Taking Protection to a New Level: CrowdStrike Announces its $1 Million Breach Prevention Warranty
Although many industries have long offered product warranties to assure customers the products they purchase will function as advertised, this has not been true for cybersecurity.

When a security product fails, customers have had little recourse — until now. CrowdStrike® is thrilled to be changing the game once again by offering our customers a $1 million warranty on our most comprehensive solution, CrowdStrike Falcon EPP Complete™. The warranty covers a range of expenses should EPP Complete fail to protect your organization as expected, and what’s more — it’s included with the solution at no charge.

Falcon EPP Complete is a unique offering that combines the effectiveness of the Falcon platform with the efficiency of a dedicated team of security professionals.

It ensures that all aspects of endpoint security are handled — from onboarding, configuration and maintenance to monitoring, alert handling and remediation.

CrowdStrike is so confident in Falcon EPP Complete’s breach protection capabilities that we have established a breach warranty of up to $1 million in the event that a customer using EPP Complete experiences a breach within their protected environment that EPP Complete should have prevented. If a legitimate breach occurs, we’ve made the warranty easy to implement, without unachievable requirements or hidden caveats. And the beauty is that the warranty is included in the purchase price of the product. All new EPP Complete clients are eligible for this warranty.

If the warranty is triggered, it provides a broad spectrum of benefits that cover the following breach response expenses: incident response, legal fees, notification, credit monitoring, forensic investigation and public communications expenses. Also, for customers who are developing an overall cyber risk management program that balances cyber risk mitigation against cyber risk transfer, Falcon EPP Complete is the ideal solution. If a Falcon EPP Complete customer experiences a breach, the breach prevention warranty transfers risk from the customer to CrowdStrike.

The benefits for CrowdStrike customers are self-evident: The warranty provides an extra layer of protection at no additional cost.

The combination of the efficacy and simplicity of EPP Complete with the CrowdStrike warranty gives our customers ultimate peace of mind, relieving anxiety and financial loss if an unexpected breach occurs, and making the breach response process more convenient, efficient and stress-free.

With this warranty for CrowdStrike Falcon EPP Complete, we are demonstrating our confidence in the most tangible way possible: by giving customers the peace of mind and financial assurance they deserve.


Growing use of Python malware hints at malware authors’ development

In 2018, there have already been several instances of malware with components written in Python. This was a developing trend across 2017 and is widely seen as either lower-level actors trying their hand at malware development or proof-of-concept work. However, recent developments suggest that the threat landscape has moved beyond lower-level actors’ use of Python, with examples of the language becoming much more commonplace.

Strategic assessment:

PyCryptoMiner was the first example of this development in 2018. Identified by F5 Labs, the crypto miner had recently been extended to leverage CVE-2017-12149 on JBoss servers. Initially it used dictionary and brute-force attacks against the SSH login credentials of target Linux systems, deploying a base64-encoded Python script designed to connect to the C&C server. The additional payloads were also written in Python.

Palo Alto also identified Python-based malware dubbed “PowerStager”. Thematically, Python-based malware often targets Linux systems, most likely because of the development environments the malware was written in. However, PowerStager generates Windows executables and then launches PowerShell scripts in order to execute a shellcode payload. It also had several configuration options, suggesting the authors were much more organised, and potentially more skilled, than previously seen.

The targeting of a Brazilian management institution by two different versions of CannibalRAT, written in Python, also highlights an example where potentially more skilled actors have switched to Python. The code targeted INESAP users and, given its sole targeting of Brazil and its use of obfuscation, Talos suggested it could have been used for cyberespionage purposes.

It is noted that most malware making use of Python scripts relies on other languages for additional functionality. In the latest example, a backdoor identified by AlienVault, 50% of the code was written in Python. However, the language’s ubiquitous use in malware development is an increasing trend, perhaps most poignantly seen in the GitHub DDoS ransom note. According to Cybereason, the note was written in a line of Python code that was repeated multiple times.

Historically, Python-based malware was an indication of lower-skilled actors, as Python is viewed as a gateway language for learning to code. However, with more groups leveraging such scripts in successful operations, this argument seems harder to sustain.

Microsoft vulnerabilities observed as the most heavily targeted attack vector of 2017

According to research, 7 of the 10 most exploited flaws of 2017 were in Microsoft products, with two of these rated critical. This is a noticeable change from previous years, when Adobe Flash was the most commonly exploited attack vector. There has also been a decrease in exploit kit development, down 62% in 2017. While this change may suggest Adobe Flash is less exploited and better protected than it was before, it gives troubling indications for Microsoft vulnerabilities. Not only do Microsoft products account for most of the vulnerabilities most popular with threat actors, several of these flaws were not patched for several months despite being recognised and observed by Microsoft and several threat detection companies. Three of the vulnerabilities in the top 10 also appeared in the same list in 2016.

