How to Prevent Malware-Free Attacks with CrowdStrike Falcon Endpoint Protection

Introduction

In this document, we will see how to prevent malware-free attacks with CrowdStrike Falcon. Malware-free attacks are attacks that do not rely on a malicious file being written to disk: they exploit a vulnerability to run code directly in memory, or abuse legitimate tools and user actions to compromise a system. Because there is no file to scan, signature-based antivirus does not see them.
Falcon uses multiple methods to prevent and detect these types of attacks, and this combination allows Falcon to protect against even the most advanced attacks. This document focuses on Falcon's exploit blocking and Indicators of Attack (IOAs) protection features.

Video

“How to Detect and Prevent Malware Free Attacks with CrowdStrike Falcon”


Instructions

1: Go to the prevention settings of the Falcon User Interface

You can configure prevention features in the Configuration App. Once in the app, open Prevention Policy and click Settings. Note that you need Admin privileges to change the prevention settings. Configuration changes reach the endpoints within a couple of seconds.

[Screenshot: prevention-policy]

2: Preventing malware free attacks with exploit blocking

One of the challenges with attacks that do not use malware is that they can inject code directly into memory, without ever writing a file to disk. These attacks take advantage of vulnerabilities and typically make use of exploit kits, which is why Falcon provides an exploit blocking function. To turn an exploit mitigation on or off, slide the toggle for the mitigation you want to change. In our example we are going to turn on the Force ASLR mitigation.

[Screenshot: malware-free exploit-mitigation]
Slide the toggle to the right and confirm the change.

[Screenshot: aslr-policy-change]
A green toggle indicates that the mitigation is enabled.

[Screenshot: change-accepted]


If you want to disable the prevention for that exploit, slide the toggle to the left and confirm that you want to disable it.

Here is an example of an exploit-blocking detection in the Falcon User Interface.

[Screenshot: blocked-exploit]
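The Force ASLR mitigation matters because Windows only randomizes an image's base address if the image was linked with /DYNAMICBASE (the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag in the PE optional header); a mitigation that forces ASLR covers the images that lack it. The script below is an added example, not code from this page or from CrowdStrike: it parses that flag so you can inventory which binaries on a host would rely on forced ASLR rather than on their own opt-in. The header offsets are from the PE/COFF specification; the header-only image it builds for demonstration is constructed and not loadable, and the assumption that Falcon's Force ASLR toggle behaves like Windows mandatory ASLR (ForceRelocateImages) is ours, not the page's.

```python
import struct
import sys
from pathlib import Path

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE = 20
DLLCHARACTERISTICS_OFFSET = 70   # same offset in PE32 and PE32+ optional headers


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE          # start of the optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    return struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)[0]


def aslr_report(data: bytes) -> dict:
    """Summarise the ASLR/DEP opt-in flags; needs_force_aslr is the security-relevant bit."""
    dc = pe_dll_characteristics(data)
    dynamic_base = bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dc & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "needs_force_aslr": not dynamic_base,
    }


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed sample: a header-only PE image (not loadable) for exercising the parser."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:   # no arguments: demonstrate on the constructed samples
        samples = {"opted-in.dll": build_minimal_pe(0x0160), "legacy.dll": build_minimal_pe(0x0100)}
        for name, blob in samples.items():
            print(name, aslr_report(blob))
    for path in paths:
        try:
            rep = aslr_report(Path(path).read_bytes())
        except (OSError, ValueError, struct.error) as exc:
            print(f"{path}: skipped ({exc})")
            continue
        verdict = "opted into ASLR" if rep["dynamic_base"] else "NO DYNAMICBASE: relies on Force ASLR"
        print(f"{path}: {verdict}; high-entropy={rep['high_entropy_va']} nx={rep['nx_compat']}")
```

Run it against the EXE and DLL files of a legacy application to see which ones would be left unrandomized without a forcing mitigation. On Windows 10 and later you can also cross-check the OS-level setting with `Get-ProcessMitigation -System`, whose ASLR.ForceRelocateImages value shows whether Windows itself is forcing relocation; the sensor-side toggle on this page is separate from that setting.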


3: Preventing malware-free attacks with Indicators of Attack

Exploit blocking adds a layer of protection, but it is not always sufficient, because some file-less attacks do not use exploits at all: they rely on a user's mistake (for example running a macro or a script) to compromise the system. There are infamous examples of file-less ransomware that do not use exploits, and targeted attacks often fall into this category as well.

This is why Falcon also uses Indicators of Attack (IOAs) to protect systems. Rather than matching a file signature, IOAs look across both legitimate and suspicious activity and detect stealthy chains of events that indicate an attack in progress. The IOAs that prevent malware-free attacks are enabled by default; for specific attack classes such as adware and ransomware, individual IOAs can be configured.

You can enable or disable them in the current window by sliding the toggles similar to exploit blocking.

[Screenshot: ransomware-settings]

Ransomware prevented based on an Indicator of Attack.

[Screenshot: locky-detection]
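To make the chain-of-events idea concrete, here is a toy IOA engine as an added example; it is not CrowdStrike's code and does not describe how the Falcon sensor is implemented. It watches two behaviours of the kind this section describes, a script host launched by an Office application and a burst of file renames by one process tree, neither of which involves a known-bad file. The event format, process classes, thresholds and telemetry are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed process classes and thresholds (assumptions for this example).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RENAME_THRESHOLD = 5      # distinct files renamed by one process tree ...
RENAME_WINDOW_S = 10      # ... within this many seconds looks like encryption


class IOAEngine:
    """Stateful behaviour-chain matcher over a stream of endpoint events."""

    def __init__(self):
        self.parent = {}                   # pid -> ppid
        self.image = {}                    # pid -> lower-cased image name
        self.renames = defaultdict(list)   # tree root pid -> [(ts, path), ...]
        self.alerts = []

    def _root(self, pid):
        """Walk up to the highest ancestor whose start we have seen."""
        while self.parent.get(pid) in self.image:
            pid = self.parent[pid]
        return pid

    def _alert(self, ioa, pid, severity, detail):
        self.alerts.append({"ioa": ioa, "pid": pid, "severity": severity, "detail": detail})

    def _seen(self, ioa, pid):
        return any(a["ioa"] == ioa and a["pid"] == pid for a in self.alerts)

    def feed(self, ev):
        if ev["type"] == "process":
            pid, image = ev["pid"], ev["image"].lower()
            self.parent[pid], self.image[pid] = ev["ppid"], image
            parent_image = self.image.get(ev["ppid"])
            # Chain 1: an Office application launching a script host. Either process
            # alone is normal; the parent/child pairing is what makes it an IOA.
            if parent_image in OFFICE_APPS and image in SCRIPT_HOSTS:
                encoded = "-enc" in ev.get("cmdline", "").lower()
                self._alert("office_spawns_script_host", pid, "high" if encoded else "medium",
                            f"{parent_image} -> {image}" + (" with encoded command" if encoded else ""))
        elif ev["type"] == "rename":
            # Chain 2: burst of renames by one process tree (ransomware-style encryption).
            root = self._root(ev["pid"])
            hist = self.renames[root]
            hist.append((ev["ts"], ev["path"]))
            hist[:] = [(t, p) for t, p in hist if ev["ts"] - t <= RENAME_WINDOW_S]
            distinct = {p for _, p in hist}
            if len(distinct) >= RENAME_THRESHOLD and not self._seen("mass_rename", root):
                self._alert("mass_rename", root, "high",
                            f"{len(distinct)} files renamed within {RENAME_WINDOW_S}s by tree rooted at pid {root}")


def run(events):
    """Replay events in time order and return the alerts raised."""
    engine = IOAEngine()
    for ev in sorted(events, key=lambda e: e["ts"]):
        engine.feed(ev)
    return engine.alerts


# Constructed telemetry: a macro-style chain (Word -> encoded PowerShell -> mass rename)
# next to a benign admin session (Explorer -> PowerShell) that must not alert.
SAMPLE_EVENTS = [
    {"type": "process", "ts": 0, "pid": 100, "ppid": 1, "image": "WINWORD.EXE"},
    {"type": "process", "ts": 0, "pid": 300, "ppid": 1, "image": "explorer.exe"},
    {"type": "process", "ts": 1, "pid": 301, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Service"},
    {"type": "process", "ts": 1, "pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA"},
] + [
    {"type": "rename", "ts": 2 + i, "pid": 200, "path": f"C:\\Users\\a\\Documents\\report{i}.docx.locked"}
    for i in range(5)
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['ioa']} pid={a['pid']}: {a['detail']}")
```

The point to take from the example is that the benign Explorer-to-PowerShell session produces nothing, while the same PowerShell binary launched by Word with an encoded command trips the first IOA, and the renames that follow are attributed to the whole process tree rather than to the child alone, so a ransomware payload cannot dodge the rename threshold by spawning helpers.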

Conclusion: Protect against malware-free attacks

Falcon uses exploit blocking and Indicators of Attack to protect you against malware-free attacks. In addition, remember that Falcon also protects against known malware, and against unknown malware with its machine learning and custom blocking capabilities. Falcon combines these methods into an integrated approach that protects endpoints more effectively against both malware and breaches.
