
How CrowdStrike’s Intel Improves Cloud Security

August 6, 2021


Introduction

Public cloud environments are excellent targets for cryptojacking. With the proper access, an adversary can take advantage of expensive, quickly provisioned virtual resources without detection. CrowdStrike’s Cloud Security Posture Management solution, Falcon Horizon, helps organizations secure cloud environments while proactively monitoring for misconfigurations, overly permissive access settings and suspect behaviors.


Falcon Horizon Assessments

The main dashboard draws on two different types of assessment to give an overview of recent findings across all registered cloud accounts and providers. Service misconfigurations are shown on the left, while the behavioral assessment findings on the right focus on activities or patterns that could be malicious.

Figure: CSPM Intel IOA dashboard

Assessments are performed on a regular basis using policies that CrowdStrike has developed for the different cloud services. The policies tab reveals a comprehensive list of policies broken down by provider and service, including links to compliance information, the default severity and the policy type.

Figure: CSPM Intel IOA policies

Intelligence Indicators of Attack

Drawing on CrowdStrike’s built-in threat intelligence, Falcon Horizon is able to offer behavioral detections based specifically on malicious indicators such as IP addresses. Scoped to “Any” AWS service, there are behavioral policies that monitor both read and write API calls. By monitoring all cloud activity, these policies surface any API call that originates from a known malicious IP address.

Figure: CSPM Intel IOA behavioral policies

The policy details explain that this read policy identifies reconnaissance activity associated with the MITRE Discovery tactic, and they include the recommended remediation steps.

Figure: CSPM Intel IOA read policy details

Meanwhile, the Intelligence policy for write API calls indicates execution and an attack in progress.

Figure: CSPM Intel IOA write policy details

Note that the scope of Falcon Horizon is not limited to a single provider. Policies and remediation steps based on Intelligence indicators are also available for any Azure service. Regardless of cloud provider, any findings related to these behavioral policies would indicate that a bad actor has gained access to the environment.

Figure: CSPM Intel IOA Azure policies

Intelligence Findings

In this sample finding related to the AWS Write API call policy, notice that the confidence score and severity level are included to help with prioritization.

Figure: CSPM Intel IOA finding

The timeline displays additional details about the event, including the user and the malicious IP address. Because the threat status of an indicator can change, the Intel section includes dates that show how the IP’s reputation has changed over time.

Figure: CSPM Intel IOA indicator dates
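To make the read/write intelligence policies and the indicator dates above concrete, here is an added example (not CrowdStrike code, and not the Falcon Horizon or intelligence feed format) that evaluates constructed CloudTrail-style events against a constructed indicator list. It assumes the CloudTrail `readOnly` field separates read from write calls, that an indicator only counts while the event falls inside its first-seen/last-seen window, and the tactic and severity labels are illustrative assumptions.

```python
from datetime import date

# Constructed indicator list standing in for a threat-intel feed (hypothetical format).
# first_seen/last_seen model the reputation dates shown in the Intel section.
INDICATORS = {
    "203.0.113.45": {"first_seen": date(2021, 6, 1), "last_seen": date(2021, 8, 1), "confidence": 90},
    "198.51.100.7": {"first_seen": date(2020, 1, 10), "last_seen": date(2020, 3, 1), "confidence": 60},
}

# Constructed CloudTrail-style events (subset of the real record fields).
EVENTS = [
    {"eventTime": "2021-07-15", "eventName": "ListBuckets", "readOnly": True,
     "sourceIPAddress": "203.0.113.45", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    {"eventTime": "2021-07-15", "eventName": "RunInstances", "readOnly": False,
     "sourceIPAddress": "203.0.113.45", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    # Indicator existed once but had expired by this date: no finding.
    {"eventTime": "2021-07-16", "eventName": "DescribeInstances", "readOnly": True,
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
    # Unknown source IP: no finding.
    {"eventTime": "2021-07-16", "eventName": "CreateUser", "readOnly": False,
     "sourceIPAddress": "192.0.2.10", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
]


def evaluate(events, indicators):
    """Return one finding per API call made from an IP that was a known-bad
    indicator at the time of the call. Read calls map to the Discovery tactic,
    write calls to Execution (labels are assumptions for this example)."""
    findings = []
    for ev in events:
        ind = indicators.get(ev["sourceIPAddress"])
        if ind is None:
            continue
        when = date.fromisoformat(ev["eventTime"])
        # Reputation changes over time: only match while the indicator was active.
        if not (ind["first_seen"] <= when <= ind["last_seen"]):
            continue
        if ev["readOnly"]:
            policy, tactic, severity = "Intel: malicious IP read API call", "Discovery", "medium"
        else:
            policy, tactic, severity = "Intel: malicious IP write API call", "Execution", "high"
        findings.append({
            "policy": policy, "tactic": tactic, "severity": severity,
            "confidence": ind["confidence"], "user": ev["userIdentity"]["arn"],
            "source_ip": ev["sourceIPAddress"], "event": ev["eventName"], "time": ev["eventTime"],
        })
    # Order for triage: highest severity first, then confidence score.
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f["severity"]], -f["confidence"]))
```

Running `evaluate(EVENTS, INDICATORS)` yields two findings for the active indicator, with the write call ranked first, while the expired indicator and the unknown IP produce none.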

Conclusion

As organizations continue to deploy mission-critical data and applications to the cloud, it is critical that those resources are properly monitored and protected. In addition to misconfigurations and behaviors, Falcon Horizon monitors multi-cloud deployments for Intelligence Indicators of Attack to quickly detect suspect communications and stop breaches.
