
CrowdStrike a Research Participant in Two Latest Center for Threat-Informed Defense Projects

  • As a global cybersecurity industry leader and a Research Partner for the MITRE Engenuity Center for Threat-Informed Defense, CrowdStrike provided expertise and thought leadership to two of the Center for Threat-Informed Defense’s latest research projects.
  • The Sensor Mappings to ATT&CK project aimed to map sensors and other data sources to the MITRE ATT&CK® framework techniques so SOCs know which tools and capabilities to check for the use of TTPs that would indicate their environment is under attack.
  • The Insider Threat TTP Knowledge Base Version 2 project sought to enhance a repository of tactics, techniques and procedures (TTPs) used by insider attackers by including nontechnical indicators, plus their respective mitigations, helping organizations prevent and defend against insider cybersecurity threats.

Organizations worldwide rely on the MITRE ATT&CK framework as a critical resource for defending against cyberattacks. The MITRE ATT&CK framework is also a key tool for advancing threat research in the cybersecurity industry. However, one of the challenges in using the MITRE ATT&CK framework is mapping the output from logs, sensors and other tools to the ATT&CK data sources defined in the framework. As a result, it’s not always clear to SOCs how to use the tools and services at their disposal to provide visibility into specific adversary behaviors or threats that put their environment at risk.

The MITRE Engenuity Center for Threat-Informed Defense launched the Sensor Mappings to ATT&CK project to address gaps in this area by mapping sensor events to ATT&CK data sources. When complete, this effort will help SOCs understand which of their tools and/or system capabilities they should monitor to spot specific ATT&CK techniques that adversaries use, as well as identify which tools and/or system capabilities the SOC should acquire to address any gaps in coverage. Ultimately, the Sensor Mappings to ATT&CK project will make the MITRE ATT&CK framework even more valuable.

Sometimes, the threat of a cyberattack comes from within an organization rather than from outside adversaries. Insider threats pose a unique challenge to SOCs. They are often difficult to detect — the attacker is already within the network and possesses valid, active credentials to critical resources — and they can do considerable damage. The Center for Threat-Informed Defense’s initial Insider Threat TTP Knowledge Base project identified the most commonly used TTPs for insider attacks across a wide range of industries for inclusion in a repository. The project also included mitigations for these TTPs, providing a method for organizations to take the actions needed to defend their systems against insider threats.

In the recently completed Version 2 of this project, the TTPs were expanded beyond the technical mechanisms used by insiders on IT systems that were identified in Version 1 to include nontechnical indicators. These observable human indicators (OHIs) include facts about a person or their role that might elevate their risk of being an insider threat.

CrowdStrike was a participant in both of these projects — the latest example of our commitment to cybersecurity industry research.

Sensor Mappings to ATT&CK

There are several key deliverables for the Sensor Mappings to ATT&CK project, which has the ultimate goal of extending ATT&CK data sources to link techniques to tools, capabilities and data sources such as sensors that can provide visibility. Achieving this goal will allow SOCs to better understand their current defensive capabilities so they can fill any gaps (through analytics, tools or other means) and more effectively search for threats.

  1. Methodology: Create a document and specification that describes how to map system logs, sensors and capabilities to ATT&CK data sources.
  2. Data Model: Create a new data model or extend existing models to include data source, data components, data elements, relationships and event/telemetry data.
  3. Mappings: Conform to the specification defined in Methodology, including a resource that will host the mappings for the purposes of review, download and analysis of coverage.
  4. Usability: Identify tools, documentation and other resources.
  5. Logs, Sensors and Capabilities: Include coverage of Sysmon (all events), Windows Event Log (any security-related events), Osquery, auditd, Zeek and AWS CloudTrail.

Mapping: Using Data Sources, Data Components, Data Elements, Relationships and Event/Telemetry Data to Detect Specific ATT&CK TTPs

The model below shows how the domains are mapped together through data sources, data components, data elements, relationships and event/telemetry data.

Figure 1. The goal of this project is to better connect the defensive data in ATT&CK with the way operational defenders analyze potential adversaries/behaviors (Source: Center for Threat-Informed Defense)


The Sensor Mappings to ATT&CK project includes the creation of a STIX 2 representation of the mappings (providing ease of use for teams that already work with STIX) as well as a command-line interface (CLI) tool.
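To make the data model concrete, here is an added example (written for this page, not code from the Center for Threat-Informed Defense or its project repository) that models the chain the deliverables describe: a sensor event maps to an ATT&CK data component and data source, a technique lists the data components that give visibility into it, and from those two tables a SOC can ask which enabled sensors cover a technique and which techniques have no coverage at all. The mapping rows are a small constructed sample that approximates ATT&CK's published data components; the `x-sensor-event` object type, the `detects` relationship and the generated STIX identifiers are assumptions made for the example, not the project's schema.

```python
"""Illustrative sensor-to-ATT&CK mapping model (added example, not the project's code)."""
from __future__ import annotations

import json
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SensorEvent:
    sensor: str          # tool that produces the event, e.g. "Sysmon", "auditd", "Zeek"
    event: str           # event id or log name as the sensor reports it
    data_source: str     # ATT&CK data source id, e.g. DS0009 (Process)
    data_component: str  # ATT&CK data component name


# Constructed sample rows approximating ATT&CK's published data components.
SENSOR_MAPPINGS = [
    SensorEvent("Sysmon", "Event ID 1", "DS0009", "Process Creation"),
    SensorEvent("Windows Event Log", "Security 4688", "DS0009", "Process Creation"),
    SensorEvent("auditd", "SYSCALL execve", "DS0009", "Process Creation"),
    SensorEvent("Sysmon", "Event ID 3", "DS0029", "Network Connection Creation"),
    SensorEvent("Zeek", "conn.log", "DS0029", "Network Connection Creation"),
    SensorEvent("Sysmon", "Event ID 11", "DS0022", "File Creation"),
    SensorEvent("Sysmon", "Event ID 13", "DS0024", "Windows Registry Key Modification"),
]

# Data components that give visibility into each technique (constructed sample;
# the authoritative lists are on the ATT&CK technique pages).
TECHNIQUE_COMPONENTS = {
    "T1059": {"Process Creation"},                                # Command and Scripting Interpreter
    "T1071": {"Network Connection Creation"},                     # Application Layer Protocol
    "T1105": {"File Creation", "Network Connection Creation"},    # Ingress Tool Transfer
    "T1547.001": {"Windows Registry Key Modification"},           # Registry Run Keys / Startup Folder
    "T1078": {"Logon Session Creation", "User Account Authentication"},  # Valid Accounts
}


def coverage(enabled_sensors: set[str]) -> dict[str, list[str]]:
    """Map every technique to the enabled sensor events that give visibility into it.

    An empty list is a coverage gap the SOC should close with another sensor,
    an analytic, or a new tool.
    """
    have = [m for m in SENSOR_MAPPINGS if m.sensor in enabled_sensors]
    return {
        tech: sorted(f"{m.sensor}:{m.event}" for m in have if m.data_component in comps)
        for tech, comps in TECHNIQUE_COMPONENTS.items()
    }


def gaps(enabled_sensors: set[str]) -> list[str]:
    """Techniques that none of the enabled sensors can observe."""
    return sorted(t for t, events in coverage(enabled_sensors).items() if not events)


def to_stix_bundle(mappings: list[SensorEvent]) -> dict:
    """Emit the mappings as a STIX 2.1 bundle.

    Each sensor event becomes a custom x-sensor-event object linked by a
    'detects' relationship to an x-mitre-data-component id (the component ids
    here are placeholders derived from the component name, not ATT&CK's real ids).
    """
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for m in mappings:
        event_id = f"x-sensor-event--{uuid.uuid4()}"
        component_id = f"x-mitre-data-component--{uuid.uuid5(uuid.NAMESPACE_URL, m.data_component)}"
        objects.append({"type": "x-sensor-event", "spec_version": "2.1", "id": event_id,
                        "created": now, "modified": now,
                        "name": f"{m.sensor} {m.event}", "x_data_source": m.data_source})
        objects.append({"type": "relationship", "spec_version": "2.1",
                        "id": f"relationship--{uuid.uuid4()}",
                        "created": now, "modified": now,
                        "relationship_type": "detects",
                        "source_ref": event_id, "target_ref": component_id})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    enabled = {"Sysmon", "Zeek"}
    for tech, events in coverage(enabled).items():
        print(f"{tech:10s} {', '.join(events) or 'NO COVERAGE'}")
    print("gaps:", gaps(enabled))
    print(json.dumps(to_stix_bundle(SENSOR_MAPPINGS), indent=2)[:400], "...")
```

Running the script with only Sysmon and Zeek enabled reports T1078 as uncovered, which is the kind of gap the project aims to surface: no enabled sensor produces a logon-session or authentication data component, so the SOC knows to add one rather than assume the technique is monitored.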

Insider Threat TTP Knowledge Base Version 2

Insider threats can be employees, former employees, contractors, partners, service providers or anyone who has knowledge about and/or access to an organization’s computer systems and network. Insider threats are particularly challenging for SOCs to detect and defend against. Security solutions are primarily focused on detecting and defending against cyberattacks launched by external adversaries, so what might otherwise be suspicious behavior from within is often assumed to be legitimate use — if it’s detected at all. In addition, insiders often have the advantage of knowing details about the system and network settings and security measures. They may even have knowledge about exploitable security shortcomings or vulnerabilities.

CrowdStrike was a big part of the initial Insider Threat TTP Knowledge Base project, contributing data and expertise (you can read about that effort here). In Version 2 of the project, the primary deliverable is to expand the scope of the original project to include nontechnical OHIs, including:

  • Subject with elevated privileges
  • Monitoring status of subject
  • Telework status of subject
  • Performance improvement plan required
  • Turnover rate of subject’s role
  • Time at company
  • Management level
  • Seniority of subject
  • Government security clearance

CrowdStrike researchers provided insider threat expertise and anonymized instances of insider threats for aggregation by the Center for Threat-Informed Defense team. This data allowed the team to determine the most common tactics and techniques that are employed by inside actors. In addition, our researchers helped define the mitigations for the identified insider threats and provided thought leadership on topics covered by this research, including the concept of OHIs.

Contributing to Center for Threat-Informed Defense Projects: CrowdStrike’s Ongoing Commitment to Cybersecurity Research and Innovation

CrowdStrike’s commitment to cybersecurity research and innovation is reflected in the best-in-class protection of the CrowdStrike Falcon® XDR platform.

Adversaries never stop their relentless march toward more sophisticated tradecraft, but CrowdStrike researchers and threat analysts are always watching and hunting for novel attack techniques — including insider threats. CrowdStrike researchers publish many of their findings, sharing information in the name of improving defenses globally against dangerous new adversary tactics and previously unknown malware. The findings of CrowdStrike researchers also benefit independent cybersecurity testing organizations, which are able to update their tools and evaluation processes to reflect the latest threats and tactics.

Our commitment to research extends to being a Research Partner at the MITRE Engenuity Center for Threat-Informed Defense. The Center for Threat-Informed Defense’s mission — “to advance the state of the art and the state of the practice in threat-informed defense globally” — is an important one that CrowdStrike is proud to support. CrowdStrike’s participation in the Center for Threat-Informed Defense’s Sensor Mappings to ATT&CK and Insider Threat TTP Knowledge Base projects capped a 12-month period in which CrowdStrike participated in four major research initiatives with the Center for Threat-Informed Defense. CrowdStrike looks forward to continuing to provide expertise and thought leadership to the Center for Threat-Informed Defense.

You can learn more about the Center for Threat-Informed Defense’s Sensor Mappings to ATT&CK project here and the Insider Threat TTP Knowledge Base Version 2 project here.


CrowdStrike Is Proud to Sponsor the Mac Admins Foundation

15 February 2024 at 16:50

CrowdStrike is proud to announce its official sponsorship of the Mac Admins Community through its not-for-profit arm, the Mac Admins Foundation. CrowdStrike joins a distinguished list of sponsors at the highest level.

The Mac Admins Foundation serves as a vibrant hub of collaboration, information sharing and professional growth for the Mac Admins Community. Founded in 2015 and with more than 40,000 members, the Mac Admins Foundation provides a “global online community of IT professionals who specialize in Apple hardware and software.” The community is an amazing network of peers committed to helping each other learn and grow when it comes to all things related to macOS devices.

This focus on community aligns perfectly with the CrowdStrike ethos. CrowdStrike is built on the power of the crowd. Our community consists of tens of thousands of customers, partners and security practitioners around the world dedicated to defeating adversaries, defending our estates and stopping breaches.

Also aligned with the CrowdStrike ethos is the focus on innovation. Members of the Mac Admins Community are constantly creating — new ideas, businesses and applications — on their machines. CrowdStrike is also relentlessly working to strengthen organizations’ defenses against evolving cyberattacks without getting in the way of great work. We are proud to know today’s innovators are turning to CrowdStrike to secure their best, most critical work. 

We’re excited to join these two powerful communities to learn from and support each other on our shared missions. 

CrowdStrike: Dedicated to Protecting macOS Devices and Stopping Breaches

macOS has become a frequent target of cyberattacks as it has increased in popularity for business and enterprise applications. While macOS provides strong security features, adversaries continue to develop malware specifically targeting macOS, including ransomware, backdoors and trojans.

CrowdStrike is dedicated to protecting the macOS community and devices through research and technology. CrowdStrike researchers continue to track a growing number of attacks targeting macOS devices. The CrowdStrike Falcon® platform delivers industry-leading protection against a broad spectrum of attacks targeting macOS — from commodity and zero-day malware, ransomware and exploits to advanced malware-free and fileless attacks. 

CrowdStrike continually participates in third-party testing to demonstrate the efficacy of the Falcon platform in protecting against macOS threats. In 2023, CrowdStrike Falcon® Pro for Mac won the AV-Comparatives Approved Mac Security Product award for the sixth consecutive year. During testing, Falcon Pro for Mac achieved 100% protection against Mac malware, with zero false positives and with no observable performance reduction on the Macs used for testing.

During the testing, AV-Comparatives collected 309 Mac malware samples that were representative of what the organization detected being used in the wild during the first half of 2023. Testers inserted USB flash drives containing these malware samples into the Macs, providing the first opportunity for security products to detect and protect against the malware. Any samples that were not detected were then copied to the Mac’s system disk and executed. If a security solution did not detect and neutralize the sample by this stage, it was considered a miss.

Of the 309 Mac malware samples employed during testing, Falcon Pro for Mac had zero misses, providing 100% detection and 100% protection. There were zero false positives recorded. The Mac computers used in testing showed no observable performance reduction thanks to the lightweight Falcon sensor. 

Deepening Our Connection to the Mac Community 

As a global leader in cybersecurity, our commitment to the Mac community starts by delivering the device protection required to keep businesses running on macOS devices. And through the sponsorship of the Mac Admins Community, we’re extending our support to the amazing Mac Admins and the people behind the devices.

We believe that open and technical communities like Mac Admins drive the collaboration needed to build and scale the core technologies that power the software and devices that millions of people love and that countless businesses run on. We’re thankful for the hard work of the Mac Admins Community and proud to be a sponsor. 


CrowdStrike Brings AI-Powered Cybersecurity to Small and Medium-Sized Businesses

15 November 2023 at 13:36

Cyber risks for small and medium-sized businesses (SMBs) have never been higher. SMBs face a barrage of attacks, including ransomware, malware and variations of phishing/vishing. This is one reason why the Cybersecurity and Infrastructure Security Agency (CISA) states “thousands of SMBs have been harmed by ransomware attacks, with small businesses three times more likely to be targeted by cybercriminals than larger companies.” 

In a desperate attempt to defend themselves, SMBs often turn to traditional antivirus (AV) software and even off-the-shelf consumer AV solutions. But these offerings simply can’t keep up with modern attacks. Referred to as “legacy AV,” these solutions are reactive and only able to defend against known malware or ransomware previously cataloged by the AV provider. This is too slow and reactive to stop modern adversaries. It only takes one attack to slip through legacy defenses to bring a business to a halt, or worse, result in a company-ending event.  

Legacy AV is also difficult to manage, especially with limited IT and security staff. The average deployment of these products is three months. In addition, they require quite a bit of tuning and manual configuration to be fully functional, adding to the operational burden of managing and updating legacy security tools.

Uncertain of which cybersecurity offering to buy and then deploy, many businesses throw up their hands in defeat. One poll shows 60% of SMBs use no cybersecurity measures at all. 

SMBs deserve cybersecurity that’s simple, affordable and effective. Today, we’re announcing a new release of CrowdStrike Falcon® Go to bring our industry-leading, AI-powered cybersecurity protection to SMBs in a package that’s never been easier to purchase, install or operate. 

SMBs Need Cybersecurity That Works

CrowdStrike knows how cybercriminals work and why they target SMBs. We also understand SMBs are often understaffed, resource-constrained and lack in-house security expertise. 

Falcon Go delivers award-winning cybersecurity to protect SMBs against ransomware, malware and unknown threats. This simple yet powerful solution leverages modern technology, including machine learning, behavioral detection and AI, to deliver best-in-class protection against the cyber threats of today and tomorrow. With Falcon Go, small businesses can get the same enterprise-grade protection trusted by the world’s largest organizations and governments in a simple user experience designed for their needs.

SMBs no longer need to worry about staying ahead of evolving cyber threats. Powering Falcon Go is the world’s leading AI-native CrowdStrike Falcon® platform, which collects and analyzes trillions of endpoint events per week, giving SMBs the power of the crowd in a solution that even non-technical staff can use to keep their business safe. 

While other SMB cybersecurity solutions may offer simplicity, businesses need security that actually stops breaches. The Falcon platform scored 100% ransomware prevention in SE Labs testing, demonstrating that SMB cybersecurity can be both simple and effective.

Frictionless Purchasing and Installation in Seconds

CrowdStrike is making it easy for SMBs to purchase elite protection and quickly protect their company. Starting today, Falcon Go is available on Amazon Business, allowing SMBs to purchase industry-leading cybersecurity from the same website that millions of businesses use to purchase everyday business items.

Once purchased, users can instantly download and install Falcon Go to begin preventing threats with a guided setup wizard that recommends pre-configured protection levels. With Falcon Go, small businesses can immediately see which devices are protected and any threat activity, with guided and automated next steps to resolve security concerns. Falcon Go also makes it easy to expand protection to new devices, allowing the solution to support business growth. 

SMBs need simple, fast, modern cybersecurity to stop breaches at a price they can afford. With the release of Falcon Go, small businesses can get AI-powered, award-winning cybersecurity with easy purchasing, installation and operations to stop modern cyberattacks. 

To get started with a free trial of Falcon Go, visit the CrowdStrike website.
