How to Get Five Second Visibility Across Your Organization with Falcon Endpoint Protection

Introduction

Visibility is an essential element in next generation endpoint protection. While legacy endpoint security products were limited to either blocking or allowing an activity, next generation endpoint protection products add the ability to record activity on the endpoint and store it in a database for future search and investigation. While this may sound simple, there are actually vast differences in the way that this can be implemented.

CrowdStrike delivers superior visibility as a result of its unique architecture. The key points to know about this architecture are:

  • The Falcon sensor does more than just record and store events. It puts events in context. It is trivial to simply record events and dump them into a database. This creates a garbage-in-garbage-out scenario for admins that ends up wasting time and driving up infrastructure costs. The Falcon sensor takes a different approach. It actually links related events together to paint an accurate picture of the state of the machine. It then displays that picture to the admin (rather than a stream of unrelated events). Understanding individual events as part of a broader sequence of events allows the sensor to then apply security logic derived from CrowdStrike intelligence. If a sequence of events matches a known indicator of attack, the Falcon sensor will identify the activity as malicious, send a detection alert to the administrator and also block the threat.
  • Events recorded by the Falcon sensor are streamed to the cloud and stored in a graph database. This approach ensures that data is accessible to the administrator even if some systems are offline at the time of the search. It also ensures speed and scalability. The CrowdStrike graph database – known as Threat Graph – is designed to return results for all queries in five seconds or less, regardless of the size or the amount of data in the database.

This architecture allows Falcon Endpoint Protection to provide deep visibility across your entire environment in five seconds or less.

Video

Read Video Transcript

Prerequisites

In order to proceed, the following requirements must be met:

  • Client operating system: Windows 7 SP1 or higher (and server equivalents), Mac OS X Yosemite or higher, RHEL or CenOS 6 or higher, Ubuntu 14.04
  • Two Windows test systems with the Falcon sensor installed
  • Steps 8 and later require an FTP server and usage of a RAR utility

Step-By-Step Procedure

The purpose of these use cases is to illustrate what events are recorded by the Falcon sensor and to show the speed at which those events can be searched from the Falcon Events App. These use cases represent a tiny subset of the events that are recorded and made searchable. Please contact us to learn about all of our visibility and search capabilities.

Step 1

Go to CrowdStrike Falcon Endpoint Protection Login Page and login

CrowdStrike Falcon Endpoint Protection Login

Step 2

Navigate to Events App

EventsApp

Step 3

Switch to Test System 1 and start Remote Desktop connection to Test System 2. This remote connection will be recorded.

Remote Desktop Connection

You can search for this activity in the events app by entering the following search: ComputerName=hostname IoSessionConnected
The results will show that the connection occurred and also provide contextual details of the connection.

IoSessionCreated

Step 4

Return to the RDP session and choose to run the Windows Command Prompt as Administrator. When prompted, choose Yes to the User Account Control (UAC) prompt.

UAC

 

Return to the Events App and enter the following search: ComputerName=hostname UACExeElevation
The results will show that CMD started, but it will also show the contextual events around the execution along with the details of the UAC elevation.

UacExecelevation

Step 5

Return to the RDP session and type “whoami” in the Windows Command Prompt

whoami

Go back to the Events App and enter the following search: ComputerName=hostname whoami
The results show that the Falcon sensor can not only see that CMD started, but that it can also see all command activity. Similarly, you can search for activity by user with the following search: ComputerName=hostname UserIdentity

whoami

Step 6

Return to the RDP session and type “powershell” in the Windows Command Prompt. If we execute the next few commands from PowerShell within a Windows Command Prompt, then many of the activities will be obfuscated (a common attacker technique). However, Falcon can see through this obfuscation technique.

Screen Shot 2016-07-22 at 2.30.55 PM

In CMD change directory to the desktop and then type “mkdir exfil”
This creates a folder for us to stage data that we will later attempt to exfiltrate.

cmd mkdir

Go back to the Events App and enter the following search: ComputerName=hostname DirectoryCreate
We can immediately see the creation of the new directory.

DirectoryCreate

Step 7

Return to the RDP session. In CMD change directory to the exfil directory. Then type: New-Service -name evilsrv -DisplayName “Evil Service” -BinaryPathName C:\Windows\System32\PING.EXE

new service cmd

Go back to the Events App and enter the following search: ComputerName=hostname CreateService
The results tell us that a service was created, but it also shows us all of the context around the service. For example, it also tells us that its purpose is to launch PING.EXE.

CreateService

 

THE FOLLOWING STEPS REQUIRE AN FTP SERVER AND A RAR UTILITY

 

Step 8

Return to the RDP session. Download a RAR utility from an FTP server in CMD with a command like: Invoke-WebRequest -uri ftp://ftpserver/Rar.exe -OutFile rar.exe

Invoke Web Request

Go to Events App and see that the RAR utility was written with the following search: ComputerName=hostname PeFileWritten

PeFileWritten

Return to the RDP session. Add all .doc files to a RAR archive and password protect it in CMD with a command like: .\rar.exe a -hpPassword ..\*.doc

RAR doc files

Go to Events App and see that the data was archived with the following search: ComputerName=hostname RarFileWritten You can also get the details of the archive utility with the following search: ComputerName=hostname rar.exe

The critical thing to know about this data preparation phase is that it was all done inside an existing PowerShell process. This obfuscation technique makes the FTP and RAR activity invisible to most tools, but Falcon can still see it. In fact, Falcon can even detect when an attacker tries to hide an archive file by giving it a benign extension like .txt. This is true because Falcon doesn’t simply look at the file extension; instead, it looks at the entire sequence of events and can see that an archiving utility was used to create the file before it was renamed to .txt (for example).

Step 9

Falcon can also see removable media activity. To proceed, insert removable media to your test system or mount removable media to your VM. Go to Events App and see that removable media was mounted with the following search: ComputerName=hostname FsVolumeMounted

FsVolumeMounted

To continue our data exfiltration example, go to CMD and type: copy .\exfil.rar e:\

Data exfil to USB

This copies the archived data to the removable media device. To see this in the Events App, return to the events app and type the following search: ComputerName=hostname CommandHistory

These search results include all commands executed on the system. This is a quick and easy way to see attacker activity because they typically prefer to use command line interfaces. In this example, you can see the entire attack chain summarized in one simple event.

Command history

Conclusion

CrowdStrike Falcon Endpoint Protection makes it quick and easy to get visibility across your entire organization. The solution is SaaS-based and built on a graph database. This means that administrators get unlimited scalability without any need to invest in on-premise hardware. More importantly, it means that administrators can always get immediate responses to their queries – regardless of deployment size. This document showed a small subset of the events that Falcon captures, and also showed how quickly they can be searched for in the Events App. CrowdStrike is continually adding additional visibility features, so please contact us for the latest information.

More Resources

 

Stop Breaches with CrowdStrike Falcon request a live demo