
Crowdstrike's Falcon platform uses AI-powered threat detection to identify and respond to cyber threats in real-time. This allows organizations to detect and contain threats quickly, minimizing the damage.
Crowdstrike's investigation process involves collecting and analyzing endpoint data to identify the root cause of a threat. This data includes system logs, network traffic, and behavioral data.
By using Crowdstrike's investigation and response capabilities, organizations can reduce the time it takes to detect and respond to threats from days to minutes. This is a significant improvement over traditional security methods.
Crowdstrike's Falcon platform can also automate many of the manual tasks involved in investigation and response, freeing up security teams to focus on higher-level tasks.
Readers also liked: Crowdstrike Response to Delta
What Happened
The incident that led to the outage was caused by a new feature added to CrowdStrike's sensor in February. This feature aimed to provide visibility into possible novel attack techniques that could abuse certain Windows mechanisms.
CrowdStrike introduced this feature to enhance its security capabilities, but it ultimately caused the outage. The exact nature of the feature and how it contributed to the outage is not specified in the statement.
The company has acknowledged the incident and is focused on using the lessons learned to improve its services.
You might enjoy: What Is the Primary Feature of a Viatical Settlement
Security Incident Investigation Best Practices
Security incident investigation is a complex process that requires a structured approach to ensure thoroughness and efficiency. Act quickly to investigate high-severity detections immediately. This is because the longer you wait, the more damage a threat can cause.
To gain deeper visibility into compromised hosts, use Real-Time Response (RTR). This feature allows you to run diagnostic commands and gather more details about the affected host.
Here are the key steps to follow when performing a live investigation using RTR:
- Click on the affected host and select Real Time Response (RTR).
- Run diagnostic commands to gather more details:
- Check network connections:
Once you've gathered the necessary information, it's essential to contain the threat to prevent further damage. Contain the threat first, and then investigate second. This approach will help you prevent the threat from spreading and make it easier to investigate.
To gain a deeper understanding of the threat, use Falcon OverWatch for proactive security monitoring. This feature will help you identify potential threats and take proactive measures to prevent them.
Broaden your view: Hazard Prevention and Control Should Contain Both
Here are the key best practices to follow when investigating security incidents:
✅ Act Quickly – Investigate high-severity detections immediately.
✅ Use Real-Time Response (RTR) – Gain deeper visibility into compromised hosts.
✅ Contain First, Investigate Second – Prevent further damage by isolating threats.
✅ Enable Threat Hunting – Use Falcon OverWatch for proactive security monitoring.
Threat Containment
Threat Containment is a crucial step in the Crowdstrike investigation process. It helps prevent the spread of malware and allows for a more thorough investigation.
To contain a threat, you can quarantine the host. This involves selecting the affected endpoint in Host Management and clicking Contain Host to isolate it from the network.
This process prevents further spread while investigation continues. It's a simple yet effective way to contain the threat and prevent it from causing more harm.
By following these steps, you can effectively contain the threat and move forward with the investigation.
Additional reading: Avoid Prevent Burnout Work
Threat Hunting
Threat hunting is a crucial step in a Crowdstrike investigation. It involves searching for related threats to identify potential attack vectors.
To start, navigate to Threat Intelligence > IOCs. This is where you'll find valuable information about file hashes, domains, and IP addresses linked to the attack.
Search for any relevant file hashes, domains, or IP addresses that may be connected to the attack. This will help you understand the scope of the incident.
Cross-check detections to see if other endpoints were affected. This will give you a clear picture of the attack's impact.
Here's a step-by-step guide to help you navigate the threat hunting process:
- Navigate to Threat Intelligence > IOCs.
- Search for file hashes, domains, or IP addresses linked to the attack.
- Cross-check detections to see if other endpoints were affected.
Prevention and Best Practices
Act quickly in the face of a high-severity detection, and investigate immediately to minimize damage.
Using Real-Time Response (RTR) can give you a deeper understanding of the compromised host, helping you make informed decisions.
Contain the threat first, and then investigate second, to prevent further damage and limit the attack's impact.
Enabling threat hunting with Falcon OverWatch can help you proactively monitor your security and stay one step ahead of potential threats.
Take a look at this: Risk Identification Asset Threat Vulnerability
Information Gathering
Information Gathering is a crucial step in any Crowdstrike investigation. You can gather high-level information through the Crowdstrike platform, which includes the detected time, hostname and user involved, tactic and technique, and IOA name and description.
