Hi stocknovice, thanks for linking that article, especially since I probably should have done the research myself to find the info.
The post begins by noting the Falcon platform already resists this type of attack three different ways …
Are you referring to this snippet: “Minimize the attack surface, detect and respond quickly, and mitigate an incident so it doesn’t turn into a breach.” If so, I think this is just a generic statement from CRWD on their cybersecurity approach, the gist of which is the second of these points, i.e. detect abnormal behaviour. CRWD prides itself on advanced techniques beyond basic virus/malware detection.
The article mentions lateral movement in the SolarWinds breach, which is basically that the initial breach was via a software patch, but then the attackers moved laterally to obtain credentials (e.g. valid user login/password) to continue their attack. This is where advanced techniques are needed; however, the attackers moved very slowly and used multiple credentials, which made the intrusion incredibly difficult to detect.
The most relevant statement in the CRWD post is (bolding mine): “An identity-centric approach, as would be required to disrupt these recent attacks, uses a combination of real-time authentication traffic analysis and machine learning (ML) analytics to quickly determine and respond to an identity attack being attempted or already in progress.” It would be interesting to understand how Falcon could have identified this attack just from the attackers’ behaviour. If the attacker is moving slowly and acting like a normal user, how could anyone tell, let alone AI/ML? Then again, they are not going to reveal their secrets, are they?
Ultimately I didn’t see any statement to the effect that Falcon could or did stop this attack before it happened. Among the many organisations that were breached over many months, weren’t there at least a few of them with CrowdStrike products installed? I would guess that there were some, but they were happy enough to get the new SolarWinds Vulnerability Dashboard to help them patch things up. And if Falcon did stop an attack, why didn’t CRWD trace it back to the software patch?
… and closes by listing multiple existing capabilities for defending against the SolarWinds incident. It came out shortly before SolarWinds started using CRWD to protect its endpoints.
I can’t say this is a guarantee Falcon would have prevented this hack, but CrowdStrike sure wasn’t shy about addressing it directly.
I think this is just good advertising by CRWD for their product. They’ve quickly added capabilities to help new and existing customers who were affected by the hack. Which is good, of course. But it was FireEye that found this breach, not CrowdStrike.
That said, there is now a rising tide in cybersecurity, from which CRWD, as the market leader, will benefit the most.
Long CRWD (top holding @ 21%)