Falcon Intelligence is the consumable output of the CrowdStrike Global Intelligence Team. Its purpose is to offer an in-depth and historical understanding of adversaries, their campaigns and their motivations, in the form of intelligence reports that provide real-time adversary analysis. The service, delivered as SaaS, is available in multiple subscription formats. Standard subscribers get access to actor profiles, the Falcon Intelligence APIs (Actor, Indicator) and Maltego transforms. We find the Maltego access extremely valuable.
Premium subscribers have access to strategic intelligence reports (HTML, PDF and via API), actor profiles, technical intelligence reports (HTML, PDF and via API), actionable intelligence feeds and indicator data, the Falcon Intelligence APIs (Actor, Indicator and Reports), a tailored intelligence API (custom keyword searching), custom malware analysis requests, requests for information (RFIs), and quarterly strategic intelligence briefings (webinars). There is also a specialized premium eCrime and targeted intrusion service, available at additional cost over the usual premium package.
This is not trivial to deploy, but the effort was worth it. On the surface, following the excellent documentation, it appears to be a simple task: deploying a sensor agent takes seconds. We deployed on a Windows Server 2008 host, and downloading and installing the agent took almost no time. Then things slowed down. A lot. We emailed support, but within five minutes, before we could cancel the request, the sensor finally appeared on the dashboard. After that, everything went smoothly.
The sensor communicates automatically with the cloud and then captures all of the data it needs to begin analysis. There are many options for how you analyze your system. There are also some more generic screens, such as the actor screens. It seems clear that CrowdStrike is more focused on espionage than on cybercrime: there are 59 espionage actors but only 12 criminal and 12 hacktivist actors. This makes Falcon a good way to augment a tool that covers cybercrime well but does not cover espionage as neatly. As if to confirm this conclusion, Falcon knows about 43 Chinese actors but only 16 from the Russian Federation. We assume that the eCrime version fills the cybercrime gap in the normal premium version that we reviewed.
To get started, we dropped into the Investigate menu, where we saw a complete picture of our host. This included not only static information but also process executions, admin tool usage, DNS requests and network connections. At a glance we could see the important issues on our test host. Drilling down on one of the DNS requests gave us an extremely detailed view of all of the activity associated with that request, and further drill-down gave us still more detail. We can easily imagine how readily an analyst could apply this tool forensically during an attack.
Support is included with the subscription, and once the product is up and running - not an onerous task by any means, but one that takes patience while the hosts populate the cloud dashboard - this is an excellent product. Documentation is clear and well written, and overall, even at its hefty price tag, this is absolutely a tool worth having for organizations concerned with cyberespionage, particularly financial institutions, government agencies and the like. If, for the extra money, the eCrime version covers the cybercrime arena as thoroughly as this version covers espionage, we would look to it as a general-purpose intelligence/analysis tool.