This document and video will provide an overview of CrowdStrike’s Intelligence services and the importance of consumable intelligence.
Intelligence Services Overview
Threat Intelligence is a key component of CrowdStrike’s effective approach. It is critical that organizations have consumable Intelligence so that they can understand the adversary, learn from attacks and take action on indicators to improve their overall defenses.
That approach goes beyond being just another threat feed. Starting with a customer onboarding process, CrowdStrike works to understand your business, third-party tools and existing processes so that the Intelligence information provided is both relevant and useful. Below are a few examples of how CrowdStrike’s Intelligence Services differ from the competition.
Ease of Use
The Intelligence Dashboard provides an overview of the latest information and reports. You can drill down into this report to view specific items or use the map to perform your own searches starting with country.
After clicking on a given country, you see additional filter options so that you can research the latest alerts based on the target countries, target industries, actors or motivations.
From the Intelligence menu, you can also elect to have a subscription to receive these alerts directly via email.
That menu gives you the option to set the frequency of email updates along with your areas of interest as shown below.
CrowdStrike provides customized content including business sector briefs and tailored intelligence. During the onboarding process, CrowdStrike will collect information on key phrases, product names, critical infrastructure, terms or people.
Below, you see the option for “Tailored Intelligence” in the Intelligence application on the left menu.
That option takes you to a list of all the monitored keywords for your organization. With the information gathered during onboarding, CrowdStrike will monitor the Internet and report on any mentions that could indicate a targeted attack on your organization.
You can drill down on the “Keyword Names” to see the full list of hits. You can view the details of each hit including date, time and complete text.
Access to Experts
CrowdStrike’s Intelligence experts track the activity of over one hundred threat actors around the world. That information can help you understand the adversary and their motivations while also empowering you to take action to improve your organization’s defenses. You will see an option to do research by “Actors” in the Intelligence menu.
Like before, the Actor search includes a filter option so that you can home in on your specific areas of concern.
For each actor, you will also find a detailed profile that summarizes the findings of CrowdStrike’s Intelligence experts, including the commonly targeted industries and countries for each actor. Also included are any known Command & Control addresses and frequently leveraged vulnerabilities. That kind of information can help you bolster your existing defenses against a specific adversary.
From the actor profile, you will also find links to related alerts and Tipper reports. Tipper reports are very detailed, including additional Indicators of Compromise as well as hunting tools like YARA rules.
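Taking action on the indicators in an actor profile or Tipper report means matching them against your own telemetry. The following is an added example, not CrowdStrike code or part of this page: a small Python sweep that refangs a constructed, Tipper-style indicator list (a domain, an IP address and a SHA-256 hash), classifies each indicator, and matches it against constructed proxy and process log lines. The indicator values, the log layout (host name as the second field) and the defanging conventions are assumptions made for the example.

```python
"""Added example (not CrowdStrike code): sweep local logs for indicators
taken from an actor profile or Tipper report.

All values below are constructed for illustration: the indicator list,
the log lines and the "host is the second field" layout are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass


def refang(value: str) -> str:
    """Shared indicators are usually defanged (hxxp, [.]) so they cannot be
    clicked by accident; normalise to a plain lowercase host/hash string."""
    v = value.strip().lower()
    v = re.sub(r"^(hxxps?|https?)://", "", v)
    v = v.replace("[.]", ".").replace("(.)", ".")
    return v.split("/")[0]  # keep only the host part of a URL


@dataclass(frozen=True)
class Indicator:
    kind: str  # "domain", "ip" or "sha256"
    value: str


def classify(raw: str) -> Indicator:
    v = refang(raw)
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return Indicator("sha256", v)
    try:
        ipaddress.ip_address(v)
        return Indicator("ip", v)
    except ValueError:
        return Indicator("domain", v)


def _pattern(ind: Indicator) -> re.Pattern:
    """Anchor each indicator so partial matches do not fire: a domain also
    matches its subdomains, an IP must be a whole address, a hash must be
    the whole 64-hex run."""
    v = re.escape(ind.value)
    if ind.kind == "domain":
        return re.compile(r"(?<![a-z0-9-])" + v + r"(?![a-z0-9-])")
    if ind.kind == "ip":
        return re.compile(r"(?<![0-9.])" + v + r"(?![0-9.])")
    return re.compile(r"(?<![0-9a-f])" + v + r"(?![0-9a-f])")


def sweep(raw_indicators, lines):
    """Return {host: [(line_no, kind, value), ...]} for every log line that
    contains one of the indicators."""
    compiled = [(ind, _pattern(ind)) for ind in map(classify, raw_indicators)]
    hits = {}
    for n, line in enumerate(lines, start=1):
        low = line.lower()
        fields = low.split()
        host = fields[1] if len(fields) > 1 else "?"
        for ind, pat in compiled:
            if pat.search(low):
                hits.setdefault(host, []).append((n, ind.kind, ind.value))
    return hits


# Constructed indicator set in the defanged form a report would use.
CONSTRUCTED_INDICATORS = [
    "hxxp://update-check[.]example-bad[.]test/",
    "203.0.113.45",  # TEST-NET-3 address, not a real C2
    # SHA-256 of the empty file, used only as a placeholder hash
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

# Constructed log lines: timestamp, host, then event details.
CONSTRUCTED_LOG = [
    "2024-01-01T10:00:00Z ws-042 GET update-check.example-bad.test/ping 200",
    "2024-01-01T10:00:05Z ws-042 CONNECT 203.0.113.45:443 200",
    "2024-01-01T10:00:09Z ws-017 GET www.example.com/ 200",
    "2024-01-01T10:01:00Z ws-042 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 image=svchost.exe",
]

if __name__ == "__main__":
    for host, found in sweep(CONSTRUCTED_INDICATORS, CONSTRUCTED_LOG).items():
        for line_no, kind, value in found:
            print(f"{host}: line {line_no} matched {kind} {value}")
```

The anchoring in `_pattern` is the part worth keeping when adapting this: a bare substring match on an IP such as 203.0.113.4 would also fire on 203.0.113.45, and a parent-domain indicator should catch its subdomains but not unrelated names that merely end in the same string.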
In the event that you need to do research on a specific sample, Intelligence customers also have the option to submit malware files for CrowdStrike analysis.
The “Submit Malware” page allows you to upload a file along with a description to CrowdStrike’s Intelligence team for complete analysis. This is more than the “request for detection” that other vendors offer. The result of this request is a complete report detailing the behavior of the file. It could even result in a Tipper report or Intelligence alert.
As you have seen, CrowdStrike’s Intelligence offerings give you customized intelligence that is accessible and easy to use. It is much more than just another threat feed. CrowdStrike provides a solution tailored for your organization to maximize the usefulness of the data, improve your response capabilities and reduce the risk of breach.
How to Contain an Infected System
Hi there. My name’s Peter Ingebrigtsen. And today, we’ve logged into falcon.crowdstrike.com, or the Falcon User Interface.
And what we’re going to do is take a look at some of our systems and recognize that some of them are either currently under attack or have recently been under attack, and may have been compromised. And we’d like to contain that system until we can further get to it, get our hands on it, and get a little bit more information out of it, or just prevent it from doing any more damage than it’s already done.
In order to do that, you need to be on your Detections app. You can do that by going to the radar here on the left-hand side. If you’re not already, or if your user interface doesn’t open that when you first log in, head there. And then just select the Recent Detections.
When that opens, you’ll notice that you can filter by any number of criteria, but we’re looking at some of the more recent events or situations that are going on. And you’ll notice that the same single machine has noticed a lot of different scenarios with privilege escalation or web exploits. And these severities are high to critical.
And we’d like to log in there, maybe do a little something, take a little closer look, and see if there’s something we should do. Obviously, we should do something. And as we start to dig through here, we see that there’s a lot of detection patterns, whether that be known malware, credential theft, or web exploits. We can see in the process tree a lot of different commands that were issued that look at that privilege escalation that we noticed earlier– or start to set that up.
So, we know that there’s something bad going on, and we’d like to take action right away. So, what we want to do is network contain this machine. But what I want to show you, as well, is that as we do this– I’m going to go to the machine itself. And I’d like to start a continuous ping so that you can watch the behavior and how long it takes to respond to this network containment.
Now, while we contain this– or take this machine off the network– we don’t kill the connection to the CrowdStrike Cloud. So, that as we get our hands on it– we clean it up, we feel comfortable putting it back on to the network– we can still operate or control that machine through the user interface that we have here.
The other thing I’d like to do is start a large download, so that we initiate with a single TCP connection– and there happens to be one in process– as opposed to the ping, where there may be multiple TCP resets or individual TCP threads going every time. So that you can see that as we contain this machine, it literally just knocks it off the network.
Forgive my screen, but I’ve changed the resolution for YouTube and for appearance purposes.
But as I come in here– and this will be right at the middle of the screen– this actually says Device Actions. And I’d like to contain it.
Now, as we do that, we have some options to make some notes. Contained by Peter. Multiple threats observed. Whatever notes you’d like to make– and then select Contain.
Now, the second we do this, on the left-hand side, you’ll see how quickly it takes for that to respond. So, immediately, almost in real time, you see a network failure on the download, and the ping test– or the continuous ping– fails. So, we can close that.
Now, let’s say we’re a couple days later, this machine’s cleaned up, ready to go, and be put back in the network. You can go ahead and lift the network containment, again, from the user interface. We still have that connection to the machine, even though all the other network connections have been terminated.
So, as we do that, all good. Uncontain. And you’ll notice that almost immediately that ping starts to fire right back up again.
So, network containment is a powerful tool that we can use if we see something immediately taking action or if we see something recently in the past, and we’d like to get that machine off the network– almost quarantine it– so that it can’t do any more damage.
So, this has been network containment of network devices in the Falcon Sensor User Interface platform. Thanks again for watching.
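To make the design point of the demonstration explicit, here is an added example that is not CrowdStrike code or part of this page: a small Python model of a contained host, in which every flow except the management channel is dropped and refused while containment is on, and normal policy returns when it is lifted. The management endpoint name and port, the flow representation, the host and note values and the audit-record format are assumptions made for the model, not the product’s real configuration.

```python
"""Added example (not CrowdStrike code): a model of network containment as
an allowlist. While a host is contained, every flow except the management
channel is dropped and refused; lifting containment restores normal policy.

The management endpoint, the flow representation and the audit format are
assumptions made for this model, not the product's real configuration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Set, Tuple

# A flow is (protocol, destination, destination port); port is None for ICMP.
Flow = Tuple[str, str, Optional[int]]

# Assumed management channel that must survive containment so the host can
# still be controlled (and later released) from the console.
MANAGEMENT_ALLOWLIST: Set[Flow] = {("tcp", "sensor-cloud.example.test", 443)}


def is_management(flow: Flow) -> bool:
    return flow in MANAGEMENT_ALLOWLIST


@dataclass
class Host:
    name: str
    contained: bool = False
    active: Set[Flow] = field(default_factory=set)  # currently open flows
    audit: list = field(default_factory=list)       # (when, action, who, note)

    def _record(self, action: str, who: str, note: str, now: Optional[datetime]):
        when = (now or datetime.now(timezone.utc)).isoformat()
        self.audit.append((when, action, who, note))

    def permits(self, flow: Flow) -> bool:
        """Policy decision: everything is allowed when not contained;
        only the management channel is allowed while contained."""
        return (not self.contained) or is_management(flow)

    def open_flow(self, flow: Flow) -> bool:
        """Attempt to open a new connection; returns False if refused."""
        if not self.permits(flow):
            return False
        self.active.add(flow)
        return True

    def contain(self, who: str, note: str, now: Optional[datetime] = None) -> Set[Flow]:
        """Enter containment, tear down every open non-management flow
        (the ping and the in-progress download in the demo) and return
        the set of flows that were dropped."""
        self.contained = True
        dropped = {f for f in self.active if not is_management(f)}
        self.active -= dropped
        self._record("contain", who, note, now)
        return dropped

    def lift(self, who: str, note: str = "", now: Optional[datetime] = None) -> None:
        """Release the host; the management channel was never interrupted,
        so the release arrives over the same channel."""
        self.contained = False
        self._record("lift_containment", who, note, now)


def demo() -> dict:
    """Replay the demo: three flows open, containment, then release."""
    ws = Host("ws-042")  # constructed host name
    ping = ("icmp", "192.0.2.1", None)              # continuous ping (TEST-NET-1)
    download = ("tcp", "files.example.test", 443)   # large download in progress
    heartbeat = ("tcp", "sensor-cloud.example.test", 443)
    for f in (ping, download, heartbeat):
        ws.open_flow(f)
    dropped = ws.contain("peter", "Contained by Peter. Multiple threats observed.")
    during = {f: ws.permits(f) for f in (ping, download, heartbeat)}
    still_open = set(ws.active)
    ws.lift("peter", "Cleaned up and verified")
    after = {f: ws.permits(f) for f in (ping, download, heartbeat)}
    return {"dropped": dropped, "during": during, "still_open": still_open,
            "after": after, "audit": ws.audit}


if __name__ == "__main__":
    result = demo()
    print("dropped on containment:", sorted(result["dropped"], key=str))
    print("permitted while contained:", result["during"])
    print("audit trail:", result["audit"])
```

The point the model makes is the one the video relies on: containment is a default-deny policy with a single allowlisted channel, so the host stays reachable for investigation and for the release, and the audit note entered at containment time is what later tells the responder why the machine was taken off the network.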