security for Workload-to-Workload Access

30 January 2024 at 20:11

The rise of distributed cloud services and the omnipresence of APIs has caused cloud-native application architecture to become highly fragmented. Enforcing secure access is a critical step in strengthening security as IT environments become more complex — but for many organizations, ensuring secure access across this evolving architecture is a constant challenge. 

Existing secure access solutions often fail to scale within customer environments as they largely focus on managing secrets, which becomes more time-consuming and error-prone in modern environments. Employing these legacy solutions can hinder an organization’s ability to scale and secure their cloud-native applications. 

Securing access to company assets is a modern security requirement and must span human and non-human identities. Like users, workloads have distinct identities and evolving security postures. Machine identities are growing exponentially, with workload identities outnumbering human identities 10:1 — a staggering ratio that doubled from 2021 to 2023. The challenges of securing these resources, and the significant losses organizations face, have created a need for a revolutionary approach to securing workload access. 

Falcon Fund partner Aembit, a workload identity and access management (IAM) platform provider, has announced a new integration with the AI-native CrowdStrike Falcon platform to empower businesses to manage and enforce conditional access policies based on the real-time security posture of their applications and services.

Aembit’s dynamic platform seamlessly identifies and authenticates workloads, authorizes access based on policies including security posture, and logs all accesses and access attempts for auditing and analytics. Aembit Workload IAM is designed to work across clouds, on-premises environments, SaaS services and third-party APIs. 

The platform drives productivity by allowing developers to take a no-code approach to authentication. It provides centralized control and visibility, and replaces outdated secrets manager solutions, shifting the paradigm to managing access — not secrets. The partnership between CrowdStrike and Aembit demonstrates a significant step forward in Aembit’s mission to help organizations make workload-to-workload access more secure and manageable. 

CrowdStrike is excited to build on its strategic investment in Aembit through CrowdStrike Falcon Fund. A key piece of this investment is a multi-faceted partnership between CrowdStrike and Aembit to ensure conditional access policies for secure workload access. Through the initial integration, customers can enforce Zero Trust for workloads with thorough and accurate assessments of workload security posture, policies that grant access based on workload identities, and conditional access dependent on workload health.

How the Integration Works

The Aembit Workload IAM solution checks to see if a CrowdStrike Falcon agent is running on the workload. It leverages CrowdStrike’s workload posture assessment, along with workload identity attestation, to evaluate the workload’s real-time security posture and determine whether workloads should be granted access to applications and data. This process ensures that access originates from a trusted workload. 

With this approach, enterprises can protect their workloads from unauthorized access, even against the backdrop of changing conditions and dynamic access requirements. Additional benefits from this partnership include:

  • Managed workload-to-workload access: Enforce and manage workload access to other applications, SaaS services and third-party APIs based on policies set by the security team, lowering risk.
  • Ease of deployment: Seamlessly integrate the Aembit Workload IAM platform with the Falcon platform in just a few clicks, creating a unified experience for managing workload identities while understanding workload security posture.
  • Zero Trust security model: Adopt a Zero Trust approach, which ensures every access request is verified before access rights are granted. Aembit’s solution enforces the principle of least privilege based on identity, policy and workload security posture. 
  • Visibility and monitoring: Gain in-depth visibility into workload identities and access permissions to drive faster threat detection and response. Monitor and audit access logs based on identity for comprehensive security oversight. 

Please visit the Aembit integration page in the CrowdStrike Marketplace to learn more and request the integration today.

Additional Resources

  • Learn more about Falcon Fund and CrowdStrike’s partnership with innovative companies.
  • See how CrowdStrike gives you comprehensive protection across your organization through our 15-day free trial.
  • Visit the CrowdStrike Marketplace to explore additional partner integrations.

CrowdStrike Named a Leader in Forrester Wave for Cloud Workload Security

30 January 2024 at 14:38

Today, we’re proud to announce that Forrester has named CrowdStrike a Leader in The Forrester Wave™: Cloud Workload Security, Q1 2024, stating “CrowdStrike shines in agentless CWP [cloud workload protection] and container runtime protection.”

Forrester identified the 13 most significant vendors in cloud workload security and researched, analyzed and scored them based on the strengths of their current offering, strategy and market presence. Highlights include: 

  • CrowdStrike was positioned as a Leader, with the highest placement of all 13 vendors in the Strategy category, as well as the highest score possible in 10 criteria, including  vision, innovation, partner ecosystem, adoption, and pricing flexibility and transparency. 
  • In the Current Offering category, CrowdStrike received the highest score possible in the criteria of agentless cloud workload protection, container runtime protection, IaC scanning, and detection and response — showcasing, in our opinion, our industry-leading protection from cloud breaches.
  • CrowdStrike received the highest score possible in the Number of Customers criterion, highlighting for us how customers around the world are racing to standardize on the CrowdStrike Falcon® platform for cloud security.

