Falcon for Mobile is CrowdStrike’s EDR solution on mobile devices. Falcon for Mobile monitors and records activities taking place on Android and iOS, providing the visibility necessary to detect attackers, malicious insider activity, and corporate data leakage Falcon for Mobile allows organizations to benefit from powerful reporting, investigation, and threat hunting capabilities across the enterprise including the very important and relied upon mobile technologies.
Mobile Hosts Dashboard
The Mobile Hosts dashboard can be found under Investigate > Mobile Hosts and provides an overview of the devices across the environment; broken down by platform, operating system, manufacturer, model and agent version. For each graph, we can drill down on a given subset to see the supporting details.
Mobile Timeline Report
Falcon presents us with the Mobile Timeline report which can be used to understand any recent events that occured on a particular mobile device. A key difference in Mobile operating systems is that apps often run for long periods of time and as a result there are fewer process executions. Once an app is started it will interact with the operating system using API calls.
With that in mind we will filter the events for any launched apps (also known as a process rollup) as well as any Android API calls (referred to as AndroidIntentSentIPC). Having this visibility gives us context that we’ll need in order to conduct a thorough investigation.
The second benefit of Falcon for Mobile is the detailed reporting and investigation capabilities that are available specifically with mobile devices. Using the Suspicious Events Report (Investigate > Mobile Hosts > Reports), we get an overview of the top statistics highlighting those devices that are jailbroken, rooted, and have sideloading enabled. This report immediately draws attention to the higher risk mobile devices. To take a closer look at a specific event, we can simply click on the Agent ID to pivot into an event search. This allows us to investigate the suspect device with all of the associated event data at our fingertips.
Finally, we are going to see how CrowdStrike enables threat hunting across the entire enterprise – including mobile devices. Beginning with an IP that we suspected to be a command and control server, ThreatGraph makes it possible for us to perform a simple search across all of our event data to understand if any of our hosts have communicated with this address. In the example we see 4 events across different platforms including Windows workstations/servers, Mac, Android, and iOS devices. With Falcon Insight we are able to do one search through CrowdStrike’s cloud delivered management platform to get complete results across the entire endpoint population.
RemoteAddressIP4=126.96.36.199 OR RemoteAddressIP6=188.8.131.52 | eval RemoteAddressIP=if(isnull(RemoteAddressIP4), RemoteAddressIP6, RemoteAddressIP4) | table _time ComputerName aid event_platform RemoteAddressIP
Crowdstrike has delivered EDR for mobile devices. This gives the organization greater visibility, reporting, and hunting capabilities for a better understanding of the devices, events and risks across the entire environment.