Crowdstrike Falcon is, largely, a threat-hunting tool that ties the endpoint tightly into its threat-hunting ecosystem. The focus is on malware, particularly very sophisticated malware, such as ransomware and advanced persistent threats. However, it is not restricted to attacks that depend on malware. The product also has excellent intrusion prevention/blocking capabilities as well. This includes exploit blocking, machine learning, behavioral blocking, IOC blocking, custom whitelisting/blacklisting, endpoint detection and response, forensic level visibility, along with its managed hunting. CrowdStrike Falcon is SaaS and requires no on-premise management hardware or infrastructure, but it does require a lightweight sensor at the endpoint.
We deployed our sensors to a couple of virtual machines in our virtual test beds and went out to the management console to see what it could find. This is a no-nonsense console. There are no graphs showing statistics. What you see is a menu of choices down the left side, all represented with icons that represent activity, investigate, hosts, configuration, dashboards, intelligence, users and support. This is a logical order, so we began with activity. All of the icons have submenus. When we hovered over activity we saw a submenu for detections. Going there, we saw nothing, as we expected.
Next, we attacked our endpoints with some malware and went back to the submenu. The ballgame had changed materially. We saw a high-risk threat. Expanding the selection, we saw a complete picture of how the malware attacked the system and attempted to spread and do its mischief. The malware was our old friend Locky. We saw that when we introduced it to the system it attempted to execute Winlogon, Userinit and, finally, Explorer. At that point, it was ready to begin executing which, we were assured, it did not do. The analysis was complete with hashes and attack chain. From this we could conclude that the file that introduced the malware into our system was Winlogon.
If we wanted a detailed history of activity on that particular machine we could go to investigate and get an entire history within a selected period of time. We could search by host - which we did - or hash (to see if a particular piece of malware had proliferated through the enterprise), or any of several other parameters.
Hosts can be managed through the hosts menus and we could build policies through the configuration menu. We went to the prevention policy submenu and saw that we had deployed a single policy called default. We could adjust that as we wished and added other policy along with or instead of the one we selected. Adjustment of policies is done by a simple on/off switch.
Dashboards can give overviews suitable for executives. These are familiar graphs. Detection activity is quite a bit more detailed with easy drill-downs. Finally, there a dashboard for detection resolution.
Intelligence is just what the name implies and takes advantage of CrowdStrike's superior intelligence feeds, plus others as you wish to add them. Ours took feeds from NetWiness, Snort/Suricata and Yara. The overall machine learning is a graph model so it has a sophisticated approach to analysis. This is a bit unusual in the treat-hunting industry. In fact, we've seen just one other company using this approach.
We were impressed with the CrowdStrike website. It contains just about anything you might need to help educate you on hunting, CrowdStrike or how other companies are using Falcon. There is easy access to Falcon support and assistance is comprehensive with basic no-cost aid for the life of your contract with CrowdStrike. As well, there are fee-based advanced options and CrowdStrike has a threat-hunting support team, called OverWatch, to help you with difficult hunting problems.
