Solarwinds hack and CRWD

Crowdstrike released this video explaining how Falcon can be used to assess vulnerability to the Solarwinds hack that may be of interest to this group. Will be very interesting to see how many new customers CRWD is adding this month.
https://www.youtube.com/watch?v=aE_Kgbv_xL0

Peregrine Trader put together a great Twitter thread describing many of the key elements of what is publicly known so far.
https://discussion.fool.com/the-russian-hack-way-worse-than-1st-…

Was particularly interested in the statements about the attacks being so bad that there is discussion about rebuilding systems from scratch. And that people in underground forums have been trying to sell the exploit since 2017.

https://www.reuters.com/article/global-cyber-solarwinds/hack…

38 Likes

“solarwinds123”

Wow #Thiscompanyisreallystupid

Andy

1 Like

Many people are worried about what the recent cyber hacks mean for Crowdstrike. I think it’s a substantial tailwind for Crowdstrike. Crowdstrike has one of the best cyber security solutions. Crowdstrike is the least likely to be hacked. Even if Crowdstrike is hacked, what are they going to do? Who do they switch to? Maybe the other companies are much worse. No company is perfect in this world. So in the event Crowdstrike is hacked, they will learn from it and improve further.

After recent hacks, there will be more investment into cyber security across the industry, both private and government. This will be a tailwind for Crowdstrike for at least 1 year. Even FireEye stock skyrocketed after FireEye was hacked. It was not FireEye’s fault, it was SolarWinds. FireEye discovered the hack and let everyone know.

1 Like

Is there any evidence that Crowdstrike would have prevented the SolarWinds penetration? My sense is that this was a highly sophisticated attack.

While I’m happy to be a CRWD owner, methinks the market response on this issue alone is unmerited.

🆁🅶🅱
post tenebras lux
For not in my bow do I trust, nor can my sword save me.

3 Likes

Makes me feel good that SolarWinds deployed Crowdstrike after finding the hack: https://www.crn.com/news/security/solarwinds-deploys-crowdst…

Gordon
Long CRWD and ZS

2 Likes

RGB,

My view is that SolarWinds immediately announcing they have implemented Crowdstrike’s product is a pretty good sign they at least thought it would have better detected/mitigated the attack than what they were using.

It was my view that previously the market wasn’t fully giving Crowdstrike a fair valuation relative to its growth outlook and extremely high levels of profitability along with that growth. (The FCF they have been reporting is very impressive.)
The Russia hacking story will only accelerate the need for their product.

Bnh

4 Likes

There is no justice in the world. Solarwinds should have purchased the FireEye service, not CRWD. It was FireEye that spent the money to research and share the details of the CozyBear APT29 Solarwinds hack. CRWD leveraged this information for their own sales pitch. FEYE, being a good citizen, shared all details of the exploit and corrective actions to the community long before this became public. They could have kept the exploit to themselves to capitalize on while other competitors flailed to investigate. This is why FEYE is a trusted partner of the FBI/CIA and many allied heads of state.

There really is no profit in exploit research other than building reputation, and FireEye’s Incident Response capabilities are number 1. It has always been this way. And I may whine on justice, but my money is on CRWD. I sold all my FEYE stock a year ago when I retired. My money is on CRWD. My heart is with FEYE.

-zane

17 Likes

If FireEye was really a good citizen it would have reported the problem publicly, letting its non-insider investors know the facts.

After recent hacks, there will be more investment into cyber security across the industry, both private and government. This will be a tailwind for Crowdstrike for at least 1 year. Even FireEye stock skyrocketed after FireEye was hacked. It was not FireEye’s fault, it was SolarWinds. FireEye discovered the hack and let everyone know.

I have read that both FEYE and SWI have brought in CRWD after the hack. SWI has 400 of the Fortune 500 as clients. I’m betting that some of that business will migrate to CRWD also.

Rob

1 Like

RoyGeeBiv,

Looks like your question about Crowdstrike’s ability to prevent the SolarWinds attack has been answered in the SA news link below.

https://seekingalpha.com/news/3647401-crowdstrike-was-target…

For those that don’t want to go to the link: the hackers attempted to attack them and failed. I have no doubt this is good PR and will drive many more companies to adopt their product. As we know, each additional customer makes the product stronger.

Happy holidays- long CRWD
Bnh

15 Likes

Ahhh… thanks for that. Hope CRWD stays solid here. More here on how CRWD is proactively serving the security community.
https://www.crowdstrike.com/blog/crowdstrike-launches-free-t…

🆁🅶🅱
post tenebras lux
For not in my bow do I trust, nor can my sword save me.

Bnh,

That article describes how hackers were unable to penetrate CRWD itself.

However I took RGB’s question to be whether CRWD could have prevented one of its customers from being attacked. If so, it could drive the stock price higher. I haven’t seen anything stating this yet.

5th

1 Like

However I took RGB’s question to be whether CRWD could have prevented one of its customers from being attacked. If so, it could drive the stock price higher. I haven’t seen anything stating this yet.

https://www.crowdstrike.com/blog/identity-security-lesson-fr….

The post begins by noting the Falcon platform already resists this type of attack three different ways and closes by listing multiple existing capabilities for defending against the SolarWinds incident. It came out shortly before SolarWinds started using CRWD to protect its endpoints.

I can’t say this is a guarantee Falcon would have prevented this hack, but CrowdStrike sure wasn’t shy about addressing it directly.

25 Likes

Hi stocknovice, thanks for linking that article, especially since I probably should have done the research myself to find the info 🙂

The post begins by noting the Falcon platform already resists this type of attack three different ways …

Are you referring to this snippet: “Minimize the attack surface, detect and respond quickly, and mitigate an incident so it doesn’t turn into a breach”? If so, I think this is just a generic statement from CRWD on their cybersecurity approach, the gist of which is the second of these points, i.e. detect abnormal behaviour. CRWD prides itself on advanced techniques beyond basic virus/malware detection.

The article mentions lateral movement in the SolarWinds breach, which is basically that the initial breach was via a software patch, but then the attackers moved laterally to obtain credentials (e.g. a valid user login/password) to continue their attack. This is where advanced techniques are needed; however, the attackers moved very slowly and used multiple credentials, which made the intrusion incredibly difficult to detect.

The most relevant statement in the CRWD post is (bolding mine) “An identity-centric approach, as would be required to disrupt these recent attacks, uses a combination of real-time authentication traffic analysis and machine learning (ML) analytics to quickly determine and respond to an identity attack being attempted or already in progress.” It would be interesting to understand how Falcon could have identified this attack just from the attackers’ behaviour. If the attacker is moving slowly and acting like a normal user, how could anyone tell, let alone AI/ML? Then again, they are not going to reveal their secrets, are they?

Ultimately I didn’t see any statement to the effect that Falcon could or did stop this attack before it happened. Among the many organisations that were breached over many months, weren’t there at least a few of them with Crowdstrike products installed? I would guess that there were some, but they were happy enough to get the new SolarWinds Vulnerability Dashboard to help them patch things up. And if Falcon did stop an attack, why didn’t CRWD trace it back to the software patch?

… and closes by listing multiple existing capabilities for defending against the SolarWinds incident. It came out shortly before SolarWinds started using CRWD to protect its endpoints.

I can’t say this is a guarantee Falcon would have prevented this hack, but CrowdStrike sure wasn’t shy about addressing it directly.

I think this is just good advertising by CRWD for their product. They’ve quickly added capabilities to help new and existing customers who were affected by the hack. Which is good, of course. But it was FireEye that found this breach, not Crowdstrike.

That said, there is now a rising tide in cybersecurity, from which CRWD, as the market leader, will benefit the most.

Long CRWD (top holding @ 21%)

3 Likes

5th horseman,

I was referring to this portion of the post a little further down:

"CrowdStrike® customers using the Falcon Identity Protection solutions are already protected from the recent attacks in three ways. They are:

1. Proactively protected by the ability to reduce the attack surface with better IT hygiene through the understanding of protocol vulnerabilities (e.g., NTLM), identification of stale privileged accounts, mapping of all service accounts, and other exposures of the identity store
2. Able to mitigate an attack in progress by detecting, in real time, identity-based attack vectors, including the lateral movement techniques used with victims of the SolarWinds breach
3. Protected by an automated response of the use of identity-specific attacks, including some of the attack testing tools that were stolen as part of the FireEye breach

In addition, CrowdStrike customers already have several capabilities to help defend against the recently disclosed SolarWinds incident:

* Use CrowdStrike Threat Graph® to identify affected hosts:
  * The new SolarWinds Vulnerability Dashboard identifies hosts with IOCs related to the SolarWinds vulnerability, including a look-back ability to see which devices have written the compromised files in the last 90 days.
  * The Indicator Graph allows customers to determine whether there has been evidence of affected files and hosts in the past year.

* Identify new incidents with specific ML detections:
  * Customers will see detections for IOCs related to the SolarWinds vulnerability on hosts with the Cloud ML detection option enabled."

I’m no techie, but that sounds like more than just boilerplate advertising to me. Granted, it doesn’t specifically state Falcon would have prevented this breach, but it very clearly says “protected” and “defend”. I’ll leave it to others more technically inclined to break down the details. All I can say is it reads like a pretty confident response from a company that was not directly involved in this incident. If CRWD determined Falcon had similar vulnerabilities, they probably should have kept their mouth shut and gone back to the lab to fix the flaws. But that’s not what they did. For better or worse, I’m viewing that as a positive.

23 Likes
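A toy illustration of two of the identity-centric checks named in the quoted CrowdStrike post (counting distinct hosts an account reaches, as a lateral-movement indicator from authentication traffic, and finding stale privileged accounts), and of 5th horseman's point that an attacker touching one new host a day stays under a daily threshold but not under a longer look-back. This is added example code, not CrowdStrike's or Falcon's logic; the logon events, host names and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(day, hour, account, src, dst):
    return (datetime(2020, 12, day, hour), account, src, dst)


# Constructed sample logon events, not real telemetry: (time, account, source host, target host).
EVENTS = [_ev(d, 9, "jdoe", "WS-0042", "FS-01") for d in range(1, 11)]          # routine daily logons
EVENTS += [_ev(d, 14, "jdoe", "WS-0042", f"SRV-{d:02d}") for d in range(3, 11)]  # one new server per day
EVENTS += [(datetime(2020, 8, 15, 2), "svc_backup", "BK-01", "FS-01"),            # privileged, last seen in August
           _ev(8, 10, "adm_jane", "WS-0007", "DC-01")]                           # privileged, recent
PRIVILEGED = {"svc_backup", "adm_jane"}   # constructed list of privileged accounts
NOW = datetime(2020, 12, 10, 23)          # end of the observation period in the sample


def distinct_targets(events, window_end, window_days):
    """Count distinct target hosts per account within the look-back window."""
    start = window_end - timedelta(days=window_days)
    targets = defaultdict(set)
    for ts, account, _src, dst in events:
        if start <= ts <= window_end:
            targets[account].add(dst)
    return {account: len(hosts) for account, hosts in targets.items()}


def fanout_alerts(events, window_end, window_days, max_hosts):
    """Accounts reaching more distinct hosts than allowed in the window (lateral-movement indicator)."""
    counts = distinct_targets(events, window_end, window_days)
    return {account for account, n in counts.items() if n > max_hosts}


def stale_privileged(events, privileged, now, max_idle_days):
    """Privileged accounts with no logon within max_idle_days (attack-surface hygiene check)."""
    last_seen = {}
    for ts, account, _src, _dst in events:
        if account in privileged:
            last_seen[account] = max(ts, last_seen.get(account, ts))
    return {a for a in privileged if a not in last_seen or (now - last_seen[a]).days > max_idle_days}


if __name__ == "__main__":
    print("1-day window:", fanout_alerts(EVENTS, NOW, 1, 3))    # slow attacker stays under a daily threshold
    print("30-day window:", fanout_alerts(EVENTS, NOW, 30, 3))  # but exceeds it over a longer baseline
    print("stale privileged:", stale_privileged(EVENTS, PRIVILEGED, NOW, 90))
```

Real identity-protection products compare each account against its own learned baseline rather than a fixed threshold, but the window-length effect shown here is the same.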

I’m no techie, but that sounds like more than just boilerplate advertising to me. Granted, it doesn’t specifically state Falcon would have prevented this breach but it very clearly says “protected” and “defend”.

Good intuition. Spot on.

Let’s dance around the problems of others.

For those that don’t want to go to the link. The hackers attempted to attack them and failed.

CRWD has a good security system, but I suspect Microsoft gets credit for that particular catch. What I read on CNBC is that Microsoft informed Crowdstrike of an attempt by hackers to read Crowdstrike emails via a Microsoft “resellers” account. That sounds like Microsoft caught it, not Crowdstrike.

https://www.cnbc.com/2020/12/24/suspected-russian-hackers-ma…

The pertinent part of the story says,
CrowdStrike said that it was alerted by Microsoft on Dec. 15 that the hackers had tried to read CrowdStrike’s emails using a Microsoft reseller’s account “several months ago.” CrowdStrike said in its blog post that the attempt failed.

Here is another story:
https://thehackernews.com/2020/12/microsoft-warns-crowdstrik…

It sounds like Crowdstrike is a customer of Microsoft’s cloud services and Microsoft saw a penetration attempt. Or perhaps Microsoft monitors its reseller accounts for suspicious activity and saw it there.

5 Likes

Hi Fifth.

Ultimately I didn’t see any statement to the effect that Falcon could or did stop this attack before it happened. Among the many organisations that were breached over many months, weren’t there at least a few of them with Crowdstrike products installed? I would guess that there were some, but they were happy enough to get the new SolarWinds Vulnerability Dashboard to help them patch things up. And if Falcon did stop an attack, why didn’t CRWD trace it back to the software patch?

I think these are all great questions to ask CRWD IR. The way I am thinking of this is until I see proof that Crowdstrike was hacked, then I have to assume they weren’t. It is spelled out very succinctly exactly who was hacked. The question I have is, if Crowdstrike was hacked, where is your proof? I haven’t seen a single article yet that they have been.

Also, I haven’t seen anything on Okta either. I find that interesting only because Okta manages identity. Maybe Okta is really doing a great job also.

Andy

2 Likes