Last year, we added one-click XDR, agentless snapshot scanning for OS vulnerabilities and complete cloud attack path visualization, among countless other industry-leading capabilities to our cloud security technology to help customers simplify security operations and harden their cloud environments. 

And with our acquisition of Bionic, the pioneer of application security posture management (ASPM), CrowdStrike is the first cloud security vendor to natively secure customers in the cloud by providing complete visibility across cloud and app-level risks, delivering the industry’s most complete platform for cloud security, from code to cloud.

Forrester Ranks CrowdStrike a Leader and Highest in Strategy

Forrester gave CrowdStrike the highest score in the Strategy category, which we believe demonstrates how CrowdStrike is building on its strengths to deliver both the present and future of cloud security from the AI-native CrowdStrike Falcon XDR platform. 

Forrester recognizes the range of CrowdStrike’s cloud security capabilities in its report:

“CrowdStrike offers strong agent-based CWP for Linux and Windows and robust container runtime protection. IaC scanning is versatile and effective. Cloud detection and response capabilities are also ahead of the competition.”

To protect against the cloud threats of tomorrow, cloud security must evolve faster than the adversary. We pioneered cloud-native cybersecurity and continue to deliver the innovation needed to extend industry-leading protection across every area of the attack surface. 

“From its agent-based behavioral malware detection roots, CrowdStrike has been expanding on its AI/ML rails into CSPM and IaC scanning. CrowdStrike shows a convincing CWS vision, and its innovation potential as indicated by technical employee staffing is ahead of the competition,” according to Forrester’s report.

ASPM is one area we’re particularly excited about. With Bionic, we will extend the Falcon platform’s unique agent-based and agentless protection of cloud infrastructure with unprecedented visibility into application behavior and vulnerability prioritization for both server-based and serverless infrastructure, without disrupting the development process.

CrowdStrike doesn’t stop at industry-leading technology. We’re the only cloud security vendor with a full range of cloud threat detection and response services including incident response, threat hunting, assessment and 24/7 MDR services for your entire cloud estate.

Cloud Security for Every Organization

CrowdStrike scored a perfect 5/5 in the Number of Customers criterion in this Forrester Wave. Organizations are flocking to CrowdStrike Falcon® Cloud Security for several reasons. 

CrowdStrike’s mission is to stop breaches. To support that mission, we’re delivering a unified cybersecurity platform from endpoint to cloud with both agent-based and agentless support for cloud security. With pre-runtime and runtime protection, and agentless technology, we’re meeting customers wherever they are on their cloud security journey.

In addition, we’ve engineered CrowdStrike Falcon Cloud Security to make security operations easier. We help reduce alert fatigue by correlating cloud risks to apps and services, allowing teams to focus on the vulnerabilities with the most business risk. We also integrate the industry’s best threat intelligence into Falcon Cloud Security to continuously reduce the attack surface and speed up mean time-to-response with auto-remediation and other automations.

Finally, CrowdStrike is a platform cybersecurity company. Our platform provides comprehensive visibility across on-prem and cloud assets, including apps, data and user identity. Every module on the AI-native Falcon platform, including Falcon Cloud Security, is deployed using the same lightweight agent, a strategy that helps customers consolidate point products, eliminate security gaps and reduce operational overhead, while easily adding new protections as threats evolve.

Forrester interviewed a number of CrowdStrike customers for its report, which states: “Reference customers said that the CWP agent is easy to install.” 

This Forrester Wave for Cloud Workload Security is a trustworthy report to help tech buyers choose the right cloud security vendors. With this recognition, we’re poised to help more organizations replace immature cloud security point products and continue building one of the largest and fastest growing cloud security businesses in the industry.

Additional Resources

Beyond Compliance: Secure Your Business in the Cloud with Falcon Cloud Security

25 January 2024 at 21:58

Cloud infrastructure is subject to a wide variety of international, federal, state and local security regulations. Organizations must comply with these regulations or face the consequences. 

Due to the dynamic nature of cloud environments, maintaining consistent compliance for regulatory standards such as CIS, NIST, PCI DSS and SOC 2 benchmarks can be difficult, especially for highly regulated industries running hybrid or multi-cloud infrastructures. Challenges vary by industry but often include cloud complexity, data residency, time-consuming audits and keeping up with new regulations. 

