This document and video will demonstrate how to use Falcon Device Control to monitor and manage USB devices to minimize the attack surface and risk of incidents.
Device Control Policy Options
Falcon Device Control enables customers to use their existing management platform and lightweight agent to establish and enforce policies for USB devices. The policies and options can be found under “Configuration > USB Device Policies”.
From the policy list, you can choose to edit an existing policy or create a new policy. Within each policy, you are presented with a list of different USB device classes. This gives you the granularity to define different policies for different types of devices. Device classes include imaging, printers and mass storage.
For mass storage, you will see four options available. “Read, write and execute” gives users full access. For mass storage, “Read and write only” is often used to prevent the auto-execution of unwanted programs.
Within the policy for each class, you also have the option to define exceptions. These exceptions can be done for specific devices or in larger groups using vendor and product information. This allows you to provide necessary functionality while maintaining control over user access. It is also very helpful when enforcing specific corporate standards.
Device Control Visibility
With Falcon Device Control, you gain visibility into the USB devices and use profiles in your environment. You can access to dashboard under “Investigate > USB Device Control”.
The dashboard gives you a breakdown by class, manufacturer and device. Each of the chart areas is clickable and provides quick access to filtered information and the supporting usage history.
In this example, drilling down on the “Mass Storage” device class illustrates that this specific environment has seen three different manufacturers in the last 30 days with a detailed usage history shown below. Valuable information, like the combined ID, can be used to further tune policies and define individual exceptions. The combined id is the serial number+manufacture ID+Product ID.
Device Control Investigation
If there is a need to take immediate action on a USB device, Falcon Device Control provides both the visibility and the policy you need to be effective. Under “Device Usage by Host” you can search on a specific hostname to see what USB devices they have employed over a given time range. You can review the current policy for each device and how often it is used. That information can be used to as needed to tune the policies for each class or allow exceptions for specific devices.
There is also an overview of “Files Written to USB”. This can be especially helpful in cases where unapproved data exfiltration is suspected. For the enterprise, this information can be filtered by computer name, user name, file, file type or time range to help you investigate specific issues.
Falcon Device Control provides industry leading visibility into your organization’s usage of USB devices. It helps you understand, control, report and investigate how those devices are being used to help you manage risk and minimize this attack vector.
- CrowdStrike 15-Day Free Trial
- CrowdStrike Tech Center
- Sign up for a weekly Falcon demo
- Request a 1:1 Demo
- Guide to AV Replacement
- CrowdStrike Products
- Falcon OverWatch
How to Contain an Infected System
Hi, there. My name’s Peter Ingebrigtsen. And today, we’ve logged into the falcon.crowdstrike.com, or the Falcon User Interface.
And what we’re going to do is take a look at some of our systems and recognize that some of them are either currently under attack or recently been under attack, and may have been compromised. And we’d like to contain that system until we can further get to it, get our hands on it, and get a little bit more information out of it, or just prevent it from doing any more damage than it’s already done.
In order to do that, you need to be on your Detections app. You can do that by going to the radar here on the left-hand side. If you’re not already, or if your user interface doesn’t open that when you first log in, head there. And then just select the Recent Detections.
When that opens, you’ll notice that you can filter by any number of criteria, but we’re looking at some of the more recent events or situations that are going on. And you’ll notice that the same single machine has noticed a lot of different scenarios with privilege escalation or web exploits. And these severities are high to critical.
And we’d like to log in there, maybe do a little something, take a little closer look, and see if there’s something we should do. Obviously, we should do something. And as we start to dig through here, we see that there’s a lot of detection patterns, whether that be known malware, credential theft, or web exploits. We can see in the process tree a lot of different commands that were issued that look at that privilege escalation that we noticed earlier– or start to set that up.
So, we know that there’s something bad going on, and we’d like to take action right away. So, what we want to do is network contain this machine. But what I want to show you, as well, is that as we do this– I’m going to go to the machine itself. And I’d like to start a continuous ping so that you can watch the behavior and how long it takes to respond to this network containment.
Now, while we contain this– or take this machine off the network– we don’t kill the connection to the CrowdStrike Cloud. So, that as we get our hands on it– we clean it up, we feel comfortable putting it back on to the network– we can still operate or control that machine through the user interface that we have here.
The other thing I’d like to do is start a large download, so that we initiate with a single TCP connection– and there happens to be one in process– as opposed to the ping, where there may be multiple TCP resets or individual TCP threads going every time. So that you can see that as we contain this machine, it literally just knocks it off the network.
Forgive my screen, but I’ve changed the resolution for YouTube and for appearance purposes.
But as I come in here– and this will be right at the middle of the screen– this actually says Device Actions. And I’d like to contain it.
Now, as we do that, we have some options to make some notes. Contained by Peter. Multiple threats observed. Whatever notes you’d like to make– and then select Contain.
Now, the second we do this, on the left-hand side, you’ll see how quickly it takes for that to respond. So, immediately, almost in real time, you see a network failure on the download, and the ping test– or the continuous ping fail. So, we can close that.
Now, let’s say we’re a couple days later, this machine’s cleaned up, ready to go, and be put back in the network. You can go ahead and lift the network containment, again, from the user interface. We still have that connection to the machine, even though all the other network connections have been terminated.
So, as we do that, all good. Uncontain. And you’ll notice that almost immediately that ping starts to fire right back up again.
So, network containment is a powerful tool that we can use if we see something immediately taking action or if we see something recently in the past, and we’d like to get that machine off the network– almost quarantine it– so that it can’t do any more damage.
So, this has been network containment of network devices in the Falcon Sensor User Interface platform. Thanks again for watching.