
University of Advancing Technology

NTS405 Incident Response

Crowdstrike
Final Paper

Nicholas Diley

Abstract
This document details the usage and best practices of the multi-purpose security tool Crowdstrike, particularly its incident/emergency response platform. Its usage ranges from server-side authentication to post-incident deployment, allowing an organization to confidently protect itself from targeted attacks.

Crowdstrike
Crowdstrike is a business and software suite developed to tackle the rising issue of internet-based attacks and the mitigation of such risks. Founded in 2011, the creators of Crowdstrike were aware of the sophisticated attacks that were forcing the world's leading businesses into the headlines, attacks that could not be solved with existing malware-based defenses. Since only about 60% of attacks are malware based, it is understood that another method of defense may be necessary. That is where the Crowdstrike products and services come into play for businesses that want another defining edge in their server-side security.

To solve the problem, they had to create a new endpoint protection platform from the ground up. Protecting endpoints was critical, because that is where the data resides in any organization, and it is exactly where these targeted attacks are focused. Once an endpoint is breached, adversaries can move laterally within your network with relative ease and quietly siphon off your valuable data and intellectual property for months, sometimes years, without fear of detection.

From there they started designing a brand-new security architecture, one delivered entirely in the cloud. Companies already understood the benefits that Software as a Service (SaaS) provided in the form of CRM, HR, financial and other business-critical solutions. Not only would cloud architecture drive down cost and complexity, it would allow them to effectively crowdsource threat information from around the world and provide instant community immunity to their customers.

Variety of Platforms
Crowdstrike generally offers four different products for business-side operations, plus two additional services, one of which is most relevant to our usage in the market. The products available are as follows:

- Falcon Host: a Security as a Service platform that offers real-time detection of and insight into breaches within your system(s)
- Falcon Intelligence: a subscription service that offers analysis, reports and a live feed of best practices and configurations for your devices
- Falcon DNS: a managed service maintained by Crowdstrike for intrusion detection and analysis across your domain, offering security and rapid deployment
- Crowdstrike as a Service: the full Falcon platform with services and assistance from the Crowdstrike Security Operations Center (CSOC), providing intrusion detection analysts and prevention

For their services, they offer Incident Response and Proactive Services. The Incident Response program has competitors such as Cylance and Mandiant, but in the world of wanting to prevent attacks from targeted malware, we need all of the help that we can get. There have been numerous tools presented by Crowdstrike, and I will go into more detail on them further into the document.

Crowdstrike as an Incident Response Platform

The highlight of Crowdstrike lies within its Falcon Host product/service, which offers endpoint protection for users and gives access to the full slate of Crowdstrike services. Acting as a small sensor on the host device, it works together with the Crowdstrike cloud, offering protection against and visibility of any incoming threats: it monitors incoming traffic, compares it against past exploits or events, and keeps track of changes across your system. Under normal operation the list of items that this service covers is as follows:

- Process creation
- Drivers loaded
- Registry modifications
- Memory access
- Disk access

The Falcon Host suite is also very lightweight in terms of its impact on your machine. It takes up very little memory, installation is exceptionally short (5 seconds) with no reboot needed, and the base configuration is generally set to what the standard user needs. Configuration may be optimized for particular systems, as the sensor works across Windows, Macintosh, and Linux.
The Crowdstrike Falcon Host cloud is the architecture they use to sell their systems, offering services such as real-time detection and protection through their Security as a Service (SaaS) strategy. As with other services using similar strategies, it is through the information we send in that they are able to analyze node signatures and any Indicators of Compromise (IoC); all threat intelligence is stored within their databases for information and packet comparison against popular methods of attack. These IoCs include hashes, IPs, domains, and more that other users may have run into issues with. Utilizing Indicators of Attack (IoA), they are also able to analyze other pieces of information for use within machine learning algorithms, to further map out the methods of attack seen through this platform. As our machines collect data, their database slowly grows, as with many other services of this caliber, so that we gain further protection against real-time issues as we are introduced to them.
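To make the IoC versus IoA distinction above concrete, the following is an added example written for this document, not Crowdstrike's own code; the event layout, the indicator values and the single behavioural rule are constructed for illustration, and both checks run over the same constructed sensor telemetry.

```python
from typing import Dict, List, Tuple

# Constructed IoC lists standing in for the cloud database of known-bad
# hashes, IPs and domains (placeholder values, not real indicators).
IOC: Dict[str, set] = {
    "sha256": {"0" * 63 + "1"},
    "ip": {"203.0.113.7"},
    "domain": {"bad.example"},
}
# Behavioural (IoA) rule inputs: parent/child images that together
# describe "Office app spawns a script host, which then adds persistence".
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}

# Constructed sensor telemetry, shaped after the event categories in the text.
EVENTS: List[dict] = [
    {"type": "process_create", "pid": 101, "ppid": 1, "image": "winword.exe", "sha256": "a" * 64},
    {"type": "process_create", "pid": 102, "ppid": 101, "image": "powershell.exe", "sha256": "b" * 64},
    {"type": "registry_modify", "pid": 102, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "network", "pid": 102, "domain": "bad.example", "ip": "198.51.100.4"},
    {"type": "process_create", "pid": 103, "ppid": 1, "image": "update.exe", "sha256": "0" * 63 + "1"},
]

def ioc_matches(events: List[dict]) -> List[Tuple[int, str, str]]:
    """Signature-style check: (event index, field, value) for every hash,
    IP or domain that is already on the IoC list. An unseen binary
    (event 1, hash "b"*64) is never reported here."""
    hits = []
    for i, ev in enumerate(events):
        for fld in ("sha256", "ip", "domain"):
            if ev.get(fld) in IOC[fld]:
                hits.append((i, fld, ev[fld]))
    return hits

def ioa_matches(events: List[dict]) -> List[Tuple[int, str, str]]:
    """Behavioural check: an Office app spawns a script host and that child
    writes a Run key. Returns (pid, parent image, child image); it needs no
    hash knowledge, so the unseen powershell chain is still caught."""
    image, parent, hits = {}, {}, []
    for ev in events:
        if ev["type"] == "process_create":
            image[ev["pid"]], parent[ev["pid"]] = ev["image"], ev["ppid"]
        elif ev["type"] == "registry_modify" and ev["key"].lower().endswith("\\run"):
            pid = ev["pid"]
            pimg = image.get(parent.get(pid))
            if image.get(pid) in SCRIPT_HOSTS and pimg in OFFICE_APPS:
                hits.append((pid, pimg, image[pid]))
    return hits
```

The IoC pass only fires once a hash or domain is already known, which is the limitation the CONS section notes for zero-day attacks; the IoA pass fires on the behaviour itself.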
The service works as a real-time data capturing tool: we continuously pump data into their cloud, where these packets and other pieces may be analyzed to find the root cause of an attack and to develop means of protection. This does mean actively hunting and searching your network for any manner of breach, and watching your workflow for any attacks that may be in progress. The Crowdstrike suite also utilizes endpoint activity monitoring, to watch for any potential attacks, breaches, or any kind of strategy being levied against our network. We can work in a general timeline of Breach Detection, Remediation and Cleaning, where the goals are to prevent the attack from occurring in the first place, to detect anything of a similar nature, and to lessen the time needed to clean up the affected processes while ensuring business continuity.

An example of the standard dashboard is as follows:

As displayed on the dashboard, we are able to see information pertaining to any user accounts and any suspected machines or files within a set amount of time. There is the ability to monitor any detections made, by cross-comparing hash values, methods of attack, and other incidents across the information sent to the cloud infrastructure, allowing for quick monitoring of our systems and user accounts across the board.

Adversaries are any of the systems that have launched attacks against our system; any detections are stored between the systems, showing the top perpetrators against the system. This also includes any domains that may be launching attacks. Detections are exactly what the name implies: you can track the type of detections and also the timeframe in which they occurred. This includes the number of files exposed, granting insight into the machines that were broken into and the number of machines across our network affected.

By clicking on the sections that include the detections and accounts, we are able to go through a much more detailed view of our systems, where we can see files detected or downloaded, services started or affected by the attack, or keep track of all traffic monitored across the chosen period. An example of this would be a prospective report of any attacks that may occur during a 30-day period, using the Endpoint Activity Monitoring (EAM) tool. We also have at our disposal various other analysis tools:

Through detections, we have a wide variety of information made available through the system. This includes the severity of the issue, along with a compiled list of resolved and unresolved issues and those that are verified threats. The items can be further examined in regards to the type of activity going on, where we can also assess the destination and the machine involved for further investigation and forensics.

Whenever a report comes into question, we have the ability to see all of the processes involved and the manner of exploit used as well. This gives much insight into the attack, and allows us to keep tabs on any recurrences that may happen in this manner.

Overall, Crowdstrike is a program suite that works well alongside other forensics programs. As it is another program that works well following an attack, there will still be a need to use other preventative software wherever necessary, as is generally the case for any and all similar endpoint technologies. The cloud services through Crowdstrike are a large resource for receiving all manner of information on preventative measures and anything else that would help with preventing attacks to begin with. With their databases being consistently updated with information from real systems and events, it will serve to keep everyone in a better state of mind when it comes to newer or older vulnerabilities rising up again.

PROS
- Incredibly rapid deployment of software and services
- 24x7 Intelligence and Security Operations
  o The Crowdstrike analysts assure us that they will be working around the clock and across the world to ensure business continuity
- General support across all platforms
- Very lightweight in terms of usage
- Easy UI for configuration and analysis
- Information is continuously updated in real time, kept retroactively, and kept in context for better understanding, serving as a bank of information for understanding your threats
- Pre- and post-incident tools available for Incident Response capabilities

CONS
- This is another software suite that increases the amount of information it can work with only as quickly as we are affected by attacks
- Real-time protection is beneficial; however, with a zero-day attack, this will only serve as an announcement to them
- They are continuously monitoring all traffic going across your network
- As this is endpoint protection, it would be advised to have other preventative software and the like as well

REFERENCES
I also spent time at the Crowdstrike booth at Blackhat 2015 discussing the program and was able
to see a live demonstration of the program. They later sent me information through email, which
would serve to assist in my studies.

CrowdStrike as a Service Datasheet 0415.pdf
CrowdStrike Falcon Datasheet 0415.pdf
