top of page

Improve Identity Threat Detection with CrowdStrike Falcon

December was Interesting.

Ransomware attacks in the US were up 2.3x – yes, 233% – in the second half of 2021 compared to the first half.

And we attended a demo for CrowdStrike’s Falcon Identity Threat Detection (ITD) product. Falcon ITD enhances clients’ cyber defense against ransomware.

Given ransomware’s exponential rise in the last year, we are sharing a few highlights from the demo here:

  • Ransomware Trend #1: Defend identity access as much as the endpoint

CrowdStrike acquired Preempt in 2019 when their research findings showed endpoint and identity management needed better integration. From a MITRE ATT&CK framework perspective, ransomware is neither the beginning nor the end of the intrusion – but the monetization of it.

A ‘typical’ ransomware attack: Initial Access starts with legitimate credentials or a purchase on the Dark Web before proceeding through Execution, Persistence, and then ultimately to gain access to the wider organization (i.e. Lateral Movement). CrowdStrike adheres to the 1/10/60 Rule:

Within 1 minute, we must detect the attacker; Within 10 minutes, we must understand how they got there and isolate the attacker; and Within 60 minutes, we must remediate or the exploit becomes infinitely more difficult to contain.

While ransomware criminals continue to attack in complex ways, one common element is how identities are used at multiple steps along the attack. We at IX have seen examples where the attackers are even pursuing payment while simultaneously leaking credentials! One recent example that emphasizes the value of identities throughout the attack is, of course, SolarWinds. While we’re talking about SolarWinds…

  • Ransomware Trend #2: Third-party Supplier Risk

Any partner worldwide can be infiltrated via a patch vulnerability, and attackers are increasingly pivoting to prioritizing identity first.

A prime example: service accounts. A service account has privilege inside the environment, allowing one vector for attackers to exploit. A service account is generally an account where something served and performed a task, and it was not a human executing the task. If not used after 90 or 180 days, that account should be deactivated.

Moreover, service accounts may be dormant for many years before being exploited. A recent real-world example is a Pass-the-Hash (PtH) attack using a path 27 years after being found in Active Directory (AD). This vector is still prevalent and accessible.

A more painful and recent example is Log4j. For those at BlackHat in 2016, the technique underpinning the Log4j exploit was a topic even then, and yet it became a preferred attack vector in 2021!

To further drive this point home, Forrester cites 80% of data breaches have a connection to compromised privileged credentials. Verizon states 80% of breaches involve brute force or lost / stolen credentials.

A final case study on leveraging service accounts: Colonial Pipeline. The attacker used a dormant account to access its environment before it went laterally internally. The impact was substantial as the attack locked up more than 30,000 accounts and, of course, stopped the oil supply to the US Eastern seaboard.

The consensus from CS on Colonial Pipeline is that Multi-factor Authentication (MFA) was nullified In All Likelihood because this dormant service account used for the attack was excluded from the MFA roll-out, as opposed to human users who adopted MFA during the roll-out.

  • Ransomware Trend #3: Knock-on Effect to Cyber insurance

Customers’ insurance claims are being denied and their premiums are rising because insurance providers find the insured have serious gaps in their programs compared to the NIST and MITRE frameworks. 27% of US companies are starting to implement Zero Trust (ZT) policies, and 82% intend to adopt ZT.

  • Features Preview: How CS Falcon mitigates these increased risks

Identity Based Segmentation brings layers of control tied to credentials. It outlines every user group and then sets limits for those groups. CS Falcon sits on the domain controller with domain in the cloud. It looks for anomalous behavior and then blocks it there. Remote Desktop Protocol would be blocked and alert triggered, for example. Theoretically, this would stop Log4j, Gold Fort Kit, PtH, etc.

Valid accounts are the most common technique for establishing credentials and using them for execution, which are most often Command Prompt activities. CS Falcon also stitches identities together when personnel change roles, preserving one identity and lowering the attack surface. Anything that authenticates through AD, CS Falcon can validate.

Furthermore, CS Falcon uses conditional access to mitigate lateral movement as well as force MFA. Policies and protections built into this platform block requests for credentials. If blocked, it would not show up in the AD logs, but it would show up in the Falcon logs.

Falcon Consul Dashboard shows the characteristics of the account, whether privileged, stale, etc., trail of access attempts ahead of a lock-out, and geo tracking. Geo tracking checks whether anomalous behavior is an impossible “Superman attack” with logons from San Francisco one minute and then suddenly from Ukraine, for example.

Finally, CS Falcon sits in the middle with frictionless Zero Trust interaction. As a proud Preferred Partner of CrowdStrike, we at ImagineX Consulting are here to help demo the CrowdStrike product portfolio and select what’s right for strengthening your security posture, or continue to realize value from your investment for existing CS customers.


bottom of page