Strategic assessment:

The 7 vulnerabilities that made the top 10 list specifically targeted Microsoft’s Windows, Office, Edge and Internet Explorer products. Furthermore, the two critical vulnerabilities were observed to allow threat actors to execute code directly on a target machine as well as to access, modify and delete data.

One of these critical vulnerabilities was CVE-2017-0199, which was identified and patched in April 2017, yet had already been in active exploitation for three months by that time, indicating weaknesses in Microsoft’s reactive mitigation. The vulnerability allowed arbitrary code to be executed on a victim’s machine, opening up a vast array of further attack vectors.

Furthermore, this vulnerability took advantage of the Object Linking and Embedding (OLE) feature to insert foreign files into a user’s system. This is a well-known attack vector, with OLE having been used in almost every previous vulnerability relating to Microsoft Office. Microsoft spent several months investigating it, unaware it was in active exploitation.

The second critical vulnerability, CVE-2017-0189, was an escalation of privilege flaw, allowing threat actors to create new user accounts with full user rights. Yet this vulnerability too was only patched after significant exploitation, with appearances in around a dozen exploit kits and builders. This again raises questions about Microsoft’s ability to patch issues before they become heavily exploited, and is something to watch over 2018.

Interestingly, the growing sophistication of browsers has helped to narrow the scope of exploitable vulnerabilities. For example, the “click to play” setting in Chrome is enabled by default and has been seen to limit the exploitability and impact of many Adobe Flash Player related vulnerabilities. Users also visit sites with Flash less often, dropping from 80% of users per day in 2014 to 17% in 2017. This indicates that the rise of Microsoft products to the top spot may simply be because other vulnerabilities are being defended against more effectively, alongside a proactive push from the industry to decrease reliance on Flash, the cause of so many problems, which is expected to reach its end of life by 2020.

Microsoft Fixes 66 Bugs in April Patch Tuesday Release

Target: Users using the affected software.

Attack Vector: Various methods of delivery.

Summary: Microsoft Patch Tuesday updates have been released for April, addressing 66 CVE-listed vulnerabilities, 24 of which are rated critical. The count of patches is lower than recently observed; however, the number of vulnerabilities rated critical has increased by almost 50 percent, the majority of these being in browsers and browser-related technologies. The security updates were rolled out across numerous pieces of software, with elevation of privilege, security feature bypass and remote code execution vulnerabilities making up a large portion of this month’s release.

One of the most notable flaws Microsoft focused on is an elevation of privilege bug, CVE-2018-1034, which could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines. Five font-based flaws were also a major focus for Microsoft this month; these could allow attackers to take control of the victim’s system through specially crafted websites and fonts. Furthermore, a Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability, CVE-2018-8117, has also been observed, which could allow an attacker to log keystrokes.

Risk assessment summary: The threat is assessed as 4c LOW. Although there are several vulnerabilities in this release which could potentially be exploited by actors, and an increase in critical vulnerabilities compared to last month, there is only one zero-day flaw. This flaw is identified as CVE-2018-1034, which is most likely used for cross-site scripting attacks. The elevation of privilege vulnerability leaves at risk users who installed the security updates in January, and can only be fixed by the user installing the new service updates. The Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability has been patched by Microsoft, which has enhanced security by mandating unique AES encryption keys. The last vulnerability detailed is the remote code execution flaw in the Microsoft Malware Protection Engine; Microsoft released an emergency patch to mitigate this flaw earlier in the week.

FireEye M-Trends Report 2018

The M-Trends 2018 report covers incidents and investigations undertaken by Mandiant, a FireEye subsidiary, from 1st October 2016 to 30th September 2017. The wide-ranging report highlights dwell time, given as the number of days between the first evidence of an attack and its discovery; the rise of Iranian APT groups; the problems associated with legacy systems; and the re-attack rate, defined as the proportion of companies that were successfully attacked again within a year of a previous significant attack. The figures are given by region and industry, which gives some useful insights; however, the report does suffer from the limitation that it relies solely on Mandiant’s industry view, which is acknowledged in the report.

Strategic assessment:

The dwell time statistics give a concerning view of the threats seen by Mandiant, and are perhaps useful in their marketing. They show that although a significant number of threats are detected within 30 days, there are spikes of activity at the three-month and one-year marks. Globally, the median dwell time for 2017 was 101 days, which is the first yearly increase since Mandiant began releasing figures in 2011. This suggests a global detection issue.

The report also details the strategic overview of new APT activity discovered by FireEye, with high-level TTPs covered. APT32 through to APT35 are mentioned, with a separate focus on Iranian actors and APT35.

