How CrowdStrike’s Intel Improves Cloud Security
Public cloud environments are excellent targets for cryptojacking. With the proper access, an adversary can take advantage of expensive, quickly provisioned virtual resources without detection. CrowdStrike’s Cloud Security Posture Management solution, Falcon Horizon, helps organizations secure cloud environments while proactively monitoring for misconfigurations, overly permissive access settings and suspect behaviors.
Falcon Horizon Assessments
Leveraging two different types of assessments, the main dashboard presents an overview of recent findings across all of the registered cloud accounts and providers. Service misconfigurations are shown on the left, while the behavioral assessment findings on the right focus on activities or patterns that could be malicious.
Assessments are performed on a regular basis using policies that CrowdStrike has developed for the different cloud services. The policies tab reveals a comprehensive list of policies broken down by provider and service, with links to compliance information, the default severity and the policy type.
Intelligence Indicators of Attack
Because CrowdStrike Intelligence is built in, Falcon Horizon is able to offer behavioral detections based specifically on malicious indicators such as IP addresses. Scoped to “Any” AWS service, there are behavioral policies that monitor both read and write API calls. By monitoring all cloud activity, these policies discover any connection from a known malicious IP address.
The policy details explain that this read policy identifies reconnaissance activity associated with the MITRE ATT&CK Discovery tactic and include the recommended remediation steps.
Meanwhile, the Intelligence policy for write API calls indicates execution, that is, an attack in progress.
Note that the scope of Falcon Horizon is not limited to a single provider. Policies and remediation steps based on Intelligence indicators are also available for any Azure service. Regardless of cloud provider, any findings related to these behavioral policies would indicate that a bad actor has gained access to the environment.
In this sample finding related to the AWS Write API call policy, notice that the confidence score and severity level are included to help with prioritization.
The timeline displays additional details about the event, including the user and the malicious IP address. Because the threat status of an indicator can change, the Intel section includes dates so the reputation of the IP can be understood over time.
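The checks described above (matching cloud API calls against IP indicators, separating read calls as Discovery from write calls as Execution, and honouring the dates during which an indicator was considered malicious) can be illustrated with the following added example. It is not Falcon Horizon code; the indicator list, the CloudTrail-style events and the `readOnly` field layout are constructed for the illustration.

```python
from datetime import date

# Constructed indicator list (TEST-NET addresses, not real IoCs):
# ip -> (first_seen, last_seen); last_seen None means still considered malicious.
INTEL_IPS = {
    "198.51.100.23": (date(2021, 1, 10), date(2021, 6, 30)),
    "203.0.113.77": (date(2021, 5, 1), None),
}

# Constructed CloudTrail-style events, reduced to the fields the check needs.
EVENTS = [
    {"eventTime": "2021-05-14", "eventName": "DescribeInstances", "user": "dev-user",
     "sourceIPAddress": "198.51.100.23", "readOnly": True},
    {"eventTime": "2021-05-14", "eventName": "RunInstances", "user": "dev-user",
     "sourceIPAddress": "198.51.100.23", "readOnly": False},
    {"eventTime": "2021-09-02", "eventName": "ListBuckets", "user": "ci-role",
     "sourceIPAddress": "198.51.100.23", "readOnly": True},   # indicator expired by then
    {"eventTime": "2021-09-02", "eventName": "GetObject", "user": "ci-role",
     "sourceIPAddress": "192.0.2.5", "readOnly": True},        # IP not in intel
]

def indicator_active(ip, when):
    """True if the IP was flagged as malicious on the given date."""
    window = INTEL_IPS.get(ip)
    if window is None:
        return False
    first_seen, last_seen = window
    return first_seen <= when and (last_seen is None or when <= last_seen)

def evaluate(event):
    """Return a finding for an event from a flagged IP, else None.
    Read-only calls map to Discovery (reconnaissance); write calls to Execution."""
    when = date.fromisoformat(event["eventTime"])
    if not indicator_active(event["sourceIPAddress"], when):
        return None
    read = event["readOnly"]
    return {
        "user": event["user"],
        "ip": event["sourceIPAddress"],
        "api": event["eventName"],
        "tactic": "Discovery" if read else "Execution",
        "severity": "medium" if read else "high",
    }

def assess(events):
    """Run every event through the intel check and keep only the findings."""
    return [f for f in map(evaluate, events) if f]

if __name__ == "__main__":
    for finding in assess(EVENTS):
        print(finding)
```

The third event is dropped because the indicator's reputation window had already closed on that date, which is why the per-indicator dates matter when triaging older activity.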
As organizations continue to deploy mission-critical data and applications to the cloud, it is critical that those resources are properly monitored and protected. In addition to misconfigurations and behaviors, Falcon Horizon monitors multi-cloud deployments for Intelligence Indicators of Attack to quickly detect suspect communications and stop breaches.