The detected time is typically displayed in a format like Mar. 9, 2024 13:38:08, providing a clear timestamp for the investigation. The hostname and user involved can be identified through the Crowdstrike platform, which helps to narrow down the scope of the investigation.
Falcon Intel via Intelligence Indicator — Domain is a tactic and technique that can be used to gather information. This means that the domain has been identified as malicious through Falcon Intelligence. The IOA name is typically IntelDomainMedium, and the description provides more context about the type of intelligence gathered.
In some cases, the triggering indicator may be associated with a defanged URL, such as moemaldives[.]pmd-office[.]com. This URL may have been identified as malicious through other means, such as VirusTotal.
You might enjoy: What Types of Investments Are Typically in Target Date Funds
To gather more information, you can also review the screenshot provided, which may show a child process WINWORD.EXE nested under explorer.exe. This suggests that a Word document was accessed or opened by the user. Additionally, clicking on the "Related Intelligence" tab can reveal more information about the associated domain.
Here are some key steps to gather information in a Crowdstrike investigation:
- Review the detected time and hostname and user involved.
- Identify the tactic and technique used, such as Falcon Intel via Intelligence Indicator — Domain.
- Examine the IOA name and description for more context.
- Review the screenshot provided for additional information.
- Click on the "Related Intelligence" tab to gather more information about the associated domain.
By following these steps, you can gather high-level information and begin to piece together the details of the investigation.
Real-Time Response
Real-Time Response is a crucial step in a CrowdStrike investigation. It allows you to gather more details about the affected host.
To perform a Live Investigation Using Real Time Response (RTR), click on the affected host and select Real Time Response (RTR).
Run diagnostic commands to gather more details. This includes checking network connections.
Here's a quick rundown of what you can check:
- Network connections
This will help you understand the scope of the issue and identify potential malicious activity. Remember to act quickly, as high-severity detections require immediate investigation.
View Active Detections
To view active detections, navigate to Activity > Detections in the left-hand menu. You can then filter results by various criteria to focus on the most critical events.
Filtering results by severity level is a good starting point. As a SOC analyst, you'll prioritize events based on their severity level, ranging from Critical to Low. In this case, we're working with a Medium severity detection.
The CrowdStrike interface provides a wealth of information about each detection. Reviewing the Network Operations, Disk Operations, and DNS requests can give you a high-level overview of potential malicious activity. Here are some specific details to look out for:
- 50 network operations conducted, potentially connecting to malicious IPs
- 58 instances of Disk Operations recorded, indicating further investigation is warranted
- 28 DNS requests recorded, with a possibility of one or more being malicious
By gathering this high-level information, you can quickly determine if further investigation is needed to validate the findings.
Live Investigation with Real-Time Response
To perform a live investigation using Real Time Response (RTR), click on the affected host and select RTR.
You'll then need to run diagnostic commands to gather more details. This can include checking network connections, which is a crucial step in understanding the scope of the incident.
Here are the steps to take:
- Click on the affected host and select Real Time Response (RTR).
- Run diagnostic commands to gather more details.
The first diagnostic command you should run is to check network connections.
What Is?
CrowdStrike is a cybersecurity company that specializes in threat intelligence, endpoint detection and response (EDR), next-generation antivirus (NGAV), and managed hunting services.
Their cloud-delivered endpoint protection platform, CrowdStrike Falcon, is designed to detect, prevent, and respond to cybersecurity threats across various endpoints.
CrowdStrike Falcon is used to protect workstations, servers, and mobile devices.
The company occupies a distinguished position as a "Leader" in the Gartner Magic Quadrant for Endpoint Protection Platforms (EPP).
CrowdStrike Falcon is a cloud-delivered endpoint protection platform.
A SOC analyst dealing with investigating and resolving incidents in CrowdStrike can benefit from this investigation.
Premier Cyber Security Portal
Crowdstrike investigation is a game-changer for cyber security.
Crowdstrike Falcon, a cloud-native endpoint protection platform, is used by over 4,000 customers worldwide.
It's impressive to think about the vast amount of data Crowdstrike collects, with over 1 billion sensors deployed across the globe.
The Crowdstrike Falcon platform is designed to detect and prevent even the most sophisticated cyber threats.
Crowdstrike's AI-powered threat graph is a key component of its platform, analyzing billions of signals in real-time to identify potential threats.
The result is a highly effective cyber security solution that has been proven to stop even the most advanced attacks.
Crowdstrike's success can be attributed in part to its ability to stay ahead of emerging threats, with its research team identifying and mitigating over 100,000 malware variants every day.
Featured Images: pexels.com