According to Mandiant, the number of attacks originating from threat actors sponsored by Iran has significantly increased. The groups are thought to leverage strategic web compromises (SWC) to ensnare more victims, maintaining persistence across multiple organisations for months and sometimes years. Home-grown custom malware is used in both destructive attacks and espionage campaigns. With reference to PUPYRAT, the report details an attack methodology used by the group to steal credentials which even showed a level of adaptation to accommodate cloud migration trends, as companies moved to off-premises email solutions.

In a segment titled “Once a target, always a target”, FireEye quantify the subsequent risk of a follow-up significant cyberattack, taken to mean activity that may include data theft, compromised accounts, credential harvesting, lateral movement and spear phishing. Nearly half of customers with at least one significant attack were successfully attacked again within one year. However, there is a big geographical divide in this statistic. Over 91% of Mandiant’s APAC customers with at least one significant attack will see attacker activity within the next year, compared to 44% in the Americas and 47% in EMEA.

High tech, telecommunications and education top the charts for the number of attack groups and the number of significant attacks by different threat actors, although the financial, high tech and healthcare sectors saw the highest number of significant attacks. Although the industry preference identified could to some extent reflect Mandiant’s customer base rather than pure attacker preferences, it supports similar findings by other vendors.

2.4 Customer Records

Target, the major retailer, was hacked on Black Friday in 2013. Over 40 million debit card accounts were scooped up. The data was not encrypted. Groups of Target customers filed suit claiming that “Target failed to implement and maintain reasonable security procedures and practices.” Roll forward to 2015 when Target paid out $10 million to customers as a result of lawsuits. This $10 million does not include costs to notify, legal costs, loss of good will among existing customers, and the effect on Target’s reputation in the marketplace.

2.3 Human Resources (HR) Records

The largest HR or personnel records breach (a break-in with theft or manipulation of data) in history occurred in 2015 at the United States Office of Personnel Management, or OPM for short. The breach involved the theft of 21.5 million US government employee records along with 5.6 million fingerprint records. Keep in mind that these records contain the contents of the SF86, a questionnaire completed when applying for a security clearance, and include information not only about the applicant but also about their extended families and neighbours. It is rumoured that the Chinese are using the information from these records to put together a “Facebook” of US government and military personnel that can be used to put pressure on them or co-opt them.

This breach was a classic case of risk versus reward. Enough golden eggs (records) existed in one place with the potential for enough damage that they were highly sought after and justified the expenditure of almost any effort to obtain them.

Access was obtained through a breach of a US Government contractor who had access to the records and, unfortunately, less security to get through. We, the defensive team (the good guys), failed to encrypt the records, disperse the records (so they are not all in one place), and keep non-current records offline. To make matters worse, the intrusion was not detected for a long period of time.

2.2 Medical Records

Medical records are worth about ten times what credit card numbers are on the black market. “Why?” you ask. Because medical records can be used to file fraudulent claims. It takes much longer to realize your medical records have been compromised than to notice a problem with your credit card number. This time differential, combined with the relatively poor cyber security of hospitals, provides hackers with a very lucrative market.

Note that medical records fall under HIPAA. HIPAA is the Health Insurance Portability and Accountability Act—you probably signed a form at your doctor’s office. Health providers are legally obligated to take reasonable steps to protect your healthcare information. Penalties are based on the level of negligence and can range from $100 to $50,000 per violation. This is capped at $1.5 million per year for violations of each HIPAA provision.

Why Should I Care About Cyber Security?

Good cyber security is tedious and expensive. For businesses, though, the alternative is loss of customer goodwill and potentially the closing of the business. On the personal side, the inconvenience of identity theft, data loss and invasion of privacy exacts a heavy toll on your finances and your time. The result is an unfair burden on small businesses and individuals. It is important to recognize that this is the way it is, this is the world we live in, and to accept a personal, even if limited, role in being a good data steward and protector. This article discusses a select few of the cyber security incidents of the last couple of years in various categories to help you understand the magnitude and variety of what’s out there.

By being aware of the targets, the potential attacks and the defensive tools you have, you can diminish the hacker’s perceived gain relative to the time spent on you. For example, if a hacker determined that the profit was only a few cents per hour for the time spent, the hacker would find something more lucrative to do. In time, if we (the defensive team, the good guys) diligently protect ourselves, the sheer number of hackers and attacks will be reduced. The rest of the battle will become easier to defend against, and we might even be able to track down those few remaining bad actors.

1.5 Post Attack

After a successful attack, there is work to be done in the areas of forensics, legal, insurance (hopefully purchased before the attack), damage assessment, and target cleanup and validation. In addition, policies and defences must be examined to figure out what went wrong and how to do a better job next time.

It might be hard to get motivated and started on your defensive measures if you don’t know why cyber security matters. Read on!