What is Falcon Intelligence?
CrowdStrike Falcon Intelligence™ provides in-depth, technical, operational and strategic analysis of the latest threats, enabling customers to understand the risks they are facing and make the most of their defense and cybersecurity operations. Tactical cyber threat intelligence is focused on the present and the immediate future and is commonly technical in nature. It could be as simple as using threat indicators to proactively hunt for and defend against adversaries. Operational threat intelligence focuses on the motivations, intent, and capabilities of adversaries and how they plan, conduct, and sustain campaigns and major operations. Strategic threat intelligence provides information about the risks and implications associated with threats. Security and executive management can use strategic intelligence to make more informed and optimized cybersecurity decisions.
Broadly, this intelligence is delivered in two forms for customers. First, Falcon Intelligence provides API feeds that contain information on indicators, which in turn can be consumed by other security systems e.g. firewalls, HIPS, etc. Second, Falcon Intelligence produces reports that are used by security professionals to better prepare and react to threats and adversaries that are active.
What are the differences between the levels of Falcon Intelligence subscriptions?
Falcon Intelligence is packaged in ways that best align with customer’s preferred method for consuming threat intelligence, as well as the threat coverage areas that are most applicable to them. Specifically, CrowdStrike® customers can choose the Standard Level or one of three Premium Levels.
The Standard Level includes the following:
- Tactical threat intelligence content such as IP addresses, domain names, and file hashes for eCrime and targeted intrusion/hacktivist adversaries and campaigns
- Web portal access to actor profiles
- Indicator search
- Actor & indicator APIs
- Maltego transforms
There are three Premium Levels that include the following:
- All the standard features, plus…
- Tactical and strategic threat intelligence content for either eCrime and targeted intrusion/hacktivist adversaries or both, depending on the Premium level you choose
- Strategic intelligence reports and notices — ad-hoc, weekly, monthly and quarterly (HTML and PDF)
- Web portal access to actor profiles, threat intelligence feeds and rules
- All APIs: actor, indicator, reports, and tailored intelligence
- Tailored intelligence searches and rules
- Ability to submit Requests for information (RFIs)
- Ability to submit malware samples for analysis
- Quarterly one on one Threat Briefings with an Intel Analyst
For more details on what is included in each Falcon Intelligence subscription, visit this page.
What are the different types of Falcon Intelligence reports?
CrowdStrike threat intelligence provides three types of reports: Technical Intelligence Reports, Strategic Intelligence Reports, and Flash News. Technical Intelligence Reports cover the tactics, techniques, and procedures (TTPs) an adversary is using, while Strategic Intelligence Reports cover geopolitical and historical adversary activities. These reports are cumulative and allow customers to observe trends over time. Flash News provides customers with timely information on an array of intelligence subjects including, emerging threats, existing and new adversaries, recent and ongoing adversary activity and other significant cyber threat news. Flash News is provided as new threats are discovered.
Where can I find an example of Falcon Intelligence report?
The Boson Spider eCrime report focuses on the criminal organization behind the Core Bot banking trojan malware, an entity that CrowdStrike Falcon Intelligence tracks as the adversary “Boson Spider.” This report exemplifies the detailed threat information available to Falcon Intelligence eCrime service subscribers, and underscores the value of CrowdStrike’s best-in-class threat intelligence on criminal actors, their campaigns and ecosystems.
CrowdStrike threat intelligence blogs also provide crucial information on threats and attacks: Read Falcon Intelligence Report: Wanna Ransomware Spreads Rapidly; CrowdStrike Falcon Prevents the Attack, or Decrypting NotPetya/Petya: Tools for Recovering Your MFT after and Attack.
Do I get any type of threat intelligence if I use CrowdStrike Falcon endpoint protection?
Yes, CrowdStrike Falcon® endpoint protection uses Falcon Intelligence to provide faster detection of the activities and TTPs identified as malicious by Falcon Intelligence. In addition, the integration of threat intelligence brings contextualized information and includes attribution where relevant, providing details on the adversary attributed and any other information known about the attack.
How can I integrate Falcon Intelligence into my existing security solutions?
What kind of information is delivered through the different Falcon Intelligence APIs and what are some common integrations?
Falcon Intelligence offers three APIs:
- The Indicator API provides authenticated access to the CrowdStrike database for all technical indicators. A common integration is with SIEMs, IDSes, data visualization tools, and more. The Indicator API is available to all Falcon Intelligence subscribers.
- The Actor API provides authenticated access to the CrowdStrike database for all 80-plus named threat actors. A common integration is with TIPs (Threat Intelligence Platforms) to provide in-depth attribution information and analysis. The Actor API is available to all Falcon Intelligence subscribers.
- The Reports API provides authenticated access to a complete database of all CrowdStrike intelligence reports. The Reports API is available to Falcon Intelligence Premium subscribers.
Can I submit malware samples to be analyzed?
Falcon Intelligence Premium subscribers can provide malware samples through the portal for analysis by the Falcon Intelligence team to determine adversary attribution, indicators, and malware identification. Responses to customer-provided malware submissions are provided via email by the CrowdStrike support team.
What feeds and rules does a Falcon Intelligence Premium subscription provide? What devices are supported?
Signatures and/or indicators to detect network and host activity are provided in the SNORT, YARA, NetWitness, C2, Common Event Format (CEF) systems, which can be used with a variety of host- and network- based devices, such as IPS, HIPS, firewalls, and others. These signatures and/or indicators can be directly loaded into your existing network and host security products and used for detection, monitoring, situational awareness and prevention of malicious activities by adversaries tracked by CrowdStrike. Signatures and indicators can integrate with existing security infrastructure (host, network, and SIEM security solutions).
Do I need access to both types of intelligence — targeted intrusions/hacktivism and eCrime?
Based on the nature of your business, some organizations may be impacted by both nation-state and geopolitically motivated activity (targeted intrusions and hacktivism) and eCrime activity. By subscribing to CrowdStrike’s combined Premium subscription, you’ll have access to all of the intelligence that is published for comprehensive coverage and protection.
Does Falcon Intelligence Premium support the ability to search through all of the indicators that it provides?
Yes, there is indicator search capability within the Falcon Intelligence portal. Subscribers can search against all of the indicators that CrowdStrike generates, with easy-to-use filters to quickly and efficiently find information they are interested in.
Does Falcon Intelligence support requests for information (RFIs)?
Yes, this is offered as part of the Falcon Intelligence Premium subscription. It allows subscribers to interact directly with the CrowdStrike Intelligence team and ask questions of them.