Falcon for Mobile is CrowdStrike’s EDR solution on mobile devices. Falcon for Mobile monitors and records activities taking place on Android and iOS, providing the visibility necessary to detect attackers, malicious insider activity, and corporate data leakage Falcon for Mobile allows organizations to benefit from powerful reporting, investigation, and threat hunting capabilities across the enterprise including the very important and relied upon mobile technologies.
Mobile Detections Dashboard
The Mobile Detections Dashboard provides a breakdown of mobile risks found in the environment. Detections uncovered by Falcon are mapped against the MITRE ATT&CK™ for Mobile framework, making it easy to understand the tactics and techniques utilized as well as the impact of the detection. In the dashboard you can drill into each chart to obtain further details about the detection listed. You can also drill into the device details, which provides a historical view of the activity on the specific device, to help you determine that action needs to be taken against the mobile device to prevent further compromise. The detections in the Mobile Detections Dashboard are made possible by the events and visibility sent by Falcon for Mobile.
Mobile Hosts Dashboard
The Mobile Hosts dashboard can be found under Investigate > Mobile Hosts and provides an overview of the devices across the environment; broken down by platform, operating system, manufacturer, model and agent version. For each graph, we can drill down on a given subset to see the supporting details.
Mobile Timeline Report
Falcon presents us with the Mobile Timeline report which can be used to understand any recent events that occured on a particular mobile device. A key difference in Mobile operating systems is that apps often run for long periods of time and as a result there are fewer process executions. Once an app is started it will interact with the operating system using API calls.
With that in mind we will filter the events for any launched apps (also known as a process rollup) as well as any Android API calls (referred to as AndroidIntentSentIPC). Having this visibility gives us context that we’ll need in order to conduct a thorough investigation.
The second benefit of Falcon for Mobile is the detailed reporting and investigation capabilities that are available specifically with mobile devices. Using the Suspicious Events Report (Investigate > Mobile Hosts > Reports), we get an overview of the top statistics highlighting those devices that are jailbroken, rooted, and have sideloading enabled. This report immediately draws attention to the higher risk mobile devices. To take a closer look at a specific event, we can simply click on the Agent ID to pivot into an event search. This allows us to investigate the suspect device with all of the associated event data at our fingertips.
Finally, we are going to see how CrowdStrike enables threat hunting across the entire enterprise – including mobile devices. Beginning with an IP that we suspected to be a command and control server, ThreatGraph makes it possible for us to perform a simple search across all of our event data to understand if any of our hosts have communicated with this address. In the example we see 4 events across different platforms including Windows workstations/servers, Mac, Android, and iOS devices. With Falcon Insight we are able to do one search through CrowdStrike’s cloud delivered management platform to get complete results across the entire endpoint population.
RemoteAddressIP4=126.96.36.199 OR RemoteAddressIP6=188.8.131.52 | eval RemoteAddressIP=if(isnull(RemoteAddressIP4), RemoteAddressIP6, RemoteAddressIP4) | table _time ComputerName aid event_platform RemoteAddressIP
Crowdstrike has delivered EDR for mobile devices. This gives the organization greater visibility, reporting, and hunting capabilities for a better understanding of the devices, events and risks across the entire environment.