Read: “What is Cloud Compliance? A Starter Guide for Security Professionals”

Many organizations are uncertain about their cloud compliance obligations — and who is responsible for them. Cloud security tools such as cloud security posture management (CSPM) and cloud workload protection (CWP) can help organizations meet compliance benchmarks while providing advanced protection against cyberattacks. 

Monitoring your cloud deployments against compliance frameworks provides a base level of controls and best practices. However, these deployments must also be layered with advanced protection. With cloud breaches rampant, this advanced protection is critical, as adversaries continue to evolve their techniques faster than compliance regulations can be updated. 

CrowdStrike Falcon® Cloud Security covers the four major security compliance frameworks, including MITRE ATT&CK®, CIS, NIS and ISO, as well as industry-specific requirements, including GDPR and PCI-DSS for financial services and payments, FedRAMP and FISMA for government, and HIPAA and HITECH for healthcare. 

With Falcon Cloud Security, you can identify risks and security gaps, address misconfigurations and vulnerabilities, and enforce gold-standard policies to meet industry regulations while securing your business in the cloud. 

Here’s the story of how one organization did just that. 

Going Beyond Compliance: Commercial Bank of California

As a bank built for the speed and scale of modern business, Commercial Bank of California (CBC) runs a number of web applications and APIs hosted in AWS and Microsoft Azure. In addition to adhering to federal and state regulations, PCI security standards and NACHA, CBC implements CIS benchmarks to harden its cloud environments. 

Before adopting Falcon Cloud Security, CBC had to manually identify gaps and track remediation. With CrowdStrike, the bank can automatically detect misconfigurations in near real-time and filter them by MITRE ATT&CK and compliance guidelines. Falcon Cloud Security also sorts by severity rating, allowing CBC to prioritize remediation based on risks. 

“We care about our clients’ data and the funds they entrust us to hold. We needed a solution that could both monitor and harden our multi-cloud environment so we can avoid any data loss or potential compromise,” said Kevin Tsuei, SVP Information Security Officer at CBC. “Falcon Cloud Security has been a time-saving resource for us and a valuable tool to enhance our security posture.”

CBC learned it could easily deploy Falcon Cloud Security to protect its cloud environments using the same lightweight CrowdStrike Falcon® sensor it uses to protect its endpoints and other attack surfaces. With Falcon Cloud Security, CBC can go beyond compliance to secure its business in the cloud.

“Falcon Cloud Security helped us harden our cloud environments. We can now quickly identify and fix cloud misconfigurations, secure our containers and protect our Linux servers in both AWS and Azure,” said Tsuei. “With CrowdStrike, we can remediate any cloud intrusion in less than 16 minutes, which puts our minds at ease.”


Making Cloud Compliance Easier

Cloud compliance starts with a robust, well-defined security posture that provides visibility and control with a granular view of infrastructure and workflow traffic. While all cloud security solutions help with compliance to some degree, CrowdStrike delivers comprehensive cloud detection and response, enabling a robust security posture and compliance specific to different industries and regulations. 

CrowdStrike can help you attain compliance for your cloud environment so you can focus on innovating your business. Falcon Cloud Security offers:

  • Unified compliance visibility. Use the compliance dashboard, framework details and drill-down capabilities for simple and consistent compliance auditing and reporting.
  • Compliance management. Enforce compliance of industry regulations and security benchmarks with automated compliance features and customized policies.
  • Simplified reporting. View and export results of assessments mapped to a benchmark or framework requirement. You can also export scheduled or on-demand reports of your compliance posture and non-compliant assets.
  • Remediation. Get remediation steps, alert logic and MITRE ATT&CK information for each policy. Links to related compliance information are available for quick reference throughout the user interface.

The Falcon Cloud Security compliance dashboard makes cloud compliance easier (click to enlarge)

CrowdStrike achieved 100% protection, 100% visibility and 100% analytic detection coverage in the MITRE Engenuity ATT&CK® Evaluations: Enterprise Round 5. Our cloud-native application protection platform (CNAPP) capabilities offer both pre-runtime container image scanning and runtime protection — providing complete protection against cloud breaches.

Watch this short video to see how Falcon Cloud Security makes it easier for organizations to enforce cloud compliance:

Delivered from the AI-native CrowdStrike Falcon Platform

A strong cloud security solution helps you enforce compliance throughout your security operations, while also providing a unified approach to threat prevention, visibility and security posture management to stop breaches.

While some cloud security vendors offer pieces of security, compliance and governance of policies, CrowdStrike goes above and beyond to offer unified security and compliance across the entire infrastructure, from on-premises to the cloud, in a single console and single interface as part of the AI-native CrowdStrike Falcon platform.

The result is an industry-leading cloud security solution that allows organizations to enforce cloud compliance while delivering the strongest protection against breaches.

