CrowdStrike’s Automated Remediation

March 18, 2021



Attacks today are sophisticated with many moving parts that can leave a wake of debris even if they are detected and stopped. There could be additional lingering processes, files that might be dropped, or startup mechanisms put in place to try to establish persistence.

While CrowdStrike does block malicious files outright based on their attributes, leveraging Indicators of Attack to analyze a threat’s behavior is an extremely powerful approach to identifying what an attacker is trying to accomplish and preventing breaches.

Because Indicators of Attack are detected from behavior, earlier phases of the attack’s tactics, techniques, and procedures (TTPs) may already have been carried out on the host before the actual damage is blocked. These TTPs could potentially generate artifacts that are leveraged at different phases of the attack.

After detecting malicious behavior based on an Indicator of Attack, CrowdStrike’s Automated Remediation safely cleans up the supporting artifacts that were spawned.



Easy to implement

Automated remediation is simple to enable in the Prevention Policy. Once enabled, it works automatically from then on.

[Image: Automated Remediation Prevention Policy]

Automatically remediate systems impacted by malicious behavior

When malicious activity occurs on a host, CrowdStrike will analyze its behaviors. If the process is convicted, CrowdStrike will automatically remove the artifacts it created, even if they have never been seen before and their only connection to the process is that it created them.

It also automatically kills associated processes and reverses registry modifications.

[Image: Automated Remediation on the host]

In the Falcon console, when we look at the detection, an indicator shows that a remediation action was performed.

[Image: Automated Remediation Detection]

A timeline shows all the remediation actions that have been performed. The details of those actions, such as any files quarantined, processes killed, and registry values deleted, are available. Quarantined files can also be released.

[Image: Automated Remediation Timeline]

A list of all the remediation activity across the entire organization is also available. This helps us better understand which hosts are being remediated and whether any additional steps could be taken to prevent future breaches.

[Image: Automated Response All Responses]


CrowdStrike’s Automated Remediation can save time and help protect the organization by automatically removing artifacts dropped by malicious actors. This simple approach can help reduce risk and lets analysts focus on higher-priority tasks.