Playing with CrowdStrike

Recently one of my clients received a well-crafted phishing email with an "invoice" attached that, like many such attachments, was malware. Everything looked legitimate, except that the invoice landed in one of my honeypot inboxes: I usually set up a few email addresses that the company does not actively use and monitor them in order to catch attacks. The malware appears to be an information-stealing trojan. Being a fresh sample, at first it was detected by only six engines on VirusTotal; right now it is detected by 18 of the 60 engines available there.

Image: VirusTotal scan of the sample | Image by the author

Given this low detection rate, it was entirely possible that my client could have ended up infected. This is nothing new, but it helped me show my client how phishing attacks are evolving and offer them the chance to improve their security. As a small to medium-sized enterprise they cannot allocate a large budget to cybersecurity, but I started to study possible improvements.


My client has a sizeable attack surface, and their main attack vectors are unauthorized access to an email account and infected endpoints. With the email accounts already secured, I thought about deploying a new-generation Endpoint Detection and Response (EDR) product. One of the first malware detection engines that blocked the malware was CrowdStrike Falcon, so it came to mind as one of the candidates to acquire and implement inside the company.


Image: crowdstrike.com

CrowdStrike was founded in 2011 and in 2019 was positioned as a Leader in the Gartner Magic Quadrant for Endpoint Protection Platforms. Like any other product, I decided to test it before recommending it to my client. So, after this short introduction, let's start playing with and reviewing CrowdStrike.

Trying CrowdStrike Falcon Endpoint Protection

From their website you can obtain a 15-day trial. CrowdStrike has a good-looking web administration dashboard where you can review your sensors and alerts and configure your deployment. For me this is really important, because I am deploying a service that will be managed remotely.

Image: CrowdStrike admin portal | Image by the author

There are three predefined dashboards:

  • Activity: a dashboard with the latest detections and alerts.
  • Hosts: a dashboard with sensor information, such as how many hosts are online and reporting.
  • Intelligence: a dashboard with threat actor information, much like a wiki.

Image: Intelligence dashboard of CrowdStrike | Image by the author

One nice feature is that you can create custom dashboards. For example, you can build a dashboard that shows activity information together with the detections and the number of sensors that are up.

Image: Custom dashboard with Activity and Host information | Image by the author

Sensor installation

To detect and respond to attacks you need to install CrowdStrike sensors on your endpoints. Like other EDR services, CrowdStrike has a client-server architecture: you deploy sensors across your network, and they report and block attacks on the endpoint. From the web dashboard you can download the sensor installers and then deploy them in your organization, either manually or in an automated way.


Image: CrowdStrike sensor installer for Windows | Image by the author

For example, on Windows systems this can easily be automated with your favourite deployment tool and the following command:

WindowsSensor.exe /install /quiet /norestart CID=<CCID>

Each sensor installation needs a Customer ID (CID). The CID is a code available from your admin dashboard, and it allows every new host to be enrolled automatically. Another good point is that CrowdStrike is available for Windows, Mac and Linux: we need to protect all devices regardless of the operating system they run.
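The following is an added example of what a deployment tool would actually run around that command; it is not code from the original article or from CrowdStrike. It assumes the installer is staged next to the script, that the CID is pasted with its two-character checksum suffix, that the sensor service is named CSFalconService and the driver csagent, and that GROUPING_TAGS is an accepted installer parameter; treat those names as assumptions and check them against your sensor version.

```powershell
# Added example (not from the original article): wrapper around the installer
# command above for unattended deployment. Assumptions: installer staged next
# to this script, CID supplied with its two-character checksum suffix, sensor
# service named CSFalconService, sensor driver named csagent, and GROUPING_TAGS
# accepted by the installer.

function Test-FalconCid {
    param([Parameter(Mandatory)] [string] $Value)
    # Expected shape: 32 hex characters, a dash, then a 2-character checksum
    # (assumption about the installer's CID format).
    return ($Value -match '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$')
}

function Install-FalconSensor {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Cid,
        [string]   $InstallerPath  = '.\WindowsSensor.exe',
        [string[]] $GroupingTags   = @(),
        [int]      $TimeoutSeconds = 120
    )

    if (-not (Test-FalconCid $Cid)) {
        throw "CID '$Cid' does not look like <32 hex>-<checksum>; copy it from the sensor download page"
    }
    if (-not (Test-Path $InstallerPath)) {
        throw "Installer not found at $InstallerPath"
    }

    # Same switches as the command in the article. Grouping tags put the host
    # in the right host group, and therefore the right prevention policy, from
    # its first check-in instead of leaving it in the default (detect-only) policy.
    $installerArgs = @('/install', '/quiet', '/norestart', "CID=$Cid")
    if ($GroupingTags.Count -gt 0) {
        $installerArgs += ('GROUPING_TAGS="{0}"' -f ($GroupingTags -join ','))
    }

    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $installerArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "Installer exited with code $($proc.ExitCode)"
    }

    # Exit code 0 only means the package installed; poll until the service is
    # actually running before reporting the host as protected.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $svc = Get-Service -Name 'CSFalconService' -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') { break }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)

    # "sc query csagent" is the check CrowdStrike documents for the sensor driver.
    $driverQuery  = (& sc.exe query csagent 2>&1) | Out-String
    $serviceState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    [PSCustomObject]@{
        Host          = $env:COMPUTERNAME
        ExitCode      = $proc.ExitCode
        ServiceStatus = $serviceState
        DriverRunning = ($driverQuery -match 'RUNNING')
    }
}

# Usage from your deployment tool (CID and tags are placeholders):
# Install-FalconSensor -Cid '0123456789ABCDEF0123456789ABCDEF-12' -GroupingTags 'finance','laptops'
```

The point of the polling and the driver check is that a zero exit code from the installer is not the same as a protected host: the result object is what you want your deployment tool to collect, so that a machine whose service never reaches Running shows up in your inventory instead of silently staying unprotected.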

Sensor configuration


After deploying the sensors we need to assign configuration policies to each of them, or to groups of them, based on our needs. By default there are two policies, one for detection only and one for detection and response. In order to block attacks we need detection and response, not just detection. Be aware of this configuration: sensors running in detect-only mode will not block any malware attacks.

Image: Default policies in CrowdStrike | Image by the author

Additionally, each detection and response policy can be configured. I recommend enabling all the available sensor capabilities, but the configuration will need to be adjusted to your scenario.

Image: Machine Learning sensitivity for CrowdStrike | Image by the author

CrowdStrike uses several machine learning models to make decisions, and we can adjust their aggressiveness. One might think that the best setting is Extra Aggressive for both detection and prevention, but, as with any other machine learning model, this increases the false-positive rate. If you run CrowdStrike in Extra Aggressive mode you are going to end up blocking legitimate apps in your organization; in fact, I could not run some legitimate apps in aggressive mode. You can always configure CrowdStrike with exclusion patterns to avoid particular false positives, but you will need to balance the aggressiveness against the applications your organization uses.
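Because the default policy is detect-only, the check a practitioner wants after deployment is "which policies, and therefore which host groups, still have prevention switched off?". The following added example (not from the original article or from CrowdStrike) runs that check over constructed sample data. The JSON layout, the slider level names and the endpoint name GET /policy/combined/prevention/v1 are my assumptions about the Falcon API's combined prevention-policy response; a live run would fetch that endpoint with an API client and pass the body in.

```powershell
# Added example (not from the original article): flag prevention policies that
# still leave hosts in detect-only mode, or below a chosen minimum level.
# The JSON is constructed sample data; its layout is an assumption about the
# Falcon API response for GET /policy/combined/prevention/v1.
$SamplePolicies = @'
{
  "resources": [
    {
      "id": "00000000000000000000000000000001",
      "name": "Detect only (default)",
      "platform_name": "Windows",
      "enabled": true,
      "groups": [ { "name": "Finance laptops" } ],
      "prevention_settings": [
        {
          "name": "Next-Gen Antivirus",
          "settings": [
            { "name": "Cloud Anti-malware",  "type": "mlslider",
              "value": { "detection": "AGGRESSIVE", "prevention": "DISABLED" } },
            { "name": "Sensor Anti-malware", "type": "mlslider",
              "value": { "detection": "MODERATE",   "prevention": "DISABLED" } },
            { "name": "Quarantine",          "type": "toggle",
              "value": { "enabled": false } }
          ]
        }
      ]
    },
    {
      "id": "00000000000000000000000000000002",
      "name": "Detect and prevent",
      "platform_name": "Windows",
      "enabled": true,
      "groups": [ { "name": "Workstations" } ],
      "prevention_settings": [
        {
          "name": "Next-Gen Antivirus",
          "settings": [
            { "name": "Cloud Anti-malware",  "type": "mlslider",
              "value": { "detection": "AGGRESSIVE", "prevention": "MODERATE" } },
            { "name": "Sensor Anti-malware", "type": "mlslider",
              "value": { "detection": "AGGRESSIVE", "prevention": "CAUTIOUS" } },
            { "name": "Quarantine",          "type": "toggle",
              "value": { "enabled": true } }
          ]
        }
      ]
    }
  ]
}
'@

# Slider levels as shown in the console, lowest to highest.
$SliderRank = @{ DISABLED = 0; CAUTIOUS = 1; MODERATE = 2; AGGRESSIVE = 3; EXTRA_AGGRESSIVE = 4 }

function Get-PreventionGaps {
    param(
        [Parameter(Mandatory)] [string] $PolicyJson,
        # Minimum prevention level you consider acceptable for an ML slider.
        [ValidateSet('CAUTIOUS', 'MODERATE', 'AGGRESSIVE', 'EXTRA_AGGRESSIVE')]
        [string] $MinimumPrevention = 'MODERATE'
    )
    $minRank = $SliderRank[$MinimumPrevention]

    foreach ($policy in (ConvertFrom-Json $PolicyJson).resources) {
        $weak = @()
        $sliders = 0
        $preventing = 0
        foreach ($category in $policy.prevention_settings) {
            foreach ($setting in $category.settings) {
                switch ($setting.type) {
                    'mlslider' {
                        $sliders++
                        $level = $setting.value.prevention
                        if ($level -ne 'DISABLED') { $preventing++ }
                        if ($SliderRank[$level] -lt $minRank) {
                            $weak += "$($setting.name): prevention=$level"
                        }
                    }
                    'toggle' {
                        if (-not $setting.value.enabled) { $weak += "$($setting.name): off" }
                    }
                }
            }
        }
        [PSCustomObject]@{
            Policy     = $policy.name
            Platform   = $policy.platform_name
            HostGroups = ($policy.groups.name -join ', ')
            # Detect-only: every ML slider has prevention switched off.
            DetectOnly = ($sliders -gt 0 -and $preventing -eq 0)
            Weak       = ($weak -join '; ')
        }
    }
}

Get-PreventionGaps -PolicyJson $SamplePolicies | Format-Table -AutoSize
```

On the sample data the first policy comes out as DetectOnly with every slider and the quarantine toggle listed under Weak, while the second is not detect-only but still gets flagged for the sensor slider sitting at CAUTIOUS, below the MODERATE floor. Raising MinimumPrevention is how you express the balance the paragraph above describes: the higher the floor, the more exclusions you will need for legitimate applications.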

Testing the CrowdStrike response

So, after configuring and deploying a sensor on a host, let's start throwing malware at CrowdStrike and see how it responds.

The first thing I did was to run the fake invoice mentioned at the beginning of the article. CrowdStrike blocked the process and quarantined the file, and an alert appeared on the admin dashboard. Each of these alerts can be assigned to a different dashboard user for easier handling.

Image: CrowdStrike alert generated by Machine Learning | Image by the author

A cool and useful feature of this new generation of EDR is the ability to follow the chain of processes that led to the alert. In this case I simply opened the malware executable, but if, for example, the execution had been the result of a running macro, we would see a Microsoft Office process in the chain.

Image: Process tree view created by CrowdStrike | Image by the author

PowerShell

Another test I ran used malicious PowerShell commands. PowerShell is a common and powerful tool for attackers, and fileless attacks usually rely on it.

CrowdStrike was able to detect an attack using mimikatz through PowerShell, and it was able to decode the commands. It should be mentioned that this was a simple base64 encoding, but nonetheless I like the result.

Image: CrowdStrike detecting a PowerShell attack | Image by the author

Windows macros and ransomware

Finally, I obtained some fresh samples from Any.run, looking for ransomware and some malicious Office macros. I launched around 10 samples and each of them was blocked.

Image: Word macro being blocked by CrowdStrike | Image by the author

Most of the detections were made by the sensor-based machine learning (twelve of them) and by the cloud-based machine learning (five of them).

Image: Number of detections successfully blocked by CrowdStrike | Image by the author

False positives


As I mentioned before, one more thing to take into account with these solutions is the false-positive rate: we could end up blocking legitimate programs in our organization because of failures in the machine learning detection models. My sensors were running in aggressive detection and moderate prevention modes. After running some potentially controversial programs such as VeraCrypt, WinHex and Process Hacker, the only one CrowdStrike blocked was Process Hacker, and in a way blocking Process Hacker makes sense: a normal user is not going to use Process Hacker on a daily basis.

Image: Process Hacker blocked by CrowdStrike | Image by the author

Conclusions and future tests


The first thing I would like to do is run more tests with a greater number of samples. Looking for external opinions, I discovered The PC Security Channel on YouTube, which ran a test of CrowdStrike in 2019; go and watch it, because I find it very interesting. I am using a 2020 version of CrowdStrike, which should be different (at least the web admin dashboard is), but further sample testing needs to be done.

Image: https://www.crowdstrike.com/endpoint-security-products/

Either way, in my tests the results seem promising, but I found one big problem with this product: the price. If I want to implement Falcon Enterprise I need to pay around $184.99 per endpoint per year, and they offer little discount when you pay. On top of that, you need to buy a minimum of 5 licenses, which brings the subtotal to $924.95. I am also evaluating other products, such as Kaspersky Endpoint Security, where 10 licences cost between $335.00 and $575.00. Furthermore, Kaspersky offers features like patch management for your endpoints. I am currently testing Kaspersky Endpoint Security, with great results, and just looking at the price there is a big difference.


This leads me to say that, in my opinion, CrowdStrike is overpriced. Of course I think it is a useful EDR, but you can find better alternatives for that amount of money. Moreover, I would like to mention that having one of these solutions is not going to end all your security problems. You are going to face attacks that these systems will not detect, and your organization needs further defence mechanisms to help in those situations. In my experience, spending this amount of money on EDR services alone could affect your ability to buy other security tools and services. We should not fall into the belief that having an EDR turns our devices into bulletproof systems.

So play with CrowdStrike, ask for a demo, but there are definitely better security/price options.

Translated from: https://medium.com/@carloslannister/playing-with-crowdstrike-55c1b5c329b9