Additional Resources

4 Major Falcon LogScale Next-Gen SIEM Updates That Accelerate Time-to-Insights

18 January 2024 at 18:17

To unlock the speed and scalability of CrowdStrike Falcon® LogScale next-gen SIEM, you must first bring your data into the powerful, cloud-native solution. And with log sources multiplying and data volumes skyrocketing, you need an easy way to collect, parse and enrich your data.

Data onboarding can be complex and time-consuming in traditional SIEM tools. Data engineering teams must contend with countless evolving log sources, formats and ingestion methods. Painful setup processes can overwhelm even the most experienced teams and lead to deployment delays, cost overruns and employee burnout.

We’ve recently introduced an array of advancements for Falcon LogScale to help you ease setup, avoid headaches and power faster security insights. Here are the most notable new features.

1. Get Started Faster with New Marketplace Packages

The Falcon LogScale Marketplace lets you fast-track the setup of next-gen SIEM with turnkey packages that include prebuilt parsers, dashboards, alerts, actions and saved queries. Installed in just a few clicks from the Falcon LogScale user interface, packages in the Falcon LogScale Marketplace make it easier than ever to unlock the potential of your entire security ecosystem.

In the last three months, we have launched over 30 new Falcon LogScale packages to help you use new data sources faster. These packages include parsers that normalize data to a common schema based on an OpenTelemetry standard. The schema allows analysts to search data without knowing the specifics of the data format, and hunt across data sources with ease. 

With this rapid release of new Falcon LogScale packages, our vision of delivering a comprehensive marketplace for next-gen SIEM is becoming reality. We plan to publish even more ready-to-use content this year to help ease adoption, scale your SIEM deployments and relieve overburdened staff.

2. Simplify Data Onboarding with CrowdStream

CrowdStream, a native capability of the CrowdStrike Falcon® XDR platform, transforms how you onboard and manage your log data by directly connecting any data source to Falcon LogScale. Sitting between data sources and their destination, CrowdStream provides an elegant and cost-effective way to route data to Falcon LogScale to accelerate the adoption of next-gen SIEM while minimizing the complexity and cost of connecting data sources.

CrowdStream not only accelerates the adoption of Falcon LogScale, it gives you visibility and control over your data. You can granularly mask or truncate sensitive data for compliance purposes. In addition, CrowdStream can enrich data with threat intelligence or geolocation information, and optionally remove extraneous fields, null values and duplicate events.

Leveraging Cribl’s observability pipeline technology, CrowdStream offers out-of-the-box integrations to collect data from a broad set of applications and devices. It can also normalize data into a consistent format before it’s routed to Falcon LogScale, making data immediately actionable for threat hunting and investigations. With CrowdStream, Falcon LogScale provides end-to-end data pipelining and event management to address a broad set of security and compliance use cases with ease.

CrowdStream is available now. Falcon LogScale customers with cloud-native deployments receive 10GB/day of data streaming at no additional cost. Unlimited data streaming is available with the purchase of an additional CrowdStream subscription beginning in February 2024.

3. Easily Extend Detection and Response to Cloud Assets with Amazon S3 Integration

More than 80% of breaches involve data stored in the cloud. As adversaries shift their focus to the cloud, you must expand your realm of visibility and control to your cloud environment.

A perfect place to start is with Amazon Web Services (AWS) data. If your organization is like countless others, you use Amazon S3 object storage to retain your cloud data. You probably store cloud logs, such as AWS CloudTrail, Amazon CloudWatch and VPC Flow Logs, in Amazon S3 buckets. Because many cloud-delivered applications and services can write logs to S3 buckets, you can forward security-relevant logs from a variety of sources to S3 storage and then pull this data into your security and observability tools.

A new Amazon S3 log ingestion feature in Falcon LogScale lets you automatically retrieve logs from S3 buckets for analysis and visualization. Flexible configuration options let you select compression, preprocessing and parser of your choice depending on the format of your data. These step-by-step instructions explain how to set up this powerful new feature in Falcon LogScale and start hunting for cloud threats at blazing-fast speed.

4. Remotely Manage and Monitor a Massive Fleet of Falcon LogScale Collectors

The Falcon LogScale Collector provides a robust, reliable way to forward logs from Linux, Windows and macOS hosts to Falcon LogScale. Gathering data from a variety of sources, including files, command sources, syslog and Windows events, the Falcon LogScale Collector swiftly sends events with sub-second latency between when a line is written on the host and when it is forwarded to Falcon LogScale.

