
158 points kenjackson | 14 comments
ykonstant ◴[] No.41031312[source]
Sorry to hijack this post, but for affected admins reading this: how is the recovery process going? What is your estimated time to normalcy?

Also, for Linux and especially BSD admins: has this incident affected your perspective on EDR/XDR systems in the kernel? What would you suggest as an alternative to ensure regulatory compliance?

replies(2): >>41031360 #>>41041546 #
1. tgv ◴[] No.41031360[source]
I do manage a few Linux machines (firewall passes only http and https -> nginx -> custom backend), but I'd never heard of Crowdstrike before. I don't even know what their product is supposed to do. As far as I can see, kernel level protection could only help prevent someone bypassing the firewall and trigger an exploit in nginx. But if Crowdstrike knows about such exploits, everyone does, and the firewall or nginx gets patched.

What am I missing?

Edit: I know it is supposed to implement "EDR", but it's always explained in the vaguest of terms.

replies(5): >>41031414 #>>41031431 #>>41031453 #>>41033240 #>>41034207 #
2. Khaine ◴[] No.41031414[source]
It is primarily aimed at workstations, although it does run and is run on servers. The idea is to be able to identify malware based on behaviour, rather than rely on signatures.

EDR solutions hook into the kernel to log, and block system calls. They use this information to try and generically identify malware. For example you could detect ransomware by identifying a process that is enumerating a large number of files, reading from those files, and then saving those files.

For a SOC, you can also use an EDR to identify files, hashes, connections to given IPs across your fleet of servers. This can allow you to see what devices have been compromised. The EDR can then isolate them, by blocking network syscalls and allow only the SOC to access to investigate and remediate.

This is the value they provide (or at least claim to) to a cyber team.

3. p_l ◴[] No.41031431[source]
The whole point of those systems is catching actual behaviours, not patching/firewalling per se (though they do some level of permission management on some platforms).

For example, patching nginx is not going to help if your user gets phished of an auth token that was explicitly supposed to let them run code on the server - but catching that the code started browsing files elsewhere and sending data out will help you notice the breach.

4. jabroni_salad ◴[] No.41031453[source]
> But if Crowdstrike knows about such exploits, everyone does

This is actually the most important thing happening with EDR as a concept, it handles novel cases that have never been seen before, with a human review very quickly. Our csirt has an SLA of 3 minutes.

It's right there in the name acronym. Detection and Response.

replies(2): >>41031905 #>>41034825 #
5. therein ◴[] No.41031905[source]
So like let's say a user of a computer in my fleet ran something infected with malware that had enough diligence to have a unique file signature. It puts itself into startup items in a creative way and then calls back home with just a standard SSH connection.

In that case are you telling me their pitch is that they detect this behavior, dispatch some human agent from their CSIRT within 3 minutes to remotely but manually come check the binary, dump some strings, do some reverse engineering and track the CC server etc?

replies(3): >>41032312 #>>41032982 #>>41036029 #
6. michaelt ◴[] No.41032312{3}[source]
> In that case are you telling me their pitch is that they detect this behavior, dispatch some human agent from their CSIRT within 3 minutes to remotely but manually come check the binary, dump some strings, do some reverse engineering and track the CC server etc?

Crowdstrike is not in the business of selling to people who know WTF any of that means.

Crowdstrike is in the business of selling to people like the CEO of Southwest Airlines. Their pitch is "The definitive AI-native SOC platform; Forrester named CrowdStrike a Leader in The Forrester Wave for Managed Detection and Response (MDR) in Europe; IDC MarketScape name CrowdStrike Named a Leader in Worldwide Risk-Based Vulnerability Management Platforms 2023 Vendor Assessment"

If the CEO consults people lower in the hierarchy, the pitch is "Some asshole has decided you need to be SOC2 compliant, that means you need to run antivirus, our product will check that checkbox and though our product is not good, it is at least better than mcafee or symantec"

7. p_l ◴[] No.41032982{3}[source]
Not necessarily from Crowdstrike CSIRT, but I have experience of security calling me back within 30 minutes of changing a system-security-impacting file to verify that it was done by me and not something else.

Probably because they had already looked at the modification which was benign so slower escalation path in absence of other indicators.

replies(1): >>41034864 #
8. weberer ◴[] No.41033240[source]
Basically it monitors activity on your computer (process spawning, file changes, etc) and logs them as "Events". Then it sends those to their ML models for "Detection". And if malware behavior is detected, then they perform a "Response" whatever that may be. Probably notifying the user and IT department.
9. skywhopper ◴[] No.41034207[source]
In the ideal case, it logs everything your computer does, every process that's running, every system call they make, every Internet connection made, website visited, etc, and reports it all back to a central data repository that's constantly being scanned for suspicious behavior. But more importantly, when a hack does occur, the security team can go back to that data lake and figure out exactly what happened.

In reality, that's way too much data for anyone to make sense of, but giant companies spend tens of millions of dollars per year to deploy all the things so they can say they're doing it.

On the other hand, funny things can happen. I got called out by the security team at one job because the EDR agent on my workstation registered that I had put a file on disk that had a malware signature. Well, it turns out that I had checked out the security team's git repo containing malware signatures...

But I did get called out in about 20 minutes by a random security engineer I'd never met who told me the exact path on my PC where the file was. Is that a good thing? I'm not sure.

10. rswail ◴[] No.41034825[source]
That's just marketing bullshit.

"We have magic code that watches everyone's computer and sends it all back to our system, where we apply magic to detect malware and then send the code back to all of your systems and until we can say we have AI, we're going to lie that a human will be able to review this information in 3 minutes."

replies(1): >>41036002 #
11. rswail ◴[] No.41034864{4}[source]
tripwire(1) has been part of systems for decades.

Bullshit about "they had already looked at the modification which was benign".

So your "security" is to totally expose every operation of your software to an external party with absolutely no auditing of what data they are exfiltrating from your system?

replies(1): >>41035397 #
12. p_l ◴[] No.41035397{5}[source]
It was handled by internal security team.

Also, tripwire was limited to periodically scanning files, couldn't scan for example syscalls and trace relationships between them.

But yes, tripwire is a very early EDR/XDR.

13. jabroni_salad ◴[] No.41036002{3}[source]
We staff our own SOC and 99% of the tickets that go thru it are just 'some app we already know about has updated to be slightly different' or 'some new app has appeared and needs to be documented'. It is super rote and boring.
14. jabroni_salad ◴[] No.41036029{3}[source]
If the device isn't in a technical user collection, then the fact that an outbound SSH connection happened at all is a pretty good IOC. A fucking slack bot can respond to that.
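The two behavioural rules discussed in the thread (Khaine's "process reading and then writing a large number of files" ransomware heuristic, and jabroni_salad's "outbound SSH from a non-technical device" IOC) as a small detection pass over endpoint telemetry. This is an added illustration, not CrowdStrike's or any vendor's code; the event format, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry, one event per line:
#   <ts_seconds> <pid> <host> <event> <argument>
SAMPLE_EVENTS = """\
10 100 wks-hr-07 file_read /home/a/q1.xlsx
11 100 wks-hr-07 file_write /home/a/q1.xlsx.locked
12 100 wks-hr-07 file_read /home/a/q2.xlsx
13 100 wks-hr-07 file_write /home/a/q2.xlsx.locked
14 100 wks-hr-07 file_read /home/a/q3.xlsx
15 100 wks-hr-07 file_write /home/a/q3.xlsx.locked
20 300 wks-hr-07 net_connect 203.0.113.9:22
30 200 wks-dev-01 net_connect 10.0.0.5:22
40 400 wks-dev-01 file_read /home/b/main.c
41 400 wks-dev-01 file_read /home/b/util.c
42 400 wks-dev-01 file_write /home/b/main.o
"""

TECHNICAL_HOSTS = {"wks-dev-01"}  # assumed "technical user collection": SSH expected here
CHURN_THRESHOLD = 3               # distinct files read AND distinct files written ...
WINDOW_SECONDS = 60               # ... by one process inside this sliding window

def parse_events(text):
    for line in text.splitlines():
        ts, pid, host, event, arg = line.split(maxsplit=4)
        yield int(ts), int(pid), host, event, arg

def file_churn(ops):
    """True if any WINDOW_SECONDS window holds >= CHURN_THRESHOLD distinct reads and writes."""
    ops = sorted(ops)  # (ts, kind, path)
    for i, (start, _, _) in enumerate(ops):
        reads, writes = set(), set()
        for ts, kind, path in ops[i:]:
            if ts - start > WINDOW_SECONDS:
                break
            (reads if kind == "file_read" else writes).add(path)
        if len(reads) >= CHURN_THRESHOLD and len(writes) >= CHURN_THRESHOLD:
            return True
    return False

def detect(text):
    """Return sorted (rule, host, pid) alerts for the telemetry in `text`."""
    alerts, file_ops = [], defaultdict(list)
    for ts, pid, host, event, arg in parse_events(text):
        if event in ("file_read", "file_write"):
            file_ops[(host, pid)].append((ts, event, arg))   # group per process
        elif event == "net_connect" and arg.endswith(":22") and host not in TECHNICAL_HOSTS:
            alerts.append(("outbound_ssh", host, pid))        # SSH where none is expected
    for (host, pid), ops in file_ops.items():
        if file_churn(ops):
            alerts.append(("file_churn", host, pid))          # mass read-then-write pattern
    return sorted(alerts)
```

A real agent would feed these alerts into a triage queue with the process lineage and the option to isolate the host, as described earlier in the thread; the compile job on the developer host stays below threshold and the developer's SSH session is allow-listed.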