←back to thread

CrowdStrike's Falcon Sensor also linked to Linux kernel panics and crashes

(www.theregister.com)
158 points kenjackson | 9 comments | 22 Jul 24 02:22 UTC | HN request time: 0.833s | source | bottom
Show context
ykonstant ◴[22 Jul 24 06:05 UTC] No.41031312[source]
Sorry to hijack this post, but for affected admins reading this: how is the recovery process going? What is your estimated time to normalcy?

Also, for Linux and especially BSD admins: has this incident affected your perspective on EDR/XDR systems in the kernel? What would you suggest as an alternative to ensure regulatory compliance?

replies(2): >>41031360 #>>41041546 #
tgv ◴[22 Jul 24 06:15 UTC] No.41031360[source]
I do manage a few Linux machines (firewall passes only http and https -> nginx -> custom backend), but I'd never heard of Crowdstrike before. I don't even know what their product is supposed to do. As far as I can see, kernel level protection could only help prevent someone bypassing the firewall and trigger an exploit in nginx. But if Crowdstrike knows about such exploits, everyone does, and the firewall or nginx gets patched.

What am I missing?

Edit: I know it is supposed to implement "EDR", but it's always explained in the vaguest of terms.

replies(5): >>41031414 #>>41031431 #>>41031453 #>>41033240 #>>41034207 #
1. jabroni_salad ◴[22 Jul 24 06:31 UTC] No.41031453[source]
> But if Crowdstrike knows about such exploits, everyone does

This is actually the most important thing happening with EDR as a concept, it handles novel cases that have never been seen before, with a human review very quickly. Our csirt has an SLA of 3 minutes.

It's right there in the name acronym. Detection and Response.

replies(2): >>41031905 #>>41034825 #
2. therein ◴[22 Jul 24 08:07 UTC] No.41031905[source]
So like let's say a user of a computer in my fleet ran something infected with malware that had enough diligence to have a unique file signature. It puts itself to startup items in a creative way and then calls back home with just a standard SSH connection.

In that case are you telling me their pitch is that they detect this behavior, dispatch some human agent from their CSIRT within 3 minutes to remotely but manually come check the binary, dump some strings, do some reverse engineering and track the CC server etc?

replies(3): >>41032312 #>>41032982 #>>41036029 #
3. michaelt ◴[22 Jul 24 09:14 UTC] No.41032312[source]
> In that case are you telling me their pitch is that they detect this behavior, dispatch some human agent from their CSIRT within 3 minutes to remotely but manually come check the binary, dump some strings, do some reverse engineering and track the CC server etc?

Crowdstrike is not in the business of selling to people who know WTF any of that means.

Crowdstrike is in the business of selling to people like the CEO of Southwest Airlines. Their pitch is "The definitive AI-native SOC platform; Forrester named CrowdStrike a Leader in The Forrester Wave for Managed Detection and Response (MDR) in Europe; IDC MarketScape name CrowdStrike Named a Leader in Worldwide Risk-Based Vulnerability Management Platforms 2023 Vendor Assessment"

If the CEO consults people lower in the hierarchy, the pitch is "Some asshole has decided you need to be SOC2 compliant, that means you need to run antivirus, our product will check that checkbox and though our product is not good, it is at least better than mcafee or symantec"

4. p_l ◴[22 Jul 24 10:56 UTC] No.41032982[source]
Not necessarily from Crowdstrike CSIRT, but I have experience of security calling me back within 30 minutes of changing system security impacting file to verify that it was done by me and not something else.

Probably because they had already looked at the modification which was benign so slower escalation path in absence of other indicators.

replies(1): >>41034864 #
5. rswail ◴[22 Jul 24 14:28 UTC] No.41034825[source]
That's just marketing bullshit.

"We have magic code that watches everyone's computer and sends it all back to our system, where we apply magic to detect malware and then send the code back to all of your systems and until we can say we have AI, we're going to lie that a human will be able to review this information in 3 minutes.

replies(1): >>41036002 #
6. rswail ◴[22 Jul 24 14:31 UTC] No.41034864{3}[source]
tripwire(1) has been part of systems for decades.

Bullshit about "they had already looked at the modification which was benign".

So your "security" is to totally expose every operation of your software to an external party with absolutely no auditing of what data they are exfiltrating from your system?

replies(1): >>41035397 #
7. p_l ◴[22 Jul 24 15:13 UTC] No.41035397{4}[source]
It was handled by internal security team.

Also, tripwire was limited to periodically scanning files, couldn't scan for example syscalls and trace relationships between them.

But yes, tripwire is a very early EDR/XDR.

8. jabroni_salad ◴[22 Jul 24 16:06 UTC] No.41036002[source]
We staff our own SOC and 99% of the tickets that go thru it are just 'some app we already know about has updated to be slightly different' or 'some new app has appeared and needs to be documented'. It is super rote and boring.
9. jabroni_salad ◴[22 Jul 24 16:08 UTC] No.41036029[source]
If the device isnt in a technical user collection, then the fact that an outbound SSH connection happened at all is a pretty good IOC. A fucking slack bot can respond to that.