We’ve introduced a number of enhancements that raise the bar for Falcon LogScale Collector management. For example, a new fleet management feature lets you manage Falcon LogScale Collector instances from the Falcon LogScale management interface. The Falcon LogScale Collector also now gathers CPU, memory and disk usage metrics, allowing administrators to identify and troubleshoot issues. Recent optimizations increase agent performance and resilience, and de-duplicate redundant log data.

Experience Next-Gen SIEM 

As the future of log management and next-gen SIEM, Falcon LogScale lets you collect up to 1 petabyte of data per day and query data up to 150x faster than legacy SIEMs. Between the new Marketplace packages, flexible CrowdStream observability pipeline, Amazon S3 ingestion and Falcon LogScale Collector advancements, we’ve taken Falcon LogScale to the next level, enabling you to spend more time stopping threats and less time onboarding data.

We’ve also added in-product tutorials and filter alerts, and elevated the user experience with dashboard widgets, PDF reporting and table drill-down options. For a complete list of features, see the Falcon LogScale release notes.

Our ultimate goal is to offer the world’s most effortless, automated data onboarding across all data sources, and we’re investing inordinate resources to achieve it. The innovations announced in this post are just the beginning.

Additional Resources

CrowdStrike Demonstrates Cloud Security Leadership at AWS re:Invent 2023

30 November 2023 at 17:13

CrowdStrike is honored to be named Partner of the Year for several 2023 Geo and Global AWS Partner Awards at Amazon Web Services re:Invent 2023, where we are participating this year as a Diamond Sponsor.

We are also proud to be a launch partner for AWS Built-in and achieve two AWS competencies. These accomplishments demonstrate our forward-thinking approach to cloud security and commitment to ensuring CrowdStrike customers have the strongest possible protection as the cloud threat landscape continues to evolve.

Let’s get into this week’s announcements.

CrowdStrike Wins Multiple AWS Partner Awards

CrowdStrike was recognized during AWS re:Invent as a global leader with a key role in helping customers drive innovation and build solutions on AWS. This year, CrowdStrike was selected as the winner of the following AWS Partner Awards:

  • Public Sector Partner of the Year: Recognizes CrowdStrike as the top AWS Public Sector Partner with cloud-based solutions and experience supporting government, space, education and nonprofit organizations around the world.
  • State or Local Government Partner of the Year: Recognizes CrowdStrike as the top AWS Partner with the Government Competency, delivering innovative mission-based wins for state and/or local governments.
  • Non-Profit Organization Partner of the Year: Recognizes CrowdStrike as the top AWS Partner that has delivered innovative mission-based wins for non-profits.

CrowdStrike: An AWS Built-in Launch Partner with Built-In Competency

Businesses are constantly seeking ways to fortify their cloud environments to defend against adversaries increasingly targeting the cloud. They must select the right technologies to protect their cloud-based systems and workloads and deploy these solutions in a seamless, efficient and scalable manner. 

During AWS re:invent 2023, AWS officially launched its AWS Built-in Competency partner program. The goal of this initiative is to accelerate customer success by promoting AWS Independent Software Vendor (ISV) partners delivering cloud security and operational services that integrate closely with AWS native services. 

CrowdStrike achieved the AWS Built-in Competency in the security category by automating cloud security deployment and leveraging the event-driven architecture of cloud services. For example, when new workloads are provisioned — such as the launch of new Amazon EC2 instances or creation of new AWS accounts — that event can be used to trigger specific security actions. These may include automatically deploying the CrowdStrike Falcon® sensor on Amazon EC2 for CrowdStrike Falcon® Cloud Security runtime protection, or registering new accounts for Falcon Cloud Security agentless posture scanning and behavioral analysis.

Falcon Cloud Security provides complete visibility into cloud assets and uncovers risks related to misconfigurations, software package vulnerabilities, hard-coded secrets, malware, insecure identities and more. Combining agent-based and agentless detection in a unified platform empowers Falcon Cloud Security to proactively identify, prioritize and remove critical issues in cloud environments.

The integration between Falcon Cloud Security and AWS Built-In will: 

  • Automate security deployment: Falcon Cloud Security combines several key capabilities that work together to deliver unified cloud security. These include:
  • Cloud security posture management (CSPM): Falcon Cloud Security scans AWS services to uncover misconfigurations that adversaries could use to start or extend an attack, while ingesting AWS service API telemetry to hunt for anomalous activity that may indicate an attack. 
  • Cloud workload protection (CWP): Agent-based CWP provides deep insight and AI-driven adaptive protection for workloads including Amazon EC2 instances and containerized applications.
  • Pre-runtime protection: Pre-runtime container image scanning and infrastructure-as-code (IaC) scanning identify vulnerable packages and high-risk configurations before they are implemented in production. 

