CrowdStrike Falcon combines threat intelligence, next-generation antivirus, endpoint detection and response (EDR) and managed hunting, delivered from the cloud. The company pioneered the use of indicators of attack (IOAs), behavioral indicators rather than file signatures, to protect against advanced persistent threats with or without malware. The 24/7 Falcon OverWatch team complements the tool's own detections, going beyond alert triage with proactive adversary and threat hunting across all monitored environments.
The solution focuses on stopping breaches from occurring through advanced detection, prevention, monitoring and granular search capabilities meant to protect against sophisticated threats and adversaries that may otherwise go undetected.
It is broken into two main parts: 1) A single, lightweight, intelligent sensor deployed to every endpoint, which gathers system events and takes proactive detection and prevention actions as necessary, with or without cloud connectivity. 2) The cloud-hosted CrowdStrike ThreatGraph, to which the sensor continuously streams that event data for correlation and analysis.
MalQuery is CrowdStrike's searchable malware database: file hashes seen on an endpoint are cross-referenced against it to obtain additional context. If a piece of malware is used repeatedly by an actor, the system can assign attribution and begin building a profile of how that adversary operates. This information is also fed into the sandbox report. Sandboxing is integrated into alerts, eliminating the need to deploy another appliance or add a separate console.
By following the comprehensive instructions provided, we found setup was straightforward. To put the tool through maneuvers, we ran our lab's toolsets on Windows Server 2016, Windows Server 2012 R2 and Windows 10, which CrowdStrike caught. We then navigated to the activity dashboard, which showed detections and an accurate number of detonations we had executed. We were truly impressed with the ease of navigation between the different applications and how interactive the dashboard is. An administrator or security analyst with little experience could navigate this product with a high degree of confidence in understanding an event. CrowdStrike impressively stopped all five testing detonations.
The ThreatGraph ingests the sensor data and produces a sophisticated, powerful graph of digestible and actionable information. It constantly analyzes that data to detect and establish behavioral patterns indicating new attacks. When we clicked on one of the incidents displayed under most recent detections, the tool populated a visual process tree of the incident. We found the process tree easy to navigate and the information in the details pane on the right side of the screen to be straightforward. This showed numerous details on execution, files, sandbox analysis, etc., helping organizations gain a clear understanding as quickly as possible without being overly technical.
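The process tree described above is built from the same raw material any EDR sensor collects: process-creation events, each carrying its own process id and its parent's. Linking those ids reconstructs the execution chain, and a behavioral rule over the chain is what an indicator of attack looks like in practice. The following is an added example, not code from CrowdStrike or from this review; the event fields (pid, ppid, image, cmdline, ts), the sample events and the Office-to-script-host rule are constructed for illustration and are not the Falcon sensor's schema or its detection logic.

```python
"""Reconstruct a process tree from endpoint sensor events.

Added example, not CrowdStrike's code. The event schema below (pid,
ppid, image, cmdline, ts) is a hypothetical simplification of what an
EDR sensor records, not the Falcon sensor's format, and the events are
constructed sample data.
"""
from collections import defaultdict

# Constructed sample telemetry: a phishing-style chain where Outlook
# spawns Word, Word spawns PowerShell, PowerShell spawns a further child.
EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"ts": 2, "pid": 200, "ppid": 100, "image": "OUTLOOK.EXE",    "cmdline": "OUTLOOK.EXE"},
    {"ts": 3, "pid": 300, "ppid": 200, "image": "WINWORD.EXE",    "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"ts": 4, "pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": 5, "pid": 500, "ppid": 400, "image": "rundll32.exe",   "cmdline": "rundll32.exe C:\\Users\\Public\\a.dll,Run"},
    {"ts": 6, "pid": 600, "ppid": 100, "image": "notepad.exe",    "cmdline": "notepad.exe"},
]

# Behavioral rule in the spirit of an indicator of attack: an Office
# application spawning a scripting host is suspicious regardless of
# whether any file on disk matches a known malware hash.
OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_tree(events):
    """Return (procs, children): pid -> event, and ppid -> [child pids] in start order."""
    procs = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        children[e["ppid"]].append(e["pid"])
    return procs, children


def ancestry(procs, pid):
    """Walk ppid links from pid up to the root; returns image names from root to pid."""
    chain = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)          # guard against cyclic or recycled pids in the telemetry
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def find_office_to_script(procs, children):
    """Return pids of script hosts whose direct parent is an Office application."""
    hits = []
    for pid, e in procs.items():
        parent = procs.get(e["ppid"])
        if parent and parent["image"].upper() in OFFICE and e["image"].lower() in SCRIPT_HOSTS:
            hits.append(pid)
    return hits


def render(procs, children, root, depth=0):
    """Render the subtree under root as indented lines, like a detection's process-tree pane."""
    lines = []
    for pid in children.get(root, []):
        e = procs[pid]
        lines.append("  " * depth + f"{e['image']} (pid {pid}) : {e['cmdline']}")
        lines.extend(render(procs, children, pid, depth + 1))
    return lines


if __name__ == "__main__":
    procs, children = build_tree(EVENTS)
    for pid in find_office_to_script(procs, children):
        print("suspicious chain:", " -> ".join(ancestry(procs, pid)))
    print("\n".join(render(procs, children, root=1)))
```

The rule fires on the parent-child relationship alone, which is the point of an indicator of attack: the PowerShell binary and the DLL it loads may both be unknown to any hash database, yet Word spawning a hidden, encoded PowerShell is the behavior an analyst wants surfaced, and the ancestry walk gives the full chain back to the user's shell for triage.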
Tested by Tom Weil and Matthew Hreben