Recently, CrowdStrike introduced the new CrowdStrike® Incident Workbench, a more effective and efficient way to visualize and prioritize security incidents. With alert fatigue so prevalent among security teams, CrowdScore™ and the Incident Workbench are designed to improve response times and present meaningful metrics to help security teams optimize decision-making.
As a user of the CrowdStrike Falcon® platform, I wanted to better understand how the Incident Workbench would affect my day-to-day workflow. In this article, we’ll walk through an active attack detected by Falcon and leverage CrowdScore to understand what happened and how best to respond.
Falcon Standing By
We start by setting up a Windows 7 system running Falcon under a detection-only policy. Typically, Falcon would be deployed with prevention enabled, but using a detection-only policy gives us the best opportunity to see what the Incident Workbench can do for us.
To begin, we’ve successfully gained SYSTEM privileges by leveraging Metasploit to exploit a Windows 7 system susceptible to last year’s BlueKeep vulnerability. We’ve dumped user credentials and also installed a persistent backdoor to remotely access the system at any time thereafter. Despite Falcon not running in full prevention mode, the powerful endpoint detection and response (EDR) capabilities of Falcon InsightTM continue to provide visibility into the attack. Let’s examine more closely what Falcon observed, leveraging the Incident Workbench.
1. First, we log in to the Falcon console, and in the left menu click on Incidents under Activity. This will show the Incident Workbench view. Note that a new incident has appeared, and a score has already been assigned based on the detections associated with our attack. If we had a variety of attacks occurring, the varying scores assigned to the associated incidents would help us prioritize where we should focus our incident response efforts.
Figure 1. CrowdScore Incident Workbench View (click image to enlarge)
2. Clicking into the incident, we can pivot to the Graph view, which includes the timeline above and displays a high-level view of all of the hosts and processes involved in the compromise. Clicking on each process will provide more details on what events transpired.
Figure 2. Graph View (click image to enlarge)
Each view has its own advantages. In my testing, the number of hosts and events involved will determine which view is easiest to navigate. I like the clean look of the Graph view, so let’s step through the events using that mode.
3. Next, we click on the red spoolsv.exe node and then expand the window that opens. We see that Falcon detected credential-dumping activities.
Figure 3. Credential Dumping Detected (click image to enlarge)
4. Now, we scroll to the bottom and expand the Network operations section, and we can confirm that our attacker system (10.0.1.18) via port 4444 was connected to our Windows 7 system (10.0.1.15) and performed this malicious activity.
Figure 4. Network Operations View (click image to enlarge)
5. Close this window and click on its parent process node, services.exe. Scroll to the bottom and expand the Registry operations section. Here we see the backdoor that was installed as a service and then executed from C:WindowsTEMPdefault.exe.
Figure 5. Registry Operations View of Backdoor (click image to enlarge)
6. Let’s close this window and click on the red default.exe node that’s the grandchild process of the second services.exe process node. You’ll note that Falcon has detected this executable to be malicious, based on its tactics and Falcon’s own machine learning.
Next, we scroll to the bottom and expand the Network operations section. This is the backdoor installed on the Windows 7 system (10.0.1.15) reconnecting after reboot to our attacker system (10.0.1.18) on port 4444 that is running the Metasploit exploit handler.
Figure 6. Network Operations with Backdoor Installed on a Windows 7 System (click image to enlarge)
You can see that the Incident Workbench is a powerful tool that combines a number of useful features into one platform: a clear timeline of events, detailed malicious activity grouped by type, and interactive visuals. For an incident responder, having this kind of information so easily accessible and digestible greatly speeds up the time to understand an incident and take appropriate actions.
Now that we have a clear picture of what the attacker did, we can respond in a number of ways. First, we can use Falcon Real Time Response to remotely kill all active malicious processes. Next, we can download a copy of the backdoor and any other notable artifacts for further offline analysis and indicator of compromise (IOC) creation. We can then proceed to remove the backdoor and other malicious files from the system. Finally, let’s not forget to adjust our Falcon policy to prevent this type of activity from occurring in the first place!
Imagine trying to investigate this incident using traditional methods: poring over volumes of disparate system and network logs to manually create a timeline, analyzing memory dumps to determine specifically what transpired and then trying to correlate all of that data to hopefully draw conclusions and respond appropriately. On top of all of this, now imagine having multiple ongoing incidents and trying to quickly prioritize which to respond to first.
No thanks.
Conclusion
We’ve now seen how the Incident Workbench lets us quickly analyze an ongoing incident. By grouping related incidents and attaching a score, we can more easily prioritize our incident response efforts, ultimately leading to shorter remediation times. With the new Incident Workbench, we can easily step through an attack and quickly pivot to Real Time Response to take any necessary actions. Hopefully, this walkthrough gives you a good idea of how your team can use CrowdScore and the Incident Workbench to more efficiently respond to incidents.
About the Author
Eric Ooi is an information security professional focused on vulnerability management, network security monitoring, and incident response. His credentials include: GCIH, GCIA, GIAC Advisory Board, OSCP, and CISSP.
Visit Eric’s website and learn more: ericooi.com
Leave a Reply