Individually, each of these components could require a different deployment mechanism that may delay time-to-value, especially when protecting multiple accounts across multiple regions. CrowdStrike’s built-in solution combines these capabilities in a simple and configurable CloudFormation template. It works with AWS Control Tower to establish a secure multi-account landing zone and can independently and automatically deploy individual components in response to events in the environment, such as the creation of new Amazon EC2 instances or deployment of new accounts in an AWS Control Tower or AWS Organizations landing zone. 

Accelerate the customer’s time-to-value: The need for effective, reliable and quick integration of security tools is paramount. By streamlining the integration process, CrowdStrike empowers customers to fully harness the benefits of foundational AWS-native services while achieving complete cloud security. Our objective is to deliver a unified customer experience by eliminating the complexities of combining disparate software and data sources.

Enhance reliability and efficiency: As businesses look to migrate and expand their operations on AWS, they need a security solution that can deploy at the speed of cloud. With AWS Built-in, customers can seamlessly deploy Falcon Cloud Security and consolidate disjointed point products with the most unified cloud-native application protection platform (CNAPP), built on a combined agent-based and agentless approach for complete visibility and protection.

CrowdStrike Achieves AWS Container Competency

The AWS Container Competency recognizes ISV partners offering software designed to operate seamlessly and cost-effectively in container environments. Container clusters such as Amazon Elastic Kubernetes Service (EKS) may host hundreds, thousands or even tens of thousands of ephemeral containers in a single cluster. They rely on IaC to define automated actions that occur throughout the container and cluster lifecycle. 

Our achievement of the AWS Container Competency marks a significant milestone in our partnership with AWS. This underscores our deep and proven expertise in managing container-based applications, a critical aspect of modern cloud environments. By attaining this competency, CrowdStrike not only demonstrates its commitment to providing robust security solutions for containerized applications but also aligns closely with AWS’ high standards for performance and security.

Falcon Cloud Security’s container environment protection uses Kubernetes-native packaging and deployment features such as Operators and Helm charts to provision cluster resources such as access roles, configuration files and self-healing pod replicas. The Kubernetes Admission Controller feature discovers new cluster objects as they’re created, inspects them for risks and vulnerabilities, and enables the creation of granular policies to block, alert or log specific cluster operations. Falcon Cloud Security is designed to protect a wide range of container environments including CSP-managed and self-managed Kubernetes, Amazon Elastic Container Service (Amazon ECS), Red Hat OpenShift on AWS (ROSA) and individual Docker hosts.

CrowdStrike’s dual achievement of the AWS Built-in Competency and Container Competency is a clear testament to our forward-thinking approach in cloud security. By aligning with AWS’s high standards, we’re both reinforcing our commitment to providing advanced security solutions and ensuring these solutions are seamlessly integrated with AWS’ leading cloud services. This synergy is pivotal in today’s landscape, where the sophistication of cyber threats targeting cloud environments continues to evolve. 

Curious about Falcon Cloud Security? Explore our free, no-obligation Cloud Security Risk Review for instant and complete visibility into your entire cloud estate, provided through agentless scanning. It deploys in minutes with zero impact to your business.

Additional Resources

CrowdStrike’s View on the New U.S. Policy for Artificial Intelligence

21 November 2023 at 20:37

The major news in technology policy circles is this month’s release of the long-anticipated Executive Order (E.O.) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. While E.O.s govern policy areas within the direct control of the U.S. government’s Executive Branch, they are important broadly because they inform industry best practices and can even potentially inform subsequent laws and regulations in the U.S. and abroad.

Accelerating developments in AI — particularly generative AI — over the past year or so has captured policymakers’ attention. And calls from high-profile industry figures to establish safeguards for artificial general intelligence (AGI) in particular has further heightened attention in Washington, D.C. In that context, the E.O. should be viewed as an early and significant step addressing AI policy rather than a final word.

Given CrowdStrike’s extensive experience with AI since the company’s founding in 2011, we want to highlight a few key topics that relate to innovation, public policy and cybersecurity.

The E.O. in Context

Like the technology it seeks to influence, the E.O. itself has many parameters. Its 13 sections cover a broad cross section of administrative and policy imperatives. These range from policing and biosecurity to consumer protection and the AI workforce. Appropriately, there’s significant attention to the nexus between AI and cybersecurity, which is covered at some length in Section 4.

Before diving into specific cybersecurity provisions, it is important to highlight a few observations on the document’s overall scope and approach. Fundamentally, the document strikes a reasonable balance between exercising caution regarding potential risks and enabling innovation, experimentation and adoption of potentially transformational technologies. In complex policy areas, some stakeholders will always disagree with how to achieve balance, but we’re encouraged by several attributes of the document.

First, in numerous areas of the E.O., agencies are designated as “owners” of specific next steps. This clarifies for stakeholders how to provide feedback and reduces the odds for gaps or duplicative efforts.

Second, the E.O. outlines several opportunities for stakeholder consultation and feedback. These will likely materialize through Request for Comment (RFC) opportunities issued by individual agencies. Further, there are several areas where the E.O. tasks existing — or establishes new — advisory panels to integrate structured stakeholder feedback on AI policy issues.

Third, the E.O. mandates a brisk progression for next steps. Many E.O.s require tasks to be finished in 30- or 60-day windows, which are difficult for agencies to meet at all, let alone in deliberate fashion. This document in many instances provides for 240-day deadlines, which should enable 30- and 60-day engagement periods through RFCs, as outlined above.

Finally, the E.O. states plainly that “as generative AI products become widely available and common in online platforms, agencies are discouraged from imposing broad general bans or blocks on agency use of generative AI.” This should help ensure that government agencies explore positive use cases for leveraging AI for their own mission areas. If history is any guide, it’s easy to imagine a scenario where a talented junior staffer at a given agency identifies a key way to leverage AI at some time next year, that no one could easily forecast this year. It would be unwise to foreclose that possibility, as innovation should be encouraged inside and outside of government.

AI and Cybersecurity Provisions

On cybersecurity specifically, the E.O. touches on a number of key areas. It’s good to see specific callouts to agencies like the National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA) and Office of the National Cyber Director (ONCD) that have significant applied cyber expertise.

One section of the E.O. attempts to reduce risks of synthetic content — that is, generative audio, imagery and text. It’s clear the measures cited here are exploratory in nature rather than rigidly prescriptive. As a community, we’ll need to innovate solutions to this problem set. And with U.S. elections around the corner, we hope to see rapid advancements in this space.

In many instances, the E.O.’s authors paid close attention to enumerating AI policy through established mechanisms, some of which are closely related to ongoing cybersecurity efforts. This includes the direction to align with the AI Risk Management Framework (NIST AI 100-1) and the Secure Software Development Framework. This will reduce risks associated with establishing new processes, while enabling more coherent frameworks for areas where there are only subtle distinctions or boundaries between, for example, software, security and AI.

The document also attempts to leverage sector risk management agencies (SRMAs) to drive better preparedness within critical infrastructure sectors. Specifically, it mandates:

Within 90 days of the date of this order, and at least annually thereafter … relevant SRMAs, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security for consideration of cross-sector risks, shall evaluate and provide to the Secretary of Homeland Security an assessment of potential risks related to the use of AI in critical infrastructure sectors involved, including ways in which deploying AI may make critical infrastructure systems more vulnerable to critical failures, physical attacks, and cyber attacks, and shall consider ways to mitigate these vulnerabilities.

This is important, but we also encourage these working groups to consider benefits along with risks. There are many areas where AI can drive better protection of critical assets. When done correctly, AI can rapidly surface hidden threats, accelerate the decision making of less experienced security analysts and simplify a multitude of complex tasks.

At CrowdStrike, AI has been fundamental to our approach from the beginning and has been built natively into the CrowdStrike Falcon® platform. Beyond replacing legacy AV, our platform uses analytics to help prioritize critical vulnerabilities that introduce risk and employs the power of AI to generate and validate new indicators of attack (IOAs). With Charlotte AI, CrowdStrike is harnessing the power of generative AI to make customers faster at detecting and responding to incidents, more productive by automating manual tasks, and more valuable by learning new skills with ease. This type of AI-fueled innovation is fundamental to keep pace with ever-evolving adversaries incorporating AI into their own tactics, techniques and procedures.

In Summary

This E.O. represents a key step in the evolution of U.S. AI policy. It’s also particularly timely. As we described in our recent testimony to the House Judiciary Committee, AI is key to driving better cybersecurity outcomes and is also of increasing interest to cyber threat actors. As a community, we’ll need to continue to work together to ensure defenders realize the leverage AI can provide, while mitigating whatever harms might come from threat actors’ abuse of AI systems.

This article was first published in SC Magazine: The Biden EO on AI: A stepping stone to the cybersecurity benefits of AI

Additional Resources

Eliminate Repetitive Tasks and Accelerate Response with Falcon Fusion

20 November 2023 at 18:38

Adversaries are becoming more sophisticated and faster with their attacks. According to the CrowdStrike 2023 Threat Hunting Report, the average eCrime breakout time is just 79 minutes. This is partly due to adversaries taking advantage of tools that leverage automation like password-cracking tools, exploit kits for web browser vulnerabilities, and marketplaces that sell stolen data. Automation is making their jobs easier and more efficient and is yielding more profitable results, putting security teams at a disadvantage. Attackers use automation — and your team should too.

Inefficient and Manual Processes Are Slowing Down Your Team

Unfortunately, security analysts face more than just threats. Their day-to-day operations are plagued with numerous challenges. It’s not uncommon for security analysts to investigate and respond to a threat with inconsistent processes that include overly manual investigations that force them to correlate data across multiple, disjointed security tools. This leads to lost time, expensive mistakes and overall analyst burnout.

To level up the playing field against attackers, your security team must adopt security tools that harness the power of automation and seamlessly integrate with your ecosystem to enable them to work smarter and faster. By standardizing processes and automating repetitive tasks, your team will increase its productivity, efficiency and accuracy. Not only will they gain back valuable time to focus on higher-value operations, they will be able to respond to threats faster.

The Power of Automation Relies on Well-defined Security Processes

Getting started with security automation can be a daunting task because sometimes processes are not designed for automation. If the business logic is not defined correctly, automated processes can yield erroneous results that only become obvious when they are operational. To start your automation journey, you need to assess how it can streamline your current security operations — based on your organizational goals — by establishing priorities and identifying the repetitive and mundane tasks that hold back your team.

Once these are identified, you are ready to gradually implement automation. Start defining the process by documenting the steps the team must take, determining the information needed and where it resides, and identifying who in your organization has access to it. There are numerous security use cases that are prime candidates for automation given their recurrence and number of repetitive tasks involved, such as phishing, alert enrichments, endpoint incident response, threat hunting and more.

Selecting the right tool for the job will also give your team an advantage. Attacks are evolving fast, making use cases and security tools obsolete quicker, and you want to invest in security and IT tools that can integrate with a flexible security architecture. It can be a challenge for security teams to ensure that configurations of automation tools work with the many different point tools in use — and therefore, native automation capabilities are preferred. To successfully deploy automated workflows and orchestrate investigations and incident response, you need to evaluate tools for their ability to integrate with your current tools and also for their API ecosystem to ensure deep and standardized integrations as you expand into new use cases. 

Accelerate Investigation and Response with Native SOAR Capabilities

If you do a search for the ‘average number of security tools used by a SOC,” you’ll find data that shows companies can use 40, 50 and even as many as 60-70 security tools. Consolidating and integrating tools is a business imperative, reducing the complexity and simplifying the management of tasks and workflows. Consolidating tools not only helps reduce your budget, it allows your security analysts to conduct their day-to-day operations from a single console to reduce swivel-chair syndrome.

The CrowdStrike Falcon® platform offers native security orchestration automation and response (SOAR) capabilities through CrowdStrike Falcon® Fusion, which empowers your security team to build automated workflows to speed up threat investigation and response. Fully integrated with the CrowdStrike Falcon platform and its product modules, Falcon Fusion orchestrates workflows across the platform and with third-party tools such as ticketing systems that enhance collaboration and bridge the gap between security and IT. Your team will have access to high-quality security data, automated workflows, integrations and response actions, all from the unified Falcon platform.

Increase SOC Productivity and Reduce Analyst Burnout with Falcon Fusion

The ability to systematize your incident response plan into automated workflows gives your security analysts the power to increase consistency and accuracy as they resolve threats. The Falcon Fusion no-code interface results in workflow builds in just minutes – teams simply select the trigger, define conditions and configure the actions. It also enables you to orchestrate complex use cases with conditional branching and logic, and to schedule them to run continuously. For common security use cases, Falcon Fusion provides pre-built playbooks to give your security a head start automating your security operations processes, all from the same console that your team already uses. 

With over 61,000 unique workflow definitions, Falcon Fusion gives you limitless opportunities to automate your processes to make them more efficient. By integrating with Falcon Real Time Response, your analysts will be able to import customized scripts, created by them or from the library, to expand the actions that they can perform with their workflows for immediate remediation. And, due to its native integration across Falcon platform modules, Falcon Fusion extends the automation power of each module like CrowdStrike Falcon® Intelligence Recon for digital threat monitoring, CrowdStrike Falcon® Spotlight for automated vulnerability remediation and more.

Security automation is essential to defend your attack surface and give your security team a fighting chance against adversaries. By automating workflows such as investigating incidents faster, scaling vulnerability patching and containing hosts to stop lateral movement, Falcon Fusion will up-level your team to punch above their weight and reduce your mean time to respond (MTTR) to better protect your organization and keep adversaries at bay. 

Additional Resources

❌
❌